Devuan bug report logs - #858
Detection of Ebury malware in Devuan system

Packages: daedalus, live, cd, 5.0; Maintainer for daedalus is (unknown); Maintainer for live is (unknown); Maintainer for cd is (unknown); Maintainer for 5.0 is (unknown);

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Wed, 4 Sep 2024 09:47:16 UTC

Severity: normal

Done: Mark Hindley <mark@hindley.org.uk>

Full log


Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Subject: Detection of ebury malware in debuan system
Thread-Topic: Detection of ebury malware in debuan system
Thread-Index: AQHa/qoc/btpJq/b8kmQFBt7nz5j9g==
Date: Wed, 4 Sep 2024 09:44:36 +0000
Message-ID:
 <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM>
[Message part 1 (text/plain, inline)]
Package: Daedalus 5.0 live cd

Hi!

I was reading the information about this malware on the site

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

also in

https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

I followed the links to run the test, which is:

https://github.com/eset/malware-ioc/tree/master/windigo


In one part the information indicates:


The command ssh -G has a different behavior on a system with Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will print

$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

to stderr but an infected server will only print the usage (note the missing ssh: illegal option -- G):

$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

One can use the following command to determine if the server he is on is compromised:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"


I did the test and found that the Daedalus 5.0 live CD OS has this bug/malware/issue. I attach some screenshots
of my test, and the test:

A) The version of the OS
devuan@devuan:~$ uname -a
Linux devuan 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64 GNU/Linux


B) The ssh test
devuan@devuan:~$ ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]


This indicates that the system has the Ebury malware



C) In a clearer test
devuan@devuan:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected




I appreciate the time you take to read and solve this issue. Thanks in advance
and have a nice day.

[Message part 2 (text/html, inline)]
[Test_version-1.png (image/png, attachment)]
[Test_2.png (image/png, attachment)]
[Test_3.png (image/png, attachment)]
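An added example, not part of the report, of ESET's IOC repository or of Devuan's packages. The ESET text quoted in the report scopes the ssh -G heuristic to OpenSSH 6.7 or earlier. OpenSSH 6.8 introduced -G as a real option (it dumps the effective client configuration), which is why the usage line pasted in the report lists G among the accepted flags; on any OpenSSH 6.8 or later client, compromised or not, the unscoped one-liner therefore prints "System infected". The script below, written for this page, applies ESET's rule only when ssh -V reports 6.7 or earlier and answers "not-applicable" otherwise. The function names are mine, and the version banners and usage lines in demo() are constructed samples, not captured output.

```sh
#!/bin/sh
# Version-gated variant of the "ssh -G" Ebury heuristic quoted above.
# Added example; this is not ESET's IOC script and not Devuan code.
# The version strings and usage lines in demo() are constructed samples.

# Extract "major.minor" from an `ssh -V` banner, e.g.
# "OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023" -> "9.2".
# Prints nothing if the line is not an OpenSSH banner.
parse_openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_le A B: true (exit 0) when major.minor A <= B, e.g. "6.7" <= "6.7".
version_le() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    if [ "$maj1" -lt "$maj2" ]; then return 0; fi
    if [ "$maj1" -eq "$maj2" ] && [ "$min1" -le "$min2" ]; then return 0; fi
    return 1
}

# classify_ssh_g VERSION_LINE G_OUTPUT
# Applies ESET's rule only where it is defined (OpenSSH 6.7 or earlier):
#   clean           : old OpenSSH rejected -G ("illegal"/"unknown option")
#   infected        : old OpenSSH silently accepted -G (Ebury's patched client)
#   not-applicable  : OpenSSH 6.8+ implements -G, so the heuristic says nothing
#   unknown-version : could not parse the ssh -V banner
classify_ssh_g() {
    ver=$(parse_openssh_version "$1")
    if [ -z "$ver" ]; then echo unknown-version; return 0; fi
    if ! version_le "$ver" "6.7"; then echo not-applicable; return 0; fi
    if printf '%s\n' "$2" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo infected
    fi
}

# Live check on the current host (needs a real ssh binary). Both ssh -V and
# ssh -G write to stderr, hence the 2>&1.
check_live_host() {
    classify_ssh_g "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
}

# Offline demonstration on constructed samples (no ssh binary required).
demo() {
    modern_v='OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.11 19 Sep 2023'
    modern_g='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]'
    old_v='OpenSSH_6.7p1 Debian-5, OpenSSL 1.0.1t'
    old_clean_g='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
    old_bad_g='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
    echo "modern client, -G in usage: $(classify_ssh_g "$modern_v" "$modern_g")"
    echo "6.7 client, rejects -G:     $(classify_ssh_g "$old_v" "$old_clean_g")"
    echo "6.7 client, accepts -G:     $(classify_ssh_g "$old_v" "$old_bad_g")"
}

if [ "${1:-}" = "--live" ]; then check_live_host; else demo; fi
```

Run it without arguments for the offline demonstration, or with --live to classify the host it runs on. On a Daedalus system the live run reports not-applicable, which is the honest answer for this heuristic on a modern OpenSSH; other indicators in the ESET repository (shared-memory segments, libkeyutils, the ssh client's exit code behaviour) are the ones that still apply there.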



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Nov 22 20:10:39 2024;