[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.

So i am not really surprised. Thanks for the confirmation.

LeÂ12 nov. 2016 08:11, "Benjamin LIPERE" <benjamin.lipere123@xxxxxxxxx> a ÃcritÂ:

Yep. Drweb is a very good antivirus. For me, sometime, i can't finish the download. Also, it is the easiest one for HPC cluster.

LeÂ12 nov. 2016 05:53, "Aaron Moate" <wiscmoate@xxxxxxxxx> a ÃcritÂ:
I got drweb working on the 32-bit EL6 BaTLab platform, and it
does indeed seem to think that
condor_8.4.9-382747-ubuntu14_amd64.deb is a threat, specifically
the usr/lib/condor/libexec/condor_ckpt_probe file inside. I
tried to extract the file uzing xzcat and tar, but for some
reason have been unable to so far, even though strace claims
it's being written to disk.

[moate@localhost ~]$ drweb-ctl -d scan condor_8.4.9-382747-ubuntu14_amd64.deb
Debug: Use ConfigD public socket "/var/run/.com.drweb.public"
Debug: ConfigD <-- GET_FCHECK_REQUEST uid=10006
Debug: Use FileCheck socket "/var/run/.com.drweb.fcheck/10006"
Debug: FileCheck <-- START_SCAN_REQUEST
Debug: FileCheck --> SCAN_INFO_NOTIFICATION ()
Debug: FileCheck --> START_SCAN_RESPONSE 15
Info: /home/moate/condor_8.4.9-382747-ubuntu14_amd64.deb//data.tar.xz//xz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Debug: Scan finished: Success
Info: Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Info: Scanned 20082.08 KB in 8.49 s with speed 2364.55 KB/s.

[moate@localhost ~]$ mkdir -p data
[moate@localhost ~]$ cd data
[moate@localhost data]$ xzcat ../data.tar.xz | tar xv ./usr/lib/condor/libexec/condor_ckpt_probe
[moate@localhost data]$ ls -al ./usr/lib/condor/libexec/condor_ckpt_probe
ls: cannot access ./usr/lib/condor/libexec/condor_ckpt_probe: No such file or directory

Aaron Moate
CHTC Infrastructure Team

On Sat, Nov 12, 2016 at 03:35:54AM +0100, Benjamin LIPERE wrote:
>Â Â Hello.
>Â Â Thanks for your helps !
>Â Â That was very informative from both of you !
>Â Â Best Regards.
>Â Â Benjamin.
>Â Â 2016-11-12 2:43 GMT+01:00 Tim Theisen <[1]tim@xxxxxxxxxxx>:
>Â Â Â Is there any chance that you installed the 8.5.7 version from the
>Â Â Â development release?
>Â Â Â For a brief time the 8.5.7 version available for download had some
>Â Â Â preliminary work that was not yet intended to be released. If you find
>Â Â Â any of the following files in your installation, please delete them:
>Â Â Â Â Â rm -f /etc/condor/config.d/50ec2.config
>Â Â Â Â Â rm -f /etc/condor/config.d/49ec2-instance.sh
>Â Â Â Â Â rm -f /etc/condor/master_shutdown_script.sh
>Â Â Â This was not present in the stable release (8.4.9). However, since the
>Â Â Â symptoms match, it is worth mentioning. If you have the
>Â Â Â master_shutdown_script.sh present, the machine will shut itself down
>Â Â Â after 15 minutes with no HTCondor job.
>Â Â Â ...Tim
>Â Â Â On 11/11/2016 06:08 PM, Benjamin LIPERE wrote:
>Â Â Â Â Hello.
>Â Â Â Â I did a scan with ESET too.
>Â Â Â Â Nothing.
>Â Â Â Â And same md5.
>Â Â Â Â This probably is a false positive.
>Â Â Â Â But there is two things to know if you are a "hard" in security ;
>Â Â Â Â 1) Drweb last 30mn under attack because it is a "new program", other
>Â Â Â Â anti-virus last around 30 seconds
>Â Â Â Â 2) Clamav scan have only a 30-40% rate off detection, witch is pretty
>Â Â Â Â low.
>Â Â Â Â Also I did have a strange behavior.
>Â Â Â Â Once installed, the computers of my cluster keep shutting down
>Â Â Â Â themselve.
>Â Â Â Â I am using the port 4445 for a shutdown/reboot script.
>Â Â Â Â Does last version of htcondor use this port ?
>Â Â Â Â What should we do, please ?
>Â Â Â Â Thanks by advance.
>Â Â Â Â Best Regards.
>Â Â Â Â Benjamin.
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxx.edu with a
subject: Unsubscribe
You can also unsubscribe by visiting

The archives can be found at: