
Maldetect Log and other log question/s?


4 replies to this topic

#1 auto1571

auto1571

  • Members
  • 327 posts
  • Gender:Male
  • Local time:07:20 PM

Posted 12 August 2017 - 05:14 PM

Hi again,

 

I am currently on my brother's PC, which he asked me to have a look at. He is using Linux Mint Cinnamon (Ubuntu Edition). Basically, can anyone tell me if the following are false positives:

 

Malware Detect Log

 

 

FILE HIT LIST:
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-1.6.1/files/sigs/md5v2.dat
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-1.6.1/files/sigs/hex.dat
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-1.6.1/files/sigs/md5.dat
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-1.6.1/files/sigs/rfxn.ndb
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-1.6.1/files/sigs/rfxn.hdb
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-current.tar.gz

 

One thing I've noticed is that on the right are maldetect directories, which makes me think that for that reason alone they must be false positives.

 

 

 

Secondly, any help with this rkhunter log below would be great:

 

 

rkhunter -c --enable all --disable none --rwo #"This was the command I used."

Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable #"I understand that this is common with rkhunter."

Warning: The following processes are using deleted files: #"Not sure about these."
         Process: /usr/lib/firefox/firefox    PID: 17280    File: /dev/shm/org.chromium.lTZzzo
         Process: /usr/lib/firefox/firefox    PID: 17424    File: /dev/shm/org.chromium.2ZqJx0

 

 

#"also not sure about the following, although I think these too might be a common occurrence with rkhunter."
Warning: File '/tmp/mintUpdate/5nobdcfg' (score: 241) contains some suspicious content and should be checked.
Warning: File '/tmp/hsperfdata_root/11122' (score: 231) contains some suspicious content and should be checked.
Warning: Checking for files with suspicious contents [ Warning ]
Warning: Process '/sbin/dhclient' (PID 1202) is listening on the network.
Warning: Process '/usr/sbin/arpalert' (PID 1518) is listening on the network.
Warning: Suspicious file types found in /dev:
         /dev/shm/pulse-shm-3631982513: data
         /dev/shm/mono.16736: data
         /dev/shm/pulse-shm-4064380086: data
         /dev/shm/pulse-shm-279309449: data
         /dev/shm/pulse-shm-1315930689: data
         /dev/shm/pulse-shm-2368141916: data
         /dev/shm/pulse-shm-958827448: AmigaOS bitmap font
Warning: Hidden directory found: /etc/.java

 




#2 Al1000

Al1000

  • Global Moderator
  • 8,054 posts
  • Gender:Male
  • Location:Scotland
  • Local time:03:20 AM

Posted 13 August 2017 - 10:00 AM

Hi,

I would expect these all to be false positives, and suggest uploading any suspicious files to Virus Total.

#3 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 908 posts
  • Gender:Male
  • Local time:03:20 AM

Posted 14 August 2017 - 12:28 AM

For the first bunch of detections, see .... https://serverfault.com/questions/840052/clamav-and-maldet-are-these-quarantined-or-infected#840119

 

 

YARA is a tool used by various malware protections for creating descriptions of malware families based on textual or binary patterns. The detected malware, "Safe0ver Shell -Safe Mod Bypass By Evilc0der.php", seems to be a PHP webshell, an exploit tool that is most likely used to gain shell access on vulnerable servers running PHP.

However, the locations where the malware was found are directories where either ClamAV or MalDet store their signature files. Also, to be active, the detected malware should be in its original form (MIME type application/x-httpd-php), which it is not. The signature files must contain enough information about the malware in order to detect it, which may cause false positives when the signature files are scanned with a malware detection tool.

The output seems to be from ClamAV.

 

For the rkhunter "detections", as Al says, they're likely to be FP's, but if you're worried, scan them at VT where they'll be scanned by a battery of AV scanners, which will give you a much better idea as to whether they are actually infected or not.


Edited by Gary R, 14 August 2017 - 12:29 AM.
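The reasoning in Gary R's reply (a hit whose path is a signature database or the maldet tarball is the pattern being carried in the detection data, not a live PHP file) can be turned into a small triage script. This is an added example, not code from the thread or from maldet; the signature directories, the sample hit lines and the file contents it inspects are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample mirroring the maldet "FILE HIT LIST" format from the post,
# plus one hypothetical hit outside any signature directory.
SAMPLE_HITS = """\
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-1.6.1/files/sigs/md5v2.dat
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /home/user/maldetect-current.tar.gz
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /var/www/html/uploads/img.php
"""

HIT_RE = re.compile(r"^\{(?P<engine>[^}]+)\}(?P<sig>\S+) : (?P<path>.+)$")

# Directories that legitimately hold signature data (assumed defaults; adjust to your install).
SIGNATURE_DIRS = ("/usr/local/maldetect/sigs", "/var/lib/clamav")
# Path fragments identifying a maldet install tree or its distribution tarball.
MALDET_MARKERS = ("maldetect-", "/files/sigs/")
# Extensions used by maldet / ClamAV signature databases.
SIGNATURE_SUFFIXES = (".dat", ".ndb", ".hdb", ".cvd", ".cld")

def parse_hits(text):
    """Parse maldet hit lines into (engine, signature, path) tuples."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m["engine"], m["sig"], m["path"]))
    return hits

def classify_hit(path, content_head=b""):
    """Return 'likely-fp' for hits inside signature data, 'review' for anything else.
    content_head is the first few bytes of the file: real PHP source starts with a PHP open tag,
    whereas a signature database that merely contains the pattern does not."""
    p = PurePosixPath(path)
    if content_head.lstrip().startswith(b"<?"):
        return "review"  # actual PHP code matching a webshell rule: inspect it (VirusTotal, diff against upstream)
    in_sig_dir = any(str(p).startswith(d) for d in SIGNATURE_DIRS)
    is_maldet_asset = any(marker in str(p) for marker in MALDET_MARKERS)
    if in_sig_dir or is_maldet_asset or p.suffix in SIGNATURE_SUFFIXES:
        return "likely-fp"  # the pattern lives in detection data or the installer, not in active code
    return "review"

def triage(text, contents=None):
    """Map each hit path to a verdict; contents optionally supplies file heads keyed by path."""
    contents = contents or {}
    return {path: classify_hit(path, contents.get(path, b"")) for _, _, path in parse_hits(text)}
```

Run it over the real `maldet --report` output and read the heads of the flagged files with `head -c 64`; only the paths that come back as "review" need further checking.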


#4 auto1571

auto1571
  • Topic Starter

  • Members
  • 327 posts
  • Gender:Male
  • Local time:07:20 PM

Posted 14 August 2017 - 08:11 AM

Thanks for the help, guys.



#5 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 908 posts
  • Gender:Male
  • Local time:03:20 AM

Posted 14 August 2017 - 08:42 AM

You're welcome. :)





