Devuan bug report logs - #858
Detection of Ebury malware in Devuan system

Packages: live, cd, 5.0, daedalus; Maintainer for live is (unknown); Maintainer for cd is (unknown); Maintainer for 5.0 is (unknown); Maintainer for daedalus is (unknown);

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Wed, 4 Sep 2024 09:47:16 UTC

Severity: normal

Done: Mark Hindley <mark@hindley.org.uk>

Full log


Message #15 received at 858@bugs.devuan.org:

Subject: Re: [devuan-dev] bug#858: Detection of ebury malware in debuan system
To: 858@bugs.devuan.org
References: <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM>
From: tempforever <dev1@tempforever.com>
Message-ID: <6fc1d1fd-6a15-2dd1-6cf8-86001a26319f@tempforever.com>
Date: Wed, 4 Sep 2024 12:24:04 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Firefox/91.0 SeaMonkey/2.53.15
MIME-Version: 1.0
In-Reply-To: <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FYI, "ssh -G" is listed on this page:
https://github.com/eset/malware-ioc/tree/master/windigo

The section is "Linux/Ebury v1.4 and earlier" with a couple of notices.
One notice is that Ebury v1.4 is no longer deployed and most of the
indicators below no longer work.  Another notice is that this technique
only works with OpenSSH 6.7 or earlier.  OpenSSH 6.8 adds a legitimate
usage for the -G flag.  This is even shown in the first line of the output:
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
There are other detection methods listed for newer versions of OpenSSH.
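As an added example (my own, not code from the report, the ESET repository or OpenSSH), here is the version caveat above turned into a check: it parses the `ssh -V` banner, applies the legacy `-G` indicator only on OpenSSH 6.7 or earlier, and reports it as not applicable on 6.8 and later where `-G` is a real flag. It assumes that a clean pre-6.8 client rejects `-G` with an "illegal option" or "unknown option" message, which is what the ESET one-liner greps for.

```sh
#!/bin/sh
# Added example: gate the legacy Ebury v1.4 "ssh -G" indicator on the
# OpenSSH version so a modern client is not misreported as infected.

# Parse "MAJOR MINOR" out of an "ssh -V" banner such as
# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.14 4 Jun 2024".
# Returns 1 if the banner is not an OpenSSH banner.
openssh_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# 0: indicator applies (OpenSSH <= 6.7); 1: -G is legitimate (6.8+);
# 2: version banner could not be parsed.
g_flag_indicator_applies() {
    ver=$(openssh_version "$1") || return 2
    set -- $ver
    [ "$#" -eq 2 ] || return 2
    if [ "$1" -lt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -le 7 ]; }; then
        return 0
    fi
    return 1
}

# Interpret captured "ssh -G 2>&1" output from an OpenSSH <= 6.7 host.
# A clean client rejects the flag; Ebury v1.4 accepted it (assumed wording
# of the rejection message, as used by the ESET indicator).
interpret_g_output() {
    case $1 in
        *"illegal option"*|*"unknown option"*) echo clean ;;
        *) echo suspicious ;;
    esac
}

# Run the gated check against the local ssh binary.
check_local_ssh() {
    banner=$(ssh -V 2>&1)
    rc=0; g_flag_indicator_applies "$banner" || rc=$?
    case $rc in
        0) echo "$(interpret_g_output "$(ssh -G 2>&1)"): legacy -G indicator on $banner" ;;
        1) echo "not applicable: $banner accepts -G legitimately; use the newer indicators" ;;
        *) echo "unknown: could not parse ssh version banner: $banner" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then check_local_ssh; fi
```

Invoke with `--run` on the host being examined; a "suspicious" result on a pre-6.8 client is a prompt to apply the current ESET indicators, not a verdict on its own.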


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Sep 19 23:50:15 2024;