From: "Dave Korn"
Subject: RE: Possible compromised mirror
Date: Wed, 16 Jan 2008 18:49:31 -0000
Delivered-To: mailing list cygwin AT cygwin DOT com

On 14 January 2008 21:38, Rob Thomson wrote:

> Earlier today, I installed Cygwin on the Windows XP partition of my laptop.
> I used the default package settings and selected the GA Tech mirror. About
> halfway through the install, I got an error message which said something
> about a Cygwin dll file. I didn't have a lot of time to read it because I
> was looking away when it popped up. Right after that, I got a white screen
> (fullscreen) for a few seconds, followed by some porn images (also
> fullscreen). I then got the windows desktop again. Unfortunately I don't
> have any more details than this.

  It's pretty unlikely that there's any relation between these two events
except perhaps that a virus infecting your system might cause setup.exe to
fail.  All cygwin packages are md5 verified on download, and most of the
installation is just unpacking tarballs, it's not until the very end that a
few shell scripts are invoked, so prior to that stage nothing that's
downloaded is being executed, and therefore can't be the source of the
infection.

> This laptop is only one week old and I have been running linux on it for
> most of that time. I have installed just a handful of programs on the
> windows partition (Firefox, Thunderbird, Inkscape, IrfanView, Office 2007,
> Epson printer drivers, The GIMP, Blender, Visual Studio Express) and have
> only used it occasionally, so while it is possible this could be
> caused by malware from some other source, it seems unlikely. All of these
> applications were from reputable, official, sources.

  Oh, so we're not "reputable" and "official" are we?  Huh!

> Again, I am unable to confirm that Cygwin contains the malware. It is also
> possible it could have been from any of the other programs mentioned. The
> Cygwin error message occurring immediately before the slideshow is the
> reason I suspect it.

  Ah, Humean logic.  There are a number of problems with that kind of
inductive process ... particularly when you're inducing from a single
example.

> I have kept a copy of all of the files downloaded from the mirror and the
> Cygwin installer program itself.

  If you'd like some help debugging it, and because I'm fairly confident
that it's very much more likely that this is some independent virus than
that a cygwin mirror is infected, let's take this to the off-topic
cygwin-talk list.

http://cygwin.com/lists.html#cygwin-talk

  Download and run HijackThis, from

http://www.spywareinfo.com/~merijn/index.php

and post your scan log there (cygwin-talk, *not* back here on the main list)
and I'll take a look at it for you.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
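Added example, not part of the original message or of Cygwin's own code: a Python sketch of how the kept download directory could be re-checked against the size and md5 recorded for each archive in a setup.ini manifest. It assumes manifest lines of the form `install: <relative path> <size> <md5>`; the package names and file contents in `demo()` are constructed.

```python
import hashlib, os, re, tempfile

# Assumed setup.ini archive line: "install: <relative path> <size> <md5 hex>"
ENTRY = re.compile(r"^(?:install|source):\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")

def parse_setup_ini(text):
    """Return {relative_path: (size, md5_hex)} for each archive listed."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    return entries

def md5_of(path):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, entries):
    """Check every listed archive under root; return {relative_path: status}."""
    report = {}
    for rel, (size, digest) in entries.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report[rel] = "missing"
        elif os.path.getsize(full) != size:
            report[rel] = "size mismatch"
        elif md5_of(full) != digest:
            report[rel] = "md5 mismatch"
        else:
            report[rel] = "ok"
    return report

def demo():
    """Constructed sample: one intact archive, one altered in place, one absent."""
    files = {"release/a/a-1.0-1.tar.bz2": b"constructed archive A",
             "release/b/b-1.0-1.tar.bz2": b"constructed archive B",
             "release/c/c-1.0-1.tar.bz2": b"constructed archive C"}
    ini = "".join("@ %s\ninstall: %s %d %s\n" % (p.split("/")[1], p, len(d),
                  hashlib.md5(d).hexdigest()) for p, d in files.items())
    with tempfile.TemporaryDirectory() as root:
        for p, d in list(files.items())[:2]:
            full = os.path.join(root, *p.split("/"))
            os.makedirs(os.path.dirname(full))
            with open(full, "wb") as f:  # archive b: same length, one byte changed
                f.write(d if "/a/" in p else d.replace(b"B", b"X"))
        return audit(root, parse_setup_ini(ini))
```

A match only shows that the files agree with the manifest they are compared against, so for a mirror under suspicion the setup.ini should be fetched from a different source than the archives.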