Date: Fri, 28 Jan 2011 12:39:24 +0200 From: Daniel Zhelev <daniel@zhelev.biz> To: freebsd-security@freebsd.org Subject: Windows virus uploaded after ports update or compromised machine Message-ID: <AANLkTimzS_DKGhfBiUWeKOS2C3-thGztGoPCvDRG0F2m@mail.gmail.com>
Hello all,

Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and today this report came in from ClamAV:

Data scanned: 17602.46 MB
Data read: 67230.77 MB (ratio 0.26:1)
Time: 4528.782 sec (75 m 28 s)

-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 878062
Engine version: 0.96.5
Scanned directories: 251182
Scanned files: 1108908
Infected files: 0
Data scanned: 17471.19 MB
Data read: 67231.75 MB (ratio 0.26:1)
Time: 3727.463 sec (62 m 7 s)

-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 878135
Engine version: 0.96.5
Scanned directories: 120669
Scanned files: 587273
Infected files: 0
Data scanned: 14511.79 MB
Data read: 60574.53 MB (ratio 0.24:1)
Time: 25865.679 sec (431 m 5 s)

-------------------------------------------------------------------------------
/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
/jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 251681
Scanned files: 1110831
Infected files: 8
Data scanned: 17561.01 MB
Data read: 64728.64 MB (ratio 0.27:1)
Time: 3368.233 sec (56 m 8 s)

[root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
-r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe

Our AIDE report is pretty useless in this situation since the database was rebuilt after the update. The machine, however, seems not to be affected: there are no hidden processes, strange open ports, new webpages on our web server, new accounts, etc. Before we shoot this machine down for re-installation, could someone check if this is not a port issue, since lately a lot of open source projects were attacked?

P.S. There is no direct access to any of those jails or the machine itself by a Windows host. Other recent activity was to change a hard drive on the machine, so the host was down for 3 days before the update, and the last AIDE report and ClamAV check are fine.
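One way to tell a file the port installed from one that was altered afterwards, as an added example that is not part of this post or of any FreeBSD tool: compare each flagged file with the MD5 the package database recorded at install time. It assumes the pkg_install layout of that era (/var/db/pkg/<pkg>/+CONTENTS with "@cwd" and "@comment MD5:" lines) and builds its own constructed sample tree instead of touching a real system.

```python
import hashlib
import os
import tempfile

# Assumed layout (pkg_install era, FreeBSD 8.x): /var/db/pkg/<pkg>/+CONTENTS lists each
# installed file relative to the last "@cwd", followed by "@comment MD5:<hex>" (install-time checksum).

def parse_contents(text):
    """Yield (absolute_path, md5hex) for every checksummed file in +CONTENTS."""
    cwd, pending = "/", None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("@cwd "):
            cwd = line[5:].strip()
        elif line.startswith("@comment MD5:") and pending:
            yield pending, line[len("@comment MD5:"):].strip().lower()
            pending = None
        elif line and not line.startswith("@"):  # @name, @exec, @dirrm carry no file
            pending = os.path.join(cwd, line)

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_contents(text, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'}; root lets you point at a jail."""
    results = {}
    for path, expected in parse_contents(text):
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            results[path] = "missing"
        else:
            results[path] = "ok" if md5_of(on_disk) == expected else "modified"
    return results

def demo():
    # Constructed sample tree: one file intact, one altered after install, one deleted.
    root = tempfile.mkdtemp()
    rel = "share/doc/gettext/examples/build-aux/csharpexec-test.exe"
    intact = os.path.join(root, "usr/local", rel)
    os.makedirs(os.path.dirname(intact))
    with open(intact, "wb") as f:
        f.write(b"constructed sample, not a real binary\n")
    with open(os.path.join(root, "usr/local/share/doc/gettext/NEWS"), "wb") as f:
        f.write(b"content changed after install\n")
    contents = "\n".join([
        "@name gettext-VERSION", "@cwd /usr/local",
        rel, "@comment MD5:" + md5_of(intact),
        "share/doc/gettext/NEWS", "@comment MD5:" + "0" * 32,
        "share/doc/gettext/README", "@comment MD5:" + "f" * 32, ""])
    return verify_contents(contents, root)
```

On a real host, feed verify_contents the +CONTENTS text of the gettext package with root set to "/" or to a jail path such as /jails/db.sgate.org. A match only shows the file is what the package wrote, so the distfile checksum in the port's distinfo is the next thing to compare.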
