System infected

[freezr]

I read about an SSH vulnerability on the Devuan forum:

[devuan-dev] bug#858: Detection of ebury malware in debuan system

And I tried the test on FreeBSD too:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

And I got:

System infected

?

Should we be concerned?

?

 

[ralphbsz]

Wrong. Modern ssh versions have -G as a valid flag, and don't print an error message about it any longer. I think the web page that warns about this must be old or ancient.

 

[fmc000]

From ssh(1):

     -G      Causes ssh to print its configuration after evaluating Host and
             Match blocks and exit.

 

[daridro]

I suggest to harden your configuration by following these instructions: ssh-hardening

 

[iRobbery]

perhaps also useful

SSH Configuration Auditor

www.sshaudit.com

 

[Emrion]

This malware is for linux, not FreeBSD. I doubt the coders had time to adapt it. They already fight each day against the detection methods.

By the way, I'm also infected. ?

It seems that openssh 6.7 is old. And the article tells that doesn't work for newer openssh versions.

$ ssh -V
OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023

(14.0-RELEASE not updated)

This explains that.

 

[VladiBG]

An SSH connection enabling the Ebury backdoor contains hexadecimal-encoded data (for Ebury before version 1.7) or base64-encoded data (for Ebury version 1.7 and later, first seen in 2019). Since version 1.8, spaces are ignored. Here are three examples of malicious client identification strings:

• SSH-2.0-b479ec723a2ba590d6c4a0bf40f4ba
• SSH-2.0-XDbxdCP/G9Dcd1qDCE+t
• SSH-2.0-FcZpUkMuIY 2MfBBDvOJdFBTFUw==

malware-ioc/windigo/README.adoc at master · eset/malware-ioc

Indicators of Compromises (IOC) of our various investigations - eset/malware-ioc

github.com