mcewanw
Joined: 16 Aug 2007 Posts: 3194 Location: New Zealand
|
Posted: Wed 30 Dec 2009, 03:29 Post subject:
mysterious files appeared... computer "seemed" to run slow |
|
mysterious files appeared... computer "seemed" to run slow
On Puppy 4.3.1, had been browsing with Seamonkey 1.1.18
May be nothing, but I discovered the following strange folder in /tmp
/tmp/plugtmp
which contained two files:
1. plugin-crossdomain
and
2. plugin-policy
File 1 contained:
Code: |
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.amazon.com" />
<allow-access-from domain="amazon.com" />
<allow-access-from domain="www.amazon.com" />
<allow-access-from domain="pre-prod.amazon.com" />
<allow-access-from domain="devo.amazon.com" />
<allow-access-from domain="anon.amazon.speedera.net" />
<allow-access-from domain="*.images-amazon.com" />
<allow-access-from domain="*.ssl-images-amazon.com" />
<allow-access-from domain="*.amazon.ca" />
<allow-access-from domain="*.amazon.de" />
<allow-access-from domain="*.amazon.fr" />
<allow-access-from domain="*.amazon.jp" />
<allow-access-from domain="*.amazon.co.jp" />
<allow-access-from domain="*.amazon.uk" />
<allow-access-from domain="*.amazon.co.uk" />
</cross-domain-policy>
|
and File 2:
Code: |
<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
|
I don't like the look of the: access-from "*" and to-ports="*"...
Perhaps it is nothing, but if it is... If only I weren't so tired I'd set about catching the bastards and seeing if I could throw back some of their own medicine. But please tell me these are well-known files, and nothing of concern! :-)
I erased the folder (rebooted actually) and all seems fine, though I will spend ten minutes or so soon re-placing the existing pupsave file with my original backup. Not much time lost, but always a waste when trying to develop apps.
_________________ SomeOfMyWork with links:
dCoreDog
weX, scrox, Precord, Premote, fokSyfEyeR, xhippo-mod, flite_hts_pet
|
WhoDo

Joined: 11 Jul 2006 Posts: 4440 Location: Lake Macquarie NSW Australia
|
Posted: Wed 30 Dec 2009, 04:44 Post subject:
Re: mysterious files appeared... computer "seemed" to run slow |
|
mcewanw wrote: | I don't like the look of the: access-from "*" and to-ports="*"...
Perhaps it is nothing, but if it is... If only I weren't so tired I'd set about catching the bastards and seeing if I could throw back some of their own medicine. But please tell me these are well-known files, and nothing of concern! |
Part of a global DDoS attack on Amazon. For more information see the following story:
Amazon hit with DDoS attack
_________________ Actions speak louder than words ... and they usually work when words don't!
SIP:whodo@proxy01.sipphone.com; whodo@realsip.com
|
mcewanw
Joined: 16 Aug 2007 Posts: 3194 Location: New Zealand
|
Posted: Wed 30 Dec 2009, 05:55 Post subject:
|
|
Well..., I doubt that my slow dialup account connection provided them with much ammunition...
amigo
Joined: 02 Apr 2007 Posts: 2641
|
Posted: Wed 30 Dec 2009, 07:09 Post subject:
|
|
Nice example of how running as root and being online comprises real security risks. Just because you can reboot and not have those things carried over into the reboot, doesn't mean that you aren't contributing to some spambots' shenanigans while up and running.... Usually overlooked in the discussions on security here.
|
WhoDo

Joined: 11 Jul 2006 Posts: 4440 Location: Lake Macquarie NSW Australia
|
Posted: Wed 30 Dec 2009, 19:13 Post subject:
|
|
amigo wrote: | Nice example of how running as root and being online comprises real security risks. |
The question for me is whether or not mcewanw had his firewall enabled. It's a small but important step that can prevent such things from happening without compromising speed for a dialup connection. Just a thought.
mikeb

Joined: 23 Nov 2006 Posts: 11101
|
Posted: Wed 30 Dec 2009, 20:52 Post subject:
|
|
Quote: | 1. plugin-crossdomain
and
2. plugin-policy |
These are both normal files from flashplayer usage... they allow flashplayer to use data from a site different to the one it is hosted on and they reside in the root of the webserver. I use them for a chatroom myself.
So they are harmless.....
mike
|
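What the two quoted policy files permit, as an added example that is not part of any post in this thread: a Python audit that classifies each allow-access-from entry by how wide its domain and to-ports attributes are. The sample strings are constructed from the files quoted in the first post (the first one shortened), the function names are this example's own, and the findings describe the server that published the policy, not the machine holding a cached copy in /tmp/plugtmp.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread's two files (first one shortened).
PLUGIN_CROSSDOMAIN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.amazon.com" />
<allow-access-from domain="www.amazon.com" />
<allow-access-from domain="*.images-amazon.com" />
</cross-domain-policy>"""

PLUGIN_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>"""


def domain_scope(domain):
    """Classify a domain attribute as 'any', 'subdomains' or 'exact'."""
    if domain == "*":
        return "any"
    return "subdomains" if domain.startswith("*.") else "exact"


def audit_policy(xml_text):
    """Return (domain, scope, to_ports, finding) per allow-access-from entry."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    rows = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        ports = entry.get("to-ports")  # None when the attribute is absent
        scope = domain_scope(domain)
        if scope == "any" and ports == "*":
            finding = "SWFs from any site may connect to any port on the issuing server"
        elif scope == "any":
            finding = "SWFs from any site may read data from the issuing server"
        else:
            finding = "issuing server admits only the named domain(s)"
        rows.append((domain, scope, ports, finding))
    return rows


if __name__ == "__main__":
    for text in (PLUGIN_CROSSDOMAIN, PLUGIN_POLICY):
        for row in audit_policy(text):
            print(row)
```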
Lobster
Official Crustacean

Joined: 04 May 2005 Posts: 15238 Location: Paradox Realm
|
Posted: Wed 30 Dec 2009, 22:05 Post subject:
|
|
Could we have been saved from these harmless files by:
This message will self destruct (or be forgotten) in two years
[cue Mission Impossible Music]
. . . meanwhile Stay safe - Happy New World Order - oops
I mean Happy New Year
_________________ YinYana AI Buddhism
|
mcewanw
Joined: 16 Aug 2007 Posts: 3194 Location: New Zealand
|
Posted: Fri 01 Jan 2010, 18:00 Post subject:
Solved? (this time round anyway). |
|
mcewanw wrote: | But please tell me these are well-known files, and nothing of concern! :-) |
mikeb wrote: | these are both normal files from flashplayer usage...
. . .
So they are harmless.....
mike |
Thank you Mike. :-)
Of course, had they been other than that, they could and would have been a good example of the dangers to overall system security of running as root whilst online, so your point amigo is well-taken regardless of the outcome here. And firewall settings can help, at least to some extent, against that danger, though not eradicate it.
Indeed, though my worries regarding these two files have been eradicated, it remains a concern to me that my system did indeed become insanely sluggish, and though it may very well be a complete coincidence, that sluggishness did appear to coincide with the timing of the amazon DoS attack described. The way computers are, however, I do put that down to likely coincidence...
mikeb

Joined: 23 Nov 2006 Posts: 11101
|
Posted: Fri 01 Jan 2010, 18:53 Post subject:
|
|
Well, perhaps the sluggishness simply came from heavy flash activity... I find Flashblock a godsend... some pages have invisible flash running for whatever purposes... you see them with Flashblock installed. Some pages go from 100% CPU to ticking over just with the flash disabled.
Not so much a security issue, more an annoyance.
mike
|