Slashdot Mirror


Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a user's home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

40 of 628 comments

  1. Re:We knew this day would come by Stevyn · · Score: 5, Funny

    I wouldn't worry, they're probably on the forums trying to find the command to install it.

  2. Whois by rsrsharma · · Score: 1, Funny

    Whois of fedora-redhat.com:

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    Looks like somebody's gonna get arrested. ;)

  3. Surprisingly by Mentorix · · Score: 4, Funny

    Running untrusted code can result in system compromise.

    Everyone checks the gpg signatures right?

  4. Use the /. effect for good by JamesTRexx · · Score: 3, Funny

    Now if each time when someone tries this sort of thing gets their server posted here on slashdot, we could actually do something good with the slashdot effect and put their server up in smoke before much damage is done. :-D

    --
    home
  5. Re:I wonder... by Forezt · · Score: 4, Funny

    or better yet, if Microsoft paid the Yankee group to do it for them, and then do an "independent study" on it.

  6. PHEW! by big+daddy+kane · · Score: 5, Funny

    I'm sure glad I'm using windows!

    1. Re:PHEW! by Anonymous Coward · · Score: 0, Funny

      Sooner or later, one of these is gonna compile under Cygwin...

  7. Linux - Where the malware comes with the source by cranos · · Score: 5, Funny

    Dammit why does Linux have to be so complicated, I mean damn you have to compile your own viruses and everything!!!!

    1. Re:Linux - Where the malware comes with the source by /dev/trash · · Score: 5, Funny

      You think you have it bad? I run Gentoo. I'm still compiling all the files needed for this one to run.

  8. Re:Finally... by Fapestniegd · · Score: 5, Funny

    Debian has been weeding out incompetent users with its "impossible to use" installer for years.

    It keeps the "Mandrake Crew" off of the debian-users lists.

  9. Coding 0, Grammar 0. by monoi · · Score: 5, Funny

    Anybody running RedHat and Fedora are strongly adviced to apply this patch!

    But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!

  10. Re:Trademark infringement... by }InFuZeD{ · · Score: 2, Funny

    Ok, that was a horrible misspelling of malicious :|

  11. Re:text of site by justforaday · · Score: 4, Funny

    Thanks for posting that! Whew, I sure am glad I managed to get that patch installed before anyone was able to take over my system...

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
  12. Stupidity by enginuitor · · Score: 3, Funny

    The funniest part is that the code (a shell script compiled into C code, then into a binary, to obfuscate its purpose) failed miserably on my test systems, both Knoppix AND Fedora Core 2. It spat out a bunch of errors which completely revealed the fact that it was trying to add a user, start sshd, etc. C'mon, if you're gonna terrorize the Linux world, at least do it right!

  13. Checksum by jesser · · Score: 4, Funny

    >md5sum fileutils-1.0.6.patch.tar.gz

    68349c219d941209af8f7c968b89d622 *fileutils-1.0.6.patch.tar.gz

    So you can be sure you're getting the real fake patch.

    --
    The shareholder is always right.
  14. Re:Christ, they didn't do a very good job... by frankthechicken · · Score: 5, Funny

    This was version 0.1 of the trojan, and is not yet ready for public release. With helpful contributions like yours, we hope to use the "many eyes" approach, in keeping with the OSS philosophy, to form a complete and fully featured trojan.

    Thus we would like to thank you for your generous time in helping this valuable project reach its full potential.

    You may also like to take note of our web site www.bugzilla-Fedora-Redhat.com, where we have set up a forum dedicated to improving our product.

  15. Re:Here's what WHOIS says: by Anonymous Coward · · Score: 5, Funny

    Don't forget the domain that the script emails, root@addlebrain.com

    Sorry to disappoint you, but I doubt he owns the domain - they offer free webmail, so it's likely he just signed up for an account. Presumably they didn't stop anyone from getting the username 'root' - I signed up for 'administrator' just now (password 'monkey' if you don't believe me) with no problems.

  16. Probabilities: by reality-bytes · · Score: 5, Funny



    If the Antivirus companies were responsible, they'd have done a better job.

    If Microsoft was responsible, they wouldn't have included any source code.

    If SCO was responsible, they'd have included sourcecode and then sued you for running it

    All things taken into consideration, I'm with 'other' on this one ;)

    --
    Ripping an new rectum in the fabric of spacetime.
  17. I love it! by jd · · Score: 5, Funny

    Linux geek comes across an obvious trojan. What does said geek do? E-mail the site admin? DoS the source site? Noooooo. They set up a sandbox environment and run it, to see what happens!

    (Mind you, I'm no better. First time I got a computer virus, when I was running MSDOS, my first reaction was to run a binary diff against a clean version of the file, and disassemble the result to see what it did. Do you know if there's a cure for this?)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:I love it! by /dev/trash · · Score: 2, Funny

      Marriage.

  18. Re:Use SPF to protect yourself from phishing by Bloater · · Score: 2, Funny

    How do we know this isn't a trojan ;)

  19. Re: I'll try it... Execution results! by OmegaBlac · · Score: 3, Funny

    But it fails and spits out a bunch of errors!

