Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.



I got drweb working on the 32-bit EL6 BaTLab platform, and it
does indeed seem to think that
condor_8.4.9-382747-ubuntu14_amd64.deb is a threat, specifically
the usr/lib/condor/libexec/condor_ckpt_probe file inside.  I
tried to extract the file using xzcat and tar, but for some
reason have been unable to do so so far, even though strace claims
it's being written to disk.

[moate@localhost ~]$ drweb-ctl -d scan condor_8.4.9-382747-ubuntu14_amd64.deb
Debug: Use ConfigD public socket "/var/run/.com.drweb.public"
Debug: ConfigD <-- GET_FCHECK_REQUEST uid=10006
Debug: ConfigD --> GET_FCHECK_RESPONSE: OK
Debug: Use FileCheck socket "/var/run/.com.drweb.fcheck/10006"
Debug: ConfigD <-- MY_INFO_NOTIFICATION
Debug: FileCheck <-- SUBSCRIBE_TO_SCAN_INFO
Debug: FileCheck <-- START_SCAN_REQUEST
Debug: FileCheck --> SCAN_INFO_NOTIFICATION ()
Debug: FileCheck --> START_SCAN_RESPONSE 15
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_PENDING)
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_RUNNING)
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_FINISHED Success)
Info: /home/moate/condor_8.4.9-382747-ubuntu14_amd64.deb//data.tar.xz//xz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Debug: Scan finished: Success
Info: Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Info: Scanned 20082.08 KB in 8.49 s with speed 2364.55 KB/s.

[moate@localhost ~]$ mkdir -p data
[moate@localhost ~]$ cd data
[moate@localhost data]$ xzcat ../data.tar.xz | tar xv ./usr/lib/condor/libexec/condor_ckpt_probe
./usr/lib/condor/libexec/condor_ckpt_probe
[moate@localhost data]$ ls -al ./usr/lib/condor/libexec/condor_ckpt_probe
ls: cannot access ./usr/lib/condor/libexec/condor_ckpt_probe: No such file or directory

Aaron Moate
CHTC Infrastructure Team

On Sat, Nov 12, 2016 at 03:35:54AM +0100, Benjamin LIPERE wrote:
>    Hello.
> 
>    Thanks for your help!
>    That was very informative from both of you!
> 
>    Best Regards.
>    Benjamin.
>    2016-11-12 2:43 GMT+01:00 Tim Theisen <[1]tim@xxxxxxxxxxx>:
> 
>      Is there any chance that you installed the 8.5.7 version from the
>      development release?
> 
>      For a brief time the 8.5.7 version available for download had some
>      preliminary work that was not yet intended to be released. If you find
>      any of the following files in your installation, please delete them:
> 
>          rm -f /etc/condor/config.d/50ec2.config
>          rm -f /etc/condor/config.d/49ec2-instance.sh
>          rm -f /etc/condor/master_shutdown_script.sh
> 
>      This was not present in the stable release (8.4.9). However, since the
>      symptoms match, it is worth mentioning. If you have the
>      master_shutdown_script.sh present, the machine will shut itself down
>      after 15 minutes with no HTCondor job.
> 
>      ...Tim
> 
>      On 11/11/2016 06:08 PM, Benjamin LIPERE wrote:
> 
>        Hello.
> 
>        I did a scan with ESET too.
>        Nothing.
>        And same md5.
>        This is probably a false positive.
>        But there are two things to know if you are "hard" on security:
>        1) Drweb lasts 30 min under attack because it is a "new program"; other
>        anti-virus programs last around 30 seconds
>        2) ClamAV scans have only a 30-40% rate of detection, which is pretty
>        low.
> 
>        Also, I did have a strange behavior.
>        Once installed, the computers of my cluster keep shutting down
>        themselves.
>        I am using port 4445 for a shutdown/reboot script.
>        Does the last version of HTCondor use this port?
>        What should we do, please?
>        Thanks in advance.
>        Best Regards.
>        Benjamin.
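The first message in the thread pulls the flagged member out of the .deb with xzcat and tar in order to look at it, and the extracted file then fails to appear on disk. The script below is an added example (not code from HTCondor, CHTC or Dr.Web) of doing that triage step entirely in memory: it parses the `ar` container that every .deb is, takes `data.tar.xz` out of it, reads the named member with Python's `tarfile`, and hashes it so the digest can be compared with the vendor's published checksum or attached to a false-positive report, without ever writing or executing the file. Keeping the bytes in memory also sidesteps one possible cause of a vanishing extracted file, an on-access scanner quarantining it the moment it is closed. The package it operates on is constructed by `build_fixture_deb()` for the demonstration; the member path is the one from the scan report, but the file content is a stand-in, not the real `condor_ckpt_probe`.

```python
"""Extract one member of a Debian package for offline triage, in memory.

Added example, not code from HTCondor/CHTC or Dr.Web.  A .deb is an 'ar'
container holding debian-binary, control.tar.* and data.tar.*; payload
paths inside data.tar are stored with a leading './'.  The package built
by build_fixture_deb() and its file content are constructed for this demo.
"""
import gzip
import hashlib
import io
import lzma
import tarfile

AR_MAGIC = b"!<arch>\n"


def read_ar_members(blob: bytes) -> dict:
    """Parse an 'ar' archive (the outer layer of every .deb) into {name: bytes}.

    Each 60-byte header is: name(16) mtime(12) uid(6) gid(6) mode(8) size(10)
    magic(2); members are padded to an even length.  GNU ar terminates names
    with '/', dpkg-deb pads them with spaces, so both spellings are handled.
    """
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    members = {}
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)
    return members


def extract_member_from_deb(deb: bytes, member_path: str) -> bytes:
    """Return the bytes of member_path from the package's data.tar.xz.

    Accepts 'usr/...' or './usr/...'.  Nothing is written to disk (where an
    on-access scanner may act on it) and nothing from the package is run.
    """
    ar = read_ar_members(deb)
    if "data.tar.xz" not in ar:
        raise KeyError("data.tar.xz not found; members: %s" % sorted(ar))
    bare = member_path.lstrip("./")
    wanted = {bare, "./" + bare}
    with tarfile.open(fileobj=io.BytesIO(ar["data.tar.xz"]), mode="r:xz") as tf:
        for info in tf.getmembers():
            if info.isfile() and info.name in wanted:
                return tf.extractfile(info).read()
    raise KeyError("%s not present in data.tar.xz" % member_path)


def sha256_hex(data: bytes) -> str:
    """Digest to compare with the publisher's checksum or to cite in a report."""
    return hashlib.sha256(data).hexdigest()


# --- constructed fixture: a minimal .deb assembled in memory ---------------
def _ar_member(name: str, body: bytes) -> bytes:
    # GNU-style header: name ends with '/', fields are space padded.
    hdr = "%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (name + "/", 0, 0, 0, "100644", len(body))
    return hdr.encode("ascii") + body + (b"\n" if len(body) % 2 else b"")


def _tar_bytes(path: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=path)
        info.size = len(content)
        info.mode = 0o755
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_fixture_deb(member_path: str, content: bytes) -> bytes:
    """Assemble debian-binary + control.tar.gz + data.tar.xz as dpkg-deb does."""
    control = gzip.compress(_tar_bytes("./control", b"Package: constructed-example\n"))
    data = lzma.compress(_tar_bytes("./" + member_path.lstrip("./"), content))
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.xz", data))


if __name__ == "__main__":
    path = "usr/lib/condor/libexec/condor_ckpt_probe"  # path from the scan report
    deb = build_fixture_deb(path, b"#!/bin/sh\necho constructed stand-in\n")
    blob = extract_member_from_deb(deb, path)
    print("%s  %d bytes  sha256=%s" % (path, len(blob), sha256_hex(blob)))
```

To use it on a real package, replace the fixture with `open("condor_8.4.9-382747-ubuntu14_amd64.deb", "rb").read()` and pass the path reported by the scanner; the `./` prefix is accepted either way, since that is how tar stores Debian payload paths.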