Re: ethtool trojan detected by NAI

On Thu, Jan 15, 2004 at 05:16:28PM +0000, Andy Green wrote:
> On Thursday 15 January 2004 16:31, Jason Montleon wrote:
> 
> > I caught output of my virusscan stating that /sbin/ethtool was a trojan or
> 
> Here's some info from my hopefully clean Fedora system:
> 
> [agreen@fastcat agreen]$ md5sum /sbin/ethtool
> febe7cd9294fc766dfa4126298b9f7ec  /sbin/ethtool
> [agreen@fastcat agreen]$ rpm -q ethtool
> ethtool-1.8-2.1
> [agreen@fastcat agreen]$ ll /sbin/ethtool
> -rwxr-xr-x    1 root     root        83684 Sep  5 21:14 /sbin/ethtool

Did you verify it against the RPM package? I did:

[root@charlesc mail]# which ethtool
/sbin/ethtool
[root@charlesc mail]# md5sum `which ethtool`
b33eb8e074b4a77311bf8cf8de6cf12b  /sbin/ethtool
[root@charlesc mail]# rpm -qf `which ethtool`
ethtool-1.8-2.1
[root@charlesc mail]# rpm -V ethtool
[root@charlesc mail]# ll `which ethtool`
-rwxr-xr-x    1 root     root        83684 Sep  5 14:14 /sbin/ethtool


Notice that while my length and date agree with yours, my time and
md5sum do not.

I don't use a virus scanner, so can't say if I got a hit, false or
not.

After writing this, I checked on four systems I have around here. One
is my firewall, presumed compromised :-); one my desktop, probably not
compromised; one a test machine which is rarely turned on, probably
not compromised, and one my laptop, probably not compromised (and
which has not been on any network other than mine since FC1 was
installed on a fresh install).

Results: Date and time agree on all four. Two have the length reported
above. All report different md5sums. All pass "rpm -V ethtool", but in
two cases (where I just upgraded the kernel) I get messages about
prelinking and dependencies.

Question: is prelinking the culprit on the length and md5sum
differences?

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB

Attachment: pgpuaUFB70UoO.pgp
Description: PGP signature
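One way to settle the closing question about prelinking, added here as an example and not code from anyone in the thread: prelink rewrites an ELF binary in place (relocations and dependency data are patched into the file), so a plain md5sum of a prelinked /sbin/ethtool will differ from machine to machine and from the packaged file even when nothing is wrong, while rpm -V still passes because it undoes prelinking before comparing. The script below does that comparison explicitly: it reads the digest rpm recorded at install time from `rpm -q --dump`, computes the on-disk digest after `prelink -y` has reversed the prelinking, and reports whether they agree. Assumptions not taken from the thread: the `rpm -q --dump` column order given in the comments, that `prelink -y FILE` writes the un-prelinked image to stdout without touching the file, and the sample dump lines, which are constructed (the /sbin/ethtool digest is Andy's, the mtime and man-page line are made up).

```shell
#!/bin/sh
# Added example, not code from the thread: compare one installed file with the
# md5 the RPM database recorded for it, undoing prelink first when the file is
# an ELF object and the prelink tool is present.

# Constructed sample of `rpm -q --dump ethtool` output so the parser can be
# exercised on a box without rpm.  Column order is the one rpm documents:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
SAMPLE_DUMP='/sbin/ethtool 83684 1062792840 febe7cd9294fc766dfa4126298b9f7ec 0100755 root root 0 0 0 X
/usr/share/man/man8/ethtool.8.gz 2048 1062792840 0123456789abcdef0123456789abcdef 0100644 root root 0 1 0 X'

# True when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Read `rpm -q --dump PKG` output on stdin and print the digest recorded for
# the path given as $1 (nothing if the package does not own that path).
recorded_digest() {
    awk -v p="$1" '$1 == p { print $4; exit }'
}

# md5 of the file as it is on disk.  `prelink -y FILE` emits the un-prelinked
# image on stdout (assumption stated in the lead-in); fall back to the raw
# bytes when prelink is missing or the file is not ELF.
on_disk_digest() {
    if is_elf "$1" && command -v prelink >/dev/null 2>&1; then
        prelink -y "$1" | md5sum | awk '{ print $1 }'
    else
        md5sum < "$1" | awk '{ print $1 }'
    fi
}

# 0 when the digests agree, 1 when they differ, 2 when no digest was recorded.
compare_digests() {
    [ -n "$1" ] || return 2
    [ "$1" = "$2" ] || return 1
    return 0
}

# Full check of one installed file, e.g. `check_file /sbin/ethtool`.
# Needs rpm on the path; returns the compare_digests status.
check_file() {
    path="$1"
    pkg=$(rpm -qf "$path") || return 2
    want=$(rpm -q --dump "$pkg" | recorded_digest "$path")
    have=$(on_disk_digest "$path")
    compare_digests "$want" "$have"
    rc=$?
    case $rc in
        0) echo "$path: OK, matches $pkg ($have)" ;;
        1) echo "$path: MISMATCH, $pkg recorded $want, on disk $have" >&2 ;;
        *) echo "$path: no digest recorded for it in $pkg" >&2 ;;
    esac
    return $rc
}

# Check every path given on the command line; exit non-zero on any mismatch.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_file "$f" || status=1
    done
    exit $status
fi
```

Run it as `sh check_rpm_file.sh /sbin/ethtool` on each of the four boxes; if the digests agree once prelinking is undone, the differing md5sums were prelink's doing. The caveat for the firewall: this compares against the RPM database on the same host, and an intruder with root can rewrite that database along with the binary, so on a box you already suspect verify against a copy of the original package fetched from a trusted mirror (`rpm -Vp` on the .rpm file), ideally from rescue media rather than the running system.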

