Viruses? can I get them?

For discussions about security.
Message
Author
User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#31 Post by Pizzasgood »

I'm saying that if somebody manages to "hack into your Puppy" such that they can run commands as root, and the drive is plugged in, then it would be trivial.

But they have to get into your Puppy first, which is not trivial. How do they do that?

If they write a trojan, and you run it as root, then the trojan can do anything root can do, including mounting drives.

If you install and enable an SSH server and they manager to figure out your password and you have Puppy and SSH configured to accept connections from wherever the person is coming from, he could log in and run anything he wants as root.


Otherwise, I don't know how the hacker would get into your Puppy in the first place. He'd have to find some vulnerability to exploit, and I don't know much about how to do that yet.


Best way to protect a harddrive is to unplug it from the motherboard (while the computer is powered down of course, otherwise you are more dangerous to it (and it to you) than any hacker!).

That isn't always practical though. Another method is to not run programs that can be exploited, or at least minimize the damage they could do. The biggest hole is the browser and its plugins. If the browser is run as 'spot' or another limited user, then if an exploit is exploited they still won't have root access (be sure to change your password from the default with the 'passwd' command though!).


Don't run servers that allow outside people to interact with your machine. I mentioned SSH already. Telnet, webservers, ftp servers, etc. also are candidates for attack. If servers must be run, try to deny all the web by default and then only allow specific machines access if possible (/etc/hosts.allow and /etc/hosts.deny are useful for this). Puppy is set up by default to block all non-local hosts. You should also learn something about the firewall. It can do interesting things like temporarily (or permanently) ban people who attempt to access your machine too frequently.


Be careful what programs you install. If possible it's good to look inside a package to see what exactly it does (they're basically just .tar.gz files, with a md5 checksum appended to the end, so you can extract them with tar -xf packagename.pet). You can't look at a binary file and see what it does unless you know machine code, but you can read through any scripts, and make sure important system files aren't being replaced. You'll also come out knowing more about the program you installed, in case it ever breaks.


Learn what your computer normally behaves like so that you notice any changes. (Temperature, CPU load, memory usage, disk activity, network activity, etc.) If you're seeing network activity but not actually doing anything with the network, find out why.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#32 Post by PaulBx1 »

Pizzasgood, I tried that "su spot seamonkey" and it works fine. I can even go and do things on the "about:config" page. The only thing is that my old profile is gone of course.

But I wonder, is there any reason at all for running Seamonkey as root? If not, why is seamonkey not invoked by default with a "su spot seamonkey"? It would seem to be a good security measure. Maybe rattle Barry's cage?

Of course there is the difficulty of moving the old profile over, which some would find a pain. I'm not sure how to do it. Maybe that can be automated too?

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#33 Post by Pizzasgood »

The seamonkey (and firefox if installed) profile is at ~/.mozilla, so you could try something like this (as root):

Code: Select all

rm -r /root/spot/.mozilla
cp -a /root/.mozilla /root/spot/
sed -i 's|/root/|/root/spot/|g' $(grep -Rl '/root/' /root/spot/.mozilla)
chown -R spot:spot /root/spot/.mozilla
If it doesn't work, just delete /root/spot/.mozilla/ and try something different.


Probably one of the reasons we don't use seamonkey as spot by default is that too many people would complain about not being able to download files to other places.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

mystmaiden
Posts: 93
Joined: Thu 23 Jul 2009, 14:36

#34 Post by mystmaiden »

.Flash wrote back in the beginning of this thread:

Still, malware is a possibility to keep in mind.

With windows I found myself having to constantly run 3 different malware detectors to keep xp clean (not one of them would catch everything), how would one deal with malware on puppy? Is it detected by one of the antivirus programs or ?

myst

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#35 Post by Pizzasgood »

You could install an antivirus program like ClamAV or F-Prot.

Most people just don't worry about it, because it isn't an issue yet.

I could carry antivenom in my pocket every day, but there isn't much point - I have such a small chance of being bitten by a deadly snake where I live that it would be a waste of pocketspace. Somebody could introduce some snakes, but they would probably be run over by all the cars before they had a chance to harm me.

