Spyware in Firefox??

Bruce B

Spyware in Firefox??

#1 Post by Bruce B »

The first symptom I noticed was I couldn't connect to Google or Yahoo search. Eventually I connected to Google but it wasn't Google's page source. This is the page source:

<html>
<head>
<title>Goggle.com</title>
</head>
<frameset rows="0,*" framespacing="0" border="0">
<frame frameborder="0" name="disclaimer" src="disclaimer.html" noresize="noresize" scrolling=no>
<frame frameborder="0" name="prize" src="http://lsjmp.com/12/135.htm?r=135&u=519" noresize="noresize">
<noframes>
<body>
<br>
<br>

<br>
<a href="http://lsjmp.com/12/130.htm?r=130&u=519">Clean your computer now! Click Here!</a>
</body>
</noframes>
</frameset>
</html>

I seemed to be able to connect with other sites just fine. I started and restarted the computer and no change.

I deleted /root/.mozilla directory and it seems okay now.

Just thought I'd update you all. If anyone else has funny behavior like this let me (us) know, okay?

----------------------

Software Information

Puppy v1.0.3
Firefox v.1.0.4
Icewm
A few extensions installed, not many
Java - disabled
Java script - disabled
Allow sites to install software - enabled

babbs
Posts: 397
Joined: Tue 10 May 2005, 06:35
Location: Tijuana, BCN, Mexico

#2 Post by babbs »

Bruce,

Since April 17th, I have seen 6 different Firefox exploits posted to the web. The proof of concept code for the malicious code you encountered was posted that day.

Mozilla Firefox Sidebar Code Execution Proof of Concept Exploit
http://www.frsirt.com/exploits/20050416.MFSA200539.php

babbs

BillK
Posts: 11
Joined: Thu 09 Jun 2005, 17:52
Location: London, England

#3 Post by BillK »

The latest four releases of Firefox have all been to fix various problems and exploits. i.e. v1.0.1 to v1.0.4.
I believe this exploit was fixed in v1.0.3.

So make sure you are up-to-date and running v1.0.4.
Click on the 'Check for updates' icon in the top right corner.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#4 Post by GuestToo »

also, be sure you are trying to access google.com and not goggle.com

google is a search engine
goggle is a web site waiting for people that make spelling mistakes

Guest

#5 Post by Guest »

GuestToo wrote:
also, be sure you are trying to access google.com and not goggle.com

google is a search engine
goggle is a web site waiting for people that make spelling mistakes

That wasn't the problem. In fact I first discovered it using the Firefox search box in the upper right corner of the browser. When Google didn't work I tried Yahoo.

Even more spooky - Dillo didn't work either.

More spooky - I pinged Google and used the IP address from ping and still had the same problem.

System wide problem? I prefer to think not. I think maybe a wrong IP address for Google got cached or something.

But just to verify that it wasn't goggle I typed in I just tried it and got a different page - it doesn't even match the source code I posted.

Something exploited the browser since yesterday. I made a clean install of Puppy v1.0.3 yesterday.

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#6 Post by GuestToo »

that sounds like a dns problem ... i think i read somewhere that google's ip was being redirected by hijacked dns servers ... that would be an internet problem, not on your machine

hijackers often modify your hosts file (/etc/hosts) and redirect urls like google to other ip's ... you will see it right away if you look in your hosts file ... you can make your hosts file read-only by typing chmod a-w /etc/hosts

i'm running Firefox 1.0.4 ... it's easy to install the latest Firefox (or Mozilla Suite, or Opera) ... just download, unzip and run
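One way to do the hosts-file check GuestToo describes, as an added example that is not from this thread: it flags entries that map google.com or yahoo.com (or a subdomain of them) to a non-loopback address, and reports whether the file still has write bits set, i.e. whether chmod a-w has been applied. The sample hosts file, its TEST-NET addresses and the WATCH_DOMAINS list are constructed for the example; on a real system you would point both functions at /etc/hosts.

```shell
#!/bin/sh
# Added example: audit a hosts file for planted redirects of public domains
# and check whether it is still writable. Sample data below is constructed.

HOSTS_SAMPLE=$(mktemp)
trap 'rm -f "$HOSTS_SAMPLE"' EXIT
cat > "$HOSTS_SAMPLE" <<'EOF'
127.0.0.1   localhost puppypc
::1         localhost
# planted redirect (constructed, TEST-NET addresses)
192.0.2.10      google.com www.google.com   # looks harmless at a glance
198.51.100.5    yahoo.com
EOF

# Assumed list: public domains that should never be resolved from hosts.
WATCH_DOMAINS="google.com yahoo.com"

# hosts_hijacks FILE: print "IP NAME" for every watched domain (or one of
# its subdomains) mapped to anything other than a loopback address.
hosts_hijacks() {
    awk -v watch="$WATCH_DOMAINS" '
    BEGIN { n = split(watch, w, " ") }
    {
        sub(/#.*/, "")                       # drop comments; NF is recomputed
        if (NF < 2) next                     # blank or comment-only line
        ip = $1
        if (ip ~ /^127\./ || ip == "::1") next
        for (i = 2; i <= NF; i++)
            for (j = 1; j <= n; j++) {
                h = $i; d = w[j]
                # exact match, or h ends in "." d (a subdomain)
                if (h == d || substr(h, length(h) - length(d)) == "." d)
                    print ip, h
            }
    }' "$1"
}

# hosts_writable FILE: succeed if any write bit is set, i.e. the
# "chmod a-w /etc/hosts" hardening has not been applied.
hosts_writable() {
    ls -l "$1" | cut -c2-10 | grep -q w
}

echo "Suspicious hosts entries:"
hosts_hijacks "$HOSTS_SAMPLE"
if hosts_writable "$HOSTS_SAMPLE"; then
    echo "hosts file is writable; consider: chmod a-w $HOSTS_SAMPLE"
fi
```

Note that a read-only hosts file only stops accidental or unprivileged edits; anything running as root can remove the bit again, so the audit is worth repeating rather than running once.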

Bruce B

#7 Post by Bruce B »

Remember that Yahoo was also doing the same thing.

I'd prefer to think that the Internet was the problem. I've never had a problem like this one with Firefox or Linux for that matter.

The hosts file gives me an idea. Maybe I'll put google and frequently visited sites in the hosts file. Isn't there a utility for looking up name -> IP in Linux?

I used ping but I think there is a better utility.

babbs
Posts: 397
Joined: Tue 10 May 2005, 06:35
Location: Tijuana, BCN, Mexico

#8 Post by babbs »

Here is an article that may shed some light:
( http://isc.sans.org/presentations/dnspoisoning.php )
March 2005 DNS Poisoning Summary
compiled by Kyle Haugsness
Note: As of April 3rd, this episode of DNS poisoning is not fully mitigated or explained yet. We will update this text as more details become available

########################################################################
##
## DNS CACHE POISONING DETAILED ANALYSIS REPORT Version 2
## (by Kyle Haugsness and the ISC Incident Handlers)
##
########################################################################

########################################################################
## Summary
########################################################################

Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began
receiving reports from multiple sites about DNS cache poisoning attacks
that were redirecting users to websites hosting malware. As the
"Handler on Duty" for March 4, I began investigating the incident over
the course of the following hours and days. This report is intended to
provide useful details about this incident to the community.

The initial reports showed solid evidence of DNS cache poisoning, but
there also seemed to be a spyware/adware/malware component at work.
After complete analysis, the attack involved several different
technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec
firewall/gateway products, default settings on Windows NT4/2000,
spyware/adware, and a compromise of at least 5 UNIX webservers. We
received information the attack may have started as early as Feb. 22,
2005 but probably only affected a small number of people.

On March 24, we received reports of a different DNS cache poisoning
attack. This attack did not appear to affect as many people. This will
be referred to as the "second attack" in the remainder of this report.

After monitoring the situation for several weeks now, it has become
apparent that the attacker(s) are changing their methods and toolset to
point at different compromised servers in an effort to keep the attacks
alive. This attack morphed into a similar attack with different IP
addresses that users were re-directed toward. This will be referred to
as the third attack and is still ongoing as of April 1, 2005.

Before proceeding, a note of thanks is in order for all the people that
have submitted reports to us, helped us investigate further, and
provided us logs or data. The Internet Storm Center is a volunteer
effort and the better information that we receive from the community,
the better analysis we can perform and contribute back to the community.
<<More at the link above>>

babbs
Posts: 397
Joined: Tue 10 May 2005, 06:35
Location: Tijuana, BCN, Mexico

#9 Post by babbs »

Bruce,

The command you are asking about is "nslookup". Although I don't know if it works in Puppy, this is what I got for google.com:


[babbs@localhost ~]$ nslookup google.com
Server:         216.151.83.45
Address:        216.151.83.45#53

Non-authoritative answer:
Name:   google.com
Address: 216.239.39.99
Name:   google.com
Address: 216.239.37.99
Name:   google.com
Address: 216.239.57.99
babbs

ezeze5000
Posts: 347
Joined: Tue 10 May 2005, 17:48
Location: Missouri U.S.A

google

#10 Post by ezeze5000 »

I couldn't access the Google website on any of my PC's, for a whole day.


I thought the site was down.

babbs
Posts: 397
Joined: Tue 10 May 2005, 06:35
Location: Tijuana, BCN, Mexico

#11 Post by babbs »

ezeze,

When was that? Not a day in the past 90+ days has that happened to me.

babbs

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

When was Google website down?

#12 Post by Flash »

Me either. Sometimes it's slow to respond, but eventually it always does.

babbs
Posts: 397
Joined: Tue 10 May 2005, 06:35
Location: Tijuana, BCN, Mexico

#13 Post by babbs »

Flash,

There has been a worm or two that has caused Google to be unavailable for a period of time, but that time has been measured in hours... Not a whole day or more.

(The worm that comes to mind used Google to search for additional computers vulnerable to its exploit. Yahoo search was also a victim to this worm. The Google and Yahoo search sites went because the worm caused a denial of service like attack on them.)

babbs

Bruce B

Re: google

#14 Post by Bruce B »

ezeze5000 wrote:
I couldn't access the Google website on any of my PC's, for a whole day.

I thought the site was down.

Those were my first symptoms, started yesterday. Then I connected to the bogus site.

Actually, the more I think about it - I bet on GuestToo's theory something with the DNS.

Maybe a coincidence that it started working right after deleting /root/.mozilla
