On Wed, Dec 14, 2011 at 11:04:00PM +0000, David Scott wrote:
> Sorry about the delay.
>
> I've attached a copy of the relevant logs from Kaspersky; having
> downloaded the two BD rom sets, highlighting the suspect packages.
>
> I was using the http://mirror.ox.ac.uk/debian/ mirror.
...
> 14/12/2011 01:05:07 WGET.EXE Web Anti-Virus Detected:
> Trojan-Downloader.BAT.Ftp.z
> http://mirror.ox.ac.uk/debian/pool/main/n/nepenthes/nepenthes_0.2.2-6_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/nepenthes/README.VFS
>
> 14/12/2011 01:08:25 WGET.EXE Web Anti-Virus Detected:
> Exploit.HTML.Iframe.FileDownload
> http://mirror.ox.ac.uk/debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>
> 14/12/2011 05:53:10 WGET.EXE Web Anti-Virus Detected:
> Exploit.HTML.Iframe.FileDownload
> http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>
> 14/12/2011 07:49:23 WGET.EXE Web Anti-Virus Detected:
> Backdoor.PHP.WebShell.ao
> http://mirror.ox.ac.uk/debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php
>
> 14/12/2011 09:14:37 WGET.EXE Web Anti-Virus Detected:
> Exploit.HTML.Iframe.FileDownload
> http://mirror.ox.ac.uk/debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>
> 14/12/2011 09:14:45 WGET.EXE Web Anti-Virus Detected:
> Exploit.HTML.Iframe.FileDownload
> http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/p/pymilter-milters/python-milter-docs_0.8.13-5_all.deb//data.tar.gz//data.tar//./usr/share/doc/python-milter-docs/examples/honey
>
> 14/12/2011 10:54:56 WGET.EXE Web Anti-Virus Detected:
> Exploit.HTML.Iframe.FileDownload
> http://mirror.ox.ac.uk/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg
>
> 14/12/2011 11:04:37 WGET.EXE Web Anti-Virus Detected:
> Backdoor.PHP.WebShell.ao
> http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php
>
> 14/12/2011 11:04:38 WGET.EXE Web Anti-Virus Detected:
> Exploit.HTML.Iframe.FileDownload
> http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.38-2_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/libmime-explode-perl/examples/testmsgs/viraldoc.msg.gz//viraldoc.msg
>

The first one looks very much like a false positive. The others look like
(repeated, in some cases?) explicit examples of malware in the Debian
packages, used for self-testing by scanners by the looks of it.

-- 
Steve McIntyre, Cambridge, UK.                                [email protected]
"I suspect most samba developers are already technically insane...
 Of course, since many of them are Australians, you can't tell." -- Linus Torvalds

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
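A triage helper for the kind of log quoted above, added here as an example and not part of the thread or of any Debian tooling: it splits Kaspersky's nested-archive URL (the `//`-joined .deb, data.tar.gz, data.tar and member path) into package and member, collapses the same member reported from several mirrors into one entry, and flags members under /usr/share/doc/, where deliberately shipped scanner test samples usually live. The sample lines are constructed from three of the quoted entries, retyped one entry per line; the field layout and the "doc or example" heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed input: three of the quoted Kaspersky entries, one entry per line.
LOG = """\
14/12/2011 01:05:07 WGET.EXE Web Anti-Virus Detected: Trojan-Downloader.BAT.Ftp.z http://mirror.ox.ac.uk/debian/pool/main/n/nepenthes/nepenthes_0.2.2-6_amd64.deb//data.tar.gz//data.tar//./usr/share/doc/nepenthes/README.VFS
14/12/2011 07:49:23 WGET.EXE Web Anti-Virus Detected: Backdoor.PHP.WebShell.ao http://mirror.ox.ac.uk/debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php
14/12/2011 11:04:37 WGET.EXE Web Anti-Virus Detected: Backdoor.PHP.WebShell.ao http://us.cdimage.debian.org/cdimage/snapshot/Debian/pool/main/s/sqlmap/sqlmap_0.6.4-1_all.deb//data.tar.gz//data.tar//./usr/share/sqlmap/shell/backdoor.php
"""

# Assumed line layout: "<date> <time> <process> Web Anti-Virus Detected: <verdict> <url>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) Web Anti-Virus Detected: (\S+) (\S+)$")

def parse_detection(line):
    """Return (verdict, mirror host, .deb filename, member path inside the package).
    Kaspersky joins nested archive members with '//', so after the URL scheme the
    first segment is the .deb and the last segment is the member that matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _proc, verdict, url = m.groups()
    _scheme, rest = url.split("://", 1)
    segments = rest.split("//")
    host = segments[0].split("/", 1)[0]
    deb = segments[0].rsplit("/", 1)[-1]
    inner = segments[-1].lstrip("./")   # "./usr/share/..." -> "usr/share/..."
    return verdict, host, deb, inner

def triage(log_text):
    """Group hits by (package file, member, verdict) so the same file fetched from
    several mirrors shows once, with the list of mirrors it was seen on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_detection(line)
        if parsed:
            verdict, host, deb, inner = parsed
            hits[(deb, inner, verdict)].add(host)
    report = []
    for (deb, inner, verdict), hosts in sorted(hits.items()):
        package = deb.split("_", 1)[0]           # Debian name before the version
        report.append({"package": package, "member": inner, "verdict": verdict,
                       "mirrors": sorted(hosts),
                       "doc_or_example": inner.startswith("usr/share/doc/")})
    return report

if __name__ == "__main__":
    for entry in triage(LOG):
        print(entry)
```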

