There is not much to do to produce this error other than install the program and type:

    sudo chkrootkit

According to relevant websites I found, this error occurs because ssh didn't use to implement -G, so chkrootkit's method for this rootkit is no longer valid. Per the following conversation on the Ubuntu forums:

August 24th, 2015 #1 fthx

Heartbreaking chkrootkit 'operation windigo' positive warning

Hi,

Was raining today but suddenly I got the sun in my face:

Code:
    sudo chkrootkit
    Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

(original typo...)

Well... after some search I think it's a false positive. (I do not play with fishy PPAs and do not use my system as a server.)

Sources:
http://www.eset.com/int/about/press/...net-uncovered/
https://www.cert-bund.de/ebury-faq
http://ubuntuforums.org/showthread.p...ration+windigo
https://bbs.archlinux.org/viewtopic.php?id=195395
https://github.com/openssh/openssh-p...75ab3b9cc84cba

If you run the "ssh -G" test in the above links, you could be scared. But the commit (link to github) seems to show that a new ssh option has been introduced since the testing command line:

Code:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

So this command does not return any error message, so you should get "System infected" in your terminal... I checked the sizes of the libraries (2nd link), ran ipcs commands and everything seemed to be ok.

What do you think about this stuff? Should I run some additional tests?

August 24th, 2015 #2 runrickus

Re: Heartbreaking chkrootkit 'operation windigo' positive warning

I would think you would be safe if you did not show "System infected". Also there is this to show if infected.

Code:
    # netstat -nap | grep "@/proc/udevd"

Ebury version 1.5

On Linux-based systems, an additional shared library file 'libns2.so' is installed and the existing libkeyutils file is patched to link against this library instead of libc6. The malicious 'libns2.so' file can be located by running the following command, which should not return any results on clean systems.

    # find /lib* -type f -name libns2.so
    /lib64/libns2.so

Ebury now uses Unix domain sockets instead of shared memory segments for interprocess communication. The malicious socket can be located using 'netstat' as follows. Again, this command should not return any results on clean systems.

Do antivirus products or other security tools detect Ebury? Some antivirus products are capable of detecting Ebury, usually as 'SSHDoor' or 'Sshdkit'. However, ClamAV or tools like chkrootkit or rkhunter currently do not detect Ebury.

For me:

Code:
    me-Aspire-M3300 me # netstat -nap | grep "@/proc/udevd"
    me-Aspire-M3300 # exit
    exit
    me@me-Aspire-M3300:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    System clean

Hope that helps
Regards

What I expect is an explanation of why my conclusion is wrong, and this is a real infection; or a fix to the software, so I get no more false positives. What I need is a malware. By the way, this seems to affect not only Ubuntu; it has been reported at Debian and Red Hat three months ago, but the chkrootkit rootkit scanner seems not to be fixed for Ubuntu.
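The legacy "ssh -G" check discussed above cannot distinguish a patched ssh from an OpenSSH release that ships -G natively (OpenSSH 6.8 added the option). The following script is an added example, not code from chkrootkit or from the forum posters: it reproduces the legacy verdict and downgrades it to "inconclusive" when the installed OpenSSH version already supports -G, so the remaining checks from the CERT-Bund FAQ (libns2.so, the udevd socket) have to decide. The function name classify_ssh_g and its two string arguments are my own choice.

```shell
#!/bin/sh
# Added example: legacy Ebury "ssh -G" test, version-aware.
# classify_ssh_g OUTPUT VERSION
#   OUTPUT  - what `ssh -G 2>&1` printed (first line is enough)
#   VERSION - what `ssh -V 2>&1` printed, e.g. "OpenSSH_6.9p1 Ubuntu-2, ..."
# Prints one of: clean | infected | inconclusive
classify_ssh_g() {
    out=$1
    ver=$2
    # Legacy chkrootkit logic: an unpatched pre-6.8 ssh rejects -G,
    # so an "illegal"/"unknown option" message means clean.
    case $out in
        *illegal*|*unknown*) echo clean; return 0 ;;
    esac
    # -G was accepted. Extract major and minor from "OpenSSH_X.Y...".
    num=$(printf '%s\n' "$ver" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    if [ -z "$num" ]; then
        # Unparseable version string: fall back to the legacy verdict.
        echo infected
        return 0
    fi
    set -- $num
    major=$1; minor=$2
    # OpenSSH 6.8 (March 2015) introduced a genuine -G option, so
    # acceptance of -G proves nothing on 6.8 or later.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo inconclusive
    else
        echo infected
    fi
}

# When run directly, classify the ssh binary on this host.
if [ $# -eq 0 ] && command -v ssh >/dev/null 2>&1; then
    classify_ssh_g "$(ssh -G 2>&1 | head -n 1)" "$(ssh -V 2>&1)"
fi
```

An "inconclusive" result on a current Ubuntu is the false-positive case from the thread; only an "infected" result on an OpenSSH older than 6.8 reproduces the original detection logic faithfully.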