From: Rob Thomson
To: cygwin AT cygwin DOT com
Subject: Possible compromised mirror
Date: Mon, 14 Jan 2008 16:37:35 -0500
Message-Id: <200801141637.35806.rthomson@roboticresearch.com>

Hello,

I've come across an issue which may be the result of a compromised Cygwin mirror. The mirror in question is ftp.gtlib.gatech.edu.

Earlier today, I installed Cygwin on the Windows XP partition of my laptop. I used the default package settings and selected the GA Tech mirror. About halfway through the install, I got an error message which said something about a Cygwin dll file. I didn't have a lot of time to read it because I was looking away when it popped up. Right after that, I got a white screen (fullscreen) for a few seconds, followed by some porn images (also fullscreen). I then got the Windows desktop again. Unfortunately I don't have any more details than this.

This laptop is only one week old and I have been running Linux on it for most of that time. I have installed just a handful of programs on the Windows partition (Firefox, Thunderbird, Inkscape, IrfanView, Office 2007, Epson printer drivers, The GIMP, Blender, Visual Studio Express) and have only used it occasionally, so while it is possible this could be caused by malware from some other source, it seems unlikely. All of these applications were from reputable, official sources.
I have scanned the entire Windows partition with ClamAV but it did not detect anything, so this is probably something new.

Again, I am unable to confirm that Cygwin contains the malware. It is also possible it could have been from any of the other programs mentioned. The Cygwin error message occurring immediately before the slideshow is the reason I suspect it.

I have kept a copy of all of the files downloaded from the mirror and the Cygwin installer program itself.

-Rob