Mikael, can you provide the hash and/or VirusTotal link for the `/opt/netdata/bin/srv/netdata` sample?

Thanks,
demonduck

On Wed, Feb 5, 2020 at 9:01 AM Mikael Bak <[email protected]> wrote:

> Hi list,
>
> I found another signature in the daily.ldb that needs to be removed, I
> think.
>
> Scan results on all our servers running Netdata:
> /opt/netdata/bin/srv/netdata: Unix.Dropper.Mirai-7540607-0 FOUND
>
> Found it in daily.ldb like this:
>
> Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;557365722d4167656e743a2025732f2573;4e6f206368696c642070726f63657373;436f6e6e656374696f6e207265736574206279206e6574776f726b;4e6f74206120736f636b6574;536f636b6574206e6f7420636f6e6e6563746564
>
> Searching the netdata binary for the above hex values gives me these
> strings:
>
> User-Agent: %s/%s
> No child process
> Connection reset by network
> Not a socket
> Socket not connected
>
> I think this rule should also be removed.
>
> Best regards,
> Mikael Bak
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
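The triage step described in the quoted message, as an added example that is not part of the original thread and is not ClamAV code: it splits the quoted `.ldb` line, decodes each hex subsignature to ASCII, and evaluates the `0&1&2&3&4` expression against a buffer. It assumes plain hex subsignatures and a flat AND expression, and it ignores the engine's target-type and offset handling; the `BENIGN` buffer is constructed sample data.

```python
import re

# Logical signature exactly as quoted from daily.ldb in the message above.
SIG = (
    "Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;"
    "557365722d4167656e743a2025732f2573;"
    "4e6f206368696c642070726f63657373;"
    "436f6e6e656374696f6e207265736574206279206e6574776f726b;"
    "4e6f74206120736f636b6574;"
    "536f636b6574206e6f7420636f6e6e6563746564"
)

def parse_ldb(line):
    """Split an .ldb line: name;TargetDescriptionBlock;expression;subsig0;..."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return {"name": name, "tdb": dict(kv.split(":", 1) for kv in tdb.split(",")),
            "expr": expr, "subsigs": subsigs}

def decode_subsig(hexsig):
    """Decode a plain hex subsignature; wildcards (??, *, {n}) are not handled."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        raise ValueError("not a plain hex subsignature: " + hexsig)
    return bytes.fromhex(hexsig)

def matches(sig, data):
    """Evaluate a pure-AND expression such as 0&1&2&3&4 against a byte buffer."""
    if not re.fullmatch(r"\d+(?:&\d+)*", sig["expr"]):
        raise NotImplementedError("only flat AND expressions are handled here")
    patterns = [decode_subsig(s) for s in sig["subsigs"]]
    return all(patterns[int(i)] in data for i in sig["expr"].split("&"))

def missing(sig, data):
    """Subsignature strings absent from the buffer (empty list means a hit)."""
    return [p.decode("ascii") for p in map(decode_subsig, sig["subsigs"]) if p not in data]

# Constructed sample (not real Netdata bytes): the five decoded strings plus one
# unrelated message, laid out like a NUL-separated string table.
BENIGN = b"\x7fELF" + b"\0".join([
    b"User-Agent: %s/%s", b"No child process", b"Connection reset by network",
    b"Not a socket", b"Socket not connected", b"Out of memory",
]) + b"\0"

if __name__ == "__main__":
    sig = parse_ldb(SIG)
    print(sig["name"], sig["tdb"], [decode_subsig(s).decode() for s in sig["subsigs"]])
    print("matches constructed benign buffer:", matches(sig, BENIGN))
```

Running `missing()` against a flagged binary shows which subsignatures it actually contains, which is useful evidence to attach to a false-positive report alongside the file hash.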
