Re: possible malware in db48 port

2020-01-21 Thread Bill Cole
On 21 Jan 2020, at 18:11, Artemio González López via macports-users 
wrote:


> Bitdefender has flagged two files from the db48 MacPorts port 
> installed in my Mac, namely
> 
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
> 
> which seem to be infected by something called
> 
> Gen:Variant.Application.MAC.Koiot.575

This is not an indication of a specific 'infection' but rather a generic 
heuristic match with characteristics seen in known malware. This is NOT 
a match with any specific known malware.



> Does this sound plausible,


I believe Bitdefender flagged it. I don't believe it is worth concern. I 
have no reason to believe that a Bitdefender generic match is worth 
anything. Do you?



> or is it more likely a false positive?


It's nothing. It's not a 'positive' of any sort, it's an almost random 
assertion that a file has some vague characteristics in common with 
unspecified malware.


Generic matches by "antivirus" programs that do not document those 
patterns are worse than worthless. Your use of Bitdefender has wasted 
your valuable time.


> In any case, I am thinking of reinstalling the port. Is this possible, 
> and how should I proceed? (uninstall first, perhaps, but what about 
> dependents?).


You can't make Bitdefender worthwhile software by reinstalling Berkeley 
DB 4.8.


I have machines with these local source builds of the db48 port, 
v4.8.30_4:


Darwin10/i386
Darwin15/x86_64
Darwin17/x86_64
Darwin18/x86_64

All of these now show the same 5 junk hits at VirusTotal on their 
libdb_cxx-4.8.dylib. The first 2 did not show any hits in years-old 
tests, but they hit when rescanned in the last few hours. I also have 
downloaded the pristine source from Oracle, patched it to fix naming 
conflicts, and built it without using anything from MacPorts. That 
libdb_cxx-4.8.dylib hits at VT identically to the 4 other builds I have.


It is certainly possible that the source code of BerkeleyDB v4.8.30 has 
been compromised at its definitive repository by some 
as-yet-unidentified MacOS X malware which has unspecified similarities 
to some unspecified known malware which is only known to 5 3rd-rate AV 
tools, 4 of which give it the same name which is unreferenced anywhere.


It is more likely that those junk AV packages have detected the use of 
BerkeleyDB v4.8.30 (one of the most ubiquitous open source libraries in 
existence) by some malware and have deemed some of its characteristics 
as being indicative of malware, incorrectly.


If you are a paying customer of Bitdefender, I urge you to ask them what 
this detection actually means and ask that they justify the waste of 
your time over this apparently pointless "detection." They owe you an 
explanation.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)


Re: possible malware in db48 port

2020-01-21 Thread Dave Allured - NOAA Affiliate via macports-users
On Tue, Jan 21, 2020 at 6:12 PM Christopher Chavez 
wrote:

> On 1/21/2020 7:03 PM, Christopher Chavez wrote:
> > VirusTotal doesn't report anything for
> > http://packages.macports.org/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2:
> > see
> >
> https://www.virustotal.com/gui/url/c368d42293be904ef4710ad8ac1790b476e48ccdc8763c0267def2985222aad5/
>
> …although the report for the archive itself (instead of the URL) *does*
> report a few positives, including BitDefender:
>
> https://www.virustotal.com/gui/file/20ab2a1bb6af8cf2b55a8fb5903adb3e3627fc8bd7b2f0937786be5567947629/
> ; I'm not sure why the URL report doesn't indicate this.
>

Another version of this file, recently built from source on my local Mac,
got the same 5 positives as the Macports binary version.  This does not
bode well for rebuilding as a remedy.

https://www.virustotal.com/gui/file/11faee65deeb057dfab168ad915b3f08a8a0c72eb2cf47d4fe2ea7c26c6179e1/detection

Thanks for the great tool, Chris.  I did not know about this one.


Re: possible malware in db48 port

2020-01-21 Thread Christopher Chavez

On 1/21/2020 7:03 PM, Christopher Chavez wrote:

> VirusTotal doesn't report anything for
> http://packages.macports.org/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2:
> see
> https://www.virustotal.com/gui/url/c368d42293be904ef4710ad8ac1790b476e48ccdc8763c0267def2985222aad5/


…although the report for the archive itself (instead of the URL) *does*
report a few positives, including BitDefender:
https://www.virustotal.com/gui/file/20ab2a1bb6af8cf2b55a8fb5903adb3e3627fc8bd7b2f0937786be5567947629/
; I'm not sure why the URL report doesn't indicate this.


Re: possible malware in db48 port

2020-01-21 Thread Christopher Chavez

On 1/21/2020 5:11 PM, Artemio González López via macports-users wrote:

> Bitdefender has flagged two files from the db48 MacPorts port installed
> in my Mac, namely
> 
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
> 
> which seem to be infected by something called
> 
> Gen:Variant.Application.MAC.Koiot.575
> 
> Does this sound plausible, or is it more likely a false positive? In any
> case, I am thinking of reinstalling the port. Is this possible, and how
> should I proceed? (uninstall first, perhaps, but what about dependents?).
> 
> Here’s what ls reports about these files:
> 
> -rwxr-xr-x  1 macports  admin  1302356 Sep 27  2017
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> -rw-r--r--  1 macports  wheel  19951871 Mar 15  2018
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2


VirusTotal doesn't report anything for
http://packages.macports.org/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2:
see
https://www.virustotal.com/gui/url/c368d42293be904ef4710ad8ac1790b476e48ccdc8763c0267def2985222aad5/

But extracting libdb_cxx-4.8.dylib from that archive and uploading, it
*does* report positive from BitDefender and a few other engines, however
most other engines do not detect anything: see
https://www.virustotal.com/gui/file/2ce2eb2cc146cff38a87c2243dc125b60836f379fbd763e7963d7a9c05e54f0e/



Re: possible malware in db48 port

2020-01-21 Thread Ryan Schmidt



On Jan 21, 2020, at 17:11, Artemio González López wrote:

> Bitdefender has flagged two files from the db48 MacPorts port installed in my 
> Mac, namely
> 
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2

db48-4.8.30_4.darwin_17.x86_64.tbz2 contains everything installed by the db48 
port, which includes libdb_cxx-4.8.dylib.

> which seem to be infected by something called
> 
> Gen:Variant.Application.MAC.Koiot.575
> 
> Does this sound plausible, or is it more likely a false positive?

It seems unlikely to me. If you got the binary of this port from our server 
(which I think you did; see below), then that would mean that our server is 
infected, and I find that unlikely. If on the other hand MacPorts built it for 
you on your own computer, I guess it's possible that an existing virus 
infection on your computer was copied into this file. I'm not familiar with 
this virus or how it works or what it does. A third possibility is that db 
4.8.30 as distributed by its developers contains this virus. That too seems 
unlikely.


> In any case, I am thinking of reinstalling the port. Is this possible, and 
> how should I proceed? (uninstall first, perhaps, but what about dependents?).

You can rebuild the port with:

sudo port -n upgrade --force db48

If you want to be sure that you receive a binary from us, you would use:

sudo port -nb upgrade --force db48

If on the other hand you want to ensure a build from source, to rule out a 
problem with our binary, you would use:

sudo port -ns upgrade --force db48


> Here’s what ls reports about these files:
> 
> -rwxr-xr-x  1 macports  admin  1302356 Sep 27  2017 
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> -rw-r--r--  1 macports  wheel  19951871 Mar 15  2018 
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2


Those are the exact sizes and, in the case of libdb_cxx-4.8.dylib, the exact 
date of those files as distributed by our server. As such, I expect that 
reinstalling the port from our binary will change nothing. You can build from 
source to see if that changes anything.
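Chris checked the library by extracting libdb_cxx-4.8.dylib from the archive and looking it up at VirusTotal; Ryan compared sizes and dates against the copy on the MacPorts server. Both checks can be done with digests instead: equal size and mtime do not prove the bytes are identical, an equal SHA-256 does, and a VirusTotal file report is keyed by the file's SHA-256 (the long hex string in the gui/file/ URLs above), so a local digest can be compared against a report without uploading anything. The script below is an added example, not code from this thread or from MacPorts. It assumes a POSIX shell, tar, and either sha256sum or shasum; the archive and library paths are the ones named in the thread, while the directory layout inside the archive is not assumed (the member is located by basename). It accepts .tgz archives as well as .tbz2 so it can be exercised on a constructed sample.

```shell
#!/bin/sh
# Added example: verify an installed MacPorts library against the copy
# inside a binary archive by SHA-256, and print both digests so they can
# be checked against https://www.virustotal.com/gui/file/<sha256>.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Map the archive suffix to the tar compression flag.
compress_flag() {
    case "$1" in
        *.tbz2|*.tar.bz2) echo j ;;
        *.tgz|*.tar.gz)   echo z ;;
        *) echo "unsupported archive suffix: $1" >&2; return 2 ;;
    esac
}

# Find the first member of ARCHIVE whose basename is NAME (the path layout
# inside the archive is not assumed) and print the SHA-256 of its bytes.
archive_member_sha256() {
    archive=$1
    name=$2
    flag=$(compress_flag "$archive") || return 2
    member=$(tar -t"${flag}"f "$archive" | while IFS= read -r m; do
        case "$m" in */"$name"|"$name") printf '%s\n' "$m"; break ;; esac
    done)
    [ -n "$member" ] || { echo "$name not found in $archive" >&2; return 2; }
    tmp=$(mktemp)
    # -O writes the member to stdout (GNU and BSD tar both support it).
    tar -x"${flag}"Of "$archive" "$member" > "$tmp"
    sha256_of "$tmp"
    rm -f "$tmp"
}

# Return 0 when INSTALLED and the archived copy are byte-identical,
# 1 when they differ, 2 when either digest could not be computed.
verify_against_archive() {
    installed=$1
    archive=$2
    local_sum=$(sha256_of "$installed") || return 2
    archived_sum=$(archive_member_sha256 "$archive" "$(basename "$installed")") || return 2
    echo "installed: $local_sum"
    echo "archived:  $archived_sum"
    [ "$local_sum" = "$archived_sum" ]
}

# Typical use against the files named in the thread (needs network access):
#   curl -O http://packages.macports.org/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
#   verify_against_archive /opt/local/lib/db48/libdb_cxx-4.8.dylib \
#       db48-4.8.30_4.darwin_17.x86_64.tbz2
```

If the two digests match, the installed library is exactly what the server distributes and rebuilding from the same binary will, as Ryan says, change nothing; a mismatch means the local file was modified after installation and is worth investigating before any reinstall. Either digest can also be typed into the VirusTotal file-report URL to see the existing report for that exact file.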




possible malware in db48 port

2020-01-21 Thread Artemio González López via macports-users
Bitdefender has flagged two files from the db48 MacPorts port installed in my 
Mac, namely

/opt/local/lib/db48/libdb_cxx-4.8.dylib
/opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2

which seem to be infected by something called

Gen:Variant.Application.MAC.Koiot.575

Does this sound plausible, or is it more likely a false positive? In any case, 
I am thinking of reinstalling the port. Is this possible, and how should I 
proceed? (uninstall first, perhaps, but what about dependents?).

Thanks for your help,

P.S.

Here’s what ls reports about these files:

-rwxr-xr-x  1 macports  admin  1302356 Sep 27  2017 
/opt/local/lib/db48/libdb_cxx-4.8.dylib
-rw-r--r--  1 macports  wheel  19951871 Mar 15  2018 
/opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2


Artemio Gonzalez Lopez
artem...@mac.com





Re: Migrating from Sierra on one box to High Sierra on another

2020-01-21 Thread Ryan Schmidt


On Jan 21, 2020, at 03:54, Chris Jones wrote:

> On 21/01/2020 1:28 am, Dave Horsfall wrote:
> 
>> I don't have web access right now, hence the list...
>> My ancient Sierra MacBook failed (graphics board which is no longer 
>> available) but I have been offered a more recent second-hand one for a 
>> reasonable price, and it will run High Sierra (I don't want Mojave just yet).
>> What's the procedure to update all the existing ports i.e. is there such a 
>> thing as "port upgrade all" to do "the right thing"?  I have the old system 
>> drive available (external USB - long story) and can slurp the appropriate 
>> files over (I don't like restoring using Time Machine, and the Capsule may 
>> not be up to date anyway, as I was working when the video disappeared).
>> I know that I have to recompile my own stuff.
>> Anything else that I should know about?  I like to be forewarned, and 
>> remember that I don't have web access right now.
> 
> As with any OS upgrade, follow the instructions at
> 
> https://trac.macports.org/wiki/Migration

Since you don't have web access, I'll reproduce the main part of that page here:


> Migration procedure 
> 
> Install the latest version of Xcode and the Xcode command-line tools 
> 
> Update the development tools by installing Xcode. Open the Xcode application 
> once after installation and follow any prompts.
> 
> Install the command line tools package as well (run xcode-select --install).
> 
> Reinstall MacPorts base system 
> To reinstall, simply install the base MacPorts system for your new platform.
> 
> Update your macports.conf (if not default) 
> 
> If your macports.conf (typically at /opt/local/etc/macports/macports.conf) 
> contains uncommented settings for universal_archs or build_arch, you will 
> likely want to update them, since unlike earlier OS versions, the compiler on 
> Snow Leopard and later will build for x86_64 by default on systems that 
> support it. Default values are fine for most users, so unless you know you 
> need something different, just comment out these two lines.
> 
> Several other settings in macports.conf have changed their defaults over the 
> years. Take a moment to compare each line of your macports.conf with the 
> corresponding line in macports.conf.default in the same directory. Unless you 
> know a reason why a line in your settings file should be different from the 
> defaults, adopt the line from the defaults file.
> 
> Reinstall your ports 
> Save the list of installed ports:
> port -qv installed > myports.txt
> (optional) Save the list of requested ports:
> port echo requested | cut -d ' ' -f 1 > requested.txt
> Uninstall all installed ports:
> sudo port -f uninstall installed
> Clean any partially-completed builds:
> sudo rm -rf /opt/local/var/macports/build/*
> Download and execute the restore_ports script. (If you installed MacPorts 
> from source and used a custom prefix, then you'll need to use the -p option 
> when you run restore_ports.tcl; see ./restore_ports.tcl -h.)
> curl --location --remote-name 
> https://github.com/macports/macports-contrib/raw/master/restore_ports/restore_ports.tcl
> chmod +x restore_ports.tcl
> xattr -d com.apple.quarantine restore_ports.tcl
> sudo ./restore_ports.tcl myports.txt
> Note: ports that are not available on your new platform will be skipped, with 
> only a warning message. 
> (optional) Restore requested status: If you saved the list of requested 
> ports, you can now restore the requested flags for your newly installed ports 
> to their former states.
> sudo port unsetrequested installed
> xargs sudo port setrequested < requested.txt
> Warning: if a port in requested.txt was not installed in the previous step, 
> the iterative setrequested will terminate, leaving some ports still marked as 
> not-requested. Edit requested.txt to remove any ports that were not installed 
> and repeat this step. Double-check your desired ports are set as requested 
> with port echo requested.



If your new machine is old enough to run Sierra, and if you have not yet set up 
or put any of your data on the new machine, then the simplest way to proceed 
might be to clone your old machine's disk to your new machine (using Carbon 
Copy Cloner, SuperDuper, or similar), then boot up from your new machine's 
internal disk and upgrade to High Sierra, and then follow the migration 
instructions as normal.
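The warning at the end of the quoted procedure describes the one step that does not fail gracefully: feeding requested.txt to a single `port setrequested` through xargs stops at the first port that was not reinstalled, leaving the rest unmarked. The function below is an added example, not part of the MacPorts wiki or project; it restores the flag one port at a time so a missing port is reported and skipped rather than aborting the run. PORT_CMD is an assumption of this example: it defaults to `sudo port` and can be pointed at a stand-in.

```shell
#!/bin/sh
# Added example: restore "requested" flags from requested.txt one port at
# a time, continuing past ports that are not installed on the new system.
# PORT_CMD (assumed name) lets the port command be replaced for testing.

restore_requested() {
    listfile=$1
    cmd=${PORT_CMD:-sudo port}   # intentionally unquoted below: may be two words
    set_count=0
    skipped=0
    # Read the last line even if the file lacks a trailing newline.
    while IFS= read -r name || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case "$name" in ''|\#*) continue ;; esac
        if $cmd setrequested "$name" >/dev/null 2>&1; then
            set_count=$((set_count + 1))
        else
            echo "skipped (not installed on this system?): $name" >&2
            skipped=$((skipped + 1))
        fi
    done < "$listfile"
    echo "requested flag set on $set_count port(s), $skipped skipped"
    # Non-zero exit when anything was skipped, so the caller notices.
    [ "$skipped" -eq 0 ]
}

# Usage, after restore_ports.tcl has finished:
#   sudo port unsetrequested installed
#   restore_requested requested.txt
#   port echo requested
```

The skipped names are printed to stderr, so they can be compared against the restore_ports.tcl warnings about ports unavailable on the new platform, and the final `port echo requested` double-check from the wiki still applies.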



Re: Migrating from Sierra on one box to High Sierra on another

2020-01-21 Thread Chris Jones



As with any OS upgrade, follow the instructions at

https://trac.macports.org/wiki/Migration

On 21/01/2020 1:28 am, Dave Horsfall wrote:

> I don't have web access right now, hence the list...
> 
> My ancient Sierra MacBook failed (graphics board which is no longer 
> available) but I have been offered a more recent second-hand one for a 
> reasonable price, and it will run High Sierra (I don't want Mojave just 
> yet).
> 
> What's the procedure to update all the existing ports i.e. is there such 
> a thing as "port upgrade all" to do "the right thing"?  I have the old 
> system drive available (external USB - long story) and can slurp the 
> appropriate files over (I don't like restoring using Time Machine, and 
> the Capsule may not be up to date anyway, as I was working when the 
> video disappeared).
> 
> I know that I have to recompile my own stuff.
> 
> Anything else that I should know about?  I like to be forewarned, and 
> remember that I don't have web access right now.
> 
> Thanks.
> 
> -- Dave