After a security breach and hack into a Bionic desktop, I secure-erased the SSD with hdparm and reinstalled minimal Bionic, UFW rules and so on.
Running chkrootkit, I get tcpd INFECTED.
Code:
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... INFECTED
Checking `tcpdump'... not infected
Checking `top'... not infected
and....
Code:
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/debug/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-38-generic/vdso/.build-id
A Google investigation shows this "could" be a false positive. However...
Code:
$ dpkg -S /usr/sbin/tcpd
dpkg-query: no path found matching pattern /usr/sbin/tcpd
A manual search finds a tcpdump file, which cannot be opened:
"Could not display "tcpdump". There is no application installed for "shared library" files."
A further search does not reveal:
/usr/lib/debug/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-38-generic/vdso/.build-id
I'm trying to verify whether these are false positives, or to compare the checksums.
Can anyone assist with this dilemma?
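The checksum comparison the post is after, written out as an added example (not part of the original post and not chkrootkit's or Ubuntu's own tooling). It assumes a dpkg-based system such as Bionic, where every installed package records an md5 list of the files it shipped under /var/lib/dpkg/info/<pkg>.md5sums, and that md5sum, awk and dpkg are on PATH. The function names verify_against_md5sums and verify_dpkg_file are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Compares a file on disk against
# the md5 list dpkg stores for its package in /var/lib/dpkg/info/<pkg>.md5sums
# (format: "<md5>  <path without leading slash>", one shipped file per line).
# Assumes a dpkg-based system (Ubuntu Bionic here) with md5sum and awk on PATH.
# Function names are this example's own.

# verify_against_md5sums FILE MD5SUMS_LIST
# Prints one line and returns 0 (OK), 1 (MISMATCH) or 2 (NOT-LISTED).
verify_against_md5sums() {
    file=$1
    list=$2
    rel=${file#/}                         # dpkg records "usr/sbin/tcpd", not "/usr/sbin/tcpd"
    recorded=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    if [ -z "$recorded" ]; then
        echo "NOT-LISTED $file"           # the package never shipped this path
        return 2
    fi
    actual=$(md5sum "$file" 2>/dev/null | awk '{ print $1 }')
    if [ "$actual" = "$recorded" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file recorded=$recorded actual=${actual:-unreadable}"
    return 1
}

# verify_dpkg_file FILE
# Resolves the owning package with "dpkg -S" and checks FILE against that
# package's md5sums list. This separates "no installed package owns this
# path" (the dpkg -S result quoted in the post) from "owned but changed".
verify_dpkg_file() {
    file=$1
    [ -e "$file" ] || { echo "MISSING $file"; return 3; }
    # skip "diversion by ..." lines and take the first real owner
    owner=$(dpkg -S "$file" 2>/dev/null | awk '!/^diversion / { print; exit }')
    if [ -z "$owner" ]; then
        echo "NOT-OWNED $file (no installed package claims it)"
        return 4
    fi
    pkg=${owner%%: /*}                    # "tcpd: /usr/sbin/tcpd" -> "tcpd"; keeps "libc6:amd64"
    list=/var/lib/dpkg/info/$pkg.md5sums
    [ -r "$list" ] || { echo "NO-MD5SUMS $pkg"; return 5; }
    verify_against_md5sums "$file" "$list"
}

# Usage: sh verify_pkg_file.sh /usr/sbin/tcpd /usr/sbin/tcpdump
if [ "$#" -gt 0 ] && command -v dpkg >/dev/null 2>&1; then
    for f in "$@"; do
        verify_dpkg_file "$f" || true     # keep going; each result is printed
    done
fi
```

Two caveats for using this on a box that is still suspect. First, locate the tcpd that chkrootkit actually tested before running dpkg -S on it (for instance `find / -xdev -name tcpd`), since a "no path found" answer for /usr/sbin/tcpd only says that nothing owns that exact path. Second, the md5sums lists sit on the same disk as the binaries, so a careful intruder can edit both; `debsums -c` (package debsums) does the same comparison more conveniently, but the trustworthy version of either check is against a freshly downloaded package (`apt-get download tcpd`, then unpack and compare) or from a clean boot medium. Conffiles are not in the md5sums lists and will show as NOT-LISTED.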