
#1 2024-04-18 14:21:37

foudfou
Member
Registered: 2011-08-25
Posts: 5

Have I been hacked?

Some scanner reported these files as malicious:

/usr/bin/kmod (kmod package) https://www.virustotal.com/gui/file/9b4 … fcf68879fc
/usr/bin/go (go package) https://www.virustotal.com/gui/file/4b2 … 603bee9798
/usr/lib/go/pkg/tool/linux_amd64/link (go package) https://www.virustotal.com/gui/file/e5b … 7f36497842

Hashes match on multiple Arch machines of mine.

Are these false positives?


#2 2024-04-18 15:39:32

c00ter
Member
From: Alaskan in Washington State
Registered: 2014-08-28
Posts: 396

Re: Have I been hacked?

Dunno if you've been hacked but I have *never* seen a virus scanner that did not produce false positives in Linux.


UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn


#3 2024-04-18 16:55:01

d_fajardo
Member
Registered: 2017-07-28
Posts: 1,571

Re: Have I been hacked?

Some scanner reported these files as malicious:

Which scanner are we talking about?


#4 2024-04-18 17:16:24

loqs
Member
Registered: 2014-03-06
Posts: 17,481

Re: Have I been hacked?


#5 2024-04-18 17:45:25

Mrkd1904
Member
Registered: 2023-11-08
Posts: 57

Re: Have I been hacked?

Not sure what you're seeing. But the post and subsequent thread got deleted.


#6 2024-04-18 17:49:04

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,992

Re: Have I been hacked?

Not sure what you're seeing, but the linked thread was not deleted - I rather moved it into the TGN subforum.


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }


#7 2024-04-18 19:03:35

Mrkd1904
Member
Registered: 2023-11-08
Posts: 57

Re: Have I been hacked?

schard wrote:

Not sure what you're seeing, but the linked thread was not deleted - I rather moved it into the TGN subforum.

Well, without any type of notification i was simply seeing it was not there.


#8 2024-04-18 20:21:32

seth
Member
Registered: 2012-09-03
Posts: 51,836

Re: Have I been hacked?

You're getting mails notifications for threads you're subscribed to and you get autosubscribed to your own thread and schard posted when he moved the thread…

@d_fajardo, from the links I'd say virustotal and yes, those are most likely false positives.

@foudfou
Virus scanners are no black magic, they look for something that looks like suspicious byte patterns and they generally struggle A LOT with ELF binaries because they're heavily biased toward Windows binaries (cause that's still where the vast majority of all malware is, specifically the known one)
https://www.google.com/search?q=virusto … tives#ip=1

If you want to know whether *you* have been hacked
1st of all don't boot the installed system, you want to inspect it offline from a guaranteed (well, as much as possible) clean system (live distro, if there's a root kit in your UEFI you're fucked, though)
2nd compare the hashes of the "suspicious" files with those downloaded from a server on said clean system, after making sure that the package signature is correct
3rd if they're the same, you haven't been hacked - we all have. Or your virus scanner provided a false positive.

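The offline check seth describes above (verify the downloaded package's signature, then compare the installed files against the package's copies from a clean live system), as an added example script that is not from this thread. The package path, the mount point of the suspect system and the helper names are assumptions; it assumes pacman-key and tar on the live system.

```shell
#!/bin/sh
# Added example: compare files shipped in a freshly downloaded pacman package
# against the copies installed on a suspect system that is mounted (not booted)
# under $ROOT, e.g. from a live ISO. Assumed layout: $PKG is a pacman archive
# (*.pkg.tar.zst or a plain tar) and $PKG.sig sits next to it.

# Step 1: refuse to trust the downloaded package until its detached signature
# verifies against the live system's pacman keyring.
verify_pkg_sig() {
    pacman-key --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Step 2: extract the package and print one line per packaged file, in the
# form "<status> <path>" with status OK, DIFF (hash mismatch) or MISSING.
compare_pkg_to_root() {
    pkg=$1; root=$2
    tmp=$(mktemp -d) || return 2
    tar -xf "$pkg" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    # -type f skips symlinks such as /usr/bin/go -> /usr/lib/go/bin/go; the
    # link target is a regular file in the package and gets compared instead.
    find "$tmp" -type f \
        ! -name .PKGINFO ! -name .MTREE ! -name .BUILDINFO ! -name .INSTALL \
        ! -name .CHANGELOG -print | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$tmp"/}
        if [ ! -e "$root/$rel" ]; then
            printf 'MISSING /%s\n' "$rel"
        elif [ "$(sha256sum <"$f" | cut -d' ' -f1)" = \
               "$(sha256sum <"$root/$rel" | cut -d' ' -f1)" ]; then
            printf 'OK /%s\n' "$rel"
        else
            printf 'DIFF /%s\n' "$rel"
        fi
    done
    rm -rf "$tmp"
}

# Number of packaged files whose installed copy is not byte-identical.
count_mismatches() {
    compare_pkg_to_root "$1" "$2" | grep -vc '^OK ' || true
}

# Typical use on the live system (paths are placeholders):
#   verify_pkg_sig ./kmod-32-1-x86_64.pkg.tar.zst || exit 1
#   compare_pkg_to_root ./kmod-32-1-x86_64.pkg.tar.zst /mnt/suspect
```

A DIFF or MISSING line is only a lead: it can also come from a rebuilt package version, so compare the exact version pacman.log says was installed.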

#9 2024-04-19 02:19:54

Mrkd1904
Member
Registered: 2023-11-08
Posts: 57

Re: Have I been hacked?

foudfou wrote:

Some scanner reported these files as malicious:

/usr/bin/kmod (kmod package) https://www.virustotal.com/gui/file/9b4 … fcf68879fc
/usr/bin/go (go package) https://www.virustotal.com/gui/file/4b2 … 603bee9798
/usr/lib/go/pkg/tool/linux_amd64/link (go package) https://www.virustotal.com/gui/file/e5b … 7f36497842

Hashes match on multiple Arch machines of mine.

Are these false positives?

For the record /usr/bin/kmod (https://www.virustotal.com/gui/file/9b4 … fcf68879fc) is on my system as well and is also popping as malicious on VT. When I get the time, most likely this weekend, I'm going to drill down into the code to try and figure out which functions are tripping these detections.

Per the go binary - for posterity throw your /usr/lib/libgo.so.* at virustotal and see what it spits out. Also the same if you have it in /usr/lib32.

@seth - and I got said email, which contained a link to nowhere, because he moved the thread. The email notifications don't contain any content, just that someone had posted.

Last edited by Mrkd1904 (2024-04-19 02:23:01)


#10 2024-04-19 06:45:15

seth
Member
Registered: 2012-09-03
Posts: 51,836

Re: Have I been hacked?

Check the privacy settings in your profile to get the post as mail body


#11 2024-04-19 07:42:32

Outswayer
Member
Registered: 2023-03-14
Posts: 9

Re: Have I been hacked?

Just to add for anyone not aware - TGN is not visible when not logged in, at least that was something that surprised me. The post might appear deleted when trying to view it without logging in.

Last edited by Outswayer (2024-04-19 07:42:42)


#12 2024-04-19 11:25:21

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Have I been hacked?

Bold added by me... The TGN subforum is a way to maintain the high quality of the forums in search results. By making it accessible only to logged in users, we prevent search engines from being able to index it.

If a topic you are posting in has been moved to this forum, consider it a slap on the wrist for ineffective discussion. Our hope is that people will think twice about whether or not their posts are truly useful before posting or will realize that the topic has been discussed to death and will either choose between letting it lie or taking action.

Please note topics moved to this forum are not locked or deleted; they are moved here in recognition of the fact that they are literally going nowhere. As this board is not indexed by search engines, it means that discussion can continue, but will not appear in future searches to clutter results with timebound or otherwise irrelevant threads.


#13 2024-04-20 05:57:28

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

I took a quick look at my system here. This system only installs files from the official Arch repos and that's it; I don't use the AUR and I don't install things from other sources or other places, and all three files you mentioned, when I got the hashes for those on this system here, match the infected files being shown in VirusTotal.

I would tend to think they are false positives as well, but it would be nice to know for sure what's going on and what's triggering the VirusTotal scanners. Each file is being detected by more than a dozen different virus scanners.

Looking at the create date/time of the files (Go and Kmod), they match up date- and time-wise with the pacman.log for when they were last updated.

The SHA1 hash for Kmod is: f04c2aa9147f557fba2fcf35d66493d02ae410e4
The SHA1 hash for Go is: a0f12dae5637febcd66e31137e86d1490c38bf9a
The SHA1 hash for Link is: 7a0058601211e1038c9a59cf6837755fcc8eb016


#14 2024-04-20 07:07:30

seth
Member
Registered: 2012-09-03
Posts: 51,836

Re: Have I been hacked?

seth wrote:

Virus scanners are no black magic, they look for something that looks like suspicious byte patterns and they generally struggle A LOT with ELF binaries because they're heavily biased toward Windows binaries (cause that's still where the vast majority of all malware is, specifically the known one)
https://www.google.com/search?q=virusto … tives#ip=1

If you want to know what byte pattern specifically, you'll have to check what the virus scanner snake oil overhyped grep actually pretends to have found.
As an example of how ridiculously easily these things go off: https://github.com/gopasspw/gopass/pull … 5152e73L69

The scanner figured that "ct := http.DetectContentType(in)" constituted malware.


#15 2024-04-20 14:38:33

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

This morning I checked the previous version of Kmod and Go on VirusTotal, and VirusTotal is showing lots of positives for viruses on Go; however Kmod comes back clean for the older version.


#16 2024-04-20 14:51:00

loqs
Member
Registered: 2014-03-06
Posts: 17,481

Re: Have I been hacked?

NewArchUser0001 wrote:

This morning I checked the previous version of Kmod and Go on VirusTotal, and VirusTotal is showing lots of positives for viruses on Go; however Kmod comes back clean for the older version.

What exact package versions were those?


#17 2024-04-20 15:03:08

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

loqs wrote:
NewArchUser0001 wrote:

This morning I checked the previous version of Kmod and Go on VirusTotal, and VirusTotal is showing lots of positives for viruses on Go; however Kmod comes back clean for the older version.

What exact package versions were those?

Kmod 31-1
Go 2:1.22.1-1

Now these are the older packages that pacman saves, and so I extracted the GO program from that package and it has the same hash as the current one that's reporting the infections, so I guess something else changed in the Go package that pacman downloaded that wasn't the main program, and hence the update to the newer version of the package.

As for Kmod though, that does show up clean for version 31-1 and we are on Kmod 32-1.


#18 2024-04-20 15:10:13

loqs
Member
Registered: 2014-03-06
Posts: 17,481

Re: Have I been hacked?

NewArchUser0001 wrote:
loqs wrote:
NewArchUser0001 wrote:

This morning I checked the previous version of Kmod and Go on VirusTotal, and VirusTotal is showing lots of positives for viruses on Go; however Kmod comes back clean for the older version.

What exact package versions were those?

Kmod 31-1
Go 2:1.22.1-1

Now these are the older packages that pacman saves, and so I extracted the GO program from that package and it has the same hash as the current one that's reporting the infections, so I guess something else changed in the Go package that pacman downloaded that wasn't the main program, and hence the update to the newer version of the package.

/usr/bin/go is a symlink to /usr/lib/go/bin/go.  The sha256sum for /usr/lib/go/bin/go from go 2:1.22.1-1 is f8b5a58c0f88dd94908056ab9f0332fb6534ceae38bf226e89dc1edee6f48881 https://www.virustotal.com/gui/file/f8b … dee6f48881.


#19 2024-04-20 15:38:35

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

loqs wrote:
NewArchUser0001 wrote:
loqs wrote:

What exact package versions were those?

Kmod 31-1
Go 2:1.22.1-1

Now these are the older packages that pacman saves, and so I extracted the GO program from that package and it has the same hash as the current one that's reporting the infections, so I guess something else changed in the Go package that pacman downloaded that wasn't the main program, and hence the update to the newer version of the package.

/usr/bin/go is a symlink to /usr/lib/go/bin/go.  The sha256sum for /usr/lib/go/bin/go from go 2:1.22.1-1 is f8b5a58c0f88dd94908056ab9f0332fb6534ceae38bf226e89dc1edee6f48881 https://www.virustotal.com/gui/file/f8b … dee6f48881.

You're right, I sent the wrong file up to VT; once I sent the right one I had the same result as you did and the older version is clean, thanks for the info there. So the previous versions of GO and Kmod are both clean and the newest versions are the ones that VT has an issue with.


#20 2024-04-22 10:21:19

MS-DTYP
Member
Registered: 2020-05-01
Posts: 28

Re: Have I been hacked?

I've taken a look into "kmod" with a disassembler and the file looks like an ordinary "kmod" to me. Of course, I can't speak for every byte.

Regarding Go, detecting Go files as viruses is quite normal for antivirus software, it's just the way it is.

Last edited by MS-DTYP (2024-04-22 10:22:59)


#21 2024-04-22 11:41:54

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

MS-DTYP wrote:

I've taken a look into "kmod" with a disassembler and the file looks like an ordinary "kmod" to me. Of course, I can't speak for every byte.

Regarding Go, detecting Go files as viruses is quite normal for antivirus software, it's just the way it is.

And yet previous versions of the same files are clean? If this were one or two detections that VT was hitting on that would be one thing, but each file has like 14+ different hits from the various AV vendors.


#22 2024-04-22 11:51:53

loqs
Member
Registered: 2014-03-06
Posts: 17,481

Re: Have I been hacked?

NewArchUser0001 wrote:
MS-DTYP wrote:

Regarding Go, detecting Go files as viruses is quite normal for antivirus software, it's just the way it is.

And yet previous versions of the same files are clean? If this were one or two detections that VT was hitting on that would be one thing, but each file has like 14+ different hits from the various AV vendors.

Was it a change in the code or the tool chain?  Has any human review found an issue with the binary or the source?
Edit:
I just built kmod locally in a clean chroot and that triggered 0 detections.  I am not using that build but if you are worried about kmod you could make and use such a build.

Last edited by loqs (2024-04-22 12:18:37)


#23 2024-04-22 12:31:32

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

loqs wrote:
NewArchUser0001 wrote:
MS-DTYP wrote:

Regarding Go, detecting Go files as viruses is quite normal for antivirus software, it's just the way it is.

And yet previous versions of the same files are clean? If this were one or two detections that VT was hitting on that would be one thing, but each file has like 14+ different hits from the various AV vendors.

Was it a change in the code or the tool chain?  Has any human review found an issue with the binary or the source?
Edit:
I just built kmod locally in a clean chroot and that triggered 0 detections.  I am not using that build but if you are worried about kmod you could make and use such a build.

I don't use any of the stuff that has the issues, but I find it interesting that you managed to get a clean AV score on VT and yet these 3 official files from the Arch repos are triggering heavy detections. Maybe the people who are responsible for the package that put them in the repo need to look at their tool chain or whatever to see what that issue is.


#24 2024-04-22 12:38:16

loqs
Member
Registered: 2014-03-06
Posts: 17,481

Re: Have I been hacked?

NewArchUser0001 wrote:

I don't use any of the stuff that has the issues, but I find it interesting that you managed to get a clean AV score on VT and yet these 3 official files from the Arch repos are triggering heavy detections. Maybe the people who are responsible for the package that put them in the repo need to look at their tool chain or whatever to see what that issue is.

I built the package the same way the maintainers do.  The difference being the time of the build so different tool chain and dependencies.  Your system is a container so does not need kmod?


#25 2024-04-22 12:56:54

ugjka
Member
From: Latvia
Registered: 2014-04-01
Posts: 1,815

Re: Have I been hacked?

Ah yeah, Go is popular among malware writers so they just flag the language itself as a virus and everyone who uses it and then call it a day


https://ugjka.net
paru > yay | webcord > discord
pacman -S spotify-launcher
mount /dev/disk/by-...
