Daniel Zhelev
2011-Jan-28 11:08 UTC
Windows virus uploaded after ports update or compromised machine
Hello all,

Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and today this report came in from ClamAV:

Data scanned: 17602.46 MB
Data read: 67230.77 MB (ratio 0.26:1)
Time: 4528.782 sec (75 m 28 s)

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 878062
Engine version: 0.96.5
Scanned directories: 251182
Scanned files: 1108908
Infected files: 0
Data scanned: 17471.19 MB
Data read: 67231.75 MB (ratio 0.26:1)
Time: 3727.463 sec (62 m 7 s)

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 878135
Engine version: 0.96.5
Scanned directories: 120669
Scanned files: 587273
Infected files: 0
Data scanned: 14511.79 MB
Data read: 60574.53 MB (ratio 0.24:1)
Time: 25865.679 sec (431 m 5 s)

-------------------------------------------------------------------------------

/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
/jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 251681
Scanned files: 1110831
Infected files: 8
Data scanned: 17561.01 MB
Data read: 64728.64 MB (ratio 0.27:1)
Time: 3368.233 sec (56 m 8 s)

[root@wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
-r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe

Our AIDE report is pretty useless in this situation since the database was rebuilt after the update.
The machine, however, seems to be unaffected: there are no hidden processes, strange open ports, new web pages on our web server, new accounts, etc.
Before we shoot this machine down for reinstallation, could someone check whether this is a ports issue, since lately a lot of open-source projects have been attacked?

P.S. There is no direct access to any of those jails or the machine itself by a Windows host. Other recent activity was to change a hard drive on the machine, so the host was down for 3 days before the update, and the last AIDE report and ClamAV check were fine.
Daniel Zhelev
2011-Jan-28 11:25 UTC
[FALSE ALARM] Windows virus uploaded after ports update or compromised machine
On Fri, Jan 28, 2011 at 12:39 PM, Daniel Zhelev <daniel@zhelev.biz> wrote:
> Hello all,
>
> Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and
> today this report came in from ClamAV
>
> [...]

UPDATE: Big fun, it was a ClamAV issue. Checked gettext versions up to 0.17 with McAfee and MSA: no viruses found. However, with ClamAV:

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected
/jails/samba.sgate.org/storage/csharpexec-test (2).exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.642 sec (0 m 2 s)

This is the file downloaded from http://ftp.gnu.org/gnu/gettext/. Same for the older versions.

Then I did:

[root@wolfdale ~]# freshclam
ClamAV update process started at Fri Jan 28 13:17:58 2011
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12579.cdiff [100%]
Downloading daily-12580.cdiff [100%]
Downloading daily-12581.cdiff [100%]
daily.cld updated (version: 12581, sigs: 33248, f-level: 58, builder: mcichosz)
bytecode.cld is up to date (version: 123, sigs: 29, f-level: 58, builder: edwin)
Database updated (879491 signatures) from database.clamav.net (IP: 193.92.150.194)

[root@wolfdale ~]# /usr/local/bin/clamscan -r /jails/samba.sgate.org/storage/csharpexec-test\ \(2\).exe --infected

----------- SCAN SUMMARY -----------
Known viruses: 878234
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.605 sec (0 m 2 s)
[root@wolfdale ~]#

And, miracle, the virus was gone. Sorry for bothering you :)
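The check the poster did by hand (download the pristine gettext tarball from ftp.gnu.org and scan it too) can be made mechanical: compare the flagged installed file byte for byte with the copy inside the upstream distfile. On a FreeBSD ports box that tarball is normally already in /usr/ports/distfiles and has been checksummed against the port's distinfo by `make checksum`, so a trusted reference is at hand without a fresh download. The script below is an added example and not part of the thread; it assumes a POSIX sh with tar, mktemp and either GNU sha256sum or BSD sha256, and the demo builds its own constructed tarball rather than using real gettext files.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a file that a
# scanner flagged is byte-identical to the copy inside the upstream distfile.
# Assumes POSIX sh, tar, mktemp and either sha256sum (GNU) or sha256 (BSD).

# SHA-256 of a file, portable across GNU coreutils and the BSD userland.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_against_distfile FLAGGED_FILE TARBALL MEMBER
# Extracts MEMBER from TARBALL into a scratch directory and compares hashes.
# Returns 0 if the installed file equals the upstream copy, 1 if it differs,
# 2 if MEMBER is not in the tarball.
verify_against_distfile() {
    flagged=$1
    tarball=$2
    member=$3
    scratch=$(mktemp -d) || return 2
    if ! tar -xf "$tarball" -C "$scratch" "$member" 2>/dev/null; then
        rm -rf "$scratch"
        echo "verify_against_distfile: $member not found in $tarball" >&2
        return 2
    fi
    want=$(sha256_of "$scratch/$member")
    have=$(sha256_of "$flagged")
    rm -rf "$scratch"
    if [ "$want" = "$have" ]; then
        echo "MATCH    $flagged == $tarball:$member"
        return 0
    fi
    echo "MISMATCH $flagged != $tarball:$member"
    return 1
}

# Self-contained demonstration on constructed data (no real gettext files):
# build a fake distfile, "install" the member, check it, then append bytes
# to the installed copy and check again. Returns 0 when the pristine copy
# matches and the modified copy is reported as a mismatch.
demo_false_positive_check() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/src/gettext-0.18/build-aux" "$work/installed"
    printf 'MZ constructed sample bytes, not a real PE file\n' \
        > "$work/src/gettext-0.18/build-aux/csharpexec-test.exe"
    (cd "$work/src" && tar -cf "$work/gettext-0.18.tar" gettext-0.18)
    cp "$work/src/gettext-0.18/build-aux/csharpexec-test.exe" "$work/installed/"

    if verify_against_distfile "$work/installed/csharpexec-test.exe" \
            "$work/gettext-0.18.tar" gettext-0.18/build-aux/csharpexec-test.exe
    then pristine=0; else pristine=1; fi

    printf 'trailing bytes simulating a local modification\n' \
        >> "$work/installed/csharpexec-test.exe"
    if verify_against_distfile "$work/installed/csharpexec-test.exe" \
            "$work/gettext-0.18.tar" gettext-0.18/build-aux/csharpexec-test.exe
    then tampered=0; else tampered=1; fi

    rm -rf "$work"
    [ "$pristine" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo_false_positive_check
```

A match tells you the installed file is exactly what upstream ships, which rules out a local modification on the host or in the jail; it does not by itself rule out a compromised upstream. What settled it in this thread was the second half of the poster's check: the detection vanished after `freshclam` pulled a newer daily.cld, which points at the signature rather than the file. Running the hash comparison on every path the scanner listed (all eight here) takes seconds and is worth doing before wiping a machine.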