I would be more concerned about an enemy attempting to assassinate me by slipping a snake into my bed. As unlikely as that is, it's more likely than being bitten by a random snake released to attack any random person who passes by.


When it comes to Linux, I use Conky so that I can monitor my CPU use, network activity, temperature, etc., and I often look inside a package before installing it to find out what it does (mainly out of curiosity though, so I'll know more about how it works). I also keep any especially confidential information encrypted - not only does that help reduce the harm that could be done through malware, but it helps protect me in the event of theft.
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#36 Post by mikeb »

Bear in mind that windows has the mechanism for malware to be installed and run built in (did you see flash install itself??)...It is such an easy target why bother trying to wriggle in the secure_by_default linux.

The mechanism can be removed from windows but we who do so are liars and are lying about having no infections for years whilst running no antivirus software :D

relax

mike

Frank Cox
Posts: 378
Joined: Sun 01 Nov 2009, 06:05

Chat users claim their is a virus

#37 Post by Frank Cox »

I have a weird problem on a Dell 530 duo core running Ubuntu and Puppy.
Puppy refuses to run x period. It worked for a awhile then all I get is a blank screen and when I reboot it says to use the xorg wizard but no matter what setting it is blank. Ubuntu still works fine and I blew up windows a month ago and have been afraid to reinstall it as I have almost 60 gigs of files in Ubuntu .

The people in puppy chat claim there is a virus that does that and probably got there using Ubuntu. I wrote the name down but it is not here. Personally I think they are yanking my chain because Ubuntu is unaffected.

Avast makes anti-virus for Linux, it has never failed me in Windows. Its also free. I have not used it because I am concerned it will be too big a resource hit.

If you are that paranoid you could unplug all the hard drives save one that you use for downloads and run in ram off the cd. and then scan it with Avast.

Please tell me how to become a liar and disable that feature in Winders? :D

I guess if someone wanted to they could post an amazing new pet that installs a full blown MSWord suite in Puppy using only 25 megs and con people into installing the virus for them? :}

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#38 Post by mikeb »

Puppy refuses to run x period. It worked for a awhile then all I get is a blank screen and when I reboot it says to use the xorg wizard but no matter what setting it is blank.
sounds like a corrupted pup_save/filesystem problem that's a little too common
at the moment...nothing malicious just failing software....a fsck on the partition/pupsave might help sort it and there are some fixes for full installs floating around.
Do not take anything from that chatroom seriously.

As for windows look up nlite and xplite and how integrated internet explorer is the gateway to nasties

mike

User avatar
Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#39 Post by Pizzasgood »

Puppy refuses to run x period. It worked for a awhile then all I get is a blank screen and when I reboot it says to use the xorg wizard but no matter what setting it is blank.
Since you didn't specify whether you tried this, I had better ask just in case: Have you tried simply running startx?

If that doesn't work, and if it doesn't provide any error messages (it probably wouldn't), there is an error log that it generates at /var/log/Xorg.0.log. You can read it from the commandline like this:

Code: Select all

less /var/log/Xorg.0.log
Like it says at the top, lines that have warnings will be prefixed with (WW) and lines with errors will have (EE). In particular, at the very bottom it might have a hint about why it didn't start. Of course, try to look through the whole thing too... (You navigate inside of less with the arrow keys. You can also use the spacebar to page down and the 'b' key to page up. You can exit with the 'q' key.)

If you need to copy that file to another location on the drive so that you can access it from another OS to post it here, you can do that with the cp program. For example, if you wanted to copy it to /mnt/home/, you could do that like this:

Code: Select all

cp /var/log/Xorg.0.log /mnt/home/
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#40 Post by Lobster »

I created Growl for the 'there must be devils and viruses brigade'
Never use it myself
http://www.murga-linux.com/puppy/viewto ... 821#371821

Here is more info to scare yourself with
http://en.wikipedia.org/wiki/Linux_malware :roll:

Scared yet? Use this BSD
http://www.openbsd.org/

Hope you find what you are looking for. :)

Puppy Linux - runs as root
and still recommended by Computer Crime Investigation Unit

http://puppylinux.org/wikka/BlackOps
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

User avatar
gposil
Posts: 1300
Joined: Mon 06 Apr 2009, 10:00
Location: Stanthorpe (The Granite Belt), QLD, Australia
Contact:

#41 Post by gposil »

Lobster,

Dpup484beta2 which will be out later today includes an all new "Sandboxed SafeBrowser", which runs as a non-root user and on closing destroys it's own cache, history...etc

Just thought those security conscious people would be interested.

