ethtool trojan detected by NAI

Charles Curley charlescurley at charlescurley.com
Thu Jan 15 18:16:10 UTC 2004


On Thu, Jan 15, 2004 at 05:16:28PM +0000, Andy Green wrote:
> On Thursday 15 January 2004 16:31, Jason Montleon wrote:
> 
> > I caught output of my virusscan stating that /sbin/ethtool was a trojan or
> 
> Here's some info from my hopefully clean Fedora system:
> 
> [agreen at fastcat agreen]$ md5sum /sbin/ethtool
> febe7cd9294fc766dfa4126298b9f7ec  /sbin/ethtool
> [agreen at fastcat agreen]$ rpm -q ethtool
> ethtool-1.8-2.1
> [agreen at fastcat agreen]$ ll /sbin/ethtool
> -rwxr-xr-x    1 root     root        83684 Sep  5 21:14 /sbin/ethtool

Did you verify it against the RPM package? I did:

[root at charlesc mail]# which ethtool
/sbin/ethtool
[root at charlesc mail]# md5sum `which ethtool`
b33eb8e074b4a77311bf8cf8de6cf12b  /sbin/ethtool
[root at charlesc mail]# rpm -qf `which ethtool`
ethtool-1.8-2.1
[root at charlesc mail]# rpm -V ethtool
[root at charlesc mail]# ll `which ethtool`
-rwxr-xr-x    1 root     root        83684 Sep  5 14:14 /sbin/ethtool


Notice that while my length and date agree with yours, my time and
md5sum do not.

I don't use a virus scanner, so can't say if I got a hit, false or
not.

After writing this, I checked on four systems I have around here. One
is my firewall, presumed compromised :-); one my desktop, probably not
compromised; one a test machine which is rarely turned on, probably
not compromised, and one my laptop, probably not compromised (and
which has not been on any network other than mine since FC1 was
installed on a fresh install).

Results: Date and time agree on all four. Two have the length reported
above. All report different md5sums. All pass "rpm -V ethtool", but in
two cases (where I just upgraded the kernel) I get messages about
prelinking and dependencies.

Question: is prelinking the culprit on the length and md5sum
differences?

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
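The check the thread is circling around, as an added example that is not code from any of the posters: compare the installed file against the package manifest the way `rpm -V` does, column by column, and treat a prelinked binary as "md5 cannot be compared directly" rather than as tampered. On a real host the equivalent is `rpm -q --dump ethtool` for the recorded attributes and `prelink -y /sbin/ethtool | md5sum` for the pre-prelink digest; the script below simulates that offline with three constructed files (untouched, one byte flipped, and one carrying the `.gnu.prelink_undo` section name that prelink adds). The manifest format assumed is the column order of `rpm -q --dump` (path size mtime digest mode owner group isconfig isdoc rdev symlink); the mtime there is an epoch value, so the kind of hour difference `ll` shows between hosts in different timezones does not enter into it. Detecting prelink by the section name is a heuristic; `prelink -y` is the authoritative undo.

```python
"""Verify installed files against an RPM manifest the way `rpm -V` does, and
treat prelinked binaries as "md5 not comparable" instead of as tampered.
Added example, not code from the thread. Assumes the column order of
`rpm -q --dump` (path size mtime digest mode owner group ...)."""
import hashlib
import os
import stat
import tempfile

# prelink adds a section of this name to every binary it rewrites, so the
# name shows up in the file's section-name string table. Heuristic only;
# `prelink -y PATH` (which writes the original image to stdout) is definitive.
PRELINK_MARKER = b".gnu.prelink_undo"


def parse_dump(text):
    """Parse `rpm -q --dump PKG` lines into {path: attributes}."""
    entries = {}
    for line in text.strip().splitlines():
        f = line.split()
        entries[f[0]] = {
            "size": int(f[1]),
            "mtime": int(f[2]),        # seconds since the epoch: no timezone
            "md5": f[3],
            "mode": int(f[4], 8),      # octal, includes the file-type bits
            "owner": f[5],
            "group": f[6],
        }
    return entries


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_prelinked(path):
    with open(path, "rb") as fh:
        return PRELINK_MARKER in fh.read()


def verify(entry, path):
    """Return an rpm -V style flag string in column order S M 5 D L U G T
    ('.' = test passed, '?' = test could not be performed) plus a note."""
    st = os.lstat(path)
    flags = ["."] * 8
    note = ""
    if st.st_size != entry["size"]:
        flags[0] = "S"
    if stat.S_IMODE(st.st_mode) != stat.S_IMODE(entry["mode"]):
        flags[1] = "M"
    if md5_file(path) != entry["md5"]:
        if is_prelinked(path):
            # rpm stores the digest of the file as packaged; prelink rewrites
            # the on-disk image, so rpm -V undoes prelink before hashing.
            # Without prelink available, report the test as not performed.
            flags[2] = "?"
            note = "prelinked: compare `prelink -y %s | md5sum` instead" % path
        else:
            flags[2] = "5"
    if int(st.st_mtime) != entry["mtime"]:
        flags[7] = "T"
    # D, L, U and G (device, symlink target, owner, group) are not checked here.
    return "".join(flags), note


def run_sample():
    """Build three constructed files and verify each against a constructed
    manifest: one untouched, one with a byte flipped, one 'prelinked'."""
    original = b"\x7fELF" + b"constructed stand-in for /sbin/ethtool" * 8
    mtime = 1062792840   # constructed epoch value
    results = {}
    with tempfile.TemporaryDirectory() as d:
        files = {
            "clean": original,
            "tampered": original[:-1] + b"!",            # same size, new md5
            "prelinked": original + b"\0" + PRELINK_MARKER + b"\0" * 16,
        }
        manifest = ""
        for name, data in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o755)
            os.utime(path, (mtime, mtime))
            # The manifest always records the file as packaged (original bytes).
            manifest += "%s %d %d %s 0100755 root root 0 0 0 X\n" % (
                path, len(original), mtime, hashlib.md5(original).hexdigest())
        entries = parse_dump(manifest)
        for name in files:
            path = os.path.join(d, name)
            results[name] = verify(entries[path], path)
    return results


if __name__ == "__main__":
    for name, (flags, note) in run_sample().items():
        print(flags, name, note)
```

Running it prints `........ clean`, `..5..... tampered` and `S.?..... prelinked` with the note telling you to rehash the prelink output. The practical lesson for the thread's question is that a bare `md5sum` of a prelinked binary is not comparable between hosts or against the package; a clean `rpm -V` (which already undoes prelink) or a matching `prelink -y` digest is the meaningful check.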