Today I received an email from Google Code saying that my PyProxySwitch project contains malware and has been "taken down". The original text reads:
Hi pyproxyswitch project owner,

We have detected malware in your project hosted on Google Code. To make the web safer, we have taken down your project. You must remove this malware before we can republish your project. More information about how to clean your computers and your project can be found here:
http://code.google.com/p/support/wiki/FAQ#What_should_I_do_when_I_am_notified_that_my_project_contains_mal

Once you have fixed the problem, reply to this email to request a review of your project.

The Google Code team
I went to the project's home page, and there it was in big letters: "Scheduled for deletion due to Violation of TOS." Heavens, this is unjust: the project has been fine since it was created on 2009-08-20, and I have not updated it at all since 2009-12-9, so where did malware suddenly come from? I scanned it with VirusTotal, and sure enough it found the so-called "malware":
File PyProxySwitch.zip received on 2010.04.10 06:50:10 (UTC)

Antivirus engine    Version           Last update   Result
a-squared           4.5.0.50          2010.04.10    -
AhnLab-V3           5.0.0.2           2010.04.09    -
AntiVir             7.10.6.55         2010.04.09    SPR/Tool.3212
Antiy-AVL           2.0.3.7           2010.04.09    Server-Proxy/Win32.3proxy.gen
Authentium          5.2.0.5           2010.04.09    -
Avast               4.8.1351.0        2010.04.09    -
Avast5              5.0.332.0         2010.04.09    -
AVG                 9.0.0.787         2010.04.09    -
BitDefender         7.2               2010.04.10    -
CAT-QuickHeal       10.00             2010.04.09    -
ClamAV              0.96.0.3-git      2010.04.10    -
Comodo              4552              2010.04.10    ApplicUnsaf.Win32.ServerProxy.3proxy.~B
DrWeb               5.0.2.03300       2010.04.10    -
eSafe               7.0.17.0          2010.04.08    Win32.Server.Proxy.P
eTrust-Vet          35.2.7418         2010.04.09    -
F-Prot              4.5.1.85          2010.04.09    -
F-Secure            9.0.15370.0       2010.04.10    -
Fortinet            4.0.14.0          2010.04.08    Misc/3proxy
GData               19                2010.04.10    -
Ikarus              T3.1.1.80.0       2010.04.10    not-a-virus:Server-Proxy.Win32.3proxy
Jiangmin            13.0.900          2010.04.10    -
Kaspersky           7.0.0.125         2010.04.10    not-a-virus:Server-Proxy.Win32.3proxy.bq
McAfee-GW-Edition   6.8.5             2010.04.09    Riskware.Tool.3212
Microsoft           1.5605            2010.04.10    Program:Win32/TinyProxy
NOD32               5014              2010.04.09    a variant of Win32/3Proxy.O
Norman              6.04.11           2010.04.09    Suspicious_Gen2.ABHVU
nProtect            2009.1.8.0        2010.04.06    -
Panda               10.0.2.2          2010.04.09    Trj/CI.A
PCTools             7.0.3.5           2010.04.10    Hacktool.Proxy
Prevx               3.0               2010.04.10    -
Rising              22.42.04.03       2010.04.09    -
Sophos              4.52.0            2010.04.10    -
Sunbelt             6159              2010.04.10    -
Symantec            20091.2.0.41      2010.04.10    Hacktool.Proxy
TheHacker           6.5.2.0.259       2010.04.10    -
TrendMicro          9.120.0.1004      2010.04.10    BKDR_AGENT.DZ
VBA32              3.12.12.4         2010.04.09    -
ViRobot             2010.4.10.2270    2010.04.10    -
VirusBuster         5.0.27.0          2010.04.09    -
Additional information

File size: 981967 bytes
MD5...: c2a195f137c7c8f023817e961f3921f0
SHA1..: 5b8e0ce011395c63b3bc152104fbb660851549e1
SHA256: 69e63f67d511a35e16466b313a9455b11a23e8a21e99879829c57ab02c50ab08
ssdeep: 12288:kPfmm2U+XfFbI2m1EOjFCgckemc5GJVNINxUfz3C/AdE0b9p6dHtLjguz3yai9OZ:kPx78fy0gcks0JXIvUfm6t6n3SHGtBuS
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: ZIP compressed archive (100.0%)
sigcheck:
  publisher....: n/a
  copyright....: n/a
  product......: n/a
  description..: n/a
  original name: n/a
  internal name: n/a
  file version.: n/a
  comments.....: n/a
  signers......: -
  signing date.: -
  verified.....: Unsigned
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
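Reading a report like the one above takes two steps a practitioner would do by hand: confirm that the hashes in the report belong to the archive actually published, and sort the engine labels into families, since a "not-a-virus"/"Riskware"/"Hacktool" label for a bundled proxy tool means something quite different from a "Trj"/"BKDR" verdict. The script below is an added example written for this post, not code from PyProxySwitch or from VirusTotal. The engine lines are a constructed subset of the report above, and the label families (the three regular expressions) are my own grouping heuristic, not any vendor's taxonomy.

```python
"""Triage a VirusTotal-style engine report ("engine version date result"
lines) and verify that the scanned file is the release you think it is.
Added example; the label families below are a grouping heuristic."""
import hashlib
import re
from collections import defaultdict

# Constructed subset of the report above. "-" means the engine did not flag it.
SAMPLE_REPORT = """\
a-squared 4.5.0.50 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 SPR/Tool.3212
Antiy-AVL 2.0.3.7 2010.04.09 Server-Proxy/Win32.3proxy.gen
Avast 4.8.1351.0 2010.04.09 -
BitDefender 7.2 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.10 -
Comodo 4552 2010.04.10 ApplicUnsaf.Win32.ServerProxy.3proxy.~B
eSafe 7.0.17.0 2010.04.08 Win32.Server.Proxy.P
F-Secure 9.0.15370.0 2010.04.10 -
Fortinet 4.0.14.0 2010.04.08 Misc/3proxy
Ikarus T3.1.1.80.0 2010.04.10 not-a-virus:Server-Proxy.Win32.3proxy
Kaspersky 7.0.0.125 2010.04.10 not-a-virus:Server-Proxy.Win32.3proxy.bq
McAfee-GW-Edition 6.8.5 2010.04.09 Riskware.Tool.3212
Microsoft 1.5605 2010.04.10 Program:Win32/TinyProxy
NOD32 5014 2010.04.09 a variant of Win32/3Proxy.O
Norman 6.04.11 2010.04.09 Suspicious_Gen2.ABHVU
Panda 10.0.2.2 2010.04.09 Trj/CI.A
PCTools 7.0.3.5 2010.04.10 Hacktool.Proxy
Sophos 4.52.0 2010.04.10 -
Symantec 20091.2.0.41 2010.04.10 Hacktool.Proxy
TrendMicro 9.120.0.1004 2010.04.10 BKDR_AGENT.DZ
"""

# Label families, tested in this order; a label gets the first family that
# matches. These patterns are an assumption of this example, not a standard.
MALWARE = re.compile(r"trj/|trojan|bkdr|backdoor")      # real malicious verdict
HEURISTIC = re.compile(r"^suspicious")                   # generic/reputation only
PUA = re.compile(r"not-a-virus|riskware|applicunsaf|hacktool|"
                 r"^program:|^spr/|^misc/|proxy")        # known tool, "unsafe app"


def parse_report(text):
    """Return (engine, result) pairs; result is None for a clean line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # result may itself contain spaces
        if len(parts) < 4:
            continue
        engine, _version, _date, result = parts
        result = result.strip()
        rows.append((engine, None if result == "-" else result))
    return rows


def classify(label):
    low = label.lower()
    if MALWARE.search(low):
        return "malware"
    if HEURISTIC.search(low):
        return "heuristic"
    if PUA.search(low):
        return "pua"
    return "other"


def triage(text):
    """Detection count plus the engines grouped by label family."""
    rows = parse_report(text)
    families = defaultdict(list)
    for engine, result in rows:
        if result is not None:
            families[classify(result)].append(engine)
    hits = sum(len(v) for v in families.values())
    return {"engines": len(rows), "hits": hits, "families": dict(families)}


def verify_hashes(data, expected):
    """Compare md5/sha1/sha256 of `data` with the digests from the report.
    Returns the algorithms that do NOT match (empty list means all match)."""
    return [algo for algo, want in expected.items()
            if hashlib.new(algo, data).hexdigest() != want.lower()]


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t['hits']}/{t['engines']} engines flagged the file")
    for family, engines in sorted(t["families"].items()):
        print(f"  {family:9s} {len(engines):2d}  {', '.join(engines)}")
```

Run against the real archive, `verify_hashes(open("PyProxySwitch.zip", "rb").read(), {"md5": ..., "sha1": ..., "sha256": ...})` with the digests from the report tells you whether the flagged file is the one you shipped before you start deleting things; the family breakdown then shows whether the hits are mostly "tool that can be abused" labels on the bundled proxy or genuine trojan/backdoor verdicts, which would call for a much closer look at the archive contents.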
Now I finally understand. This project, written by Kder, is a program for switching proxies quickly, and it bundles a few proxy programs (3proxy, polipo, ip_relay). Because 3proxy is fairly powerful (it was written by Russians), somebody has probably used it as a backdoor proxy or the like, so some of the antivirus products above report it as malware. What made me laugh and cry at the same time is that Kaspersky reports it as not-a-virus; 3proxy and Kaspersky both come from Russia, heh, favouritism?

What a pity. There is nothing for it, so I will just delete 3proxy first.

But even deleting the file is not that easy. I tried with all my might and could not find a way to delete the files in the Download list. Later I looked it up and learned: once a file has been uploaded to Google Code and somebody has downloaded it, it cannot be deleted any more (a freshly uploaded file that nobody has downloaded yet can be deleted); it can only be marked as deprecated, or you contact an administrator to remove it manually. You need not worry that these files will leave your project short of space; the quota will be increased automatically. See: http://osdir.com/ml/HostingatGoogleCode/2009-02/msg00116.html
    However, once a file has been out there for a period of time and has been downloaded a number of times, it is too late. The file is already cached in many places around the internet and you can only deprecate it. Don't worry about the space that it takes up, quotas are just there to limit abuse, we are happy to increase the quota for legitimate OSS projects as needed. If you discover late that some file that you thought was good and that has been out there for a while, actually contains sensitive data or something, then file an issue in the "support" project and we will manually take the file down for you.
(There is a write-up of a method for deleting files on Google Code, but I tried it and it does not work: Delete a file from Google Code Hosted Project, http://www.techquark.com/2009/09/delete-file-from-google-code-hosted.html)

The files under Download cannot be deleted, but surely the ones in the repository can? And yet...
    $ hg push
    http authorization required
    realm: Google Code Mercurial Repository
    user:
    password:
    pushing to https://pyproxyswitch.googlecode.com/hg/
    searching for changes
    abort: authorization failed
I removed 3proxy from my local repository and wanted to push the change to the repository on the server, but got the error above. I am truly speechless. So I had no choice but to email the administrators; there has been no reply yet, but it should not be hard to resolve.