Re: Re: Unix.Trojan.Vali-6606621-0 FOUND
It's 99% a false positive from ClamAV, because I found this on one of my servers, so I ordered a fresh new one, and after distro updates I only installed ClamAV and did a full scan, and it reported systemd-mount as infected.
Re: Unix.Trojan.Vali-6606621-0 FOUND
On Sat, Jul 14, 2018 at 05:50:19PM +0200, Hubert Hauser wrote:
> Hello!
>
> Here's my /etc/apt/sources.list:
[...]
> I don't download anything outside of the above lists.

Then debsums is your friend (if you trust Debian, that is).

Cheers
-- tomás
Re: Unix.Trojan.Vali-6606621-0 FOUND
On 07/14/2018 11:50 AM, Hubert Hauser wrote:
> Hello!

Please don't top post.

Ric
--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html
Re: Unix.Trojan.Vali-6606621-0 FOUND
Hi!

I would like to include results from VirusTotal:

https://www.virustotal.com/#/file/3a17685ad710bcec4cb19238a60cc48675f1af5526e3b254dc092e8404f33e4f/detection
https://www.virustotal.com/#/file/939f9091292841910b59ba626a17070c0d2b823b6915ae3fbdbfabdc12eb1f06/detection

Only ClamAV detects a virus. It seems to me like a false positive. Is ClamAV a good enough antivirus these days?

--
Best wishes,
Hubert Hauser.

On 14/07/18 17:50, Hubert Hauser wrote:
> Hello!
>
> Here's my /etc/apt/sources.list:
>
> deb http://deb.debian.org/debian stable main
> deb-src http://deb.debian.org/debian stable main
> deb http://deb.debian.org/debian stable-updates main
> deb-src http://deb.debian.org/debian stable-updates main
> deb http://security.debian.org/ stable/updates main
> deb-src https://security.debian.org/ stable/updates main
>
> I don't download anything outside of the above lists.
>
> --
> Best regards,
> Hubert Hauser.
>
> On 14/07/18 17:41, to...@tuxteam.de wrote:
>> On Sat, Jul 14, 2018 at 04:52:50PM +0200, Hubert Hauser wrote:
>>> Hello!
>>>
>>> I have recently received the following mail from root:
>>>
>>> Please see the log file attached.
>>>
>>> clamav-2018-07-14.log
>>>
>>> /usr/bin/messages.mailutils: Unix.Trojan.Vali-6606621-0 FOUND
>>> /usr/bin/systemd-mount: Unix.Trojan.Vali-6606621-0 FOUND
>>
>> Hm. Throwing that into a search engine of my trust (no, not Google)
>> turns up lots of strange-looking websites.
>>
>> If you have installed all your packages from a trusted source (what's
>> in your /etc/apt/sources.list?), you might want to double-check with
>> debsums whether those files mentioned by clamav have changed from the
>> original.
>>
>> With dpkg -S you can find out which package those files came with.
>>
>> Cheers
>> -- tomás
Re: Unix.Trojan.Vali-6606621-0 FOUND
Hello!

Here's my /etc/apt/sources.list:

deb http://deb.debian.org/debian stable main
deb-src http://deb.debian.org/debian stable main
deb http://deb.debian.org/debian stable-updates main
deb-src http://deb.debian.org/debian stable-updates main
deb http://security.debian.org/ stable/updates main
deb-src https://security.debian.org/ stable/updates main

I don't download anything outside of the above lists.

--
Best regards,
Hubert Hauser.

On 14/07/18 17:41, to...@tuxteam.de wrote:
> On Sat, Jul 14, 2018 at 04:52:50PM +0200, Hubert Hauser wrote:
>> Hello!
>>
>> I have recently received the following mail from root:
>>
>> Please see the log file attached.
>>
>> clamav-2018-07-14.log
>>
>> /usr/bin/messages.mailutils: Unix.Trojan.Vali-6606621-0 FOUND
>> /usr/bin/systemd-mount: Unix.Trojan.Vali-6606621-0 FOUND
>
> Hm. Throwing that into a search engine of my trust (no, not Google)
> turns up lots of strange-looking websites.
>
> If you have installed all your packages from a trusted source (what's
> in your /etc/apt/sources.list?), you might want to double-check with
> debsums whether those files mentioned by clamav have changed from the
> original.
>
> With dpkg -S you can find out which package those files came with.
>
> Cheers
> -- tomás
Re: Unix.Trojan.Vali-6606621-0 FOUND
On 18-07-14 16:52:50, Hubert Hauser wrote:
> /usr/bin/messages.mailutils: Unix.Trojan.Vali-6606621-0 FOUND
> /usr/bin/systemd-mount: Unix.Trojan.Vali-6606621-0 FOUND

For what it's worth, this has also come up on the Arch Mailing List. I've also seen it on Gentoo [0] and Linux Questions [1]. The packages aren't the same but the flagged virus is.

[0] https://forums.gentoo.org/viewtopic-p-8240598.html?sid=cd126a3cc81b2c0c114ae7fcd962f1af
[1] https://www.linuxquestions.org/questions/showthread.php?p=5878457#post5878457
Re: Unix.Trojan.Vali-6606621-0 FOUND
On Sat, Jul 14, 2018 at 04:52:50PM +0200, Hubert Hauser wrote:
> Hello!
>
> I have recently received the following mail from root:
>
> Please see the log file attached.
>
> clamav-2018-07-14.log
>
> /usr/bin/messages.mailutils: Unix.Trojan.Vali-6606621-0 FOUND
> /usr/bin/systemd-mount: Unix.Trojan.Vali-6606621-0 FOUND

Hm. Throwing that into a search engine of my trust (no, not Google)
turns up lots of strange-looking websites.

If you have installed all your packages from a trusted source (what's
in your /etc/apt/sources.list?), you might want to double-check with
debsums whether those files mentioned by clamav have changed from the
original.

With dpkg -S you can find out which package those files came with.

Cheers
-- tomás
Re: Unix.Trojan.Vali-6606621-0 FOUND
On Saturday, 14 July 2018, 16:52:50 CEST, Hubert Hauser wrote:

Hi Hubert,

it is not certain that this is really a virus. A virus scanner just looks at signatures which look like a virus.

However, you may check for differences between the original package and your installed binaries. If there are none, you may also check the source code (if you are a coder).

If you are unsure, you may ask the Debian security team for help (if you are using debian/stable).

The packages you are looking for are "mailutils" and "systemd".

apt-file search /usr/bin/messages.mailutils
apt-file search /usr/bin/systemd-mount

Hope this helps.

Best regards

Hans

> Hello!
>
> I have recently received the following mail from root:
>
> Please see the log file attached.
>
> clamav-2018-07-14.log
>
> /usr/bin/messages.mailutils: Unix.Trojan.Vali-6606621-0 FOUND
> /usr/bin/systemd-mount: Unix.Trojan.Vali-6606621-0 FOUND
>
> --- SCAN SUMMARY ---
>
> Known viruses: 9549712
> Engine version: 0.99.4
> Scanned directories: 22397
> Scanned files: 98762
> Infected files: 2
> Total errors: 18457
> Data scanned: 4463.86 MB
> Data read: 4123.41 MB (ratio 1.08:1)
> Time: 927.686 sec (15 m 27 s)
>
> Which package can contain this virus? What should I do to remove it? Is
> it a serious threat?
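Two replies in this thread (tomás's "double-check with debsums" and Hans's "check for differences between the original package and your installed binaries") describe the same triage step: before treating a ClamAV hit on a distribution binary as an infection, confirm whether the file on disk still matches what the package shipped. On a real Debian box that is `dpkg -S /usr/bin/systemd-mount` to find the owning package and then `debsums -c systemd` to list changed files, where debsums compares each file against the MD5 list in /var/lib/dpkg/info/<package>.md5sums. The script below is an added example, not code from the thread or from the debsums project: it re-implements that comparison on a constructed directory tree (two stand-in files named after the flagged binaries, a checksum list in dpkg's format, and one file modified after the list was recorded), so it runs offline and shows exactly what a "FAILED" line means. The file contents, the temporary root and the list name demo.md5sums are all constructed for the demo.

```shell
#!/bin/sh
# Added example: the core of a debsums-style integrity check, run against a
# constructed tree instead of / so it works anywhere. Real debsums reads
# /var/lib/dpkg/info/<package>.md5sums; the list format is the same here.

# verify_md5sums ROOT LISTFILE
#   LISTFILE holds one "<md5>  <path relative to ROOT>" line per file.
#   Prints OK / FAILED / MISSING per entry and returns the number of entries
#   that did not verify (0 means every listed file still matches).
verify_md5sums() {
    root=$1
    list=$2
    bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue            # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK $path"
        else
            echo "FAILED $path"
            bad=$((bad + 1))
        fi
    done < "$list"
    return "$bad"
}

# make_demo
#   Builds a constructed stand-in for an installed tree: two files named
#   after the ones ClamAV flagged, a checksum list recorded in dpkg's format,
#   then one file altered after recording so the check has something to
#   report. Prints the temporary root directory.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf 'constructed stand-in for systemd-mount\n' > "$root/usr/bin/systemd-mount"
    printf 'constructed stand-in for messages.mailutils\n' > "$root/usr/bin/messages.mailutils"
    # dpkg's md5sums format: checksum, two spaces, path without a leading slash.
    (cd "$root" && md5sum usr/bin/systemd-mount usr/bin/messages.mailutils) > "$root/demo.md5sums"
    # Change one file after its checksum was recorded; debsums reports a
    # corrupted or replaced binary in exactly this way.
    printf 'extra bytes\n' >> "$root/usr/bin/systemd-mount"
    echo "$root"
}

# Usage: check the constructed tree and report how many files did not verify.
demo_root=$(make_demo)
verify_md5sums "$demo_root" "$demo_root/demo.md5sums"
echo "files that did not verify: $?"
rm -rf "$demo_root"
```

One caveat a responder should keep in mind: the md5sums list lives on the same machine as the binaries, so on a box that really had been compromised with root privileges both could have been altered together. A clean result from debsums is therefore good evidence for the false-positive reading the thread converges on, but the stronger version of Hans's advice is to fetch the package again (for example with `apt-get download systemd`) and compare the binaries inside the fresh .deb with the installed ones.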