* [gentoo-user] Who put this in my distfiles?!
From: Mick @ 2006-03-25 18:03 UTC
To: gentoo-user

Hi All,

I don't know what to make of the attached. I found it in my distfiles. I can't think how I could have saved anything like that in there myself. As far as I know portage would not save anything like that there (no package that I know of). What else could it be?

Has this box been compromised?
--
Regards,
Mick

[-- Attachment #2: index.html --] [-- Type: text/html, Size: 38450 bytes --]
* Re: [gentoo-user] Who put this in my distfiles?!
From: Rumen Yotov @ 2006-03-25 18:38 UTC
To: gentoo-user

On Sat, 2006-03-25 at 18:03 +0000, Mick wrote:
> Hi All,
>
> I don't know what to make of the attached. I found it in my distfiles. I
> can't think how I could have saved anything like that in there myself. As
> far as I know portage would not save anything like that there (no package
> that I know of). What else could it be?
>
> Has this box been compromised?
> --
> Regards,
> Mick

Hi,
Check the time of creation and if there're more files with nearly equal time/date. Check against time/date of merged packages (genlop --help).
Scan with 'rkhunter & chkrootkit' preferably from a LiveCD.
PS: there's a very small probability of some typo in some ebuild which could fetch this file from another URL. Or the worst scenario - some Gentoo mirror might have been compromised.
No more ideas for the time being. Backup your data first.
HTH. Rumen
* [gentoo-user] Re: Who put this in my distfiles?!
From: Mick @ 2006-03-25 19:20 UTC
To: gentoo-user

Rumen Yotov wrote:
> On Sat, 2006-03-25 at 18:03 +0000, Mick wrote:
>> Hi All,
>>
>> I don't know what to make of the attached. I found it in my distfiles. I
>> can't think how I could have saved anything like that in there myself.
>> As far as I know portage would not save anything like that there (no package
>> that I know of). What else could it be?
>>
>> Has this box been compromised?
>> --
>> Regards,
>> Mick
> Hi,
> Check the time of creation and if there're more files with nearly equal
> time/date. Check against time/date of merged packages (genlop --help).
> Scan with 'rkhunter & chkrootkit' preferably from a LiveCD.
> PS: there's a very small probability of some typo in some ebuild which could
> fetch this file from another URL. Or the worst scenario - some Gentoo mirror
> might have been compromised.
> No more ideas for the time being. Backup your data first.

Thanks Rumen. Both chkrootkit and rkhunter come up clean. On the same day I had updated the following packages:
===================================
# genlop -l --date 2005-05-25 --date 2005-05-26
* sys-apps/debianutils

Wed May 25 19:12:29 2005 >>> sys-apps/debianutils-2.13.1-r1
Wed May 25 19:13:53 2005 >>> app-forensics/chkrootkit-0.45
Wed May 25 19:16:57 2005 >>> dev-util/strace-4.5.11
Wed May 25 19:29:53 2005 >>> www-client/mozilla-bin-1.7.8
Wed May 25 19:30:47 2005 >>> www-client/mozilla-firefox-bin-1.0.4
Wed May 25 19:31:35 2005 >>> www-client/opera-7.54-r3
===================================

However, the suspect file was (apparently) stored there slightly earlier:
===================================
# ls -la /usr/portage/distfiles/index.html
-rw-r--r-- 1 root portage 37070 May 25 2005 /usr/portage/distfiles/index.html
===================================

The other thing I noticed is that I have a number of M$Windoze font executables all over portage; e.g. impact32.exe, georgi32.exe, etc. I cannot remember if I copied them over from my WinXP partition, but even if I did, why would I ever save these in /usr/portage/distfiles?!! Are these files used by Linux?

I never use browsers as root and can't remember using wget for a plain html page (as opposed to a download). I don't want to get all paranoid unnecessarily, but I remember reading something about doing a double emerge --sync, using different rsync servers and then comparing file signatures before an emerge. Do I need to start looking into how to do this, or is there a simpler explanation for the state of my box?
--
Regards,
Mick
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Re: Who put this in my distfiles?!
From: Rumen Yotov @ 2006-03-25 19:49 UTC
To: gentoo-user

On Sat, 2006-03-25 at 19:20 +0000, Mick wrote:
> Rumen Yotov wrote:
>
> > On Sat, 2006-03-25 at 18:03 +0000, Mick wrote:
> >> Hi All,
> >>
> >> I don't know what to make of the attached. I found it in my distfiles. I
> >> can't think how I could have saved anything like that in there myself.
> >> As far as I know portage would not save anything like that there (no package
> >> that I know of). What else could it be?
> >>
> >> Has this box been compromised?
> >> --
> >> Regards,
> >> Mick
> > Hi,
> > Check the time of creation and if there're more files with nearly equal
> > time/date. Check against time/date of merged packages (genlop --help).
> > Scan with 'rkhunter & chkrootkit' preferably from a LiveCD.
> > PS: there's a very small probability of some typo in some ebuild which could
> > fetch this file from another URL. Or the worst scenario - some Gentoo mirror
> > might have been compromised.
> > No more ideas for the time being. Backup your data first.
>
> Thanks Rumen. Both chkrootkit and rkhunter come up clean. On the same day I
> had updated the following packages:
> ===================================
> # genlop -l --date 2005-05-25 --date 2005-05-26
> * sys-apps/debianutils
>
> Wed May 25 19:12:29 2005 >>> sys-apps/debianutils-2.13.1-r1
> Wed May 25 19:13:53 2005 >>> app-forensics/chkrootkit-0.45
> Wed May 25 19:16:57 2005 >>> dev-util/strace-4.5.11
> Wed May 25 19:29:53 2005 >>> www-client/mozilla-bin-1.7.8
> Wed May 25 19:30:47 2005 >>> www-client/mozilla-firefox-bin-1.0.4
> Wed May 25 19:31:35 2005 >>> www-client/opera-7.54-r3
> ===================================
>
> However, the suspect file was (apparently) stored there slightly earlier:
> ===================================
> # ls -la /usr/portage/distfiles/index.html
> -rw-r--r-- 1 root portage 37070 May 25 2005 /usr/portage/distfiles/index.html
> ===================================
>
> The other thing I noticed is that I have a number of M$Windoze font
> executables all over portage; e.g. impact32.exe, georgi32.exe, etc. I
> cannot remember if I copied them over from my WinXP partition, but even if
> I did, why would I ever save these in /usr/portage/distfiles?!! Are these
> files used by Linux?
>
> I never use browsers as root and can't remember using wget for a plain html
> page (as opposed to a download). I don't want to get all paranoid
> unnecessarily, but I remember reading something about doing a double emerge
> --sync, using different rsync servers and then comparing file signatures
> before an emerge. Do I need to start looking into how to do this, or is
> there a simpler explanation for the state of my box?
> --
> Regards,
> Mick
>
Hi Mick,
There's no problem with *these* exe files; they (eventually) are part of "media-fonts/corefonts", check if you have this installed.
Another way to check is using "w", "who", "ps", "lsof", "tcpdump" etc. looking for another user with 'root'|'other-user' rights logged-in.
But as a final solution it's best to reinstall, sorry!
IMHO there's a real chance that this is caused by an error in some ebuild, so nothing scary, but there's of course no guarantee.
Regards. Rumen
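One way to do the check the two replies above circle around (is each file in distfiles accounted for by some package's Manifest, as impact32.exe is by media-fonts/corefonts, and is index.html really an orphan?), as an added example that is not code from the thread or from Portage. It assumes Manifest2-style "DIST <name> <size> ..." lines and the /usr/portage layout Mick shows; anything unreferenced or with the wrong size is what to investigate against the merge log times.

```shell
#!/bin/sh
# Added example (not from the thread): report files in a distfiles directory that
# no Manifest in the portage tree accounts for, plus files whose size disagrees
# with the Manifest entry. Assumes Manifest2 "DIST <name> <size> ..." lines.
# Usage: orphan_distfiles /usr/portage/distfiles /usr/portage
orphan_distfiles() {
    distdir=$1
    portdir=$2
    # Index every DIST entry in every Manifest as "<name> <size>".
    # </dev/null keeps awk from reading the terminal if no Manifest exists.
    index=$(find "$portdir" -name Manifest \
        -exec awk '$1 == "DIST" { print $2, $3 }' {} + < /dev/null)
    for f in "$distdir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        actual=$(wc -c < "$f" | tr -d ' ')
        expected=$(printf '%s\n' "$index" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$expected" ]; then
            # Nothing in the tree would have fetched this: check its mtime
            # against the merge log (genlop), as suggested earlier in the thread.
            printf 'ORPHAN %s %s bytes\n' "$name" "$actual"
        elif [ "$expected" != "$actual" ]; then
            # A referenced name with the wrong size is a truncated or altered fetch;
            # Portage would refuse it, but it still should not be sitting there.
            printf 'SIZE-MISMATCH %s %s bytes (Manifest says %s)\n' "$name" "$actual" "$expected"
        fi
    done
}

# Run directly with two arguments; without arguments it only defines the function.
if [ "$#" -eq 2 ]; then
    orphan_distfiles "$1" "$2"
fi
```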