Re: Blu-ray Debian .jigdo's...
On Wed, Dec 14, 2011 at 11:04:00PM +0000, David Scott wrote:
>Sorry about the delay.
>
>I've attached a copy of the relevant logs from Kaspersky; having
>downloaded the two BD rom sets, highlighting the suspect packages.
>
>I was using the http://mirror.ox.ac.uk/debian/ mirror.
...
>14/12/2011 01:05:07 WGET.EXE Web Anti-Virus Detected: Trojan-Downloader.BAT.Ftp.z http://mirror.ox.ac.uk/debian/pool/main/n/nepenthes/nepenthes_0.2.2-6_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/nepenthes/README.VFS
>14/12/2011 01:08:25 WGET.EXE Web Anti-Virus Detected: Exploit.HTML.Iframe.FileDownload http://mirror.ox.ac.uk/debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>14/12/2011 05:53:10 WGET.EXE Web Anti-Virus Detected: Exploit.HTML.Iframe.FileDownload http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>14/12/2011 07:49:23 WGET.EXE Web Anti-Virus Detected: Backdoor.PHP.WebShell.ao http://mirror.ox.ac.uk/debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php
>14/12/2011 09:14:37 WGET.EXE Web Anti-Virus Detected: Exploit.HTML.Iframe.FileDownload http://mirror.ox.ac.uk/debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>14/12/2011 09:14:45 WGET.EXE Web Anti-Virus Detected: Exploit.HTML.Iframe.FileDownload http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>14/12/2011 10:54:56 WGET.EXE Web Anti-Virus Detected: Exploit.HTML.Iframe.FileDownload http://mirror.ox.ac.uk/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg
>14/12/2011 11:04:37 WGET.EXE Web Anti-Virus Detected: Backdoor.PHP.WebShell.ao http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php
>14/12/2011 11:04:38 WGET.EXE Web Anti-Virus Detected: Exploit.HTML.Iframe.FileDownload http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg
The first one looks very much like a false positive. The others look
like (repeated, in some cases?) explicit examples of malware in the
Debian packages, used for self-testing by scanners by the looks of it.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"I suspect most samba developers are already technically insane... Of
course, since many of them are Australians, you can't tell." -- Linus Torvalds
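As an added example, not part of this thread and not Debian's own tooling, here is the check a reader could run on one of the flagged .deb files before deciding between "packaged test sample" and "tampered mirror": unpack the ar container and its data.tar.* to see exactly which path the scanner matched and what that file contains, then compare the .deb's SHA256 against the value recorded for it in the mirror's signed Packages index (the index hash is passed in as a parameter here; obtaining and signature-checking the index is outside the script). The .deb is constructed in memory with placeholder contents so the script runs offline; build_deb, parse_ar, data_members and matches_index are names chosen for this example.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample: a minimal .deb assembled in memory so the checks run
# offline. A real .deb is an ar archive holding debian-binary, control.tar.*
# and data.tar.*; this one carries a dummy control.tar.gz and a data.tar.gz
# containing the path the scanner flagged in the thread.

def _ar_member(name, data):
    """Encode one ar member: 60-byte header, data, padded to even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")

def _targz(entries):
    """Pack a {path: bytes} mapping into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in entries.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_deb(data_files):
    """Assemble a syntactically valid format-2.0 .deb from {path: bytes}."""
    control = _targz({"./control": b"Package: sample\nVersion: 0\nArchitecture: all\n"})
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.gz", _targz(data_files)))

def parse_ar(blob):
    """Return ar members as an ordered {name: bytes} dict, validating magic and headers."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad ar member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        if start + size > len(blob):
            raise ValueError("truncated ar member")
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # members are padded to even offsets
    return members

def data_members(deb_blob):
    """Open data.tar.* of a .deb and return {path: bytes} for its regular files."""
    members = parse_ar(deb_blob)
    if next(iter(members), None) != "debian-binary" or members["debian-binary"].strip() != b"2.0":
        raise ValueError("not a Debian binary package (format 2.0)")
    data_name = next((n for n in members if n.startswith("data.tar")), None)
    if data_name is None:
        raise ValueError("no data.tar member")
    out = {}
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = tf.extractfile(m).read()
    return out

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

def matches_index(deb_blob, index_sha256):
    """True if the .deb hashes to the SHA256 the (signed) Packages index records for it."""
    return hmac.compare_digest(sha256_hex(deb_blob), index_sha256)

if __name__ == "__main__":
    flagged = "./usr/share/doc/nepenthes/README.VFS"   # path from the scanner log above
    deb = build_deb({flagged: b"constructed placeholder text\n",
                     "./usr/share/doc/nepenthes/copyright": b"placeholder\n"})
    files = data_members(deb)
    print("flagged path present:", flagged in files)
    print("flagged file bytes:", files.get(flagged))
    # In real use the second argument is the SHA256 field of the package's
    # stanza in the Packages index; here the .deb's own hash stands in for it.
    print("matches index:", matches_index(deb, sha256_hex(deb)))
```

If the hash matches the signed index, the flagged path is what Debian shipped and the question becomes whether that file is a deliberate sample (as the reply suggests for the sqlmap shell and the milter/MIME test messages) or a signature misfire on ordinary text; if it does not match, the mirror copy, not the scanner, is the problem.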