False Positives in chkrootkit

swarfendor437 · 13 December 2020 13:13

Hi, Just been running chkrootkit and it reported this:

Searching for Linux.Xor.DDoS ... INFECTED: >Possible Malicious Linux.Xor.DDoS installed
/tmp/timeshift/uxloY7as/2020-12-13_11-07-22/script.sh
/tmp/timeshift/uxloY7as/2020-12-13_11-00-02/script.sh

Having done a search found various posts that point out if an executable lives in /tmp - it will report this false positive.

zabadabadoo · 13 December 2020 16:49

Does Rkhunter indicate anything on same machine?

swarfendor437 · 18 December 2020 23:10

Hi, I can’t remember zabadabadoo, I don’t think it did. Also bear in mind there can sometimes be other false positives when you add new applications as rkhunter looks at what is present at point of install.

Der_Panzer · 19 January 2021 06:53

Try using VirusTotal to check if it is false positive or true positive.