Beware 'Fedora-Redhat' Fake Security Alert 628
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official-sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a user's home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
I'll try it... (Score:5, Interesting)
Stay tuned.
Stupid Tricks? (Score:5, Interesting)
Re:I'll try it... (Score:2, Interesting)
Re: I'll try it... Execution results! (Score:4, Interesting)
From shc's manpage:
Definitely doing something then, at least viewing the parent post.
Re:text of site (Score:4, Interesting)
Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At minimum the "./inst" section should say "make install", which is much more common. So this would only affect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".
This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausible. They could have at LEAST gotten someone who knows English better.
Does anyone else find it strange someone would go through all the trouble of registering a domain name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/patch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.
Most people could have done better, IMHO.
Unauthorized use of RedHat Logo and name (Score:2, Interesting)
My question is: can these a**holes get away with using the 'fedora' name instead?
ps. I am not affiliated with RH in any way.
Copyright © 2004 All rights reserved. Redhat is a registered trademark of Redhat (only). No soup for you.
Re:We knew this day would come (Score:5, Interesting)
Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.
Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"
Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and
First time I saw a similar feature was in Kerio Personal Firewall, which would ask every time a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).
In conclusion, I want to say that I believe if all people had:
1) Startup Monitor [mlin.net] - Painfully simple, no one should be without it.
2) Kerio Personal Firewall [kerio.com], or equivalent
3) An executable monitor as described above.
* SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)
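The "executable monitor" this comment describes, which notices when a binary on the system is introduced or replaced (the commenter mentions Kerio keeping MD5 hashes for this), can be prototyped as a simple integrity baseline. The script below is an added example, not the commenter's code or any product's: it walks a directory tree, records a SHA-256 digest for every regular file with an execute bit (SHA-256 is an assumption here in place of the MD5 the comment mentions), and then reports files that were added, removed, or whose contents changed between two snapshots. The sample files and the "replaced binary" scenario in demo() are constructed inline so it runs offline.

```python
"""Executable integrity monitor: snapshot digests of executables and report changes.

Added example (not from the Slashdot thread). Assumes a POSIX filesystem where
execute bits are meaningful; the demo builds its own files in a temp directory.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Set


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable(path: str) -> bool:
    """True for regular files (not symlinks) with any execute bit set."""
    info = os.lstat(path)
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(info.st_mode) and bool(info.st_mode & exec_bits)


def build_baseline(root: str) -> Dict[str, str]:
    """Map each executable under root (relative path) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_executable(full):
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Diff two snapshots: new executables, vanished ones, and ones whose bytes changed."""
    old_keys, new_keys = set(baseline), set(current)
    modified = {k for k in old_keys & new_keys if baseline[k] != current[k]}
    return {
        "added": new_keys - old_keys,
        "removed": old_keys - new_keys,
        "modified": modified,
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: take a baseline, then swap one binary, add one, delete one."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes, executable: bool = True) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
            os.chmod(full, 0o755 if executable else 0o644)

        # Constructed "system": two executables and one plain config file.
        write("bin/ls", b"#!/bin/sh\necho original ls\n")
        write("bin/cat", b"#!/bin/sh\necho original cat\n")
        write("etc/config", b"not executable\n", executable=False)
        baseline = build_baseline(root)

        # Simulated tampering: bin/ls replaced, a new bin/inst dropped, bin/cat removed.
        write("bin/ls", b"#!/bin/sh\necho replaced ls\n")
        write("bin/inst", b"#!/bin/sh\necho new binary\n")
        os.remove(os.path.join(root, "bin", "cat"))
        current = build_baseline(root)

        return compare(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

Run it as a script to see the three buckets. In a real deployment the baseline would be stored somewhere the monitored host cannot silently rewrite (read-only media or a remote log), otherwise an intruder who replaces a binary can also replace the digest that would have exposed it.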
Re:Here's what WHOIS says: (Score:2, Interesting)
One's a teacher, one is guilty of child abuse (something to be unpopular for) and one just lost a football game today (/thinks of ace ventura plot)
Updated version from a couple of days ago... (Score:4, Interesting)
Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.
Re:I'll try it... (Score:1, Interesting)
Re:We knew this day would come (Score:5, Interesting)
And allowing only registered executables to run is a bad thing. Who should decide?
On my computer, I should decide, and the registration dealie should provide me with the information I need to make the decision.
The two parts of Microsoft's weird DRM thing I disagree with (with regards to running executables) are that the key is inaccessible to me, stashed somewhere in the BIOS, and that Microsoft is the one who decides what is safe and what isn't.
everyone now.... (Score:1, Interesting)
Let's use all of his bandwidth quota up.
Re:Real link? (Score:3, Interesting)
I'm running the following script on my box, and I recommend others to do the same.
while true; do wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.g
If enough people do the same, either the site is taken offline, or we're gonna cost him a pretty penny.
Re:I'll try it... (Score:1, Interesting)
Every port is open? Is it running tcpdump?
Probably is compromised.
Re: I'll try it... Execution results! (Score:5, Interesting)
notifying the appropriate people.... (Score:3, Interesting)
abuse@above.net
Subject : malware using your netblock to propagate
http://it.slashdot.org/article.pl?sid=04/10/24/2352234&tid=172&tid=110&tid=218&tid=106
The story reports on a linux trojan that, after installing, emails a report back to root@addlebrain.com. The MX record for addlebrain.com points to sitemail.everyone.net. It would reduce the effect of this if you could shut down that email account.
Better yet, you should gather the list of infected IPs and then inform the owners.
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re:The guy seems to be Romanian (Score:2, Interesting)
Comment removed (Score:3, Interesting)
Re:We knew this day would come (Score:3, Interesting)
Really? IMHO computers probably are as easy as cars. i.e. if my car needs some maintenance, I don't do it myself (at least, not for anything but the most simple stuff - I wouldn't know where to start), I go to the garage and pay someone who knows what he's doing to fix it. The same applies to computers - if you need some maintenance doing to your computer and you don't know enough to do it yourself then you should be paying a professional to look at it.
Too many people have an attitude of "it should be simple enough for me to maintain" when it comes to computers - I have to ask why? How many people strip down their car engine and then are left with a pile of bits on the floor with no clue how to put them back together and blame the car manufacturer for not making it "easy enough"?
Just because a computer plugs into the wall like a toaster doesn't mean that the user has a "right" to be able to maintain it without any training. I think people need to get out of the idea that computers are things which you buy and then they don't need any upkeep - computers are definitely things that you buy and then need maintenance every so often. Some of us are knowledgeable enough to do it ourselves, but the rest should get a professional to sort it out. Maybe manufacturers specifying that a computer requires a yearly service by a professional engineer would be a good idea?