Virus warning from www.puppylinux.com/manuals.htm

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#31 Post by BarryK »

I was forced to remove my WordPress blog to find out if that is the security weakness. Now it's a waiting game, to see if my pages get compromised again.

If they do, then Servage is to blame, as all I have left are static web pages (with 644 permissions).

I complained to Servage a couple of months ago, and they told me it's my fault, my blog script or file permissions. Their Control Panel has a history thing which is supposed to show who has logged in and they told me to look at that to see if anyone else has logged in -- except that feature of the Control Panel isn't working. Anyway, I changed the password. I'm not looking forward to going back to Servage customer support -- their responses are close to brain dead.
[url]https://bkhome.org/news/[/url]

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#32 Post by oblivious »

That should help keep the IFRAME wolves at bay for those hapless souls still shackled by the Curse of Redmond.
Can one of you knowledgeable types confirm that that exploit is only a problem with IE? (I've visited the site several times using Firefox, but had nothing downloaded/warned about)
Makes one wonder what might be buried in the ISOs.
Do you think there could be stuff in the ISOs? Can the "baddies" put things in the ibiblio downloads, or can they only mess with web pages?

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#33 Post by MU »

BarryK wrote: their responses are close to brain dead.
this implies there is a brain...

oblivious wrote: Do you think there could be stuff in the ISOs? Can the "baddies" put things in the ibiblio downloads, or can they only mess with web pages?
Simply look at the modification date.

My personal experience is that such attacks are automated scripts that do not infect a particular domain.
Instead, they search the web for typical bugs in PHP or applications (like WordPress). They infect whatever they find, but do not target "Linux sites" or other special topics.
They then install some code hidden in iframes, or a "this site was hacked by ultracool ME".
Modifying ISOs or packages is not to be feared.
This requires advanced knowledge and "manual" operations (like extracting, rebuilding and uploading again).
You then could see that by the change in the date of the file.

GENERAL HINT
If you must use Windows to surf (e.g. at work), DO use Firefox or other browsers!
Even very trusted sites were infected in the last weeks (famous newspapers and such) by using the advertisement banners (hosted by other companies) as a way to infect the sites.
Most exploits still target Internet Explorer, which makes it easy to damage the whole system via ActiveX.
Use a browser that is targeted less often and does not support ActiveX instead.

Someone who is infected has a high portion of responsibility on his own, because he does not even care about the simplest protection.
Windows has been known to be dangerous in this regard for years; even users without deeper knowledge of computers should know that.

Mark
[url=http://murga-linux.com/puppy/viewtopic.php?p=173456#173456]my recommended links[/url]

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#34 Post by alienjeff »

MU wrote: Modifying ISOs or packages is not to be feared.
Though I hate playing the Devil's advocate, Mark, that's a rather pious claim and I can't but help notice an ever-so-faint tick-tock way off in the distance.

Not all black hats are script kiddies or index.html graffiti vandals. Some are very patient and cunning. All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup, pupget or sfs file for all Hell to break loose.

We now return you to your normally scheduled programming.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#35 Post by oblivious »

All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup
How would they do that? I understood Mark to be saying that they'd actually have to get the file and upload a tainted version, rather than just get the bad stuff on there by sending out scripts. What sort of "nightmare" could happen?

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#36 Post by MU »

alienjeff wrote: Not all black hats are script kiddies or index.html graffiti vandals. Some are very patient and cunning. All it would take is for one such black hat to embed a date/time/event triggered nightmare within a popular and seemingly innocuous dotpup, pupget or sfs file for all Hell to break loose.
In theory someone with access to the server can:
Download a pup/iso.
Add a trojan.
Repackage it.
Modify the system date.
Re-upload the modified package, including a modified md5sum.
Reset the system time to the current time.

The only protection would be to store the md5sum on a separate server, or to use a script that compares the md5sums with the ones on your local computer.

I do not want to spread fear; I already got the first PM now from a concerned user.
I just describe what is possible in theory.

In practice, the time a cracker has to invest will not match what he can win.

The scripts I mentioned above are spread using botnets that have already infected millions of Windows computers.
Most Windows users are not aware that they are part of a botnet!

It is so darned easy to do it this way that in practice no cracker will waste time modifying pups.

However, for minisys we soon will activate a new fileserver.
The main reason is that we have reports of download problems with Servage, and their statistics are just a bad joke.
We then will start to set up a business download area with packages made especially for Muppy (it is free to use for everyone; we just call it "business" because it is made by us as a company, to give consultants a trusted site).
This will include enhanced (scripted) mechanisms to ensure that the packages are not cracked.
I will release my scripts to the public then; they are nothing special.

But again, this is a bit like "shooting at sparrows (small birds) with cannons".
At the moment I see no reason to get paranoid, and I hope my explanations above make it easier to understand why.

Mark

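An added example of the check MU describes in post #36 (not code from the thread, and not the Muppy scripts he mentions): a downloaded package is verified against a checksum recorded out of band, on a separate server or your own machine, rather than only against the md5sum published beside the file. The package name, contents and manifest are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk=65536):
    """Stream a file through MD5 (the checksum the Puppy repositories used).
    For a new repository, prefer SHA-256 and a signed manifest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_package(path, server_md5, manifest):
    """Return (ok, reason).

    manifest maps file name -> md5 recorded when the package was first
    published, kept on a separate server or your own machine.  A package
    re-uploaded together with a matching .md5 passes the server check but
    fails against the manifest, which is exactly the case MU describes."""
    name = os.path.basename(path)
    if name not in manifest:
        return False, "no out-of-band checksum recorded for %s" % name
    actual = md5_of_file(path)
    if actual != server_md5:
        return False, "file does not match the server's .md5 (corrupt download?)"
    if actual != manifest[name]:
        return False, "file matches the server's .md5 but not the manifest: possible tampering"
    return True, "ok"

def simulate():
    """Constructed scenario: publish a package, record its checksum out of
    band, then have both the package and its .md5 replaced on the server."""
    with tempfile.TemporaryDirectory() as workdir:
        pkg = os.path.join(workdir, "foo-1.0.pet")        # constructed name
        with open(pkg, "wb") as f:
            f.write(b"original package contents")          # constructed data
        manifest = {"foo-1.0.pet": md5_of_file(pkg)}      # saved locally
        clean = verify_package(pkg, md5_of_file(pkg), manifest)
        with open(pkg, "wb") as f:
            f.write(b"original package contents + trojan")   # attacker's copy
        tampered = verify_package(pkg, md5_of_file(pkg), manifest)
    return clean, tampered

if __name__ == "__main__":
    for result in simulate():
        print(result)
```

The modification date of the file is deliberately not consulted, since MU's own scenario has the attacker resetting the system clock before uploading.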
alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#37 Post by alienjeff »

oblivious wrote:How would they do that?
1) Be patient
2) Develop/modify and test needed app/dotpup
3) Be patient
4) Garner confidence of established community
5) Be patient (notice a trend here?)
6) Offer, promote and maintain app/dotpup
7) Be patient
8) Suggest or wait for app to be included in sfs or ISO
9) Be patient
What sort of "nightmare" could happen?
1) file type deletion
2) directory deletion
3) file system deletion
4) dd zero bomb
5) password/data detection/acquisition
6) zombie/trojan generation

... in other words, just about anything.

I'll grant you that it would take the combination of both amazing patience and a very twisted mind to pull something like this off, but it's certainly not out of the realm of possibility.

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#38 Post by Caneri »

I suspect this may have happened very recently...as in a person creating .pets for bad purposes.

There was a new poster recently, and the first post was a .pet for network cracking which was followed by some more suspect .pets (I was suspicious).

With this in mind I emailed various puppians and watched this stuff closely. I also deleted those files from my server.

Since then, I have a group of guys checking new files on my server...so it's not just me watching for black hats...helps me out tremendously.

I set up an area on my server to allow ONLY "trusted puppy providers" thus the name TPP directory and I will slowly move all TPP people into this area. This directory is restricted and monitored closely by the users inside.

I may be a tad paranoid, but better safe than sorry.

Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]

wingruntled

#39 Post by wingruntled »

Eric
I know exactly what/who you are referring to. Red flags came out almost immediately for me when they joined and started posting the type of packages that they did. And after the security issues came to light, neither of these folks were anywhere to be seen and haven't been seen since. One of those folks I tracked pretty deep into the other side of the net. Pretty dark place :/

oblivious
Posts: 303
Joined: Sat 14 Apr 2007, 05:59
Location: Western Australia

#40 Post by oblivious »

I may be a tad paranoid, but better safe than sorry.
I don't think it is the slightest bit paranoid - it is sensible to look at things with a critical eye and use some judgment. It is much easier for anyone with a bad intent to do something from a position of trust rather than brute force.

I've noticed that there are many linux distros with websites that give virtually no information about who you are dealing with. How many people trawl through the source code to see if there are any backdoors or trojans (or whatever) in there?

DigitalCrypto
Posts: 12
Joined: Sun 26 Aug 2007, 19:19

#41 Post by DigitalCrypto »

I am one of the people that took it deep in the anus on this thing. Unfortunately a lot of my dev software only works on Windows and it's not too often that I get the alerts for virii or use IE. Thankfully I do keep archives and many backups off-machine.

I was running clamAV when this happened and it was a rather quick infection. Incidentally, F-Prot was the only tool that caught it, after the fact.

I had some 35 password/key loggers and trojans installed in less than 30 minutes' time. I ended up fdisking ftw. It cost me a day's worth of time to remedy/rebuild, and I am dumber for having trusted Puppy websites to be secure.

BTW, WordPress is a popular target for hackers. It's riddled with security holes and cross-site scripting vulnerabilities.

If you want secure, powerful, flexible and simple you should definitely check into Drupal.

@Jeff: You are completely correct. It only takes a little bit of patience to sneak something into Puppy legitimately (even as a simple package) that can cause a serious problem. It's very easy to misbehave when you are not denied root access to any part of the OS.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

IFRAME EXPLOIT PERSISTS

#42 Post by alienjeff »

Either it was missed in the sweep or it's back.

http://puppylinux.com/links.htm

I checked all pages in the main page's menu bar, but that's the extent of my searching. To go any deeper is the job of the owner, not the visitor.

Barry: please leave Dingo be and clean the dog run.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#43 Post by alienjeff »

IRC user ralphv caught the following that's on puppylinux(dot)com's main page:

</body></html><!--ngz-->
<div style="position:absolute;left:-200000px">| <a href="http://transplants.org/images/Titles/pharmacy/arimidex/">arimidex</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/standing tall/">female standing tall</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/accutane/">accutane</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/relafen/">relafen</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zyban/">zyban</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/lipitor/">lipitor</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zithromax/">zithromax</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/doxycycline/">doxycycline</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zyvox/">zyvox</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/diflucan/">diflucan</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/prednisone/">prednisone</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/poisonous crap/">poisonous crap</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/lamisil/">lamisil</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/standing tall/">standing tall</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/wellbutrin/">wellbutrin</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zoloft/">zoloft</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/paxil/">paxil</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/clomid/">clomid</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/celebrex/">celebrex</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/ultram/">ultram</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/poisonous crap/">poisonous crap</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/lexapro/">lexapro</a> | 
<a href="http://transplants.org/images/Titles/pharmacy/zyrtec/">zyrtec</a> </div>
<!--ngzf-->
Barry have any stock in pharmaceuticals? If not, stop feeding the bots and spiders.

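An added example (not code from the thread) of how a site owner could check saved copies of the served pages for the kind of injection ralphv found above: markup appended after the closing </html>, an element pushed far off-screen, and any iframe on pages that should not contain one. The sample page is constructed, modelled on the fragment in the post, with placeholder link hosts.

```python
import re

# Constructed page modelled on the fragment ralphv found: a valid document,
# then spam appended after </html> inside a div pushed 200000px off-screen.
SAMPLE_PAGE = """<html><head><title>Puppy Linux</title></head>
<body><h1>Puppy Linux</h1><p>A small live CD distribution.</p></body></html><!--ngz-->
<div style="position:absolute;left:-200000px">| <a href="http://spam.invalid/a/">a</a> |
<a href="http://spam.invalid/b/">b</a> </div>
<!--ngzf-->
"""

CLOSE_HTML = re.compile(r"</html\s*>", re.I)
# positioning with a four-or-more-digit negative offset, which no honest
# page layout on a static site needs
OFFSCREEN = re.compile(r'<\w+[^>]*style="[^"]*(?:left|top)\s*:\s*-\d{4,}px', re.I)
# the static pages discussed here have no business carrying iframes at all,
# so every one is reported for a human to look at
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)

def scan_html(text):
    """Return a list of (kind, excerpt) findings; empty means nothing suspicious."""
    findings = []
    m = CLOSE_HTML.search(text)
    if m:
        trailer = text[m.end():].strip()
        if trailer:
            findings.append(("trailing-markup", trailer[:80]))
    for m in OFFSCREEN.finditer(text):
        findings.append(("offscreen-element", m.group(0)[:80]))
    for m in IFRAME.finditer(text):
        findings.append(("iframe", m.group(0)[:80]))
    return findings

def scan_files(paths):
    """Scan each saved page; returns {path: findings} for pages with findings."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            found = scan_html(f.read())
        if found:
            report[path] = found
    return report

if __name__ == "__main__":
    for kind, excerpt in scan_html(SAMPLE_PAGE):
        print("%-18s %s" % (kind, excerpt))
```

Run it over fresh downloads of the live pages rather than the local originals, since the injection lives on the server; a page that triggers nothing here can still be modified elsewhere, so a diff against the clean copy alienjeff recommends keeping is the stronger check.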
John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#44 Post by John Doe »

clearly Servage's box has been completely compromised.

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#45 Post by alienjeff »

It has been just over 42 hours since I last posted about this.

puppylinux(dot)com still has the IFRAME EXPLOIT embedded in the main page, and the links page still has the pharmaceutical links at the bottom of the source code.

Unless this matter is tended to, sooner or later someone (it won't be me) is going to very ungently report this on DistroWatch and/or similar on-line rags.

P.S.

@John Doe

Clearly neither Servage nor anyone else is doing anything about this. :?

wingruntled

#46 Post by wingruntled »

Sure enough :(
And I just got done with a complete reinstall of everything, so this isn't a cache or worm issue.
Not yet anyway :/

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#47 Post by BarryK »

alienjeff wrote:Clearly neither Servage nor anyone else is doing anything about this. :?
See my latest blog post.
If Servage doesn't fix it soon, I'm moving. Unfortunately I paid for a year and have only been there a few months.

I can reupload everything again, which is what I have been doing, but I am leaving it as-is for now so that Servage can see its condition.

I'll wait a bit longer, not much longer, then reupload everything again.

wingruntled

#48 Post by wingruntled »

but I am leaving it as-is for now so that Servage can see its condition.
Not smart!
In the meantime all Windows visitors inquiring about Puppy get blasted with a trojan.

muggins
Posts: 6724
Joined: Fri 20 Jan 2006, 10:44
Location: hobart

#49 Post by muggins »

In the meantime all Windows visitors inquiring about Puppy get blasted with a trojan.
It's definitely not good if any Puppy sites are hosting any malware. But, if it's true that these things are specifically targeting ActiveX vulnerabilities in IE, how come we haven't seen any response from Microsoft support? I mean, Bill does post regularly to the forum, doesn't he?

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#50 Post by alienjeff »

@Barry
Thanks for the update. To leave the iframe exploit online is as much as supporting the black hats. Instead of passively waiting for the techs at Servage to check the pages live, if and when they ever get around to it, please consider:

1) copying and saving the HTML from both the index and links pages,
2) uploading clean index and links pages, and
3) attaching appropriate excerpts of HTML to correspondence with Servage.

I noted that several of your puppylinux(dot)com pages were generated using IBM WebSphere Studio Homepage Builder V6.0.0 for Windows. Assuming you use Windows from time to time, it's conceivable that your own Windows box may be compromised and the reinfection could be taking place quite close to home. Anyone else with admin privies to puppylinux(dot)com should check their systems for infection, too.

It would be sad if at the end of the day it turned out to be a case of either tail or ghost chasing ...

@Community
Going by this thread, two of "our own" have been infected, though there may be more and we haven't heard from them. They may be a tad embarrassed to display soiled laundry.

Regardless of how some of us feel about the monster of Redmond that is Microsoft, it's important to remember that many of us may very well have been introduced to Puppy while still using IE.

Also remember the old saw about Linux being inherently safe from virii, trojans and such. Puppy could take a devastating publicity hit should the wrong person innocently visit puppylinux(dot)com and click "links" in the menu bar. When I say devastating, I mean a publicity hit that would make the infamous Mark South Distrowatch Dramarama barely a blip on the radar screen.

Please don't ask me to spell it out any further. Use your own imagination.

Think about it.
