Thank you for your answers.



It starts only in Devuan 6. No such problem in 4,5.



I think that it is really "false positive".



От: "Lorenzo" <plorenzo@???>
Кому: "Arcady Ivanov" <it.chief@???>
Копия: "devuan developers internal list" <devuan-dev@???>
Отправлено: среда, 26 ноября 2025 г., 10:46
Тема: Re: [devuan-dev] Devuan 6 Excalibur is virused?

Hi Arcady,

On Wed, 26 Nov 2025 09:57:28 +1200 (PETT)
Arcady Ivanov wrote:

> I have Wazuh in my network. Wazuh informs that on each of this
> computers
>
> I have:
>
> Trojaned version of file '/usr/bin/chsh' detected. Signature used:
> 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]' (Generic).
>
> Trojaned version of file '/bin/passwd' detected. Signature used:
> 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]' (Generic).
>

likely a false positive

see https://github.com/wazuh/wazuh/issues/20363#issuecomment-3450739212

and

https://github.com/wazuh/wazuh/issues/32142

In any case is not Devuan specific, it affects Debian and other
derivatives (Ubuntu) as well.

Best,
Lorenzo

>
>
>
> IKIR IT Chief. Arcady Ivanov.
>
> phone: +7(914)024-4191
>
> mailto: arc@???
>

_______________________________________________
devuan-dev internal mailing list
devuan-dev@???
Manage your subscription: https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/devuan-dev
Archive: https://lists.dyne.org/lurker/list/devuan-dev.en.html