[clamav-users] [Fwd: [sanesecurity] Hacking Team detection]

Gene Heskett gheskett at wdtv.com
Fri Aug 7 12:25:42 EDT 2015


On Friday 07 August 2015 09:48:37 Bowie Bailey wrote:

> On 8/7/2015 9:20 AM, Gene Heskett wrote:
> > On Friday 07 August 2015 04:46:31 Steve Basford wrote:
> >> Just in case it's useful...
> >>
> >> ---------------------------- Original Message ----------------------------
> >> Subject: [sanesecurity] Hacking Team detection
> >> From:    "Steve Basford" <steveb_clamav at sanesecurity.com>
> >> Date:    Fri, August 7, 2015 9:43 am
> >> To:      sanesecurity_announce at freelists.org
> >> Cc:      sanesecurity at freelists.org
> >> --------------------------------------------------------------------------
> >>
> >> Rook Security (www.rooksecurity.com) have analysed the recent
> >> Hacking Team data dump (400GB) and produced a utility to scan
> >> systems for these files.
> >>
> >> Sanesecurity have converted the 435 hashes from their analysis into
> >> ClamAV database format.
> >>
> >> With Rook Security’s permission, I’ve placed a new database:
> >>
> >> hackingteam.hsb
> >>
> >> on the mirrors for distribution.
> >>
> >> Note the hashes are for Windows, Linux and Mac OS X systems.
> >
> > Steve:
> > Thank you, but for those of us who haven't played with our
> > configuration for quite a while, as it's been Just Working(TM) for a
> > year or more, a pointer to a URL showing how to incorporate this
> > into the working configs we have would be appropriate.
>
> If you are already using some of Sanesecurity's signatures, take a
> look at the update scripts you are currently using and add
> hackingteam.hsb to the list of databases.
>
> If not, take a look here for some scripts you can use to get the
> databases: http://sanesecurity.com/usage/linux-scripts/
>
> hackingteam.hsb is probably not in the config for those scripts yet,
> so you'll have to add it.

I have not been able to find a list of subfiles, just a couple of mirror 
links in my freshclam.conf. So I have a tail on the freshclam.log, and 
I have changed AllowSupplementaryGroups from false to true in my 
freshclam.conf, and then changed it back to false after reading the man page.

We'll see what it logs when it next runs. Since I am a freeloader and 
an extreme senior citizen on SS for income, I slowed my freshclam down to 
12x a day, so it will be nearly 2 hours before I see that result. I have 
even considered lowering that to 4x a day just to save the mirrors' bandwidth.  
And just did.

I added it to /etc/clamav/freshclam.conf as:

ExtraDatabase hackingteam.hsb

after consulting the man page; it wasn't mentioned in the default 
freshclam.conf at all. But on a restart of /etc/init.d/clamav-freshclam,
neither the plain name nor the .hsb version is found, as something is 
adding an additional .cvd to the name in the fetch command.  
It logged this:

Fri Aug  7 12:19:35 2015 -> freshclam daemon 0.98.7 (OS: linux-gnu, ARCH: i386, CPU: i486)
Fri Aug  7 12:19:35 2015 -> ClamAV update process started at Fri Aug  7 12:19:35 2015
Fri Aug  7 12:19:35 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug  7 12:19:35 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug  7 12:19:35 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug  7 12:19:35 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 194.8.197.22)
Fri Aug  7 12:19:35 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug  7 12:19:36 2015 -> Trying again in 5 secs...
Fri Aug  7 12:19:41 2015 -> ClamAV update process started at Fri Aug  7 12:19:41 2015
Fri Aug  7 12:19:41 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug  7 12:19:41 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug  7 12:19:41 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug  7 12:19:41 2015 -> Trying host db.us.clamav.net (128.199.133.36)...
Fri Aug  7 12:19:41 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 128.199.133.36)
Fri Aug  7 12:19:41 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug  7 12:19:41 2015 -> Trying again in 5 secs...
Fri Aug  7 12:19:46 2015 -> ClamAV update process started at Fri Aug  7 12:19:46 2015
Fri Aug  7 12:19:46 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug  7 12:19:46 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug  7 12:19:46 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug  7 12:19:47 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 69.163.100.14)
Fri Aug  7 12:19:47 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug  7 12:19:47 2015 -> Trying again in 5 secs...
Fri Aug  7 12:19:52 2015 -> ClamAV update process started at Fri Aug  7 12:19:52 2015
Fri Aug  7 12:19:52 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug  7 12:19:52 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug  7 12:19:52 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug  7 12:19:52 2015 -> Trying host db.us.clamav.net (69.12.162.28)...
Fri Aug  7 12:19:52 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 69.12.162.28)
Fri Aug  7 12:19:52 2015 -> WARNING: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug  7 12:19:52 2015 -> Trying again in 5 secs...
Fri Aug  7 12:19:57 2015 -> ClamAV update process started at Fri Aug  7 12:19:57 2015
Fri Aug  7 12:19:57 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug  7 12:19:57 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug  7 12:19:57 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug  7 12:19:57 2015 -> Trying host db.us.clamav.net (198.148.78.4)...
Fri Aug  7 12:19:57 2015 -> WARNING: getfile: hackingteam.hsb.cvd not found on remote server (IP: 198.148.78.4)
Fri Aug  7 12:19:57 2015 -> ERROR: Can't download hackingteam.hsb.cvd from db.us.clamav.net
Fri Aug  7 12:19:58 2015 -> Giving up on db.us.clamav.net...
Fri Aug  7 12:19:58 2015 -> ClamAV update process started at Fri Aug  7 12:19:58 2015
Fri Aug  7 12:19:58 2015 -> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Fri Aug  7 12:19:58 2015 -> daily.cld is up to date (version: 20769, sigs: 1511910, f-level: 63, builder: neo)
Fri Aug  7 12:19:58 2015 -> bytecode.cld is up to date (version: 266, sigs: 47, f-level: 63, builder: anvilleg)
Fri Aug  7 12:19:58 2015 -> ERROR: Can't download hackingteam.hsb.cvd from database.clamav.net
Fri Aug  7 12:19:58 2015 -> Giving up on database.clamav.net...
Fri Aug  7 12:19:58 2015 -> Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
Fri Aug  7 12:19:58 2015 -> --------------------------------------

It may be that it has not made it to the U.S. mirrors yet.  Or that I 
have no clue what I am doing.  Please correct me in that event.

Thank you all.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
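The log above shows why ExtraDatabase cannot pull a Sanesecurity file: freshclam appends ".cvd" to whatever name it is given and asks the official ClamAV mirrors for it, which is what Bowie's advice to use a separate update script works around. The script below is an added example for this thread, not code from the list, from ClamAV or from Sanesecurity. It checks a freshclam.conf for ExtraDatabase entries that carry a file extension, validates the records of a third-party .hsb file (hash of 40 or 64 hex characters, size or "*", name, optional functionality level; the "*" size needs level 73 in this ClamAV generation) and copies a valid file atomically into the database directory. The file names, directory and hashes in the demo section are constructed placeholders, not real indicators, and the format rules are my reading of the .hsb record layout, not taken from the thread.

```sh
#!/bin/sh
# Added example, not code from this thread, ClamAV or Sanesecurity: validate a
# third-party hash database before dropping it into the ClamAV database
# directory, and flag freshclam.conf entries that try to fetch such a file
# through ExtraDatabase (freshclam appends ".cvd" and asks the official mirrors,
# as the "hackingteam.hsb.cvd not found" warnings in the log show).
set -u

# One .hsb record: SHA1 (40 hex) or SHA256 (64 hex) hash, file size in bytes
# or "*" for any size, signature name, optional minimum functionality level.
HSB_RE='^([0-9a-fA-F]{40}|[0-9a-fA-F]{64}):([0-9]+|\*):[^:]+(:[0-9]+)?$'

# validate_hsb FILE: report every malformed record on stderr; return 1 if any.
validate_hsb() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
        if ! printf '%s\n' "$line" | grep -Eq "$HSB_RE"; then
            printf 'malformed record in %s: %s\n' "$1" "$line" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# check_freshclam_conf FILE: ExtraDatabase takes a bare name served by the
# ClamAV mirrors (e.g. "safebrowsing"); a name with an extension such as
# hackingteam.hsb can never be fetched that way. Return 1 if one is found.
check_freshclam_conf() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ExtraDatabase*)
                name=$(printf '%s' "${line#ExtraDatabase}" | tr -d ' \t')
                case "$name" in
                    *.*)
                        printf 'ExtraDatabase %s: freshclam would request %s.cvd from the mirrors; fetch third-party databases with a separate update script instead\n' "$name" "$name" >&2
                        found=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$found"
}

# install_db FILE DBDIR: validate, then copy atomically into the database
# directory; clamd picks the new file up on its next reload (clamdscan --reload).
install_db() {
    validate_hsb "$1" || return 1
    tmp="$2/.$(basename "$1").tmp"
    cp "$1" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$2/$(basename "$1")"
}

# Constructed demo data; the hashes are placeholders, not real indicators.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' \
    '# constructed sample, not the real hackingteam.hsb' \
    '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:1024:Sanesecurity.Demo.Ok-1.UNOFFICIAL' \
    'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef:*:Sanesecurity.Demo.Ok-2.UNOFFICIAL:73' \
    > "$demo/good.hsb"
printf '%s\n' 'not-a-hash:12:Broken' > "$demo/bad.hsb"
printf '%s\n' 'DatabaseMirror db.us.clamav.net' 'ExtraDatabase hackingteam.hsb' > "$demo/freshclam.conf"
mkdir "$demo/db"

install_db "$demo/good.hsb" "$demo/db" && echo "installed: $(ls "$demo/db")"
validate_hsb "$demo/bad.hsb" || echo "rejected bad.hsb"
check_freshclam_conf "$demo/freshclam.conf" || echo "freshclam.conf needs fixing"
```

In a real deployment the install step sits at the end of whatever fetch script pulls the file from the Sanesecurity mirrors, and the ExtraDatabase line for the third-party file is simply removed from freshclam.conf, since freshclam has no role in distributing it.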
