Comment 14 for bug 1508248

Revision history for this message
In , DaveG (daveg-redhat-bugs) wrote:

After a little investigation....

The Linux/Ebury rootkit infects ssh and can be identified by the way it handles illegal or unknown command-line options, not printing an information line before usage: ...

Accepted wisdom is to invoke ssh with an illegal option and check that the expected extra line is there (clean) or missing (infected).

chkrootkit uses $(ssh -G) as its illegal invocation, but OpenSSH added the '-G' option to print configuration back in 2014.

Long story short - chkrootkit needs to pick a different illegal option.

Currently unused options include djruzBHJUZ.

Changing the script (2 places) appears to work (I used -H, $(rpm -Vv openssh-clients) to check).

...
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
...
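The check described in the comment, written out as an added example (not the commenter's patch and not chkrootkit's own code): feed ssh's stderr from an unsupported option through a classifier and report "clean" when an "unknown option"/"illegal option" diagnostic precedes the usage block. The choice of -H as the unsupported option follows the comment; the sample outputs below are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example. OpenSSH's getopt emits a line such as "unknown option -- H"
# (or "illegal option" on some libcs) before "usage: ssh ...". The Ebury
# behaviour described in the bug is that this diagnostic line is absent.

# classify_ssh_output: read ssh's stderr on stdin, print "clean" if a
# diagnostic line appears before the usage block, otherwise "suspicious".
classify_ssh_output() {
    # Keep only the lines printed before the usage block starts.
    pre_usage=$(sed '/^usage:/,$d')
    case "$pre_usage" in
        *"unknown option"*|*"illegal option"*) echo clean ;;
        *) echo suspicious ;;
    esac
}

# check_ssh_binary: run the given ssh binary with -H, an option OpenSSH does
# not implement (per the comment), and classify what it prints.
check_ssh_binary() {
    "$1" -H 2>&1 | classify_ssh_output
}

# Constructed sample of what a clean OpenSSH client prints.
CLEAN_SAMPLE='unknown option -- H
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Constructed sample of the Ebury behaviour: usage with no diagnostic line.
INFECTED_SAMPLE='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Uncomment to test the ssh actually installed on this host:
# check_ssh_binary "$(command -v ssh)"
```

A "suspicious" result is a prompt to verify the binary against the package manager (as the comment does with rpm -Vv openssh-clients), not proof of infection on its own.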