Spyware in Firefox??
The first symptom I noticed was I couldn't connect to Google or Yahoo search. Eventually I connected to Google but it wasn't Google's page source. This is the page source:
<html>
<head>
<title>Goggle.com</title>
</head>
<frameset rows="0,*" framespacing="0" border="0">
<frame frameborder="0" name="disclaimer" src="disclaimer.html" noresize="noresize" scrolling=no>
<frame frameborder="0" name="prize" src="http://lsjmp.com/12/135.htm?r=135&u=519" noresize="noresize">
<noframes>
<body>
<br>
<br>
<br>
<a href="http://lsjmp.com/12/130.htm?r=130&u=519">Clean your computer now! Click Here!</a>
</body>
</noframes>
</frameset>
</html>
I seemed to be able to connect with other sites just fine. I started and restarted the computer and no change.
I deleted /root/.mozilla directory and it seems okay now.
Just thought I'd update you all. If anyone else has funny behavior like this let me (us) know, okay?
----------------------
Software Information
Puppy v1.0.3
Firefox v.1.0.4
Icewm
A few extensions installed, not many
Java - disabled
Java script - disabled
Allow sites to install software - enabled
Bruce,
Since April 17th, I have seen 6 different Firefox exploits posted to the web. The proof of concept code for the malicious code you encountered was posted that day.
Mozilla Firefox Sidebar Code Execution Proof of Concept Exploit
http://www.frsirt.com/exploits/20050416.MFSA200539.php
babbs
GuestToo wrote:
also, be sure you are trying to access google.com and not goggle.com
google is a search engine
goggle is a web site waiting for people that make spelling mistakes
That wasn't the problem. In fact I first discovered it using the Firefox search box in the upper right corner of the browser. When Google didn't work I tried Yahoo.
Even more spooky - Dillo didn't work either.
More spooky - I pinged Google and used the IP address from ping and still had the same problem.
System-wide problem? I prefer to think not. I think maybe Google's wrong IP address got cached or something.
But just to verify that it wasn't goggle I typed in, I just tried it and got a different page - it doesn't even match the source code I posted.
Something exploited the browser since yesterday. I made a clean install of Puppy v1.0.3 yesterday.
that sounds like a dns problem ... i think i read somewhere that google's ip was being redirected by hijacked dns servers ... that would be an internet problem, not on your machine
hijackers often modify your hosts file (/etc/hosts) and redirect urls like google to other ip's ... you will see it right away if you look in your hosts file ... you can make your hosts file read-only by typing chmod a-w /etc/hosts
i'm running Firefox 1.0.4 ... it's easy to install the latest Firefox (or Mozilla Suite, or Opera) ... just download, unzip and run
Remember that Yahoo was also doing the same thing.
I'd prefer to think that the Internet was the problem. I've never had a problem like this one with Firefox or Linux for that matter.
The hosts file gives me an idea. Maybe I'll put google and frequently visited sites in the hosts file. Isn't there a utility for looking up name -> IP in Linux?
I used ping but I think there is a better utility.
Here is an article that may shed some light:
( http://isc.sans.org/presentations/dnspoisoning.php )
<<More at the link above>>
March 2005 DNS Poisoning Summary
compiled by Kyle Haugsness
Note: As of April 3rd, this episode of DNS poisoning is not fully mitigated or explained yet. We will update this text as more details become available.
########################################################################
##
## DNS CACHE POISONING DETAILED ANALYSIS REPORT Version 2
## (by Kyle Haugsness and the ISC Incident Handlers)
##
########################################################################
########################################################################
## Summary
########################################################################
Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began
receiving reports from multiple sites about DNS cache poisoning attacks
that were redirecting users to websites hosting malware. As the
"Handler on Duty" for March 4, I began investigating the incident over
the course of the following hours and days. This report is intended to
provide useful details about this incident to the community.
The initial reports showed solid evidence of DNS cache poisoning, but
there also seemed to be a spyware/adware/malware component at work.
After complete analysis, the attack involved several different
technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec
firewall/gateway products, default settings on Windows NT4/2000,
spyware/adware, and a compromise of at least 5 UNIX webservers. We
received information the attack may have started as early as Feb. 22,
2005 but probably only affected a small number of people.
On March 24, we received reports of a different DNS cache poisoning
attack. This attack did not appear to affect as many people. This will
be referred to as the "second attack" in the remainder of this report.
After monitoring the situation for several weeks now, it has become
apparent that the attacker(s) are changing their methods and toolset to
point at different compromised servers in an effort to keep the attacks
alive. This attack morphed into a similar attack with different IP
addresses that users were re-directed toward. This will be referred to
as the third attack and is still ongoing as of April 1, 2005.
Before proceeding, a note of thanks is in order for all the people that
have submitted reports to us, helped us investigate further, and
provided us logs or data. The Internet Storm Center is a volunteer
effort and the better information that we receive from the community,
the better analysis we can perform and contribute back to the community.
Bruce,
The command you are asking about is "nslookup". Although I don't know if it works in Puppy, this is what I got for google.com:
[babbs@localhost ~]$ nslookup google.com
Server: 216.151.83.45
Address: 216.151.83.45#53
Non-authoritative answer:
Name: google.com
Address: 216.239.39.99
Name: google.com
Address: 216.239.37.99
Name: google.com
Address: 216.239.57.99
babbs
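As an added example (not code from this thread or from Puppy), a small POSIX shell check that ties GuestToo's hosts-file advice above to babbs' nslookup answer: it reads the addresses a hosts file assigns to a name, parses nslookup output in the layout shown above, and reports any hosts entry the resolver did not return. The hosts file contents, the 203.0.113.7 address and the nslookup text are constructed sample values.

```shell
# Constructed sample hosts file (not from the thread); 203.0.113.7 is a
# documentation address standing in for a hijacker's server.
SAMPLE_HOSTS="$(mktemp)"
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost puppypc
# planted entries (constructed example values)
203.0.113.7 google.com www.google.com
203.0.113.7 search.yahoo.com
EOF
# Constructed nslookup output in the same layout as the answer above.
SAMPLE_NS='Server: 216.151.83.45
Address: 216.151.83.45#53
Name: google.com
Address: 216.239.39.99
Name: google.com
Address: 216.239.37.99
Name: google.com
Address: 216.239.57.99'

# hosts_lookup FILE NAME: print every address FILE maps NAME to.
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1"
}

# resolver_addrs TEXT: answer addresses from nslookup output; the
# "Address: x.x.x.x#53" line names the server itself and is skipped.
resolver_addrs() {
    printf '%s\n' "$1" | awk '$1 == "Address:" && $2 !~ /#/ { print $2 }'
}

# hosts_overrides FILE NAME NSOUT: return 1 (and report) if FILE maps NAME
# to an address the resolver did not return; 0 if hosts and DNS agree.
hosts_overrides() {
    status=0
    for ip in $(hosts_lookup "$1" "$2"); do
        if ! resolver_addrs "$3" | grep -qxF "$ip"; then
            echo "HIJACK? $2 -> $ip in $1; resolver answers:" \
                 "$(resolver_addrs "$3" | tr '\n' ' ')"
            status=1
        fi
    done
    return $status
}
if hosts_overrides "$SAMPLE_HOSTS" google.com "$SAMPLE_NS"; then
    echo "hosts file and resolver agree for google.com"
fi
```

Against a real system, run `hosts_overrides /etc/hosts google.com "$(nslookup google.com)"`; the check only reads the file, so locking it with chmod a-w as suggested above is a separate step.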
I couldn't access the Google website on any of my PC's, for a whole day.
I thought the site was down.
When was the Google website down?
Me either. Sometimes it's slow to respond, but eventually it always does.
Flash,
There has been a worm or two that has caused Google to be unavailable for a period of time, but that time has been measured in hours... Not a whole day or more.
(The worm that comes to mind used Google to search for additional computers vulnerable to its exploit. Yahoo search was also a victim of this worm. The Google and Yahoo search sites went down because the worm caused a denial-of-service-like attack on them.)
babbs
Re: google
ezeze5000 wrote:
I couldn't access the Google website on any of my PC's, for a whole day.
I thought the site was down.
Those were my first symptoms, started yesterday. Then I connected to the bogus site.
Actually, the more I think about it - I bet on GuestToo's theory, something with the DNS.
Maybe a coincidence that it started working right after deleting /root/.mozilla