Devuan bug report logs - #858
Detection of Ebury malware in Devuan system

Packages: daedalus, live, cd, 5.0; Maintainer for daedalus is (unknown); Maintainer for live is (unknown); Maintainer for cd is (unknown); Maintainer for 5.0 is (unknown);

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Wed, 4 Sep 2024 09:47:16 UTC

Severity: normal

Done: Mark Hindley <mark@hindley.org.uk>



Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#858; Package daedalus 5.0 live cd. (Wed, 04 Sep 2024 09:47:17 GMT) (full text, mbox, link).


Acknowledgement sent to Alter Kim <alter-kim@hotmail.com>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org. (Wed, 04 Sep 2024 09:47:18 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Subject: Detection of Ebury malware in Devuan system
Date: Wed, 4 Sep 2024 09:44:36 +0000
Package: Daedalus 5.0 live cd

Hi!

I was reading the information on this malware on the site

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

and also on

https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

I followed the links to run the test, which is at:

https://github.com/eset/malware-ioc/tree/master/windigo


In one part the information indicates:


The command ssh -G has a different behavior on a system with Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will print

$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

to stderr but an infected server will only print the usage (note the missing ssh: illegal option -- G):

$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

One can use the following command to determine if the server he is on is compromised:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"


I did the test and found that the Daedalus 5.0 live CD OS has this bug/malware/issue. I attach some screenshots
of my test, and here is the test:

A) The version of the OS
devuan@devuan:~$ uname -a
Linux devuan 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64 GNU/Linux


B) The ssh test
devuan@devuan:~$ ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]


This indicates that the system has the Ebury malware



C) In a clearer test
devuan@devuan:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected




I appreciate the time you take to read and solve this issue; thanks in advance,
and have a nice day.

[Test_version-1.png (image/png, attachment)]
[Test_2.png (image/png, attachment)]
[Test_3.png (image/png, attachment)]

Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Wed, 04 Sep 2024 13:50:01 GMT) (full text, mbox, link).


Notification sent to Alter Kim <alter-kim@hotmail.com>:
bug acknowledged by developer. (Wed, 04 Sep 2024 13:50:02 GMT) (full text, mbox, link).


Message #10 received at 858-done@bugs.devuan.org (full text, mbox, reply):

From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>, 858-done@bugs.devuan.org
Subject: Re: bug#858: Detection of Ebury malware in Devuan system
Date: Wed, 4 Sep 2024 14:48:12 +0100
Alter,

Thanks for this.


On Wed, Sep 04, 2024 at 09:44:36AM +0000, Alter Kim wrote:
>    In one part the information indicates:
> 
>    The command ssh -G has a different behavior on a system with
>    Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will
>    print
> 
>    $ ssh -G
> 
>    ssh: illegal option -- G

I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):

openssh    | 1:7.9p1-10+deb10u2 | oldoldstable           | source
openssh    | 1:7.9p1-10+deb10u2 | oldoldstable-debug     | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports       | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports-debug | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable              | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable-debug        | source
openssh    | 1:9.2p1-2+deb12u3  | stable                 | source
openssh    | 1:9.2p1-2+deb12u3  | stable-debug           | source
openssh    | 1:9.8p1-8          | testing                | source
openssh    | 1:9.8p1-8          | unstable               | source
openssh    | 1:9.8p1-8          | unstable-debug         | source

-G is now a legitimate ssh option (see ssh(1)).

We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.

I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.

Best wishes

Mark

Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#858; Package daedalus 5.0 live cd. (Wed, 04 Sep 2024 16:26:02 GMT) (full text, mbox, link).


Acknowledgement sent to tempforever <dev1@tempforever.com>:
Extra info received and forwarded to list. Copy sent to devuan-dev@lists.dyne.org. (Wed, 04 Sep 2024 16:26:02 GMT) (full text, mbox, link).


Message #15 received at 858@bugs.devuan.org (full text, mbox, reply):

From: tempforever <dev1@tempforever.com>
To: 858@bugs.devuan.org
Subject: Re: [devuan-dev] bug#858: Detection of Ebury malware in Devuan system
Date: Wed, 4 Sep 2024 12:24:04 -0400
FYI the "ssh -G" is listed on this page
https://github.com/eset/malware-ioc/tree/master/windigo

The section is "Linux/Ebury v1.4 and earlier" with a couple of notices.
One notice is that Ebury v1.4 is no longer deployed and most of the
indicators below no longer work.  Another notice is that this technique
only works with OpenSSH 6.7 or earlier.  OpenSSH 6.8 adds a legitimate
usage for the -G flag.  This is even shown in the first line of the output:
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
There are other detection methods listed for newer versions of OpenSSH.
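A version-aware form of the ESET one-liner, added here as an example (not code from the bug report or from ESET's repository): it parses the `ssh -V` banner first and only applies the "-G" indicator on OpenSSH 6.7 or earlier, reporting "not-applicable" on newer releases instead of the false "System infected" seen in this report. The banner strings and usage outputs used below are constructed for illustration.

```shell
#!/bin/sh
# Version-aware wrapper around the "ssh -G" Ebury v1.4 indicator.
# Added example; assumes only that `ssh -V` prints an "OpenSSH_x.y..." banner.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (0) when the -G indicator is meaningful, i.e. OpenSSH 6.7 or earlier.
# From 6.8 on, -G is a documented option, so "usage only" output is normal.
g_test_applicable() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -le 7 ]; }
}

# Classify raw `ssh -G 2>&1` output for a version where the test applies:
# a clean binary rejects the option; Ebury's patched binary prints usage only.
classify_g_output() {
    case "$1" in
        *illegal*|*unknown*) echo "clean" ;;
        *)                   echo "suspicious" ;;
    esac
}

# Combine both: only classify when the indicator is valid for this version.
ebury_g_check() {
    banner=$1
    g_output=$2
    if g_test_applicable "$banner"; then
        classify_g_output "$g_output"
    else
        echo "not-applicable"
    fi
}

# Run against the local ssh when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    ebury_g_check "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
fi
```

On the Daedalus 5.0 live CD from this report (OpenSSH 9.2), `sh check.sh --run` prints "not-applicable" rather than "System infected".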




Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Sep 19 21:37:39 2024;