From owner-freebsd-security@FreeBSD.ORG Fri Jan 28 11:25:00 2011
Date: Fri, 28 Jan 2011 13:24:57 +0200
From: Daniel Zhelev
To: freebsd-security@freebsd.org
Subject: Re: [FALSE ALARM] Windows virus uploaded after ports update or compromised machine
List-Id: "Security issues [members-only posting]"

On Fri, Jan 28, 2011 at 12:39 PM, Daniel Zhelev wrote:
> Hello all,
>
> Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and
> today this report came in from ClamAV
>
> Data scanned: 17602.46 MB
> Data read: 67230.77 MB (ratio 0.26:1)
> Time: 4528.782 sec (75 m 28 s)
>
> -------------------------------------------------------------------------------
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878062
> Engine version: 0.96.5
> Scanned directories: 251182
> Scanned files: 1108908
> Infected files: 0
> Data scanned: 17471.19 MB
> Data read: 67231.75 MB (ratio 0.26:1)
> Time: 3727.463 sec (62 m 7 s)
>
> -------------------------------------------------------------------------------
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878135
> Engine version: 0.96.5
> Scanned directories: 120669
> Scanned files: 587273
> Infected files: 0
> Data scanned: 14511.79 MB
> Data read: 60574.53 MB (ratio 0.24:1)
> Time: 25865.679 sec (431 m 5 s)
>
> -------------------------------------------------------------------------------
>
> /usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
> /jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878215
> Engine version: 0.96.5
> Scanned directories: 251681
> Scanned files: 1110831
> Infected files: 8
> Data scanned: 17561.01 MB
> Data read: 64728.64 MB (ratio 0.27:1)
> Time: 3368.233 sec (56 m 8 s)
>
> [root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
> -r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
>
> Our AIDE report is pretty useless in this situation since the database
> was rebuilt after the update.
> Machine however seems not to be unaffected - there are no hidden processes,
> strange open ports, new webpages on our web server, new accounts and etc.
> Before we shoot this machine down for re-installation, could someone check
> if this is not a port issue, since lately a lot of opensource projects
> were attacked?
>
> P.S. There is no direct access to any of those jails or the machine itself
> by a Windows host. Other recent activity was to change a hard drive on the
> machine, so the host was down for 3 days before the update, and the last
> AIDE report and ClamAV check were fine.

UPDATE: Big fun, it was a ClamAV issue - checked gettext versions up to 0.17 with McAfee and MSA - no viruses found, however with ClamAV:

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected
/jails/samba.sgate.org/storage/csharpexec-test (2).exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.642 sec (0 m 2 s)

This is the file downloaded from http://ftp.gnu.org/gnu/gettext/
Same for the older versions.

Then I did

[root@wolfdale ~]# freshclam
ClamAV update process started at Fri Jan 28 13:17:58 2011
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12579.cdiff [100%]
Downloading daily-12580.cdiff [100%]
Downloading daily-12581.cdiff [100%]
daily.cld updated (version: 12581, sigs: 33248, f-level: 58, builder: mcichosz)
bytecode.cld is up to date (version: 123, sigs: 29, f-level: 58, builder: edwin)
Database updated (879491 signatures) from database.clamav.net (IP: 193.92.150.194)

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected

----------- SCAN SUMMARY -----------
Known viruses: 878234
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.605 sec (0 m 2 s)
[root@wolfdale ~]#

And, miracle, the virus was gone. Sorry for bothering you :)
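The message above settles the alert by hand: fetch the upstream gettext tarball, scan it, run freshclam, scan again. The script below is an added example, not code from the original post or from the ClamAV or FreeBSD projects, that automates that triage for a whole ports-built host: it parses two clamscan reports (before and after the signature update), classifies each hit as cleared, persisting or new, and then checks whether every flagged file's SHA-256 matches a same-named file inside the upstream distfile. The scan reports, the file contents and the tarball are all constructed inside the script as stand-ins; the paths are modelled on the ones in the report above, and a single tarball stands in for what would really be separate gettext and cmake distfiles. On a real host the installed bytes would be read from disk and the distfile from /usr/ports/distfiles.

```python
"""Triage ClamAV 'FOUND' hits on ports-installed files (added example): diff two
clamscan reports taken before and after freshclam, then compare each flagged
file's SHA-256 with the same-named file in the upstream distfile."""
import hashlib
import io
import re
import tarfile

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_clamscan(report):
    """Return {path: signature} for every 'path: Sig FOUND' line; summary lines are skipped."""
    hits = {}
    for line in report.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits

def diff_scans(before, after):
    """Hits that vanish after a signature update are likely false positives; the rest need a look."""
    return {
        "cleared": sorted(p for p in before if p not in after),
        "persisting": sorted(p for p in before if p in after),
        "new": sorted(p for p in after if p not in before),
    }

def distfile_hashes(tgz_bytes):
    """Map basename -> set of SHA-256 digests of the regular files in a .tar.gz distfile."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                data = tf.extractfile(member).read()
                name = member.name.rsplit("/", 1)[-1]
                digests.setdefault(name, set()).add(hashlib.sha256(data).hexdigest())
    return digests

def verify_provenance(flagged, dist_digests):
    """For {path: installed bytes}, say whether each file is byte-identical to a same-named distfile member."""
    verdicts = {}
    for path, data in flagged.items():
        name = path.rsplit("/", 1)[-1]
        digest = hashlib.sha256(data).hexdigest()
        if name not in dist_digests:
            verdicts[path] = "not-in-distfile"
        elif digest in dist_digests[name]:
            verdicts[path] = "matches-distfile"
        else:
            verdicts[path] = "differs-from-distfile"
    return verdicts

def triage(before_report, after_report, installed, distfile):
    """Run both checks on the hits from the first report and return the classifications."""
    before, after = parse_clamscan(before_report), parse_clamscan(after_report)
    flagged = {p: installed[p] for p in before}
    return {"diff": diff_scans(before, after),
            "provenance": verify_provenance(flagged, distfile_hashes(distfile))}

# --- Constructed sample data (not real scan output, files or distfiles) ---
BEFORE_REPORT = """\
/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
Infected files: 3
"""
AFTER_REPORT = """\
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
Infected files: 1
"""
UPSTREAM_EXE = b"MZ\x90\x00" + b"\x00" * 60   # stand-in for the shipped test binary
UPSTREAM_MACRO = b"Imports System\r\n"        # stand-in for the shipped macro file
# Installed copies: both .exe copies are pristine, the macro has extra bytes appended.
INSTALLED = {
    "/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe": UPSTREAM_EXE,
    "/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe": UPSTREAM_EXE,
    "/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros": UPSTREAM_MACRO + b"' extra\r\n",
}

def build_sample_distfile():
    """Build an in-memory .tar.gz standing in for the upstream distfile(s)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in (("pkg-1.0/examples/build-aux/csharpexec-test.exe", UPSTREAM_EXE),
                           ("pkg-1.0/Templates/CMakeVSMacros1.vsmacros", UPSTREAM_MACRO)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    result = triage(BEFORE_REPORT, AFTER_REPORT, INSTALLED, build_sample_distfile())
    print(result["diff"])
    print(result["provenance"])
```

With the constructed data the two csharpexec-test.exe hits are cleared by the signature update and are byte-identical to the distfile member, which is the false-positive pattern from the thread; the macro file still trips the new signatures and differs from upstream, which is the case that would justify keeping the host offline. Matching on basename is deliberate: the install path under /usr/local rarely equals the path inside the tarball, and an attacker who dropped a same-named file elsewhere would still show up as "differs-from-distfile" or "not-in-distfile".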