[clamav-users] More FP: Unix.Dropper.Mirai-7540607-0

demonduck demonduck at sourcefire.com
Wed Feb 5 14:29:38 UTC 2020


Mikael, can you provide the hash and/or VirusTotal link for the
`/opt/netdata/bin/srv/netdata` sample?

Thanks,
demonduck


On Wed, Feb 5, 2020 at 9:01 AM Mikael Bak <mikael.bak at techteamer.com> wrote:

> Hi list,
>
> I found another signature in the daily.ldb that needs to be removed, I
> think.
>
> Scan results on all our servers running Netdata:
> /opt/netdata/bin/srv/netdata: Unix.Dropper.Mirai-7540607-0 FOUND
>
> Found it in daily.ldb like this:
>
> Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;557365722d4167656e743a2025732f2573;4e6f206368696c642070726f63657373;436f6e6e656374696f6e207265736574206279206e6574776f726b;4e6f74206120736f636b6574;536f636b6574206e6f7420636f6e6e6563746564
>
> Searching the netdata binary for the above hex values gives me these
> strings:
>
> User-Agent: %s/%s
> No child process
> Connection reset by network
> Not a socket
> Socket not connected
>
> I think this rule should also be removed.
>
> Best regards,
> Mikael Bak
>
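
The check described in the quoted message, as an added example that is not part of the original thread and is not ClamAV code: it splits the `daily.ldb` line into its fields, decodes the hex subsignatures to the strings listed above, and evaluates the `0&1&2&3&4` expression against a buffer. The helper names and the `BENIGN` buffer are constructed for illustration, and only plain hex subsignatures and AND-only expressions are handled.

```python
import re

# Signature line copied from the post (daily.ldb entry).
SIG = ("Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;"
       "557365722d4167656e743a2025732f2573;"
       "4e6f206368696c642070726f63657373;"
       "436f6e6e656374696f6e207265736574206279206e6574776f726b;"
       "4e6f74206120736f636b6574;"
       "536f636b6574206e6f7420636f6e6e6563746564")


def parse_ldb(line):
    """Split an .ldb line into name, target block, expression, byte patterns.

    Only plain hex subsignatures are handled; wildcards, offsets and
    modifiers raise ValueError.
    """
    name, tdb, expr, *subs = line.strip().split(";")
    for s in subs:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
            raise ValueError("unsupported subsignature: " + s)
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    return name, target, expr, [bytes.fromhex(s) for s in subs]


def evaluate(line, data):
    """Return (matched, hits) for an AND-only logical expression."""
    name, target, expr, pats = parse_ldb(line)
    if not re.fullmatch(r"\d+(?:&\d+)*", expr):
        raise ValueError("only AND-only expressions are handled: " + expr)
    hits = {i: p in data for i, p in enumerate(pats)}
    return all(hits[int(i)] for i in expr.split("&")), hits


# Constructed sample: a harmless buffer that carries the five strings from
# the post, to show that their presence alone satisfies the expression.
BENIGN = b"\x7fELF" + b"\0".join([
    b"User-Agent: %s/%s", b"No child process", b"Connection reset by network",
    b"Not a socket", b"Socket not connected", b"netdata"])

if __name__ == "__main__":
    name, target, expr, pats = parse_ldb(SIG)
    print(name, target, expr)
    for i, p in enumerate(pats):
        print(i, p.decode("ascii"))
    print(evaluate(SIG, BENIGN))
```

Running the same `evaluate` call on the bytes of a flagged file shows which subsignatures are present, which is useful detail to attach to a false-positive report alongside the file hash.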