Trojan in eggdrop module false positive ?

Discussion of Eggdrop's code and module programming in C.
juanamores
Master
Posts: 317
Joined: Sun Mar 15, 2015 9:59 am

Post by juanamores »

I made a backup of my VPS on my PC and Avast antivirus detected a trojan in a file.
The path: \eggdrop\modules-1.6.21\
The file: seen.so
Detection: ELF:IRCBot-D [Trj]

Most likely it is a false positive.
I've scanned the file using the VirusTotal website and here are the results:
https://www.virustotal.com/es/file/9747 ... 470704763/

Only Avast, out of 53 AVs, detects a virus.
If you do not understand my ideas is because I can not think in English, I help me with Google Translate. I only speak Spanish. Bear with me. Thanks :)
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

False positive, nothing to worry about unless you got the file from another source other than the official one that might have tampered with the files.
Once the game is over, the king and the pawn go back in the same box.
juanamores
Master
Posts: 317
Joined: Sun Mar 15, 2015 9:59 am

Post by juanamores »

I sent the file to AVAST Laboratory.
I have confirmed that the virus detection is correct.
The truth is I do not think it is a virus.

I do not think 52 antiviruses are mistaken.
It is a false positive!

This is what AVAST said:
Good morning

Thank you for contacting Avast and sending us the sample

The virus lab informs me that it really is a virus and the detection is correct.

Kind regards
If you do not understand my ideas is because I can not think in English, I help me with Google Translate. I only speak Spanish. Bear with me. Thanks :)
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

If and only if you got the eggdrop1.6.21.tar.gz (or whatever version you are using) from the official source aka. Eggheads.org site, then grab the non-compiled seen.c from the archive located in eggdrop1.6.21/src/mod/seen.mod, tell them that they are idiots cos it's a false positive result and uninstall the product.

I just got the seen.c file and here (link) is the virustotal result.
Once the game is over, the king and the pawn go back in the same box.
juanamores
Master
Posts: 317
Joined: Sun Mar 15, 2015 9:59 am

Post by juanamores »

I uploaded the file to

https://mega.nz/#!cYsRhZzY
so they can scan it.
Encryption key for the file:
!MUKHc7zBoMixKVPaw3VEZ7ra8TBsAZ5LqN80b430L9Y
I do not remember where I downloaded this eggdrop.
I used to download it from the official website, but this was a while ago.
If you do not understand my ideas is because I can not think in English, I help me with Google Translate. I only speak Spanish. Bear with me. Thanks :)
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

I got the seen.so file from my own eggdrop that I know for sure I got from the official source and the virus scan has the same result.
Once the game is over, the king and the pawn go back in the same box.
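Added example, not part of any post in this thread: one way to compare a flagged seen.so against a copy from a known-good install, as caesar does above, without relying on an AV verdict. The function names and the sample byte strings are constructed for illustration; in practice the two inputs would be the bytes of the two files.

```python
import hashlib
import re


def printable_strings(blob: bytes, min_len: int = 6) -> set:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}


def compare_modules(suspect: bytes, reference: bytes) -> dict:
    """Compare a flagged module with a known-good reference copy.

    Identical SHA-256 means the files are byte-for-byte the same. A different
    hash is expected when the two copies came from different compilers, so the
    fallback lists strings that exist only in the suspect file for review.
    """
    s_hash = hashlib.sha256(suspect).hexdigest()
    r_hash = hashlib.sha256(reference).hexdigest()
    if s_hash == r_hash:
        return {"verdict": "identical", "sha256": s_hash, "only_in_suspect": []}
    extra = sorted(printable_strings(suspect) - printable_strings(reference))
    verdict = "differs-review-strings" if extra else "differs-same-strings"
    return {"verdict": verdict, "sha256": s_hash, "only_in_suspect": extra}


# Constructed sample data (not real module contents).
REFERENCE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
             + b"module_start_example\x00constructed-data-file\x00\x00\x01\x02")
# Same strings, different padding: stands in for a rebuild on another machine.
REBUILT = (b"\x7fELF\x02\x01\x01" + b"\x00" * 12
           + b"module_start_example\x00constructed-data-file\x00\x00\x01\x02")
# Reference plus one extra string: stands in for a modified copy.
MODIFIED = REFERENCE + b"constructed-extra-string\x00"

if __name__ == "__main__":
    for name, blob in (("reference", REFERENCE), ("rebuilt", REBUILT),
                       ("modified", MODIFIED)):
        result = compare_modules(blob, REFERENCE)
        print(name, result["verdict"], result["only_in_suspect"])
```

A matching string set does not prove the code is unchanged; it only narrows what needs a closer look, and a full rebuild from the official archive remains the stronger check.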
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

I would assume they (Avast) classify it as a positive trojan, as eggdrops have been used to power malicious botnets in the past. To be honest, I'd almost expect them to classify any irc-client as an intrusion or trojan...

Sadly, I doubt they'll change their minds about it. Best bet is to get the binaries from a trusted source, or build them yourself, and do whatever you can to whitelist the file on your system.
NML_375
caesar
Mint Rubber
Posts: 3778
Joined: Sun Oct 14, 2001 8:00 pm
Location: Mint Factory

Post by caesar »

Because they haven't marked more files and just the seen module makes me think that the file has some piece of code (for instance like writing something in a file) similar to what malicious botnets used, maybe got some inspiration from the seen module..

Anyway, I wouldn't be bothered by this if you got the source from Eggheads.org's website.
Once the game is over, the king and the pawn go back in the same box.