Is this an accurate method for detecting operation windigo?

I run this in terminal and I get system infected: ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo “System clean” || echo “System infected”.
So is it accurate? I ran other tests and everything seems ok. Should I wipe my HDD? What about other computers on my network? Note I don’t run a server.

No it's not.
Where did you get that command?

Edit: nevermind I found it:

1 Like

It originates from ESET’s whitepaper "Operation Windigo - The vivisection of a large Linux server-side credential stealing malware campaign" published 3 years ago.

In page 58 the code snippet is listed as a quickie method for finding out if the system is compromised by Linux/Ebury. On the same page a better way of checking is explained, one that involves inspecting POSIX shared memory segments.

@ouroumov is right: one should not rely on such quickie methods that rely on certain strings being present in a command’s output.

1 Like

Chkrootkit showed possible installation Operation Windigo. I formatted my pc a week ago; these hackers are either good enough to survive a format or they know my habits so they somehow infected me. If I am infected in the first place. I get this when I enter # ipcs -m:

sudo # ipcs -m
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] [VAR=value] [-i|-s] []
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file …
Same results with sudo # ipcs -m -p.

I guess it is a false alarm. If it is I apologise for bothering you.

Do not type the #, it's there to indicate the command should be run as root (root user has # at the end of their prompt, $ indicates a command to be run as a regular user). So, use sudo to run the command as root:

sudo ipcs -m 

In the output look for segments that have a number bigger than 600 in the "perms" (permissions) column. If everything is 600, I'd say you're good to go. If you see 666, for example, use the "shmid" (segment ID) to get more info as instructed on page 58 of the whitepaper.

[not sure how to quote using this interface…]

I’ve been bitching for years about quickie methods like that, and how ubiquitous they are within linux (probably all Unix-derived systems), but it seems like the linux old-timers always thought it should be done that way so it’s the way it should be done; go figure.

I get 600 as permission, so I guess it is all good. I guess the quickie methods are used by anti-virus companies to trick noobs into thinking that they have something going in their computers to sell more of their products. Thank you for your time. I highly appreciate it.