The officially official Devuan Forum!

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

malware on devuan repos or false positives?

earlier today, got an lmd (linux malware detect) notification from the devuan packages mirror, that some file were infected and quarantined.
re-downloaded those files from a couple of other mirrors, still the same results with clamav+clamav-unofficial-sigs.

virustotal doesn't report any malware, but i'm not sure, they're using unofficial ruleset for clamav checks. strange that no other antivirus finds it though.

can some repository admin (or project member), verify these files (in reality these are gzipped Contents-$arch) ?
are those false positives perhaps?

thx in advance,

FILE HIT LIST:
{YARA}r57shell_php_php : /path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/e8b658bc0b30120109470ac5b20c8be088f56b9024a49285c76d41d8694e2ce2
{YARA}r57shell_php_php : /path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/fe1a7fca9e67d2677bbe17c44db8bd283dd382d76552f4bc40e67eb8fb0f7375
{YARA}r57shell_php_php : /path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/e71a5fb0e45c4eecd8d884b9340eed1309e0f549ee58a0a781b6d001437d3649
{YARA}r57shell_php_php : /path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/937166aadc617d54976267ff9269c38a3ccfe65b2b08e961756682c95f7b5b52
{YARA}r57shell_php_php : /path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/29e3bede56b3b753c04f7afbb1eba55ee9f8ab994a20e6ee6d88b4f5dacb539a
{YARA}r57shell_php_php : /path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/2832da4d5d778be5ef448f6ab32506ac5d39be77e77938d63ca64a445e1c5059

czeekaj

Member

Registered: 2019-06-12

Posts: 154  

Re: malware on devuan repos or false positives?

possible for gzip to provide a different hash depending on gzip version?

pcalvert

Member

Registered: 2017-05-15

Posts: 195  

Re: malware on devuan repos or false positives?

virustotal doesn't report any malware, but i'm not sure, they're using unofficial ruleset for clamav checks. strange that no other antivirus finds it though.

Only two of those have been submitted to VirusTotal. I searched VirusTotal for all of them, and only found these two:

https://www.virustotal.com/gui/file/fe1 … b8fb0f7375
https://www.virustotal.com/gui/file/29e … f5dacb539a

By the way, thanks for posting about this. I had never read about Linux Malware Detect (LMD) until I read your post.

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

aluma

Member

Registered: 2022-10-26

Posts: 533  

Re: malware on devuan repos or false positives?

No security vendors and no sandboxes flagged this file as malicious  

https://www.virustotal.com/gui/file/fe1 … 75/summary

steve_v

Member

Registered: 2018-01-11

Posts: 343  

Re: malware on devuan repos or false positives?

Is this a troll, or are we really asking if gzipped package digests are malware?
The mind boggles.

---

Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

possible for gzip to provide a different hash depending on gzip version?

nice catch, but no. hash is not similar to any other malware (if i understand correctly what you said).

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

Only two of those have been submitted to VirusTotal. I searched VirusTotal for all of them, and only found these two:
By the way, thanks for posting about this. I had never read about Linux Malware Detect (LMD) until I read your post.

personally submitted those to VT. clean there, only clamav unofficial sigs reports malware.

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

Is this a troll, or are we really asking if gzipped package digests are malware?
The mind boggles.

question was about gzip package reported as malware, not digests.
and btw, do you check every gzip package content you use? how do you know its only digests?

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

anyway, put them on ignore list, didn't see anything alarming while examining packages.
---
would be nice to get feedback though. but "mirror master" seems absent. :
pkgmaster ip changes once again - no notification to mirror operators,
mirror mailing list doesn't work (no messages get through..),
a simple question about reported malware in contents, doesn't get any official feedback
what's up?

EDX-0

Member

Registered: 2020-12-12

Posts: 54  

Re: malware on devuan repos or false positives?

i mean, php is not great but calling it malware isn't a bit too much?

pcalvert

Member

Registered: 2017-05-15

Posts: 195  

Re: malware on devuan repos or false positives?

a simple question about reported malware in contents, doesn't get any official feedback
what's up?

If you haven't done so already, try the mailing list:

https://mailinglists.dyne.org/cgi-bin/m … stinfo/dng

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

ralph.ronnquist

Administrator

From: Battery Point, Tasmania, AUS

Registered: 2016-11-30

Posts: 1,131  

Re: malware on devuan repos or false positives?

The paths

/path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/e8b658bc0b30120109470ac5b20c8be088f56b9024a49285c76d41d8694e2ce2

et al are all compressed Packages files, i.e. so called "digests", and evidently that "tool" can't handle them.

steve_v

Member

Registered: 2018-01-11

Posts: 343  

Re: malware on devuan repos or false positives?

a simple question about reported malware in contents, doesn't get any official feedback
what's up?

Why should blindingly obvious false-positives from third-party software warrant an "official" response?
Do you expect official comment on bugs and deficiencies in every other random piece of software in existence as well, or is it just bugs in generic "anti malware" heuristics that warrant panic from everyone but the purveyor of such patterns?

This kind of pants-on-fire response to generic-pattern false-positives is an infuriatingly common waste of developer time, from people freaking out about one-man github projects tripping microsofts "uncommon software" filters, to anti-malware scanners trying to quarantine each other's pattern definitions, to generic matches on innocuous text files. It's all equally bullshit, and all a problem that needs to be dealt with by the anti-malware vendor (or an end-user whitelist), not the innocent party being smeared by these defective tools.

