setup.exe hijacked?
I've just tried downloading setup.exe from www.cygwin.com, only to find that it crashes when run on my WinXP x64 desktop. Verifying against the setup.exe.sig signature I see the following:

  gpg --verify setup.exe.sig setup.exe
  gpg: WARNING: using insecure memory!
  gpg: please see http://www.gnupg.org/faq.html for more information
  gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
  gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"

Running a diff on the strings output of the new file vs. a known good version of setup.exe, I see (amongst garbage) the following:

  http://lcontent.ebuddy.com/web_banners/invocation.html?z=575
  HTTP/1.1 200 OK
  Vary: Accept-Encoding
  Content-Type: text/html
  ETag: -8517198137727078324
  Accept-Ranges: bytes
  Last-Modified: Fri, 17 Apr 2009 07:25:16 GMT
  Content-Length: 1765
  Date: Thu, 30 Jul 2009 13:44:32 GMT
  Server: lighttpd/1.4.13
  Connection: close
  <html><head><style>
  BODY{margin: 0 0 0 0;border:0;overflow:hidden;background:#e1eaf3;}
  </style>
  <script>
  function get_url_param(name) {
    name = name.replace(/[\[]/,\\\[).replace(/[\]]/,\\\]);
    var regexS = [\\?]+name+=([^#]*);
    var regex = new RegExp( regexS );
    var results = regex.exec( window.location.href );
    if( results == null )return ;
    else return results[1];
  }
  function init(){
    window.scroll(0, 100);
    document.domain = ebuddy.com;
  }
  </script></head><body onload=init()><center><script type='text/javascript'>
  <!--
  var tarid = get_url_param('t');
  var exclude = get_url_param('e');
  var zoneid = get_url_param('z');
  var r = get_url_param('r');
  var m3_u = (location.protocol=='https:'?'https://wad.adbasket.net/ajs.php':'http://wad.adbasket.net/ajs.php');
  var m3_r = Math.floor(Math.random()*999);
  if (!document.MAX_used) document.MAX_used = ',';
  document.write (scr+ipt type='text/javascript' src='+m3_u);
  document.write (?zoneid= + zoneid);
  document.write (TARID= + tarid);
  document.write (exclude= + exclude);
  document.write ('cb=' + m3_r);
  document.write('r=' + r);
  if (document.MAX_used != ',') document.write (exclude= + document.MAX_used);
  document.write (document.charset ? 'charset='+document.charset : (document.characterSet ? 'charset='+document.characterSet : ''));
  document.write (loc= + escape(window.location));
  if (document.referrer) document.write (referer= + escape(document.referrer));
  if (document.context) document.write (context= + escape(document.context));
  if (document.mmm_fo) document.write (mmm_fo=1);
  document.write ('\/scr+ipt);
  //-->
  </script></center></body></html>

Any thoughts?

Cheers,
Mike

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Re: setup.exe hijacked?
Michael PARKER wrote:
> I've just tried downloading setup.exe from www.cygwin.com, only to find
> that it crashes when run on my WinXP x64 desktop. Verifying against the
> setup.exe.sig signature I see the following:
>
>   gpg --verify setup.exe.sig setup.exe
>   gpg: WARNING: using insecure memory!
>   gpg: please see http://www.gnupg.org/faq.html for more information
>   gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
>   gpg: BAD signature from "Cygwin <cygwin@cygwin.com>"
>
> Running a diff on the strings output of the new file vs. a known good
> version of setup.exe, I see (amongst garbage) the following:
>
> Any thoughts?

I can't reproduce this locally:

  $ wget http://cygwin.com/setup.exe
  --2009-09-10 11:09:45--  http://cygwin.com/setup.exe
  Resolving cygwin.com... 209.132.176.174
  Connecting to cygwin.com|209.132.176.174|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 585728 (572K) [application/octet-stream]
  Saving to: `setup.exe'

  100%[==] 585,728 121K/s in 5.2s

  2009-09-10 11:09:51 (110 KB/s) - `setup.exe' saved [585728/585728]

  ad...@ubik /tmp
  $ wget http://cygwin.com/setup.exe.sig
  --2009-09-10 11:09:51--  http://cygwin.com/setup.exe.sig
  Resolving cygwin.com... 209.132.176.174
  Connecting to cygwin.com|209.132.176.174|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 65 [application/octet-stream]
  Saving to: `setup.exe.sig'

  100%[==] 65 --.-K/s in 0s

  2009-09-10 11:09:51 (1.30 MB/s) - `setup.exe.sig' saved [65/65]

  ad...@ubik /tmp
  $ gpg --verify setup.exe.sig
  gpg: WARNING: using insecure memory!
  gpg: please see http://www.gnupg.org/faq.html for more information
  gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
  gpg: Good signature from "Cygwin <cygwin@cygwin.com>"

  ad...@ubik /tmp
  $

How did you download it? I would suspect your browser is hijacked; try wget.

cheers,
  DaveK
Re: setup.exe hijacked?
On 2009-09-10 08:04Z, Michael PARKER wrote:
> I've just tried downloading setup.exe from www.cygwin.com, only to find
> that it crashes when run on my WinXP x64 desktop.

I downloaded it from there just now, and it has the same md5sum as a copy I had downloaded three months ago:

  4f3f250cb9704fda2c241347cb689a8f

> Running a diff on the strings output of the new file vs. a known good
> version of setup.exe, I see (amongst garbage) the following:
>
>   http://lcontent.ebuddy.com/web_banners/invocation.html?z=575
>   HTTP/1.1 200 OK
>   Vary: Accept-Encoding
>   Content-Type: text/html
>   [...]

Could it be that what you actually saved was not setup.exe but rather some 'ebuddy' message?
Re: Re: setup.exe hijacked?
Greg, Dave,

A repeat of my activities earlier (file download via IE8 *and* wget) shows the problem to have now gone away. I've still got a copy of the bad file - same file size as the good setup.exe but with an earlier timestamp:

  -rwx--+ 1 585728 Aug  5  2008 setup.exe_bad*
  -rwx--+ 1 585728 Sep 10 11:56 setup.exe*

A file (OK, not difficult to fool) shows both to be:

  MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed

---

A browser hijack is possible (and something I'll look into), although the fact I'm now able to download without problem (via both IE8 and wget) suggests otherwise. I've not rebooted in the meantime and besides, a download via wget was giving the same problem earlier. This latter observation may be explained by local proxy caching, though.

The fact that the bad setup.exe crashed when executed suggests it might be corrupted in some way. Could some form of proxy issue result in transient data from two independent sources (the genuine setup.exe plus some transient ebuddy traffic) being merged into a single file?

Interestingly, I see multiple WinXP crash dialogs when attempting to run the bad executable. Not something I've seen with other crashing applications before.

If either of you guys are sufficiently interested, I can send over a gzip'ed copy of the bad file.

Thanks for the interest,
Mike
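The checks the thread runs by hand (md5sum against a known-good copy, a `file` sanity check, and a `strings` diff that turned up HTTP headers and HTML inside the binary) can be scripted as a first-pass triage of a downloaded installer. The following is an added example, not code from the Cygwin project or from anyone in the thread. It uses the known-good MD5 that Greg posted; the sample files it inspects are constructed inline (a minimal MZ/PE header, with and without a spliced-in HTTP response) and are not real setup.exe images. It does not replace `gpg --verify`, which remains the authoritative check.

```python
import hashlib
import re

# Known-good MD5 of setup.exe as reported in this thread (Greg's post).
KNOWN_GOOD_MD5 = "4f3f250cb9704fda2c241347cb689a8f"

# Byte patterns a genuine PE installer should never contain: an HTTP status
# line, response headers, and HTML/JavaScript markup. Finding them means web
# content was spliced into (or served instead of) the binary, which is what
# the strings diff in the thread showed.
WEB_RESIDUE_PATTERNS = [
    rb"HTTP/1\.[01] \d{3} ",
    rb"Content-Type: text/html",
    rb"\bServer: ",
    rb"<script",
    rb"document\.write",
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ stub plus a 'PE\\0\\0' signature at e_lfanew.
    Note the thread's bad file passed this too, so it is necessary, not sufficient."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_web_residue(data: bytes):
    """Return (pattern, first offset) for every web-content pattern present."""
    hits = []
    for pat in WEB_RESIDUE_PATTERNS:
        m = re.search(pat, data)
        if m:
            hits.append((pat.decode(), m.start()))
    return hits


def assess(data: bytes, expected_md5: str = KNOWN_GOOD_MD5) -> dict:
    """Combine the three checks into one verdict dictionary."""
    residue = find_web_residue(data)
    md5_ok = md5_hex(data) == expected_md5
    return {
        "md5_matches": md5_ok,
        "looks_like_pe": looks_like_pe(data),
        "web_residue": residue,
        # Trust only a hash match; any residue is enough to reject on its own.
        "verdict": "ok" if md5_ok and not residue else "reject",
    }


def build_sample(spliced: bool) -> bytes:
    """Constructed test input, NOT a real setup.exe: a 64-byte DOS stub with
    e_lfanew pointing at a PE signature, then padding, optionally followed by
    an HTTP response spliced into the file the way the bad download looked."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS stub
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    body = b"PE\0\0" + b"\0" * 60
    if spliced:
        body += (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Server: lighttpd/1.4.13\r\n\r\n"
                 b"<html><body><script>document.write('x')</script></body></html>")
    return bytes(header) + body


if __name__ == "__main__":
    clean = build_sample(False)
    # For the constructed clean sample, use its own hash as the reference.
    print("clean:  ", assess(clean, expected_md5=md5_hex(clean)))
    print("spliced:", assess(build_sample(True), expected_md5=md5_hex(clean)))
```

Pointed at a real download (`assess(open("setup.exe", "rb").read())`), a hash mismatch together with HTTP or HTML residue is the signature of a proxy or cache returning mixed content rather than a subtly tampered binary; a hash mismatch with no residue is the case where only the detached signature can tell you anything useful.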