The Linux/Ebury root-kit infects ssh and can be identified by the way it handles illegal or unknown command-line options, not printing an information line before usage: ...
Accepted wisdom is to invoke ssh with an illegal option and check that the expected extra line is there (clean) or missing (infected).
chkrootkit uses $(ssh -G) as its illegal invocation, but OpenSSH added the '-G' option to print configuration back in 2014.
Long story short - chkrootkit needs to pick a different illegal option.
Currently unused options include djruzBHJUZ.
Changing the script (2 places) appears to work (I used -H, $(rpm -Vv openssh-clients) to check).
...
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
...
After a little investigation....
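The check the report describes, written out as a small POSIX sh script. This is an added example, not the reporter's script and not chkrootkit's own code. It assumes -H as the probe option (the one the reporter used; it must be re-checked against the usage line of the installed OpenSSH, since -G stopped qualifying in 2014), and it assumes the getopt diagnostic contains one of "unknown option", "illegal option" or "invalid option", which covers the BSD-style getopt OpenSSH ships and glibc's wording. Function names and the sample outputs are constructed for the example.

```shell
#!/bin/sh
# Ebury-style ssh probe (constructed example).
#
# An unmodified OpenSSH client given an option it does not know prints a
# getopt diagnostic (e.g. "unknown option -- H") *before* its "usage:" block.
# The Ebury-infected binaries described in the report print only the usage
# block, so the presence of that diagnostic line is what we look for.

# Probe option. Must not be a real option of the installed ssh; check the
# "usage:" line after every OpenSSH upgrade (assumption: -H is still unused).
PROBE_OPT="-H"

# classify_ssh_stderr: read ssh's combined stdout/stderr from stdin and print
#   "clean"      if a getopt diagnostic appears before the usage text,
#   "suspicious" if the output starts straight with "usage:" or is empty.
classify_ssh_stderr() {
    saw_diag=0
    saw_usage=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"unknown option"*|*"illegal option"*|*"invalid option"*)
                # Only count the diagnostic if it precedes the usage block.
                if [ "$saw_usage" -eq 0 ]; then
                    saw_diag=1
                fi
                ;;
            usage:*|Usage:*)
                saw_usage=1
                ;;
        esac
    done
    if [ "$saw_diag" -eq 1 ]; then
        echo clean
    else
        echo suspicious
    fi
}

# check_ssh_binary PATH: run the probe against a real ssh binary, e.g.
#   check_ssh_binary /usr/bin/ssh
check_ssh_binary() {
    "$1" "$PROBE_OPT" 2>&1 | classify_ssh_stderr
}

# verify_ssh_package: corroborate with the package manager, as the reporter
# did with rpm -Vv; dpkg -V is the Debian/Ubuntu equivalent. Prints nothing
# when the installed files match the package metadata.
verify_ssh_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-clients
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-client
    else
        echo "no rpm/dpkg available; verify the ssh binary by other means" >&2
    fi
}
```

A "suspicious" result is a prompt to verify the binary against package metadata (or a known-good copy) and to inspect the host offline, not proof of infection; equally, "clean" only means the binary still shows the expected getopt behaviour, which a modified binary could reproduce. Keep the probe option in one place so that when the option list of the installed ssh changes it only has to be updated once, which is the maintenance problem the report describes for chkrootkit's two hard-coded uses of -G.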