From: Rumen Yotov
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Who put this in my distfiles?!
Date: Sat, 25 Mar 2006 21:49:52 +0200
Message-Id: <1143316192.7877.31.camel@mach.qrypto.org>
References: <1143311904.7877.17.camel@mach.qrypto.org>
Organization: personal
Content-Type: multipart/signed; micalg=sha1; protocol="application/x-pkcs7-signature"
X-Mailer: Evolution 2.4.2.1
List-Id: Gentoo Linux mail

On Sat, 2006-03-25 at 19:20 +0000, Mick wrote:
> Rumen Yotov wrote:
> 
> > On Sat, 2006-03-25 at 18:03 +0000, Mick wrote:
> >> Hi All,
> >> 
> >> I don't know what to make of the attached. I found it in my distfiles. I
> >> can't think how I could have saved anything like that in there myself.
> >> As far as I know portage would not save anything like that there (no
> >> package that I know of). What else could it be?
> >> 
> >> Has this box been compromised?
> >> --
> >> Regards,
> >> Mick
> > Hi,
> > Check the time of creation and if there are more files with nearly equal
> > time/date. Check against time/date of merged packages (genlop --help).
> > Scan with 'rkhunter & chkrootkit', preferably from a LiveCD.
> > PS: there's a very small probability of some typo in some ebuild which
> > could fetch this file from another URL. Or the worst scenario - some
> > Gentoo mirror might have been compromised.
> > No more ideas for the time being. Backup your data first.
> 
> Thanks Rumen. Both chkrootkit and rkhunter come up clean. On the same day I
> had updated the following packages:
> ======================================================================
> # genlop -l --date 2005-05-25 --date 2005-05-26
> * sys-apps/debianutils
> 
> Wed May 25 19:12:29 2005 >>> sys-apps/debianutils-2.13.1-r1
> Wed May 25 19:13:53 2005 >>> app-forensics/chkrootkit-0.45
> Wed May 25 19:16:57 2005 >>> dev-util/strace-4.5.11
> Wed May 25 19:29:53 2005 >>> www-client/mozilla-bin-1.7.8
> Wed May 25 19:30:47 2005 >>> www-client/mozilla-firefox-bin-1.0.4
> Wed May 25 19:31:35 2005 >>> www-client/opera-7.54-r3
> ======================================================================
> 
> However, the suspect file was (apparently) stored there slightly earlier:
> ======================================================================
> # ls -la /usr/portage/distfiles/index.html
> -rw-r--r-- 1 root portage 37070 May 25 2005 /usr/portage/distfiles/index.html
> ======================================================================
> 
> The other thing I noticed is that I have a number of M$Windoze font
> executables all over portage; e.g. impact32.exe, georgi32.exe, etc. I
> cannot remember if I copied them over from my WinXP partition, but even if
> I did, why would I ever save these in /usr/portage/distfiles?!! Are these
> files used by Linux?
> 
> I never use browsers as root and can't remember using wget for a plain html
> page (as opposed to a download). I don't want to get all paranoid
> unnecessarily, but I remember reading something about doing a double emerge
> --sync, using different rsync servers and then comparing file signatures
> before an emerge. Do I need to start looking into how to do this, or is
> there a simpler explanation for the state of my box?
> -- 
> Regards,
> Mick
> 

Hi Mick,
There's no problem with *these* exe files; they (eventually) are part of
"media-fonts/corefonts". Check if you have this installed.
Another way to check is using "w", "who", "ps", "lsof", "tcpdump", etc.,
looking for another user with 'root'|'other-user' rights logged in.
But as a final solution it's best to reinstall, sorry!
IMHO there's a real chance that this is caused by an error in some ebuild,
so nothing scary, but there's of course no guarantee.
Regards, Rumen

-- 
gentoo-user@gentoo.org mailing list
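The two checks the thread works through by hand (is this distfile accounted for by any ebuild, and what was merged around the time it appeared) can be automated. The script below is an added example, not code from the thread, from Portage or from genlop: it compares every file in a distfiles directory against the `DIST` entries of the `Manifest` files in a portage tree (size plus whichever listed hash Python's hashlib knows), flags files no Manifest lists at all, and correlates a stray file's mtime with `>>> emerge` lines from emerge.log. The `<tree>/<cat>/<pkg>/Manifest` layout, the `DIST name size ALGO hex ...` line format, the emerge.log line shape, the one-hour window and all sample data are assumptions constructed for the demo, not taken from the page.

```python
"""Audit a Portage distfiles directory against ebuild Manifests and emerge.log.

Added example, not from the mailing-list thread. Assumed layout:
<tree>/<category>/<package>/Manifest with lines of the form
    DIST <filename> <size> <ALGO> <hex> [<ALGO> <hex> ...]
and an emerge.log whose merge lines look like
    <epoch>: >>> emerge (1 of 6) cat/pkg-ver to /
All sample data in demo() is constructed.
"""
import hashlib
import os
import re
import tempfile

DIST_RE = re.compile(r"^DIST\s+(\S+)\s+(\d+)((?:\s+[A-Z0-9]+\s+[0-9a-fA-F]+)*)\s*$")
MERGE_RE = re.compile(r"^(\d+):\s+>>> emerge \(\d+ of \d+\) (\S+) to ")


def load_manifests(tree):
    """Map distfile name -> (size, {ALGO: hexdigest}) across every Manifest in tree."""
    expected = {}
    for root, _dirs, files in os.walk(tree):
        if "Manifest" not in files:
            continue
        with open(os.path.join(root, "Manifest")) as fh:
            for line in fh:
                m = DIST_RE.match(line)
                if not m:
                    continue
                name, size, hashes = m.group(1), int(m.group(2)), m.group(3).split()
                expected[name] = (size, dict(zip(hashes[::2], hashes[1::2])))
    return expected


def audit_distfiles(distdir, expected):
    """Classify each file in distdir as 'ok', 'mismatch' (size/hash) or 'unexpected'."""
    verdicts = {}
    for name in sorted(os.listdir(distdir)):
        path = os.path.join(distdir, name)
        if name not in expected:
            verdicts[name] = "unexpected"  # no ebuild in the tree claims this file
            continue
        size, hashes = expected[name]
        ok = os.path.getsize(path) == size
        for algo, digest in hashes.items():
            if algo.lower() in hashlib.algorithms_available:  # skip e.g. RMD160
                h = hashlib.new(algo.lower())
                with open(path, "rb") as fh:
                    h.update(fh.read())
                ok = ok and h.hexdigest() == digest.lower()
        verdicts[name] = "ok" if ok else "mismatch"
    return verdicts


def merges_near(path, emerge_log, window=3600):
    """Return cat/pkg-ver atoms merged within `window` seconds of path's mtime."""
    mtime = os.path.getmtime(path)
    near = []
    for line in emerge_log.splitlines():
        m = MERGE_RE.match(line)
        if m and abs(int(m.group(1)) - mtime) <= window:
            near.append(m.group(2))
    return near


def demo():
    """Build a constructed tree, distdir and log, then run both checks on them."""
    base = tempfile.mkdtemp()
    pkgdir = os.path.join(base, "tree", "dev-util", "strace")
    distdir = os.path.join(base, "distfiles")
    os.makedirs(pkgdir)
    os.makedirs(distdir)

    good = b"pretend this is strace-4.5.11.tar.bz2\n"  # constructed payload
    digest = hashlib.sha256(good).hexdigest()
    with open(os.path.join(pkgdir, "Manifest"), "w") as fh:
        fh.write(f"DIST strace-4.5.11.tar.bz2 {len(good)} SHA256 {digest}\n")
        fh.write(f"DIST debianutils_2.13.1.tar.gz {len(good)} SHA256 {digest}\n")

    with open(os.path.join(distdir, "strace-4.5.11.tar.bz2"), "wb") as fh:
        fh.write(good)                               # matches its Manifest entry
    with open(os.path.join(distdir, "debianutils_2.13.1.tar.gz"), "wb") as fh:
        fh.write(good[:-1] + b"X")                   # same size, wrong hash
    stray = os.path.join(distdir, "index.html")
    with open(stray, "wb") as fh:
        fh.write(b"<html>mirror listing</html>")    # listed in no Manifest

    # Pin the stray file's mtime and log one merge 20 minutes later (constructed).
    t0 = 1117045949
    os.utime(stray, (t0, t0))
    log = (f"{t0 + 1200}: >>> emerge (1 of 2) dev-util/strace-4.5.11 to /\n"
           f"{t0 + 86400}: >>> emerge (1 of 1) www-client/opera-7.54-r3 to /\n")

    verdicts = audit_distfiles(distdir, load_manifests(os.path.join(base, "tree")))
    return verdicts, merges_near(stray, log)


if __name__ == "__main__":
    print(demo())
```

An "unexpected" verdict is the interesting one for a file like `index.html`: it means no ebuild in the current tree fetches a file of that name, so the next step is to look at the ebuilds merged in the surrounding window (the `merges_near` output) for a `SRC_URI` that could have been served a directory listing instead of a tarball. A "mismatch" on a file a Manifest does list is the more serious case and is exactly what Portage itself refuses to unpack.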