Devuan bug report logs -
#858
Detection of ebury malware in debuan system
Full log
🔗
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your bug report
which was filed against the daedalus 5.0 live cd package:
#858: Detection of ebury malware in debuan system
It has been closed by Mark Hindley <mark@hindley.org.uk>.
Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.
--
858: https://bugs.devuan.org/cgi/bugreport.cgi?bug=858
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
Alter,
Thanks for this.
On Wed, Sep 04, 2024 at 09:44:36AM +0000, Alter Kim wrote:
> In one part the information indicates:
>
> The command ssh -G has a different behavior on a system with
> Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will
> print
>
> $ ssh -G
>
> ssh: illegal option -- G
I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):
openssh | 1:7.9p1-10+deb10u2 | oldoldstable | source
openssh | 1:7.9p1-10+deb10u2 | oldoldstable-debug | source
openssh | 1:8.4p1-2~bpo10+1 | buster-backports | source
openssh | 1:8.4p1-2~bpo10+1 | buster-backports-debug | source
openssh | 1:8.4p1-5+deb11u3 | oldstable | source
openssh | 1:8.4p1-5+deb11u3 | oldstable-debug | source
openssh | 1:9.2p1-2+deb12u3 | stable | source
openssh | 1:9.2p1-2+deb12u3 | stable-debug | source
openssh | 1:9.8p1-8 | testing | source
openssh | 1:9.8p1-8 | unstable | source
openssh | 1:9.8p1-8 | unstable-debug | source
-G is now a legitimate ssh option (see ssh(1)).
We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.
I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.
Best wishes
Mark
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Package: Daedalus 5.0 live cd
Hi !
I was reading the information of this malware in the site of
https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/
also in
https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/
I follow the links to make the test that is;
https://github.com/eset/malware-ioc/tree/master/windigo
In one part the information indicates:
The command ssh -G has a different behavior on a system with Linux/Ebury on OpenSSH version 6.7 or earlier. A clean server will print
$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port]
[-Q cipher | cipher-auth | mac | kex | key]
[-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user@]hostname [command]
to stderr but an infected server will only print the usage (note the missing ssh: illegal option -- G):
$ ssh -G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port]
[-Q cipher | cipher-auth | mac | kex | key]
[-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user@]hostname [command]
One can use the following command to determine if the server he is on is compromised:
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
I did the test and found that the live cd Daedalus 5.0 S.O have this bug/malware/issue, I attach some screenshots
of my test, and the test;
A) The version of the S.O
devuan@devuan:~$ uname -a
Linux devuan 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64 GNU/Linux
B ) The test of ssh
devuan@devuan:~$ ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
[-i identity_file] [-J [user@]host[:port]] [-L address]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] destination [command [argument ...]]
This indicate tha the system have the ebury malware
C) In a clearer test
devuan@devuan:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
I appreciated the time you take to read and solve this issue, thanks in advance
and have a nice day.
[Message part 5 (text/html, inline)]
[Test_version-1.png (image/png, attachment)]
[Test_2.png (image/png, attachment)]
[Test_3.png (image/png, attachment)]
Send a report that this bug log contains spam.
