Re: antivir - net-tools - trojan horse

[Tom Mitchell <mitch48@xxxxxxxxxxxxx>]

On Sat, 13 Dec 2003, Olaf Mueller wrote:
> 
> checking my filesystem with antivir (H+BEDV Datentechnik GmbH,
> AntiVir / Linux Version 2.0.9-6, VDF version: 6.23.0.9 created 12 Dec
> 2003) runs into the following alert. Antivir says that the files
> /usr/share/locale/<pt_BR,fr,de,cs>/LC_MESSAGES/net-tools.mo are
> infected with trojan horse "TR/HackToolX.RK.1".

What is the md5sum result for each of these suspect files on your
system. As far as I can tell FC1 and RH9 have identicle bits so
if true this is _interesting_.

I did check one (fr) against norton on yahoo mail's attachment
scanner and it was ok. By chance is this file system shared
samba/NFS/pcnfs with a Microsoft OS or perhaps is your system
dual boot where you share this file system with multiple OSs?
Wine?

Anyhow here is the set of md5sum values for my copies of these
files. Do others have different values?  What are your md5sum 
check values?

On Fedora (FC1):
$ md5sum /usr/share/locale/{pt_BR,fr,de,cs}/LC_MESSAGES/net-tools.mo
7d8730b30d88256c63e9b60be387c65a  /usr/share/locale/pt_BR/LC_MESSAGES/net-tools.mo
d4fa9ed7191ad0a00cf2556950414922  /usr/share/locale/fr/LC_MESSAGES/net-tools.mo
18bed885c2f7a319a0ad2e80c7ca3941  /usr/share/locale/de/LC_MESSAGES/net-tools.mo
f5586f3464a9d1f46bf760bc3436d6d6  /usr/share/locale/cs/LC_MESSAGES/net-tools.mo

Also the normal beginner advice that you might not need, be sure
to operate as a normal (not root) user whenever possible. The
normal file and directory permissions protect the files from
being messed with in simple ways.  Check file dates, permissions,
ownership and the directories too.

Here are my file and dir permissions by way of example:
$ ls -l /usr/share/locale/{pt_BR,fr,de,cs}/LC_MESSAGES/net-tools.mo
-rw-r--r--    1 root     root        46605 Feb 11  2003 /usr/share/locale/cs/LC_MESSAGES/net-tools.mo
-rw-r--r--    1 root     root        46671 Feb 11  2003 /usr/share/locale/de/LC_MESSAGES/net-tools.mo
-rw-r--r--    1 root     root        40920 Feb 11  2003 /usr/share/locale/fr/LC_MESSAGES/net-tools.mo
-rw-r--r--    1 root     root        48498 Feb 11  2003 /usr/share/locale/pt_BR/LC_MESSAGES/net-tools.mo
$ ls -ld /usr/share/locale/{pt_BR,fr,de,cs}/LC_MESSAGES/
drwxr-xr-x    2 root     root        16384 Dec 10 22:53 /usr/share/locale/cs/LC_MESSAGES/
drwxr-xr-x    2 root     root        16384 Dec 10 22:53 /usr/share/locale/de/LC_MESSAGES/
drwxr-xr-x    2 root     root        16384 Dec 10 22:53 /usr/share/locale/fr/LC_MESSAGES/
drwxr-xr-x    2 root     root        16384 Dec 10 22:53 /usr/share/locale/pt_BR/LC_MESSAGES/

-- 
	T o m  M i t c h e l l
	mitch48 -a*t- yahoo-dot-com