ethtool trojan detected by NAI

Charles Curley charlescurley at charlescurley.com
Thu Jan 15 19:52:21 UTC 2004


On Thu, Jan 15, 2004 at 07:44:09PM +0100, Leonard den Ottolander wrote:
> Hi Charles,
> 
> > > -rwxr-xr-x    1 root     root        83684 Sep  5 21:14 /sbin/ethtool
> 
> > -rwxr-xr-x    1 root     root        83684 Sep  5 14:14 /sbin/ethtool
> > 
> > 
> > Notice that while my length and date agree with yours, my time and
> > md5sum do not.
> 
> I explained the md5sum mismatch in my other post (indeed prelink). 

You did, and I ran your command line on three of the four machines
(after forcing prelink on the two I had just updated). They agree:

[root at issola root]# /usr/sbin/prelink -N --verify --md5 /sbin/ethtool
664b71f93f11aac80957f19273288f01  /sbin/ethtool

One machine of the four does not have prelink on it, and it gave the
same md5sum.

[root at jhereg root]# md5sum `which ethtool`
664b71f93f11aac80957f19273288f01  /sbin/ethtool


> The difference in date is because your RTC probably uses local time,
> and his GMT.

Good point.


> 
> > Question: is prelinking the culprit on the length and md5sum
> > differences?
> 
> I haven't read anything on length mismatches.

OK. I note that the description of prelink in "rpm -qif
/usr/sbin/prelink" indicates that it modifies both libraries and
executables. It does not indicate whether prelink changes the length.

If the different lengths give different md5sums, but running the file
through prelink gives the same md5sum, I conjecture that prelink
accounts for the length difference.

Also, if I examine the ctime, it shows the time when I last ran
prelink. E.g.:

[root at issola root]# ll -c `which ethtool`
-rwxr-xr-x    1 root     root        83456 Jan 15 12:15 /sbin/ethtool

On the machine which does not have prelink, the ctime is the
installation date.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
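The check discussed in this thread, as an added example that is not part of the post or of the prelink project: a small Python script that decides, per binary, whether the file has been prelinked (prelink records its undo data in a section named .gnu.prelink_undo, which is what makes the on-disk length and md5sum differ from a non-prelinked host) and hashes either the raw file or the undone image produced by `prelink -N --verify --md5`, the same invocation used above, so the digests are comparable across prelinked and non-prelinked machines. The ELF section header parser handles ELF32 and ELF64 in either byte order; `build_elf` only constructs a synthetic, content-free ELF image for self-testing and is not a real binary. The `/usr/sbin/prelink` path and flags are taken from the post; everything else is an assumption of this example.

```python
"""Canonical md5 for ELF binaries that may have been prelinked.

Added example (not from the mailing-list post).  Assumes prelink marks a
file it has processed with a .gnu.prelink_undo section and that
`prelink -N --verify --md5 FILE` prints "<md5>  FILE" for the undone image.
"""
import hashlib
import shutil
import struct
import subprocess
import sys

PRELINK_MARKER = ".gnu.prelink_undo"   # section prelink adds to hold undo data


def section_names(data: bytes) -> list:
    """Return the section names from an ELF32/ELF64 section header table."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, enc = data[4], data[5]
    end = {1: "<", 2: ">"}[enc]             # EI_DATA: little / big endian
    if cls == 2:                            # ELFCLASS64
        shoff, = struct.unpack_from(end + "Q", data, 40)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 58)
        off_fmt, off_pos = "QQ", 24         # sh_offset, sh_size
    elif cls == 1:                          # ELFCLASS32
        shoff, = struct.unpack_from(end + "I", data, 32)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 46)
        off_fmt, off_pos = "II", 16
    else:
        raise ValueError("unknown ELF class %d" % cls)
    if shnum == 0:
        return []

    def shdr(i):
        base = shoff + i * shentsize
        name_idx, = struct.unpack_from(end + "I", data, base)
        offset, size = struct.unpack_from(end + off_fmt, data, base + off_pos)
        return name_idx, offset, size

    _, str_off, str_size = shdr(shstrndx)   # .shstrtab holds the names
    strtab = data[str_off:str_off + str_size]
    names = []
    for i in range(shnum):
        name_idx, _, _ = shdr(i)
        names.append(strtab[name_idx:strtab.index(b"\0", name_idx)].decode("ascii", "replace"))
    return names


def is_prelinked(data: bytes) -> bool:
    return PRELINK_MARKER in section_names(data)


def raw_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def canonical_digest(data: bytes, path: str) -> str:
    """md5 of the file as it was before prelink touched it (or of the file itself)."""
    if not is_prelinked(data):
        return raw_md5(data)
    prelink = shutil.which("prelink") or "/usr/sbin/prelink"
    # -N: leave the prelink cache alone; --verify --md5: undo prelinking in
    # memory and print the md5 of the original image, as in the post.
    out = subprocess.run([prelink, "-N", "--verify", "--md5", path],
                         check=True, capture_output=True, text=True).stdout
    return out.split()[0]


def canonical_md5(path: str) -> str:
    with open(path, "rb") as fh:
        return canonical_digest(fh.read(), path)


def build_elf(names, cls=64, little=True) -> bytes:
    """Constructed test input: a minimal ELF with empty sections of the given names."""
    end = "<" if little else ">"
    all_names = list(names) + [".shstrtab"]
    strtab, idx, pos = b"\0", {}, 1
    for n in all_names:
        idx[n] = pos
        strtab += n.encode() + b"\0"
        pos += len(n) + 1
    ehsize, shentsize = (64, 64) if cls == 64 else (52, 40)
    shoff, shnum = ehsize + len(strtab), len(all_names) + 1
    ident = b"\x7fELF" + bytes([2 if cls == 64 else 1, 1 if little else 2, 1]) + b"\0" * 9
    fmt = "HHIQQQIHHHHHH" if cls == 64 else "HHIIIIIHHHHHH"
    ehdr = ident + struct.pack(end + fmt, 2, 62 if cls == 64 else 3, 1, 0, 0, shoff,
                               0, ehsize, 0, 0, shentsize, shnum, shnum - 1)
    shdrs = [b"\0" * shentsize]             # index 0 is the null section
    sfmt = "IIQQQQIIQQ" if cls == 64 else "IIIIIIIIII"
    for n in all_names:
        typ, off, size = (3, ehsize, len(strtab)) if n == ".shstrtab" else (8, 0, 0)
        shdrs.append(struct.pack(end + sfmt, idx[n], typ, 0, 0, off, size, 0, 0, 1, 0))
    return ehdr + strtab + b"".join(shdrs)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(canonical_md5(p), " ", p, " (prelinked)" if is_prelinked(open(p, "rb").read()) else "")
```

Run it as `python3 canonical_md5.py /sbin/ethtool` on each host; the printed digest should agree across machines whether or not prelink is installed, and a mismatch then points at a real difference in the file rather than at prelink. The ctime observation in the post still applies: a prelink run updates ctime, so ctime alone cannot distinguish a prelink pass from a replaced binary.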