Fake Emails about Emergency Security Update
Jeff Pitman
symbiont at berlios.de
Mon Oct 25 02:48:41 UTC 2004
On Monday 25 October 2004 06:35, Sindre Pedersen Bjordal wrote:
> IANAL, but this must be a legal issue, as there's clearly a trademark
> violation.

It's also fraud. The "patch" is actually a script compiled into C using
SHC (http://www.datsi.fi.upm.es/~frosal/sources/shc.html), which
installs a Binary RPM (fileutils-patch.bin). You can run "rpm2cpio" on
the file, but you're not going to see much unless you can read machine
code or diff between the included "ls" and your local "/bin/ls". As
the shc appears to encrypt the actual script with rc4, there's not much
to gain from inst.c either. Although, we know the crook ran shc with
the options: shc -v -r -T -f redhat.

I suspect it just installs a rootkit and overwrites (--replacefiles) all
the common utilities to ensure that an intruder can always get in,
possibly modifying /etc/passwd and friends. Before playing with it,
make sure your PATH does not contain "." before /bin, et al. And don't
poke it while you're root.

take care,
--
-jeff
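
The triage step described in the message above (unpacking the RPM with rpm2cpio and comparing its files against the local ones), as an added example that is not part of the original post. The function names and the scratch-directory layout are assumptions; it needs rpm2cpio and GNU cpio and is meant to be run as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the original post.
# Unpack a suspicious RPM into a scratch directory without installing it,
# then list the payload files that would replace an existing file with
# different content. Nothing from the package is executed.

# unpack_rpm RPM DEST: extract the payload only; no scriptlets are run.
unpack_rpm() {
    rpm=$(readlink -f "$1") || return 1
    mkdir -p "$2" || return 1
    # --no-absolute-filenames keeps every extracted path under DEST
    ( cd "$2" && rpm2cpio "$rpm" | cpio -idm --quiet --no-absolute-filenames )
}

# compare_tree EXTRACTED ROOT: print one line per payload file:
#   DIFFERS /path   a file exists under ROOT with different content
#   NEW     /path   no such file exists under ROOT
# Files identical to the installed copy are not reported.
compare_tree() {
    extracted=${1%/}
    root=${2%/}          # "/" becomes "", so "$root/bin/ls" is "/bin/ls"
    ( cd "$extracted" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -e "$root/$rel" ]; then
            printf 'NEW     /%s\n' "$rel"
        elif ! cmp -s "$extracted/$rel" "$root/$rel"; then
            printf 'DIFFERS /%s\n' "$rel"
        fi
    done
}

# Usage: sh triage.sh fileutils-patch.bin /tmp/scratch
# (triage.sh and /tmp/scratch are placeholder names)
if [ "$#" -eq 2 ]; then
    unpack_rpm "$1" "$2" && compare_tree "$2" /
fi
```

A DIFFERS line only means the payload would overwrite an existing file with other content; a legitimate update does that too, so it marks which files to inspect further.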