On Monday 25 October 2004 06:35, Sindre Pedersen Bjordal wrote:
> IANAL, but this must be a legal issue, as there's clearly a trademark
> violation.

It's also fraud.

The "patch" is actually a script compiled into C using SHC (http://www.datsi.fi.upm.es/~frosal/sources/shc.html), which installs a Binary RPM (fileutils-patch.bin). You can run "rpm2cpio" on the file, but you're not going to see much unless you can read machine code or diff between the included "ls" and your local "/bin/ls".

As the shc appears to encrypt the actual script with rc4, there's not much to gain from inst.c either. Although, we know the crook ran shc with the options: shc -v -r -T -f redhat.

I suspect it just installs a rootkit and overwrites (--replacefiles) all the common utilities to ensure that an intruder can always get in, possibly modifying /etc/passwd and friends.

Before playing with it, make sure your PATH does not contain "." before /bin, et al. And don't poke it while you're root.

take care,
--
-jeff
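
The two precautions at the end of the message can be checked mechanically before opening the sample. The following is an added example, not part of the original message: the function names are hypothetical, and it treats an empty PATH entry (leading, trailing or doubled colon) the same as ".", because the shell searches the current directory for both.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check before
# examining an untrusted binary, covering the two precautions in the message.

# first_relative_before_bin PATH_STRING
# Prints "<position>:<entry>" for the first PATH entry that is resolved
# against the current directory and is searched before /bin.
# Returns 0 when such an entry exists, 1 otherwise.
first_relative_before_bin() {
    rest="$1:"          # trailing ':' keeps a final empty entry visible
    pos=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            /bin|/bin/) return 1 ;;                 # /bin reached first
            "")         echo "$pos:<empty>"; return 0 ;;
            /*)         ;;                          # absolute, keep scanning
            *)          echo "$pos:$entry"; return 0 ;;  # ".", "./x", "tools"
        esac
    done
    return 1
}

# preflight UID PATH_STRING
# Prints "ok" and returns 0 only for a non-root UID with no
# current-directory lookup ahead of /bin.
preflight() {
    uid=$1
    if [ "$uid" -eq 0 ]; then
        echo "refuse: running as root"
        return 1
    fi
    if hit=$(first_relative_before_bin "$2"); then
        echo "refuse: PATH entry $hit is searched before /bin"
        return 1
    fi
    echo "ok"
}

# Report on the current session; '|| :' keeps a refusal from aborting a
# calling script.
preflight "$(id -u)" "$PATH" || :
```

Other system directories (/usr/bin, /sbin) can be added to the first `case` arm if the utilities you rely on live there.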