Mail Archives: cygwin/2009/09/10/04:05:19

Reply-To: <michael DOT parker AT st DOT com>
From: Michael PARKER <michael DOT parker AT st DOT com>
To: <cygwin AT cygwin DOT com>
Subject: setup.exe hijacked?
Date: Thu, 10 Sep 2009 09:04:55 +0100
Message-ID: <7515D3C005374AED9E2BCFDA491CCF2F@st.com>

I've just tried downloading setup.exe from www.cygwin.com, only to find that it crashes when run on my WinXP x64 desktop.

Verifying against the setup.exe.sig signature I see the following:

> gpg --verify setup.exe.sig setup.exe
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Tue Jun 16 03:50:01 2009 GMTDT using DSA key ID 676041BA
gpg: BAD signature from "Cygwin <cygwin AT cygwin DOT com>

Running a diff on the "strings" output of the new file vs. a "known good" version of setup.exe, I see (amongst garbage) the following:

> http://lcontent.ebuddy.com/web_banners/invocation.html?z=575
> HTTP/1.1 200 OK
> Vary: Accept-Encoding
> Content-Type: text/html
> ETag: "-8517198137727078324"
> Accept-Ranges: bytes
> Last-Modified: Fri, 17 Apr 2009 07:25:16 GMT
> Content-Length: 1765
> Date: Thu, 30 Jul 2009 13:44:32 GMT
> Server: lighttpd/1.4.13
> Connection: close
> <html><head><style>
> BODY{margin: 0 0 0 0;border:0;overflow:hidden;background:#e1eaf3;}
> </style>
> <script>
> function get_url_param(name) {
>     name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
>     var regexS = "[\\?&]"+name+"=([^&#]*)";
>     var regex = new RegExp( regexS );
>     var results = regex.exec( window.location.href );
>     if( results == null )    return "";
>     else return results[1];
> function init(){
>     window.scroll(0, 1000000);
> document.domain = "ebuddy.com";
> </script></head><body onload="init()"><center><script type='text/javascript'>
> <!--
>    var tarid = get_url_param('t');
>    var exclude = get_url_param('e');
>    var zoneid = get_url_param('z');
>    var r = get_url_param('r');
>    var m3_u = (location.protocol=='https:'?'https://wad.adbasket.net/ajs.php':'http://wad.adbasket.net/ajs.php');
>    var m3_r = Math.floor(Math.random()*99999999999);
>    if (!document.MAX_used) document.MAX_used = ',';
>    document.write ("<scr"+"ipt type='text/javascript' src='"+m3_u);
>    document.write ("?zoneid=" + zoneid);
>    document.write ("&TARID=" + tarid);
>    document.write ("&exclude=" + exclude);
>    document.write ('&cb=' + m3_r);
>    document.write('&r=' + r);
>    if (document.MAX_used != ',') document.write ("&exclude=" + document.MAX_used);
>    document.write (document.charset ? '&charset='+document.charset : (document.characterSet ? '&charset='+document.characterSet : ''));
>    document.write ("&loc=" + escape(window.location));
>    if (document.referrer) document.write ("&referer=" + escape(document.referrer));
>    if (document.context) document.write ("&context=" + escape(document.context));
>    if (document.mmm_fo) document.write ("&mmm_fo=1");
>    document.write ("'><\/scr"+"ipt>");
> //--></script></center></body></html>

Any thoughts?

Cheers,

Mike
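
The strings-and-diff comparison described in the message, as an added example that is not part of the original post: it extracts printable strings from a known-good and a suspect copy of a binary and reports only the new strings that look like HTTP or HTML content. The function names, marker patterns and byte samples are assumptions constructed for illustration.

```python
import re

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Content that belongs to web traffic rather than to a Windows executable.
WEB_MARKERS = [
    ("http_status", re.compile(r"^HTTP/1\.[01] \d{3} ")),
    ("http_header", re.compile(
        r"^(Content-Type|Content-Length|Server|ETag|Last-Modified|"
        r"Connection|Vary|Accept-Ranges|Date): ")),
    ("html_markup", re.compile(r"<(html|head|body|script|style)\b", re.I)),
    ("url", re.compile(r"^https?://")),
]

def foreign_web_strings(known_good: bytes, suspect: bytes) -> list[tuple[str, str]]:
    """Strings present only in the suspect file that match a web marker."""
    baseline = set(extract_strings(known_good))
    findings = []
    for s in extract_strings(suspect):
        if s in baseline:
            continue  # also present in the trusted copy, not interesting
        for label, pat in WEB_MARKERS:
            if pat.search(s):
                findings.append((label, s))
                break
    return findings

# Constructed sample data: a tiny stand-in for a PE file, and a copy whose
# tail has been overwritten with the start of an HTTP response.
GOOD = (b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
        b"\x00\x00setup.ini\x00\x01\x02" + b"\x00" * 32)
SPLICE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Server: lighttpd/1.4.13\r\n\r\n<html><head><style>\r\n")
BAD = GOOD[:60] + SPLICE

if __name__ == "__main__":
    for label, text in foreign_web_strings(GOOD, BAD):
        print(f"{label:12} {text}")
```

The signature check decides whether the file can be trusted; this comparison only helps describe what replaced the expected bytes once that check has failed.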

