Fake Emails about Emergency Security Update

Jeff Pitman symbiont at berlios.de
Mon Oct 25 02:48:41 UTC 2004


On Monday 25 October 2004 06:35, Sindre Pedersen Bjordal wrote:
> IANAL, but this must be a legal issue, as there's clearly a trademark
> violation.

It's also fraud.  The "patch" is actually a script compiled into C using 
SHC (http://www.datsi.fi.upm.es/~frosal/sources/shc.html), which 
installs a Binary RPM (fileutils-patch.bin).  You can run "rpm2cpio" on 
the file, but you're not going to see much unless you can read machine 
code or diff between the included "ls" and your local "/bin/ls".  As 
the shc appears to encrypt the actual script with rc4, there's not much 
to gain from inst.c either.  Although, we know the crook ran shc with 
the options: shc -v -r -T -f redhat.  

I suspect it just installs a rootkit and overwrites (--replacefiles) all 
the common utilities to ensure that an intruder can always get in, 
possibly modifying /etc/passwd and friends.  Before playing with it, 
make sure your PATH does not contain "." before /bin, et al.  And don't 
poke it while you're root.

take care,
-- 
-jeff
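
A static triage sketch of the two precautions in the message above (comparing the package's files with the local ones without running anything, and checking that PATH has no "." ahead of /bin). It is an added example, not part of the original post; the function names, the DIFF/NEW labels and the scratch-directory layout are assumptions.

```shell
#!/bin/sh
# Added example. Assumed workflow, as an unprivileged user in an empty scratch dir:
#   rpm2cpio fileutils-patch.bin | cpio -idm     # unpack only, nothing is executed
#   path_is_safe "$PATH" && changed_files . /

# Return 0 if every PATH entry up to the first system bin directory is an
# absolute path. An empty entry, "." or any relative entry means the current
# directory could shadow /bin/ls while you inspect the unpacked tree.
path_is_safe() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # first entry
        rest=${rest#*:}        # remainder after the first colon
        case $entry in
            /bin|/bin/|/usr/bin|/usr/bin/) return 0 ;;  # system binaries reached first
            /*) ;;                                      # absolute entry, keep scanning
            *) return 1 ;;                              # "", "." or relative entry
        esac
    done
    return 0
}

# For each regular file in the unpacked tree ($1), compare it byte for byte
# with the file at the same path under the reference root ($2, default /).
# Prints "DIFF <path>" for a mismatch and "NEW <path>" when there is no
# local counterpart. Files are only read with cmp, never run.
changed_files() {
    extracted=$1
    root=${2:-/}
    root=${root%/}             # "/" becomes "" so paths join as /bin/ls
    ( cd "$extracted" && find . -type f ) | while IFS= read -r rel; do
        rel=${rel#./}
        ref=$root/$rel
        if [ ! -e "$ref" ]; then
            printf 'NEW %s\n' "$rel"
        elif ! cmp -s "$extracted/$rel" "$ref"; then
            printf 'DIFF %s\n' "$rel"
        fi
    done
}
```

A DIFF line only says the bytes differ from the local copy; comparing against a known-good copy from trusted install media is more reliable than comparing against a host that may already be modified.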




More information about the fedora-devel-list mailing list