On Wed, Nov 26, 2025 at 09:57:28AM +1200, Arcady Ivanov wrote:
> Hello all.
>
> I've installed Devuan 6 (Excalibur) on a few servers/workstations. Today it is 6 computers.
>
> I have Wazuh in my network. Wazuh informs that on each of these computers I have:
>
> Trojaned version of file '/usr/bin/chsh' detected. Signature used: 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]' (Generic).
>
> Trojaned version of file '/bin/passwd' detected. Signature used: 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]' (Generic).

As far as I can tell, those detect the string "/dev/null" in the
binaries, which does look like a false positive to me. Though I have
no experience whatsoever with "wazuh".

Ralph.

> IKIR IT Chief. Arcady Ivanov.
> phone: +7(914)024-4191
> mailto: arc@???
>
> _______________________________________________
> devuan-dev internal mailing list
> devuan-dev@???
> Manage your subscription: https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-dev
> Archive: https://lists.dyne.org/lurker/list/devuan-dev.en.html
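
One way to see which embedded string sets off each alert, as an added example that is not part of the original thread or of Wazuh. It assumes the quoted signature behaves as an ordinary regular expression applied to the file's printable strings; `SAMPLE` is a constructed byte string used when the real binary is not present.

```python
import os
import re

# Signatures copied from the two Wazuh alerts quoted in this thread.
SIGNATURES = {
    "/usr/bin/chsh": r"bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]",
    "/bin/passwd": r"bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]",
}

# Constructed sample standing in for a binary's contents (not real file data).
SAMPLE = b"\x7fELF\x02\x01\x00/dev/null\x00/dev/tty\x00/etc/shells\x00\x01\x02"


def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII, similar to strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def explain_hits(signature, data):
    """Return sorted (string, alternative) pairs showing what matched and why.

    Assumption: the signature is an ordinary regex whose top-level '|'
    separates independent alternatives (true for the two quoted above).
    """
    alternatives = [re.compile(a) for a in signature.split("|")]
    hits = set()
    for s in printable_strings(data):
        for alt in alternatives:
            if alt.search(s):
                hits.add((s, alt.pattern))
    return sorted(hits)


if __name__ == "__main__":
    for path, sig in SIGNATURES.items():
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data, label = fh.read(), path
        else:
            data, label = SAMPLE, path + " (constructed sample)"
        for text, alt in explain_hits(sig, data):
            print(f"{label}: {text!r} matched by {alt}")
```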