Date:      Fri, 28 Jan 2011 13:24:57 +0200
From:      Daniel Zhelev <daniel@zhelev.biz>
To:        freebsd-security@freebsd.org
Subject:   Re: [FALSE ALARM] Windows virus uploaded after ports update or compromised machine
Message-ID:  <AANLkTinnbb0KMxdNmLS2B_cpFxh7k4_wx38Hx6yJXufo@mail.gmail.com>
In-Reply-To: <AANLkTimzS_DKGhfBiUWeKOS2C3-thGztGoPCvDRG0F2m@mail.gmail.com>
References:  <AANLkTimzS_DKGhfBiUWeKOS2C3-thGztGoPCvDRG0F2m@mail.gmail.com>

On Fri, Jan 28, 2011 at 12:39 PM, Daniel Zhelev <daniel@zhelev.biz> wrote:

> Hello all,
>
> Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and
> today this report came in from ClamAV
>
> Data scanned: 17602.46 MB
> Data read: 67230.77 MB (ratio 0.26:1)
> Time: 4528.782 sec (75 m 28 s)
>
>
> -------------------------------------------------------------------------------
>
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878062
> Engine version: 0.96.5
> Scanned directories: 251182
> Scanned files: 1108908
> Infected files: 0
> Data scanned: 17471.19 MB
> Data read: 67231.75 MB (ratio 0.26:1)
> Time: 3727.463 sec (62 m 7 s)
>
>
> -------------------------------------------------------------------------------
>
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878135
> Engine version: 0.96.5
> Scanned directories: 120669
> Scanned files: 587273
> Infected files: 0
> Data scanned: 14511.79 MB
> Data read: 60574.53 MB (ratio 0.24:1)
> Time: 25865.679 sec (431 m 5 s)
>
>
> -------------------------------------------------------------------------------
>
> /usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
> /jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
> /jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
> /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 878215
> Engine version: 0.96.5
> Scanned directories: 251681
> Scanned files: 1110831
> Infected files: 8
> Data scanned: 17561.01 MB
> Data read: 64728.64 MB (ratio 0.27:1)
> Time: 3368.233 sec (56 m 8 s)
>
> [root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
> -r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
>
> Our AIDE report is pretty useless in this situation since the database
> was rebuilt after the update.
> The machine, however, seems not to be affected - there are no hidden processes,
> strange open ports, new webpages on our web server, new accounts, etc.
> Before we shoot this machine down for re-installation, could someone check
> if this is not a port issue, since lately a lot of open-source projects
> were attacked?
>
> P.S. There is no direct access to any of those jails or the machine itself
> by a Windows host. Other recent activity was to change a hard drive on the
> machine, so the host was down for 3 days before the update, and the last
> AIDE report and ClamAV check is fine.
>

UPDATE: Big fun, it was a ClamAV issue - checked gettext versions up to
0.17 with McAfee and MSA - no viruses found, however with ClamAV:

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected
/jails/samba.sgate.org/storage/csharpexec-test (2).exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.642 sec (0 m 2 s)

This is the file downloaded from http://ftp.gnu.org/gnu/gettext/. Same for
the older versions.

Then I did

[root@wolfdale ~]# freshclam
ClamAV update process started at Fri Jan 28 13:17:58 2011
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12579.cdiff [100%]
Downloading daily-12580.cdiff [100%]
Downloading daily-12581.cdiff [100%]
daily.cld updated (version: 12581, sigs: 33248, f-level: 58, builder: mcichosz)
bytecode.cld is up to date (version: 123, sigs: 29, f-level: 58, builder: edwin)
Database updated (879491 signatures) from database.clamav.net (IP: 193.92.150.194)

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected

----------- SCAN SUMMARY -----------
Known viruses: 878234
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.605 sec (0 m 2 s)
[root@wolfdale ~]#

And, miracle, the virus was gone. Sorry for bothering you :)
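Added example, not part of this thread and not ClamAV or FreeBSD project code: a small Python triage helper for the situation described above. It parses two clamscan --infected runs (the scan before and after freshclam), tells a detection withdrawn by a signature update apart from one that vanished while the database stayed the same, and checks a flagged file against the MD5 that the legacy pkg_install package database (/var/db/pkg/<pkg>/+CONTENTS on FreeBSD 8.x) recorded when the port was installed. The +CONTENTS layout (a file line followed by "@comment MD5:<hex>") is assumed from pkg_install; the scan texts are modelled on the output quoted in the thread, and the package name, file bytes and hash are constructed placeholders.

```python
"""Triage a ClamAV hit: was it withdrawn by a signature update, or did the
file change? Also verify a flagged file against the package's recorded MD5."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class ScanResult:
    detections: Dict[str, str] = field(default_factory=dict)  # path -> signature
    summary: Dict[str, str] = field(default_factory=dict)     # summary key -> value


def parse_clamscan(text: str) -> ScanResult:
    """Parse clamscan output: FOUND lines first, then the SCAN SUMMARY block."""
    result = ScanResult()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                result.summary[m.group("key")] = m.group("value")
            continue
        m = FOUND_RE.match(line)
        if m:
            result.detections[m.group("path")] = m.group("sig")
    return result


def known_viruses(result: ScanResult) -> int:
    return int(result.summary.get("Known viruses", "0"))


def withdrawn_detections(before: ScanResult, after: ScanResult) -> Dict[str, str]:
    """Paths flagged in `before` but clean in `after` (same files scanned)."""
    return {p: s for p, s in before.detections.items() if p not in after.detections}


WITHDRAWN_BY_UPDATE = "withdrawn-by-update"        # signature pulled: likely false positive
GONE_WITHOUT_UPDATE = "gone-without-update"        # same DB, hit gone: did the file change?
UNCHANGED = "unchanged"


def triage(before: ScanResult, after: ScanResult) -> str:
    """Classify what happened between the two scans."""
    if not withdrawn_detections(before, after):
        return UNCHANGED
    engine_changed = before.summary.get("Engine version") != after.summary.get("Engine version")
    if engine_changed or known_viruses(after) != known_viruses(before):
        return WITHDRAWN_BY_UPDATE
    return GONE_WITHOUT_UPDATE


def recorded_md5(contents: str, relpath: str) -> Optional[str]:
    """MD5 that a legacy pkg_install +CONTENTS file records for `relpath`
    (assumed layout: the file line is followed by '@comment MD5:<hex>')."""
    lines = contents.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line == relpath and lines[i + 1].startswith("@comment MD5:"):
            return lines[i + 1].split(":", 1)[1].strip().lower()
    return None


def matches_recorded_md5(data: bytes, contents: str, relpath: str) -> bool:
    """True if the on-disk bytes still match what the package installed."""
    expected = recorded_md5(contents, relpath)
    return expected is not None and hashlib.md5(data).hexdigest() == expected


# Constructed samples, modelled on the clamscan output quoted in the thread.
SCAN_BEFORE = """\
/jails/samba.sgate.org/storage/csharpexec-test (2).exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned files: 1
Infected files: 1
"""
SCAN_AFTER = """\

----------- SCAN SUMMARY -----------
Known viruses: 878234
Engine version: 0.96.5
Scanned files: 1
Infected files: 0
"""
# Constructed stand-ins for the installed file and its +CONTENTS entry
# (package name and hash are placeholders, not values from the thread).
SAMPLE_FILE = b"MZ" + b"\x00" * 14
SAMPLE_RELPATH = "share/doc/gettext/examples/build-aux/csharpexec-test.exe"
SAMPLE_CONTENTS = "\n".join([
    "@name gettext-PLACEHOLDER",
    "@cwd /usr/local",
    SAMPLE_RELPATH,
    "@comment MD5:" + hashlib.md5(SAMPLE_FILE).hexdigest(),
])

if __name__ == "__main__":
    print(triage(parse_clamscan(SCAN_BEFORE), parse_clamscan(SCAN_AFTER)))  # withdrawn-by-update
    print(matches_recorded_md5(SAMPLE_FILE, SAMPLE_CONTENTS, SAMPLE_RELPATH))  # True
```

A hit that disappears on an unchanged file while the signature count moves is, as in this thread, most likely a withdrawn false-positive signature; a hit that disappears with the database unchanged means the file itself changed, which is the case to take to the AIDE baseline. On 8.x, pkg_info -W <path> names the package whose +CONTENTS to consult.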


