Re: Suspicious Debian 10.0.0 download behaviour.
Hi,
Rick <mt.osmond@bigpond.com> wrote:
> Debian admin,
>
> earlier today I used the download link from Distrowatch to download
> Debian 10.0.0 and got this Swedish link:
>
> /https://caesar.ftp.acc.umu.se/debian-cd/10.0.0-live/amd64/iso-hybrid/debian-live-10.0.0-amd64-cinnamon.iso/
debian-www is for maintaining the webpages of debian.org only.
You might want to post this at debian-live@lists.debian.org instead.
Holger
> Everything proceeded as normal right through to completion of the full
> 2.4GB download and then *surprisingly I was asked to enter my admin
> password and there was another suspicious request window as well.* I
> was highly suspicious and didn't enter any passwords and instead
> cancelled both of those requests. I looked for the downloaded file
> and there was none to be found anywhere on my file system so it appears
> something was downloaded and then when I cancelled it the file was deleted.
>
> I then noticed that the original download site
> (https://cdimage.debian.org/debian-cd/10.0.0-live/amd64/iso-hybrid/debian-live-10.0.0-amd64-gnome.iso)
> on Distrowatch was different from the one that the file had downloaded
> from - ie. it had been redirected. That looked very suspicious so I
> contacted Distrowatch who told me that they simply provide Debian links
> provided by you and that it would be advisable to let you know there is
> some irregularity.
>
> I have now downloaded a "live" version of Debian 10.0.0 from another
> site and it boots and runs OK.
>
> The download behaviour may be OK, but is not at all usual. It could be
> that the site has mixed the Debian files with other files that need
> password protection, but it could also be malicious.
>
> I will leave it with you.
>
> Best wishes, and keep up your much appreciated effort.
>
> Rick
>
>
--
Holger Wansing <hwansing@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508 3529 59F1 87CA 156E B076
Reply to: