From: Daniel Zhelev
To: freebsd-security@freebsd.org
Date: Fri, 28 Jan 2011 12:39:24 +0200
Subject: Windows virus uploaded after ports update or compromised machine
List-Id: "Security issues [members-only posting]"

Hello all,

Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server, and today this report came in from ClamAV:

Data scanned: 17602.46 MB
Data read: 67230.77 MB (ratio 0.26:1)
Time: 4528.782 sec (75 m 28 s)

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 878062
Engine version: 0.96.5
Scanned directories: 251182
Scanned files: 1108908
Infected files: 0
Data scanned: 17471.19 MB
Data read: 67231.75 MB (ratio 0.26:1)
Time: 3727.463 sec (62 m 7 s)
-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 878135
Engine version: 0.96.5
Scanned directories: 120669
Scanned files: 587273
Infected files: 0
Data scanned: 14511.79 MB
Data read: 60574.53 MB (ratio 0.24:1)
Time: 25865.679 sec (431 m 5 s)

-------------------------------------------------------------------------------

/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
/jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 251681
Scanned files: 1110831
Infected files: 8
Data scanned: 17561.01 MB
Data read: 64728.64 MB (ratio 0.27:1)
Time: 3368.233 sec (56 m 8 s)

[root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
-r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe

Our AIDE report is pretty useless in this situation, since the database was rebuilt after the update.
The machine, however, seems not to be affected: there are no hidden processes, strange open ports, new web pages on our web server, new accounts, etc. Before we shoot this machine down for re-installation, could someone check whether this is not a port issue, since lately a lot of open-source projects have been attacked?

P.S. There is no direct access to any of those jails, or to the machine itself, by a Windows host. Other recent activity was to change a hard drive on the machine, so the host was down for 3 days before the update, and the last AIDE report and ClamAV check were fine.
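The check a practitioner would want before reinstalling the host: confirm whether each flagged file is byte-identical to the copy inside the port's distfile, the upstream tarball the port was built from (normally cached under /usr/ports/distfiles). A file that matches the tarball was put there by the port build; a file that differs, or that the tarball does not contain at all, is the one that justifies the reinstall. The script below is an added example, not code from the original post or from the FreeBSD ports tree; the tarball, the member path inside it and the file contents are constructed for the demonstration and stand in for the real gettext distfile and the installed csharpexec-test.exe.

```shell
#!/bin/sh
# Added example (not part of the original post): decide whether a file flagged
# by a scanner is the same bytes the port installed, by comparing it with the
# corresponding member of the port's distfile tarball.
#
# Assumptions: tar(1) accepts -O (extract a member to stdout; GNU tar and
# bsdtar both do, and both read a .tar.gz distfile transparently), and cmp(1)
# and mktemp(1) are available. The tarball, member path and file contents
# below are constructed for this demonstration and stand in for the real
# gettext distfile under /usr/ports/distfiles.

# check_against_distfile TARBALL MEMBER INSTALLED_FILE
# Prints one line and returns 0 if INSTALLED_FILE is byte-identical to MEMBER
# inside TARBALL, 1 if the bytes differ, 2 if MEMBER is not in the tarball.
check_against_distfile() {
    cad_tarball=$1
    cad_member=$2
    cad_installed=$3
    cad_tmp=$(mktemp -t distchk.XXXXXX) || return 2
    if ! tar -xOf "$cad_tarball" "$cad_member" > "$cad_tmp" 2>/dev/null; then
        rm -f "$cad_tmp"
        echo "MISSING  $cad_member is not in $cad_tarball"
        return 2
    fi
    if cmp -s "$cad_tmp" "$cad_installed"; then
        rm -f "$cad_tmp"
        echo "MATCH    $cad_installed is identical to $cad_tarball:$cad_member"
        return 0
    fi
    rm -f "$cad_tmp"
    echo "DIFFERS  $cad_installed does not match $cad_tarball:$cad_member"
    return 1
}

# --- constructed sample data ------------------------------------------------
WORK=$(mktemp -d -t distchk.XXXXXX)
trap 'rm -rf "$WORK"' EXIT

# Path of the flagged file inside the (fake) distfile. The real member path
# depends on the gettext version, so this one is an assumption.
MEMBER=gettext-x.y/gettext-tools/examples/build-aux/csharpexec-test.exe
mkdir -p "$WORK/src/${MEMBER%/*}"
printf 'MZ constructed stand-in for csharpexec-test.exe\n' > "$WORK/src/$MEMBER"

# Fake distfile (left uncompressed; tar -xOf handles a real .tar.gz the same way).
DISTFILE=$WORK/gettext-x.y.tar
( cd "$WORK/src" && tar -cf "$DISTFILE" "${MEMBER%%/*}" )

# One copy exactly as the port would install it, one with bytes appended later.
INSTALLED=$WORK/installed/csharpexec-test.exe
TAMPERED=$WORK/tampered/csharpexec-test.exe
mkdir -p "$WORK/installed" "$WORK/tampered"
cp "$WORK/src/$MEMBER" "$INSTALLED"
{ cat "$INSTALLED"; printf 'appended-after-install\n'; } > "$TAMPERED"

# --- run the check over each copy; a non-zero status is the finding ---------
check_against_distfile "$DISTFILE" "$MEMBER" "$INSTALLED"        || echo "  exit status $?"
check_against_distfile "$DISTFILE" "$MEMBER" "$TAMPERED"         || echo "  exit status $?"
check_against_distfile "$DISTFILE" "no/such/member" "$INSTALLED" || echo "  exit status $?"
```

On the real host, run the function once per flagged path (the base system and each jail under /jails) against the cached gettext and cmake distfiles. The comparison only says whether the installed bytes came from that tarball; to confirm the tarball itself is what the port expects, run `make checksum` in the port's directory, which compares the distfile with the SHA256 recorded in its distinfo. Since the AIDE database was rebuilt after the update, this is the evidence that remains for these files; keeping the pre-update database next time would answer the same question directly.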