Puppy Linux Discussion Forum » Off-Topic Area » Security
Viruses in PUPPY Linux, YES, "Viruses in Linux"
Page 2 of 5 [70 Posts]
Moose On The Loose


Joined: 24 Feb 2011
Posts: 479

PostPosted: Mon 20 Jun 2011, 10:21    Post subject:  

nooby wrote:
Moose OTL wrote that

Quote:
Since Linux systems are rarely rebooted,


That is only true for particular users. All of us who sleep in the same room as the computer power off each night and power on each morning. And many power off when doing something else, like taking a walk to buy food or whatever.

Code:

# uptime
 07:12:46 up 14 days, 17:23, load average: 0.26, 0.20, 0.17
#

I tend to leave mine on. Part of the reason is that I share files off this machine that my wife wants to get to while I am at work. Part is that I just got in the habit (perhaps an admitted bad one) years back when booting took a long time.

In the heat of the summer, I am more likely to power it down so I don't force the airconditioner to work to cool it.

Quote:

I trust that the only reason that Puppy is a bit less often targeted is that they go for where the money is.


There is also the fact that people outright hate Windows. Hate can be a strong motivation.

Quote:

Apple machines are usually very expensive machines so the criminals reason that Apple owners are wealthy enough to be a good catch.


Apple machines are only "expensive" not "very expensive". At the time I bought this machine I paid as much for it as an Apple machine. I got a lot more disk and processor for the price.

Quote:

Puppy users using old machines they found in the dumpster, not so practical to get money from them?


Not this puppy user. From some people's point of view I am a rich person using an expensive machine. I don't drive an expensive car, but I do drive one that works very well for the purpose. The desk it is sitting on is very solidly made from wood. My house has earthquake bracing and storm shutters. I use Puppy not because it costs less but rather because, very simply, it is better.

Quote:

If you run CD or DVD that seems more safe than using frugal on NTFS does it not?

There are no NTFS partitions on this machine. There is one on my wife's. What can I say, I love her dearly, but NTFS, what's up with that!

Quote:

So I am happy you started this thread.

I will gladly take the credit, thank you thank you, .. no wait I didn't start it.

Quote:

The only thing I worry about now is that those that really got virus don't bother to report on it in the forum.


If there are any, please speak up. Think of the black box on an aircraft. They all have them even though it doesn't save the life of those on the ones that gather the really important information.
Bruce B


Joined: 18 May 2005
Posts: 11050
Location: The Peoples Republic of California

PostPosted: Mon 20 Jun 2011, 14:22    Post subject:  

When I start Firefox from the CLI I get this error frequently. The site is blocked in hosts.

The point is why is Firefox trying to make a secure connection to a text file?

Let alone any connection at all on startup.

FAIL download from https://s3.amazonaws.com/fvd-suite/ad_signs.txt
FAIL DOWNLOAD FROM https://s3.amazonaws.com/fvd-suite/sites.txt


I'll keep this updated as I learn more.

UPDATE

This is the content of one file it is trying to get over the secure connection:

speed.pointroll.com
ad-g.doubleclick.net
naked.com
exoclick.com
pointroll.com
edgesuite.net
mtvnservices.com
gfrevenge.com
71i.de
contentabc.com
telemetryverification.net
nbcuni.com
2mdn.net
filesonic.com
pop6.com
daredorm.com
adrocketmedia.com
moviebox.com
amateurmatch.com



UPDATE

If I block s3.amazonaws.com I get the error message

If I don't - no error message.

127.0.0.1 s3.amazonaws.com

SOLVED

A Firefox extension is getting the (2) files.

I discovered the site was being contacted earlier by reviewing the log files, but didn't know why it was being contacted, so I blocked it; that's why the error message later.

~

_________________
New! Puppy Linux Links Page
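As an added example (not code from Bruce's post, and not anything shipped with Puppy or Firefox), here is a small Python script for the /etc/hosts side of what the post describes: take a fetched domain list like the one above, turn it into 127.0.0.1 sink entries, merge them into an existing hosts file without duplicating what is already there, and check whether a given name is sunk. The hosts file contents and the shortened domain list below are constructed for the example; the hostname validation is a loose RFC 1123 check, not the one Firefox or the extension uses.

```python
"""Turn a plain domain list into /etc/hosts sink entries and check what a hosts file blocks."""
import re

# Shortened copy of the list the extension fetched (domains as posted above),
# plus a comment line and a bogus entry to show what gets skipped.
FETCHED_LIST = """\
speed.pointroll.com
ad-g.doubleclick.net
pointroll.com
2mdn.net
# a comment line and a bogus entry, both skipped:
-not-a-host.example
"""

# Constructed hosts file (hypothetical contents, not taken from a real Puppy box).
EXISTING_HOSTS = """\
127.0.0.1 localhost puppypc
127.0.0.1 s3.amazonaws.com
"""

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Loose RFC 1123 check; single-label names (localhost) are not worth blocking."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_domains(text):
    """Unique, lowercased, valid domains from a one-per-line list; comments and junk dropped."""
    seen = []
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and valid_hostname(name) and name not in seen:
            seen.append(name)
    return seen


def blocked_names(hosts_text):
    """Dotted names a hosts file points at a sink address (the machine's own names are ignored)."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in SINK_ADDRESSES:
            blocked.update(n.lower() for n in fields[1:] if "." in n)
    return blocked


def merge_blocklist(hosts_text, domain_list, sink="127.0.0.1"):
    """Append a sink line for each new domain; existing text is left untouched, so re-running is a no-op."""
    already = blocked_names(hosts_text)
    new_lines = [f"{sink} {d}" for d in parse_domains(domain_list) if d not in already]
    if not new_lines:
        return hosts_text
    return hosts_text.rstrip("\n") + "\n" + "\n".join(new_lines) + "\n"


def is_blocked(name, hosts_text):
    """True if a lookup of `name` would be answered from the hosts file with a sink address."""
    return name.lower().rstrip(".") in blocked_names(hosts_text)


if __name__ == "__main__":
    print(merge_blocklist(EXISTING_HOSTS, FETCHED_LIST), end="")
```

To use it for real, read /etc/hosts into `hosts_text`, write the result to a temporary file and rename it over the original, keeping a backup. A hosts entry only stops the name from being resolved through DNS; a program that still tries to fetch from the sunk name will fail loudly, which is exactly the FAIL message Bruce saw once s3.amazonaws.com was pointed at 127.0.0.1.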
Makoto


Joined: 03 Sep 2009
Posts: 1725
Location: Out wandering... maybe.

PostPosted: Mon 20 Jun 2011, 15:19    Post subject:  

Create a new user (profile) in Firefox (you can delete the additional user later, if you want). Don't add any extensions. Do the problems persist?

Which version of Firefox are you using? I've heard that's what one or more of the new security/anti-phishing options in Firefox 3 and up does: connect to a remote (non-Mozilla) server to download a list of sites to act upon. You might try turning off the anti-phishing/secure browsing/secure site/whatever options (sorry, I'm not at one of my systems with FF3.6 or 4.01 installed, so I don't remember offhand what all of the options you might want to disable are) and see if the behavior continues.

_________________
[ Puppy 4.3.1 JP, Frugal install | 1GB RAM | 1.3GB swap ] * My Pidgin Builds for Puppy 4.3.1+
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
Bruce B


Joined: 18 May 2005
Posts: 11050
Location: The Peoples Republic of California

PostPosted: Mon 20 Jun 2011, 15:54    Post subject:  

Makoto,

I'll leave the troubleshooting notes up. At first something didn't appear right. Then after running it down, I found it was OK.

Using Hiawatha I made a duplicate directory and put the files in it. Now Hiawatha will serve the files and give an error code of 200, which means success.

The idea here is to pay attention.

For example, how many people pull the urls out of the proprietary flash plugin and block them?

How many people are told not to click on hyperlinks in the flash media?

How many people shut down suspicious pages and popups with Ctrl+F4 or Ctrl+W rather than click the mouse?

There is a lot the user can do to keep his browsing clean.

Bruce

~

_________________
New! Puppy Linux Links Page
Makoto


Joined: 03 Sep 2009
Posts: 1725
Location: Out wandering... maybe.

PostPosted: Mon 20 Jun 2011, 16:07    Post subject:  

Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill' the window, just to be safe. (IMHO, of course.)

_________________
[ Puppy 4.3.1 JP, Frugal install | 1GB RAM | 1.3GB swap ] * My Pidgin Builds for Puppy 4.3.1+
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
nooby

Joined: 29 Jun 2008
Posts: 10522
Location: SwedenEurope

PostPosted: Mon 20 Jun 2011, 22:12    Post subject:  

Bruce wrote

Quote:
For example, how many people pull the urls out of the proprietary flash plugin and block them?

How many people are told not to click on hyperlinks in the flash media?

How many people shut down suspicious pages and popup with Ctrl+F4 or Ctrl+W rather than click the mouse?

There is a lot the user can do to keep his browsing clean.


Makoto wrote
Quote:

Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill'


Despite the fact that I've been active here daily for at least two years now, I don't trust that I get what you two are talking about, so how can I protect myself if the advice is on a level of abstract geek talk that is incomprehensible to me?

No offense, but I sure want to do it right too, but what was it I was supposed to do then?

I remember one time I used kill and that destroyed that session, and I had to reboot to get it right again.

I get the impression that your two posts somewhat contradict each other? So how do I shut down that thing popping up?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Makoto


Joined: 03 Sep 2009
Posts: 1725
Location: Out wandering... maybe.

PostPosted: Tue 21 Jun 2011, 04:40    Post subject:  

I was mainly just saying that in my opinion, it's safer (no matter which OS I'm using) to kill a browser window with a suspicious page from the outside, rather than try to quit it using keypresses from "within" the browser window.

Originally, when the 'fake antivirus' popups began to appear, they frustrated a lot of people - until someone realized you could just click on the 'close' button at the top of the window, as you would any other program.
So, the malware writers corrected that oversight. Now, either the close button wouldn't work, or, just like clicking on the window, it would also install the malware. Often, they'd use JavaScript to spoof the Windows titlebar at the top for that.
But then, someone announced that you could just use Alt-F4 (etc.) to kill the window. The malware writers tried fixing that, too. Not every bit of malware out there does it, but you may encounter one that does trap whatever keys you try to use, and try to install its garbage, anyway.

Of course, some try to install merely when infected ad code is run, alone. So something could hit just by visiting a 'safe' page, too.

Can any of this run on, or affect, Linux? I don't know. However, as with the trojan programs that used to spread through email like crazy, it can pile up on your hard drives, even if you don't have to worry about it running or spreading. On one of my non-Windows systems, earlier this decade, I had to run a simple anti-virus setup just to automatically clean out my email attachments folder, so the stupid trojans wouldn't eat up my HD space in no time.

_________________
[ Puppy 4.3.1 JP, Frugal install | 1GB RAM | 1.3GB swap ] * My Pidgin Builds for Puppy 4.3.1+
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).
Bruce B


Joined: 18 May 2005
Posts: 11050
Location: The Peoples Republic of California

PostPosted: Tue 21 Jun 2011, 09:22    Post subject:  

Makoto wrote:
Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill' the window, just to be safe. :) (IMHO, of course.)


Yes, thank you. Do not interact with the Browser, window or popups. Kill it with another tool.

I like a soft kill so as not to corrupt files the browser wants to write back. Htop is included with most newer Puppies. With htop we can kill it with sig 15 for a soft kill.

~

_________________
New! Puppy Linux Links Page
Bruce B


Joined: 18 May 2005
Posts: 11050
Location: The Peoples Republic of California

PostPosted: Tue 21 Jun 2011, 09:32    Post subject:  

nooby wrote:
I get the impression that your two posts [Bruce B, Makoto] somewhat contradict each other? So how to I shut down that thing popping up?


There was an apparent contradiction. My suggestion eliminates mouse events or any interaction with the suspicious window or dialog. Makoto's suggestion eliminates any events.

Makoto's suggestion is the safer of the two as it covers all bases.

~

Keep in mind that a cancel button can do exactly the same as an install button. Don't click either.

~

_________________
New! Puppy Linux Links Page
nooby

Joined: 29 Jun 2008
Posts: 10522
Location: SwedenEurope

PostPosted: Tue 21 Jun 2011, 11:05    Post subject:  

I trust it is my ADHD. So much to read through.

sig15 is not something I shall do; that info belongs to a kind of background info on what happens when one goes

Menu > System > System status > Htop

or if one goes Menu > System > System status > Pprocess viewer.

Which am I supposed to use? I am not 100% sure, but I think I did the latter and that it did kill the process, but it also killed my being able to use the computer, so I had to reboot.

How one can use Htop to kill something, that I have no idea how to do.

Anyway, I'll try to reconstruct it to see if it happens again.
So I post this above and then read it and then kill this tab with htop first, and if that fails I do the Pprocess, and then I read your kind description after this post.

Edit

Haha, I am a true noob. I've looked and looked at that Htop so many times and not noticed the lowest text there.

It was super simple when one knew what to look for.

One highlights Firefox and then does F9 and then Enter.

And when one clicks on the browser again then I am right back here again, being able to edit without even having to log in.

So that is odd. It did not really kill it then? Only suspended it or something.

Thanks Bruce, you wrote that while I was composing this text.

I used the mouse. Would that make a difference?

Last edited by nooby on Tue 21 Jun 2011, 11:13; edited 1 time in total
Bruce B


Joined: 18 May 2005
Posts: 11050
Location: The Peoples Republic of California

PostPosted: Tue 21 Jun 2011, 11:11    Post subject:  

htop destructions

use arrow key to highlight application to kill
hit f9 key
then enter

~

_________________
New! Puppy Linux Links Page
nooby

Joined: 29 Jun 2008
Posts: 10522
Location: SwedenEurope

PostPosted: Tue 21 Jun 2011, 11:26    Post subject:  

But how does one know which to mark?

Now when I look again and do the arrow scrolling, I have some 16 FF and 2 Flashplayer or so instances of Firefox, despite me only having one tab and only htop running.

I try to attach a pic showing the htop.

[Attachment: htoppic.jpg, 210.69 KB. Description: Show htop and arrow in action?]

_________________
I use Google Search on Puppy Forum
not an ideal solution though
amigo

Joined: 02 Apr 2007
Posts: 2169

PostPosted: Tue 21 Jun 2011, 13:35    Post subject:  

"https://s3.amazonaws.com/fvd-suite/sites.txt"
The protocol (https) has nothing to do with the file type; in fact the '.txt' filename extension also has nothing to do with the file type. The 's' in https means secure. Sometimes you can use the same URL except for changing the protocol to simply 'http'.
gcmartin

Joined: 14 Oct 2005
Posts: 3631
Location: Earth

PostPosted: Tue 21 Jun 2011, 13:46    Post subject:  

Bruce B wrote:
When I start Firefox from the CLI I get this error frequently. The site blocked in hosts.

The point is why is Firefox trying to make a secure connection to a text file?
@Bruce B.
I'm sure you are aware that "you" did something in FF to get /etc/hosts populated. Puppy doesn't come that way. And FF installation doesn't (usually) touch that file. But an extension does.

Hope this gives some insight into the behavioral changes we users make (with over 99% not knowing why or their impacts).

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engine or use DogPile
gcmartin

Joined: 14 Oct 2005
Posts: 3631
Location: Earth

PostPosted: Tue 21 Jun 2011, 14:08    Post subject:  

nooby wrote:
... One highlight Firefox and then do F9 and then ...
This is acceptable when one is using a single FF session. But what happens when you have several tabs open in several windows which constitute the current work you're involved in? Then the "dreaded PopUp". In HTOP/TOP you have a problem, because you may have 5-9 FFs open ... which one is the PopUp? And if you kill all of them, you lose all your work. Further, if you only kill the one, if you're lucky enough to figure out which is the PopUp, then you stand the chance that the viral/trojan activity has threaded its way into your other running FF sessions. Lastly, if you stopped all of them and restarted, you may get the FF restart, which then will restart all/some of your prior internet connections, which may now contain effects of the viral activity.

Confused? It's what these things are designed for... thwarting the smart user as well.

I call attention, not to show what happens, but rather, viral/trojan activity is not called this in the Linux community.

But I too use the steps that Bruce and Makoto outline. But I have cause for concern over whether I can track the extent of what occurs.

I have always used Live media in Puppy (and other OSs/distros too). It just allows me to control the extent to which the booting media is protected from inadvertent use, by me or from an errant application/virus/trojan.

But I want us to consider how Puppy/Linux can be impacted versus the kind of hype that the security community throws at each of us. Understanding is very, very key here.

This thread was started and specifically asks "Not to discuss 'ROOT' user here." The reason is, if we understand the methods by which Linux can acquire bad activity, then we can go to the Root User Discussion Threads and participate with a much better base understanding of what is "real" versus what is "hype". (But please, no root user discussion here on this thread.)

Hope this helps.

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engine or use DogPile
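Bruce's "soft kill with sig 15" advice and gcmartin's worry about many Firefox processes showing up in htop, as one added Python example (not from either post, and not a Puppy or htop tool): map the browser's process tree from `ps -eo pid,ppid,comm` output so the parent process is identified among its children, send that parent SIGTERM first so it can write its session state, and fall back to SIGKILL only if it has not exited within a grace period. The ps listing below is constructed, not captured from a real box; `spawn_sleeper()` starts throwaway `sleep` processes to practise the escalation on, and the "ignore TERM" variant stands in for a process that will not die politely.

```python
"""Map a browser's process tree and shut it down gently: SIGTERM first, SIGKILL only if it lingers."""
import os
import signal
import subprocess
import time

# Constructed `ps -eo pid,ppid,comm` output (not captured from a real box): one Firefox parent,
# two Firefox children, a plugin-container with its own child, and htop alongside.
PS_SAMPLE = """\
  PID  PPID COMMAND
    1     0 init
 1201  1100 firefox
 1202  1201 firefox
 1203  1201 firefox
 1250  1201 plugin-container
 1251  1250 plugin-container
 1300  1100 htop
"""


def parse_ps(text):
    """Parse ps output into {pid: (ppid, comm)}; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 2)
        if len(fields) == 3:
            procs[int(fields[0])] = (int(fields[1]), fields[2].strip())
    return procs


def descendants(procs, root):
    """Every pid below `root`: children, their children, and so on."""
    found, stack = [], [root]
    while stack:
        parent = stack.pop()
        for pid, (ppid, _) in procs.items():
            if ppid == parent:
                found.append(pid)
                stack.append(pid)
    return found


def browser_roots(procs, name="firefox"):
    """Top-most browser processes: named `name` (or name-something, e.g. firefox-bin)
    but not spawned by another such process."""
    def is_browser(pid):
        comm = procs.get(pid, (0, ""))[1]
        return comm == name or comm.startswith(name + "-")
    return [pid for pid, (ppid, _) in procs.items() if is_browser(pid) and not is_browser(ppid)]


def shutdown_order(procs, name="firefox"):
    """Parent first (so it can save session state), then whatever it left behind."""
    order = []
    for root in browser_roots(procs, name):
        order.append(root)
        order.extend(descendants(procs, root))
    return order


def _alive(pid):
    """True while `pid` exists; reaps it first if it is an exited child of this process."""
    try:
        if os.waitpid(pid, os.WNOHANG)[0] == pid:
            return False
    except ChildProcessError:
        pass                        # not our child; fall back to the signal-0 probe
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                 # exists, but owned by someone else
    return True


def soft_kill(pid, grace=5.0, step=0.1):
    """SIGTERM (htop's default, signal 15), wait up to `grace` seconds, then SIGKILL.
    Returns 'gone' (already dead), 'term' (exited politely) or 'kill' (had to be forced)."""
    try:
        os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return "gone"
    deadline = time.monotonic() + grace
    while time.monotonic() < deadline:
        if not _alive(pid):
            return "term"
        time.sleep(step)
    try:
        os.kill(pid, signal.SIGKILL)
    except ProcessLookupError:
        return "term"
    for _ in range(int(1.0 / step)):  # give the kernel a moment, reaping if it was our child
        if not _alive(pid):
            break
        time.sleep(step)
    return "kill"


def spawn_sleeper(ignore_term=False, seconds=60):
    """Throwaway `sleep` to practise on. With ignore_term the shell ignores SIGTERM before
    exec'ing sleep (ignored dispositions survive exec), so only SIGKILL ends it. Returns the pid."""
    cmd = ["sh", "-c", f"trap '' TERM; exec sleep {seconds}"] if ignore_term else ["sleep", str(seconds)]
    pid = subprocess.Popen(cmd).pid
    time.sleep(0.5)                 # let sh install the trap before anyone signals it
    return pid


def shutdown_browser(name="firefox", grace=5.0):
    """Live version: read the real process table and work through shutdown_order()."""
    ps = subprocess.run(["ps", "-eo", "pid,ppid,comm"], capture_output=True, text=True, check=True)
    return {pid: soft_kill(pid, grace) for pid in shutdown_order(parse_ps(ps.stdout), name)}
```

The design point is the order: terminate the top Firefox process and let it tear down its own children and plugin-containers, then sweep up anything still listed. SIGTERM is what htop sends by default from F9, which is why Bruce calls it a soft kill; SIGKILL gives the browser no chance to flush its session files, so it is the fallback, not the first move.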