Mikael can you provide the hash and/or virustotal link for the `/opt/netdata/bin/srv/netdata` sample?

Thanks,
demonduck


On Wed, Feb 5, 2020 at 9:01 AM Mikael Bak <mikael.bak@techteamer.com> wrote:
Hi list,

I found another signature in the daily.ldb that needs to be removed, I think.

Scan results on all our servers running Netdata:
/opt/netdata/bin/srv/netdata: Unix.Dropper.Mirai-7540607-0 FOUND

Found it in daily.ldb like this:
Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;557365722d4167656e743a2025732f2573;4e6f206368696c642070726f63657373;436f6e6e656374696f6e207265736574206279206e6574776f726b;4e6f74206120736f636b6574;536f636b6574206e6f7420636f6e6e6563746564

Searching the netdata binary for the above hex values give me these strings:

User-Agent: %s/%s
No child process
Connection reset by network
Not a socket
Socket not connected

I think this rule should also be removed.

Best regards,
Mikael Bak

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml