# apr-util Xml.Exploit.CVE_2013_3860-3 FOUND

## Zebbeman

Hello,

When I run clamscan on a new dev server I get a positive:

```
~ # clamscan /usr/portage/distfiles/apr-util-1.5.4.tar.bz2
/usr/portage/distfiles/apr-util-1.5.4.tar.bz2: Xml.Exploit.CVE_2013_3860-3 FOUND
```

Then I did:

```
~ # equery check apr-util
* Checking dev-libs/apr-util-1.5.4 ...
   57 out of 57 files passed
```

I also get this from chkrootkit:

```
~ # chkrootkit -q
fopen: No such file or directory
/bin/ls: cannot access write: No such file or directory
Possible Linux/Ebury - Operation Windigo installetd
Warning: Possible Slapper Worm installed (25851/sshd)
```

I found that ssh was checked with the old behavior of ssh -G regarding Linux/Ebury so I am guessing that is okay.

What do I do next? Am I infected?

----------

## Apheus

Seems to be just a unit test in the apr-util distfile, designed to test for exactly that vulnerability:

https://www.reddit.com/r/sysadmin/comments/4tx2ao/clamav_found_billionlaughsxml_exploit_cve_2013/

Edit: The chkrootkit outputs about Ebury and Slapper are completely unrelated, /me thinks. You should check them independently of the apr-util distfile.

----------
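
One way to check which member of a source tarball a hit like this comes from, as an added example that is not part of the thread and is not apr-util's or ClamAV's code: it reads each archive member in memory and flags XML whose entity definitions reference other entities. The regex heuristic, the function names and the sample archive are assumptions constructed here; the heuristic is not ClamAV's signature logic.

```python
import io
import re
import tarfile

# Heuristic (assumption): an internal entity whose replacement text references
# another declared entity, the shape of an entity-expansion test document.
ENTITY_DECL = re.compile(rb'<!ENTITY\s+(?:%\s+)?([\w.:-]+)\s+(["\'])(.*?)\2', re.S)
ENTITY_REF = re.compile(rb'&([\w.:-]+);')
MAX_MEMBER_BYTES = 1 << 20  # inspect at most the first 1 MiB of each member

# Constructed sample input: a tiny, harmless nested-entity document.
SAMPLE_XML = (b'<?xml version="1.0"?>\n<!DOCTYPE t [\n'
              b' <!ENTITY a "x">\n <!ENTITY b "&a;&a;">\n <!ENTITY c "&b;&b;">\n'
              b']>\n<t>&c;</t>\n')

def nested_entity_count(data: bytes) -> int:
    """Count entity declarations whose value references a declared entity."""
    decls = {m.group(1): m.group(3) for m in ENTITY_DECL.finditer(data)}
    return sum(1 for value in decls.values()
               if any(ref in decls for ref in ENTITY_REF.findall(value)))

def find_entity_expansion_members(archive, min_nested: int = 2):
    """Return [(member_name, nested_count)] for regular files in a tarball.

    `archive` is a path or a binary file object; nothing is written to disk.
    """
    kwargs = {"name": archive} if isinstance(archive, str) else {"fileobj": archive}
    hits = []
    with tarfile.open(mode="r:*", **kwargs) as tar:
        for member in (m for m in tar if m.isfile()):
            data = tar.extractfile(member).read(MAX_MEMBER_BYTES)
            count = nested_entity_count(data)
            if count >= min_nested:
                hits.append((member.name, count))
    return hits

def build_sample_tarball() -> io.BytesIO:
    """Constructed sample archive: one plain file and one nested-entity XML."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, body in [("pkg-1.0/README", b"plain text\n"),
                           ("pkg-1.0/test/data/nested.xml", SAMPLE_XML)]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(find_entity_expansion_members(build_sample_tarball()))
```

A hit whose path sits under a test or data directory of the source tree is consistent with a test fixture; passing the path of a real distfile instead of the sample archive lists its matching members the same way.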

## Zebbeman

Thanks for your quick reply!

I saw that article and got stuck with Xml.Exploit.CVE_2013_3860-1 vs. Xml.Exploit.CVE_2013_3860-3 and was not sure it was the same (1 vs. 3). I could not identify slapper and I have checked ebury in every way with no trace of actual infection so I guess I am still partly concerned.

I will keep this open a while longer to see if anyone has any additional input.

Thanks!

----------

