
Re: [HTCondor-users] Fwd: URGENT - HTcondor condor_8.4.9-382747-ubuntu14_amd64.deb INFECTED - Benjamin.



Do you plan a patch? Please let me know.


On 16 Nov 2016 03:47, "Tim Theisen" <tim@xxxxxxxxxxx> wrote:

I have rebuilt HTCondor on a fresh Ubuntu14 installation, I checked the signatures and checksums. I am confident that this is a false positive.

This particular executable is only used to determine standard universe support. If Dr. Web deletes this file, most of HTCondor will continue to work properly.

...Tim


On 11/14/2016 11:36 AM, Aaron Moate wrote:
It seems I was unable to extract the file in question
because drweb was deleting it as soon as it was written.
"condor_ckpt_probe" is indeed the specific file it's
alerting on.

We ran drweb's scan against a release that is two years old
(before Mirai was discovered).  The scan showed positive:

[moate@localhost ~]$ sudo drweb-ctl scan condor-8.2.3-274619-ubuntu_14.04_amd64.deb
/home/moate/condor-8.2.3-274619-ubuntu_14.04_amd64.deb//data.tar.gz//gziped.gz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Scanned 31907.75 KB in 5.87 s with speed 5432.03 KB/s.

So right now it's looking like a false positive.  We're working
at getting more exact verification.

Cheers,
Aaron Moate
CHTC Infrastructure Team

On Sat, Nov 12, 2016 at 08:12:05AM +0100, Benjamin LIPERE wrote:
   So I am not really surprised. Thanks for the confirmation.

   On 12 Nov 2016 08:11, "Benjamin LIPERE" <benjamin.lipere123@gmail.com>
   wrote:

     Yep. Drweb is a very good antivirus. For me, sometimes, I can't finish
     the download. Also, it is the easiest one for an HPC cluster.

     On 12 Nov 2016 05:53, "Aaron Moate" <wiscmoate@xxxxxxxxx> wrote:

       I got drweb working on the 32-bit EL6 BaTLab platform, and it
       does indeed seem to think that
       condor_8.4.9-382747-ubuntu14_amd64.deb is a threat, specifically
       the usr/lib/condor/libexec/condor_ckpt_probe file inside.  I
       tried to extract the file using xzcat and tar, but for some
       reason have been unable to so far, even though strace claims
       it's being written to disk.

       [moate@localhost ~]$ drweb-ctl -d scan condor_8.4.9-382747-ubuntu14_amd64.deb
       Debug: Use ConfigD public socket "/var/run/.com.drweb.public"
       Debug: ConfigD <-- GET_FCHECK_REQUEST uid=10006
       Debug: ConfigD --> GET_FCHECK_RESPONSE: OK
       Debug: Use FileCheck socket "/var/run/.com.drweb.fcheck/10006"
       Debug: ConfigD <-- MY_INFO_NOTIFICATION
       Debug: FileCheck <-- SUBSCRIBE_TO_SCAN_INFO
       Debug: FileCheck <-- START_SCAN_REQUEST
       Debug: FileCheck --> SCAN_INFO_NOTIFICATION ()
       Debug: FileCheck --> START_SCAN_RESPONSE 15
       Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_PENDING)
       Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_RUNNING)
       Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_FINISHED Success)
       Info: /home/moate/condor_8.4.9-382747-ubuntu14_amd64.deb//data.tar.xz//xz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
       Debug: Scan finished: Success
       Info: Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
       Info: Scanned 20082.08 KB in 8.49 s with speed 2364.55 KB/s.

       [moate@localhost ~]$ mkdir -p data
       [moate@localhost ~]$ cd data
       [moate@localhost data]$ xzcat ../data.tar.xz | tar xv
       ./usr/lib/condor/libexec/condor_ckpt_probe
       ./usr/lib/condor/libexec/condor_ckpt_probe
       [moate@localhost data]$ ls -al ./usr/lib/condor/libexec/condor_ckpt_probe
       ls: cannot access ./usr/lib/condor/libexec/condor_ckpt_probe: No such file or directory

       Aaron Moate
       CHTC Infrastructure Team


_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@cs.wisc.edu with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/

-- 
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736

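The extraction problem described in the thread (the flagged executable vanishing as soon as tar writes it, with the same drweb hit on both the data.tar.gz and data.tar.xz packages) can be sidestepped by never writing the file at all. What follows is an added example, not code from the HTCondor project or from anyone in this thread: it parses the .deb's ar container, opens data.tar.* with the compression autodetected, streams the named member straight into a SHA-256, and compares the digest between two packages, for instance the downloaded one and one rebuilt from source on a clean machine as Tim describes. The fixture builder (build_test_deb) and the probe bytes are constructed stand-ins, not real HTCondor packages; only the member path mirrors the scan output.

```python
"""Extract one file from a .deb entirely in memory and hash it.

Added example; not HTCondor project code. A .deb is an `ar` archive holding
debian-binary, control.tar.* and data.tar.*; the installed files live in the
data tarball. Streaming the flagged member out of the tarball into a hash never
writes it to disk, which is the step an on-access scanner was deleting above.
"""
import hashlib
import io
import os
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob: bytes):
    """Yield (name, bytes) for each member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive: bad magic")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                                # fixed 60-byte ASCII header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size & 1)                         # members are 2-byte aligned


def open_data_tar(deb: bytes) -> tarfile.TarFile:
    """Return the data.tar.* payload opened with compression autodetected (gz, xz, ...)."""
    for name, data in ar_members(deb):
        if name.startswith("data.tar"):
            return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    raise ValueError("no data.tar.* member in package")


def member_sha256(deb: bytes, path: str) -> str:
    """SHA-256 of one file inside the package, streamed, never touching disk."""
    want = os.path.normpath(path)                               # './usr/x' and 'usr/x' both match
    with open_data_tar(deb) as tar:
        for info in tar:
            if info.isfile() and os.path.normpath(info.name) == want:
                h = hashlib.sha256()
                with tar.extractfile(info) as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                return h.hexdigest()
    raise FileNotFoundError(path)


def compare_member(deb_a: bytes, deb_b: bytes, path: str) -> dict:
    """Hash the same path in two packages, e.g. a download versus a clean rebuild."""
    ha, hb = member_sha256(deb_a, path), member_sha256(deb_b, path)
    return {"a": ha, "b": hb, "identical": ha == hb}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- constructed fixture: a tiny fake package, NOT a real HTCondor .deb ----

def _ar_pack(entries) -> bytes:
    out = bytearray(AR_MAGIC)
    for name, data in entries:
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
        hdr = "%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (name + "/", 0, 0, 0, 0o100644, len(data))
        out += hdr.encode("ascii") + data
        if len(data) & 1:
            out += b"\n"                                        # pad odd-sized members
    return bytes(out)


def _tar_bytes(files: dict, compression: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_test_deb(files: dict, compression: str = "xz") -> bytes:
    """Assemble an in-memory .deb whose data.tar.<compression> holds `files`."""
    control = _tar_bytes({"./control": b"Package: condor\nVersion: 0-test\n"}, "gz")
    return _ar_pack([("debian-binary", b"2.0\n"),
                     ("control.tar.gz", control),
                     ("data.tar." + compression, _tar_bytes(files, compression))])


if __name__ == "__main__":
    probe = b"\x7fELF" + b"constructed stand-in for condor_ckpt_probe\n" * 8
    path = "./usr/lib/condor/libexec/condor_ckpt_probe"
    downloaded = build_test_deb({path: probe}, "xz")            # like 8.4.9 (data.tar.xz)
    rebuilt = build_test_deb({path: probe}, "gz")               # like 8.2.3 (data.tar.gz)
    print(compare_member(downloaded, rebuilt, path))
```

A matching digest shows the downloaded member is byte-for-byte what your own clean build produced, which is what turns "it's looking like a false positive" into a verified one; it says nothing about whether the binary is benign, so the package signature check still belongs in the procedure. If the two builds are not reproducible the digests will differ even when both are clean, and the comparison then has to be made against the publisher's signed checksums rather than against a local rebuild.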