ethtool trojan detected by NAI
David S. Johnson
dsjohnson at adelphia.net
Thu Jan 15 17:03:55 UTC 2004
David S. Johnson wrote:
> Jason Montleon wrote:
>
>> I caught output of my virusscan stating that /sbin/ethtool was a trojan or
>> variant Linux/Exploit last night after updating to the new DAT files. By
>> default the virus scan moves the files to a folder I've specified, so I
>> double checked that /sbin/ethtool did in fact no longer exist, downloaded
>> the (presumably clean) RPM from
>> http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/, (couldn't find an
>> md5sum for the rpm to compare against; perhaps just didn't try hard enough)
>> rpm --force -ivh ethtool* and this is what I got:
>>
>> [root at xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
>> /sbin/ethtool
>> Found trojan or variant Linux/Exploit !!!
>> Please send a copy of the file to Network Associates
>>
>>
> I have ethtool-1.6-2 from RedHat's Fedora repository, and it scans
> clean with f-prot. Without going to fedora.us repository to compare,
> I would say it must be different, as this rpm goes into
> /usr/sbin/ethtool, not /sbin/ethtool.
>
Oops! I looked at the wrong system at home via ssh. That was a RHL 8.0
system. My FC1 system has ethtool-1.8-2.1, which *does* install into
/sbin/ethtool. However, it also scans clean with f-prot.
--
--------------------------------------------------------
"Oh scholar, if your scholarship benefits not Mankind,
you deserve not admiration but contempt." -- Kahlil Gibran