Gentoo Forums
apr-util Xml.Exploit.CVE_2013_3860-3 FOUND
Zebbeman
n00b
Joined: 14 Jun 2003
Posts: 69

Posted: Fri Oct 14, 2016 2:25 pm    Post subject: apr-util Xml.Exploit.CVE_2013_3860-3 FOUND

Hello,
When I run clamscan on a new dev server I get a positive:
Code:
~ # clamscan /usr/portage/distfiles/apr-util-1.5.4.tar.bz2
/usr/portage/distfiles/apr-util-1.5.4.tar.bz2: Xml.Exploit.CVE_2013_3860-3 FOUND

Then I did:
Code:
~ # equery check apr-util
* Checking dev-libs/apr-util-1.5.4 ...
   57 out of 57 files passed

I also get this from chkrootkit:
Code:
~ # chkrootkit -q
fopen: No such file or directory
/bin/ls: cannot access write: No such file or directory
Possible Linux/Ebury - Operation Windigo installetd
Warning: Possible Slapper Worm installed (25851/sshd)

I found that ssh was checked with the old behavior of ssh -G regarding Linux/Ebury, so I am guessing that is okay.

What do I do next? Am I infected?
Apheus
Guru
Joined: 12 Jul 2008
Posts: 418

Posted: Fri Oct 14, 2016 2:39 pm

Seems to be just a unit test in the apr-util distfile, designed to test for exactly that vulnerability:

https://www.reddit.com/r/sysadmin/comments/4tx2ao/clamav_found_billionlaughsxml_exploit_cve_2013/

Edit: The chkrootkit outputs about Ebury and Slapper are completely unrelated, /me thinks. You should check them independently of the apr-util distfile.
_________________
My phrenologist says I'm stupid.
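As an added example (not code from this thread or from the apr-util project), here is a Python triage script that opens a source tarball in memory and reports which member declares nested XML entities of the kind the Xml.Exploit.CVE_2013_3860 signature matches, estimating the expanded size without ever expanding it, so a hit can be pinned to a test fixture instead of the whole distfile. The tarball, the member path pkg-1.0/test/data/entity-bomb.xml and the 100,000-byte threshold are constructed assumptions, not apr-util's real layout.

```python
import io
import re
import tarfile

ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')  # <!ENTITY name "body"> declarations
REF_RE = re.compile(r'&(\w+);')  # &name; references inside an entity body

def expansion_size(xml_text: str) -> int:
    """Largest fully expanded entity size in bytes, computed without expanding anything."""
    sizes = {}
    for name, body in ENTITY_RE.findall(xml_text):
        size = len(REF_RE.sub('', body))  # literal characters in the body
        size += sum(sizes.get(ref, 0) for ref in REF_RE.findall(body))  # earlier entities
        sizes[name] = size
    return max(sizes.values(), default=0)

def find_entity_bombs(tar_bytes: bytes, threshold: int = 100_000):
    """Return (member name, expanded size) for members whose entities expand past threshold."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode='r:*') as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read(1 << 20)  # inspect at most 1 MiB per member
            if b'<!ENTITY' not in data:
                continue
            size = expansion_size(data.decode('utf-8', 'replace'))
            if size >= threshold:
                hits.append((member.name, size))
    return hits

def build_sample_tarball() -> bytes:
    """Constructed stand-in for a distfile: a plain README plus a five-level nested-entity fixture."""
    decls, prev = ['<!ENTITY lol "lol">'], 'lol'
    for i in range(1, 6):  # each level references the previous one ten times: 3 * 10**5 bytes
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * 10}">')
        prev = f'lol{i}'
    doc = '<?xml version="1.0"?><!DOCTYPE lolz [' + ''.join(decls) + ']><lolz>&lol5;</lolz>'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:bz2') as tar:
        for name, text in [('pkg-1.0/README', 'plain file, no entities\n'),
                           ('pkg-1.0/test/data/entity-bomb.xml', doc)]:  # hypothetical path
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Running `find_entity_bombs(build_sample_tarball())` names only the fixture, which is the member to compare against the package's own test suite before treating the distfile as compromised.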
Zebbeman
n00b
Joined: 14 Jun 2003
Posts: 69

Posted: Fri Oct 14, 2016 3:29 pm

Thanks for your quick reply!

I saw that article and got stuck with Xml.Exploit.CVE_2013_3860-1 vs. Xml.Exploit.CVE_2013_3860-3 and was not sure it was the same (1 vs. 3). I could not identify slapper and I have checked ebury in every way with no trace of actual infection so I guess I am still partly concerned.

I will keep this open a while longer to see if anyone has any additional input.

Thanks!