Linux-Malware in Gentoo a Threat to Puppy?

For discussions about security.
edoc
Posts: 4729
Joined: Sun 07 Aug 2005, 20:16
Location: Southeast Georgia, USA

Linux-Malware in Gentoo a Threat to Puppy?

#1 Post by edoc »

Is there any likelihood that the Linux-malware recently found in Gentoo might metastasize to Puppy and other distros?

http://www.zdnet.com/blog/bott/linux-in ... ag=nl.e539

Could this be the beginning of attacks on complacent Linux users?

I have observed that the recent releases of Quirky and Wary come with Firewalls by default - did Barry see this coming?
Thanks! David
Home page: http://nevils-station.com
Don't google, Search! http://duckduckgo.com
TahrPup64 & Lighthouse64-b602 & JL64-603

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#2 Post by nooby »

Thanks indeed for telling about this.
Update 12:30PM PDT 14-Jun-2010: It’s much worse than it appears. According to this report, the malware-compromised code was included in the official Gentoo distribution:

Would you consider it to be a big deal if it was found in a distribution? Gentoo just released an update to remove the backdoor.

http://packages.gentoo.org/package/net-irc/unrealircd

I’m sure there will be others, I believe the package is also available in Arch. I haven’t really looked to see if it was anywhere else.
http://www.zdnet.com/blog/bott/linux-in ... ag=nl.e539

The text he writes about comes from here
http://www.fewt.com/2010/06/linux-infected.html
I use Google Search on Puppy Forum
not an ideal solution though

edoc

#3 Post by edoc »

Someone explained on another list ...
It is specifically Unreal3.2.8.1.tar.gz on a small subset of mirror sites, and not particularly a Gentoo problem but any distro that includes the Unreal Tournament IRC server. The sad part is it has been there for several months and was just now noticed; the good news is that as soon as it was noticed, the corrupt version of that file was removed and replaced with a clean copy. So that's not a "shame on Gentoo" problem; it's a shame on the maintainers of the Unreal mirrors.
More technically literate details here

nooby

#4 Post by nooby »

So it was more a vulnerable server upload thing than Gentoo Linux as such?

That makes me feel a bit more secure. Hmm

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#5 Post by SirDuncan »

If what I'm understanding is correct, the problem was with the people distributing the Unreal source code. It was some of their mirrors that were compromised, and they were the idiots that weren't signing their files with PGP. Without the PGP signature the people at Gentoo had no way of realizing that the source code was tainted. The Gentoo folks then distributed the compromised file from their trusted (but insecure) source code provider.

It should also be noted that this would only affect people that installed Unreal. It wasn't actually included with the base distro (with Gentoo the kernel isn't even included with the base distro, you have to compile it yourself). Since Gentoo distributes only source code and does not have binaries on their servers, there was no way for a virus scanner to catch the corrupted files.

I suppose the folks at Gentoo shouldn't have used an unsigned file, but I don't think that I would have considered the possibility of the official Unreal mirrors distributing bad code so I can't really bash them.

Constant vigilance!
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

WhoDo
Posts: 4428
Joined: Wed 12 Jul 2006, 01:58
Location: Lake Macquarie NSW Australia

Re: Linux-Malware in Gentoo a Threat to Puppy?

#6 Post by WhoDo »

edoc wrote: I have observed that the recent releases of Quirky and Wary come with Firewalls by default - did Barry see this coming?
In fact ALL official releases since 4.12 (at least) have the firewall installed and on by default. That certainly was the case with 4.2x releases, and I'm pretty sure it is true of 4.3x too.
Actions speak louder than words ... and they usually work when words don't!
SIP:whodo@proxy01.sipphone.com; whodo@realsip.com

nooby

#7 Post by nooby »

WhoDo wrote: firewall in puppy and on by default
Nope we have to activate it using the set up. That is how I get it.

otropogo
Posts: 764
Joined: Sat 24 Oct 2009, 15:17
Location: Montreal

#8 Post by otropogo »

I've wondered about this lately myself. I always use the firewall wizard when configuring a new Puppy or using pfix=ram, but note that:

1. whether you use the "automatic" or the "default" method, the result seems to be the same

2. there's no indication whether it's running or not, as promised by the displayed messages.

3. there's no indication of any method of turning it off, should you wish to use another firewall or no firewall at all. To believe the display, once configured and saved, it will start at bootup every time.

So while I'm not sure what to believe now - is the firewall on by default or not? And can it be turned off once saved to the 2fs file?

There are numerous menus in Puppy that appear to respond to user input, but in the end achieve nothing. They have not been functional for years, if ever, and simply have never been removed or fixed.
otropogo@gmail.com facebook.com/otropogo

otropogo

#9 Post by otropogo »

I've wondered about this lately myself. I always use the firewall wizard when configuring a new Puppy or using pfix=ram, but note that:

1. whether you use the "automatic" or the "default" method, the result seems to be the same

2. there's no indication whether it's actually running as promised by the displayed messages.

3. there's no indication of any method of turning it off, should you wish to use another firewall or no firewall at all. To believe the display, once configured and saved, it will start at bootup every time.

So I'm not sure what to believe now - is the firewall on by default or not? And can it be turned off once saved to the 2fs file?

There are numerous menus in Puppy that appear to respond to user input, but in the end achieve nothing. They have not been functional for years, if ever, and simply have never been removed or fixed.

tubby
Posts: 317
Joined: Sat 24 Jan 2009, 15:49

firewall

#10 Post by tubby »

Take a peek in etc/rc.d/rc.firewall, open as text and see for yourself what you can alter. :)

nooby

#11 Post by nooby »

This you can test in the urxvt, rxvt or console or terminal or CLI.

like this
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
TRUSTED all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID

Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
#
you write

iptables -L

if it says accept in all places then most likely it is not activated.


But more than that I have no idea how to know how good it is.

But my experience is that if one doesn't activate it then it is active but of no use at all. It is active in the sense that it is there but it is allowing everything both in and out.

But if one runs the setup then it activates the Drop things you can see there, but I don't get what it means. Hopefully somebody will explain it to us. :)

What tubby refers to is how you can detail every little thing it can change.

While the setup allows what I quoted. A preset by the developer
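A small check script for the rule of thumb in the post above (INPUT policy DROP and DROP/REJECT rules present means the firewall is doing something; ACCEPT everywhere means it is not). This is an added example, not code from the thread or from Puppy's rc.firewall; the two sample listings are constructed from the output quoted above, and the guess that the "ACCEPT ... state NEW" row is restricted to the loopback interface is an assumption.

```shell
#!/bin/sh
# Added example (not Puppy's rc.firewall): classify `iptables -L` output the
# way the post above suggests. Live use:  iptables -L | fw_active && echo on
# Constructed sample, copied from the listing in the post (setup has been run).
SAMPLE_ACTIVE='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
TRUSTED all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID'

# Constructed sample of netfilter with no rules loaded: every policy ACCEPT.
SAMPLE_INACTIVE='Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Print the default policy of chain $1 (DROP or ACCEPT) from text on stdin.
# The policy is the fate of a packet no rule matched, so "INPUT (policy DROP)"
# is the key line: unsolicited inbound traffic is silently discarded.
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p"
}

# Count rules whose target is DROP or REJECT; `|| true` keeps grep's "no
# match" exit status from aborting a `set -e` script when the count is 0.
block_rules() {
    grep -cE '^(DROP|REJECT) ' || true
}

# Exit 0 when the firewall does something (INPUT policy DROP or at least one
# blocking rule), 1 when every policy is ACCEPT and nothing blocks. Plain -L
# hides the interface column; the "ACCEPT ... state NEW" row is presumably
# limited to loopback (assumption), which `iptables -L -v -n` would show.
fw_active() {
    text=$(cat)
    pol=$(printf '%s\n' "$text" | chain_policy INPUT)
    blocks=$(printf '%s\n' "$text" | block_rules)
    [ "$pol" = DROP ] || [ "$blocks" -gt 0 ]
}
```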

otropogo

#12 Post by otropogo »

tubby wrote: Take a peek in etc/rc.d/rc.firewall, open as text and see for yourself what you can alter.
thanks tubby, will have a look, but I doubt I'll understand enough to make changes. I'm used to Zonealarm.
nooby wrote: This you can test in the urxvt, rxvt or console or terminal or CLI.
thanks Nooby. PS. do you ever regret your pessimistic choice of username? :wink:

nooby

#13 Post by nooby »

Hahah, if you have a good suggestion do write me a PM and I will consider it. :)

Nooby is a crazy name but it is kind of very apt. I am like an eternal Newbie. Knowledge almost never gets remembered due to my bad attention.

Should I call myself maybe Nobody?

Hmm

Promise to send me a PM with a good suggestion so nobody else takes it.

otropogo

#14 Post by otropogo »

You mean you'd consider changing your username? Is that even possible?

I guess you'd still be recognizable by your avatar.

I could certainly make some suggestions. Send me a pm or e-mail and tell me more about yourself. I have the impression you're in Sweden or thereabouts.

Your claimed memory deficit doesn't sound plausible though. You're forever posting references, while I have trouble just remembering not to waste my time with the BBS search engine.

nooby

#15 Post by nooby »

Somebody complained about me writing Europe. But I failed to find where to correct it.

The mods told me it is allowed to change username as long as one doesn't use such a change for trolling or anything bad.

As you say my avatar would reveal me but most revealing is my writing style.

No one else is as naive in their posting as me. Unfortunately for me I have no way to pretend to be somebody else. My body automatically writes in my style even if I try to be like everybody else. Hopeless case.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#16 Post by Pizzasgood »

It isn't possible for a user to change his own name (with the current settings), but an administrator can change a user's name upon request as long as there's a decent reason - e.g. the name offends somebody or brings up painful memories or makes people not take them seriously, etc., so they want to change it to something different.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

otropogo

#17 Post by otropogo »

Pizzasgood wrote: It isn't possible for a user to change his own name (with the current settings), but an administrator can change a user's name upon request as long as there's a decent reason - e.g. the name offends somebody or brings up painful memories or makes people not take them seriously, etc., so they want to change it to something different.
Good to know. And then all of their posts would be reattributed to the new name, presumably.

Some forums are completely rigid on this point.

When registering for another online forum I made a typo and got myself registered as "otorpogo". I immediately contacted the admin about it and requested a correction. The answer was "absolutely not", no reason given.

So I've been stuck with it for years now.

nooby

#18 Post by nooby »

I trust Pizzasgood on this. I guess the Mods here felt so sorry for my poor choice of name that they allowed me on the spot to change it when I mentioned it in Dec 2009 or whatever.

Since then I have cooled down a bit on changing it.

Yes all old posts would be in the new name if I get it too.

gerry
Posts: 986
Joined: Thu 26 Jul 2007, 21:49
Location: England

#19 Post by gerry »

@Nooby- you think you can't remember things? Fifty+ years ago, my maths lecturer used to come in, write for a couple of minutes in a corner of the blackboard, draw a box round it, and say "For the benefit of Mr (me), that's what we learnt last week." And then start his lecture. Things haven't improved....

gerry

nooby

#20 Post by nooby »

Thanks Gerry.

Sometimes I wonder if not Nobody would be a good nick name to use.

or this one "Whatever". Or why not "Ignorius" or "When Will I Be Loved"
or ... I lack imagination to come up with something that really would work.

Heheheh, we have PuppyLuvr so maybe I should name myself

QuirkyTester but that sounds too demanding too. I am not tested. More of a
Quirky:MessMaker, QuirkyConfuser, ...
