Unfortunately I have very little Linux experience. We have an Amazon instance running Debian 7.6 and got a message from Amazon saying we were port scanning. We have hopefully stopped this by restricting outbound traffic via an Amazon security group, but as part of the investigation we ran:

sudo clamscan -r -i --bell

this showed the following possible infection:

/var/lib/tomcat7/update_temporary: Unix.Trojan.Elknot FOUND

and I can find very little about this (though there is some material about "ElkKnot", with an extra K - are they the same thing?).

The following warnings also appear multiple times in the output:

WARNING: Can't open file /sys/module/nfnetlink_log/uevent: Permission denied
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0

So my questions are: How can I tell whether the reported infection is genuine or a false positive? Should I be worried about all the LibClamAV warnings? Are they an indication of something wrong, or of Debian not being set up correctly?

1 Answer

As far as "How can I tell whether ... genuine or false positive?"

You may want to copy the file (if possible) to another medium to test with a virus scanner other than ClamAV (if you have concerns on the validity of Clam's result).

Alternatively, if you're reluctant to move the file from one machine to another - you may wish to make the file accessible on a web server - and test with a URL test utility like https://www.virustotal.com/ to see if it too confirms a hit.

Obviously, you'll want to revert/delete any files.

If you'd like confirmation of the programs attempting inbound/outbound communications - try this...

netstat -tnp | awk '/:80 */ {split($NF,a,"/"); print a[2],a[1]}'

Note: if the process is running with root privs - and it unfortunately likely is - you'll need to execute the above command with matching privs for the program to be detected.

sonnik
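The following is an added example, not part of the answer above or of the asker's machine. It generalises the answer's awk one-liner from port 80 to every connection, groups the output by program and PID so a process holding many outbound connections (what the port-scan report describes) stands out once with a count, and adds a hash helper so the flagged file can be checked on VirusTotal by SHA-256 lookup instead of exposing the sample on a web server. The netstat output it parses is a constructed sample in the format Debian's net-tools prints; the PIDs, addresses and the appearance of update_temporary in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Run as root: netstat -p
# only reports the PID/program for sockets owned by processes you may inspect;
# everything else shows up as "-" in the last column.

# Constructed sample of `netstat -tnp` output (net-tools layout). Not captured
# from any real host; the process called update_temporary is assumed here only
# because that is the file name ClamAV flagged in the question.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             203.0.113.9:51022       ESTABLISHED 812/sshd
tcp        0      1 10.0.0.5:40112          198.51.100.20:22        SYN_SENT    2210/update_temporary
tcp        0      1 10.0.0.5:40113          198.51.100.21:22        SYN_SENT    2210/update_temporary
tcp        0      1 10.0.0.5:40114          198.51.100.22:22        SYN_SENT    2210/update_temporary
tcp        0      0 10.0.0.5:8080           203.0.113.40:61234      ESTABLISHED 1401/java
tcp        0      0 10.0.0.5:8080           203.0.113.41:61235      ESTABLISHED -'

# Reads `netstat -tnp` output on stdin and prints "count program pid", busiest
# process first. The two header lines are skipped. Sockets whose PID/Program
# column is "-" belong to processes the caller cannot see (or kernel sockets)
# and are summed under "unknown".
list_connected_programs() {
  awk 'NR > 2 {
         n = split($NF, a, "/")
         if (n == 2) key = a[2] " " a[1]; else key = "unknown -"
         count[key]++
       }
       END { for (k in count) print count[k], k }' | sort -rn
}

# SHA-256 of a quarantined file, for looking the sample up by hash rather than
# uploading it or serving it over HTTP. Uses sha256sum from GNU coreutils.
file_hash() {
  sha256sum "$1" | awk '{ print $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | list_connected_programs
```

Use it live with `netstat -tnp | list_connected_programs`; a process that appears with many SYN_SENT or ESTABLISHED connections to different remote hosts is the one to inspect (`ls -l /proc/<pid>/exe` shows which binary it is). Newer Debian releases ship `ss -tnp` instead of netstat; its process column is formatted differently, so the awk would need adjusting for that tool. `file_hash /path/to/quarantined/copy` gives the value to search on VirusTotal without the file ever leaving the host.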