* possible viri in tarballs?
From: Gene Heskett @ 2014-02-05 14:15 UTC (permalink / raw)
  To: linux-kernel

Greetings;

I recently brought a daily system scan by clamscan back to life, and it's 
emailing me this:

/home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
/home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
/home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
/home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
/home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
/home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
/home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND

Repeat for several other kernel trees.
FP or ??

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

NOTICE: Will pay 100 USD for an HP-4815A defective but
complete probe assembly.



* Re: possible viri in tarballs?
From: Mihai Donțu @ 2014-02-05 14:35 UTC (permalink / raw)
  To: Gene Heskett; +Cc: linux-kernel

On Wed, 5 Feb 2014 09:15:34 -0500 Gene Heskett wrote:
> I recently brought a daily system scan by clamscan back to life, and
> it's emailing me this:
> 
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> 
> Repeat for several other kernel trees.
> FP or ??

Most likely a FP, but try: https://www.virustotal.com/

-- 
Mihai Donțu


* Re: possible viri in tarballs?
From: Gene Heskett @ 2014-02-05 15:10 UTC (permalink / raw)
  To: Mihai Donțu; +Cc: linux-kernel

On Wednesday 05 February 2014, Mihai Donțu wrote:
>On Wed, 5 Feb 2014 09:15:34 -0500 Gene Heskett wrote:
>> I recently brought a daily system scan by clamscan back to life, and
>> it's emailing me this:
>> 
>> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> /home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> /home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> /home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> /home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> /home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>> 
>> Repeat for several other kernel trees.
>> FP or ??
>
>Most likely a FP, but try: https://www.virustotal.com/

I'll report it as an FP then.  I didn't know about that site.  Thanks.

Cheers, Gene



* Re: possible viri in tarballs?
From: Gene Heskett @ 2014-02-05 18:24 UTC (permalink / raw)
  To: linux-kernel

On Wednesday 05 February 2014, Gene Heskett wrote:
>Greetings;
>
>I recently brought a daily system scan by clamscan back to life, and it's
>emailing me this:
>
>/home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>/home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>/home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>/home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>/home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>/home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>/home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt:
>MBL_400944.UNOFFICIAL FOUND
>
>Repeat for several other kernel trees.
>FP or ??
>
>Cheers, Gene

Someone thought it's an FP, so I took this to the clamav list and got some 
links; it is a highest threat Password revealer first seen by 

<http://www.threatexpert.com/reports.aspx?find=PSWTool.Win32.PassViewer.av&x=11&y=9>

on 12/07/2011.

Over on <http://www.malwarepatrol.net/cgi/search.pl?id=400944>

You will see more history.

So that file needs sanitized.  I was under the impression that a file with 
the .txt extension was supposed to be pure ASCII text, but it's loaded to 
the gills with some sort of markup crap.  And I have at least 20 copies of 
it.

Cheers, Gene



* Re: possible viri in tarballs?
From: Theodore Ts'o @ 2014-02-05 19:52 UTC (permalink / raw)
  To: Gene Heskett; +Cc: linux-kernel

On Wed, Feb 05, 2014 at 01:24:59PM -0500, Gene Heskett wrote:
> >/home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt:
> >MBL_400944.UNOFFICIAL FOUND
> 
> You will see more history.
> 
> So that file needs sanitized.  I was under the impression that a file with 
> the .txt extension was supposed to be pure ASCII text, but it's loaded to 
> the gills with some sort of markup crap.  And I have at least 20 copies of 
> it.

Huh?   There are lines with 

* Overview

...

** Linux host drivers

...

in that file, sure.  But I'd hardly call that "loaded to the gills
with markup crap".

If the file had any amount of XML or XHTML2, that would be markup
crap.  But some Twiki-style ASCII markup is hardly a problem -- it
looks just fine when viewed in a text reader.

                                 - Ted


* Re: possible viri in tarballs?
From: Roger Heflin @ 2014-02-05 20:08 UTC (permalink / raw)
  To: Theodore Ts'o, Gene Heskett, Kernel development list

Gene,

How big is the file you have?  Here is what I have, and this is
from several different kernels.

 wc gadget_multi.txt
 150  830 5482 gadget_multi.tx

cksum gadget_multi.txt
3973522114 5482 gadget_multi.txt

ls -l gadget_multi.txt
-rw-rw-r-- 1 root root 5482 Dec 20 09:51 gadget_multi.txt

If your size/cksum is different, something modified your file.


On Wed, Feb 5, 2014 at 1:52 PM, Theodore Ts'o <tytso@mit.edu> wrote:
> On Wed, Feb 05, 2014 at 01:24:59PM -0500, Gene Heskett wrote:
>> >/home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt:
>> >MBL_400944.UNOFFICIAL FOUND
>>
>> You will see more history.
>>
>> So that file needs sanitized.  I was under the impression that a file with
>> the .txt extension was supposed to be pure ASCII text, but it's loaded to
>> the gills with some sort of markup crap.  And I have at least 20 copies of
>> it.
>
> Huh?   There are lines with
>
> * Overview
>
> ...
>
> ** Linux host drivers
>
> ...
>
> in that file, sure.  But I'd hardly call that "loaded to the gills
> with markup crap".
>
> If the file had any amount of XML or XHTML2, that would be markup
> crap.  But some Twiki-style ASCII markup is hardly a problem -- it
> looks just fine when viewed in a text reader.
>
>                                  - Ted

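Roger's size/cksum comparison above, and Gene's earlier question about whether a .txt file is "pure ascii text", can both be settled by a short script run against the suspect copy. What follows is an added example, not code from the thread, from ClamAV or from the kernel tree: it reimplements the checksum that POSIX cksum(1) prints (a non-reflected CRC-32 with the byte count folded in), compares size and checksum against the reference values Roger posted (3973522114 and 5482), and reports whether every byte is printable 7-bit text. The sample text embedded in it is constructed in the Twiki-style layout Ted quoted; it is not the real gadget_multi.txt, so it will not match the reference values.

```python
"""Integrity check in the spirit of the thread: compare a file's byte size and
POSIX cksum(1) CRC against a known-good reference, and report whether the
file is plain 7-bit text.  Added example; not code from the thread or the
kernel tree."""
import sys

POLY = 0x04C11DB7   # CRC-32 generator used by POSIX cksum (non-reflected, MSB first)
MASK = 0xFFFFFFFF


def _make_table() -> list:
    """Byte-at-a-time lookup table for the non-reflected CRC-32."""
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            c = ((c << 1) ^ POLY) if c & 0x80000000 else (c << 1)
            c &= MASK
        table.append(c)
    return table


_TABLE = _make_table()


def posix_cksum(data: bytes) -> int:
    """Return the number cksum(1) prints for `data`.

    cksum feeds the bytes through a CRC-32 register initialised to 0, then
    feeds the byte count itself, least-significant byte first, until the
    count is exhausted, and finally complements the register."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & MASK) ^ _TABLE[((crc >> 24) ^ b) & 0xFF]
    n = len(data)
    while n:
        crc = ((crc << 8) & MASK) ^ _TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]
        n >>= 8
    return (~crc) & MASK


def is_plain_text(data: bytes) -> bool:
    """True if every byte is printable 7-bit ASCII or one of TAB/LF/FF/CR."""
    allowed = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0C, 0x0D}
    return all(b in allowed for b in data)


def verify(data: bytes, ref_cksum: int, ref_size: int) -> dict:
    """Compare one file's bytes against a reference size and checksum."""
    size, crc = len(data), posix_cksum(data)
    return {
        "size": size,
        "cksum": crc,
        "size_ok": size == ref_size,
        "cksum_ok": crc == ref_cksum,
        "plain_text": is_plain_text(data),
    }


# Reference values Roger posted for Documentation/usb/gadget_multi.txt.
REF_CKSUM = 3973522114
REF_SIZE = 5482

# Constructed sample in the Twiki-style layout Ted quoted; not the real file.
SAMPLE = b"* Overview\n\nSome text.\n\n** Linux host drivers\n\nMore text.\n"


def verify_path(path: str, ref_cksum: int = REF_CKSUM, ref_size: int = REF_SIZE) -> dict:
    """Read a file from disk and run the same comparison on it."""
    with open(path, "rb") as fh:
        return verify(fh.read(), ref_cksum, ref_size)


if __name__ == "__main__":
    # Usage: python3 check_gadget_multi.py [path-to-gadget_multi.txt]
    if len(sys.argv) > 1:
        result = verify_path(sys.argv[1])
    else:
        result = verify(SAMPLE, REF_CKSUM, REF_SIZE)  # constructed sample; will not match
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against one of the flagged copies, for example `python3 check_gadget_multi.py /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt`. If `size_ok` and `cksum_ok` are both true the copy is byte-identical to Roger's, and `plain_text` true on top of that means the scanner fired on unmodified ASCII, which is exactly the false-positive case the thread converges on; a size or checksum mismatch is the one outcome that would justify looking further at that copy.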

* Re: possible viri in tarballs?
From: Gene Heskett @ 2014-02-05 20:47 UTC (permalink / raw)
  To: Theodore Ts'o, linux-kernel

On Wednesday 05 February 2014, Theodore Ts'o wrote:
>On Wed, Feb 05, 2014 at 01:24:59PM -0500, Gene Heskett wrote:
>> >/home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt:
>> >MBL_400944.UNOFFICIAL FOUND
>> 
>> You will see more history.
>> 
>> So that file needs sanitized.  I was under the impression that a file
>> with the .txt extension was supposed to be pure ASCII text, but it's
>> loaded to the gills with some sort of markup crap.  And I have at
>> least 20 copies of it.
>
>Huh?   There are lines with
>
>* Overview
>
>...
>
>** Linux host drivers
>
>...
>
>in that file, sure.  But I'd hardly call that "loaded to the gills
>with markup crap".
>
>If the file had any amount of XML or XHTML2, that would be markup
>crap.  But some Twiki-style ASCII markup is hardly a problem -- it
>looks just fine when viewed in a text reader.
>
>                                 - Ted

I was using mc's f3 function. I agree, it looks fine in less, or even 
gedit.  I am going to filter it, you do as you feel is correct.

Thanks Ted.

Cheers, Gene



* Re: possible viri in tarballs?
From: Gene Heskett @ 2014-02-05 20:49 UTC (permalink / raw)
  To: linux-kernel

On Wednesday 05 February 2014, Roger Heflin wrote:
>Gene,
>
>How big is the file you have?  Here is what I have, and this is
>from several different kernels.
>
> wc gadget_multi.txt
> 150  830 5482 gadget_multi.tx
>
>cksum gadget_multi.txt
>3973522114 5482 gadget_multi.txt
>
>ls -l gadget_multi.txt
>-rw-rw-r-- 1 root root 5482 Dec 20 09:51 gadget_multi.txt
>
>If your size/cksum is different, something modified your file.

They crosscheck as identical to yours.
>
>On Wed, Feb 5, 2014 at 1:52 PM, Theodore Ts'o <tytso@mit.edu> wrote:
>> On Wed, Feb 05, 2014 at 01:24:59PM -0500, Gene Heskett wrote:
>>> >/home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt:
>>> >MBL_400944.UNOFFICIAL FOUND
>>> 
>>> You will see more history.
>>> 
>>> So that file needs sanitized.  I was under the impression that a file
>>> with the .txt extension was supposed to be pure ASCII text, but it's
>>> loaded to the gills with some sort of markup crap.  And I have at
>>> least 20 copies of it.
>> 
>> Huh?   There are lines with
>> 
>> * Overview
>> 
>> ...
>> 
>> ** Linux host drivers
>> 
>> ...
>> 
>> in that file, sure.  But I'd hardly call that "loaded to the gills
>> with markup crap".
>> 
>> If the file had any amount of XML or XHTML2, that would be markup
>> crap.  But some Twiki-style ASCII markup is hardly a problem -- it
>> looks just fine when viewed in a text reader.
>> 
>>                                  - Ted
>> 


Cheers, Gene



* Re: possible viri in tarballs?
From: Theodore Ts'o @ 2014-02-06 15:16 UTC (permalink / raw)
  To: Gene Heskett; +Cc: linux-kernel

On Wed, Feb 05, 2014 at 03:47:07PM -0500, Gene Heskett wrote:
> >If the file had any amount of XML or XHTML2, that would be markup
> >crap.  But some Twiki-style ASCII markup is hardly a problem -- it
> >looks just fine when viewed in a text reader.
> 
> I was using mc's f3 function. I agree, it looks fine in less, or even 
> gedit.  I am going to filter it, you do as you feel is correct.

Well, in any case, if a couple of lines which are prefixed by
asterisks, where all the characters are otherwise English words in a
full ASCII text, get declared "malware", that's probably the best
demonstration of why many Anti-Virus companies are selling pure
snake oil, and someone should be demanding their money back.  :-)

                                 - Ted

