maliceio / malice

VirusTotal Wanna Be - Now with 100% more Hipster
Apache License 2.0

Several plugins don't work #68

Closed unstppbl closed 5 years ago

unstppbl commented 5 years ago

Output of go version:

go version go1.10.3 linux/amd64

Output of docker version:

Client:
 Version:      18.05.0-ce-rc1
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   33f00ce
 Built:        Thu Apr 26 01:05:07 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.05.0-ce-rc1
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   33f00ce
  Built:        Thu Apr 26 01:08:54 2018
  OS/Arch:      linux/amd64
  Experimental: false

Output of docker info:

Containers: 23
 Running: 1
 Paused: 0
 Stopped: 22
Images: 39
Server Version: 18.05.0-ce-rc1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 773c489c9c1b21a6d78b5c538cd395416ec50f88
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.17.9-200.fc28.x86_64
Operating System: Fedora 28 (Twenty Eight)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.685GiB
Name: friday
ID: 5QP4:Z3UQ:TIGC:7P6K:74MB:IAET:BZAK:2GXG:BGNX:BUHU:4B63:X7LJ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, Docker For Mac, Docker Toolbox, docker-machine, etc.):

Steps to reproduce the issue:

  1. Install malice via rpm package
  2. Run elasticsearch with the command:
     docker run -d -p 9200:9200 --name malice-elastic -e ES_JAVA_OPTS="-Xms2g -Xmx2g" malice/elasticsearch
  3. Run malice scan shell.php

Describe the results you received:

╰$ malice scan shell.php
#### File
| Field  | Value                                                            |
| ------ | ---------------------------------------------------------------- |
| Name   | shell.php                                                        |
| Path   | shell.php                                                        |
| Size   | 24.72kB                                                          |
| MD5    | ea42a072eb9144794123989b7d2c9aee                                 |
| SHA1   | e844b8e24ce7d0ab7c50b3591189779c69705471                         |
| SHA256 | c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 |
#### VirusTotal
| Ratio      | Link         | API         | Scanned     |
|------------|--------------|-------------|-------------|
| 47% | [link](https://www.virustotal.com/file/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4/analysis/1509674703/) | Public | 2017-11-03 02:05:03 |

#### ShadowServer

 - Not found

#### NSRL Database
 - Not Found :question:

#### Yara
#### Magic
| Field       | Value                  |
|-------------|------------------------|
| Mime        | text/x-php        |
| Description | PHP script, ASCII text, with very long lines |

#### SSDeep
 - `768:nfPnl6REZCvSEa1fBodEs3m5ZVu7/7dXztH:NN1fBguYzfH`

#### TRiD
- Warning: file seems to be plain text/ASCII
- TrID is best suited to analyze binary files!
- 100.0% (.PHP) PHP source (5000/1)

#### Exiftool
| Field       | Value                |
|-------------|----------------------|
| error  | signal: killed        |

time="2018-08-01T05:30:39Z" level=fatal msg="exit status 150" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=avg
time="2018-08-01T05:30:46Z" level=fatal msg="exit status 2" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=avast
#### F-PROT
| Infected      | Result      | Engine      | Updated      |
|:-------------:|:-----------:|:-----------:|:------------:|
| false |  | 4.6.5.141 | 20180729 |

time="2018-08-01T05:31:03Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=windows_defender
time="2018-08-01T05:31:08Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=escan
time="2018-08-01T05:31:09Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=bitdefender
#### F-Secure
| Infected      | Result      | Engine      | Updated      |
|:-------------:|:-----------:|:-----------:|:------------:|
| false |  |  |  |

time="2018-08-01T05:31:22Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=clamav
#### Comodo
| Infected      | Result      | Engine      | Updated      |
|:-------------:|:-----------:|:-----------:|:------------:|
| true | Malware | 1.1 | 20180729 |

time="2018-08-01T05:31:28Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=sophos

Describe the results you expected: As you can see, several plugins got killed.

Additional information you deem important (e.g. issue happens only occasionally): Sometimes the scan process even

blacktop commented 5 years ago

It is strange that it is saying it got a `signal: killed` error on a lot of them.

Did you Ctrl+C malware while it was scanning?

It also looks like you might have a lot of stopped containers (from when you were running with elasticsearch being down).

You can clean up the stopped containers by running: `docker container prune`

blacktop commented 5 years ago

Can you clarify what you mean by "Sometimes the scan process even"?

unstppbl commented 5 years ago

Sorry, "Sometimes the scan process even" is not meant to be in the issue :)

I didn't do Ctrl+C.

Cleaned all the stopped containers and ran scan again:

#### File
| Field  | Value                                                            |
| ------ | ---------------------------------------------------------------- |
| Name   | shell.php                                                        |
| Path   | shell.php                                                        |
| Size   | 24.72kB                                                          |
| MD5    | ea42a072eb9144794123989b7d2c9aee                                 |
| SHA1   | e844b8e24ce7d0ab7c50b3591189779c69705471                         |
| SHA256 | c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 |
#### NSRL Database
 - Not Found :question:

#### VirusTotal
| Ratio      | Link         | API         | Scanned     |
|------------|--------------|-------------|-------------|
| 47% | [link](https://www.virustotal.com/file/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4/analysis/1509674703/) | Public | 2017-11-03 02:05:03 |

time="2018-08-02T05:10:25Z" level=fatal msg="failed to index malice/shadow_server results: failed to update sample with id: tV8L-WQBFaNqWmQ-DEv-: elastic: Error 409 (Conflict): [samples][tV8L-WQBFaNqWmQ-DEv-]: version conflict, current version [3] is different than the one provided [2] [type=version_conflict_engine_exception]" category=intel hash=e844b8e24ce7d0ab7c50b3591189779c69705471 plugin=shadow_server
#### Yara
#### Magic
| Field       | Value                  |
|-------------|------------------------|
| Mime        | text/x-php        |
| Description | PHP script, ASCII text, with very long lines |

#### SSDeep
 - `768:nfPnl6REZCvSEa1fBodEs3m5ZVu7/7dXztH:NN1fBguYzfH`

#### TRiD
- Warning: file seems to be plain text/ASCII
- TrID is best suited to analyze binary files!
- 100.0% (.PHP) PHP source (5000/1)

#### Exiftool
| Field       | Value                |
|-------------|----------------------|
| error  | signal: killed        |

time="2018-08-02T05:11:37Z" level=fatal msg="exit status 2" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=avast
time="2018-08-02T05:12:00Z" level=fatal msg="exit status 150" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=avg
time="2018-08-02T05:12:03Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=clamav
2018/08/02 05:12:05 signal: killed
time="2018-08-02T05:12:08Z" level=fatal msg="failed to index malice/fprot results: failed to update sample with id: tV8L-WQBFaNqWmQ-DEv-: elastic: Error 409 (Conflict): [samples][tV8L-WQBFaNqWmQ-DEv-]: version conflict, current version [6] is different than the one provided [5] [type=version_conflict_engine_exception]" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=fprot
#### F-Secure
| Infected      | Result      | Engine      | Updated      |
|:-------------:|:-----------:|:-----------:|:------------:|
| false |  |  |  |

time="2018-08-02T05:12:09Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=bitdefender
time="2018-08-02T05:12:09Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=escan
time="2018-08-02T05:12:21Z" level=fatal msg="failed to index malice/windows-defender results: failed to update sample with id: tV8L-WQBFaNqWmQ-DEv-: elastic: Error 409 (Conflict): [samples][tV8L-WQBFaNqWmQ-DEv-]: version conflict, current version [6] is different than the one provided [5] [type=version_conflict_engine_exception]" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=windows_defender
time="2018-08-02T05:12:27Z" level=fatal msg="signal: killed" category=av path=/malware/c213374cc1914f28bc3ff3cacbc6d30b6fd4a2c6c3b0e2f5d449268f1400feb4 plugin=sophos
blacktop commented 5 years ago

It might be that you do not have enough resources in your VM to run malice. It requires a lot of RAM because of elasticsearch.

Please reopen if that is not the issue.

changemenemo commented 5 years ago

6G of RAM for a 30MB pdf. Don't know if the size of the file has anything to do with it, but so you know. Still a 409 error with virustotal:

time="2018-11-29T00:45:02Z" level=fatal msg="failed to index malice/virustotal results: failed to update sample with id: RYrtXGcBjIpm6xqHErD5: elastic: Error 409 (Conflict): [samples][RYrtXGcBjIpm6xqHErD5]: version conflict, current version [2] is different than the one provided [1] [type=version_conflict_engine_exception]" category=intel hash= plugin=virustotal
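The `Error 409 (Conflict)` lines in this thread are Elasticsearch rejecting an update whose version is stale: every plugin writes its result into the same sample document (the same `id` appears in the shadow_server, fprot and windows_defender failures), so plugins that finish close together race on its version. The Go program below is an added illustration, not code from malice or its Elasticsearch client; it models the `samples` index with a constructed in-memory store that enforces the same version check, and shows why a single attempt loses all but the first writer while re-reading the version and retrying on conflict indexes every result.

```go
package main

import "fmt"

// Sample is the per-file document every plugin writes its result into.
type Sample struct {
	Version int
	Results []string // "plugin: result" entries, in the order they were indexed
}

// Store is a constructed stand-in for the "samples" index: an update is accepted
// only when the writer's version matches the stored one (optimistic concurrency).
type Store struct{ docs map[string]Sample }

func NewStore() *Store                 { return &Store{docs: map[string]Sample{}} }
func (s *Store) Version(id string) int { return s.docs[id].Version }

// Update merges one plugin result, or rejects a stale writer with the same
// 409 version_conflict_engine_exception wording Elasticsearch uses.
func (s *Store) Update(id string, version int, plugin, result string) error {
	cur := s.docs[id]
	if cur.Version != version {
		return fmt.Errorf("elastic: Error 409 (Conflict): current version [%d] is different than the one provided [%d]", cur.Version, version)
	}
	cur.Results = append(cur.Results, plugin+": "+result)
	cur.Version++
	s.docs[id] = cur
	return nil
}

type PluginResult struct{ Plugin, Result string }

// IndexResults models plugins launched in parallel: all read the version once, up front,
// then report as they finish. With retries == 0 only the first writer wins and the rest
// get 409, as in the issue; with retries > 0 a conflicted writer re-reads and tries again.
func IndexResults(s *Store, id string, results []PluginResult, retries int) (indexed, conflicts int) {
	seen := s.Version(id) // version snapshot shared by all "concurrent" plugins
	for _, r := range results {
		version := seen
		for attempt := 0; attempt <= retries; attempt++ {
			if err := s.Update(id, version, r.Plugin, r.Result); err == nil {
				indexed++
				break
			}
			conflicts++
			version = s.Version(id) // refresh the stale version before retrying
		}
	}
	return indexed, conflicts
}
```

With three plugins reporting against one sample, `IndexResults(..., 0)` indexes only one result and logs two conflicts, whereas `IndexResults(..., 3)` indexes all three after the same two conflicts.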