Devuan bug report logs - #858
Detection of ebury malware in Devuan system

Packages: cd, 5.0, daedalus, live; Maintainer for cd is (unknown); Maintainer for 5.0 is (unknown); Maintainer for daedalus is (unknown); Maintainer for live is (unknown);

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Wed, 4 Sep 2024 09:47:16 UTC

Severity: normal

Done: Mark Hindley <mark@hindley.org.uk>



Message #10 received at 858-done@bugs.devuan.org:

Date: Wed, 4 Sep 2024 14:48:12 +0100
From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>, 858-done@bugs.devuan.org
Subject: Re: bug#858: Detection of ebury malware in debuan system

Alter,

Thanks for this.


On Wed, Sep 04, 2024 at 09:44:36AM +0000, Alter Kim wrote:
>    In one part the information indicates:
> 
>    The command ssh -G has a different behavior on a system with
>    Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will
>    print
> 
>    $ ssh -G
> 
>    ssh: illegal option -- G

I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):

openssh    | 1:7.9p1-10+deb10u2 | oldoldstable           | source
openssh    | 1:7.9p1-10+deb10u2 | oldoldstable-debug     | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports       | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports-debug | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable              | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable-debug        | source
openssh    | 1:9.2p1-2+deb12u3  | stable                 | source
openssh    | 1:9.2p1-2+deb12u3  | stable-debug           | source
openssh    | 1:9.8p1-8          | testing                | source
openssh    | 1:9.8p1-8          | unstable               | source
openssh    | 1:9.8p1-8          | unstable-debug         | source

-G is now a legitimate ssh option (see ssh(1)).

We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.

I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.

Best wishes

Mark
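
The version gate described in the reply above, as an added example that is not part of the original message or of Devuan's tooling: a POSIX shell helper that applies the quoted `ssh -G` check only when the OpenSSH version is 6.7 or earlier. The function names, verdict strings and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate the quoted "ssh -G" check on the OpenSSH version.

# Print "MAJOR MINOR" for `ssh -V 2>&1` output ("OpenSSH_9.2p1 ...") or a
# Debian package version ("1:9.2p1-2+deb12u3"); return 1 if unparseable.
openssh_major_minor() {
    v=${1#OpenSSH_}        # drop the `ssh -V` prefix if present
    v=${v%%[ ,]*}          # keep only the first token
    v=${v#*:}              # drop a Debian epoch such as "1:"
    case $v in *.*) ;; *) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) return 1 ;;
    esac
    echo "$major $minor"
}

# Exit 0 if VERSION is 6.7 or earlier, 1 if newer, 2 if it cannot be parsed.
ssh_g_test_applies() {
    mm=$(openssh_major_minor "$1") || return 2
    set -- $mm
    [ "$1" -lt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -le 7 ]; }
}

# classify_ssh_g VERSION SSH_G_OUTPUT -> prints a verdict (hypothetical names).
classify_ssh_g() {
    if ssh_g_test_applies "$1"; then
        case $2 in
            *"illegal option -- G"*) echo "matches-clean-output" ;;
            *) echo "differs-from-clean-output" ;;
        esac
    else
        case $? in
            1) echo "test-not-applicable" ;;   # -G is a real option here
            *) echo "version-unparsed" ;;
        esac
    fi
}

# Constructed samples: version string | captured `ssh -G 2>&1` output.
# On a live host: classify_ssh_g "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
while IFS='|' read -r ver out; do
    printf '%-34s %s\n' "$ver" "$(classify_ssh_g "$ver" "$out")"
done <<'EOF'
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2|ssh: illegal option -- G
1:9.2p1-2+deb12u3|usage: ssh ... (constructed placeholder)
EOF
```

A `test-not-applicable` verdict means the `-G` output says nothing either way, which is the situation for every OpenSSH version in the table above.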



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun Nov 10 03:02:13 2024;