
Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.



Is there any chance that you installed the 8.5.7 version from the development release?

For a brief time the 8.5.7 version available for download had some preliminary work that was not yet intended to be released. If you find any of the following files in your installation, please delete them:

    rm -f /etc/condor/config.d/50ec2.config
    rm -f /etc/condor/config.d/49ec2-instance.sh
    rm -f /etc/condor/master_shutdown_script.sh

This was not present in the stable release (8.4.9). However, since the symptoms match, it is worth mentioning. If you have the master_shutdown_script.sh present, the machine will shut itself down after 15 minutes with no HTCondor job.

...Tim


On 11/11/2016 06:08 PM, Benjamin LIPERE wrote:
Hello.

I did a scan with ESET too.
Nothing.
And same md5.

This probably is a false positive.
But there are two things to know if you are a "hard" in security:
1) Drweb lasts 30 min under attack because it is a "new program"; other antivirus programs last around 30 seconds
2) ClamAV scans have only a 30-40% rate of detection, which is pretty low.

Also, I did have some strange behavior.
Once installed, the computers of my cluster keep shutting themselves down.
I am using port 4445 for a shutdown/reboot script.
Does the latest version of HTCondor use this port?

What should we do, please?
Thanks in advance.
Best Regards.
Benjamin.

2016-11-12 0:51 GMT+01:00 Aaron Moate <wiscmoate@xxxxxxxxx>:
Hello Ben,

   I tried scanning the .deb with clamav. It shows as clean for
me.  I'm trying to get the one-month trial of drweb working so
that I can try its scan.  Could you give us some more data,
like the specifics of the detection message?

   I show the specifics of my clamav scan method below.

Cheers,
Aaron Moate
CHTC Infrastructure Team


Here's the md5sum of the .deb I checked:

moate@localhost:~$ md5sum condor_8.4.9-382747-ubuntu14_amd64.deb
0597e97d242cf0a65005902888ee81c1  condor_8.4.9-382747-ubuntu14_amd64.deb

My clamav version:

moate@localhost:~$ dpkg -l clamav
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                                          Version                             Architecture                        Description
+++-=============================================================-===================================-===================================-================================================================================================================================
ii  clamav                                                        0.99.2+addedllvm-0ubuntu0.14.04.1   amd64                               anti-virus utility for Unix - command-line interface

moate@localhost:~$ clamscan condor_8.4.9-382747-ubuntu14_amd64.deb
condor_8.4.9-382747-ubuntu14_amd64.deb: OK

----------- SCAN SUMMARY -----------
Known viruses: 5073809
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 39.59 MB
Data read: 19.61 MB (ratio 2.02:1)
Time: 15.895 sec (0 m 15 s)

I unpacked it with ar, xzcat and tar and did another scan:

moate@localhost:~$ ar vx condor_8.4.9-382747-ubuntu14_amd64.deb
x - debian-binary
x - control.tar.gz
x - data.tar.xz
moate@localhost:~$ mkdir -p data
moate@localhost:~$ cd data/
moate@localhost:~/data$ xzcat ../data.tar.xz | tar x
moate@localhost:~/data$ clamscan -r ./
----------- SCAN SUMMARY -----------
Known viruses: 5073809
Engine version: 0.99.2
Scanned directories: 47
Scanned files: 480
Infected files: 0
Data scanned: 183.85 MB
Data read: 99.91 MB (ratio 1.84:1)
Time: 26.313 sec (0 m 26 s)

On Fri, Nov 11, 2016 at 11:26:16PM +0100, Benjamin LIPERE wrote:
>    It is the normal download.
>    2016-11-11 23:25 GMT+01:00 Benjamin LIPERE
>    <[1]benjamin.lipere123@gmail.com>:
>
>      Hello.
>
>      Thanks for your help !
>
>      Here is the link :
>      [2]https://research.cs.wisc.edu/htcondor/downloads/?state=select_from_mirror_page&version=8.4.9&mirror=UW%20Madison&optional_organization_url=http://
>
>      Best Regards.
>      Benjamin.
>      2016-11-11 23:21 GMT+01:00 Todd Tannenbaum <[3]tannenba@xxxxxxxxxxx>:
>
>        On 11/11/2016 4:10 PM, Benjamin LIPERE wrote:
>
>          Hello.
>
>          condor_8.4.9-382747-ubuntu14_amd64.deb
>          and every ubuntu14 that I am downloading
>          are reported infected by Linux.Mirai by Drweb antivirus.
>
>          Can someone check on their end and get back to me quickly, please?
>
>        Where are you obtaining this deb archive?
>
>        Is it from the UW-Madison Ubuntu repo at
>          [4]https://research.cs.wisc.edu/htcondor/ubuntu/stable/
>        or someplace else?
>
>        thanks
>        Todd
>
>        _______________________________________________
>        HTCondor-users mailing list
>        To unsubscribe, send a message to
>        [5]htcondor-users-request@cs.wisc.edu with a
>        subject: Unsubscribe
>        You can also unsubscribe by visiting
>        [6]https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
>        The archives can be found at:
>        [7]https://lists.cs.wisc.edu/archive/htcondor-users/
>
>      --
>      LIPERE Benjamin
>      Le logis de paille
>      87270, Chaptelat
>      FRANCE
>      06 26 14 35 20
>      [8]benjamin.lipere123@gmail.com
>
> References
>
>    Visible links
>    1. mailto:benjamin.lipere123@gmail.com
>    2. https://research.cs.wisc.edu/htcondor/downloads/?state=select_from_mirror_page&version=8.4.9&mirror=UW%20Madison&optional_organization_url=http://
>    3. mailto:tannenba@xxxxxxxxxxx
>    4. https://research.cs.wisc.edu/htcondor/ubuntu/stable/
>    5. mailto:htcondor-users-request@cs.wisc.edu
>    6. https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>    7. https://lists.cs.wisc.edu/archive/htcondor-users/
>    8. mailto:benjamin.lipere123@gmail.com
>    9. mailto:benjamin.lipere123@gmail.com

-- 
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736
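
The checks walked through in this thread (compare the package digest, unpack and scan the payload, look for the three leftover 8.5.7 files) can be collected into a few shell helpers. This is an added example, not part of the original messages and not HTCondor project code; the function names and the optional root prefix are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage helpers for the checks discussed in the thread.

# Files listed in the thread as leftovers of the briefly published 8.5.7 build.
STRAY_FILES="etc/condor/config.d/50ec2.config
etc/condor/config.d/49ec2-instance.sh
etc/condor/master_shutdown_script.sh"

# Print every leftover file found under root prefix $1 (default /).
# The prefix is an assumption of this example so a mounted image can be audited.
# Nothing is deleted; removal stays a deliberate manual step.
find_stray_files() {
    root=${1:-/}
    for rel in $STRAY_FILES; do
        if [ -e "${root%/}/$rel" ]; then
            printf '%s\n' "${root%/}/$rel"
        fi
    done
    return 0
}

# Succeed only if the MD5 of file $1 equals the expected hex digest $2,
# for example the digest another list member posted for the same .deb.
md5_matches() {
    actual=$(md5sum -- "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Unpack .deb $1 in a scratch directory with ar/xzcat/tar, as in the thread,
# then scan the tree. Assumes the payload is data.tar.xz, as it is for the
# package discussed. Returns clamscan's status: 0 clean, 1 detection, 2 error.
scan_deb() {
    deb=$(readlink -f -- "$1") || return 2
    work=$(mktemp -d) || return 2
    status=0
    (
        cd "$work" && ar x "$deb" && mkdir data &&
        xzcat data.tar.xz | tar -x --no-same-owner -C data &&
        clamscan -r --infected data
    ) || status=$?
    rm -rf -- "$work"
    return "$status"
}
```
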