ethtool trojan detected by NAI
Andy Green
fedora at warmcat.com
Thu Jan 15 17:16:28 UTC 2004
On Thursday 15 January 2004 16:31, Jason Montleon wrote:
> I caught output of my virusscan stating that /sbin/ethtool was a trojan or
Here's some info from my hopefully clean Fedora system:
[agreen at fastcat agreen]$ md5sum /sbin/ethtool
febe7cd9294fc766dfa4126298b9f7ec /sbin/ethtool
[agreen at fastcat agreen]$ rpm -q ethtool
ethtool-1.8-2.1
[agreen at fastcat agreen]$ ll /sbin/ethtool
-rwxr-xr-x 1 root root 83684 Sep 5 21:14 /sbin/ethtool
A way forward would be to use scp FROM ANOTHER MACHINE to snarf the evil
ethtool. Don't scp it from your suspect machine to the other machine, or you
may give someone your password to the other machine.
Then run md5sum on it from the other machine and see what you see. The
concept is that md5sum on your local machine may have been rootkitted along
with ethtool.
But most likely it is just a random binary match... or maybe on code to put
the network interface into promiscuous or something.
-Andy
--
Find your answer without waiting for replies....
Searchable list archives at
http://marc.theaimsgroup.com/?l=fedora-list&r=1&w=2
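
The check described in the message above, written to run on the trusted machine, as an added example that is not part of the original post. The function names and the host name in the usage comment are assumptions; the reference digest in that comment is the one posted above for ethtool-1.8-2.1.

```bash
#!/usr/bin/env bash
# Run this on the TRUSTED machine. Nothing here executes on the suspect host
# except the sshd/scp server side that hands the file over.

# Print only the MD5 digest of a file, using this machine's own md5sum.
file_md5() {
    md5sum -- "$1" | awk '{print $1}'
}

# Compare a retrieved file with a reference digest (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or empty.
check_against_reference() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "MATCH    $file $actual"
        return 0
    fi
    echo "MISMATCH $file got=$actual expected=$expected"
    return 1
}

# Pull the suspect binary to this machine and check it here.
# The connection is opened from the trusted side, so no credential for the
# trusted machine is ever typed on the suspect one.
pull_and_check() {
    local suspect_host=$1 remote_path=$2 expected=$3 dest
    dest=$(mktemp -d) || return 2
    scp -q "${suspect_host}:${remote_path}" "$dest/suspect.bin" || return 2
    chmod 0400 "$dest/suspect.bin"   # keep it as data; never run it
    check_against_reference "$dest/suspect.bin" "$expected"
}

# Usage (suspect-host is a placeholder name):
#   pull_and_check suspect-host /sbin/ethtool febe7cd9294fc766dfa4126298b9f7ec
```

A mismatch only shows that the file differs from that one reference copy; a different package build of ethtool will also produce a different digest.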