NEWS FROM THE LAB - Monday, October 25, 2004

Case fedora-redhat.com Posted by Mikko @ 10:06 GMT

Fake site
During the weekend somebody, using fake registration data, registered the domain fedora-redhat.com, which is awfully similar to the official homepage of the Fedora project at fedora.redhat.com. Fedora is a free operating system supported by Red Hat Linux.

Then somebody did a fairly large spam run targeting Linux users, with a message claiming that a security vulnerability had been found and that the fix was available at fedora-redhat.com.
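The whole trick here is a host name that looks like a subdomain but is not one: fedora-redhat.com is a separate registrable domain, while fedora.redhat.com sits under redhat.com. As an added illustration (not code from the original post or from Red Hat), the Python below sorts links from a message into "official", "lookalike" and "unrelated" by checking whether the host is the official domain or ends with a dot followed by it, and flagging hosts that merely contain the official name. The sample links are constructed, not the real URLs from the spam:

```python
from urllib.parse import urlsplit

# The official Fedora site named in the post lives under redhat.com.
OFFICIAL_DOMAIN = "redhat.com"

# Constructed sample links in the style of the spam described above
# (placeholder paths; not the actual URLs from the 2004 run).
SAMPLE_LINKS = [
    "http://fedora.redhat.com/download/updates/",
    "http://fedora-redhat.com/fedora-update.tar.gz",
    "http://www.example.edu/~user/fedora/update",
]


def host_of(url):
    """Lowercase host name of a URL, or None if the URL has none."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_official(url, official=OFFICIAL_DOMAIN):
    """True only if the host is the official domain or a real subdomain of it.

    The check is on the dot boundary, so fedora-redhat.com, fedoraredhat.com
    and redhat.com.example.net all fail it.
    """
    host = host_of(url)
    if host is None:
        return False
    return host == official or host.endswith("." + official)


def classify(url, official=OFFICIAL_DOMAIN):
    """Return 'official', 'lookalike' or 'unrelated' for one link."""
    host = host_of(url)
    if host is None:
        return "unrelated"
    if is_official(url, official):
        return "official"
    # A hyphen, a dot in the wrong place, or nothing at all standing in for
    # the real dot: strip separators and look for the official name inside.
    second_level = official.split(".")[0]  # "redhat"
    if second_level in host.replace("-", "").replace(".", ""):
        return "lookalike"
    return "unrelated"


def triage(urls, official=OFFICIAL_DOMAIN):
    """Map each link to its verdict; handy for scanning a batch of messages."""
    return {url: classify(url, official) for url in urls}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

The "lookalike" bucket is deliberately broad: it catches the hyphen-for-dot case from this campaign as well as the official name buried in a longer host, which is the kind of link worth eyeballing before anyone downloads a "fix" from it.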

Fake site
The file itself (offline by now) appears to be a fairly typical rootkit.

Red Hat has posted an advisory on this. At first this seemed weird, as they dated their advisory Saturday the 23rd, while the fedora-redhat.com domain was apparently registered only on the 24th and the spam headers we've seen show the messages were sent on the 24th.

However, we just got confirmation from the Red Hat Security Response Team that there was an earlier, similar spam run on Saturday the 23rd, except that the link in that spam pointed to a web page on a university server. Apparently the attacker didn't get good enough results, so he decided to register the website and retry on Sunday.