Virus warning from www.puppylinux.com/manuals.htm

Puppy related raves and general interest that doesn't fit anywhere else
Message
Author
DigitalCrypto
Posts: 12
Joined: Sun 26 Aug 2007, 19:19

#41 Post by DigitalCrypto »

I am one of the people that took it deep in the anus on this thing. Unfortunately a lot of my dev software only works on Windows and it's not too often that I get the alerts for virii or use IE. Thankfully I do keep archives and many backups off-machine.

I was running clamAV when this happened and it was a rather quick infection. Incidentally, F-Prot was the only tool that caught it, after the fact.

I had some 35 password/key loggers and trojans installed in less than 30 minutes time. I ended up fdisking ftw. It cost me a day's worth of time to remedy/rebuild and am I dumber for having trusted Puppy websites to be secure.

BTW Word Press is a popular target for hackers. It's riddled with security holes and cross sight scripting vulnerabilities.

If you want secure, powerful, flexible and simple you should definitely check into Drupal.

@Jeff: You are completely correct. It only takes a little bit of patience to sneak something into Puppy legitimately (even as a simple package) that can cause a serious problem. It's very easy to misbehave when you are not denied root access to any part of the OS.

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

IFRAME EXPLOIT PERSISTS

#42 Post by alienjeff »

Either it was missed in the sweep or it's back.

http://puppylinux.com/links.htm

I checked all pages in the main page's menu bar, but that's the extent of my searching. To go any deeper is the job of the owner, not the visitor.

Barry: please leave Dingo be and clean the dog run.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#43 Post by alienjeff »

IRC user ralphv caught the following that's on puppylinux(dot)com's main page:

Code: Select all

</body></html><!--ngz-->
<div style="position:absolute;left:-200000px">| <a href="http://transplants.org/images/Titles/pharmacy/arimidex/">arimidex</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/standing tall/">female standing tall</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/accutane/">accutane</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/relafen/">relafen</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zyban/">zyban</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/lipitor/">lipitor</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zithromax/">zithromax</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/doxycycline/">doxycycline</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zyvox/">zyvox</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/diflucan/">diflucan</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/prednisone/">prednisone</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/poisonous crap/">poisonous crap</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/lamisil/">lamisil</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/standing tall/">standing tall</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/wellbutrin/">wellbutrin</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zoloft/">zoloft</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/paxil/">paxil</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/clomid/">clomid</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/celebrex/">celebrex</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/ultram/">ultram</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/poisonous crap/">poisonous crap</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/lexapro/">lexapro</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zyrtec/">zyrtec</a> </div>
<!--ngzf-->
Barry have any stock in pharmaceuticals? If not, stop feeding the bots and spiders.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#44 Post by John Doe »

clearly Servage's box has been completely compromised.

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#45 Post by alienjeff »

It has been just over 42-hours since I last posted about this.

puppylinux(dot)com still has the IFRAME EXPLOIT embedded in the main page, and the links page still has the pharmaceutical links at the bottom of the source code.

Unless this matter is tended to, sooner or later someone (it won't be me) is going to very ungently report this on DistroWatch and/or similar on-line rags.

P.S.

@John Doe

Clearly neither Servage nor anyone else is doing anything about this. :?
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

wingruntled

#46 Post by wingruntled »

Sure enough :(
And I just got done from a complete reinstall of of everything, so this isn't a cache or worm issue.
Not yet anyway :/

User avatar
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#47 Post by BarryK »

alienjeff wrote:Clearly neither Servage nor anyone else is doing anything about this. :?
See my latest blog post.
If Servage doesn't fix it soon, I'm moving. Unfortunately I paid for a year and have only been there a few months.

I can reupload everything again, which is what I have been doing, but I am leaving it as-is for now so that Servage can see its condition.

I'll wait a bit longer, not much longer, then reupload everything again.
[url]https://bkhome.org/news/[/url]

wingruntled

#48 Post by wingruntled »

but I am leaving it as-is for now so that Servage can see its condition.
Not smart!
In the mean time all Windows vistitors inquirering about Puppy gets blasted with a trojan.

muggins
Posts: 6724
Joined: Fri 20 Jan 2006, 10:44
Location: hobart

#49 Post by muggins »

In the mean time all Windows vistitors inquirering about Puppy gets blasted with a trojan.
It's definitely not good if any puppy sites are hosting any malware. But, if it's true that these things are specifically targetting ActiveX vulnerabilities in IE, how come we haven't seen any response from Microsoft support? I mean, Bill does post regularly to the forum, doesn't he?

