LinuxQuestions.org
Old 05-28-2013, 10:16 AM   #1
the_penguinator
Member
 
Registered: Jan 2009
Location: Canada
Distribution: slackware -current, OpenBSD, OSX
Posts: 161

Rep: Reputation: 20
Python-2.7.4 on mirrors marked as infected


This is interesting:

Quote:
ftp> open elektroni.phys.tut.fi
Connected to elektroni.phys.tut.fi.
...etc...
ftp> get Python-2.7.4.tar.xz
local: Python-2.7.4.tar.xz remote: Python-2.7.4.tar.xz
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for Python-2.7.4.tar.xz (10250644 bytes).
550-Transfer failed. The file Python-2.7.4.tar.xz is infected with the virus W32/BZip.AGENT!tr. File quarantined as .
550 *
I wanted to reinstall this file as I was experiencing an inability to get the upgrade via slackpkg. Question, though: if the file is compromised, why have they left it on the servers?
 
Old 05-28-2013, 10:20 AM   #2
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,178
Blog Entries: 23

Rep: Reputation: 278
The other question is: if a file is infected with something that is clearly meant for the ***dows platform, and your PC (Linux) is configured not to be able to run it... does it pose a risk?
 
Old 05-28-2013, 10:33 AM   #3
the_penguinator
Member
 
Registered: Jan 2009
Location: Canada
Distribution: slackware -current, OpenBSD, OSX
Posts: 161

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by Thor_2.0 View Post
The other question is: if a file is infected with something that is clearly meant for the ***dows platform, and your PC (Linux) is configured not to be able to run it... does it pose a risk?
Not to my Slackbox, I suppose, but you do install this Python file as root, and if the W32 malware unpacks itself and has the capability of running nmap, IDs Winboxen and goes to work... But it is curious why some presumably W32 malware has been packed into a Linux software package...
 
Old 05-28-2013, 11:02 AM   #4
JohnB316
LQ Newbie
 
Registered: Jan 2007
Distribution: VectorLinux
Posts: 19

Rep: Reputation: 0
Quote:
Originally Posted by the_penguinator View Post
This is interesting:

I wanted to reinstall this file as I was experiencing an inability to get the upgrade via slackpkg. Question, though: if the file is compromised, why have they left it on the servers?
Could the server you access have been compromised? It would be valuable to see whether you get the same error message from other Slackware mirrors. If the same package on other Slackware mirrors gives you the same warning message about virus infection, then there are other problems that TBDFL may need to investigate.
 
Old 05-28-2013, 11:16 AM   #5
torimus
Member
 
Registered: Apr 2013
Distribution: Slackware
Posts: 81

Rep: Reputation: Disabled
No time to investigate it, but can anybody check if it matches the official signature?

http://slackware.osuosl.org/slackwar...7.4.tar.xz.asc
 
Old 05-28-2013, 11:47 AM   #6
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 241

Rep: Reputation: 86
Did you run the ftp command on the Slackware box? Have you installed some kind of virus protection on that Slackware system?

If you run it on Slackware and have not installed virus protection, I bet you do not connect directly to elektroni.phys.tut.fi but your connection goes through some kind of virus "protection" middle box, with broken virus id database. That would explain your earlier problems, too.
 
Old 05-28-2013, 11:57 AM   #7
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 241

Rep: Reputation: 86
Quote:
Originally Posted by JohnB316 View Post
Could the server you access have been compromised?
No. The MD5 checksum of Python-2.7.4.tar.xz checked locally at elektroni.phys.tut.fi is the same as listed in CHECKSUMS.md5. And gpg validates Python-2.7.4.tar.xz.asc as a good signature from "Benjamin Peterson <benjamin@python.org>".
 
Old 05-28-2013, 12:03 PM   #8
gmgf
Member
 
Registered: Jun 2012
Location: France
Distribution: Slackware Zenwalk
Posts: 166

Rep: Reputation: Disabled
python-2.7.5 is available

changelog here:

http://hg.python.org/cpython/file/ab...2788/Misc/NEWS

Issue #17843: Removed test data file that was triggering false-positive virus warnings with certain antivirus software.
 
1 members found this post helpful.
Old 05-28-2013, 12:11 PM   #9
the_penguinator
Member
 
Registered: Jan 2009
Location: Canada
Distribution: slackware -current, OpenBSD, OSX
Posts: 161

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by torimus View Post
No time to investigate it, but can anybody check if it matches the official signature?

http://slackware.osuosl.org/slackwar...7.4.tar.xz.asc
The Python-2.7.4.tar.xz files on mirror.csclub.uwaterloo.ca and elektroni.phys.tut.fi do match the official signature of the file hosted at osuosl.org.
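The check Petri describes in post #7 and the_penguinator repeats in post #9, comparing a mirror's tarball against the digest listed in CHECKSUMS.md5, written out as an added example (not code from this thread or from Slackware). The tarball bytes, the mirror path and the CHECKSUMS.md5 text are constructed stand-ins; the gpg command in the comment is the other half of the check the thread mentions.

```python
import hashlib
import hmac

# Constructed sample data: NOT the real Python-2.7.4.tar.xz nor Slackware's real CHECKSUMS.md5.
SAMPLE_TARBALL = b"constructed stand-in for Python-2.7.4.tar.xz\n"
SAMPLE_PATH = "./source/d/python/Python-2.7.4.tar.xz"   # assumed mirror layout
CHECKSUMS_MD5 = (
    "These are the MD5 message digests for the files in this directory.\n"
    "\n"
    f"{hashlib.md5(SAMPLE_TARBALL).hexdigest()}  {SAMPLE_PATH}\n"
    "0123456789abcdef0123456789abcdef  ./source/d/python/python.SlackBuild\n"
)

def parse_checksums(text):
    """Map './path' -> lowercase MD5 hex from md5sum-style lines ('<hex>  <path>').
    Prose header lines (first token not 32 hex chars) are skipped."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].strip()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            continue
        sums[path.lstrip("*")] = digest   # md5sum -b prefixes paths with '*'
    return sums

def verify_md5(data, path, checksums):
    """Return 'ok', 'mismatch' or 'unlisted' for the bytes downloaded as `path`.
    MD5 only proves the mirror copy equals what CHECKSUMS.md5 lists; trust in the
    list itself comes from the detached signature, e.g. for the tarball:
        gpg --verify Python-2.7.4.tar.xz.asc Python-2.7.4.tar.xz"""
    expected = checksums.get(path)
    if expected is None:
        return "unlisted"
    actual = hashlib.md5(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def check_sample():
    """Run the three cases a mirror check can hit: intact, tampered, not listed."""
    sums = parse_checksums(CHECKSUMS_MD5)
    tampered = SAMPLE_TARBALL[:-1] + b"!"          # one byte changed in transit
    return (
        verify_md5(SAMPLE_TARBALL, SAMPLE_PATH, sums),
        verify_md5(tampered, SAMPLE_PATH, sums),
        verify_md5(SAMPLE_TARBALL, "./source/d/python/Python-2.7.5.tar.xz", sums),
    )

if __name__ == "__main__":
    print(check_sample())   # ('ok', 'mismatch', 'unlisted')
```

A result of "ok" here, together with a good gpg signature, is what rules out a compromised mirror and leaves the antivirus middlebox as the explanation, as the thread concludes.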
 
Old 05-28-2013, 04:48 PM   #10
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 853

Rep: Reputation: 1658
False virus signature matches are quite common, though it's not quite as bad as it once was. Back when we were using .tgz it happened much more, probably because the viruses were using that compression scheme as well. A hit in an xz compressed file could be a sign that they're switching to that now. Most of the time the hits would come in the kde-l10n packages... the Russian package used to get hits all the time, probably on some common word or phrase that was nowhere near the unique signature the people working on the virus definition database thought it was.

I've probably been sent thousands of emails with subjects like "VIRUS found in Slackware!". I used to try to explain what was happening, but it was mostly useless. The reporter always had much more faith in their virus software than whatever I was saying, and even if I finally got them to understand then they often expected I'd help them convince the virus software people that a fix was needed (I did try this early on for a false hit on the Nutcracker virus, and found their ears were just as deaf).

In no case has one of these hits on Slackware files ever turned out to be real.
 
4 members found this post helpful.
Old 05-29-2013, 01:25 PM   #11
the_penguinator
Member
 
Registered: Jan 2009
Location: Canada
Distribution: slackware -current, OpenBSD, OSX
Posts: 161

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by volkerdi View Post
False virus signature matches are quite common, -snip-.

In no case has one of these hits on Slackware files ever turned out to be real.
Good to hear, Pat; this is the first false positive I think I've ever encountered.
 