Virus warning from www.puppylinux.com/manuals.htm

Puppy related raves and general interest that doesn't fit anywhere else
oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#61 Post by oblivious »

alienjeff wrote:@Barry
Assuming you use Windows from time to time, it's conceivable that your own Windows box may be compromised and the reinfection could be taking place quite close to home. Anyone else with admin privies to puppylinux(dot)com should check their systems for infection, too.
If the infection were coming from the machines of those creating the site content, can the puppy files themselves (i.e. the ibiblio downloads) be infected? Would infection be detected by virus scanners?

big_bass
Posts: 1740
Joined: Mon 13 Aug 2007, 12:21

#62 Post by big_bass »

BarryK wrote: Note, I have cleaned up my site, yet again.
For anyone who wants to help monitor the main page
a nice tool to keep an eye on things
name of the plug-in is called firebug
https://addons.mozilla.org/en-US/firefox/addon/1843

dillo shows hidden txt for a quick view
ftp://ibiblio.org/pub/linux/distributio ... eki-mu.pet

On a positive note, many people will be looking for changes made on the main page.
I made a copy of the clean site so I can check if something else gets added

more eyes watching
more whistle blowers
we all use puppy and want it safer

I use the main page frequently and it
is annoying to try to use all the links and avoid a very
important source of information

I am happy that the main page is clean now

big_bass
Last edited by big_bass on Sat 08 Mar 2008, 21:06, edited 1 time in total.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#63 Post by alienjeff »

^ Ditto my big_bass brother, aka "what he said." ;)

And thanks for the follow-up work, Barry!
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#64 Post by Sage »

One is massively impressed by those who have contributed wisdom to this very serious matter that affects us all. Can one of them please get together with John (or Barry) in order to describe in a separate thread, or preferably another section, all the minute details as to what those of us without an IT background should do with our systems, including 'doze. That might include what files/statements/w.h.y. to search for, which utilities to use and where to obtain them such that they aren't themselves compromised, what to do if/when trojan, worm, whatever malware is found, etc. That is to say, not just the bland advice on virus and malware scanners. In the circumstances, this might be one of the best public services that such competent practitioners can offer.

As for Barry and Servage, it would appear that they might have violated the terms of their contract (or the contract is invalid?). That being the case, Australian Law is every bit as good as that in Europe or the USA and he should have absolutely no difficulty in recouping his unused subscription, possibly damages and certainly costs. If he is less than sure about the way hosting companies operate, there doesn't seem to be any shortage of folks here who could provide a notarised statement as evidence - last time I was in the USA this cost $1 for signature, $5 for the full package, £3 in the UK; money well spent, especially when it counts as costs.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#65 Post by alienjeff »

Alien Update: Just checked the homepage and all pages accessed through the horizontal menu bar. Clean for now. Will continue to keep an eye on these. -aj
Last edited by alienjeff on Sun 09 Mar 2008, 03:37, edited 2 times in total.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

advice on protection

#66 Post by prehistoric »

@Sage,
One is massively impressed by those who have contributed wisdom to this very serious matter that affects us all. Can one of them please get together with John (or Barry) in order to describe in a separate thread, or preferably another section, all the minute details as to what those of us without an IT background should do with our systems, including 'doze.
Since the impressive people are silent at the moment, I'll take a shot at this. That's a very reasonable thing to ask. However, if the server is in the hands of the opposition, there isn't a whole lot that is safe to do. I don't have a great deal of specific experience with Windoze malware, yet, even so, I can tell you that a single banner ad on a legitimate Italian newspaper site clobbered a friend's system, even though he had up-to-date protection and didn't click on the banner. That's only one of the exploits the Trojan at the end of the redirects was designed to try. Best advice: don't go into dark territory running Windoze and, definitely not running IE, and do use a Firewall. If you detect unreasonable activity, kill the browser immediately, and maybe even hit the power switch. Booting Puppy from a CD with "pfix=ram" makes this option pretty safe.

Recent updates for Firefox and Opera have fixes for some kinds of cross-site scripting. There are also extensions, like noscript for Firefox, that give you more control over the scripts your browser runs. Even so, I don't recommend using a browser to explore an infected site, unless you want to see what the infection does on a test machine. Some of this malware is of professional caliber, and it is really asking too much of ordinary users to have them deal with it.

First, we need to make sure the server is clean and its vulnerabilities fixed. Second, we need to track down the malefactors. Some of the lack of detailed specifics here is because of this effort. When this episode is wrapped up we should have a much better idea of what to tell people. I can't promise full disclosure of things I don't know, but I can promise to be part of the chorus requiring explanations.

Now back to alien and his regular sedition. Over to you, Jeff.

prehistoric

wingruntled

#67 Post by wingruntled »

Prehistoric
Well, the name's not Jeff, but your advice was right on target. The Firefox & Seamonkey plugin, NoScript, adds a very high level of protection for surfing the net. There is no need to allow scripts in Most! web pages, including this forum & puppylinux.com. In conjunction with NoScript, AdBlock Plus stops most un-needed advertising garbage from even coming through, and then NoScript helps to stop the rest of the garbage. These two are a must in Windows & Linux.
A good firewall is also a must. Don't rely on your broadband modem/router alone. I prefer a firewall on which I can monitor traffic on the fly and block any connection instantly if I find a need. Unfortunately the only Linux firewall that I have found (Firestarter) that has real-time monitoring is not available for Puppy.
Now my advice for Windows users only. If you have a whole slew of programs loading on startup, get rid of them! Windows programs have a very bad habit of opening network ports for one reason or another and leaving great big holes for the flies to enter. For example: instant messengers, any program that auto-updates (Norton for one), Windows itself, any program that checks for a song's title & author, ANY P2P software, etc, etc, etc. A very good way to check and see if your system is a wide-open window is to go to Gibson Research and have your system scanned with their Shields Up port scan. If you are anything but “stealth

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#68 Post by BarryK »

For the record, to avoid unnecessary speculation, I haven't used Windows for a couple of years. I have only fired up Windows when I wanted to compare some hardware compatibility or something.

My web pages that have "IBM Websphere Homepage Builder" in the source were created about 3 years ago. If I ever need to update those old pages, I use SeaMonkey Composer.

I'm pretty sure my Linux boxes are clean, and I'm not uploading any files with viruses (etc) already in them!
[url]https://bkhome.org/news/[/url]

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#69 Post by alienjeff »

BarryK wrote:I'm pretty sure my Linux boxes are clean ...
Making f-prot your ally and cron your servant can change the "pretty" to "99%" ... ;)
Last edited by alienjeff on Sun 09 Mar 2008, 03:38, edited 1 time in total.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

Th3_uN1Qu3
Posts: 141
Joined: Sun 27 May 2007, 17:31
Location: Bucharest, Romania

#70 Post by Th3_uN1Qu3 »

Adding to what wingruntled said about securing windoze:

Use Opera as your browser.

I have yet to see an exploit that works in Opera. Even those sites which get you full of trojans, like those IM (yahoo, msn etc) viruses which send spam links to everyone in your messenger list, just won't work in Opera. I tried navigating on one of those sites on my main computer with Opera after cleaning a friend's machine of that virus (and damn, it was pretty nasty!), and the script on the server gave an error. :D Also, Opera has content blocking too, and there is an ini file available for download which blocks over 95% of the ad servers.

Keep your antivirus updated (and for God's sake, DON'T USE NORTON), also have some antispyware software installed. I found the best to be Ad-Aware SE Personal 1.06r1, the old version. It's nice and fast, just that now you have to update the definitions file manually coz official support has been discontinued. But you can find the updated defs on any major software download site.

If you got infected, then HijackThis is the best and quickest way to get rid of it. My friend had that IM virus, and it was that bad that it closed the task manager and registry editor if you tried to open them, even in safe mode. But I could disable it from running at startup by using HJT, and then removing it was easy. If you don't know how to use HJT, you can find help on many forums. Or PM me your log and I'll handle it for you.

That'd be about it for those of you still running doze, this is a Linux forum anyway. :P
[b]Toshi Portege 4010[/b] | PIII Tualatin 933MHz | 512MB RAM | Cyberblade 16MB | 30GB | WiFi, IrDA | ~5 hrs runtime | WinMe :( |

[img]http://img230.imageshack.us/img230/8125/userbar654682fy5.gif[/img]

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#71 Post by Sage »

That's some very helpful advice; thanks a bundle. As most will know, I've been an advocate of Opera for a long while, not just because it's small, fast and competent. Indeed, Opera in BSD is probably as safe as it gets simply because the cross-product of effort required with number of punters makes such a minority player very unattractive to the criminal fraternity.

At one time, the CIA/FBI asked for all instances of cybercrime to be reported to them. I had very useful feedback on one occasion from them. Highly improbable that GCHQ/Carnivore/Echelon has not been monitoring this thread, but it might be worth (a US citizen?) making a formal complaint. Those fellas outperform any other government department I've encountered anywhere in the world. There's a website somewhere for reporting incidents.

[http://www.lavasoft.com/support/securitycenter/blog/ provides defs.ref update files for manually updating Ad-aware v.1.06r1. Look on the far t.r.h.s ; scrolling may be necessary.]
'doze users could also avail themselves of the most excellent (Aussie) 98lite and have done with IE forever.
Last edited by Sage on Sun 09 Mar 2008, 10:10, edited 1 time in total.

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#72 Post by oblivious »

Sage wrote: I've been an advocate of Opera for a long while
I didn't know that. I like Opera but I've only recently discovered it and have used Firefox mostly. The thing is, I got no virus warning, no nothing, using Firefox (which is why I asked about it affecting only IE). (I'm sure I visited the site several times in the days leading up to this thread being posted, and I downloaded things.) The whole virus thing just creeps me out :cry:

Th3_uN1Qu3
Posts: 141
Joined: Sun 27 May 2007, 17:31
Location: Bucharest, Romania

#73 Post by Th3_uN1Qu3 »

oblivious wrote:
Sage wrote: I've been an advocate of Opera for a long while
I didn't know that. I like Opera but I've only recently discovered it and have used Firefox mostly. The thing is, I got no virus warning, no nothing, using Firefox (which is why I asked about it affecting only IE). (I'm sure I visited the site several times in the days leading up to this thread being posted, and I downloaded things.) The whole virus thing just creeps me out :cry:
It only affects IE as far as I know.

I used Firefox in the past too, but about 3 years ago my cousin told me about Opera, and I've been using it ever since. It's faster than Firefox and doesn't need any plugins for ad blocking and stuff, it just works out of the box. I've seen that there are many widgets available for Opera - I have yet to need to use one.

Btw, Opera Mini is the best thing that ever happened to my cellphone. :D
[b]Toshi Portege 4010[/b] | PIII Tualatin 933MHz | 512MB RAM | Cyberblade 16MB | 30GB | WiFi, IrDA | ~5 hrs runtime | WinMe :( |

[img]http://img230.imageshack.us/img230/8125/userbar654682fy5.gif[/img]

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

The Feds

#74 Post by prehistoric »

@Sage,

Here's an example of FBI work. botnet barons
The CastleCops site mentioned is also a good place for users of personal computers to get advice and help in dealing with spam and malware. They have forums devoted to specific security applications, such as, Hijack This and Zone Alarm. There are also places to upload examples of spam and malware. As you can see, the Feds do pay attention to them.

The U.S. has no monopoly on reliable law enforcement. Here's an example of the RCMP getting their man. Canadian hacking ring
(Brings back childhood memories of "Sgt. Preston". And, just why was "King" a "wonder dog", anyway?)

prehistoric

jrb
Posts: 1536
Joined: Tue 11 Dec 2007, 19:56
Location: Smithers, BC, Canada

#75 Post by jrb »

The following is a Windows intrusion, Pure Puppians please ignore:

In all the years I used Windows, and I still use it to run my scanner, I found the best safeguard to be Norton Ghost, now Acronis True Image. Partition your hard drive and store all your personal files on a separate partition; you can reset My Documents to this new partition. If you're sure your C: drive is clean, build an image. If you add new software, build a new image. I always keep the 1st and the last. If you have ANY kind of software trouble, copy the image back to the C: drive, update your antivirus and spyware files immediately, scan your personal files, and you're good to go. As well, this eliminates the need for System Restore. You can turn it off and delete the Restore files. This has gotten rid of virus infections for me on several occasions. Once, even before I realized I had one, and before McAfee came out with the data file.

proxy
Posts: 2
Joined: Sun 09 Mar 2008, 18:01

Servage

#76 Post by proxy »

I had problems recently with Servage with an exploit Iframe trojan found on my websites; here I wrote about it on my blog:
http://www.proxyutza.com/2008/03/07/exp ... infection/

wingruntled

#77 Post by wingruntled »

The general consensus of servage is. You get what you pay for (sarcasm) and most of the time it’s less of what they claim and more of what they refuse to acknowledge. The TYPES of some sites that they host draws a very clear picture really.

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

Re: Servage

#78 Post by BarryK »

proxy wrote:I had problems recently with Servage with an exploit Iframe trojan found on my websites; here I wrote about it on my blog:
http://www.proxyutza.com/2008/03/07/exp ... infection/
I got that too. I was getting the top-level index.html files in each of my domains repeatedly compromised. On other occasions it was the index.html or index.php files in each directory, and on other occasions also other html files. In other words, it seems to be different exploits at different times.

My trouble started after I installed WordPress, which you also have. I upgraded WordPress to latest version, but perhaps that was too late. I did repeatedly upload my files and I changed my control panel password.

Right now we are watching my site to see if it gets compromised. This last time, as well as re-uploading the files, and removing all scripts as well as WordPress, I also changed both control panel and ftp passwords -- I haven't changed the ftp password before, as I didn't see how anyone could discover it.

Anyway, it's interesting that we have WordPress as a common factor, and maybe Servage is not the culprit.

Anyway, if my site gets hacked this time, I'll know it is Servage's fault. So we are all waiting with bated breath (perhaps the hacker is reading this too, unfortunately -- I'm getting paranoid!).
[url]https://bkhome.org/news/[/url]
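Barry describes the same files (the top-level index.html, then the index.html/index.php in every directory) being rewritten again and again after each re-upload, and alienjeff earlier suggested putting cron to work. One defender-side way to notice the next rewrite within an hour rather than when a visitor reports it is a file-integrity manifest: hash every file in the web root once it is known clean, keep the manifest outside the web root, and have cron re-hash and compare. The script below is an added example written for this thread, not something Barry or anyone else posted; WEB_ROOT and MANIFEST_PATH are placeholder paths, and demo() builds its own throwaway tree so it runs anywhere.

```python
import hashlib
import json
import os
import sys
import tempfile

# Placeholder locations for a real deployment (assumptions, not from the thread).
# The manifest deliberately lives outside the web root so a rewrite of the site
# cannot also rewrite the record it is compared against.
WEB_ROOT = "/var/www/example"
MANIFEST_PATH = "/var/lib/webcheck/manifest.json"


def file_digest(path):
    """SHA-256 of one file, read in chunks so large downloads are no problem."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its digest.
    Run this on a tree you have just re-uploaded and checked by eye."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def check_tree(root, manifest):
    """Compare the live tree with the recorded one. Returns three sorted lists:
    files whose content changed, files that vanished, and files the manifest
    never saw (a dropped-in script, or a legitimate upload that needs 'init')."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def is_clean(report):
    return not any(report.values())


def demo():
    """Constructed web root: two index.html files are recorded, then one is
    appended to and an extra file appears, mirroring what the thread describes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>home (constructed)</body></html>\n")
        with open(os.path.join(root, "docs", "index.html"), "w") as f:
            f.write("<html><body>manuals (constructed)</body></html>\n")
        manifest = build_manifest(root)
        before = check_tree(root, manifest)          # expected: all lists empty
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<font style='height:0;width:0'>constructed hidden block</font>\n")
        with open(os.path.join(root, "docs", "extra.php"), "w") as f:
            f.write("constructed dropped-in file\n")
        after = check_tree(root, manifest)           # expected: modified + new
    return before, after


def main(argv):
    """'init' records the clean tree; 'check' prints every difference and exits 1,
    so a cron job such as  0 * * * * python3 /usr/local/bin/webcheck.py check
    (placeholder path) mails the report to the site owner only when something moved."""
    if argv[:1] == ["init"]:
        save_manifest(build_manifest(WEB_ROOT), MANIFEST_PATH)
        return 0
    if argv[:1] == ["check"]:
        report = check_tree(WEB_ROOT, load_manifest(MANIFEST_PATH))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind.upper()}: {p}")
        return 0 if is_clean(report) else 1
    print("usage: webcheck.py init|check")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The manifest must be rebuilt with `init` after every deliberate upload, otherwise the next `check` reports your own edits; that is the price of a tool that cannot tell a legitimate change from a hostile one and therefore reports both.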

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#79 Post by jamesbond »

Unfortunately I have to break the bad news - puppylinux.com index page is hacked again here at 12:38pm AEDT - which is only a few hours after Barry's last post. It contains the drugs link again ... :shock:

Sample below:


<small>No part of this page is to be reproduced anywhere else. I have found
that there is a problem where parts of my web pages are being inserted
at other sites, then not updated, whereas I am updating my pages
regularly. This is not a desirable situation, so please just link to my
pages.</small></div>
      </td>
    </tr>
  </tbody>

</table>
<br>
</body></html>
<font style='position: absolute;overflow: hidden;height: 0;width: 0'>
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall.htm" title="buy standing tall">buy standing tall</a> 
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall-online.htm" title="buy standing tall online">buy standing tall online</a> 
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall-online-standing tall.htm" title="buy standing tall online standing tall">buy standing tall online standing tall</a> 
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=standing tall-buy.htm" title="standing tall buy">standing tall buy</a> 
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=where-to-buy-standing tall.htm" title="where to buy standing tall">where to buy standing tall</a> 
<a href="http://csulb.edu/~jbanuelo/aaa/new/vi/tmp.php?q=buy-standing tall-now-online.htm" title="buy standing tall now online">buy standing tall now online</a> 
... and others follow (a very long list)
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
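jamesbond's sample shows the two tell-tale features of this injection: the new markup sits after the closing `</html>` tag, and it is wrapped in an element whose inline style gives it zero height and width so visitors never see it. Those are exactly the things big_bass's "keep a clean copy and watch for additions" approach can check for automatically. The scanner below is an added example for this thread, not code posted by anyone here; its sample pages are constructed to mirror the shape of the quoted fragment, with the link targets replaced by placeholder hosts.

```python
import difflib
import re
from html.parser import HTMLParser

# Inline-style patterns that keep an element in the page but out of sight. The
# thread's sample used position:absolute + overflow:hidden + height/width 0.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "embed", "source", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collects href targets of <a> elements nested inside a hidden element.
    Nesting is tracked with a plain stack; an element that is never closed
    (as in the thread's sample, where the <font> has no </font>) keeps the
    hidden state open, which is the conservative choice for a scanner."""

    def __init__(self):
        super().__init__()
        self._stack = []          # one bool per open element: does it hide content?
        self._hidden_depth = 0    # how many enclosing elements are hidden
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if tag == "a" and (self._hidden_depth or hides) and attrs.get("href"):
            self.links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self._stack.append(hides)
            if hides:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1


def hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.links


def trailing_content(html):
    """Anything after the final </html>. Browsers still render it, and an
    'append to the end of the file' rewrite leaves its payload exactly there."""
    idx = html.lower().rfind("</html>")
    return "" if idx < 0 else html[idx + len("</html>"):].strip()


def added_lines(clean_html, current_html):
    """Lines present in the live page but not in the saved clean copy."""
    diff = difflib.unified_diff(clean_html.splitlines(), current_html.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def scan_page(clean_html, current_html):
    return {
        "trailing_content": trailing_content(current_html),
        "hidden_links": hidden_links(current_html),
        "added_lines": added_lines(clean_html, current_html),
    }


def page_looks_tampered(report):
    return bool(report["trailing_content"] or report["hidden_links"] or report["added_lines"])


# Constructed sample pages: a cut-down clean page, and the same page with a
# hidden block appended after </html> in the shape the thread quoted. The hosts
# are placeholders, not the ones in the quoted sample.
CLEAN_PAGE = """<html><body>
<table><tbody><tr><td><div>
<small>No part of this page is to be reproduced anywhere else.</small></div>
</td></tr></tbody></table>
<br>
</body></html>
"""

INJECTED = """<font style='position: absolute;overflow: hidden;height: 0;width: 0'>
<a href="http://spam.example.invalid/tmp.php?q=buy-x.htm" title="buy x">buy x</a>
<a href="http://spam.example.invalid/tmp.php?q=buy-x-online.htm" title="buy x online">buy x online</a>
<a href="http://spam.example.invalid/tmp.php?q=where-to-buy-x.htm" title="where to buy x">where to buy x</a>
"""

TAMPERED_PAGE = CLEAN_PAGE + INJECTED

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        report = scan_page(CLEAN_PAGE, page)
        print(label, "tampered" if page_looks_tampered(report) else "ok",
              len(report["hidden_links"]), "hidden links,",
              len(report["added_lines"]), "added lines")
```

In use, `current_html` would be fetched from the live site on a schedule and `clean_html` read from the copy big_bass describes keeping; the three checks are deliberately independent, so a rewrite that hides its block inside the body rather than after `</html>` still shows up in the hidden-link list and in the diff.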

wingruntled

#80 Post by wingruntled »

Tuuxxx better check his site too then.
