[ALERT?] (probably) trojan keylogger reported

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#1 Post by MU »

I think these are the first reliable indicators of infected Puppylinux installations.

http://www.murga-linux.com/puppy/viewto ... 515#358515

Update: that one seems to be a false alert, see Pizzasgood's explanation:
http://www.murga-linux.com/puppy/viewto ... 164#359164

In all other cases in the past, I think we had false alerts.


You can install the firewall from the menu, or by typing:
firewallinstallshell

If you choose "automatic installation", it is very easy.

Mark
Last edited by MU on Sat 07 Nov 2009, 18:47, edited 2 times in total.
my recommended links: http://murga-linux.com/puppy/viewtopic.php?p=173456#173456

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#2 Post by Pizzasgood »

I don't know about the first one, but the second one seems to be a false positive. The scanner got confused by our use of busybox.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#3 Post by MU »

Thanks for the clarification, Jeremy :D

The first one looks strange. No idea at the moment...

Mark

Patriot
Posts: 733
Joined: Thu 15 Jan 2009, 19:04

#4 Post by Patriot »

Hmmm .....

MU,

I concur with Pizzasgood ...

I've tested chkrootkit on my system and it gives the exact output as reported in the second link. I also have just rebuilt busybox 1.15.2 from source and chkrootkit gives the same output ... So, I agree it's a false alarm ...

From what I understand, rootkits may get installed if one unwittingly uses a package from unreliable download sources ...


Rgds

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#5 Post by PaulBx1 »

Since Puppy is supposed to be newbie-friendly, I've always wondered why the user has to invoke the firewall startup (and thus, has to KNOW to invoke it). Why not just have it running by default, even when booting pfix=ram?

sikpuppy
Posts: 415
Joined: Sun 29 Mar 2009, 05:54

#6 Post by sikpuppy »

PaulBx1 wrote: Since Puppy is supposed to be newbie-friendly, I've always wondered why the user has to invoke the firewall startup (and thus, has to KNOW to invoke it). Why not just have it running by default, even when booting pfix=ram?
It would be nice, but what would be the default settings? Just enough to run the software contained on the LIVE CD?

What happens when the user installs extra PETs that need firewall access? It means that a new set of rules would have to be supplied by the PET packager, or the user would have to set the rules themselves.

The network wizard would also have to modify the firewall, which in itself might not be problematic, but at this stage I fear that the firewall would block initial attempts to gain a connection.

BTW I think that it is a good idea to have the firewall on and locked down by default, I am just playing devil's advocate.
ASUS A1000, 800Mhz PIII Coppermine!, 192Mb RAM, 10Gb IBM Travelstar HDD, Build date August 2001.
