x0fis n00b
Joined: 30 May 2013 Posts: 10
Posted: Sun Jan 11, 2015 7:28 pm Post subject: Found malware by clamscan
Hello,
I'm running clamscan because something is spamming from our server (nothing in logs)
Code:
clamscan -r --bell -i
outputs
Code:
/usr/lib64/perl5/vendor_perl/5.20.1/LWP/UserAgent.pm: winnow.malware.ts.url.886558.UNOFFICIAL FOUND
/usr/portage/distfiles/libwww-perl-6.05.tar.gz: winnow.malware.ts.url.886558.UNOFFICIAL FOUND
Maybe UserAgent.pm is the attacker's file? Where can I find more information like what type of malware that is, what it does, etc.?
I want to remove these files. So rm /usr/portage/distfiles/libwww-perl-6.05.tar.gz and then emerge -C dev-perl/libwww-perl-6.50.0 which belongs to UserAgent.pm and then emerge dev-perl/libwww-perl-6.50.0 back?
Thank you!
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Mon Jan 12, 2015 12:50 am Post subject:
There's a distinct possibility that there's a false positive here... then again everyone who has libwww-perl-6.05.tar.gz may have the problem... I haven't tested this yet however...
Theoretically if the checksum on the tar.gz file matches the Gentoo repo, then emerging it again will still test positive. Try emerge -f libwww-perl and see if it downloads the same file again...
[EDIT]
I just freshclamed and scanned my copy of libwww-perl and there's no positive report on it...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
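The checksum comparison suggested in the reply above, as an added example that is not part of the thread: it checks a distfile's size and hashes against the `DIST` line of a package Manifest. It assumes the Manifest layout `DIST <name> <size> <HASH> <hex> ...` and, for this thread's tree path, that the Manifest would be /usr/portage/dev-perl/libwww-perl/Manifest; the file and Manifest line in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

# Manifest hash names this sketch can check; others (e.g. WHIRLPOOL) are skipped.
SUPPORTED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b}

def parse_dist_entries(manifest_text):
    """Return {filename: (size, {HASHNAME: hexdigest})} for each DIST line."""
    entries = {}
    for line in manifest_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "DIST":
            pairs = zip(f[3::2], (h.lower() for h in f[4::2]))
            entries[f[1]] = (int(f[2]), dict(pairs))
    return entries

def verify_distfile(path, manifest_text):
    """Return 'match', 'mismatch', 'unlisted' or 'unverifiable'."""
    entry = parse_dist_entries(manifest_text).get(os.path.basename(path))
    if entry is None:
        return "unlisted"
    size, hashes = entry
    wanted = {k: v for k, v in hashes.items() if k in SUPPORTED}
    if not wanted:
        return "unverifiable"
    if os.path.getsize(path) != size:
        return "mismatch"
    digests = {k: SUPPORTED[k]() for k in wanted}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    same = all(digests[k].hexdigest() == wanted[k] for k in wanted)
    return "match" if same else "mismatch"

def demo():
    """Constructed distfile and Manifest line: intact, then altered in place."""
    data = b"constructed distfile contents\n"
    manifest = "DIST example-1.0.tar.gz %d SHA256 %s SHA512 %s\n" % (
        len(data), hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(data)
        intact = verify_distfile(path, manifest)
        with open(path, "wb") as fh:
            fh.write(data[::-1])  # same size, different bytes
        return intact, verify_distfile(path, manifest)
```

A "match" means the flagged tarball is byte-identical to what the tree records, so the detection follows the distributed file rather than a local modification; a "mismatch" is the case that warrants a closer look at the machine.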
seminiva n00b
Joined: 16 Jun 2022 Posts: 1 Location: RF
Posted: Thu Jun 16, 2022 11:46 am Post subject:
eccerr0r wrote: | There's a distinct possibility that there's a false positive here... then again everyone who has libwww-perl-6.05.tar.gz may have the problem... I haven't tested this yet however...
Theoretically if the checksum on the tar.gz file matches the Gentoo repo, then emerging it again will still test positive. Try emerge -f libwww-perl and see if it downloads the same file again...
[EDIT]
I just freshclamed and scanned my copy of libwww-perl and there's no positive report on it... |
I also think this is a false positive. For example, on one of my sites, a report appeared in the hosting control panel that there are 11 files with possible problems. As a result, these turned out to be junk pages from the caching plugin, which for some reason were created so crookedly and were not deleted when the cache was rebuilt. |