[devuan-dev] bug#858: marked as done (Detection of ebury malware in debuan system)

Autor: Devuan bug Tracking System
Datum:
To: Mark Hindley
Betreff: [devuan-dev] bug#858: marked as done (Detection of ebury malware in debuan system)

Your message dated Wed, 4 Sep 2024 14:48:12 +0100
with message-id <ZthlHNiTm2NYyxLj@???>
and subject line Re: bug#858: Detection of ebury malware in debuan system
has caused the Devuan bug report #858,
regarding Detection of ebury malware in debuan system
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@???
immediately.)

--
858: https://bugs.devuan.org/cgi/bugreport.cgi?bug=858
Devuan Bug Tracking System
Contact owner@??? with problems

Package:  Daedalus 5.0  live cd

 Hi !

 I was reading the information of this malware in the site of

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

also in

https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

I follow the links to make the test that is;

https://github.com/eset/malware-ioc/tree/master/windigo


In one part the information indicates:


The command ssh -G has a different behavior on a system with Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will print

$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

to stderr but an infected server will only print the usage (note the missing ssh: illegal option -- G):

$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

One can use the following command to determine if the server he is on is compromised:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"


I did the test and found that the live cd  Daedalus 5.0  S.O have this bug/malware/issue, I attach some screenshots
of my test, and the test;

A) The version of the S.O
devuan@devuan:~$ uname -a
Linux devuan 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64 GNU/Linux


B ) The test of ssh
devuan@devuan:~$ ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]


This indicate tha the system have the ebury malware



C) In a clearer test
devuan@devuan:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected




I appreciated the time you take to read and solve this issue, thanks in advance
and have a nice day.

Alter,

Thanks for this.

On Wed, Sep 04, 2024 at 09:44:36AM +0000, Alter Kim wrote:
> In one part the information indicates:

>
> The command ssh -G has a different behavior on a system with > Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will > print

>
> $ ssh -G

>
> ssh: illegal option -- G

I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):

openssh    | 1:7.9p1-10+deb10u2 | oldoldstable           | source
openssh    | 1:7.9p1-10+deb10u2 | oldoldstable-debug     | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports       | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports-debug | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable              | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable-debug        | source
openssh    | 1:9.2p1-2+deb12u3  | stable                 | source
openssh    | 1:9.2p1-2+deb12u3  | stable-debug           | source
openssh    | 1:9.8p1-8          | testing                | source
openssh    | 1:9.8p1-8          | unstable               | source
openssh    | 1:9.8p1-8          | unstable-debug         | source

-G is now a legitimate ssh option (see ssh(1)).

We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.

I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.

Best wishes

Mark

Diese Nachricht ist Teil des folgenden Threads:
	Der komplette Thread sortiert nach Datum

Donate to Dyne.org