ethtool trojan detected by NAI

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Jan 15 17:37:06 UTC 2004


On Thu, 15.01.2004 at 17:31, Jason Montleon wrote:
> I caught output of my virusscan stating that /sbin/ethtool was a trojan or
> variant Linux/Exploit last night after updating to the new DAT files.  By
> default the virus scan moves the files to a folder I've specified, so I
> double checked that /sbin/ethtool did in fact no longer exist, downloaded
> the (presumably clean) RPM from
> http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/ (couldn't find an
> md5sum for the rpm to compare against; perhaps just didn't try hard enough),
> rpm --force -ivh ethtool* and this is what I got:
> 
> [root at xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
> /sbin/ethtool
>         Found trojan or variant Linux/Exploit !!!
>         Please send a copy of the file to Network Associates
> 
> Anyone at RedHat/Fedora have insight?  I'm guessing a false positive at this
> point, but of course would prefer to be certain.  A full system scan with
> McAfee (uvscan --allole --ignore-links --move
> /opt/mcafee/infected --mime --recursive --program --secure --summary --afc
> 192 /) and ChkRootKit finds nothing else out of the ordinary besides this, and
> has never before the 4314 DATs.  I'm also sending the file to NAI so they
> can analyze it as well, but thought someone here might have already noticed
> and heard back.
> 
> Jason

Hi Jason!

I can confirm this. With uvscan version 4.2.40 and dat file 4313 the
scan of /sbin/ethtool was ok. So I just updated the dat file to 4314 and
got the exploit warning as well.

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653