Zebbeman n00b
Joined: 14 Jun 2003 Posts: 69
|
Posted: Fri Oct 14, 2016 2:25 pm Post subject: apr-util Xml.Exploit.CVE_2013_3860-3 FOUND |
|
|
Hello,
When I run clamscan on a new dev server I get a positive:
Code: |
~ # clamscan /usr/portage/distfiles/apr-util-1.5.4.tar.bz2
/usr/portage/distfiles/apr-util-1.5.4.tar.bz2: Xml.Exploit.CVE_2013_3860-3 FOUND
|
Then I did:
Code: |
~ # equery check apr-util
* Checking dev-libs/apr-util-1.5.4 ...
57 out of 57 files passed
|
I also get this from chkrootkit:
Code: |
~ # chkrootkit -q
fopen: No such file or directory
/bin/ls: cannot access write: No such file or directory
Possible Linux/Ebury - Operation Windigo installetd
Warning: Possible Slapper Worm installed (25851/sshd)
|
I found that ssh was checked with the old behavior of ssh -G regarding Linux/Ebury so I am guessing that is okay.
What do I do next? Am I infected? |
|
Apheus Guru
Joined: 12 Jul 2008 Posts: 422
|
|
Zebbeman n00b
Joined: 14 Jun 2003 Posts: 69
|
Posted: Fri Oct 14, 2016 3:29 pm Post subject: |
|
|
Thanks for your quick reply!
I saw that article and got stuck with Xml.Exploit.CVE_2013_3860-1 vs. Xml.Exploit.CVE_2013_3860-3 and was not sure it was the same (1 vs. 3). I could not identify Slapper, and I have checked Ebury in every way with no trace of actual infection, so I guess I am still partly concerned.
I will keep this open a while longer to see if anyone has any additional input.
Thanks! |
|