search

owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0
8.38k stars 2.05k forks source link

Maleware Detect after Upgrade #10202

Closed Thomanji closed 10 years ago

Thomanji commented 10 years ago

Hi,

After upgrading to 7.0.1 I got a message from Linux Malware Detect v1.4.2 that there is a male-ware on the install on my system. Are these files below legit or is is in dead a male ware?

malware detect scan report for web-528194.dmni.net: SCAN ID: 080614-0318.3050 TIME: Aug 6 03:19:20 -0400 PATH: /var/www/html RANGE: 2 days TOTAL FILES: 10260 TOTAL HITS: 7 TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 080614-0318.3050 FILE HIT LIST: {SA}stat.strlength : /var/www/html/owncloud/3rdparty/zxcvbn/js/zxcvbn.min.js {SA}stat.strlength : /var/www/html/owncloud/3rdparty/Patchwork/PHP/Shim/charset/from.cp950.ser {SA}stat.strlength : /var/www/html/owncloud/3rdparty/Patchwork/PHP/Shim/charset/from.cp936.ser {SA}stat.strlength : /var/www/html/owncloud/3rdparty/Patchwork/PHP/Shim/charset/from.big5.ser {SA}stat.strlength : /var/www/html/owncloud/3rdparty/Patchwork/PHP/Shim/charset/from.cp949.ser {SA}stat.strlength : /var/www/html/owncloud/apps/files_texteditor/js/vendor/ace/src-noconflict/mode-xquery.js

{SA}stat.strlength : /var/www/html/owncloud/apps/files_texteditor/js/vendor/ace/src-noconflict/mode-jsoniq.js

Linux Malware Detect v1.4.2 < proj@rfxn.com >

KKyang commented 10 years ago

Is this confirm or not? My IP just being blocked cause of UDP: Host Sweep. Just to make sure if it is this problem or other problems. @karlitschek @DeepDiver1975

DeepDiver1975 commented 10 years ago

@LukasReschke can you please have a look? THX

LukasReschke commented 10 years ago

As far I can see from the "Linux Malware Detect" script available from https://github.com/rfxn/linux-malware-detect the warning "stat.strlength" is caused by having a long uninterrupted string in a file. (see https://github.com/rfxn/linux-malware-detect/blob/b7e86d19f000417c1ec42b3ddb569a0edc5fbf92/files/conf.maldet#L227)

Detecting potential malicious files based on the length strings is very error prone. This is therefore very likely a false positive. You can verify this yourself by comparing the hash sums (e.g. md5) of the files on your file-system and then the one in the release from owncloud.org. If those matches you have no reason to worry, if not please upload a copy of those files somewhere and post the link to them here.

KKyang commented 10 years ago

Thanks!

Thomanji commented 10 years ago

Thank you for the support.