Suppose system components have been patched since then and ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
is nowadays producing false positives only.
Ran this on a couple of my Linux boxes and all returned as being infected, which, though, is not the case.
The correct version of the test is:
ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"
As a -G option has been added to ssh, the -e Gg is needed to prevent false positives.
Not sure how you reached the conclusion that the Pi has been infected with that particular strain, but it would not survive an HD formatting and reinstallation of the OS in any event.
If the pi repo provides the rkhunter (rootkit hunter) package you could install it or install it manually Rootkit Hunter / Code / [016a77] /files/README
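An added example, not code from the thread or from either poster: a small POSIX shell script that separates the decision logic of the one-liner above from the act of running ssh, so the three cases the thread describes can be checked against constructed sample output without touching a live binary. The sample strings are constructed for this example and are not captured from any real machine; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors the grep in the forum
# one-liner: the output of `ssh -G 2>&1` is treated as clean when it
# contains any of the three markers, and as infected otherwise.
#
# Why those markers, per the thread:
#  - an old, unmodified ssh has no -G option at all and complains with
#    "illegal option" or "unknown option";
#  - a current, unmodified ssh does have -G; with no host given it prints
#    its usage line, whose option cluster contains "Gg";
#  - a backdoored binary that quietly accepts -G prints neither, which is
#    the case the one-liner reports as "System infected".

# Classify a captured `ssh -G` output string: prints "clean" or "infected".
classify_ssh_output() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown -e Gg; then
        echo clean
    else
        echo infected
    fi
}

# Run the real check on this host, exactly as the thread's one-liner does.
# Kept in a function so the script can be sourced without running ssh.
check_local_ssh() {
    classify_ssh_output "$(ssh -G 2>&1)"
}

# Constructed sample outputs (not captured from any real system).
# Old OpenSSH without -G: the complaint matches "illegal".
OLD_SSH='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Current OpenSSH with -G and no host: the usage line matches "Gg".
NEW_SSH='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]'

# Output carrying none of the markers, which the one-liner flags.
NO_MARKER='hostname: Name or service not known'

# Stand-alone run: show the verdict for each constructed sample.
for name in OLD_SSH NEW_SSH NO_MARKER; do
    eval "sample=\$$name"
    printf '%-10s %s\n' "$name" "$(classify_ssh_output "$sample")"
done
```

Running the script prints clean for the two unmodified-ssh samples and infected for the third; `check_local_ssh` reproduces the thread's command on the machine it is run on, and on a current OpenSSH it is the "Gg" marker alone that keeps the verdict at clean.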
I already suspected the command was giving false positives. Because the sites with the description of the command are already several years old. And I expected there would be some changes in the files by upgrades since that time.
But the RPi with the OS that was already several years old, which gave “clean”, still gave “clean” after the update and upgrade. After the update/upgrade the newer files should give a false positive now. But they didn’t. And that was what confused me.
Thanks for the correct version of the command. I tested it on my Xubuntu laptop and ssh'd into my Omnia and ran the command there also.
First the old command and then the new one. In both cases infected with the old and clean with the new.
https://www.walagata.com/w/nightwalker/Omnia/Toch_schoon.jpg
I did the test again with the freshly installed RPi and ssh'd into the Domoticz Pi with that one. Nothing to lose on the freshly installed Pi.
Result was the same for both. Infected with the old and clean with the new command.
https://www.walagata.com/w/nightwalker/Omnia/Ook_schoon.jpg
So, all the computers are clean of an ssh infection. I only have to re-install the Domoticz Pi to get rid of the botnet which is trying to call all these strange IP addresses.
Rootkit Hunter is available for the RPi. I just installed it on the freshly installed Pi to experiment with. And installed it on the Domoticz Pi.
Both checks came out clean. But I still have to experiment some more with the settings of rkhunter.