Puppy Linux Discussion Forum
All times are UTC - 4
Spyware in Firefox??
Bruce B


Joined: 18 May 2005
Posts: 11109
Location: The Peoples Republic of California

PostPosted: Fri 10 Jun 2005, 13:26    Post subject:  Spyware in Firefox??  

The first symptom I noticed was I couldn't connect to Google or Yahoo search. Eventually I connected to Google but it wasn't Google's page source. This is the page source:

<html>
<head>
<title>Goggle.com</title>
</head>
<frameset rows="0,*" framespacing="0" border="0">
<frame frameborder="0" name="disclaimer" src="disclaimer.html" noresize="noresize" scrolling=no>
<frame frameborder="0" name="prize" src="http://lsjmp.com/12/135.htm?r=135&u=519" noresize="noresize">
<noframes>
<body>
<br>
<br>

<br>
<a href="http://lsjmp.com/12/130.htm?r=130&u=519">Clean your computer now! Click Here!</a>
</body>
</noframes>
</frameset>
</html>

I seemed to be able to connect with other sites just fine. I started and restarted the computer and no change.

I deleted /root/.mozilla directory and it seems okay now.

Just thought I'd update you all. If anyone else has funny behavior like this let me (us) know, okay?

----------------------

Software Information

Puppy v1.0.3
Firefox v.1.0.4
Icewm
A few extensions installed, not many
Java - disabled
JavaScript - disabled
Allow sites to install software - enabled
babbs


Joined: 10 May 2005
Posts: 397
Location: Running down a highway in Virginia, USA.

PostPosted: Fri 10 Jun 2005, 13:43    Post subject:  

Bruce,

Since April 17th, I have seen 6 different Firefox exploits posted to the web. The proof of concept code for the malicious code you encountered was posted that day.

Mozilla Firefox Sidebar Code Execution Proof of Concept Exploit
http://www.frsirt.com/exploits/20050416.MFSA200539.php

babbs
BillK

Joined: 09 Jun 2005
Posts: 11
Location: London, England

PostPosted: Fri 10 Jun 2005, 15:02    Post subject:  

The latest four releases of Firefox have all been to fix various problems and exploits, i.e. v1.0.1 to v1.0.4.
I believe this exploit was fixed in v1.0.3.

So make sure you are up-to-date and running v1.0.4.
Click on the 'Check for updates' icon in the top right corner.
GuestToo
Puppy Master

Joined: 04 May 2005
Posts: 4078

PostPosted: Fri 10 Jun 2005, 15:10    Post subject:  

also, be sure you are trying to access google.com and not goggle.com

google is a search engine
goggle is a web site waiting for people that make spelling mistakes
Guest
Guest


PostPosted: Fri 10 Jun 2005, 15:20    Post subject:  

GuestToo wrote:
also, be sure you are trying to access google.com and not goggle.com

google is a search engine
goggle is a web site waiting for people that make spelling mistakes


That wasn't the problem. In fact I first discovered it using the Firefox search box in the upper right corner of the browser. When Google didn't work I tried Yahoo.

Even more spooky - Dillo didn't work either.

More spooky - I pinged Google and used the IP address from ping and still had the same problem.

System-wide problem? I prefer to think not. I think maybe Google's wrong IP address got cached or something.

But just to verify that it wasn't goggle I typed in, I just tried it and got a different page - it doesn't even match the source code I posted.

Something exploited the browser since yesterday. I made a clean install of Puppy v1.0.3 yesterday.
GuestToo
Puppy Master

Joined: 04 May 2005
Posts: 4078

PostPosted: Fri 10 Jun 2005, 17:14    Post subject:  

that sounds like a dns problem ... i think i read somewhere that google's ip was being redirected by hijacked dns servers ... that would be an internet problem, not on your machine

hijackers often modify your hosts file (/etc/hosts) and redirect urls like google to other ip's ... you will see it right away if you look in your hosts file ... you can make your hosts file read-only by typing chmod a-w /etc/hosts

i'm running Firefox 1.0.4 ... it's easy to install the latest Firefox (or Mozilla Suite, or Opera) ... just download, unzip and run
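The hosts-file check GuestToo describes above, as an added example that is not part of the original thread. It goes slightly further than reading the file by eye: it reports any entry that pins a watched domain or one of its subdomains to a fixed address, and checks whether the file still has write bits set. The function names, the watched domains and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a hosts file for entries that
# pin watched domains, or any of their subdomains, to a fixed address.
# Prints one line per hit: "<kind> <ip> <name>", kind = redirect | loopback.
audit_hosts() {
    hosts_file=$1; shift
    awk -v watch="$*" '
        BEGIN { n = split(tolower(watch), w, " ") }
        { sub(/#.*/, "") }              # strip comments; awk re-splits the fields
        NF < 2 { next }                 # blank line or address with no names
        {
            kind = ($1 ~ /^127\./ || $1 == "::1" || $1 == "0.0.0.0") ? "loopback" : "redirect"
            for (f = 2; f <= NF; f++) {
                name = tolower($f)
                for (i = 1; i <= n; i++) {
                    d = w[i]; cut = length(name) - length(d)
                    if (name == d || (cut > 0 && substr(name, cut) == ("." d)))
                        print kind, $1, name
                }
            }
        }' "$hosts_file"
}

# True if any write bit is set, i.e. "chmod a-w" has not been applied.
hosts_has_write_bits() {
    [ -n "$(find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
sample_hosts() {
    cat <<'EOF'
127.0.0.1    localhost puppypc
192.0.2.10   google.com www.google.com   # constructed hijack entry
198.51.100.7 search.yahoo.com
0.0.0.0      ads.example.net
# 203.0.113.5 www.yahoo.com
EOF
}

demo=$(mktemp) && sample_hosts > "$demo"
audit_hosts "$demo" google.com yahoo.com
hosts_has_write_bits "$demo" && echo "write bits set on $demo"
rm -f "$demo"
```

Against the real file this would be called as `audit_hosts /etc/hosts google.com yahoo.com`. Cleared write bits do not restrain a process running as root, so the audit result matters more than the file mode.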
Bruce B


Joined: 18 May 2005
Posts: 11109
Location: The Peoples Republic of California

PostPosted: Fri 10 Jun 2005, 17:31    Post subject:  

Remember that Yahoo was also doing the same thing.

I'd prefer to think that the Internet was the problem. I've never had a problem like this one with Firefox or Linux for that matter.

The hosts file gives me an idea. Maybe I'll put google and frequently visited sites in the hosts file. Isn't there a utility for looking up name -> IP in Linux?

I used ping but I think there is a better utility.
babbs


Joined: 10 May 2005
Posts: 397
Location: Running down a highway in Virginia, USA.

PostPosted: Fri 10 Jun 2005, 21:46    Post subject:  

Here is an article that may shed some light:
( http://isc.sans.org/presentations/dnspoisoning.php )

Quote:
March 2005 DNS Poisoning Summary
compiled by Kyle Haugsness
Note: As of April 3rd, this episode of DNS poisoning is not fully mitigated or explained yet. We will update this text as more details become available

########################################################################
##
## DNS CACHE POISONING DETAILED ANALYSIS REPORT Version 2
## (by Kyle Haugsness and the ISC Incident Handlers)
##
########################################################################

########################################################################
## Summary
########################################################################

Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began
receiving reports from multiple sites about DNS cache poisoning attacks
that were redirecting users to websites hosting malware. As the
"Handler on Duty" for March 4, I began investigating the incident over
the course of the following hours and days. This report is intended to
provide useful details about this incident to the community.

The initial reports showed solid evidence of DNS cache poisoning, but
there also seemed to be a spyware/adware/malware component at work.
After complete analysis, the attack involved several different
technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec
firewall/gateway products, default settings on Windows NT4/2000,
spyware/adware, and a compromise of at least 5 UNIX webservers. We
received information the attack may have started as early as Feb. 22,
2005 but probably only affected a small number of people.

On March 24, we received reports of a different DNS cache poisoning
attack. This attack did not appear to affect as many people. This will
be referred to as the "second attack" in the remainder of this report.

After monitoring the situation for several weeks now, it has become
apparent that the attacker(s) are changing their methods and toolset to
point at different compromised servers in an effort to keep the attacks
alive. This attack morphed into a similar attack with different IP
addresses that users were re-directed toward. This will be referred to
as the third attack and is still ongoing as of April 1, 2005.

Before proceeding, a note of thanks is in order for all the people that
have submitted reports to us, helped us investigate further, and
provided us logs or data. The Internet Storm Center is a volunteer
effort and the better information that we receive from the community,
the better analysis we can perform and contribute back to the community.


<<More at the link above>>
babbs


Joined: 10 May 2005
Posts: 397
Location: Running down a highway in Virginia, USA.

PostPosted: Fri 10 Jun 2005, 21:51    Post subject:  

Bruce,

The command you are asking about is "nslookup". Although I don't know if it works in Puppy, this is what I got for google.com:

Code:
[babbs@localhost ~]$ nslookup google.com
Server:         216.151.83.45
Address:        216.151.83.45#53

Non-authoritative answer:
Name:   google.com
Address: 216.239.39.99
Name:   google.com
Address: 216.239.37.99
Name:   google.com
Address: 216.239.57.99


babbs
ezeze5000


Joined: 10 May 2005
Posts: 346
Location: Missouri U.S.A

PostPosted: Fri 10 Jun 2005, 23:14    Post subject: google  

I couldn't access the Google website on any of my PC's, for a whole day.


I thought the site was down.
babbs


Joined: 10 May 2005
Posts: 397
Location: Running down a highway in Virginia, USA.

PostPosted: Fri 10 Jun 2005, 23:46    Post subject:  

ezeze,

When was that? Not a day in the past 90+ days has that happened to me.

babbs
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11081
Location: Arizona USA

PostPosted: Sat 11 Jun 2005, 00:03    Post subject: When was Google website down?  

Me either. Sometimes it's slow to respond, but eventually it always does.
babbs


Joined: 10 May 2005
Posts: 397
Location: Running down a highway in Virginia, USA.

PostPosted: Sat 11 Jun 2005, 00:10    Post subject:  

Flash,

There has been a worm or two that has caused Google to be unavailable for a period of time, but that time has been measured by hours... Not a whole day or more.

(The worm that comes to mind used Google to search for additional computers vulnerable to its exploit. Yahoo search was also a victim to this worm. The Google and Yahoo search sites went down because the worm caused a denial-of-service-like attack on them.)

babbs
Bruce B


Joined: 18 May 2005
Posts: 11109
Location: The Peoples Republic of California

PostPosted: Sat 11 Jun 2005, 00:17    Post subject: Re: google  

ezeze5000 wrote:
I couldn't access the Google website on any of my PC's, for a whole day.


I thought the site was down.


Those were my first symptoms, started yesterday. Then I connected to the bogus site.

Actually, the more I think about it - I bet on GuestToo's theory - something with the DNS.

Maybe a coincidence that it started working right after deleting /root/.mozilla.