Hello,
Is someone actually able to tell me if the list I submitted are false
positives or real trojans?
Thank you,
Birgit
On 23. 05. 14 15:28 , Alain Zidouemba wrote:
Thanks Birgit.
- Alain
On Fri, May 23, 2014 at 5:38 AM, DUCARROZ Birgit <birgit.ducar...@unifr.ch> wrote:
Ok. Here are the md5s of most of the alerts:
On 23. 05. 14 10:26 , Al Varnell wrote:
We always do that right here.
-Al-
On Fri, May 23, 2014 at 01:23 AM, DUCARROZ Birgit wrote:
ok. Where do I have to submit the md5s ?
- Birgit
On 22. 05. 14 01:01 , Alain Zidouemba wrote:
The new signature will be out in the next few releases.
If you could, please provide the md5s or sha256s of the samples that
alerted.
Thanks,
- Alain
On Wednesday, May 21, 2014, DUCARROZ Birgit <birgit.ducar...@unifr.ch>
wrote:
Thank you a lot! When will it be replaced?
I had 317 "infected" files and now I don't know if they are false
positives or not.
Curiously chkrootkit gave me this:
< You have 1 process hidden for readdir command
< You have 1 process hidden for ps command
< chkproc: Warning: Possible LKM Trojan installed
but this message disappeared also one or two days later.
Since most of the "infected" files are old, I wonder if they might
have been infected afterwards...
- Birgit
On 21. 05. 14 22:09 , Alain Zidouemba wrote:
It was dropped for performance reasons. We found it to be generating some
false positives, such as the one you likely had. The signature
Unix.Trojan.ElkKnot will be replaced with a better performing one.
- Alain
On Wed, May 21, 2014 at 4:07 PM, DUCARROZ Birgit <birgit.ducar...@unifr.ch> wrote:
Why has it been dropped? Should I believe now that I have this trojan or
not?
On 21. 05. 14 14:31 , Alain Zidouemba wrote:
The signature "Unix.Trojan.ElkKnot" has been dropped from our signature set
a few releases ago.
- Alain
On Wed, May 21, 2014 at 5:46 AM, DUCARROZ Birgit <birgit.ducar...@unifr.ch> wrote:
Sorry, I forgot to note my question:
Does somebody know what this might be?
When I am scanning the same files now, this message does not appear
again.
Actual version: ClamAV 0.97.8/19011/Wed May 21 09:48:13 2014
On 21. 05. 14 11:41 , DUCARROZ Birgit wrote:
Hi,
as of 05/13/2014 I had suddenly a lot of older files with notification
Unix.Trojan.ElkKnot FOUND
Regards,
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
--
Birgit Ducarroz
Unix Systems Administration
Department of Informatics
University of Fribourg Switzerland
mailto:birgit.ducar...@unifr.ch
Phone: +41 (26) 300 8342
https://diuf.unifr.ch/people/ducarroz/