[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.
- Date: Fri, 11 Nov 2016 22:52:27 -0600
- From: Aaron Moate <wiscmoate@xxxxxxxxx>
- Subject: Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.
I got drweb working on the 32-bit EL6 BaTLab platform, and it
does indeed seem to think that
condor_8.4.9-382747-ubuntu14_amd64.deb is a threat, specifically
the usr/lib/condor/libexec/condor_ckpt_probe file inside. I
tried to extract the file uzing xzcat and tar, but for some
reason have been unable to so far, even though strace claims
it's being written to disk.
[moate@localhost ~]$ drweb-ctl -d scan condor_8.4.9-382747-ubuntu14_amd64.deb
Debug: Use ConfigD public socket "/var/run/.com.drweb.public"
Debug: ConfigD <-- GET_FCHECK_REQUEST uid=10006
Debug: ConfigD --> GET_FCHECK_RESPONSE: OK
Debug: Use FileCheck socket "/var/run/.com.drweb.fcheck/10006"
Debug: ConfigD <-- MY_INFO_NOTIFICATION
Debug: FileCheck <-- SUBSCRIBE_TO_SCAN_INFO
Debug: FileCheck <-- START_SCAN_REQUEST
Debug: FileCheck --> SCAN_INFO_NOTIFICATION ()
Debug: FileCheck --> START_SCAN_RESPONSE 15
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_PENDING)
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_RUNNING)
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_FINISHED Success)
Info: /home/moate/condor_8.4.9-382747-ubuntu14_amd64.deb//data.tar.xz//xz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Debug: Scan finished: Success
Info: Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Info: Scanned 20082.08 KB in 8.49 s with speed 2364.55 KB/s.
[moate@localhost ~]$ mkdir -p data
[moate@localhost ~]$ cd data
[moate@localhost data]$ xzcat ../data.tar.xz | tar xv ./usr/lib/condor/libexec/condor_ckpt_probe
[moate@localhost data]$ ls -al ./usr/lib/condor/libexec/condor_ckpt_probe
ls: cannot access ./usr/lib/condor/libexec/condor_ckpt_probe: No such file or directory
CHTC Infrastructure Team
On Sat, Nov 12, 2016 at 03:35:54AM +0100, Benjamin LIPERE wrote:
> Thanks for your helps !
> That was very informative from both of you !
> Best Regards.
> 2016-11-12 2:43 GMT+01:00 Tim Theisen <tim@xxxxxxxxxxx>:
> Is there any chance that you installed the 8.5.7 version from the
> development release?
> For a brief time the 8.5.7 version available for download had some
> preliminary work that was not yet intended to be released. If you find
> any of the following files in your installation, please delete them:
> rm -f /etc/condor/config.d/50ec2.config
> rm -f /etc/condor/config.d/49ec2-instance.sh
> rm -f /etc/condor/master_shutdown_script.sh
> This was not present in the stable release (8.4.9). However, since the
> symptoms match, it is worth mentioning. If you have the
> master_shutdown_script.sh present, the machine will shut itself down
> after 15 minutes with no HTCondor job.
> On 11/11/2016 06:08 PM, Benjamin LIPERE wrote:
> I did a scan with ESET too.
> And same md5.
> This probably is a false positive.
> But there is two things to know if you are a "hard" in security ;
> 1) Drweb last 30mn under attack because it is a "new program", other
> anti-virus last around 30 seconds
> 2) Clamav scan have only a 30-40% rate off detection, witch is pretty
> Also I did have a strange behavior.
> Once installed, the computers of my cluster keep shutting down
> I am using the port 4445 for a shutdown/reboot script.
> Does last version of htcondor use this port ?
> What should we do, please ?
> Thanks by advance.
> Best Regards.