This is the mail archive of the
cygwin
mailing list for the Cygwin project.
setup.exe hijacked?
- From: Michael PARKER <michael dot parker at st dot com>
- To: <cygwin at cygwin dot com>
- Date: Thu, 10 Sep 2009 09:04:55 +0100
- Subject: setup.exe hijacked?
- Reply-to: <michael dot parker at st dot com>
I've just tried downloading setup.exe from www.cygwin.com, only to find that it crashes when run on my WinXP x64 desktop.
Verifying against the setup.exe.sig signature I see the following:
> gpg --verify setup.exe.sig setup.exe
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
gpg: BAD signature from "Cygwin <cygwin@cygwin.com>
Running a diff on the "strings" output of the new file vs. a "known good" version of setup.exe, I see (amongst garbage) the following:
> http://lcontent.ebuddy.com/web_banners/invocation.html?z=575
> HTTP/1.1 200 OK
> Vary: Accept-Encoding
> Content-Type: text/html
> ETag: "-8517198137727078324"
> Accept-Ranges: bytes
> Last-Modified: Fri, 17 Apr 2009 07:25:16 GMT
> Content-Length: 1765
> Date: Thu, 30 Jul 2009 13:44:32 GMT
> Server: lighttpd/1.4.13
> Connection: close
> <html><head><style>
> BODY{margin: 0 0 0 0;border:0;overflow:hidden;background:#e1eaf3;}
> </style>
> <script>
> function get_url_param(name) {
> name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
> var regexS = "[\\?&]"+name+"=([^&#]*)";
> var regex = new RegExp( regexS );
> var results = regex.exec( window.location.href );
> if( results == null ) return "";
> else return results[1];
> function init(){
> window.scroll(0, 1000000);
> document.domain = "ebuddy.com";
> </script></head><body onload="init()"><center><script type='text/javascript'>
> <!--
> var tarid = get_url_param('t');
> var exclude = get_url_param('e');
> var zoneid = get_url_param('z');
> var r = get_url_param('r');
> var m3_u = (location.protocol=='https:'?'https://wad.adbasket.net/ajs.php':'http://wad.adbasket.net/ajs.php');
> var m3_r = Math.floor(Math.random()*99999999999);
> if (!document.MAX_used) document.MAX_used = ',';
> document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);
> document.write ("?zoneid=" + zoneid);
> document.write ("&TARID=" + tarid);
> document.write ("&exclude=" + exclude);
> document.write ('&cb=' + m3_r);
> document.write('&r=' + r);
> if (document.MAX_used != ',') document.write ("&exclude=" + document.MAX_used);
> document.write (document.charset ? '&charset='+document.charset : (document.characterSet ? '&charset='+document.characterSet : ''));
> document.write ("&loc=" + escape(window.location));
> if (document.referrer) document.write ("&referer=" + escape(document.referrer));
> if (document.context) document.write ("&context=" + escape(document.context));
> if (document.mmm_fo) document.write ("&mmm_fo=1");
> document.write ("'><\/scr"+"ipt>");
> //--></script></center></body></html>
Any thoughts?
Cheers,
Mike
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple