Re: ethtool trojan detected by NAI


 



On Thu, 15.01.2004 at 17:31, Jason Montleon wrote:
> I caught output of my virusscan stating that /sbin/ethtool was a trojan or
> variant Linux/Exploit last night after updating to the new DAT files.  By
> default the virus scan moves the files to a folder I've specified, so I
> double checked that /sbin/ethtool did in fact no longer exist, downloaded
> the (presumably clean) RPM from
> http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/, (couldn't find an
> md5sum for the rpm to compare against; perhaps just didn't try hard enough)
> rpm --force -ivh ethtool* and this is what I got:
> 
> [root@xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
> /sbin/ethtool
>         Found trojan or variant Linux/Exploit !!!
>         Please send a copy of the file to Network Associates
> 
> Anyone at RedHat/Fedora have insight?  I'm guessing a false positive at this
> point, but of course would prefer to be certain.  A full system scan with
> McAfee (uvscan --allole --ignore-links --move
> /opt/mcafee/infected --mime --recursive --program --secure --summary --afc
> 192 /) and ChkRootKit finds nothing else out of the ordinary besides this, and
> has never before the 4314 DATs.  I'm also sending the file to NAI so they
> can analyze it as well, but thought someone here might have already noticed
> and heard back.
> 
> Jason

Hi Jason!

I can confirm this. With uvscan version 4.2.40 and dat file 4313 the
scan of /sbin/ethtool was ok. So I just updated the dat file to 4314 and
got the exploit warning as well.

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653