Cheers
[img]http://gposil.netne.net/images/tlp80.gif[/img] [url=http://www.dpup.org][b]Dpup Home[/b][/url]

User avatar
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm
Contact:

#42 Post by Lobster »

Just thought those security conscious people would be interested
Guy
Mind viruses are the real enemy

For example the Dpup Beta 2 is uploaded to about 60MB at present
BUT
some people will download (gosh may even do it myself for that noob sensation]
check the md5sum
convince themselves their security is breached or some hacker is intercepting or . . .
[pause for breath]

is the worm in your head bigger than the threat
Answers in a crypted message to the usual drop zone :)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

User avatar
nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#43 Post by nubc »

Lately, I have acquired trojans from advertising popups, and the immediate remedy is to use the Adblock feature built into Puppy 4.3.1 (Seamonkey 1.1.18) to get rid of the advertising, and now getting no new viruses. This is why I desperately need Adblock 0.5 for Seamonkey 1.1.8.

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#44 Post by mikeb »

Lately, I have acquired trojans from advertising popups
would you care to elaborate?

mike

User avatar
nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#45 Post by nubc »

...not only trojans, but rootkits as well...
http://www.murga-linux.com/puppy/viewtopic.php?t=48548

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#46 Post by mikeb »

From that thread you are talking about XP with Internet explorer installed...so normal behaviour...you don't even have to run IE to get those.

You made it sound like this had happend whilts using puppy...my misunderstanding sorry

regards

mike

User avatar
nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#47 Post by nubc »

@mikeb
Your first impression was correct. The problem happens with Puppy Seamonkey, there is a recent report of Ubuntu (Firefox) getting the rogue AV popups, and even Macs seeing the problem. Since these popups and page redirects come from advertising, a good temporary fix for Mozilla browsers is to stop the ads with Adblock.

User avatar
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#48 Post by mikeb »

Your first impression was correct. The problem happens with Puppy Seamonkey, there is a recent report of Ubuntu (Firefox) getting the rogue AV popups, and even Macs seeing the problem. Since these popups and page redirects come from advertising, a good temporary fix for Mozilla browsers is to stop the ads with Adblock.
ah those things....they use javascript and then make a page look like windows explorer or similar, or as you mentions the you are infected tripe...if only they knew :D. I'm not sure how the javascript settings in preferences would affect these happenings..the ones designed to limit what javascript can do.

mike

User avatar
drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

Pop-unders

#49 Post by drongo »

I have seen those kind of "scare-windows" a few times whilst using Puppy. They are quite amusing - especially the ones that refer to directories which you don't even have on your Windows partition - which isn't even mounted!

You sometimes see a pop-under window which only appears after you close or minimise the browser but this is just a scary window, it doesn't mean they are scanning or installing anything on Puppy Linux. Some of them are quite persistent - the only way I can get rid of these is to kill the process.

As far as I know, though, all quite harmless if you are using Puppy. I know this might be alarming for would-be Windows refugees but is it possible the pop-under is generated by a site you visited before Puppy Linux? If the Puppy forum is the last site you visit before closing the browser that's when you'd see the pop-under.

I usually visit the Forum with adblock enabled either on Seamonkey in Puppy or on Firefox in XP. Is it possible that's why nobody else has reported this? If it comes from an ad I'd never see it.

The last thing we should be doing is allowing these rogues to scare people away from Puppy.

User avatar
nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#50 Post by nubc »

word to the wise: When I was getting those popups on Puppy Forum, I actually had one trojan and three rootkits in operation on my Windows computer, which I occasionally used to visit the forums. The rootkits prevented my security software from detecting them, as well as preventing Windows security patches and updates from AVG.

Post Reply