
Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.



It seems I was unable to extract the file in question
because drweb was deleting it as soon as it was written.
"condor_ckpt_probe" is indeed the specific file it's
alerting on.

We ran drweb's scan against a release that is two years old
(before Mirai was discovered).  The scan showed positive:

[moate@localhost ~]$ sudo drweb-ctl scan condor-8.2.3-274619-ubuntu_14.04_amd64.deb
/home/moate/condor-8.2.3-274619-ubuntu_14.04_amd64.deb//data.tar.gz//gziped.gz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Scanned 31907.75 KB in 5.87 s with speed 5432.03 KB/s.

So right now it's looking like a false positive.  We're working
at getting more exact verification.

Cheers,
Aaron Moate
CHTC Infrastructure Team

On Sat, Nov 12, 2016 at 08:12:05AM +0100, Benjamin LIPERE wrote:
>    So I am not really surprised. Thanks for the confirmation.
> 
>    On 12 Nov 2016 08:11, "Benjamin LIPERE" <benjamin.lipere123@xxxxxxxxx>
>    wrote:
> 
>      Yep. Drweb is a very good antivirus. For me, sometimes, I can't finish
>      the download. Also, it is the easiest one for HPC cluster.
> 
>      On 12 Nov 2016 05:53, "Aaron Moate" <wiscmoate@xxxxxxxxx> wrote:
> 
>        I got drweb working on the 32-bit EL6 BaTLab platform, and it
>        does indeed seem to think that
>        condor_8.4.9-382747-ubuntu14_amd64.deb is a threat, specifically
>        the usr/lib/condor/libexec/condor_ckpt_probe file inside.  I
>        tried to extract the file using xzcat and tar, but for some
>        reason have been unable to so far, even though strace claims
>        it's being written to disk.
> 
>        [moate@localhost ~]$ drweb-ctl -d scan
>        condor_8.4.9-382747-ubuntu14_amd64.deb
>        Debug: Use ConfigD public socket "/var/run/.com.drweb.public"
>        Debug: ConfigD <-- GET_FCHECK_REQUEST uid=10006
>        Debug: ConfigD --> GET_FCHECK_RESPONSE: OK
>        Debug: Use FileCheck socket "/var/run/.com.drweb.fcheck/10006"
>        Debug: ConfigD <-- MY_INFO_NOTIFICATION
>        Debug: FileCheck <-- SUBSCRIBE_TO_SCAN_INFO
>        Debug: FileCheck <-- START_SCAN_REQUEST
>        Debug: FileCheck --> SCAN_INFO_NOTIFICATION ()
>        Debug: FileCheck --> START_SCAN_RESPONSE 15
>        Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_PENDING)
>        Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_RUNNING)
>        Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_FINISHED
>        Success)
>        Info:
>        /home/moate/condor_8.4.9-382747-ubuntu14_amd64.deb//data.tar.xz//xz//./usr/lib/condor/libexec/condor_ckpt_probe
>        - infected with Linux.Mirai.54
>        Debug: Scan finished: Success
>        Info: Scanned objects: 1, scan errors: 0, threats found: 1, threats
>        neutralized: 0.
>        Info: Scanned 20082.08 KB in 8.49 s with speed 2364.55 KB/s.
> 
>        [moate@localhost ~]$ mkdir -p data
>        [moate@localhost ~]$ cd data
>        [moate@localhost data]$ xzcat ../data.tar.xz | tar xv
>        ./usr/lib/condor/libexec/condor_ckpt_probe
>        ./usr/lib/condor/libexec/condor_ckpt_probe
>        [moate@localhost data]$ ls -al
>        ./usr/lib/condor/libexec/condor_ckpt_probe
>        ls: cannot access ./usr/lib/condor/libexec/condor_ckpt_probe: No such
>        file or directory
> 
>        Aaron Moate
>        CHTC Infrastructure Team
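The check Aaron describes above (pulling condor_ckpt_probe out of the package's data.tar and comparing it with the two-year-old release) can be done with the flagged file never touching disk, which sidesteps the on-access deletion that broke his xzcat/tar extraction. This is an added example, not code from the thread or from HTCondor: it uses a minimal reader for the ar container that wraps a .deb, builds two constructed throwaway packages in place of the real ones, and compares SHA-256 digests of the same path across them.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
PROBE = "./usr/lib/condor/libexec/condor_ckpt_probe"  # path flagged in the thread

def ar_members(deb):
    """Yield (name, bytes) for each member of a .deb, which is a classic ar archive."""
    off = len(AR_MAGIC)
    while off + 60 <= len(deb):
        hdr = deb[off:off + 60]                  # fixed 60-byte member header
        name = hdr[0:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        yield name, deb[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)            # members are 2-byte aligned

def member_digest(deb, path):
    """SHA-256 of one file inside data.tar.* without ever writing it to disk."""
    for name, body in ar_members(deb):
        if name.startswith("data.tar"):
            # mode "r:*" autodetects gz and xz, covering both releases in the thread
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                for m in tf.getmembers():
                    if m.isfile() and m.name.lstrip("./") == path.lstrip("./"):
                        return hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    raise KeyError(f"{path} not found in data.tar of package")

def build_deb(files, comp="xz"):
    """Constructed stand-in for a real package: ar(debian-binary, data.tar.<comp>)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + comp) as tf:
        for path, content in files.items():
            ti = tarfile.TarInfo(path)
            ti.size = len(content)
            tf.addfile(ti, io.BytesIO(content))
    out = bytearray(AR_MAGIC)
    for name, body in (("debian-binary", b"2.0\n"), ("data.tar." + comp, buf.getvalue())):
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(body))
        out += body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)

# Constructed sample "releases": the same probe bytes shipped in a gz and an xz package.
PROBE_BYTES = b"\x7fELF constructed-probe-payload"
OLD_DEB = build_deb({PROBE: PROBE_BYTES, "./usr/bin/condor_q": b"old"}, comp="gz")
NEW_DEB = build_deb({PROBE: PROBE_BYTES, "./usr/bin/condor_q": b"new"}, comp="xz")

def same_flagged_file(deb_a, deb_b, path=PROBE):
    """True when both packages carry byte-identical copies of the flagged file."""
    return member_digest(deb_a, path) == member_digest(deb_b, path)
```

Run the same comparison against the real 8.2.3 and 8.4.9 packages to see whether the flagged binary actually changed between releases before escalating beyond the scanner's verdict.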