This is the mail archive of the cygwin mailing list for the Cygwin project.



RE: Possible compromised mirror


On 14 January 2008 21:38, Rob Thomson wrote:

> Earlier today, I installed Cygwin on the Windows XP partition of my laptop.
> I used the default package settings and selected the GA Tech mirror.  About
> halfway through the install, I got an error message which said something
> about a Cygwin dll file.  I didn't have a lot of time to read it because I
> was looking away when it popped up.  Right after that, I got a white screen
> (fullscreen) for a few seconds, followed by some porn images (also
> fullscreen).  I then got the windows desktop again.  Unfortunately I don't
> have any more details than this.

  It's pretty unlikely that there's any relation between these two events
except perhaps that a virus infecting your system might cause setup.exe to
fail.  All cygwin packages are md5 verified on download, and most of the
installation is just unpacking tarballs, it's not until the very end that a
few shell scripts are invoked, so prior to that stage nothing that's
downloaded is being executed, and therefore can't be the source of the
infection.

> This laptop is only one week old and I have been running linux on it for
> most of that time.  I have installed just a handful of programs on the
> windows partition (Firefox, Thunderbird, Inkscape, IrfanView, Office 2007,
> Epson printer drivers, The GIMP, Blender, Visual Studio Express) and have
> only used it occasionally, so while it is possible this could be
> caused by malware from some other source, it seems unlikely.  All of these
> applications were from reputable, official, sources.

  <sniff> Oh, so we're not "reputable" and "official" are we?  Huh!

> Again, I am unable to confirm that Cygwin contains the malware.  It is also
> possible it could have been from any of the other programs mentioned.  The
> Cygwin error message occurring immediately before the slideshow is the
> reason I suspect it.

  Ah, Humean logic.  There are a number of problems with that kind of
inductive process ... particularly when you're inducing from a single example.

> I have kept a copy of all of the files downloaded from the mirror and the
> Cygwin installer program itself.

  If you'd like some help debugging it, and because I'm fairly confident that
it's very much more likely that this is some independent virus than that a
cygwin mirror is infected, let's take this to the off-topic cygwin-talk list.

  http://cygwin.com/lists.html#cygwin-talk

  Download and run HijackThis, from
http://www.spywareinfo.com/~merijn/index.php
and post your scan log there (cygwin-talk, *not* back here on the main list)
and I'll take a look at it for you.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
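
The md5 check mentioned in the reply can be repeated by hand on a kept copy of the downloaded files. The following is an added example, not part of the original message and not Cygwin's setup.exe code; it assumes a manifest with `install: <path> <size> <md5>` lines (the layout assumed here for the mirror's setup.ini), and the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Assumed manifest line layout: "install: <relative path> <size> <md5 hex>"
ENTRY = re.compile(r"^(?:install|source):\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")

def parse_manifest(text):
    """Return {relative_path: (size, md5_hex)} for every install/source line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    return entries

def md5_of(path, chunk=1 << 20):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(root, manifest):
    """Return {relative_path: status} for the kept download tree under root."""
    root = Path(root).resolve()
    report = {}
    for rel, (size, digest) in manifest.items():
        target = (root / rel).resolve()
        if root not in target.parents:
            report[rel] = "unsafe-path"      # entry points outside the tree
        elif not target.is_file():
            report[rel] = "missing"
        elif target.stat().st_size != size:
            report[rel] = "size-mismatch"
        elif md5_of(target) != digest:
            report[rel] = "md5-mismatch"
        else:
            report[rel] = "ok"
    # Files on disk that the manifest never mentioned deserve a look too.
    for f in root.rglob("*"):
        rel = f.relative_to(root).as_posix()
        if f.is_file() and rel not in manifest:
            report[rel] = "unlisted"
    return report
```

An `ok` result only shows that a file matches the manifest it is checked against, so the comparison is more meaningful when the manifest comes from a different mirror than the packages did.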

