alohahelo

Suspicious files related to Eddie

Hello, friends.

I am investigating an intrusion. Some anti-rootkit solutions for Linux mention that these files from hybrid-analysis are suspicious.

However, when I analyze them in VirusTotal, the name “Eddie” appears. Does this mean that it is related to the Eddie client, or should I investigate further?

Thank you very much for responding to my security concerns!

1. https://hybrid-analysis.com/sample/2d877bed6f13810bc024cb5d53651d2c792f2047e1e2ccb6cea58b67460d418e

2. https://hybrid-analysis.com/sample/80a0e1625ed38e108e70708d119b58c8a3e94c448557922faaa6476830fd3739

3. https://hybrid-analysis.com/sample/9f33b6fa29396ef1e46082238076e61ef0064892dd84f008608abd09fa48b20a

I'm going to publish some domains that the aforementioned files link to, apparently related to Eddie (I don't know, I need more information).


canonical-bos01.cdn.snapcraftcontent.com
dashboard.snapcraft.io
snapcraft.io
api.snapcraft.io
birthpopuptypesapplyimagebeinguppernoteseveryshowsmeansextramatchtrackknownearlybegansuperpapernorthlearngivennamedendedtermspartsgroupbrandusingwomanfalsereadyaudiotakeswhile.com
thing.org/multiheardpowerstandtokensolid
genretrucklooksvalueframe.net
http://bugs.freedesktop.org/enter_bug.cgi?product=cairo
http://cairographics.org
x.org
http://www.winimage.com/zlibdll
www.winimage.com
data.rel.ro

Eddie is built on Mono, so Mono libraries are necessary. Now the question is whether you looked at Eddie Portable or the installed one, because only the portable one ships those .so files itself. The installed one uses the system ones provided by differently named packages. That "suspicious" libmonoposixhelper.so is in mono-runtime-common in Ubuntu, for example.

For the links you posted, snapcraft.io is the homepage for Canonical's container format, Snap, and Cairo is a rendering API. That excessively long domain exceeds the maximum domain name length, some of the domains are nonexistent, and data.rel.ro is not a domain but probably references Relocation Read-Only, or relro for short, a security thing used in linkers like GNU ld, falsely labeled a domain, as there is a section in the binary file created by it called .data.rel.ro.

In my eyes, if you downloaded Ubuntu from ubuntu.com, you get your package updates from archive.ubuntu.com and you downloaded Eddie from eddie.website, there is zero chance you're dealing with some intrusion or other. More likely, that Hybrid Analysis toolkit is massively spooking you…


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.
