Virus in the repository?

System installation and upgrade discussion
Board rules
We all know that newcomers are indeed inexperienced, like to complain and carry strong Windows habits, but since they come here to ask, it is our responsibility to help them solve their problems rather than pour cold water on them, dismiss them outright or post replies that do nothing to solve the problem. Being glad to share and putting people first: that is exactly the spirit of Ubuntu.
chinaz
Posts: 238
Joined: 2007-02-07 9:23

Virus in the repository?

#1

Post by chinaz » 2014-02-18 12:41

Not sure whether this topic belongs here.
On our internal network I mirrored the Ubuntu 11.04 old-releases repository with apt-mirror. Because the host also runs a Samba server, I did a full-disk scan with clamav yesterday and found the following:

ubuntu/pool/universe/s/sanitizer/sanitizer_1.76.orig.tar.gz: Exploit.WMF.Gen-1 FOUND
ubuntu/pool/universe/s/sqlmap/sqlmap_0.6.4.orig.tar.gz: PHP.Shell-32 FOUND
ubuntu/pool/universe/n/nautilus-clamscan/nautilus-clamscan_0.2.2.orig.tar.gz: ClamAV-Test-File FOUND
ubuntu/pool/universe/n/nepenthes/nepenthes_0.2.2.orig.tar.gz: Trojan.Downloader.Bat FOUND
ubuntu/pool/universe/m/mailscanner/mailscanner_4.79.11.orig.tar.gz: Eicar-Test-Signature-1 FOUND
ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz: Suspect.DoubleExtension-zippwd-12 FOUND
ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz: Exploit.IFrame.Gen FOUND
ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz: Worm.Mytob.LC FOUND

The files above are only source tarballs, so are the corresponding deb files safe? Perhaps clamav skipped them because it does not scan inside deb files, so I found the deb package of one of the flagged ones, sqlmap, unpacked it and scanned again. The result:

clamscan * -r
DEBIAN/md5sums: OK
DEBIAN/control: OK
sqlmap_0.6.4-1_all.deb: OK
usr/share/man/man1/sqlmap.1.gz: OK
usr/share/python-support/sqlmap.private: OK
usr/share/doc/sqlmap/copyright: OK
usr/share/doc/sqlmap/changelog.Debian.gz: OK
usr/share/doc/sqlmap/README.html: OK
usr/share/doc/sqlmap/examples/sqlmap.conf.gz: OK
usr/share/doc/sqlmap/AUTHORS: OK
usr/share/sqlmap/xml/queries.xml: OK
usr/share/sqlmap/xml/errors.xml: OK
usr/share/sqlmap/xml/banner/oracle.xml: OK
usr/share/sqlmap/xml/banner/server.xml: OK
usr/share/sqlmap/xml/banner/generic.xml: OK
usr/share/sqlmap/xml/banner/mssql.xml: OK
usr/share/sqlmap/xml/banner/cookie.xml: OK
usr/share/sqlmap/xml/banner/sharepoint.xml: OK
usr/share/sqlmap/xml/banner/x-powered-by.xml: OK
usr/share/sqlmap/xml/banner/mysql.xml: OK
usr/share/sqlmap/xml/banner/x-aspnet-version.xml: OK
usr/share/sqlmap/xml/banner/postgresql.xml: OK
usr/share/sqlmap/xml/banner/servlet.xml: OK
usr/share/sqlmap/shell/uploader.asp: OK
usr/share/sqlmap/shell/backdoor.jsp: PHP.Shell-31 FOUND
usr/share/sqlmap/shell/backdoor.php: PHP.Shell-32 FOUND

usr/share/sqlmap/shell/uploader.php: OK
usr/share/sqlmap/sqlmap: OK
usr/share/sqlmap/lib/utils/__init__.py: OK
usr/share/sqlmap/lib/utils/resume.py: OK
usr/share/sqlmap/lib/utils/google.py: OK
usr/share/sqlmap/lib/utils/parenthesis.py: OK
usr/share/sqlmap/lib/contrib/multipartpost.py: OK
usr/share/sqlmap/lib/contrib/__init__.py: OK
usr/share/sqlmap/lib/techniques/__init__.py: OK
usr/share/sqlmap/lib/techniques/blind/timebased.py: OK
usr/share/sqlmap/lib/techniques/blind/__init__.py: OK
usr/share/sqlmap/lib/techniques/blind/inference.py: OK
usr/share/sqlmap/lib/techniques/inband/__init__.py: OK
usr/share/sqlmap/lib/techniques/inband/union/use.py: OK
usr/share/sqlmap/lib/techniques/inband/union/__init__.py: OK
usr/share/sqlmap/lib/techniques/inband/union/test.py: OK
usr/share/sqlmap/lib/techniques/outband/__init__.py: OK
usr/share/sqlmap/lib/techniques/outband/stacked.py: OK
usr/share/sqlmap/lib/__init__.py: OK
usr/share/sqlmap/lib/parse/handler.py: OK
usr/share/sqlmap/lib/parse/banner.py: OK
usr/share/sqlmap/lib/parse/configfile.py: OK
usr/share/sqlmap/lib/parse/headers.py: OK
usr/share/sqlmap/lib/parse/cmdline.py: OK
usr/share/sqlmap/lib/parse/__init__.py: OK
usr/share/sqlmap/lib/parse/html.py: OK
usr/share/sqlmap/lib/parse/queriesfile.py: OK
usr/share/sqlmap/lib/controller/action.py: OK
usr/share/sqlmap/lib/controller/handler.py: OK
usr/share/sqlmap/lib/controller/checks.py: OK
usr/share/sqlmap/lib/controller/__init__.py: OK
usr/share/sqlmap/lib/controller/controller.py: OK
usr/share/sqlmap/lib/core/unescaper.py: OK
usr/share/sqlmap/lib/core/session.py: OK
usr/share/sqlmap/lib/core/shell.py: OK
usr/share/sqlmap/lib/core/progress.py: OK
usr/share/sqlmap/lib/core/target.py: OK
usr/share/sqlmap/lib/core/option.py: OK
usr/share/sqlmap/lib/core/readlineng.py: OK
usr/share/sqlmap/lib/core/common.py: OK
usr/share/sqlmap/lib/core/dump.py: OK
usr/share/sqlmap/lib/core/data.py: OK
usr/share/sqlmap/lib/core/datatype.py: OK
usr/share/sqlmap/lib/core/update.py: OK
usr/share/sqlmap/lib/core/__init__.py: OK
usr/share/sqlmap/lib/core/agent.py: OK
usr/share/sqlmap/lib/core/settings.py: OK
usr/share/sqlmap/lib/core/convert.py: OK
usr/share/sqlmap/lib/core/optiondict.py: OK
usr/share/sqlmap/lib/core/exception.py: OK
usr/share/sqlmap/lib/request/proxy.py: OK
usr/share/sqlmap/lib/request/basic.py: OK
usr/share/sqlmap/lib/request/__init__.py: OK
usr/share/sqlmap/lib/request/connect.py: OK
usr/share/sqlmap/lib/request/comparison.py: OK
usr/share/sqlmap/lib/request/inject.py: OK
usr/share/sqlmap/txt/user-agents.txt: OK
usr/share/sqlmap/plugins/dbms/postgresql.py: OK
usr/share/sqlmap/plugins/dbms/mssqlserver.py: OK
usr/share/sqlmap/plugins/dbms/__init__.py: OK
usr/share/sqlmap/plugins/dbms/oracle.py: OK
usr/share/sqlmap/plugins/dbms/mysql.py: OK
usr/share/sqlmap/plugins/__init__.py: OK
usr/share/sqlmap/plugins/generic/takeover.py: OK
usr/share/sqlmap/plugins/generic/fingerprint.py: OK
usr/share/sqlmap/plugins/generic/enumeration.py: OK
usr/share/sqlmap/plugins/generic/__init__.py: OK
usr/share/sqlmap/plugins/generic/filesystem.py: OK
usr/bin/sqlmap: Symbolic link

----------- SCAN SUMMARY -----------
Known viruses: 3122586
Engine version: 0.97.8
Scanned directories: 30
Scanned files: 94
Infected files: 2
Data scanned: 1.06 MB
Data read: 0.66 MB (ratio 1.60:1)
Time: 8.386 sec (0 m 8 s)

================ fancy divider ====================

Then I scanned the mirrored repository again with F-Prot for Linux, and there were more findings:

[Found possible virus] <W32/CodeCru-based!Maximus (not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.6+dfsg.orig.tar.gz->(packed)->clamav-0.97.6+dfsg/test/.split/split.clam-yc.exeaa
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.6+dfsg.orig.tar.gz
[Found possible virus] <W32/CodeCru-based!Maximus (not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97+dfsg.orig.tar.gz->(packed)->clamav-0.97+dfsg/test/.split/split.clam-yc.exeaa
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97+dfsg.orig.tar.gz
[Found possible virus] <W32/CodeCru-based!Maximus (not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.5+dfsg.orig.tar.gz->(packed)->clamav-0.97.5+dfsg/test/.split/split.clam-yc.exeaa
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.5+dfsg.orig.tar.gz
[Found virus] <JS/NoClose.Q (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/d/dbacl/dbacl_1.12.orig.tar.gz->(packed)->dbacl-1.12/src/tests/sample.spam-10->(qp)
[Found virus] <JS/NoClose.Q (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/d/dbacl/dbacl_1.12.orig.tar.gz->(packed)->dbacl-1.12/src/tests/verify.email-scripts
[Found downloader] <BAT/DownldFTP.Z (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/n/nepenthes/nepenthes_0.2.2.orig.tar.gz->(packed)->nepenthes-0.2.2/doc/README.VFS
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/n/nepenthes/nepenthes_0.2.2.orig.tar.gz
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz->(packed)->pymilter-milters-0.8.13/test/honey->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz->(packed)->pymilter-milters-0.8.13/test/virus4->(qp)
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/virus4->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/honey->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/honey.out->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/virus4.out->(qp)
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz
[Found worm] <W32/Mytob.QO@mm (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz->Mail-DeliveryStatus-BounceParser-1.525.tar->Mail-DeliveryStatus-BounceParser-1.525/t/corpus/virus-caused-multiple-weird-reports.msg->account-password.zip->account-password.htm .pif
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmime-explode-perl/libmime-explode-perl_0.38.orig.tar.gz->MIME-Explode-0.38.tar->MIME-Explode-0.38/testmsgs/viraldoc.msg->(qp)
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmime-explode-perl/libmime-explode-perl_0.38.orig.tar.gz


Look at the English text: every time "Found" appears it means a virus (or trojan) was found. I counted, and there seem to be a lot of "Found"s...
I don't know what effect these viruses would have, and they are in the official repository too. What do you all make of this?
Last edited by chinaz on 2014-02-18 13:11, edited 1 time in total.
Unmoved by favour or disgrace, I idly watch the flowers bloom and fall before the courtyard; indifferent to staying or leaving, I drift with the clouds gathering and scattering beyond the sky.
maplebeats
Posts: 378
Joined: 2011-02-16 1:17

Re: Virus in the repository?

#2

Post by maplebeats » 2014-02-18 12:43

Viruses written in PHP and JSP?? OMG
My blog : OOXX
sevk
Posts: 2060
Joined: 2007-05-08 16:26
System: arch
From: inside an atomic nucleus of some molecule in the core of Mars

Re: Virus in the repository?

#3

Post by sevk » 2014-02-18 12:51

Probably just backdoors, I guess. They can only modify web pages or the database; they usually don't have root privileges, right?
Laptops:
F208S : gentoo
A460P i3G D6 : UBUNTU + WIN7
UN43D1 : UBUNTU + WIN7
1000-member super QQ group LINUX + WIN : 31465544 or 18210387
eleven.i386
Posts: 67
Joined: 2011-11-26 12:55

Re: Virus in the repository?

#4

Post by eleven.i386 » 2014-02-18 15:05

It looks like the things you scanned are hacker tools themselves, so it is no surprise that they ship some webshells. clamav does not only report viruses; it reports backdoors and the like as well. sqlmap, nmap and a whole pile of other open-source hacking tools are in the repository, so when reading these reports, first check whether the hit is somewhere it should not be. Showing up in sqlmap is reasonable.
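The triage eleven.i386 describes (is the hit somewhere it should not be?) can be scripted over the scan output. The following is an added example and not code from this thread: it parses clamscan output (a constructed subset of the lines quoted above) and sorts each FOUND line into test-file, expected-in-tool or review; the test-signature prefixes and the allowlist of packages that legitimately carry such payloads are assumptions to adjust for your own mirror.

```python
import re
from collections import Counter

# Constructed sample: a subset of the clamscan lines quoted in this thread.
SCAN_OUTPUT = """\
ubuntu/pool/universe/n/nautilus-clamscan/nautilus-clamscan_0.2.2.orig.tar.gz: ClamAV-Test-File FOUND
ubuntu/pool/universe/m/mailscanner/mailscanner_4.79.11.orig.tar.gz: Eicar-Test-Signature-1 FOUND
ubuntu/pool/universe/s/sqlmap/sqlmap_0.6.4.orig.tar.gz: PHP.Shell-32 FOUND
usr/share/sqlmap/shell/backdoor.php: PHP.Shell-32 FOUND
ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz: Worm.Mytob.LC FOUND
usr/share/sqlmap/lib/core/common.py: OK
usr/bin/sqlmap: Symbolic link
"""

# Signature prefixes that only fire on harmless detection-test files (assumed list).
TEST_SIGNATURE_PREFIXES = ("Eicar-Test-Signature", "ClamAV-Test-File")
# Source packages whose job is to carry attack-tool payloads, so a hit inside them
# is expected (assumed allowlist; extend it to what your mirror actually carries).
EXPECTED_CARRIERS = {"sqlmap"}

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Source package name from a pool path (.../pool/<component>/<prefix>/<srcpkg>/...)
# or from an installed path under usr/share/<pkg>/.
PKG_RE = re.compile(r"(?:pool/[^/]+/[^/]+/|usr/share/)(?P<pkg>[^/]+)/")

def classify(path, sig):
    """Return 'test-file', 'expected-in-tool' or 'review' for one FOUND line."""
    if sig.startswith(TEST_SIGNATURE_PREFIXES):
        return "test-file"
    m = PKG_RE.search(path)
    if m and m.group("pkg") in EXPECTED_CARRIERS:
        return "expected-in-tool"
    return "review"          # anything else deserves a human look

def triage(scan_output):
    """Parse clamscan output; OK and 'Symbolic link' lines are skipped."""
    hits = []
    for line in scan_output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig"),
                         classify(m.group("path"), m.group("sig"))))
    return hits

def summary(scan_output):
    """Count hits per verdict, e.g. {'test-file': 2, 'expected-in-tool': 2, 'review': 1}."""
    return dict(Counter(verdict for _, _, verdict in triage(scan_output)))

if __name__ == "__main__":
    for path, sig, verdict in triage(SCAN_OUTPUT):
        print(f"{verdict:17} {sig:28} {path}")
    print(summary(SCAN_OUTPUT))
```

The one hit left in "review" here is the Mytob sample inside a Perl module's test corpus, which is exactly the kind of entry worth checking against the package's changelog or bug tracker before treating the mirror as compromised.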
lainme
Forum moderator
Posts: 7805
Joined: 2008-09-13 19:17
System: Arch Linux (x86_64)

Re: Virus in the repository?

#5

Post by lainme » 2014-02-18 15:20

I don't know about the others. The sqlmap one is not a virus or backdoor infection.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers
You can actually look it up on Launchpad:

https://bugs.launchpad.net/ubuntu/+sour ... bug/592871
luojie-dune
Posts: 22033
Joined: 2007-07-30 18:28
System: Linux
From: in the air

Re: Virus in the repository?

#6

Post by luojie-dune » 2014-02-18 15:22

old release ...
『This whole world is mine, and I love you all』

ENTP ⥂ INTP ⥄ INFP ⇦ INTJ

Articles posted here are licensed under the Creative Commons Attribution-ShareAlike 4.0 licence
eexpress
Posts: 58428
Joined: 2005-08-14 21:55
From: Changsha

Re: Virus in the repository?

#7

Post by eexpress » 2014-02-18 15:59

That would infect the install cache. Dangerous. A deb can carry pre-install and all sorts of other scripts, and they run as root.
But can you confirm there really are viruses? Packages all come with checksums. Try comparing the md5 of those packages with the ones on someone else's machine.
● 鸣学
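The checksum comparison eexpress suggests can be done against the mirror's own Packages index, whose hash apt in turn checks through the signed Release file. The following is an added example and not code from this thread: it parses a constructed Packages stanza and then verifies a pristine and a tampered copy of a deb by size and SHA256; the stanza, the file body and its hashes are constructed stand-ins, and the Release signature check is assumed to have been done already with apt's own tooling.

```python
import hashlib

# Constructed stand-in for a mirrored .deb; the real file is the binary package.
DEB_BODY = b"!<arch>\nconstructed stand-in for sqlmap_0.6.4-1_all.deb\n"

# Constructed Packages stanza in apt's index format. On a real mirror the index is
# downloaded with the repository and its own hash is listed in the signed Release file.
PACKAGES_INDEX = (
    "Package: sqlmap\n"
    "Version: 0.6.4-1\n"
    "Architecture: all\n"
    "Filename: pool/universe/s/sqlmap/sqlmap_0.6.4-1_all.deb\n"
    f"Size: {len(DEB_BODY)}\n"
    f"MD5sum: {hashlib.md5(DEB_BODY).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(DEB_BODY).hexdigest()}\n"
)

def parse_packages(text):
    """Map Filename -> fields for each stanza (stanzas are separated by blank lines)."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):   # skip continuation lines
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries

def verify_deb(filename, data, index):
    """Return (ok, reason). Size and SHA256 decide; MD5 is listed in the index too,
    but it is not collision-resistant, so it is not used as the deciding hash."""
    entry = index.get(filename)
    if entry is None:
        return False, "not in Packages index"
    if int(entry["Size"]) != len(data):
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"]:
        return False, "SHA256 mismatch"
    return True, "matches index"

FILENAME = "pool/universe/s/sqlmap/sqlmap_0.6.4-1_all.deb"
TAMPERED = DEB_BODY[:-2] + b"X\n"   # same length, one byte changed

if __name__ == "__main__":
    index = parse_packages(PACKAGES_INDEX)
    print(verify_deb(FILENAME, DEB_BODY, index))        # (True, 'matches index')
    print(verify_deb(FILENAME, TAMPERED, index))        # (False, 'SHA256 mismatch')
    print(verify_deb(FILENAME, DEB_BODY + b"x", index)) # (False, 'size mismatch')
```

A deb that matches the index the publisher signed is the same file everyone else received, so an antivirus hit on it says something about the package's contents, not about your mirror having been tampered with.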
hometow1
Posts: 472
Joined: 2007-12-15 18:19
System: UBUNTU16.04
From: Eternal Night Harbour

Re: Virus in the repository?

#8

Post by hometow1 » 2014-02-18 17:55

Watching this thread.

Sent from my XT912 using Tapatalk
Basketball, the internet, books, running: the whole of life.
And now a daughter has arrived too; may she grow up healthy.
jinjiachen
Posts: 2148
Joined: 2012-12-16 15:43
System: debian

Re: Virus in the repository?

#9

Post by jinjiachen » 2014-02-18 19:06

If there are, would you still dare to use it?