I copied the binary from a friend's woody box, and ran f-prot against it, and didn't find anything. I've included the md5 of his binary as well.

$ f-prot ./ssh-copy-id
Virus scanning report - 15 January 2004 @ 12:08

F-PROT ANTIVIRUS
Program version: 4.2.1
Engine version: 3.13.4

VIRUS SIGNATURE FILES
SIGN.DEF created 9 January 2004
SIGN2.DEF created 9 January 2004
MACRO.DEF created 12 January 2004

Search: ./ssh-copy-id
Action: Report only
Files: Attempt to identify files
Switches: <none>

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:00

No viruses or suspicious files/boot sectors were found.

$ md5sum ./ssh-copy-id
a36ef875ba1c83e0c6d7cbf276e7f0f0 ./ssh-copy-id

Regards,
Josh

--- Asim Saglam <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> Can anybody explain the following?
>
> My virus scanner reported the following after the scan tonight:
>
> /usr/bin/ssh-copy-id
> Found trojan or variant UNIX/Exploit-SSHIDEN !!!
> Please send a copy of the file to Network Associates
> The file has been renamed.
>
> I used the following virus-scanner:
>
> Virus Scan for Linux v4.16.0
> Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
> (408) 988-3832 LICENSED COPY - Nov 13 2001
>
> Scan engine v4.2.40 for Linux.
> Virus data file v4314 created Jan 14 2004
> Scanning for 84549 viruses, trojans and variants.
>
> As mentioned by McAfee in
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100960
> I removed the ssh package and installed it again. However the file
> /usr/bin/ssh-copy-id gets installed again with the same contents and the
> same creation date.
>
> My sources.list looks like:
> deb ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
> deb-src ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
> deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
> deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
> deb http://security.debian.org/ stable/updates main contrib non-free
> deb file:/home/debs/ pakketten/
>
> Furthermore ls -al gives:
> -rwxr-xr-x 1 root root 1115 Sep 19 10:07 /usr/bin/ssh-copy-id
>
> Output of uname -a:
> Linux <snip> 2.4.23 #1 Sun Dec 28 12:46:20 CET 2003 i686 unknown
>
>
> The content of ssh-copy-id gives:
> #!/bin/sh
>
> # Shell script to install your identity.pub on a remote machine
> # Takes the remote machine name as an argument.
> # Obviously, the remote machine must accept password authentication,
> # or one of the other keys in your ssh-agent, for this to work.
>
> ID_FILE="${HOME}/.ssh/identity.pub"
>
> if [ "-i" = "$1" ]; then
>   shift
>   # check if we have 2 parameters left, if so the first is the new ID file
>   if [ -n "$2" ]; then
>     if expr "$1" : ".*\.pub" ; then
>       ID_FILE="$1"
>     else
>       ID_FILE="$1.pub"
>     fi
>     shift # and this should leave $1 as the target name
>   fi
> else
>   if [ x$SSH_AUTH_SOCK != x ] ; then
>     GET_ID="$GET_ID ssh-add -L"
>   fi
> fi
>
> if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
>   GET_ID="cat ${ID_FILE}"
> fi
>
> if [ -z "`eval $GET_ID`" ]; then
>   echo "$0: ERROR: No identities found"
>   exit 1
> fi
>
> { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"
>
> cat <<EOF
> Now try logging into the machine, with "ssh '$1'", and check in:
>
> .ssh/authorized_keys
>
> to make sure we haven't added extra keys that you weren't expecting.
>
> EOF
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
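
Added example, not part of the original thread: the comparison made by hand above (hashing a copy of /usr/bin/ssh-copy-id taken from another machine) can be made repeatable by checking the flagged file against a dpkg-style md5sums manifest. The helper name `verify_against_manifest`, the sample files and the manifest are constructed for illustration, and `md5sum`, `awk` and `mktemp` are assumed to be available.

```shell
#!/bin/sh
# Added example: compare a file's MD5 with the value recorded for its
# installed path in a dpkg-style md5sums manifest, whose lines have the form
# "<md5>  <path without leading slash>".
# Returns 0 = match, 1 = mismatch, 2 = file/manifest unreadable or path not listed.
# verify_against_manifest is a hypothetical helper name, not a Debian tool.
verify_against_manifest() {
    file=$1; installed_path=$2; manifest=$3
    [ -r "$file" ] && [ -r "$manifest" ] || return 2
    rel=${installed_path#/}                      # manifests omit the leading "/"
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    [ -n "$expected" ] || return 2               # nothing recorded for this path
    actual=$(md5sum < "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in "reference" file, a manifest built from it,
# and a modified copy that must fail the check.
demo() {
    dir=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho reference copy\n' > "$dir/reference"
    printf '#!/bin/sh\necho modified copy\n'  > "$dir/modified"
    sum=$(md5sum < "$dir/reference" | awk '{ print $1 }')
    printf '%s  usr/bin/ssh-copy-id\n' "$sum" > "$dir/manifest"
    for f in reference modified; do
        rc=0
        verify_against_manifest "$dir/$f" /usr/bin/ssh-copy-id "$dir/manifest" || rc=$?
        echo "$f: status $rc"
    done
    rm -rf "$dir"
}
demo
```

A manifest stored on the machine under suspicion can be altered together with the file, so take it from an independent copy of the package, as the reply does with the binary from a second woody box.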

