Devuan bug report logs - #858
Detection of ebury malware in debuan system

Packages: 5.0, cd, daedalus, live; Maintainer for 5.0 is (unknown); Maintainer for cd is (unknown); Maintainer for daedalus is (unknown); Maintainer for live is (unknown);

Reported by: Alter Kim <alter-kim@hotmail.com>

Date: Wed, 4 Sep 2024 09:47:16 UTC

Severity: normal

Done: Mark Hindley <mark@hindley.org.uk>

Full log


🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Mark Hindley <mark@hindley.org.uk>
Subject: bug#858: marked as done (Detection of ebury malware in debuan system)
Message-ID: <handler.858.D858.172545778125273.ackdone@bugs.devuan.org>
References: <ZthlHNiTm2NYyxLj@hindley.org.uk>
 <MW5PR84MB225042878AAF32BCAA315B2FE39C2@MW5PR84MB2250.NAMPRD84.PROD.OUTLOOK.COM>
X-Devuan-PR-Message: closed 858
X-Devuan-PR-Package: daedalus 5.0  live cd
Reply-To: 858@bugs.devuan.org
Date: Wed, 04 Sep 2024 13:50:01 +0000
Content-Type: multipart/mixed; boundary="----------=_1725457801-25312-0"
[Message part 1 (text/plain, inline)]
Your message dated Wed, 4 Sep 2024 14:48:12 +0100
with message-id <ZthlHNiTm2NYyxLj@hindley.org.uk>
and subject line Re: bug#858: Detection of ebury malware in debuan system
has caused the Devuan bug report #858,
regarding Detection of ebury malware in debuan system
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.devuan.org
immediately.)


-- 
858: https://bugs.devuan.org/cgi/bugreport.cgi?bug=858
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Alter Kim <alter-kim@hotmail.com>
To: "submit@bugs.devuan.org" <submit@bugs.devuan.org>
Subject: Detection of ebury malware in debuan system
Date: Wed, 4 Sep 2024 09:44:36 +0000
[Message part 3 (text/plain, inline)]
Package:  Daedalus 5.0  live cd

 Hi !

 I was reading the information of this malware in the site of

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

also in

https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

I follow the links to make the test that is;

https://github.com/eset/malware-ioc/tree/master/windigo


In one part the information indicates:


The command ssh -G has a different behavior on a system with Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will print

$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

to stderr but an infected server will only print the usage (note the missing ssh: illegal option -- G):

$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

One can use the following command to determine if the server he is on is compromised:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"


I did the test and found that the live cd  Daedalus 5.0  S.O have this bug/malware/issue, I attach some screenshots
of my test, and the test;

A) The version of the S.O
devuan@devuan:~$ uname -a
Linux devuan 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64 GNU/Linux


B ) The test of ssh
devuan@devuan:~$ ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]


This indicate tha the system have the ebury malware



C) In a clearer test
devuan@devuan:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected




I appreciated the time you take to read and solve this issue, thanks in advance
and have a nice day.










[Message part 4 (text/html, inline)]
[Test_version-1.png (image/png, attachment)]
[Test_2.png (image/png, attachment)]
[Test_3.png (image/png, attachment)]
[Message part 8 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: Alter Kim <alter-kim@hotmail.com>, 858-done@bugs.devuan.org
Subject: Re: bug#858: Detection of ebury malware in debuan system
Date: Wed, 4 Sep 2024 14:48:12 +0100
Alter,

Thanks for this.


On Wed, Sep 04, 2024 at 09:44:36AM +0000, Alter Kim wrote:
>    In one part the information indicates:
> 
>    The command ssh -G has a different behavior on a system with
>    Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will
>    print
> 
>    $ ssh -G
> 
>    ssh: illegal option -- G

I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):

openssh    | 1:7.9p1-10+deb10u2 | oldoldstable           | source
openssh    | 1:7.9p1-10+deb10u2 | oldoldstable-debug     | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports       | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports-debug | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable              | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable-debug        | source
openssh    | 1:9.2p1-2+deb12u3  | stable                 | source
openssh    | 1:9.2p1-2+deb12u3  | stable-debug           | source
openssh    | 1:9.8p1-8          | testing                | source
openssh    | 1:9.8p1-8          | unstable               | source
openssh    | 1:9.8p1-8          | unstable-debug         | source

-G is now a legitimate ssh option (see ssh(1)).

We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.

I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.

Best wishes

Mark

Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Fri Nov 22 20:32:18 2024;