Trojans and Backdoor detected in 6.13?

manic hook - July 9, 2009 - 09:10

Just downloaded Drupal 6.13

When I extracted the files from the tar.gz file, my Trend Micro anti-virus alerted that 3 files are infected.

modules/color/color.install - BKDR_IRCBOT.BZQ
modules/profile/profile-wrapper.tpl.php - TROJ_SWIZZOR.KXV
modules/translation/translation.module - TROJ_FRAUDLO.LL

Is it a false positive or is there something wrong with the download?

FALSE POSITIVE. Locked thread too. chx.

Same here...

hass - July 9, 2009 - 09:38

Same here..., but I've only seen the color.install and profile wrapper. Must be a false detection.

Also the same

cyaneo - July 9, 2009 - 09:58

Already sent this to Trend Micro support.

Regards,
cyaneo
++++++++++++++++++
http://www.zen-cart.at
++++++++++++++++++

We too

vitoabrusci - July 9, 2009 - 10:36

We've got the same.
Disabling Trend Micro.

Vito

Site hosting company's anti-virus now deleting these files

ailgm - July 9, 2009 - 17:01

I'm running into this too. My site hosting company's anti-virus is now deleting these files on our sites, and preventing their upload, causing errors on live sites.

Further information

ailgm - July 10, 2009 - 01:29

I have found that the file translation.module is also being flagged on Drupal 6.12 sites.

.

Michelle - July 10, 2009 - 02:41

---
Coulee Region Online: Social networking and area information. You're welcome to visit but please don't make an account unless you want to join the community.

False positive

asmdec - July 10, 2009 - 13:05

Is it really a false positive???

Yes

Michelle - July 10, 2009 - 13:08

It is.

Michelle

---
Coulee Region Online: Social networking and area information. You're welcome to visit but please don't make an account unless you want to join the community.

Thank you! :)

asmdec - July 10, 2009 - 13:18

Thank you! :)

Don't think it's false reports

drumming_cat - July 12, 2009 - 02:15

Hi, I've received virus messages for every single color.install file that I've got on my hard drive (all various Drupal 5 versions).
The color.install files are NOT plain text anymore, I tried to open one in Dreamweaver, it returned cryptic signs.
At the same time that TrendMicro reported the viruses, Spyware Doctor reported 2 trojans, Backdoor.Ciadoor!sd5 and Backdoor.Delf!ct.
I don't believe that these are false reports at all. I've been working hard on getting rid of the viruses and trojans since then.

=-=

VM - July 12, 2009 - 02:34

drupal.org and/or Drupal core downloads are not packaged with viruses. Either you already had a virus or there is some other issue at hand that has nothing to do with Drupal.

Avast isn't reporting anything with regard to Drupal 6.13, nor is Norton or Symantec. Thus the common denominator in this thread is Trend Micro.

I just downloaded a fresh

nevets - July 12, 2009 - 02:39

I just downloaded a fresh copy of 6.13 and color.install is a text file as expected.
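The check nevets describes (a fresh copy of the tarball, and the flagged file still being plain text) and the one drumming_cat's report calls for (color.install no longer opening as text), written out as an added shell example. This is not code from the thread or from the Drupal project. It assumes two already-extracted trees whose paths are placeholders: the installation the scanner complained about and a freshly downloaded, freshly extracted drupal-6.13. A file the scanner has already quarantined shows up as MISSING rather than as a comparison.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check files an AV product flagged
# in an extracted Drupal tree against a freshly downloaded and extracted copy.
# Assumed layout (placeholders): /var/www/drupal is the tree the scanner
# complained about, /tmp/drupal-6.13 a newly extracted drupal-6.13 tarball.

# Byte-level "does this look like compiled code?" test. PHP/XHTML source never
# contains NUL or the control bytes 0x01-0x08, 0x0B, 0x0C, 0x0E-0x1F; executables
# and packed malware almost always do. Returns 0 (true) when such bytes exist.
# High-bit bytes are allowed so UTF-8 text is not misreported.
looks_binary() {
    n=$(od -An -v -tx1 "$1" | tr -s ' \n' '\n\n' \
        | grep -c -E '^(0[0-8bce-f]|1[0-9a-f])$' || true)
    [ "${n:-0}" -gt 0 ]
}

# Digest helper: SHA-256 where a tool for it exists, otherwise the POSIX cksum CRC.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1,2
    fi
}

# check_flagged INSTALLED FRESH FILE... : prints one line per file and returns
# non-zero if any flagged file is missing, looks binary, or differs from the
# fresh copy. Identical content in both trees is strong evidence of a false
# positive; a byte-for-byte difference or a binary blob is not.
check_flagged() {
    installed=$1; fresh=$2; shift 2
    rc=0
    for rel in "$@"; do
        a="$installed/$rel"; b="$fresh/$rel"
        if [ ! -f "$a" ]; then
            echo "MISSING  $rel (quarantined or deleted?)"; rc=1; continue
        fi
        if looks_binary "$a"; then
            echo "BINARY   $rel (not plain text: investigate)"; rc=1; continue
        fi
        if [ -f "$b" ] && [ "$(digest "$a")" = "$(digest "$b")" ]; then
            echo "MATCH    $rel (identical to fresh download)"
        else
            echo "DIFFERS  $rel (compare with: diff \"$a\" \"$b\")"; rc=1
        fi
    done
    return $rc
}

# Usage with the three files named in this thread (paths are assumptions):
# check_flagged /var/www/drupal /tmp/drupal-6.13 \
#     modules/color/color.install \
#     modules/profile/profile-wrapper.tpl.php \
#     modules/translation/translation.module
```

Run it before disabling the scanner or re-uploading files: a MATCH against a fresh download from drupal.org says the scanner's pattern is wrong, while BINARY or DIFFERS means the local copy has been changed by something and deserves a closer look than "it must be a false positive".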

Has anyone officially contacted Trend Micro?

bestknight - July 12, 2009 - 08:42

Has anyone from the Drupal team (maybe someone from the security team?) officially contacted Trend Micro / protested about this false alarm?

=-=

VM - July 12, 2009 - 18:25

I'd be curious whether downloading other PHP scripts produces the same issue before anyone from Drupal becomes involved. If it's PHP across the board, these users' machines could already be infected with something that is wreaking havoc on PHP files of some sort.

Other Scripts - Negative

yt2s - July 13, 2009 - 02:36

I've had the same issues as described above. Additionally, I keep previous versions archived. Today Trend Micro ran a scan and removed ALL of the .tar.gz files from my hard drive. I think I had every version of 6, but I know I had 6.5-6.13 stored locally, and they're all gone.

On the suggestion of VeryMisunderstood above, I downloaded some other OS/CMS scripts, as well as Drupal again:

  • cmsmadesimple
  • joomla
  • mediawiki
  • modx
  • pixelpost
  • textpattern
  • typo3
  • wordpress
  • ...and...
  • drupal-5.19
  • drupal-6.13

I ran Trend Micro on every one of them. The Drupal packages were the only ones that TM flagged and quarantined. The results were as follows:

  File: color.install (drupal-5-19.tar.gz)
  Threat name: BKDR_IRCBOT.BZQ

  File: color.install (drupal-6.13.tar.gz)
  Threat name: BKDR_IRCBOT.BZQ

  File: profile-wrapper.tpl.php (drupal-6.13.tar.gz)
  Threat name: TROJ_SWIZZOR.KXV

  File: translation.module (drupal-6.13.tar.gz)
  Threat name: TROJ_FRAUDLO.LL

The three names (BKDR_IRCBOT.BZQ, TROJ_SWIZZOR.KXV, TROJ_FRAUDLO.LL) are in TM's July 08, 2009 Pattern Release. They do not appear to be in the Feb 09 pattern release. I am bamboozled as to why TM is snagging only Drupal files. I would be very curious to know if any other AV software brands are snagging Drupal files as well. Since this TM pattern release is only a few days old, would it make sense that other AVs may soon be rolling out new pattern releases which would affect Drupal as well?

Oh yeah, I almost forgot the part that made me get that "not so good feeling in my stomach": TM quarantined the files out of my testing server as well as ALL Drupal site backup zips on the drive.

Could this be a Drupal problem, or do you think it is indeed a Trend Micro problem?

Thoughts?

YT2S

=-=

VM - July 13, 2009 - 03:05

For example: profile-wrapper.tpl.php only contains XHTML. Why it would be picked up as a virus doesn't make sense.


Drupal is a registered trademark of Dries Buytaert.