Re: ethtool trojan detected by NAI

["David S. Johnson" <dsjohnson adelphia net>]

David S. Johnson wrote:

> Jason Montleon wrote:
>
> > I caught output of my virusscan stating that /sbin/ethtool was a 
> > trojan or
> > variant Linux/Exploit last night after updating to the new DAT 
> > files.  By
> > default the virus scan moves the files to a folder I've specified, so I
> > double checked that /sbin/ethtool did in fact no longer exist, 
> > downloaded
> > the (presumably clean RPM from
> > http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/, (couldn't 
> > find and
> > md5sum for the rpm to compare against; perhaps just didnt try hard 
> > enough)
> > rpm --force -ivh ethtool* and this is what I got:
> >
> > [root xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
> > /sbin/ethtool
> >        Found trojan or variant Linux/Exploit !!!
> >        Please send a copy of the file to Network Associates
> >  
> I have ethtool-1.6-2 from RedHat's Fedora repository, and it scans 
> clean with f-prot.  Without going to fedora.us repository to compare, 
> I would say it must be different, as this rpm goes into 
> /usr/sbin/ethtool, not /sbin/ethtool.
Oops!  I looked at the wrong system at home via ssh.  That was a RHL 8.0 
system.  My FC1 system has ethtool-1.8-2.1, which *does* install into 
/sbin/ethtool.  However, it also scans clean with f-prot.

--
--------------------------------------------------------
  "Oh scholar, if your scholarship benefits not Mankind,
   you deserve not admiration but contempt." -- Kahlil Gibran