Virus warning from www.puppylinux.com/manuals.htm

Puppy related raves and general interest that doesn't fit anywhere else
Post Reply
Message
Author
User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#16 Post by alienjeff »

From http://malwaredomains.com/?tag=fake-codecs

DNS Blocklist Update 12/29
Posted on December 29th, 2007 in New Domains, Storm Worm, fake codecs by dglosser

Added: storm worm domains, rogue antivirus, fake codecs

e-learningcenter.ru flashupdate.net
googl.name health-hack.com
home-xxx.com jkh-novgorod.ru
juhost.ru l0calh0st.jino-net.ru
natural-amber.com newyearwithlove.com
orentraff.cn qarchive.net
s0s1.net taktomi.ru
traffurl.ru trffc.org
vip-ddos.org x5x.ru
xll-g.com milk0soft.com
xmaturelife.com


updates are located at http://www.malwaredomains.com/updates
The full files are located at: http://www.malwaredomains.com/files

BOOT file is in MS DNS format
spywaredomains.zones file is in BIND Server format
domains.txt file is the complete list along with original reference
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#17 Post by Caneri »

Hey thanks AJ,

I've been getting a huge spike in traffic out of .ru

It says it's from puppyrus but I will definitely look much closer at this.

Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]

wingruntled

#18 Post by wingruntled »

Where is Barry?
The manual page is still infected.

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#19 Post by alienjeff »

wingruntled wrote:Where is Barry?
Where's the emoticon for "bites down on tongue?"
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

purple_ghost
Posts: 416
Joined: Thu 10 Nov 2005, 02:18

Question is:

#20 Post by purple_ghost »

For the ordinary users. Have we been left with a Trojan in Puppy Linux iitself? Did I download a working Trojan with the manual? Should I rebuild by pup_save file?
Google Search of Forum: http://wellminded.com/puppy/pupsearch.html

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#21 Post by Caneri »

I don't know who runs puppyrus but they should be informed also about this.

Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]

wingruntled

Re: Question is:

#22 Post by wingruntled »

purple_ghost wrote:For the ordinary users. Have we been left with a Trojan in Puppy Linux iitself? Did I download a working Trojan with the manual? Should I rebuild by pup_save file?
There shouldn't be any problem with your pup_save.
This is yet another windows base trojan.
http://www.bluetack.co.uk/forums/lofive ... 18052.html

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

Re: Stupid Question

#23 Post by alienjeff »

It has been just shy of 22-hours since biting my tongue regarding this matter. Though The Tongue is now unleashed, I'll measure my words - all in the interest of deliberately attempting to be constructive.

Any word back from Barry? It's Sunday morning, east coast USA time, and several pages on puppylinux.com still carry and propagate this IFRAME exploit.

I've just sent a PM to both LobsterEd and Barry regarding this, and a backup email to LobsterEd.

FYI, Barry's last post on this forum was date/time stamped Mon Feb 25, 2008 9:34 pm (east coast USA), though I seem to remember seeing him listed on-line since then. LobsterEd was logged on this forum when I was commenting here.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

wingruntled

#24 Post by wingruntled »

The Tongue is now unleashed,
Well that wasn't so bad. I was expecting my LCD to turn blazing red. LOL
Thanks for that list of domains. Looks like I'm going to do some more editing on my windows hosts file just to stay a little bit safer.

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#25 Post by alienjeff »

To date, this is the only official public response I've been able find:
"Notice: this static webpage is temporarily replacing my WordPress blog until I can sort out a security hole in my site (hosted by servage.net)."
And now, this just in from the official Puppy Linux news desk:

Image
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

User avatar
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

new vision

#26 Post by prehistoric »

With apologies to Lobster. :lol:
Attachments
omg.jpg
Ask AJ where he got it
(24.38 KiB) Downloaded 1385 times

Wolf Pup
Posts: 637
Joined: Fri 28 Apr 2006, 01:37

#27 Post by Wolf Pup »

AJ, where those once real monkeys? :?:

BTW, until Barry comes back and fixes the web page, anyone using Internet explorer should disable the IFRAME by:

Starting Internet Explorer then go to -
Tools - Internet Options - Security Tab - Click "Custom Level"

Scroll down till you see:
Launching programs and files in a IFrame = Disable

Then press OK to all, and restart. That IFRAME exploit should stop redirecting after this.
[img]http://img230.imageshack.us/img230/8595/ubd6467dp2.png[/img]
[url=http://www.tinyurl.com/54tu74]Visit The Repository[/url] - Helpful and hard-to-find treats for Puppy 3.
[url=http://www.tinyurl.com/c5a68f]Click Here for Puppy Support Chat, + Helpful Links.[/url]

User avatar
trapster
Posts: 2117
Joined: Mon 28 Nov 2005, 23:14
Location: Maine, USA
Contact:

#28 Post by trapster »

Internet Explorer?????

Wassat?
trapster
Maine, USA

Asus eeepc 1005HA PU1X-BK
Frugal install: Slacko
Currently using full install: DebianDog

wingruntled

#29 Post by wingruntled »

Wolf Pup
Barry was here in the forums yesterday. The pages on his domain were fixed directly after. I imagine he had quite a few PM's about the problem. He took his blog down and put up a temporary explaining what part of the problem was.

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#30 Post by alienjeff »

Wolf Pup wrote:AJ, where those once real monkeys?
Assuming you meant "were" and not "where," no. Those were once real giraffe. Amazing transformation, wouldn't you say?

Thanks for posting that IE tip. That should help keep the IFRAME wolves at bay for those hapless souls still shackled by the Curse of Redmond.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

User avatar
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia
Contact:

#31 Post by BarryK »

I was forced to remove my WordPress blog to fnd out if that is the security weakness. Now it's a waiting game, to see if my pages get compromised again.

If they do, then Servage is to blame, as all I have left are static web pages (with 644 permissions).

I complained to Servage a couple of months ago, and they told me it's my fault, my blog script or file permissions. Their Control Panel has a history thing which is supposed to show who has logged in and they told me to look at that to see if anyone else has logged in -- except that feature of the Control Panel isn't working. Anyway, I changed the password. I'm not looking forward to going back to Servage customer support -- their responses are close to brain dead.
[url]https://bkhome.org/news/[/url]

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#32 Post by oblivious »

That should help keep the IFRAME wolves at bay for those hapless souls still shackled by the Curse of Redmond.
Can one of you knowledgeable types confirm that that exploit is only a problem with IE? (I've visited the site several times using Firefox, but had nothing downloaded/warned about)
Makes one wonder what might be buried in the ISOs.
Do you think there could be stuff in the ISOs? Can the "baddies" put things in the ibiblio downloads, or can they only mess with web pages?

User avatar
MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany
Contact:

#33 Post by MU »

BarryK wrote: their responses are close to brain dead.
this implies there is a brain...

oblivious wrote:Do you think there could be stuff in the ISOs? Can the "baddies" put things in the ibiblio downloads, or can they only mess with web pages?
Simply look at the modification date.

My personal experience is, that such attacs are automated scripts, that do not infect a particular domain.
Instead, they search the web for typical bugs in PHP or applications (like wordpress). They infect whatever they find, but do not target on "Linux-sites" or other special topics.
They then install some code hidden in iframes or a "this site was hacked by ultracool ME".
Modifying isos or packages is not to be feared.
This requires advanced knowledge and "manual" operations (like extracting and rebuilding and uploading again).
You than could see that by the change in the date of the file.

GENERAL HINT
If you must use windows to surf (e.g. at work), DO use firefox or other browsers!
Even very trusted sites were infected in the last weeks (famous newspapers and such) by using the advertisment banners (hosted by other companies) as a way to infect the sites.
Most exploits still target on the Internet Explorer, that makes it easy to damage the whole system via ActiveX.
Use a browser, that is targeted less often, and does not support ActiveX instead.

Someone who is infected, has a high portion of responsibility on his own, because he does not even care about simplest protection.
Windows is know to be dangerous in this regard since years, even users without deeper knowlede in computers should know that.

Mark
[url=http://murga-linux.com/puppy/viewtopic.php?p=173456#173456]my recommended links[/url]

User avatar
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#34 Post by alienjeff »

MU wrote:Modifying isos or packages is not to be feared.
Though I hate playing the Devil's advocate, Mark, that's a rather pious claim and I can't but help notice an ever-so-faint tick-tock way off in the distance.

Not all black hats are script kiddies or index.html graffiti vandals. Some are very patient and cunning. All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup, pupget or sfs file for all Hell to break loose.

We now return you to your normally scheduled programming.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#35 Post by oblivious »

All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup
How would they do that? I understood Mark to be saying that they'd actually have to get the file and upload a tainted version, rather than just get the bad stuff on there by sending out scripts . What sort of "nightmare" could happen?

Post Reply