From: dian_cecht@zoho.com
To: bug-guix
Subject: Possible virus found in icecat-45.5.1
Date: Mon, 26 Dec 2016 11:18:35 -0800
Message-ID: <20161226191835.GA15226@khaalida>

Wanted to report a (possible) virus in icecat (45.5.1 for me, but someone on IRC was using 45.3.0 with at least one identical checksum of one of the related files). I'm not sure if this is a false positive, but I thought it better to report it than to ignore it. Better to draw attention to a nonissue than ignore something dangerous.

I run clamdscan over my home directory daily and ran into a virus report using it. I won't go into great detail of what I did, how, and why, but long story short I removed any and all instances of the virus, rebooted, ran guix pull (I had to remove files in /gnu/store because they were apparently infected. I wasn't sure how or why, but I don't question viruses too much wrt what they can and can't do), rescanned /gnu/store (which came out clean), then reinstalled icecat.

The relevant clamdscan output follows:

/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/jid1-KtlZuoiikVfFew@jetpack.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/html5-video-everywhere@lejenome.me.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/spyblock@gnu.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/features/loop@mozilla.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/extensions/https-everywhere-eff@eff.org.xpi: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/4jv2jr91pl7p7gwsi4bincvd19gn29hi-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/browser/omni.ja: Win.Trojan.Toa-5370166-0 FOUND
/gnu/store/90xjd0x6hylkcxhf3gg3xjzf5sm2aj4d-icecat-45.5.1-gnu1/lib/icecat-45.5.1/omni.ja: Win.Trojan.Toa-5370166-0 FOUND

and for completeness' sake, sha1sums of the files in question:

for i in $(cat pastebit-this.txt | cut -d':' -f1); do sha1sum $i; done

I'm hoping this is a false positive. I run Guix on top of Gentoo and have also found the same Trojan appearing in Firefox-related files in my home directory, as well as in Wine directories (I didn't record the exact directories, but I think they were something like ../drive_c/windows/sys?????/gecko/ or something like that. Don't trust this 100%).

From: dian_cecht@zoho.com
To: 25278@debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 12:11:13 -0800
Message-ID: <20161226201112.GA17281@khaalida>

I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned ~/.mozilla and nothing related to the virus popped up with the scan.

From: ng0
To: 25278@debbugs.gnu.org
Cc: dian_cecht@zoho.com
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 22:05:24 +0000
Message-ID: <87mvfi4a8r.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>

dian_cecht@zoho.com writes:

> I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> ~/.mozilla and nothing related to the virus popped up with the scan.

So this issue is done and can be closed?

-- 
♥Ⓐ ng0
PGP keys and more: https://n0is.noblogs.org/ http://ng0.chaosnet.org

From: Leo Famulari
To: dian_cecht@zoho.com
Cc: 25278@debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 18:57:50 -0500
Message-ID: <20161226235750.GA23698@jasmine>

On Mon, Dec 26, 2016 at 12:11:13PM -0800, dian_cecht@zoho.com wrote:
> I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> ~/.mozilla and nothing related to the virus popped up with the scan.

Are the files with the same SHA1 hashes still present?

From: dian_cecht@zoho.com
To: Leo Famulari
Cc: 25278@debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 16:20:47 -0800
Message-ID: <20161227002047.GA19923@khaalida>

On Mon, Dec 26, 2016 at 06:57:50PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 12:11:13PM -0800, dian_cecht@zoho.com wrote:
> > I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> > ~/.mozilla and nothing related to the virus popped up with the scan.
>
> Are the files with the same SHA1 hashes still present?

So I rechecked the files listed in this bugreport and yes, the checksums are the same. However, they no longer list as viruses according to ClamAV. I checked my logs and I'm assuming that a database update fixed a false positive (freshclam updates the database every 2 hours on my machine, and, afaik, the virus definition was added in the last day or two).

So it looks to me like it was simply a false positive.

From: dian_cecht@zoho.com
To: Leo Famulari
Cc: 25278-done@debbugs.gnu.org
Subject: Re: bug#25278: Acknowledgement (Possible virus found in icecat-45.5.1)
Date: Mon, 26 Dec 2016 17:41:36 -0800
Message-ID: <20161227014136.GA21067@khaalida>

On Mon, Dec 26, 2016 at 08:24:15PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 04:20:47PM -0800, dian_cecht@zoho.com wrote:
> > On Mon, Dec 26, 2016 at 06:57:50PM -0500, Leo Famulari wrote:
> > > On Mon, Dec 26, 2016 at 12:11:13PM -0800, dian_cecht@zoho.com wrote:
> > > > I just wanted to add that I went ahead and ran icecat-45.5.1 then rescanned
> > > > ~/.mozilla and nothing related to the virus popped up with the scan.
> > >
> > > Are the files with the same SHA1 hashes still present?
> >
> > So I rechecked the files listed in this bugreport and yes, the checksums are the
> > same. However, they no longer list as viruses according to ClamAV. I checked my
> > logs and I'm assuming that a database update fixed a false positive (freshclam
> > updates the database every 2 hours on my machine, and, afaik, the virus
> > definition was added in the last day or two).
> >
> > So it looks to me like it was simply a false positive.
>
> Good news!
>
> You can close the bug by sending a message to
> <25278-done@debbugs.gnu.org>.

Good to know.
Thanks.

From: David Craven
To: dian_cecht@zoho.com
Cc: 25278@debbugs.gnu.org
Subject: Re: bug#25278: Possible virus found in icecat-45.5.1
Date: Tue, 3 Jan 2017 21:16:10 +0100

> I'm hoping this is a false positive. I run Guix on top of Gentoo and have also
> found the same Trojan appearing in Firefox-related files in my home directory,
> as well as in Wine directories (I didn't record the exact directories, but I
> think they were something like ../drive_c/windows/sys?????/gecko/ or something
> like that. Don't trust this 100%).

It's an anti-virus's business model to find viruses everywhere. That's how they scare you into buying a license. They usually are overly optimistic with declaring something a virus.

Besides, what's a Windows virus going to do on a Gentoo system?

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 01 Feb 2017 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
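
The check this thread converges on (same SHA1 digests, different scanner verdict after a database update) can be automated; the following is an added example, not code from the thread, Guix or ClamAV. It compares two `clamdscan` runs with the matching `sha1sum` listings and classifies each flagged path. The paths, file contents and function names are constructed for illustration; only the detection name is taken from the report.

```python
import hashlib
import string

SIG = "Win.Trojan.Toa-5370166-0"  # detection name quoted in the report


def parse_clamdscan(text):
    """Map path -> signature for '<path>: <signature> FOUND' lines; 'OK' lines are skipped."""
    hits = {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith(" FOUND"):
            path, sep, sig = line[: -len(" FOUND")].rpartition(": ")
            if sep:
                hits[path] = sig
    return hits


def parse_sha1sum(text):
    """Map path -> digest for sha1sum lines ('<40 hex>  <path>' or '<40 hex> *<path>')."""
    sums = {}
    for line in text.splitlines():
        digest, _, path = line.partition(" ")
        path = path.lstrip(" *")  # drop the text-mode space or binary-mode '*'
        if len(digest) == 40 and all(c in string.hexdigits for c in digest) and path:
            sums[path] = digest.lower()
    return sums


def triage(hits_before, sums_before, hits_after, sums_after):
    """Classify every path flagged in the first scan, using the second scan."""
    verdicts = {}
    for path in hits_before:
        old, new = sums_before.get(path), sums_after.get(path)
        if old is None or new is None:
            verdicts[path] = "no-hash"          # digest missing: nothing to compare
        elif old != new:
            verdicts[path] = "content-changed"  # different bytes: the scans are not comparable
        elif path in hits_after:
            verdicts[path] = "still-flagged"    # same bytes, same verdict
        else:
            verdicts[path] = "signature-side"   # same bytes, verdict gone: scanner database changed
    return verdicts


def identical_copies(sums):
    """Group paths that hold byte-identical content, e.g. one file under two store items."""
    groups = {}
    for path, digest in sums.items():
        groups.setdefault(digest, []).append(path)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def _sha1(data):
    return hashlib.sha1(data).hexdigest()


# Constructed sample data (not the paths or digests from the report).
A = "/gnu/store/aaaa-icecat-sample/lib/omni.ja"
B = "/gnu/store/bbbb-icecat-sample/lib/omni.ja"
C = "/home/user/sample/changed.xpi"
D = "/home/user/sample/unchanged.xpi"
SCAN_1 = "\n".join(f"{p}: {SIG} FOUND" for p in (A, B, C, D))
SUMS_1 = "\n".join([f"{_sha1(b'omni')}  {A}", f"{_sha1(b'omni')}  {B}",
                    f"{_sha1(b'c-v1')}  {C}", f"{_sha1(b'd')}  {D}"])
SCAN_2 = "\n".join([f"{A}: OK", f"{B}: OK", f"{C}: OK", f"{D}: {SIG} FOUND"])
SUMS_2 = "\n".join([f"{_sha1(b'omni')}  {A}", f"{_sha1(b'omni')}  {B}",
                    f"{_sha1(b'c-v2')}  {C}", f"{_sha1(b'd')}  {D}"])


def run_example():
    verdicts = triage(parse_clamdscan(SCAN_1), parse_sha1sum(SUMS_1),
                      parse_clamdscan(SCAN_2), parse_sha1sum(SUMS_2))
    return verdicts, identical_copies(parse_sha1sum(SUMS_1))


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

Only the "signature-side" outcome supports the false-positive reading reached in the thread; "content-changed" means the second scan looked at different bytes and says nothing about the first.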