Last edited by steve_v (2023-10-20 00:31:08)

---

Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

zapper

Member

Registered: 2017-05-29

Posts: 856  

Re: malware on devuan repos or false positives?

False positives do occur by clamav supposedly,  but I don't think malware is in the debian repos. That sounds straight up nuts.

I could understand if people thought node, java or similar to have malware in it, or some of the linux frameworks that are heavily bloated, but even then, unixlike repos don't have the problems you described, at least 90% of the time anyhow.

Possibly less problematic if its a desktop/laptop and not a server.

Last edited by zapper (2023-10-20 03:04:22)

---

Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term  If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

If you haven't done so already, try the mailing list:

https://mailinglists.dyne.org/cgi-bin/m … stinfo/dng

dng is just a users general list, and toxic. unsubscribed years ago.
but there was another list for mirror operators. not currently working for reasons unknown.

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

i mean, php is not great but calling it malware isn't a bit too much?

where did you read that php is malware? maybe in another post, there was no such reference here. (?)

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

The paths

/path/to/mirror/devuan/merged/dists/chimaera-backports/main/by-hash/SHA256/e8b658bc0b30120109470ac5b20c8be088f56b9024a49285c76d41d8694e2ce2

et al are all compressed Packages files, i.e. so called "digests", and evidently that "tool" can't handle them.

that tool (clamav really) was running for years scanning all server files. this is the 1st time i got notifications and though i immediately thought of it as false positives, i guessed it'd be better to get official confirmation...
and not all "digests" give false positives notifications.

aluma

Member

Registered: 2022-10-26

Posts: 533  

Re: malware on devuan repos or false positives?

that tool (clamav really) was running for years scanning all server files. this is the 1st time i got notifications and though i immediately thought of it as false positives, i guessed it'd be better to get official confirmation...
and not all "digests" give false positives notifications.

Why is it needed if after years of use this is its first message and it’s false? Or am I missing something?

Regards.

pcalvert

Member

Registered: 2017-05-15

Posts: 195  

Re: malware on devuan repos or false positives?

Is LMD still alerting on those package digest files? I downloaded those files today, and then installed clamav and LMD. I ran maldet manually and had it analyze those files. It didn't find anything.

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

czeekaj

Member

Registered: 2019-06-12

Posts: 154  

Re: malware on devuan repos or false positives?

I'd be careful with some git repos or even possible for spoofing to MitM attack package distribution.

Ideally if you had a rsync of a mirror locally you could update systems through a lan connection much more securely without having to go through internet hoops.

pcalvert

Member

Registered: 2017-05-15

Posts: 195  

Re: malware on devuan repos or false positives?

I'd be careful with some git repos or even possible for spoofing to MitM attack package distribution.

Some Debian derivatives (e.g., Kicksecure) run apt through Tor to help prevent such attacks. It seems like a good idea, but I imagine that some people will find that it is painfully slow, especially if they are accustomed to very fast internet access. A good VPN would almost certainly be faster.

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

steve_v

Member

Registered: 2018-01-11

Posts: 343  

Re: malware on devuan repos or false positives?

TOR is not a "MitM" defence, it's an anonymous routing network. Thrashing said network with generic bulk traffic that has no need for anonymisation achieves nothing but making the network slower for everyone.
Since I'm running a TOR node, that means your "good idea" is potentially wasting my bandwidth.

APT already has release signing and package checksums, specifically to combat MitM attacks. If you want in-transit encryption as well, use an HTTPS mirror, that's what they're for.
If you're extra paranoid you can always verify packages certificates and signing keys manually, but unless you're inside a network that blocks normal access to the repository mirrors or have a pressing need to hide the fact that you are running Devuan, using TOR is just stupid.

Seriously, the amount of ridiculous tinfoil-hat "security" misadvice floating about these days is just tiring. Stop already.

---

Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

pcalvert

Member

Registered: 2017-05-15

Posts: 195  

Re: malware on devuan repos or false positives?

that tool (clamav really) was running for years scanning all server files. this is the 1st time i got notifications and though i immediately thought of it as false positives, i guessed it'd be better to get official confirmation...
and not all "digests" give false positives notifications.

In retrospect, I think it would have been better to contact the developer of LMD and ask him or her why LMD thinks that there is malicious PHP code in those files. That way, you would have a better chance of receiving an answer, and from the person most qualified to answer the question. And you would more than likely give the developer an opportunity to improve his software. It appears that someone else may have done that since the problem now seems to be gone (according to my testing).

---

Freespoke is a new search engine that respects user privacy and does not engage in censorship.
Another one is called Luxxle.

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

Why is it needed if after years of use this is its first message and it’s false? Or am I missing something?

yes, you're missing something, "1st message on devuan mirror files" is more accurate.

xinomilo

Unknown

Registered: 2017-07-02

Posts: 315  

Re: malware on devuan repos or false positives?

Is LMD still alerting on those package digest files? I downloaded those files today, and then installed clamav and LMD. I ran maldet manually and had it analyze those files. It didn't find anything.

did you install clamav-unofficial-sigs as well? that's what's giving the false positive. not default clamav signatures. and that's why virustotal doesn't report it either (they don't use unofficial sigs).

in my case, i put those files on ignore list, after examining them. don't know if lmd would report those again.