Bug#981912: libsdes4j-java: provoked IDS to block download thinking it's Unix.Trojan.Chalubo

Martin Dorey HNAS-US-noreply at hitachivantara.com
Fri Feb 5 01:46:46 GMT 2021


Package: libsdes4j-java
Version: 1.1.4-1.1
Severity: normal

Dear Maintainer,

This isn't a bug in the package, just a warning about a problem getting the package.
Our debmirror job has been failing:

 Download of pool/main/s/sdes4j/libsdes4j-java-doc_1.1.4-1.1_all.deb failed: 500 Status read failed: Connection reset by peer
 Download of pool/main/s/sdes4j/libsdes4j-java_1.1.4-1.1_all.deb failed: 500 Status read failed: Connection reset by peer

And our intrusion detection system (name and vendor unknown to me) has been firing off alerts like:

Total Alerts in Database:  3058

Last Email Time: 2021-02-03 17:20:02
Current Time:    2021-02-03 17:25:02

Total New Alerts: 1
Filter Matching : 1

+--------------------------------------------------------------------+
Alerts (shown: 1/available: 1) (limit: 50)
+--------------------------------------------------------------------+
Device : <elided>
Timestamp        : 2021-02-03 17:23:16
Protocol         : tcp
Alert Message    : MALWARE-CNC Unix.Trojan.Chalubo downloader connection (1:48281:3)
Session          : <elided>:37596 -> 64.50.233.100:80

[*] 0 more events originated from this Source IP

+---------------------------------------+
| Destination Port          Count
+---------------------------------------+
               80              1

+---------------------------------------+
|       Source IP          Count
+---------------------------------------+

         <elided>              1

Experimenting with manual downloads of e.g. http://google.com/libsdes suggests that any URL containing libsdes is blocked.
Using https appears to be a workaround.


-- System Information:
Debian Release: 9.12
  APT prefers oldstable-updates
  APT policy: (990, 'oldstable-updates'), (990, 'oldstable'), (500, 'oldstable-debug'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-12-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libsdes4j-java depends on:
ii  libcommons-codec-java  1.10-1

libsdes4j-java recommends no packages.

Versions of packages libsdes4j-java suggests:
pn  libsdes4j-java-doc  <none>
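As an added example, not part of the report or of any IDS product: a small Python triage helper that parses the alert block quoted above into its gid:sid:rev and peer, flags which failed debmirror downloads fit the reporter's hypothesis (plain-HTTP path containing "libsdes" gets reset), and renders a Snort-style suppression entry scoped to the mirror's IP. The Snort threshold.conf syntax and the "libsdes" trigger substring are assumptions taken from the SID format and the reporter's experiment, not from the rule itself.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the IDS alert mail quoted in the report
# (device and source host elided, as in the original).
ALERT_MAIL = """\
Device : <elided>
Timestamp        : 2021-02-03 17:23:16
Protocol         : tcp
Alert Message    : MALWARE-CNC Unix.Trojan.Chalubo downloader connection (1:48281:3)
Session          : <elided>:37596 -> 64.50.233.100:80
"""
# Constructed debmirror failure lines, same shape as the ones in the report.
MIRROR_LOG = """\
 Download of pool/main/s/sdes4j/libsdes4j-java-doc_1.1.4-1.1_all.deb failed: 500 Status read failed: Connection reset by peer
 Download of pool/main/s/sdes4j/libsdes4j-java_1.1.4-1.1_all.deb failed: 500 Status read failed: Connection reset by peer
"""

@dataclass
class Alert:
    message: str   # rule text without the trailing (gid:sid:rev)
    gid: int
    sid: int
    rev: int
    dst_ip: str
    dst_port: int

FIELD_RE = re.compile(r"^(\w[\w ]*?)\s*:\s*(.*)$", re.M)
SIG_RE = re.compile(r"\s*\((\d+):(\d+):(\d+)\)\s*$")
SESSION_RE = re.compile(r"^(.*):(\d+) -> ([\d.]+):(\d+)$")
FAIL_RE = re.compile(r"Download of (\S+) failed: (.*)$", re.M)

def parse_alert(text: str) -> Alert:
    """Pull the signature ids and the peer out of one alert block."""
    f = {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}
    m = SIG_RE.search(f["Alert Message"])
    gid, sid, rev = (int(x) for x in m.groups())
    _src, _sport, dst_ip, dst_port = SESSION_RE.match(f["Session"]).groups()
    return Alert(f["Alert Message"][: m.start()], gid, sid, rev, dst_ip, int(dst_port))

def suspect_failures(log: str, scheme: str, trigger: str = "libsdes") -> list:
    """Flag failed downloads consistent with the report's hypothesis: a
    plaintext-HTTP request whose path contains the trigger gets reset."""
    return [(path, scheme == "http" and trigger in path and "Connection reset" in why)
            for path, why in FAIL_RE.findall(log)]

def suppression_line(alert: Alert) -> str:
    """Snort-style threshold.conf entry (assumes a Snort-compatible engine)
    that silences this one SID only for traffic to the trusted mirror."""
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track by_dst, ip {alert.dst_ip}"
```

Running `suspect_failures(MIRROR_LOG, "https")` flags nothing, which is the same conclusion the reporter reached by switching the mirror to https.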


