:: [devuan-dev] bug#858: Detection of …
Top Page
Delete this message
Reply to this message
Author: Alter Kim
Date:  
To: submit@bugs.devuan.org
Subject: [devuan-dev] bug#858: Detection of ebury malware in debuan system

Package:  Daedalus 5.0  live cd

 Hi !

 I was reading the information of this malware in the site of

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

also in

https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

I follow the links to make the test that is;

https://github.com/eset/malware-ioc/tree/master/windigo


In one part the information indicates:


The command ssh -G has a different behavior on a system with Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will print

$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

to stderr but an infected server will only print the usage (note the missing ssh: illegal option -- G):

$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

One can use the following command to determine if the server he is on is compromised:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"


I did the test and found that the live cd  Daedalus 5.0  S.O have this bug/malware/issue, I attach some screenshots
of my test, and the test;

A) The version of the S.O
devuan@devuan:~$ uname -a
Linux devuan 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64 GNU/Linux


B ) The test of ssh
devuan@devuan:~$ ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]


This indicate tha the system have the ebury malware



C) In a clearer test
devuan@devuan:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected




I appreciated the time you take to read and solve this issue, thanks in advance
and have a nice day.