This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

/usr/local/bin/dataupload.plx, what is it and what is it doing?

What is /usr/local/bin/dataupload.plx doing and why?

 

I noticed an unexpected email from my UTM software appliance (home use).

Current software version...: 9.703003
# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall. # (- installed on Mon Aug 24 20:36:33 2020) # (Cron version V5.0 -- $Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $) 0 1 * * * /usr/local/bin/dataupload.plx > /dev/null #
# ls -l /usr/local/bin/dataupload.plx
-rwxr-xr-x 1 root root 93292 Aug 24 21:39 /usr/local/bin/dataupload.plx

 

I almost certainly would not have noticed this had standard error been redirected too.

 

A few notes:

u2d-ohelp9-9.1086 ?

/var/log/webadmin/*/*/*

/tmp/*/*.eip & /tmp/*/*.tar.gz

ip addresses, what more?

upload to something fronted by cloudfront?

 

 

Edit:  Note, incomplete answers will not be considered as an accepted answer.  Details on what the plx is doing, why it is doing so and why this appears to have been silently rolled out are not insignificant to the post.  Further questions in the replies are also important.



This thread was automatically locked due to age.
  • Do you have the SophosLabs feedback option enabled?  Probably part of that.  You can find this setting under Management/System Settings/Scan Settings tab.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • "Send suspicious content to SophosLabs for analysis" is not enabled.

     

  • Hello - I am a Sophos UTM home user as well and I received the same email. I have used the same UTM software for many years now and this is the first time I have seen this message. Can't help but think the worst ... is this a 0-day exploit attempt? 

    Firmware version 9.702-1

     

    Cron <root@utm> /usr/local/bin/dataupload.plx > /dev/null

    I noticed dataupload.plx is an ELF binary file that was created on August 24th @ 20:39 

    Please let me know what is going on here. 

     

     
  • Hi all, 

    Please don't be alarmed, this script was part of a Sophos-issued update and the purpose was to collect additional telemetry for SophosLabs. This was not an attack on SG UTM, and the cronjob is expected. 

  • What data is collected?  Where is later processed and stored?

    Where does one opt-out of this collection?  (or depending on where someone is: where is the opt-in?)

    Why was it distributed as an ohelp update and not in another form?

  • Same here. Got this mail now second time (yesterday and today) from two UTM-Instances.

  • Me to, sadly. But, mail wasn't sent to sophos, my mailservers intercepted them. No good luck for sophos, sorry. Nice idea, sadly failed :-) Many black heads are more clever!

    By the way, I think sophos (in former times Astaro fw) is a European company. I.e., up to 12/31/2021 ... when Great Britain should pffer the papers how they want to leave the controlled. So far the

    REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02016R0679-20160504

    acutally should also apply to Sophos as (yet) European company.

    Furthermore I don't think it's a good idea of a secrutiy equipment manufacturer to slip the users a silent, not agreed data collection, not to inform about it and not to build-in a switch where you can disable it.

    I'm totally disappointed from sophos, good products back or forth. That's not a confidenc-building measure, sorry!

    Greetinx

    moose


  • Same thing happened to me this morning.  None of the emails will get back to Sophos, because of the way our mail is routed, but that's not really the point is it?

    This product prides itself on providing security - it should not circumvent that security because the developer of the product wants statistics, without...

     

    a) Informing the customer this is happening

    b) giving the customer the option to opt out.

     

    Come on guys - sort it out!

  • so do I take it from this undeliverable email that the script doesn't work

     

    To: root
    Cc: 
    Bcc: 
    Date: Wed, 26 Aug 2020 01:00:03 +0100 (BST)
    Subject: Cron <root@another> /usr/local/bin/dataupload.plx > /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed

      0   158    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    158   158    0     0  158   158      0    400 --:--:-- --:--:-- --:--:--  1717

  • What I do not understand, why this is suddenly occurring now, because I am not using the latest version of the UTM at all. Didn't update since many month.