Join Log in
Score:10
Rougher avatar Server

ClamAV detected Kaiji malware on Ubuntu instance

pm flag
Rougher

Today clamAV scanned my AWS instances and detect 24 infected files on each. It looks like false positive due to several reasons:

  1. All these files are created in October 2022 (why were they detected only now?)
  2. SSH port for each instance is protected by MFA + password + VPN.

So, my question, what my next steps should be in this case? Should I remove these files, as I understood it can be system files that other apps can use.

2023-06-07T13:03:41.658+03:00   /snap/amazon-ssm-agent/6563/amazon-ssm-agent: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:42.909+03:00   /snap/amazon-ssm-agent/6563/ssm-agent-worker: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:44.659+03:00   /snap/amazon-ssm-agent/6563/ssm-cli: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:45.660+03:00   /snap/amazon-ssm-agent/6563/ssm-document-worker: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:46.910+03:00   /snap/amazon-ssm-agent/6563/ssm-session-logger: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:47.910+03:00   /snap/amazon-ssm-agent/6563/ssm-session-worker: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:49.411+03:00   /snap/amazon-ssm-agent/6312/amazon-ssm-agent: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:50.662+03:00   /snap/amazon-ssm-agent/6312/ssm-agent-worker: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:51.912+03:00   /snap/amazon-ssm-agent/6312/ssm-cli: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:52.912+03:00   /snap/amazon-ssm-agent/6312/ssm-document-worker: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:53.913+03:00   /snap/amazon-ssm-agent/6312/ssm-session-logger: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:55.413+03:00   /snap/amazon-ssm-agent/6312/ssm-session-worker: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:56.695+03:00   /snap/lxd/24061/bin/lxc: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:57.414+03:00   /snap/lxd/24061/bin/lxc-to-lxd: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:58.164+03:00   /snap/lxd/24061/bin/lxd-agent: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:03:58.915+03:00   /snap/lxd/24061/bin/lxd-benchmark: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:01.666+03:00   /snap/lxd/24061/bin/lxd-migrate: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:06.073+03:00   /snap/lxd/24061/bin/snap-query: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:12.420+03:00   /snap/lxd/23991/bin/lxc: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:13.170+03:00   /snap/lxd/23991/bin/lxc-to-lxd: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:13.920+03:00   /snap/lxd/23991/bin/lxd-agent: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:14.671+03:00   /snap/lxd/23991/bin/lxd-benchmark: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:16.171+03:00   /snap/lxd/23991/bin/lxd-migrate: Unix.Malware.Kaiji-10003916-0 FOUND

2023-06-07T13:04:21.073+03:00   /snap/lxd/23991/bin/snap-query: Unix.Malware.Kaiji-10003916-0 FOUND
5946
4 + 5
cn flag
Greg Askew
Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server)
0
Reply
Rougher avatar
pm flag
Rougher
@GregAskew I am looking for the specific answer for the specific problem. Also I am not sure still that it is a compromised server in my case. So, no
4
Reply
vn flag
ceejayoz
From the answers, it's probably safe to assume this is a false positive. However, on point #1, note that malware can pretty trivially make fake created/modified timestamps fo rfiles.
2
Reply
Andrew T. avatar
pe flag
Andrew T.
I hope someone who has enough reputation to [protect questions](https://serverfault.com/help/privileges/protect-questions) may protect this because it has garnered some low-quality "me too" answers.
2
Reply
cn flag
Greg Askew
@Rougher: that comment is auto-generated from the selection of the canonical question used to close questions about compromised servers. However, it appears this has transitioned from the usual noise of kompromat to a dumpster fire of deploying broken data files. https://github.com/Cisco-Talos/clamav/issues/944 and has been corrected in version 26932 of new garbage data files released yesterday. https://lists.clamav.net/pipermail/clamav-virusdb/2023-June/008315.html
0
Reply
Score:13
Craig avatar Server
ne flag
Craig

I submitted a false positive report to ClamAV at https://www.clamav.net/reports/fp

This was the description I submitted:

The attached "helper" file was retrieved by running:
docker cp "$(docker container create gcr.io/paketo-buildpacks/ca-certificates:3.6.2@sha256:87b389fa631c6d6bbdaef30b5b963b300a4cba87c0ab8e9d00e3e5c2496117d3 -d)":/cnb/buildpacks/paketo-buildpacks_ca-certificates/3.6.2/bin/helper .

clamscan run on that file outputs:
helper: Unix.Malware.Kaiji-10003916-0 FOUND

That docker image is from https://github.com/paketo-buildpacks/ca-certificates/releases/tag/v3.6.2

Unix.Malware.Kaiji-10003916-0 is being detected in many files - this is just one sample. This false positive, new today, was also raised on stackoverflow at https://serverfault.com/questions/1132808/clamav-detected-kaiji-malware-on-ubuntu-instance

I also ran the helper file through virustotal: https://www.virustotal.com/gui/file-analysis/NmUzNWM2MGVhZWVmNmU5ODAxYTExOWVhMTNkNGM1MGM6MTY4NjE0NzAzNg==

No scanners besides clamav detect a virus in this file.

An out of band update of the daily signature database was just published removing this signature: https://lists.clamav.net/pipermail/clamav-virusdb/2023-June/008315.html

With that, this false positive issue is now resolved.

The ClamAV project is also going to review its processes to prevent such false positives from occurring in the future.

I also reported this issue to ClamAV in their discord.

+ 1
Rougher avatar
pm flag
Rougher
Could you share their answer when they will answer you?
1
Reply
Score:3
Trevor avatar Server
ki flag
Trevor

ClamAV for me this morning (June 7 2023) is reporting Unix.Malware.Kaiji-10003916 found in various cloudwatch-agent, ssm-agent, gitlab and docker files on Amazon Linux. False alarms or I have a lot of cleanup to do!

+ 2
Rougher avatar
pm flag
Rougher
I also run today. Before every scanning, I run freshclamav. It was updated today from 26924 to 26931. Do you have the same version? So, do you think it is false positive?
0
Reply
Trevor avatar
ki flag
Trevor
Yes, 26931 was the daily database version used to scan
0
Reply
Score:2
avatar Server
ws flag
symcbean

All the "me too" posts suggest this is a false positive, however it would still be worthwhile to verify your checksums.

dpkg keeps a record of the md5 hashes of all the files it has installed at /var/lib/dpkg/info/.md5sums

To find the package which owns a file, use dpkg -S or search for its checksum above.

RPM also maintains a list a file hashes (see verify options).

+ 2
Andrew T. avatar
pe flag
Andrew T.
Sorry for commenting on your post, but perhaps you may consider to [protect the question](https://serverfault.com/help/privileges/protect-questions) to prevent more low-quality "me too" answers.
1
Reply
ws flag
symcbean
Although usually such posts are dicouraged here, in this instance they do add some value.
0
Reply
Score:1
Ben avatar Server
so flag
Ben

I'm also seeing this. I got some PHP webshell alerts from Sophos so was investigating and found this with clamav. Not sure it has anything to do with the alert from Sophos. Some of our instances used to run docker and my predecessor left it wide open and I cleaned all that up a long time ago but having googled kaiji I found something saying it was a botnet that exploited insecure docker installations. I ran one of the files through Virus Total and only ClamAV seems to think it's bad. I can't tell if it's a false positive or something new that only clam is picking up on right now

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.