Maybe infection

Hello,

Today two of my servers sent an email from the clamscan cron job; it says that certbot (Let's Encrypt) is infected.

See for yourself:

/snap/certbot/1582/lib/python3.8/site-packages/pip/_vendor/distlib/t32.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1582/lib/python3.8/site-packages/pip/_vendor/distlib/t64.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1582/lib/python3.8/site-packages/pip/_vendor/distlib/w32.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1582/lib/python3.8/site-packages/pip/_vendor/distlib/w64.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/t32.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/t64.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/w32.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/w64-arm.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/w64.exe: Win.Malware.Generic-9937882-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8605152
Engine version: 0.103.5
Scanned directories: 71354
Scanned files: 385802
Infected files: 10
Total errors: 18771
Data scanned: 30559.83 MB
Data read: 252197.83 MB (ratio 0.12:1)
Time: 5770.730 sec (96 m 10 s)
Start Date: 2022:01:31 02:00:02
End Date: 2022:01:31 03:36:12

Is it true?

I don’t know where I need to write this. Can somebody help, please?

Thanks, Arnaud

It’s likely a false positive, but you can ask ClamAV to review it here, and the store listing shows the primary contact to be their GitHub Issues tracker, so it’s likely worth getting in touch with them directly too.

Thank you for this information.

I saw afterwards that it was an old certbot version; a new one is already installed without any ClamAV alert, so I removed the old version from the servers.

Thanks

FYI - related thread on clamav-users list, looks like it was an error: https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51536.html

Cheers, Just
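Added example, not part of the thread or of ClamAV or certbot: a short Python triage helper that groups a clamscan report like the one above by signature and snap revision, so a suspected false positive can be reported with a concise list of affected files. The function name `triage` and the sample report are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in clamscan's "<path>: <signature> FOUND" format,
# shortened from the report quoted in this thread.
SAMPLE = """\
/snap/certbot/1582/lib/python3.8/site-packages/pip/_vendor/distlib/t32.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1582/lib/python3.8/site-packages/pip/_vendor/distlib/w64.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/t32.exe: Win.Malware.Generic-9937882-0 FOUND
/snap/certbot/1670/lib/python3.8/site-packages/pip/_vendor/distlib/t64-arm.exe: Win.Malware.Generic-9937882-0 FOUND
/home/user/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 4
"""

HIT = re.compile(r"^(?P<path>/.+): (?P<sig>\S+) FOUND$")
SNAP = re.compile(r"^/snap/(?P<name>[^/]+)/(?P<rev>[^/]+)/(?P<rel>.+)$")
SUMMARY = re.compile(r"^Infected files: (\d+)$")

def triage(report):
    """Group FOUND lines by signature, then by (snap name, revision)."""
    by_sig = defaultdict(lambda: defaultdict(list))
    hits, declared = 0, None
    for line in report.splitlines():
        line = line.strip()
        m = HIT.match(line)
        if m:
            hits += 1
            s = SNAP.match(m["path"])
            key = (s["name"], s["rev"]) if s else ("(not a snap)", "-")
            rel = s["rel"] if s else m["path"]
            by_sig[m["sig"]][key].append(rel)
            continue
        m = SUMMARY.match(line)
        if m:  # cross-check against clamscan's own count
            declared = int(m.group(1))
    sigs = {sig: {k: sorted(v) for k, v in revs.items()} for sig, revs in by_sig.items()}
    return {"hits": hits, "matches_summary": declared == hits, "signatures": sigs}

if __name__ == "__main__":
    print(triage(SAMPLE))
```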