Windows virus uploaded after ports update or compromised machine

Daniel Zhelev daniel at zhelev.biz
Fri Jan 28 11:07:37 UTC 2011


Hello all,

Yesterday we've updated all ports on our FreeBSD 8.1-RELEASE server and
today this report came in from ClamAV:

Data scanned: 17602.46 MB
Data read: 67230.77 MB (ratio 0.26:1)
Time: 4528.782 sec (75 m 28 s)

-------------------------------------------------------------------------------


----------- SCAN SUMMARY -----------
Known viruses: 878062
Engine version: 0.96.5
Scanned directories: 251182
Scanned files: 1108908
Infected files: 0
Data scanned: 17471.19 MB
Data read: 67231.75 MB (ratio 0.26:1)
Time: 3727.463 sec (62 m 7 s)

-------------------------------------------------------------------------------


----------- SCAN SUMMARY -----------
Known viruses: 878135
Engine version: 0.96.5
Scanned directories: 120669
Scanned files: 587273
Infected files: 0
Data scanned: 14511.79 MB
Data read: 60574.53 MB (ratio 0.24:1)
Time: 25865.679 sec (431 m 5 s)

-------------------------------------------------------------------------------

/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/web.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros1.vsmacros: Trojan.Gendal-7 FOUND
/jails/db.sgate.org/usr/local/share/cmake/Templates/CMakeVSMacros2.vsmacros: Trojan.Gendal-7 FOUND
/jails/ftp.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/samba.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND
/jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe: Trojan.Gendal-7 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 878215
Engine version: 0.96.5
Scanned directories: 251681
Scanned files: 1110831
Infected files: 8
Data scanned: 17561.01 MB
Data read: 64728.64 MB (ratio 0.27:1)
Time: 3368.233 sec (56 m 8 s)

[root at wolfdale ~]# ls -al /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe
-r--r--r--  1 root  wheel  2560 Oct 13 09:05 /jails/backup.sgate.org/usr/local/share/doc/gettext/examples/build-aux/csharpexec-test.exe

Our AIDE report is pretty useless in this situation since the database
was rebuilt after the update.
Machine however seems not to be unaffected - there are no hidden processes,
strange open ports, new webpages on our web server, new accounts, etc.
Before we shoot this machine down for re-installation, could someone check
if this is not a port issue, since lately a lot of open-source projects were
attacked?

P.S. There is no direct access to any of those jails or the machine itself
by a Windows host. Other recent activity was to change a hard drive on the
machine, so the host was down for 3 days before the update, and the last
AIDE report and ClamAV check are fine.
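When the AIDE baseline has been rebuilt after the update, one record that still predates the scan is the checksum the package tools wrote at install time. The script below is an added example, not code from the post or from the FreeBSD project: it parses the old pkg_install `+CONTENTS` format (assumed here as `@cwd <prefix>`, a relative file path, then `@comment MD5:<hex>` for that file), hashes the flagged gettext file under the host root and under each jail root, and classes the set of copies as either all identical to what the package installed, or divergent on some host. The fixture is constructed in a temporary directory with stand-in bytes; the jail roots and package name are placeholders, not values from the report.

```python
#!/usr/bin/env python3
"""Cross-check a scanner-flagged file against the package database's
recorded checksum and against the same path in every jail.

Added example; assumes the pkg_install +CONTENTS layout described in
the lead-in. All file contents below are constructed stand-ins."""
import hashlib
import os
import tempfile

# Path from the ClamAV report, relative to the /usr/local prefix.
PKG_FILE = "share/doc/gettext/examples/build-aux/csharpexec-test.exe"


def md5_of(path):
    """MD5 of a file, read in chunks (MD5 is what +CONTENTS records)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_contents(text):
    """Parse a +CONTENTS file into {absolute_path: md5}.

    Assumed format: '@cwd <dir>' sets the prefix, a plain line is a file
    path relative to it, and the '@comment MD5:<hex>' line that follows
    records that file's checksum. Other @-directives are ignored."""
    cwd, last, recorded = "/", None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("@cwd "):
            cwd = line.split(None, 1)[1]
        elif line.startswith("@comment MD5:"):
            if last is not None:
                recorded[last] = line[len("@comment MD5:"):].strip().lower()
        elif line.startswith("@"):
            continue
        else:
            last = os.path.join(cwd, line)
    return recorded


def check_copy(root, recorded):
    """Hash the flagged file under one root (host '/' or a jail
    directory) and compare with the package's recorded MD5."""
    full = os.path.join(root, "usr/local", PKG_FILE)
    if not os.path.isfile(full):
        return ("missing", None)
    actual = md5_of(full)
    expected = recorded.get("/usr/local/" + PKG_FILE)
    if expected is None:
        return ("unrecorded", actual)
    return ("match" if actual == expected else "mismatch", actual)


def classify(results):
    """results: {root_name: (status, md5)} -> one-word verdict."""
    hashes = {h for _, h in results.values() if h}
    statuses = {s for s, _ in results.values()}
    if statuses == {"match"} and len(hashes) == 1:
        return "identical-and-recorded"  # every copy is what the package installed
    if "mismatch" in statuses or len(hashes) > 1:
        return "divergent"  # at least one copy differs from the package record
    return "inconclusive"


def build_demo():
    """Constructed fixture: a host root and two jail roots, each with its
    own +CONTENTS. The 'jail_db' copy is deliberately altered by one byte."""
    base = tempfile.mkdtemp()
    payload = b"MZ" + b"\x00" * 2558  # constructed 2560-byte stand-in
    tampered = payload[:-1] + b"\x01"
    roots = {}
    for name, data in (("host", payload), ("jail_web", payload), ("jail_db", tampered)):
        root = os.path.join(base, name)
        path = os.path.join(root, "usr/local", PKG_FILE)
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(data)
        # Each package database records the checksum of the file the port built.
        roots[root] = "@name gettext-PLACEHOLDER\n@cwd /usr/local\n%s\n@comment MD5:%s\n" % (
            PKG_FILE, hashlib.md5(payload).hexdigest())
    return roots


def run_demo():
    roots = build_demo()
    results = {os.path.basename(r): check_copy(r, parse_contents(c))
               for r, c in roots.items()}
    return results, classify(results)


if __name__ == "__main__":
    res, verdict = run_demo()
    for name, (status, digest) in sorted(res.items()):
        print("%-10s %-10s %s" % (name, status, digest))
    print("verdict:", verdict)
```

A verdict of `identical-and-recorded` across the host and every jail says the file is exactly what the port installed on each of them, which is consistent with a test binary shipped in the gettext distribution rather than a per-host implant; `divergent` points at the host whose copy no longer matches. The package record only vouches for what the port built, so the next step on a real system is to compare the installed file against the distfile checksum in the port's `distinfo` or the upstream release, and on FreeBSD 8.x the same per-package check is what `pkg_info -g` performs.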


More information about the freebsd-security mailing list