mysterious files appeared... computer "seemed" to run slow

For discussions about security.
mcewanw
Posts: 3169
Joined: Thu 16 Aug 2007, 10:48

mysterious files appeared... computer "seemed" to run slow

#1 Post by mcewanw »

On Puppy 4.3.1, had been browsing with Seamonkey 1.1.18

May be nothing, but I discovered the following strange folder in /tmp

/tmp/plugtmp

which contained two files:

1. plugin-crossdomain

and

2. plugin-policy

File 1 contained:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy 
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.amazon.com" />
  <allow-access-from domain="amazon.com" />
  <allow-access-from domain="www.amazon.com" />
  <allow-access-from domain="pre-prod.amazon.com" />
  <allow-access-from domain="devo.amazon.com" />
  <allow-access-from domain="anon.amazon.speedera.net" />
  <allow-access-from domain="*.images-amazon.com" />
  <allow-access-from domain="*.ssl-images-amazon.com" />

  <allow-access-from domain="*.amazon.ca" />
  <allow-access-from domain="*.amazon.de" />
  <allow-access-from domain="*.amazon.fr" />
  <allow-access-from domain="*.amazon.jp" />
  <allow-access-from domain="*.amazon.co.jp" />
  <allow-access-from domain="*.amazon.uk" />
  <allow-access-from domain="*.amazon.co.uk" />
</cross-domain-policy>
and File 2:

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
I don't like the look of the: access-from "*" and to-ports="*"...

Perhaps it is nothing, but if it is... If only I weren't so tired I'd set about catching the bastards and seeing if I could throw back some of their own medicine. But please tell me these are well-known files, and nothing of concern! :-)

I erased the folder (rebooted actually) and all seems fine, though I will spend ten minutes or so soon replacing the existing pupsave file with my original backup. Not much time lost, but always a waste when trying to develop apps.
github mcewanw

WhoDo
Posts: 4428
Joined: Wed 12 Jul 2006, 01:58
Location: Lake Macquarie NSW Australia

Re: mysterious files appeared... computer "seemed" to run slow

#2 Post by WhoDo »

mcewanw wrote:I don't like the look of the: access-from "*" and to-ports="*"...

Perhaps it is nothing, but if it is... If only I weren't so tired I'd set about catching the bastards and seeing if I could throw back some of their own medicine. But please tell me these are well-known files, and nothing of concern! :-)
Part of a global DDoS attack on Amazon. For more information see the following story:
Amazon hit with DDoS attack
Actions speak louder than words ... and they usually work when words don't!
SIP:whodo@proxy01.sipphone.com; whodo@realsip.com

mcewanw
Posts: 3169
Joined: Thu 16 Aug 2007, 10:48

#3 Post by mcewanw »

Well..., I doubt that my slow dialup account connection provided them with much ammunition...
github mcewanw

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#4 Post by amigo »

Nice example of how running as root and being online comprises real security risks. Just because you can reboot and not have those things carried over into the reboot, doesn't mean that you aren't contributing to some spambots' shenanigans while up and running.... Usually overlooked in the discussions on security here.

WhoDo
Posts: 4428
Joined: Wed 12 Jul 2006, 01:58
Location: Lake Macquarie NSW Australia

#5 Post by WhoDo »

amigo wrote:Nice example of how running as root and being online comprises real security risks.
The question for me is whether or not mcewanw had his firewall enabled. It's a small but important step that can prevent such things from happening without compromising speed for a dialup connection. Just a thought.
Actions speak louder than words ... and they usually work when words don't!
SIP:whodo@proxy01.sipphone.com; whodo@realsip.com

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#6 Post by mikeb »

1. plugin-crossdomain

and

2. plugin-policy
These are both normal files from Flash Player usage... they allow Flash Player to use data from a site different to the one it is hosted on, and they reside in the root of the webserver. I use them for a chatroom myself.

So they are harmless.....

mike
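The cross-domain policy mechanism mikeb describes is worth auditing from the server side, since the second file's `domain="*"` and `to-ports="*"` are exactly the settings a reviewer would flag. The following is an added example, not code from the thread or from any poster: it parses the `allow-access-from` grants of a crossdomain.xml policy with Python's standard library and reports the permissive ones. The two embedded policies are constructed copies of the files quoted in the first post (the Amazon one trimmed to a few entries); the finding text and the `risk_level` thresholds are this example's own choices.

```python
# Added example: audit Flash cross-domain policy files for permissive grants.
# Not code from the thread; the two sample policies are constructed copies of
# the files quoted in the first post (the first trimmed to a few entries).
import xml.etree.ElementTree as ET

AMAZON_STYLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
  SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*.amazon.com" />
  <allow-access-from domain="amazon.com" />
  <allow-access-from domain="*.amazon.co.uk" />
</cross-domain-policy>
"""

OPEN_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Parse one cross-domain policy and return a list of grant dicts.

    Each dict carries the grant's domain, to-ports and secure attributes plus
    a 'findings' list describing why the grant is risky (empty if it is not).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)

    grants = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        to_ports = el.get("to-ports")          # only meaningful for socket policies
        secure = el.get("secure", "true").lower() != "false"
        findings = []

        if domain == "*":
            # Any Flash movie on any site may request this host's URLs with the
            # user's cookies attached and read the response: CSRF and data leakage.
            findings.append("wildcard domain grants every origin read access")
        elif domain.startswith("*.") and "." not in domain[2:]:
            # e.g. "*.com": effectively a wildcard over a whole top-level domain.
            findings.append("wildcard over top-level domain %s" % domain[2:])

        if to_ports == "*":
            findings.append("to-ports=\"*\" allows socket connections to every port")
        if not secure:
            findings.append("secure=\"false\" lets HTTP origins read HTTPS content")

        grants.append({"domain": domain, "to_ports": to_ports,
                       "secure": secure, "findings": findings})
    return grants


def risk_level(grants):
    """Summarise a policy: 'high' for an unrestricted origin grant,
    'medium' for any other finding, 'low' when every grant is scoped."""
    if any(g["domain"] == "*" for g in grants):
        return "high"
    if any(g["findings"] for g in grants):
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, policy in (("amazon-style", AMAZON_STYLE_POLICY), ("open", OPEN_POLICY)):
        grants = audit_policy(policy)
        print("%s policy: %s risk" % (name, risk_level(grants)))
        for g in grants:
            for f in g["findings"]:
                print("  domain=%r: %s" % (g["domain"], f))
```

Run against the two policies, the Amazon-style file comes out as low risk (every grant is scoped to a named domain or its subdomains) and the second file as high risk because of the unrestricted origin; the `to-ports` wildcard is reported as an additional finding on the same grant. The DOCTYPE in the first file is harmless to this parser: expat does not fetch the external DTD it references.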

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#7 Post by Lobster »

Could we have been saved from these harmless files by: This message will self destruct (or be forgotten) in two years

[cue Mission Impossible Music]

. . . meanwhile Stay safe - Happy New World Order - oops
I mean Happy New Year :wink:

8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

mcewanw
Posts: 3169
Joined: Thu 16 Aug 2007, 10:48

Solved? (this time round anyway).

#8 Post by mcewanw »

mcewanw wrote:But please tell me these are well-known files, and nothing of concern! :-)
mikeb wrote:These are both normal files from Flash Player usage...
. . .
So they are harmless.....

mike
Thank you Mike. :-)

Of course, had they been other than that, they could and would have been a good example of the dangers to overall system security of running as root whilst online, so your point amigo is well-taken regardless of the outcome here. And firewall settings can help, at least to some extent, against that danger, though not eradicate it.

Indeed, though my worries regarding these two files have been eradicated, it remains a concern to me that my system did indeed become insanely sluggish, and though it may very well be a complete coincidence, that sluggishness did appear to coincide with the timing of the Amazon DoS attack described. The way computers are, however, I do put that down to likely coincidence...
github mcewanw

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#9 Post by mikeb »

Well, perhaps the sluggishness simply came from heavy Flash activity... I find Flashblock a godsend... some pages have invisible Flash running for whatever purposes... you see them with Flashblock installed. Some pages go from 100% CPU to ticking over just with the Flash disabled.
Not so much a security issue, more an annoyance.
mike
