Devuan bug report logs - #858
Detection of Ebury malware in Devuan system

Packages: live, 5.0, daedalus, cd; Maintainer for live is (unknown); Maintainer for 5.0 is (unknown); Maintainer for daedalus is (unknown); Maintainer for cd is (unknown);

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Wed, 4 Sep 2024 09:47:16 UTC

Severity: normal

Done: Mark Hindley <mark@hindley.org.uk>

Full log


X-Loop: owner@bugs.devuan.org
Subject: bug#858: [devuan-dev] bug#858: Detection of ebury malware in debuan system
Reply-To: tempforever <dev1@tempforever.com>, 858@bugs.devuan.org
Resent-From: tempforever <dev1@tempforever.com>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: devuan-dev@lists.dyne.org
X-Loop: owner@bugs.devuan.org
Resent-Date: Wed, 04 Sep 2024 16:26:02 +0000
Resent-Message-ID: <handler.858.B858.172546713613233@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: followup 858
X-Devuan-PR-Package: daedalus 5.0  live cd
X-Devuan-PR-Keywords: 
References: <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM> <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM>
Received: via spool by 858-submit@bugs.devuan.org id=B858.172546713613233
          (code B ref 858); Wed, 04 Sep 2024 16:26:02 +0000
Received: (at 858) by bugs.devuan.org; 4 Sep 2024 16:25:36 +0000
Delivered-To: bugs@devuan.org
Received: from email.devuan.org [2a01:4f9:fff1:13::5fd9:f9e4]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 04 Sep 2024 16:25:36 +0000 (UTC)
Received: from email.devuan.org
	by email.devuan.org with LMTP
	id cEfNOKiJ2GZkTQAAmSBk0A
	(envelope-from <dev1@tempforever.com>)
	for <bugs@devuan.org>; Wed, 04 Sep 2024 16:24:08 +0000
Received: by email.devuan.org (Postfix, from userid 109)
	id CCB505A2; Wed,  4 Sep 2024 16:24:08 +0000 (UTC)
Authentication-Results: email.devuan.org;
	dkim=pass (1024-bit key; unprotected) header.d=tempforever.com header.i=@tempforever.com header.a=rsa-sha256 header.s=domkey header.b=Oc4JLJGY;
	dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,NICE_REPLY_A,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
	autolearn_force=no version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=185.144.158.117; helo=tempforever.com; envelope-from=dev1@tempforever.com; receiver=<UNKNOWN> 
Received: from tempforever.com (tempforever.com [185.144.158.117])
	by email.devuan.org (Postfix) with ESMTP id B4F4F4F
	for <858@bugs.devuan.org>; Wed,  4 Sep 2024 16:24:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tempforever.com;
	s=domkey; t=1725467045;
	bh=F2o7g6ZFR55IEcZ75SsiK19v7kILjxeJHZIX9W63tEk=;
	h=Subject:To:References:From:Date:In-Reply-To:From;
	b=Oc4JLJGYTqA1AxqB5cnOD/1D3GEYgP8cILMRUUmKx39dCjsHnWrBZJOnxljIW8uDU
	 GgAbCCVQldEcypAB0AoEatrzcVi3eMkKXlE//rmreM5zlrnxX2ddv4egI70WiOrCpb
	 gvfN37fKvrrqDztMcKY5sTt5M6Oqwovjf3TC7FlU=
Received: from [192.168.2.10] (unknown [192.168.2.10])
	by tempforever.com (Postfix) with ESMTPSA id E50F560040
	for <858@bugs.devuan.org>; Wed,  4 Sep 2024 12:24:04 -0400 (EDT)
To: 858@bugs.devuan.org
From: tempforever <dev1@tempforever.com>
Message-ID: <6fc1d1fd-6a15-2dd1-6cf8-86001a26319f@tempforever.com>
Date: Wed, 4 Sep 2024 12:24:04 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Firefox/91.0 SeaMonkey/2.53.15
MIME-Version: 1.0
In-Reply-To: <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

FYI the "ssh -G" is listed on this page
https://github.com/eset/malware-ioc/tree/master/windigo

The section is "Linux/Ebury v1.4 and earlier" with a couple of notices. 
One notice is that Ebury v1.4 is no longer deployed and most of the
indicators below no longer work.  Another notice is that this technique
only works with OpenSSH 6.7 or earlier.  OpenSSH 6.8 adds a legitimate
usage for the -G flag.  This is even shown in the first line of the output:
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
There are other detection methods listed for newer versions of OpenSSH.
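The point of the reply above is that the `ssh -G` indicator only means anything on OpenSSH 6.7 or earlier, because 6.8 made `-G` a documented option and the usage line now lists `G` legitimately. The POSIX shell script below is an added example, not code from the bug report, from Devuan, or from ESET's malware-ioc repository: it gates the check on the `ssh -V` banner before interpreting the first line that `ssh -G` prints, so a modern Devuan install is reported as "not-applicable" rather than as a hit. The function names and the banner and output strings used in the comments are my own constructed inputs.

```shell
#!/bin/sh
# Added example (not from the bug report, Devuan, or ESET's IoC repository):
# gate the legacy "ssh -G" Ebury indicator on the installed OpenSSH version,
# so the legitimate -G option that OpenSSH 6.8 introduced is not mistaken
# for a tampered binary.

# Print "major.minor" from an `ssh -V` banner, e.g. the constructed banner
# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023" -> "9.2".
# Prints nothing if the banner does not look like an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Print "yes" when the -G indicator is meaningful (OpenSSH 6.7 or earlier,
# where -G was not a documented option), "no" for 6.8 and later, and
# "unknown" when the banner cannot be parsed.
g_indicator_applies() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -le 7 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Combine the version banner with the first line that `ssh -G` printed and
# classify the pair as: not-applicable, expected, suspicious, or unknown.
classify_g_check() {
    banner=$1
    first_line=$2
    case $(g_indicator_applies "$banner") in
        no)      echo not-applicable ;;   # 6.8+: usage text legitimately lists G
        unknown) echo unknown ;;
        yes)
            # Pull the short-option cluster out of a "usage: ssh [-...]" line.
            opts=$(printf '%s\n' "$first_line" | sed -n 's/^usage: ssh \[\([^]]*\)].*/\1/p')
            if [ -n "$opts" ]; then
                case $opts in
                    # usage text advertising G on a release that never
                    # documented -G is the anomaly worth reporting
                    *G*) echo suspicious ;;
                    *)   echo expected ;;
                esac
            else
                case $first_line in
                    # the flag being rejected is the normal pre-6.8 behaviour
                    *option*) echo expected ;;
                    *)        echo unknown ;;
                esac
            fi ;;
    esac
}

# Live check against the local binary, opt-in via "--live"; `ssh -G` with
# no host argument only makes ssh print its usage or reject the flag.
if [ "${1:-}" = "--live" ] && command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    first=$(ssh -G 2>&1 | head -n 1)
    printf '%s\n%s\n%s\n' "$banner" "$first" "$(classify_g_check "$banner" "$first")"
fi
```

Run it with `--live` to classify the local `ssh`; on any current Devuan release the answer is "not-applicable", which is exactly the false positive the reply warns about. The version gate is the part worth keeping if you fold the check into a wider host-integrity script alongside the newer indicators ESET lists.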



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Sep 20 00:00:14 2024;