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#50 Post by alienjeff »

@Barry
Thanks for the update. To leave the iframe exploit online is as much as supporting the black hats. Instead of passively waiting for the techs at Servage to check the pages live, if and when they ever get around to it, please consider:

1) copying and saving the the HTML from both the index and links pages,
2) upload clean index and links pages, and
3) attach appropriate excerpts of HTML to correspondence with Servage.

I noted that several of your puppylinux(dot)com pages were generated using IBM WebSphere Studio Homepage Builder V6.0.0 for Windows. Assuming you use Windows from time to time, it's conceivable that your own Windows box may be compromised and the reinfection could be taking place quite close to home. Anyone else with admin privies to puppylinux(dot)com should check their systems for infection, too.

It would be sad if at the end of the day it turned out to be a case of either tail or ghost chasing ...

@Community
Going by this thread, two of "our own" have been infected, though there may be more and we haven't heard from them. They may be a tad embarrassed to display soiled laundry.

Regardless of how some of us feel about the monster of Redmond that is Microsoft, it's important to remember that a many of us may very well may have been introduced to Puppy while still using IE.

Also remember the old saw about Linux being inherently safe from virii, trojans and such. Puppy could take a devastating publicity hit should the wrong person innocently visit puppylinux(dot)com and click "links" in the menu bar. When I say devastating, I mean a publicity hit that would make the infamous Mark South Distrowatch Dramarama barely a blip on the radar screen.

Please don't ask me to spell it out any further. Use your own imagination.

Think about it.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

wingruntled

#51 Post by wingruntled »

Warning for all forum users:
Turn off :display email address: in your user profile. I didn’t realize till yesterday that this phpBB version doesn’t use an internal mail server for sending emails to other users.
Your email address is displayed with as little as a mouse-over. This makes it so easy for anyone to gather ALL emails, from everybody registered on this rather old and buggy version of phpBB.
There is a script out there that can gather all your email addresses in just a minute or two.
Email spam is as bad as that crap in a can. LOL

User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

email address

#52 Post by prehistoric »

@wingruntled,

I was embarrassed to find that out some time before the changeover, while using a friend's machine to view the forum. Makes me wonder what else we haven't noticed.

wingruntled

#53 Post by wingruntled »

@prehistoric
I just can’t help but wonder why somebody got so hacked off at the Puppy community to launch such an intensive cross site attack. These are not some random attacks.
Thanks for having some others look into this problem. :)

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#54 Post by alienjeff »

Image
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

wingruntled

#55 Post by wingruntled »

If I told you once I told you a thousand times!
Get your hands off that, aj. You know you don’t know nothin’ bout machinery.
ROFLMAO

User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

I've got the answer!

#56 Post by prehistoric »

After checking Barry's (now static) blog, I just had a brilliant insight.
And here is the response from Servage:

Hello Barry

We are sorry to hear about your hacking issue. Kindly remove all the file contents in your account, change all the passwords, reupload all the contents. Make sure that you are not using any insecure script in your account and also try to avoid the 777 file permissions as they make the files world writable and hence vulnerable.

Thank you! :)

Kind regards,
Scott, Support
Servage Hosting

'Scott' is telling me to do what I have just told him that I have already done!
Quick! Pick up the telephone and warn Servage. Their customer service department is currently staffed with 'bots.

prehistoric

wingruntled

#57 Post by wingruntled »

Servage doesn’t have phone support. They are as useless as OO’s on a bull.

User avatar
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#58 Post by BarryK »

You need to see their second reply, at puppylinux.com/blog.

Note, I have cleaned up my site, yet again.
[url]https://bkhome.org/news/[/url]

User avatar
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#59 Post by BarryK »

I also changed my passwords again. So, we wait and see if my site gets compromised again....
I dunno, maybe the previous time I changed my password wasn't enough and it was somehow discovered. Well, right now my site seems to be clean and I have brand spanking new passwords, so we shall see.
[url]https://bkhome.org/news/[/url]

User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

the Servage 'botnet

#60 Post by prehistoric »

O.K., Barry, my first hypothesis was too conservative. Servage is staffed entirely by 'bots.

This is a pity, If there were any humans available I would send them a link to this article. computerworld article

Post Reply