ethtool trojan detected by NAI

Jason Montleon monty19 at hotmail.com
Thu Jan 15 16:31:36 UTC 2004


I caught output of my virusscan stating that /sbin/ethtool was a trojan or
variant Linux/Exploit last night after updating to the new DAT files.  By
default the virus scan moves the files to a folder I've specified, so I
double checked that /sbin/ethtool did in fact no longer exist, downloaded
the (presumably clean) RPM from
http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/ (couldn't find an
md5sum for the rpm to compare against; perhaps just didn't try hard enough),
ran rpm --force -ivh ethtool* and this is what I got:

[root at xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
/sbin/ethtool
        Found trojan or variant Linux/Exploit !!!
        Please send a copy of the file to Network Associates

Anyone at RedHat/Fedora have insight?  I'm guessing a false positive at this
point, but of course would prefer to be certain.  A full system scan with
McAfee (uvscan --allole --ignore-links --move
/opt/mcafee/infected --mime --recursive --program --secure --summary --afc
192 /) and ChkRootKit finds nothing else out of the ordinary besides this, and
never has before the 4314 DATs.  I'm also sending the file to NAI so they
can analyze it as well, but thought someone here might have already noticed
and heard back.

Jason
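
The check the post could not make for lack of a published md5sum, as an added example that is not part of the original message: compare the file on disk with the digest the package itself recorded, read from `rpm -q --dump` output. The helper name check_file and the sample values in the comments are assumptions; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: compare a file on disk with the digest its package recorded.
# Input on stdin: lines in the format printed by `rpm -q --dump <package>`:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# check_file is a hypothetical helper name, not an rpm or McAfee command.

check_file() {
    target=$1          # path as recorded in the package, e.g. /sbin/ethtool
    ondisk=${2:-$1}    # file to hash (defaults to the same path)

    # Field 4 of the matching dump line is the recorded file digest.
    recorded=$(awk -v p="$target" '$1 == p { print $4; exit }')
    if [ -z "$recorded" ]; then
        echo "UNKNOWN: $target is not listed in the package data"
        return 2
    fi
    if [ ! -f "$ondisk" ]; then
        echo "MISSING: $ondisk"
        return 3
    fi

    # Pick the hash tool by digest length: 32 hex chars = MD5, 64 = SHA-256.
    case ${#recorded} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "UNKNOWN: unsupported digest length ${#recorded}"; return 2 ;;
    esac
    actual=$($tool < "$ondisk" | awk '{ print $1 }')

    if [ "$actual" = "$recorded" ]; then
        echo "MATCH: $ondisk equals the packaged file ($tool)"
        return 0
    fi
    echo "MISMATCH: $ondisk differs from the packaged file ($tool)"
    return 1
}

# Real use (needs rpm and the installed package):
#   rpm -q --dump ethtool | check_file /sbin/ethtool
```

A match only shows the file equals what the installed package recorded; the local RPM database is itself writable by root, so also check the downloaded package's signature with `rpm -K` before trusting it.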




