[dokuwiki] Re: DokuWiki for Windows with MicroApache is Infected with a Trojan
- From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
- To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
- Date: Tue, 15 Dec 2020 22:59:48 +0100
Hi,
thanks for the info.
4. A few seconds later, BitDefender told me it was cleaning a malicious file.
Further examination told me that libsqlite3.dll was infected with the
Gen:Variant.Razy trojan.
According to
https://malwaretips.com/blogs/remove-gen-variant-razy
Gen:Variant.Razy is not actually any specific trojan, but a heuristic
scanner that tries to identify trojan behavior.
Their heuristic might be pretty simple: an UPX compressed executable
that opens a network connection.
- In the firewall log, mapache.exe made a connection to the ip address
216.105.38.15/0. I do not recognize this IP address, and there is no reason I
can think of that an internal web server intended purely for testing purposes
should be making a connection to an external IP address without my knowledge.
That's the IP address of slashdot.org. If you looked at wiki:syntax
your wiki will have made this connection to fetch their RSS feed for
the part of the syntax description that explains RSS feed syntax.
- Device Vulnerability: We detected a change in your device's settings that
allows it to execute setup files from media drives as soon as they are
inserted in the drive without your knowledge. Automatic execution of unknown
files may harm your device. (I did not make this change. I assume the trojan
must have done it.)
This is actually the only suspicious thing. I fired up a Windows 10 VM
and did the following:
* checked the autoplay settings (based on this article
https://www.techrepublic.com/article/how-to-disable-autoplay-and-autorun-in-windows-10/)
* the default was on, I turned it off
* I downloaded a fresh copy of DokuWiki with MicroApache
* unpacked it and ran the run command, waited for it to start
* opened the autoplay settings again. the setting was still off
So I can not really reproduce this. Did you ever disable this setting
before? Maybe it was just another thing your scanner checked just when
it was doing it's thing about the Gen:Variant.Razy heuristics and it
found the default and complained?
Btw, I get a different MD5 hash when I download the MicroApache version (with
no plugins selected)
07fafd29844aa01192ac7fede69afa8b
I was talking about the hash for only the libsqlite3.dll file - not
the whole download.
Because of the above log entries in BitDefender, I do not believe this to be
a false alarm.
The thing is that the files on the server are exactly as I created
them in November. They are created through a script on a Linux system
where they are downloaded directly from the different upstream
sources. There is no Windows-System involved that could infect them
during the build.
If we assume that the upstream files are clear and there is no way my
local files can be infected and those files are exactly as the files
on the server, a false alarm seems to be the only reasonable
explanation.
As I said, similar false alarms seem to be triggered somewhat
frequently for UPX packed binaries:
https://github.com/upx/upx/issues?q=is%3Aissue+virus
Andi
--
splitbrain.org
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
Other related posts:
