(old)Puppy Linux Discussion Forum

From http://malwaredomains.com/?tag=fake-codecs

DNS Blocklist Update 12/29
Posted on December 29th, 2007 in New Domains, Storm Worm, fake codecs by dglosser

Added: storm worm domains, rogue antivirus, fake codecs

e-learningcenter.ru flashupdate.net
googl.name health-hack.com
home-xxx.com jkh-novgorod.ru
juhost.ru l0calh0st.jino-net.ru
natural-amber.com newyearwithlove.com
orentraff.cn qarchive.net
s0s1.net taktomi.ru
traffurl.ru trffc.org
vip-ddos.org x5x.ru
xll-g.com milk0soft.com
xmaturelife.com


updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference

Hey thanks AJ,

I've been getting a huge spike in traffic out of .ru

It says it's from puppyrus but I will definitely look much closer at this.

Eric

Where is Barry?
The manual page is still infected.

wingruntled wrote:Where is Barry?

Where's the emoticon for "bites down on tongue?"

For the ordinary users. Have we been left with a Trojan in Puppy Linux iitself? Did I download a working Trojan with the manual? Should I rebuild by pup_save file?

I don't know who runs puppyrus but they should be informed also about this.

Eric

purple_ghost wrote:For the ordinary users. Have we been left with a Trojan in Puppy Linux iitself? Did I download a working Trojan with the manual? Should I rebuild by pup_save file?

There shouldn't be any problem with your pup_save.
This is yet another windows base trojan.
http://www.bluetack.co.uk/forums/lofive ... 18052.html

It has been just shy of 22-hours since biting my tongue regarding this matter. Though The Tongue is now unleashed, I'll measure my words - all in the interest of deliberately attempting to be constructive.

Any word back from Barry? It's Sunday morning, east coast USA time, and several pages on puppylinux.com still carry and propagate this IFRAME exploit.

I've just sent a PM to both LobsterEd and Barry regarding this, and a backup email to LobsterEd.

FYI, Barry's last post on this forum was date/time stamped Mon Feb 25, 2008 9:34 pm (east coast USA), though I seem to remember seeing him listed on-line since then. LobsterEd was logged on this forum when I was commenting here.

The Tongue is now unleashed,

Well that wasn't so bad. I was expecting my LCD to turn blazing red. LOL
Thanks for that list of domains. Looks like I'm going to do some more editing on my windows hosts file just to stay a little bit safer.

To date, this is the only official public response I've been able find:

"Notice: this static webpage is temporarily replacing my WordPress blog until I can sort out a security hole in my site (hosted by servage.net)."

And now, this just in from the official Puppy Linux news desk:

With apologies to Lobster.

AJ, where those once real monkeys?

BTW, until Barry comes back and fixes the web page, anyone using Internet explorer should disable the IFRAME by:

Starting Internet Explorer then go to -
Tools - Internet Options - Security Tab - Click "Custom Level"

Scroll down till you see:
Launching programs and files in a IFrame = Disable

Then press OK to all, and restart. That IFRAME exploit should stop redirecting after this.

Internet Explorer?????

Wassat?

Wolf Pup
Barry was here in the forums yesterday. The pages on his domain were fixed directly after. I imagine he had quite a few PM's about the problem. He took his blog down and put up a temporary explaining what part of the problem was.

Wolf Pup wrote:AJ, where those once real monkeys?

Assuming you meant "were" and not "where," no. Those were once real giraffe. Amazing transformation, wouldn't you say?

Thanks for posting that IE tip. That should help keep the IFRAME wolves at bay for those hapless souls still shackled by the Curse of Redmond.

I was forced to remove my WordPress blog to fnd out if that is the security weakness. Now it's a waiting game, to see if my pages get compromised again.

If they do, then Servage is to blame, as all I have left are static web pages (with 644 permissions).

I complained to Servage a couple of months ago, and they told me it's my fault, my blog script or file permissions. Their Control Panel has a history thing which is supposed to show who has logged in and they told me to look at that to see if anyone else has logged in -- except that feature of the Control Panel isn't working. Anyway, I changed the password. I'm not looking forward to going back to Servage customer support -- their responses are close to brain dead.

That should help keep the IFRAME wolves at bay for those hapless souls still shackled by the Curse of Redmond.

Can one of you knowledgeable types confirm that that exploit is only a problem with IE? (I've visited the site several times using Firefox, but had nothing downloaded/warned about)

Makes one wonder what might be buried in the ISOs.

Do you think there could be stuff in the ISOs? Can the "baddies" put things in the ibiblio downloads, or can they only mess with web pages?

BarryK wrote: their responses are close to brain dead.

this implies there is a brain...

oblivious wrote:Do you think there could be stuff in the ISOs? Can the "baddies" put things in the ibiblio downloads, or can they only mess with web pages?

Simply look at the modification date.

My personal experience is, that such attacs are automated scripts, that do not infect a particular domain.
Instead, they search the web for typical bugs in PHP or applications (like wordpress). They infect whatever they find, but do not target on "Linux-sites" or other special topics.
They then install some code hidden in iframes or a "this site was hacked by ultracool ME".
Modifying isos or packages is not to be feared.
This requires advanced knowledge and "manual" operations (like extracting and rebuilding and uploading again).
You than could see that by the change in the date of the file.

GENERAL HINT
If you must use windows to surf (e.g. at work), DO use firefox or other browsers!
Even very trusted sites were infected in the last weeks (famous newspapers and such) by using the advertisment banners (hosted by other companies) as a way to infect the sites.
Most exploits still target on the Internet Explorer, that makes it easy to damage the whole system via ActiveX.
Use a browser, that is targeted less often, and does not support ActiveX instead.

Someone who is infected, has a high portion of responsibility on his own, because he does not even care about simplest protection.
Windows is know to be dangerous in this regard since years, even users without deeper knowlede in computers should know that.

Mark

MU wrote:Modifying isos or packages is not to be feared.

Though I hate playing the Devil's advocate, Mark, that's a rather pious claim and I can't but help notice an ever-so-faint tick-tock way off in the distance.

Not all black hats are script kiddies or index.html graffiti vandals. Some are very patient and cunning. All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup, pupget or sfs file for all Hell to break loose.

We now return you to your normally scheduled programming.

All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup

How would they do that? I understood Mark to be saying that they'd actually have to get the file and upload a tainted version, rather than just get the bad stuff on there by sending out scripts . What sort of "nightmare" could happen?