Not sure whether this topic belongs here.
I mirrored the Ubuntu 11.04 old-releases repository on our intranet with apt-mirror. Since the machine also runs an smb server, I did a full-disk scan with clamav yesterday and found the following:
ubuntu/pool/universe/s/sanitizer/sanitizer_1.76.orig.tar.gz: Exploit.WMF.Gen-1 FOUND
ubuntu/pool/universe/s/sqlmap/sqlmap_0.6.4.orig.tar.gz: PHP.Shell-32 FOUND
ubuntu/pool/universe/n/nautilus-clamscan/nautilus-clamscan_0.2.2.orig.tar.gz: ClamAV-Test-File FOUND
ubuntu/pool/universe/n/nepenthes/nepenthes_0.2.2.orig.tar.gz: Trojan.Downloader.Bat FOUND
ubuntu/pool/universe/m/mailscanner/mailscanner_4.79.11.orig.tar.gz: Eicar-Test-Signature-1 FOUND
ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz: Suspect.DoubleExtension-zippwd-12 FOUND
ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz: Exploit.IFrame.Gen FOUND
ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz: Worm.Mytob.LC FOUND
The above are only source tarballs, so are the corresponding deb files safe? Possibly clamav skipped the contents of the deb files instead of scanning inside them, so I located the deb package of one of the flagged ones, sqlmap, extracted it, and scanned again. The result:
clamscan * -r
DEBIAN/md5sums: OK
DEBIAN/control: OK
sqlmap_0.6.4-1_all.deb: OK
usr/share/man/man1/sqlmap.1.gz: OK
usr/share/python-support/sqlmap.private: OK
usr/share/doc/sqlmap/copyright: OK
usr/share/doc/sqlmap/changelog.Debian.gz: OK
usr/share/doc/sqlmap/README.html: OK
usr/share/doc/sqlmap/examples/sqlmap.conf.gz: OK
usr/share/doc/sqlmap/AUTHORS: OK
usr/share/sqlmap/xml/queries.xml: OK
usr/share/sqlmap/xml/errors.xml: OK
usr/share/sqlmap/xml/banner/oracle.xml: OK
usr/share/sqlmap/xml/banner/server.xml: OK
usr/share/sqlmap/xml/banner/generic.xml: OK
usr/share/sqlmap/xml/banner/mssql.xml: OK
usr/share/sqlmap/xml/banner/cookie.xml: OK
usr/share/sqlmap/xml/banner/sharepoint.xml: OK
usr/share/sqlmap/xml/banner/x-powered-by.xml: OK
usr/share/sqlmap/xml/banner/mysql.xml: OK
usr/share/sqlmap/xml/banner/x-aspnet-version.xml: OK
usr/share/sqlmap/xml/banner/postgresql.xml: OK
usr/share/sqlmap/xml/banner/servlet.xml: OK
usr/share/sqlmap/shell/uploader.asp: OK
usr/share/sqlmap/shell/backdoor.jsp: PHP.Shell-31 FOUND
usr/share/sqlmap/shell/backdoor.php: PHP.Shell-32 FOUND
usr/share/sqlmap/shell/uploader.php: OK
usr/share/sqlmap/sqlmap: OK
usr/share/sqlmap/lib/utils/__init__.py: OK
usr/share/sqlmap/lib/utils/resume.py: OK
usr/share/sqlmap/lib/utils/google.py: OK
usr/share/sqlmap/lib/utils/parenthesis.py: OK
usr/share/sqlmap/lib/contrib/multipartpost.py: OK
usr/share/sqlmap/lib/contrib/__init__.py: OK
usr/share/sqlmap/lib/techniques/__init__.py: OK
usr/share/sqlmap/lib/techniques/blind/timebased.py: OK
usr/share/sqlmap/lib/techniques/blind/__init__.py: OK
usr/share/sqlmap/lib/techniques/blind/inference.py: OK
usr/share/sqlmap/lib/techniques/inband/__init__.py: OK
usr/share/sqlmap/lib/techniques/inband/union/use.py: OK
usr/share/sqlmap/lib/techniques/inband/union/__init__.py: OK
usr/share/sqlmap/lib/techniques/inband/union/test.py: OK
usr/share/sqlmap/lib/techniques/outband/__init__.py: OK
usr/share/sqlmap/lib/techniques/outband/stacked.py: OK
usr/share/sqlmap/lib/__init__.py: OK
usr/share/sqlmap/lib/parse/handler.py: OK
usr/share/sqlmap/lib/parse/banner.py: OK
usr/share/sqlmap/lib/parse/configfile.py: OK
usr/share/sqlmap/lib/parse/headers.py: OK
usr/share/sqlmap/lib/parse/cmdline.py: OK
usr/share/sqlmap/lib/parse/__init__.py: OK
usr/share/sqlmap/lib/parse/html.py: OK
usr/share/sqlmap/lib/parse/queriesfile.py: OK
usr/share/sqlmap/lib/controller/action.py: OK
usr/share/sqlmap/lib/controller/handler.py: OK
usr/share/sqlmap/lib/controller/checks.py: OK
usr/share/sqlmap/lib/controller/__init__.py: OK
usr/share/sqlmap/lib/controller/controller.py: OK
usr/share/sqlmap/lib/core/unescaper.py: OK
usr/share/sqlmap/lib/core/session.py: OK
usr/share/sqlmap/lib/core/shell.py: OK
usr/share/sqlmap/lib/core/progress.py: OK
usr/share/sqlmap/lib/core/target.py: OK
usr/share/sqlmap/lib/core/option.py: OK
usr/share/sqlmap/lib/core/readlineng.py: OK
usr/share/sqlmap/lib/core/common.py: OK
usr/share/sqlmap/lib/core/dump.py: OK
usr/share/sqlmap/lib/core/data.py: OK
usr/share/sqlmap/lib/core/datatype.py: OK
usr/share/sqlmap/lib/core/update.py: OK
usr/share/sqlmap/lib/core/__init__.py: OK
usr/share/sqlmap/lib/core/agent.py: OK
usr/share/sqlmap/lib/core/settings.py: OK
usr/share/sqlmap/lib/core/convert.py: OK
usr/share/sqlmap/lib/core/optiondict.py: OK
usr/share/sqlmap/lib/core/exception.py: OK
usr/share/sqlmap/lib/request/proxy.py: OK
usr/share/sqlmap/lib/request/basic.py: OK
usr/share/sqlmap/lib/request/__init__.py: OK
usr/share/sqlmap/lib/request/connect.py: OK
usr/share/sqlmap/lib/request/comparison.py: OK
usr/share/sqlmap/lib/request/inject.py: OK
usr/share/sqlmap/txt/user-agents.txt: OK
usr/share/sqlmap/plugins/dbms/postgresql.py: OK
usr/share/sqlmap/plugins/dbms/mssqlserver.py: OK
usr/share/sqlmap/plugins/dbms/__init__.py: OK
usr/share/sqlmap/plugins/dbms/oracle.py: OK
usr/share/sqlmap/plugins/dbms/mysql.py: OK
usr/share/sqlmap/plugins/__init__.py: OK
usr/share/sqlmap/plugins/generic/takeover.py: OK
usr/share/sqlmap/plugins/generic/fingerprint.py: OK
usr/share/sqlmap/plugins/generic/enumeration.py: OK
usr/share/sqlmap/plugins/generic/__init__.py: OK
usr/share/sqlmap/plugins/generic/filesystem.py: OK
usr/bin/sqlmap: Symbolic link
----------- SCAN SUMMARY -----------
Known viruses: 3122586
Engine version: 0.97.8
Scanned directories: 30
Scanned files: 94
Infected files: 2
Data scanned: 1.06 MB
Data read: 0.66 MB (ratio 1.60:1)
Time: 8.386 sec (0 m 8 s)
================ divider ====================
Then I also scanned the mirrored repository with F-Prot for Linux, and it found more:
[Found possible virus] <W32/CodeCru-based!Maximus (not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.6+dfsg.orig.tar.gz->(packed)->clamav-0.97.6+dfsg/test/.split/split.clam-yc.exeaa
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.6+dfsg.orig.tar.gz
[Found possible virus] <W32/CodeCru-based!Maximus (not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97+dfsg.orig.tar.gz->(packed)->clamav-0.97+dfsg/test/.split/split.clam-yc.exeaa
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97+dfsg.orig.tar.gz
[Found possible virus] <W32/CodeCru-based!Maximus (not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.5+dfsg.orig.tar.gz->(packed)->clamav-0.97.5+dfsg/test/.split/split.clam-yc.exeaa
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.97.5+dfsg.orig.tar.gz
[Found virus] <JS/NoClose.Q (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/d/dbacl/dbacl_1.12.orig.tar.gz->(packed)->dbacl-1.12/src/tests/sample.spam-10->(qp)
[Found virus] <JS/NoClose.Q (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/d/dbacl/dbacl_1.12.orig.tar.gz->(packed)->dbacl-1.12/src/tests/verify.email-scripts
[Found downloader] <BAT/DownldFTP.Z (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/n/nepenthes/nepenthes_0.2.2.orig.tar.gz->(packed)->nepenthes-0.2.2/doc/README.VFS
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/n/nepenthes/nepenthes_0.2.2.orig.tar.gz
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz->(packed)->pymilter-milters-0.8.13/test/honey->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz->(packed)->pymilter-milters-0.8.13/test/virus4->(qp)
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter-milters/pymilter-milters_0.8.13.orig.tar.gz
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/virus4->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/honey->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/honey.out->(qp)
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz->pymilter-0.9.3.tar->pymilter-0.9.3/test/virus4.out->(qp)
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/p/pymilter/pymilter_0.9.3.orig.tar.gz
[Found worm] <W32/Mytob.QO@mm (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz->Mail-DeliveryStatus-BounceParser-1.525.tar->Mail-DeliveryStatus-BounceParser-1.525/t/corpus/virus-caused-multiple-weird-reports.msg->account-password.zip->account-password.htm .pif
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.525.orig.tar.gz
[Found exploit] <HTML/IFrame.F (exact, not disinfectable)> /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmime-explode-perl/libmime-explode-perl_0.38.orig.tar.gz->MIME-Explode-0.38.tar->MIME-Explode-0.38/testmsgs/viraldoc.msg->(qp)
[Contains infected objects] /home/user/ubuntu/mirror/old-releases.ubuntu.com/ubuntu/pool/universe/libm/libmime-explode-perl/libmime-explode-perl_0.38.orig.tar.gz
Look at the English text: every "Found" means a virus (or trojan) was detected. I counted, and there seem to be quite a lot of them...
I don't know what effect these viruses could have, and they are sitting in the official repository. What do you all make of this?
Viruses in the repository?
- chinaz
- sevk
Re: Viruses in the repository?
Probably just backdoors. They can only modify a web page or a database; generally they don't have root privileges, do they?
Re: Viruses in the repository?
It looks like the things you scanned are themselves hacking tools, so it's no surprise that they ship a few webshells. clamav doesn't only report viruses; it reports backdoors and the like as well. sqlmap, nmap and a whole pile of other open-source hacking tools are in the repository, so when reading these reports, first check whether the detection shows up somewhere it shouldn't. Showing up in sqlmap is reasonable.
- lainme
Re: Viruses in the repository?
Don't know about the others, but the sqlmap one is not a virus or backdoor infection.
https://bugs.launchpad.net/ubuntu/+sour ... bug/592871
Actually you can look it up on launchpad: sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers
- luojie-dune
Re: Viruses in the repository?
old release ...
- eexpress
Re: Viruses in the repository?
Infecting the install cache. Dangerous. A deb can carry pre-install and all kinds of other scripts, and they run as root.
But can you be sure there really are viruses? Packages come with checksums. Try comparing the md5 of those packages against someone else's machine.
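One way to do the check eexpress suggests, as an added example that is not code from the thread or from apt-mirror: it re-hashes the pool files against the MD5sum/SHA256 fields of the mirror's Packages index, so a flagged file can be shown to be byte-identical to what the archive published. The path layout, sample bytes and index stanzas are constructed; only the sqlmap file name comes from the thread.

```python
import hashlib
import os
import tempfile

SAMPLE_DEB = b"!<arch>\nconstructed placeholder bytes, not a real Debian archive\n"
GOOD = "pool/universe/s/sqlmap/sqlmap_0.6.4-1_all.deb"       # file name from the thread
BAD = "pool/universe/e/example/example_1.0-1_all.deb"        # hypothetical, written tampered
MISSING = "pool/universe/e/example/example_1.0-1_i386.deb"   # hypothetical, never written

def parse_packages_index(text):
    """Split an RFC822-style Packages index into one dict per stanza."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
        elif line[0] not in " \t":          # skip continuation lines of multi-line fields
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def verify_pool(mirror_root, packages_text):
    """Map each Filename to 'ok', 'mismatch' or 'missing' by rehashing the pool file."""
    results = {}
    for pkg in parse_packages_index(packages_text):
        path = os.path.join(mirror_root, pkg["Filename"])
        if not os.path.isfile(path):
            results[pkg["Filename"]] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        # every hash field present in the stanza must match; one mismatch fails the file
        ok = all(hashlib.new(algo, data).hexdigest() == pkg[field]
                 for field, algo in (("SHA256", "sha256"), ("MD5sum", "md5")) if field in pkg)
        results[pkg["Filename"]] = "ok" if ok else "mismatch"
    return results

def demo():
    """Build a throwaway mini-mirror (constructed) and verify it against an index listing SAMPLE_DEB's hashes."""
    root = tempfile.mkdtemp()
    md5, sha = hashlib.md5(SAMPLE_DEB).hexdigest(), hashlib.sha256(SAMPLE_DEB).hexdigest()
    index = "".join(f"Package: p\nFilename: {n}\nMD5sum: {md5}\nSHA256: {sha}\n\n"
                    for n in (GOOD, BAD, MISSING))
    for name, data in ((GOOD, SAMPLE_DEB), (BAD, SAMPLE_DEB + b"\nextra bytes")):
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return verify_pool(root, index)
```

On a real mirror the Packages index is itself listed in the archive's signed Release file, so a package whose hashes match an index taken from a verified Release is the file Ubuntu shipped, whatever a scanner says about its contents.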
Re: Viruses in the repository?
If there are, would you still dare to use it?