HFS2 triggering a lot of false positives on VirusTotal #42

Open
greatwolf opened this issue Jan 3, 2024 · 8 comments

Comments

@greatwolf

A recent scan is triggering 16 different AV: https://www.virustotal.com/gui/file/42d14f9efe83cd9d695d0796232bd6e12d276c1262b6cf39d31cfcf64e128f11/detection


Can anything be done about this?

@rejetto
Owner

rejetto commented Jan 3, 2024

It seems that HFS has been used as a tool inside malicious activities, so several AV are considering it a possible clue of such activity.
They don't know/care that YOU downloaded it for YOUR purpose.

I guess that one possible thing to do is that people report it as a false risk.

btw, did you consider HFS3 ?

@greatwolf
Author

Yeah, I'm currently trying HFS3 out too. I just don't like how much bigger it is compared to HFS2 because of the use of node.js.

@rejetto
Owner

rejetto commented Jan 4, 2024

I see.
Just for sake of information, the server itself is 2.5 MB, of which more than half (1.5 MB) is the administration gui, the rest is node.

@Ptit-Philou

I suggest to stop using HFS 2, as it can be easily hacked and you might lose your data and computer...
I reported an issue, as my server has been attacked: I was lucky not to lose files and control.
Just stop using HFS 2: HFS 3 works fine, even if node.js is fat... :-)

@DRSDavidSoft

@Ptit-Philou Same, I was lucky I didn't lose any files! Russian m****rs installed keyloggers and RATs through HFS on two of my servers that were running HFS2. This could have ended much, much worse due to the fact that by default Windows Server comes with the Administrator account. I should have created a lower privilege account for HFS. Lesson learned the hard way! 😄
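The "lower privilege account" lesson above, as an added example that is not part of the thread or of the HFS project: a PowerShell hardening script that creates a dedicated standard user, restricts what that user can write, and runs HFS under it instead of under Administrator. It assumes HFS is installed at C:\HFS with the served directory at C:\HFS\share; the account name hfs-svc is arbitrary.

```powershell
# Added example (not from the thread or the HFS project). Run elevated once.
# Assumed layout: C:\HFS\hfs.exe is the server, C:\HFS\share is what it serves.
$svcUser  = 'hfs-svc'          # assumed name for the dedicated account
$hfsDir   = 'C:\HFS'
$shareDir = 'C:\HFS\share'

# 1. A local account that is a member of Users only, never Administrators.
$securePw = Read-Host -AsSecureString "Password for $svcUser"
New-LocalUser -Name $svcUser -Password $securePw `
    -Description 'Dedicated low-privilege account for HFS' `
    -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $svcUser

# 2. Filesystem ACLs: the account may read/execute the HFS install and only
#    read the shared folder, so a compromised HFS cannot drop or modify files.
icacls $hfsDir   /inheritance:r /grant:r 'Administrators:(OI)(CI)F' `
    'SYSTEM:(OI)(CI)F' "${svcUser}:(OI)(CI)RX" | Out-Null
icacls $shareDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' `
    'SYSTEM:(OI)(CI)F' "${svcUser}:(OI)(CI)R" | Out-Null

# 3. Start HFS at boot as that user with a Limited (non-elevated) token, so
#    anything it spawns inherits the restricted account rather than admin.
$plainPw  = [System.Net.NetworkCredential]::new('', $securePw).Password
$action   = New-ScheduledTaskAction -Execute "$hfsDir\hfs.exe" -WorkingDirectory $hfsDir
$trigger  = New-ScheduledTaskTrigger -AtStartup
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)  # no 3-day kill
Register-ScheduledTask -TaskName 'HFS' -Action $action -Trigger $trigger `
    -Settings $settings -User $svcUser -Password $plainPw -RunLevel Limited | Out-Null
$plainPw = $null

# 4. Quick check: the task should run as hfs-svc, and hfs-svc must not be an admin.
Get-ScheduledTask -TaskName 'HFS' | Select-Object TaskName, @{n='RunAs';e={$_.Principal.UserId}}
if (Get-LocalGroupMember -Group 'Administrators' -Member $svcUser -ErrorAction SilentlyContinue) {
    Write-Warning "$svcUser is in Administrators; remove it before exposing HFS."
}
```

The read-only ACL on the share means uploads must be explicitly granted on a separate writable subfolder if you need them; everything else HFS writes (logs, config) has to live somewhere the account can write, so adjust the paths to your install.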

@DRSDavidSoft

It appears the installed malware were a variety of these:

We're VERY lucky that the files weren't affected or damaged! Hopefully (at least as it appears) the hackers only resorted to installing the RAT and these stealers on the server. We should ALL nuke the affected Windows machines and re-install everything from scratch. Backup everything.

@Ptit-Philou

Not sure about Russia: it could come from Asia too... ;-)

@DRSDavidSoft

I saw Chinese IPs in logs as well, but the successful infection is/was communicating with Russian-based web hosting. The attackers themselves might reside in other Cyrillic-speaking countries. In my experience, Chinese hackers usually use outdated/well-known attack vectors but Russian ones use bleeding edge exploits. 🤷🏻 Ah well, doesn't really matter where it came from, the important thing is that we were lucky that the files weren't damaged. We can always change leaked/compromised security keys and APIs later.
