LinuxQuestions.org
Old 04-03-2009, 09:46 PM   #1
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Linux Mint - Tara
Posts: 497

Rep: Reputation: 35
www.aarnet.edu.au Centos5.3 mirror ISO corruption?


Dear Moderator

Could you please check this out and post in relevant forums.

A quick comparison will show a suspicious DVD .iso file dated 1st April 2009 on the aarnet.edu.au server. I downloaded but didn't open the file and trashed and deleted it immediately, so I don't know what the payload if any is. I did notice my modem disconnecting a few times, but that may have been my ISP. Chkrootkit and rkhunter are ok, this morning.

This is not a joke, just think people should be aware. I don't know if other servers for Centos mirrors have been affected or not. Could not find anything about this on centos.org or googling.

Cheers and best wishes

Mazinoz

Last edited by mazinoz; 07-19-2009 at 07:07 PM.
 
Old 04-03-2009, 10:25 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
so.. why are you telling us and not www.aarnet.edu.au?
 
Old 04-03-2009, 10:27 PM   #3
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Interestingly AARNET took a long time to update when 5.3 came out. I ended up using base URLs in yum since there was no sign that a 5.3 directory was being created. This was probably 6 hours post release. Maybe things just got screwed up.
 
Old 04-03-2009, 10:40 PM   #4
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Linux Mint - Tara
Posts: 497

Original Poster
Rep: Reputation: 35
Quote:
Originally Posted by AlucardZero
so.. why are you telling us and not www.aarnet.edu.au?
I already have notified aarnet.edu.au, but maybe their webmaster isn't in today?, also centos.org and aussie.hq.centos.org. so get your facts right before you have another go at me!
 
Old 04-04-2009, 03:59 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Please don't.

As ISO D/L's have a SHA1 or MD5sum it would be easy to check if your DL was corrupted. Since you deleted the ISO you have no indication, and thus no reason, to shout wolf. Please don't tell us something is hacked unless you have some proof to show. If you have no means to check, then next time please use a less sensationalist thread title. LQ and the Linux Security forum will value quality of content over instant satisfaction or slashdotting any time. I'm gonna moderate this thread title to reflect the current situation. Thanks for understanding.

Last edited by unSpawn; 04-04-2009 at 04:03 AM. Reason: clarity
 
Old 04-04-2009, 05:19 AM   #6
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I guess the suspicion was because of the differing iso sizes.
 
Old 04-04-2009, 07:34 AM   #7
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
Quote:
Originally Posted by mazinoz
I already have notified aarnet.edu.au, but maybe their webmaster isn't in today?, also centos.org and aussie.hq.centos.org. so get your facts right before you have another go at me!
Sorry - left my mind reading hat at home again.
 
Old 04-04-2009, 07:38 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by billymayday
I guess the suspicion was because of the differing iso sizes.
Exactly the reason for my response: next to fish vs fishing rod issues, in this forum we should always aim to provide clarity not FUD or guesstimations.
 
Old 04-21-2009, 08:41 PM   #9
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Linux Mint - Tara
Posts: 497

Original Poster
Rep: Reputation: 35

Quote:
Originally Posted by unSpawn
As ISO D/L's have a SHA1 or MD5sum it would be easy to check if your DL was corrupted. Since you deleted the ISO you have no indication, and thus no reason, to shout wolf. Please don't tell us something is hacked unless you have some proof to show. If you have no means to check, then next time please use a less sensationalist thread title. LQ and the Linux Security forum will value quality of content over instant satisfaction or slashdotting any time. I'm gonna moderate this thread title to reflect the current situation. Thanks for understanding.
My apologies if I was unclear, I thought pictures would explain the situation adequately. I don't have the luxury of a crash-test dummy machine at home. I was suspicious because of the similar sizes, except one was Mb and the other Gb, the date 1st April 2009, and because 37Mb was a bit small for a DVD iso. I thought I posted a ? on my title, implying that my statement was a question. I guess it was sensationalist, but I wanted to know if other people had more info about the situation, and I wanted to know urgently if they had been hacked or not. 'Hacking' or a 'joke' were the only terms I could think of at the time. I also just wanted to alert people to be wary until the matter was clarified.

Some time later the web admin at aarnet.edu.au emailed me that it was just a failed download. I just thought it odd that they hadn't noticed the situation themselves and remedied it if that were the case, especially from an organisation like aarnet.edu.au.

Anyway the site is up again with an amended DVD iso.

I do appreciate your info on security issues. Guess I was just a bit paranoid this time.

Cheers
 
Old 04-22-2009, 04:18 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mazinoz
I do appreciate your info on security issues. Guess I was just a bit paranoid this time.
No problem. I agree we should trust mirrors to be and keep up to date and check what they mirror. However that does not exempt individuals from checking their downloads themselves because they have the means to verify things are OK. It's a good thread in that I hope it will remind people to actually check things, communicate and investigate things. Thanks for the feedback.
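
The check described in posts #5 and #10, as an added example that is not part of the original thread: compare a downloaded ISO against the published SHA1 manifest and reject a file that is implausibly small, like the 37 MB "DVD" image discussed above. The function names, the sha1sum-style manifest layout and the optional size threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a sha1sum-style manifest:
# "<40 hex chars>  <filename>" per line, as printed by sha1sum(1).

# expected_sha1 MANIFEST NAME: print the hash the manifest lists for NAME.
expected_sha1() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }          # "*" marks binary mode
        f == name { print tolower($1); exit }
    ' "$1"
}

# verify_download FILE MANIFEST [MIN_BYTES]
# Returns 0 hash matches, 1 hash mismatch, 2 FILE not listed in MANIFEST,
#         3 FILE smaller than MIN_BYTES (truncated or failed download).
verify_download() {
    file=$1; manifest=$2; min_bytes=${3:-0}
    want=$(expected_sha1 "$manifest" "$(basename "$file")")
    [ -n "$want" ] || return 2
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -ge "$min_bytes" ] || return 3
    got=$(sha1sum "$file" | awk '{ print $1 }')
    [ "$got" = "$want" ] || return 1
    return 0
}

# Command-line use: sh verify_iso.sh image.iso sha1sum.txt [min_bytes]
if [ "$#" -ge 2 ]; then
    rc=0
    verify_download "$@" || rc=$?
    case $rc in
        0) echo "OK: SHA1 matches manifest" ;;
        1) echo "FAIL: SHA1 differs from manifest" ;;
        2) echo "FAIL: file not listed in manifest" ;;
        3) echo "FAIL: file is smaller than expected" ;;
    esac
    exit "$rc"
fi
```

A manifest fetched from the same mirror as the image only catches corruption such as a failed download; take the manifest from the project's own site so that a modified image on the mirror would also fail the comparison.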
 
  

