
Unfortunately I have very little Linux experience. We have an Amazon instance running Debian 7.6 and got a message from Amazon saying we were port scanning. We have hopefully stopped this by restricting outbound traffic via an Amazon security group, but as part of the investigation we ran:

sudo clamscan -r -i --bell

this showed the following possible infection:

/var/lib/tomcat7/update_temporary: Unix.Trojan.Elknot FOUND

and I can find very little about this (but some stuff about ElkKnot with an extra K - are they the same thing?)

The following warnings also appear multiple times in the output:

WARNING: Can't open file /sys/module/nfnetlink_log/uevent: Permission denied
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0

So my questions are: How can I tell whether the reported infection is genuine or a false positive? Should I be worried about all the LibClamAV warnings? Are they an indication of something wrong, or of Debian not being set up correctly?

Andy Nichols

    Some more about that trojan [here](http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html) – HBruijn Nov 25 '14 at 17:28

1 Answer


As far as "How can I tell whether ... genuine or false positive?"

You may want to copy the file (if possible) to another medium to test with a virus scanner other than ClamAV (if you have concerns on the validity of Clam's result).

Alternatively, if you're reluctant to move the file from one machine to another - you may wish to make the file accessible on a web server - and test with a URL test utility like https://www.virustotal.com/ to see if it too confirms a hit.

Obviously, you'll want to revert/delete any files.

If you'd like confirmation of the programs attempting inbound/outbound communications - try this...

netstat -tnp | awk '/:80 */ {split($NF,a,"/"); print a[2],a[1]}'

Note, if the process is running with root privs - and it unfortunately likely is - you'll need to execute the above command with matching privs for the program to be detected.

sonnik

    Thanks, some useful information here. I am currently running the netstat command (with -tnpu as the initial port scanning was attempting to attach to UDP port 80) – Andy Nichols Nov 26 '14 at 10:19
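A worked version of the connection check from the answer and the follow-up comment, added here as an example; it is not code from the answer, the poster, or any tool the thread names. It parses `netstat -tnpu` style output (TCP and UDP, as the comment suggests), keeps only connections whose remote side is port 80, lists the owning programs, and counts the sockets whose owner netstat printed as "-", which is what an unprivileged run shows for root-owned sockets and is the reason the answer says to rerun with matching privileges. It matches on the parsed remote port rather than on the substring ":80", so a local listener on :8080 is not reported. The sample output, hostnames, addresses, PIDs and the `update_tempora` program name are all constructed for the example, not captured from the poster's instance.

```python
"""Triage of `netstat -tnpu` output: which local processes are talking to a
given remote port, and how many socket owners are hidden because the scan
was not run as root. Added example; the sample below is constructed."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout net-tools' netstat prints.
# The "-" in the PID/Program column is what an unprivileged user sees
# for sockets owned by another uid (typically root). netstat truncates
# long program names to fit the column, hence "update_tempora".
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:8080           203.0.113.7:51234       ESTABLISHED 1234/java
tcp        0      0 10.0.0.5:48122          198.51.100.20:80        ESTABLISHED 4321/update_tempora
tcp        0      0 10.0.0.5:48130          198.51.100.21:80        SYN_SENT    -
udp        0      0 10.0.0.5:33022          192.0.2.99:80           ESTABLISHED -
tcp        0      0 10.0.0.5:22             203.0.113.8:60000       ESTABLISHED 999/sshd
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote_host: str
    remote_port: int
    state: str               # "" for UDP sockets that carry no state
    pid: Optional[str]       # None when netstat printed "-"
    program: Optional[str]


# One data row: proto, queues, local, remote, optional state, owner.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)?\s*(?P<owner>\S+)$"
)


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat text into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("remote").rpartition(":")
        owner = m.group("owner")
        if owner == "-":
            pid, prog = None, None
        else:
            pid, _, prog = owner.partition("/")
        conns.append(Conn(m.group("proto"), m.group("local"), host,
                          int(port), m.group("state") or "", pid, prog))
    return conns


def connections_to_port(conns: List[Conn], port: int = 80) -> List[Conn]:
    """Only the remote side is compared, so a local :8080 listener is not a hit."""
    return [c for c in conns if c.remote_port == port]


def hidden_owner(conns: List[Conn]) -> List[Conn]:
    """Sockets whose owning process netstat could not show (rerun as root)."""
    return [c for c in conns if c.pid is None]


def triage_report(text: str, port: int = 80) -> dict:
    """Summarise who is talking to `port` and how much is still unattributed."""
    hits = connections_to_port(parse_netstat(text), port)
    return {
        "programs": sorted({c.program for c in hits if c.program}),
        "hidden": len(hidden_owner(hits)),
        "protocols": sorted({c.proto for c in hits}),
    }


def live_report(port: int = 80) -> dict:
    """Same report from the running host; needs root to see other users' PIDs."""
    out = subprocess.run(["netstat", "-tnpu"], capture_output=True,
                         text=True, check=True).stdout
    return triage_report(out, port)


if __name__ == "__main__":
    print(triage_report(SAMPLE_NETSTAT))
```

On the constructed sample the report names one attributed program and two sockets with a hidden owner; a non-zero `hidden` count is the signal that the scan was run without enough privilege and should be repeated as root before concluding nothing else is talking out.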