egghelp.org community
Discussion of eggdrop bots, shell accounts and tcl scripts.
 

Trojan in eggdrop module false positive ?

 
juanamores
Master


Joined: 15 Mar 2015
Posts: 317

Posted: Mon Aug 08, 2016 9:04 pm    Post subject: Trojan in eggdrop module false positive ?

I made a backup of my VPS on my PC and Avast antivirus detected a trojan in a file.
The path: \eggdrop\modules-1.6.21\
The file: seen.so
Detection: ELF:IRCBot-D [Trj]

Most likely it is a false positive.
I've scanned the file using the VirusTotal website and here are the results:
https://www.virustotal.com/es/file/9747d59e90bcc5c56c93bee2e4a35ed45c0317be879c97ded5632e0933370096/analysis/1470704763/

Only Avast, out of 53 AVs, detects a virus.
_________________
If you do not understand my ideas, it is because I cannot think in English; I use Google Translate to help me. I only speak Spanish. Bear with me. Thanks :)
caesar
Ass Kicker


Joined: 14 Oct 2001
Posts: 3475
Location: Area 51

Posted: Tue Aug 09, 2016 1:20 am

False positive, nothing to worry about unless you got the file from another source other than the official one that might have tampered with the files.
_________________
You may say anything about me, but at least don't misspell my name. xD
juanamores
Master


Joined: 15 Mar 2015
Posts: 317

Posted: Tue Aug 09, 2016 7:06 pm

I sent the file to AVAST Laboratory.
I have confirmed that the virus detection is correct.
The truth is I do not think it is a virus.

I do not think 52 antiviruses are mistaken.
It is a false positive!

This is what AVAST said:
Quote:
Good morning

Thank you for contacting Avast and sending us the sample

The virus lab informs me that it really is a virus and that the detection is correct.

Kind regards

caesar
Ass Kicker


Joined: 14 Oct 2001
Posts: 3475
Location: Area 51

Posted: Wed Aug 10, 2016 2:30 am

If and only if you got the eggdrop1.6.21.tar.gz (or whatever version you are using) from the official source aka. Eggheads.org site, then grab the non-compiled seen.c from the archive located in eggdrop1.6.21/src/mod/seen.mod, tell them that they are idiots cos it's a false positive result and uninstall the product.

I just got the seen.c file and here (link) is the virustotal result.
juanamores
Master


Joined: 15 Mar 2015
Posts: 317

Posted: Wed Aug 10, 2016 8:39 pm

I uploaded the file to
Code:
https://mega.nz/#!cYsRhZzY
so they can scan it.
Encryption key for the file:
Quote:
!MUKHc7zBoMixKVPaw3VEZ7ra8TBsAZ5LqN80b430L9Y

I do not remember where I downloaded this eggdrop.
I used to download it from the official website, but this was a while ago.
caesar
Ass Kicker


Joined: 14 Oct 2001
Posts: 3475
Location: Area 51

Posted: Thu Aug 11, 2016 1:27 am

I got the seen.so file from my own eggdrop that I know for sure I got from the official source and the virus scan has the same result.
nml375
Revered One


Joined: 04 Aug 2006
Posts: 2835

Posted: Fri Aug 12, 2016 2:03 pm

I would assume they (Avast) classify it as a positive trojan, as eggdrops have been used to power malicious botnets in the past. To be honest, I'd almost expect them to classify any irc-client as an intrusion or trojan...

Sadly, I doubt they'll change their minds about it. Best bet is to get the binaries from a trusted source, or build them yourself, and do whatever you can to whitelist the file on your system.
_________________
NML_375, idling at #eggdrop@IrcNET
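
One way to act on the advice above, as an added example that is not part of any post in this thread: compare the source files of a local eggdrop tree, file by file, against a reference tarball downloaded from the official site. The tarball bytes, the file contents and `extra.c` built in `demo()` are constructed stand-ins; only the `eggdrop1.6.21/src/mod/seen.mod` path comes from the thread.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

PREFIX = "eggdrop1.6.21/src/mod/seen.mod/"  # path named in the thread

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reference_hashes(tarball: bytes, prefix: str = PREFIX) -> dict:
    """SHA-256 of every regular file under prefix, read without extracting to disk."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.startswith(prefix):
                hashes[member.name[len(prefix):]] = sha256(tar.extractfile(member).read())
    return hashes

def compare_tree(local_root: Path, ref: dict) -> dict:
    """Sort local files into ok / modified / missing / extra against the reference."""
    report = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in sorted(ref.items()):
        path = local_root / rel
        if not path.is_file():
            report["missing"].append(rel)
        else:
            same = sha256(path.read_bytes()) == digest
            report["ok" if same else "modified"].append(rel)
    local = {p.relative_to(local_root).as_posix() for p in local_root.rglob("*") if p.is_file()}
    report["extra"] = sorted(local - set(ref))
    return report

def demo() -> dict:
    """Constructed sample: a tiny stand-in tarball and a local tree with one edit."""
    ref_files = {"seen.c": b"/* stand-in source */\n", "Makefile": b"# stand-in\n", "modinfo": b"DESC:stand-in\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in ref_files.items():
            info = tarfile.TarInfo(PREFIX + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "seen.c").write_bytes(b"/* stand-in source, locally edited */\n")
        (root / "Makefile").write_bytes(ref_files["Makefile"])
        (root / "extra.c").write_bytes(b"/* not in the reference */\n")
        return compare_tree(root, reference_hashes(buf.getvalue()))

if __name__ == "__main__":
    print(demo())
```

Compiled `seen.so` files differ with compiler and platform, so the comparison is made on sources; a tree that matches the reference can then be rebuilt to get a module of known origin.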
caesar
Ass Kicker


Joined: 14 Oct 2001
Posts: 3475
Location: Area 51

Posted: Sat Aug 13, 2016 1:53 am

Because they haven't marked more files and just the seen module makes me think that the file has some piece of code (for instance like writing something in a file) similar to what malicious botnets used, maybe got some inspiration from the seen module..

Anyway, I wouldn't be bothered by this if you got the source from Eggheads.org's website.
All times are GMT - 4 Hours