Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Posibly victim of Unix.Malware.Caldera #441

Open
Polar-Tang opened this issue Jan 10, 2025 · 0 comments
Open

Posibly victim of Unix.Malware.Caldera #441

Polar-Tang opened this issue Jan 10, 2025 · 0 comments
Labels
question Further information is requested

Comments

@Polar-Tang
Copy link

Hello, my OS was executing arbitrary dpkg query, so i first stopped /usr/bin/dpkg-query, then i did a scan with clamscan and this notice me of the precense of the executable of caldero pluging, /var/lib/caldera, as this plugin execute instructions on the target host, and then send results back to the C2 server i think it's avaible to execute dpkg-query bypassing the cron.service instruction, and even executing deb_nopackfiles when dpkg query is disabled.
I have remove the malware and i'd be happy if you confirm that sandcat could do all of this, because i want to be 100% sure that this was the malware i have removed
@Polar-Tang Polar-Tang added the question Further information is requested label Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Polar-Tang