False Positives in chkrootkit

Hi, Just been running chkrootkit and it reported this:

Searching for Linux.Xor.DDoS ... INFECTED: >Possible Malicious Linux.Xor.DDoS installed
/tmp/timeshift/uxloY7as/2020-12-13_11-07-22/script.sh
/tmp/timeshift/uxloY7as/2020-12-13_11-00-02/script.sh

Having done a search found various posts that point out if an executable lives in /tmp - it will report this false positive.

1 Like

Does Rkhunter indicate anything on same machine?

Hi, I can’t remember zabadabadoo, I don’t think it did. Also bear in mind there can sometimes be other false positives when you add new applications as rkhunter looks at what is present at point of install.

Try using VirusTotal to check if it is false positive or true positive.