ethtool trojan detected by NAI

Randal, Phil prandal at herefordshire.gov.uk
Thu Jan 15 17:48:43 UTC 2004


Verified here with the latest uvscan and dat 4314.

Phil

---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: fedora-list-admin at redhat.com
> [mailto:fedora-list-admin at redhat.com]On Behalf Of Alexander Dalloz
> Sent: 15 January 2004 17:37
> To: fedora-list at redhat.com
> Subject: Re: ethtool trojan detected by NAI
> 
> 
> On Thu, 15.01.2004 at 17:31, Jason Montleon wrote:
> > I caught output of my virusscan stating that /sbin/ethtool was a trojan or
> > variant Linux/Exploit last night after updating to the new DAT files.  By
> > default the virus scan moves the files to a folder I've specified, so I
> > double checked that /sbin/ethtool did in fact no longer exist, downloaded
> > the (presumably clean) RPM from
> > http://download.fedora.us/fedora/fedora/1/i386/RPMS.os/, (couldn't find an
> > md5sum for the rpm to compare against; perhaps just didn't try hard enough)
> > rpm --force -ivh ethtool* and this is what I got:
> > 
> > [root at xxx sbin]# /opt/mcafee/uvscan /sbin/ethtool
> > /sbin/ethtool
> >         Found trojan or variant Linux/Exploit !!!
> >         Please send a copy of the file to Network Associates
> > 
> > Anyone at RedHat/Fedora have insight?  I'm guessing a false positive at this
> > point, but of course would prefer to be certain.  A full system scan with
> > McAfee (uvscan --allole --ignore-links --move
> > /opt/mcafee/infected --mime --recursive --program --secure --summary --afc
> > 192 /) and ChkRootKit finds nothing else out of the ordinary besides this, and
> > has never before the 4314 DATs.  I'm also sending the file to NAI so they
> > can analyze it as well, but thought someone here might have already noticed
> > and heard back.
> > 
> > Jason
> 
> Hi Jason!
> 
> I can confirm this. With uvscan version 4.2.40 and dat file 4313 the
> scan of /sbin/ethtool was ok. So I just updated the dat file to 4314 and
> got the exploit warning as well.
> 
> Alexander
> 
> 
> -- 
> Alexander Dalloz | Enger, Germany
> PGP key valid: made 13.07.1999
> PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653