Verified here with the latest uvscan and dat 4314.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: fedora-list-admin@xxxxxxxxxx
> [mailto:fedora-list-admin@xxxxxxxxxx]On Behalf Of Alexander Dalloz
> Sent: 15 January 2004 17:37
> To: fedora-list@xxxxxxxxxx
> Subject: Re: ethtool trojan detected by NAI
>
> On Thu, 15.01.2004 at 17:31, Jason Montleon wrote:
> > I caught output of my virusscan stating that /sbin/ethtool was a trojan or
> > variant Linux/Exploit last night after updating to the new DAT files. By
> > default the virus scan moves the files to a folder I've specified, so I
> > double checked that /sbin/ethtool did in fact no longer exist, downloaded
> > the (presumably clean) RPM from
> > http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/, (couldn't find an
> > md5sum for the rpm to compare against; perhaps just didn't try hard enough)
> > rpm --force -ivh ethtool* and this is what I got:
> >
> > [root@xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
> > /sbin/ethtool
> >         Found trojan or variant Linux/Exploit !!!
> >         Please send a copy of the file to Network Associates
> >
> > Anyone at RedHat/Fedora have insight? I'm guessing a false positive at this
> > point, but of course would prefer to be certain. A full system scan with
> > Mcafee (uvscan --allole --ignore-links --move
> > /opt/mcafee/infected --mime --recursive --program --secure --summary --afc
> > 192 /) and ChkRootKit finds nothing else out of the ordinary besides this, and
> > has never before the 4314 DAT's. I'm also sending the file to NAI so they
> > can analyze it as well, but thought someone here might have already noticed
> > and heard back.
> >
> > Jason
>
> Hi Jason!
>
> I can confirm this. With uvscan version 4.2.40 and dat file 4313 the
> scan of /sbin/ethtool was ok. So I just updated the dat file to 4314 and
> got the exploit warning as well.
>
> Alexander
>
> --
> Alexander Dalloz | Enger, Germany
> PGP key valid: made 13.07.1999
> PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
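
The thread leaves open how to tell whether the flagged /sbin/ethtool is still the file the package shipped. The following is an added example, not part of the original messages: it classifies one path from `rpm -V` output. The helper names `classify_rpm_verify` and `check_packaged_file` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# Read `rpm -V` output on stdin and report the state of one path:
#   modified      digest differs from the RPM database ("5" in the flags)
#   missing       file is gone (e.g. moved away by a scanner's quarantine)
#   other-change  a line was printed, but the digest flag is not set
#   clean         rpm -V printed no line for the path
classify_rpm_verify() {
    awk -v target="$1" '
        $NF != target   { next }
        $1 == "missing" { state = "missing"; exit }
                        { state = (index($1, "5") ? "modified" : "other-change"); exit }
        END             { print (state == "" ? "clean" : state) }
    '
}

# Verify the installed package and classify a single path it owns.
# Usage on a live system: check_packaged_file ethtool /sbin/ethtool
check_packaged_file() {
    rpm -V "$1" | classify_rpm_verify "$2"
}

# Constructed sample of `rpm -V` output (not captured from a real host).
SAMPLE_VERIFY_OUTPUT='S.5....T.    /sbin/ethtool
.......T.  c /etc/example.conf
missing     /usr/share/man/man8/ethtool.8.gz'

printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | classify_rpm_verify /sbin/ethtool   # prints: modified
```

`rpm -V` compares against the local RPM database, so its answer is only as trustworthy as the host itself. For a freshly downloaded package, `rpm -K <package file>` checks the package's own digests and signature before it is installed.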