setup.exe hijacked?

2009-09-10 Thread Michael PARKER
I've just tried downloading setup.exe from www.cygwin.com, only to find that it 
crashes when run on my WinXP x64 desktop. 

Verifying against the setup.exe.sig signature I see the following:

 gpg --verify setup.exe.sig setup.exe
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
gpg: BAD signature from Cygwin cygwin@cygwin.com

Running a diff on the strings output of the new file vs. a known good 
version of setup.exe, I see (amongst garbage) the following:

 http://lcontent.ebuddy.com/web_banners/invocation.html?z=575
 HTTP/1.1 200 OK
 Vary: Accept-Encoding
 Content-Type: text/html
 ETag: -8517198137727078324
 Accept-Ranges: bytes
 Last-Modified: Fri, 17 Apr 2009 07:25:16 GMT
 Content-Length: 1765
 Date: Thu, 30 Jul 2009 13:44:32 GMT
 Server: lighttpd/1.4.13
 Connection: close
 htmlheadstyle
 BODY{margin: 0 0 0 0;border:0;overflow:hidden;background:#e1eaf3;}
 /style
 script
 function get_url_param(name) { 
 name = name.replace(/[\[]/,\\\[).replace(/[\]]/,\\\]); 
 var regexS = [\\?]+name+=([^#]*); 
 var regex = new RegExp( regexS ); 
 var results = regex.exec( window.location.href ); 
 if( results == null )return ; 
 else return results[1];
 function init(){
 window.scroll(0, 100);
 document.domain = ebuddy.com;
 /script/headbody onload=init()centerscript type='text/javascript'
 !--
var tarid = get_url_param('t');
var exclude = get_url_param('e');
var zoneid = get_url_param('z');
var r = get_url_param('r');
var m3_u = 
 (location.protocol=='https:'?'https://wad.adbasket.net/ajs.php':'http://wad.adbasket.net/ajs.php');
var m3_r = Math.floor(Math.random()*999);
if (!document.MAX_used) document.MAX_used = ',';
document.write (scr+ipt type='text/javascript' src='+m3_u);
document.write (?zoneid= + zoneid);
document.write (TARID= + tarid);   
document.write (exclude= + exclude);
document.write ('cb=' + m3_r);
document.write('r=' + r);
if (document.MAX_used != ',') document.write (exclude= + 
 document.MAX_used);
document.write (document.charset ? 'charset='+document.charset : 
 (document.characterSet ? 'charset='+document.characterSet : ''));
document.write (loc= + escape(window.location));
if (document.referrer) document.write (referer= + 
 escape(document.referrer));
if (document.context) document.write (context= + 
 escape(document.context));
if (document.mmm_fo) document.write (mmm_fo=1);
document.write ('\/scr+ipt);
 //--/script/center/body/html

Any thoughts?

Cheers,

Mike


--
Problem reports:   http://cygwin.com/problems.html
FAQ:   http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info:  http://cygwin.com/ml/#unsubscribe-simple



Re: setup.exe hijacked?

2009-09-10 Thread Dave Korn
Michael PARKER wrote:
 I've just tried downloading setup.exe from www.cygwin.com, only to find that 
 it crashes when run on my WinXP x64 desktop. 
 
 Verifying against the setup.exe.sig signature I see the following:
 
 gpg --verify setup.exe.sig setup.exe
 gpg: WARNING: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
 gpg: BAD signature from Cygwin cygwin@cygwin.com
 
 Running a diff on the strings output of the new file vs. a known good 
 version of setup.exe, I see (amongst garbage) the following:

 Any thoughts?

  I can't reproduce this locally:

 $ wget http://cygwin.com/setup.exe
 --2009-09-10 11:09:45--  http://cygwin.com/setup.exe
 Resolving cygwin.com... 209.132.176.174
 Connecting to cygwin.com|209.132.176.174|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 585728 (572K) [application/octet-stream]
 Saving to: `setup.exe'
 
 100%[==] 585,728  121K/s   in 5.2s
 
 2009-09-10 11:09:51 (110 KB/s) - `setup.exe' saved [585728/585728]
 
 
 ad...@ubik /tmp
 $ wget http://cygwin.com/setup.exe.sig
 --2009-09-10 11:09:51--  http://cygwin.com/setup.exe.sig
 Resolving cygwin.com... 209.132.176.174
 Connecting to cygwin.com|209.132.176.174|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 65 [application/octet-stream]
 Saving to: `setup.exe.sig'
 
 100%[==] 65  --.-K/s   in 0s
 
 2009-09-10 11:09:51 (1.30 MB/s) - `setup.exe.sig' saved [65/65]
 
 
 ad...@ubik /tmp
 $ gpg --verify setup.exe.sig
 gpg: WARNING: using insecure memory!
 gpg: please see http://www.gnupg.org/faq.html for more information
 gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
 gpg: Good signature from Cygwin cygwin@cygwin.com
 
 ad...@ubik /tmp
 $

  How did you download it?  I would suspect your browser is hijacked; try wget.

cheers,
  DaveK





Re: setup.exe hijacked?

2009-09-10 Thread Greg Chicares
On 2009-09-10 08:04Z, Michael PARKER wrote:
 I've just tried downloading setup.exe from www.cygwin.com,
 only to find that it crashes when run on my WinXP x64 desktop. 

I downloaded it from there just now, and it has the same
md5sum as a copy I had downloaded three months ago:
  4f3f250cb9704fda2c241347cb689a8f

 Running a diff on the strings output of the new file vs. a
 known good version of setup.exe, I see (amongst garbage)
 the following:
 
 http://lcontent.ebuddy.com/web_banners/invocation.html?z=575
 HTTP/1.1 200 OK
 Vary: Accept-Encoding
 Content-Type: text/html
[...]

Could it be that what you actually saved was not setup.exe
but rather some 'ebuddy' message?




Re: Re: setup.exe hijacked?

2009-09-10 Thread Michael PARKER
Greg, Dave,

A repeat of my activities earlier (file download via IE8 *and* wget) shows the 
problem to have now gone away.

I've still got a copy of the bad file - same file size as the good 
setup.exe but with an earlier timestamp:

-rwx--+  1 585728 Aug  5  2008 setup.exe_bad*
-rwx--+  1 585728 Sep 10 11:56 setup.exe* 

A file (OK, not difficult to fool) shows both to be:

MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit, UPX compressed

---

A browser hijack is possible (and something I'll look into), although the fact 
I'm now able to download without problem (via both IE8 and wget) suggests 
otherwise. I've not rebooted in the meantime and besides, a download via wget 
was giving the same problem earlier. This latter observation may be explained 
by local proxy caching, though.

The fact that the bad setup.exe crashed when executed suggests it might be 
corrupted in some way. Could some form of proxy issue result in transient data 
from two independent sources (the genuine setup.exe plus some transient 
ebuddy traffic) being merged into a single file?

Interestingly, I see multiple WinXP crash dialogs when attempting to run the 
bad executable. Not something I've seen with other crashing applications 
before. 

If either of you guys are sufficiently interested, I can send over a gzip'ed 
copy of the bad file.

Thanks for the interest,

Mike





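The checks the thread converges on (a digest against a known-good copy, then a diff of `strings` output to see what text the bad copy gained and lost) can be scripted so the "same size, different content, HTTP headers inside a PE" pattern is flagged automatically. The following is an added example, not code from the thread or from the Cygwin project: it builds a constructed stand-in "good" binary image and a "bad" image of identical length in which a chunk has been overwritten with an HTTP response (modelled on the headers quoted above; the URL is a placeholder), and reports the digest mismatch, the foreign strings that appeared, and the legitimate strings that vanished. The `extract_strings` helper is a simplified `strings(1)` (printable ASCII runs of four or more bytes); the header-name list in `FOREIGN_MARKERS` is an assumption chosen to match the quoted output, not an exhaustive one.

```python
from __future__ import annotations

import hashlib
import re

# --- Constructed sample data (not the real Cygwin setup.exe bytes) ----------
GOOD_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"UPX0\x00\x00UPX1\x00\x00"                      # UPX section names
    + b"KERNEL32.DLL\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"\x8b\xff\x55\x8b\xec" * 40                     # filler "code" bytes
    + b"Cygwin Setup\x00"
    + b"\x00" * 64
)

# Foreign content of the kind the report quotes; the URL is a placeholder.
INJECTED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: lighttpd/1.4.13\r\n"
    b"http://example.invalid/web_banners/invocation.html\r\n"
)

def make_bad_image(good: bytes, payload: bytes, offset: int) -> bytes:
    """Overwrite part of `good` with `payload`; total size stays the same."""
    assert offset + len(payload) <= len(good)
    return good[:offset] + payload + good[offset + len(payload):]

BAD_IMAGE = make_bad_image(GOOD_IMAGE, INJECTED, offset=120)

# Stand-in for a published digest of the genuine file (the thread compared
# md5sums; any stable digest serves the same purpose).
GOOD_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

# --- Analysis ---------------------------------------------------------------
def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Simplified strings(1): runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def strings_diff(good: bytes, suspect: bytes) -> tuple[set[str], set[str]]:
    """Return (strings only in suspect, strings only in good)."""
    good_s, bad_s = set(extract_strings(good)), set(extract_strings(suspect))
    return bad_s - good_s, good_s - bad_s

# Heuristic markers of web content that has no business inside a PE file.
FOREIGN_MARKERS = re.compile(
    r"^(HTTP/\d\.\d \d{3}"
    r"|(Content-Type|Content-Length|Server|Date|ETag|Vary|Connection"
    r"|Accept-Ranges|Last-Modified): "
    r"|https?://)",
    re.IGNORECASE,
)

def flag_foreign(added: set[str]) -> list[str]:
    """Pick out added strings that look like HTTP headers or URLs."""
    return sorted(s for s in added if FOREIGN_MARKERS.search(s))

def check_download(known_good: bytes, suspect: bytes, expected_sha256: str) -> dict:
    """Compare a suspect download against a known-good copy and its digest."""
    added, missing = strings_diff(known_good, suspect)
    return {
        "size_matches": len(known_good) == len(suspect),
        "digest_matches": hashlib.sha256(suspect).hexdigest() == expected_sha256,
        "added": added,
        "missing": missing,
        "foreign": flag_foreign(added),
    }

if __name__ == "__main__":
    report = check_download(GOOD_IMAGE, BAD_IMAGE, GOOD_SHA256)
    print("same size:      ", report["size_matches"])
    print("digest matches: ", report["digest_matches"])
    print("foreign strings:", report["foreign"])
    print("lost strings:   ", sorted(report["missing"]))
```

On the constructed input the bad copy passes the size check but fails the digest, gains the four HTTP/URL strings, and loses the import names that were overwritten, which is exactly the signature of a file that was spliced together from two sources rather than truncated. A failing GPG check remains the authoritative signal; this kind of diff only helps explain what went wrong after the signature has already said that something did.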