    Sounds like my last kernel compile.
  20. Re: I'll try it... Execution results! by schon · · Score: 4, Funny

    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    If you do, make sure the IP addresses are of .mil and .gov sites. :o)

  21. Re:Contents of inst.c... by nomadic · · Score: 5, Funny

    It's safe to view, as long as you don't go trying to compile and run it! :-p

    Hey, stop trying to deny my GPL rights you Windows-loving tyrant!

  22. I knew it by ganhawk · · Score: 2, Funny

    I knew, my habit of not updating my systems would help me someday.

    --
    Python script to convert photos into "artsy" portraits: http://p2pbridge.sf.net/pyPortrait/
  23. Re:Real link? by Saeger · · Score: 2, Funny

    And I think I'll "benchmark" the site a few million times.

    /usr/sbin/ab2 -n 10000000 -c 10 'http://www.fedora-redhat.com/?you=asshole&garbage =XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXX'
    This is ApacheBench, Version 2.0.40-dev <$Revision: 1.121.2.8 $> apache-2.0
    Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
    Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/

    Benchmarking www.fedora-redhat.com (be patient)

    --
    Power to the Peaceful
  24. Blow by blow by Anonymous Coward · · Score: 2, Funny

    It appears the human body maintains a temperature of approximately 98.6'F... lemmie shove a thermometer up my @ss, and I'll report back my findings here.

  25. Re:Real link? by Saeger · · Score: 3, Funny

    I guess I should have viewed the source of that site before I fired that line off, seeing as the site hotlinks an image on redhat.com.

    Oops.

    --
    Power to the Peaceful
  26. Re:Stupid Tricks? by Rie+Beam · · Score: 4, Funny

    "What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?"

    No monitor.

  27. Re:Christ, they didn't do a very good job... by WindBourne · · Score: 2, Funny

    What do you mean it is not done??? It has the MS quality control stamp all over it. It is not a bug, it is a feature. :):):)

    --
    I prefer the "u" in honour as it seems to be missing these days.
  28. Re:Christ, they didn't do a very good job... by Puff+Daddy · · Score: 2, Funny

    Don't you mean www.bugzilla-Fedora-RedHat.com?

  29. Re: I'll try it... Execution results! by WindBourne · · Score: 2, Funny
    You can do better.
    Try:
    • 216.250.128.21
    • 207.46.144.188

    These are more than good enough.
    --
    I prefer the "u" in honour as it seems to be missing these days.
  30. Re:look at this in a diffrent way by dtfinch · · Score: 2, Funny

    I can just imagine...

    "Attached is a sexy picture of Anna Kournikova.
    To view the picture, simply:
    1) save the attachment
    2) su -
    3) tar -xjf anna.tar.gz
    4) ./configure
    5) make
    6) make install
    7) anna"

  31. This is what happens... by the+angry+liberal · · Score: 3, Funny

    Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary.

    This is an unfortunate reality today. Back in my day, the only way to be a real Linux guru was to compile and build your system from scratch using a dev box.

    Nowadays, any average person can easily install Linux and instantly become "31337". Today's typical Linux user has no idea what half the files on his system do, or where they came from. Unfortunately, the majority of you with moderator points fall into this category so my post is doomed!

    I would advise those who are new to Linux to visit the Linux From Scratch website and set aside a weekend of learning. There is no better method for gaining useful knowledge regarding the reduction of hard drive clutter and increasing optimization, and security.

  32. Re: text (Why? Because.) by Thing+1 · · Score: 5, Funny

    This is an honor virus. Please forward to all your friends, then format your hard drive(s). Thank you.

    --
    I feel fantastic, and I'm still alive.
  33. Re:Jobs by Anonymous Coward · · Score: 1, Funny

    In India or U.S.?

  34. Re:Christ, they didn't do a very good job... by mcrbids · · Score: 2, Funny

    What's interesting, is that I actually got this message as a forward from one of my clients, who uses Progeny updates.

    I was in a hurry, I didn't even think about the fact that Redhat is not Progeny, so my response was to simply run "yum update", a quick preview (there was only like two, not very important packages to update) and that was it. All of about 5 minutes, and I did nothing further, since the kernel wasn't updated and no running services were affected.

    I forgot all about it until now, reading this article!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  35. Re: text (Why? Because.) by Stephen+Samuel · · Score: 4, Funny

    This is a buggy honor virus. Please format your hard drive(s) and then pass it to all your friends.
    Thank you.

    --
    Free Software: Like love, it grows best when given away.
  36. Re:Christ, they didn't do a very good job... by david_costanzo · · Score: 3, Funny

    It's more than just a faulty presentation--the whole premise is inane:

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

    ls and mkdir are running as a network server with root privileges? How did that happen?

    Besides, we all know RedHat systems configure ls and mkdir to change to low-privilege users (lsnobody and mkdirnobody) after accepting the connection (unless you modify /etc/ls.conf or /etc/mkdir.conf, that is).

  37. Re:Christ, they didn't do a very good job... by wheany · · Score: 3, Funny

    Besides, we all know RedHat systems configure ls and mkdir to change to low-privilege users

    We do?