
Re: Blu-ray Debian .jigdo's...



On Wed, Dec 14, 2011 at 11:04:00PM +0000, David Scott wrote:
>Sorry about the delay.
>
>I've attached a copy of the relevant logs from Kaspersky; having
>downloaded the two BD rom sets, highlighting the suspect packages.
>
>I was using the http://mirror.ox.ac.uk/debian/ mirror.

...

>14/12/2011 01:05:07	WGET.EXE	Web Anti-Virus	Detected: Trojan-Downloader.BAT.Ftp.z			http://mirror.ox.ac.uk/debian/pool/main/n/nepenthes/nepenthes_0.2.2-6_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/nepenthes/README.VFS		
>14/12/2011 01:08:25	WGET.EXE	Web Anti-Virus	Detected: Exploit.HTML.Iframe.FileDownload			http://mirror.ox.ac.uk/debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey		
>14/12/2011 05:53:10	WGET.EXE	Web Anti-Virus	Detected: Exploit.HTML.Iframe.FileDownload			http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey		
>14/12/2011 07:49:23	WGET.EXE	Web Anti-Virus	Detected: Backdoor.PHP.WebShell.ao			http://mirror.ox.ac.uk/debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php		
>14/12/2011 09:14:37	WGET.EXE	Web Anti-Virus	Detected: Exploit.HTML.Iframe.FileDownload			http://mirror.ox.ac.uk/debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey		
>14/12/2011 09:14:45	WGET.EXE	Web Anti-Virus	Detected: Exploit.HTML.Iframe.FileDownload			http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey		
>14/12/2011 10:54:56	WGET.EXE	Web Anti-Virus	Detected: Exploit.HTML.Iframe.FileDownload			http://mirror.ox.ac.uk/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg		
>14/12/2011 11:04:37	WGET.EXE	Web Anti-Virus	Detected: Backdoor.PHP.WebShell.ao			http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php		
>14/12/2011 11:04:38	WGET.EXE	Web Anti-Virus	Detected: Exploit.HTML.Iframe.FileDownload			http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg		

The first one looks very much like a false positive. The others look
like (repeated, in some cases?) explicit examples of malware in the
Debian packages, used for self-testing by scanners by the looks of it.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds
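A small triage helper for logs of the shape quoted above, added here as an example (it is not from the thread or from Debian): it pulls the package, version and in-package member path out of each Kaspersky line and records which mirrors reported the identical member, so a hit that recurs unchanged across independent mirrors reads as something the package ships rather than something one mirror altered. The /usr/share/doc classification is my own heuristic, not the thread's.

```python
import re
from collections import defaultdict

# Copied from the Kaspersky Web Anti-Virus log quoted in the thread (tab-separated;
# the URL ends with the nested member path inside the .deb as the scanner reports it).
LOG_LINES = [
    "14/12/2011 01:05:07\tWGET.EXE\tWeb Anti-Virus\tDetected: Trojan-Downloader.BAT.Ftp.z\t\t\t"
    "http://mirror.ox.ac.uk/debian/pool/main/n/nepenthes/nepenthes_0.2.2-6_amd64.deb"
    "//data.tar.gz//data.tar//./usr/share/doc/nepenthes/README.VFS\t\t",
    "14/12/2011 07:49:23\tWGET.EXE\tWeb Anti-Virus\tDetected: Backdoor.PHP.WebShell.ao\t\t\t"
    "http://mirror.ox.ac.uk/debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb"
    "//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php\t\t",
    "14/12/2011 11:04:37\tWGET.EXE\tWeb Anti-Virus\tDetected: Backdoor.PHP.WebShell.ao\t\t\t"
    "http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb"
    "//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php\t\t",
    "14/12/2011 11:04:38\tWGET.EXE\tWeb Anti-Virus\tDetected: Exploit.HTML.Iframe.FileDownload\t\t\t"
    "http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/libm/libmime-explode-perl/"
    "libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/"
    "libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg\t\t",
]
# Debian binary package file name: name_version_arch.deb, followed by the scanner's '//' separator
DEB_RE = re.compile(r"/(?P<name>[^/_]+)_(?P<version>[^/_]+)_(?P<arch>[^/_]+)\.deb//")

def parse_detection(line):
    """Return the fields a triager needs from one log line: time, verdict, mirror, package, member path."""
    fields = line.rstrip("\n").split("\t")
    url = next(f for f in fields if f.startswith("http"))
    m = DEB_RE.search(url)
    if m is None:
        raise ValueError("no .deb in URL: " + url)
    # After '<pkg>.deb//' come the archive layers: data.tar.gz // data.tar // ./member[//nested ...]
    layers = url[m.end():].split("//")
    inner = "//".join(layers[2:])
    inner = inner[2:] if inner.startswith("./") else inner
    return {"time": fields[0], "verdict": fields[3].replace("Detected: ", "", 1),
            "mirror": url.split("/")[2], "package": m.group("name"),
            "version": m.group("version"), "inner_path": inner}

def triage(lines):
    """Parse all lines; per (package, version, member) record every mirror it was reported from."""
    seen_from = defaultdict(set)
    recs = [parse_detection(l) for l in lines]
    for r in recs:
        seen_from[(r["package"], r["version"], r["inner_path"])].add(r["mirror"])
    for r in recs:
        # Heuristic (assumption, not from the thread): /usr/share/doc holds shipped documentation
        # and examples; a hit anywhere else in the package is left for manual review.
        r["class"] = "doc-or-example" if r["inner_path"].startswith("usr/share/doc/") else "review"
        r["mirrors"] = sorted(seen_from[(r["package"], r["version"], r["inner_path"])])
    return recs
```

Confirming the .deb itself against the hash published in the archive's Packages index is the decisive check for a suspected mirror compromise; this helper only organises the scanner's own output.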

