Viruses in PUPPY Linux, YES, "Viruses in Linux"

Moose On The Loose
Posts: 965
Joined: Thu 24 Feb 2011, 14:54

#16 Post by Moose On The Loose »

nooby wrote: Moose OTL wrote that
    Since Linux systems are rarely rebooted,
That is only true to particular users. All of us that sleep in the same room as the computer power off each night and power on each morning. And many power off when doing something else like taking a walk to buy food, whatever.

Code:

    # uptime
     07:12:46 up 14 days, 17:23, load average: 0.26, 0.20, 0.17
    #
I tend to leave mine on. Part of the reason is that I share files off this machine that my wife wants to get to while I am at work. Part is that I just got in the habit (perhaps an admitted bad one) years back when booting took a long time.

In the heat of the summer, I am more likely to power it down so I don't force the air conditioner to work to cool it.

    I trust that the only reason that Puppy is a bit less often targeted is that they go for where the money is.
There is also the fact that people outright hate Windows. Hate can be a strong motivation.

    Apple machines are usually very expensive machines so the criminals reason that Apple owners are wealthy enough to be a good catch.
Apple machines are only "expensive" not "very expensive". At the time I bought this machine I paid as much for it as an Apple machine. I got a lot more disk and processor for the price.

    Puppy users using old machines they found in the dumpster - not so practical to get money from them? :)
Not this puppy user; to some people's point of view I am a rich person using an expensive machine. I don't drive an expensive car but I do drive one that works very well for the purpose. The desk it is sitting on is very solidly made from wood. My house has earthquake bracing and storm shutters. I use Puppy not because it costs less but rather because, very simply, it is better.

    If you run from CD or DVD that seems safer than using frugal on NTFS, does it not?
There are no NTFS partitions on this machine. There is one on my wife's. What can I say, I love her dearly, but NTFS, what's up with that!

    So I am happy you started this thread.
I will gladly take the credit, thank you, thank you... no wait, I didn't start it.

    The only thing I worry about now is that those that really got a virus don't bother to report on it in the forum.
If there are any, please speak up. Think of the black box on an aircraft. They all have them even though it doesn't save the life of those on the ones that gather the really important information.

Bruce B

#17 Post by Bruce B »

When I start Firefox from the CLI I get this error frequently. The site is blocked in hosts.

The point is why is Firefox trying to make a secure connection to a text file?

Let alone any connection at all on startup.

FAIL download from https://s3.amazonaws.com/fvd-suite/ad_signs.txt
FAIL DOWNLOAD FROM https://s3.amazonaws.com/fvd-suite/sites.txt


I'll keep this updated as I learn more.

UPDATE

This is the content of one file it is trying to get over the secure connection:

speed.pointroll.com
ad-g.doubleclick.net
naked.com
exoclick.com
pointroll.com
edgesuite.net
mtvnservices.com
gfrevenge.com
71i.de
contentabc.com
telemetryverification.net
nbcuni.com
2mdn.net
filesonic.com
pop6.com
daredorm.com
adrocketmedia.com
moviebox.com
amateurmatch.com



UPDATE

If I block s3.amazonaws.com I get the error message

If I don't - no error message.

127.0.0.1 s3.amazonaws.com

SOLVED

A Firefox extension is getting the (2) files.

I discovered the site was being contacted earlier by reviewing the log files, but didn't know why it was being contacted, so I blocked it, that's why the error message later.

~

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#18 Post by Makoto »

Create a new user (profile) in Firefox (you can delete the additional user later, if you want). Don't add any extensions. Do the problems persist?

Which version of Firefox are you using? I've heard that's what one or more of the new security/anti-phishing options in Firefox 3 and up does - connect to a remote (non-Mozilla) server to download a list of sites to act upon. You might try turning off the anti-phishing/secure browsing/secure site/whatever options (sorry, I'm not at one of my systems with FF3.6 or 4.01 installed, so I don't remember offhand what all of the options you might want to disable are :oops: ) and see if the behavior continues.
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

Bruce B

#19 Post by Bruce B »

Makoto,

I'll leave the troubleshooting notes up. At first something didn't appear right. Then after running it down, I found it was OK.

Using Hiawatha I made a duplicate directory and put the files in it. Now Hiawatha will serve the files and give an error code of 200, which means success.

The idea here is pay attention.

For example, how many people pull the URLs out of the proprietary flash plugin and block them?

How many people are told not to click on hyperlinks in the flash media?

How many people shut down suspicious pages and popup with Ctrl+F4 or Ctrl+W rather than click the mouse?

There is a lot the user can do to keep his browsing clean.

Bruce

~

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#20 Post by Makoto »

Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill' the window, just to be safe. :) (IMHO, of course.)

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#21 Post by nooby »

Bruce wrote:
    For example, how many people pull the URLs out of the proprietary flash plugin and block them?

    How many people are told not to click on hyperlinks in the flash media?

    How many people shut down suspicious pages and popups with Ctrl+F4 or Ctrl+W rather than click the mouse?

    There is a lot the user can do to keep his browsing clean.
Makoto wrote:
    Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
    Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill'
Despite the fact that I've been active here now daily since at least two years back, I don't trust that I get what you two talk about, so how can I protect myself if the advice is on a level of abstract geek talk that is non-comprehensible to me?

No offense, but I sure want to do it right too, but what was it I was supposed to do then?

I remember one time I used kill that destroyed that session and had to reboot to get it right again.

I get the impression that your two posts somewhat contradict each other? So how do I shut down that thing popping up?
I use Google Search on Puppy Forum
not an ideal solution though

Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#22 Post by Makoto »

I was mainly just saying that in my opinion, it's safer (no matter which OS I'm using) to kill a browser window with a suspicious page from the outside, rather than try to quit it using keypresses from "within" the browser window.

Originally, when the 'fake antivirus' popups began to appear, they frustrated a lot of people - until someone realized you could just click on the 'close' button at the top of the window, as you would any other program.
So, the malware writers corrected that oversight. Now, either the close button wouldn't work, or, just like clicking on the window, it would also install the malware. Often, they'd use javascript to spoof the Windows titlebar at the top for that.
But then, someone announced that you could just use Alt-F4 (etc.) to kill the window. The malware writers tried fixing that, too. Not every bit of malware out there does it, but you may encounter one that does trap whatever keys you try to use, and try to install its garbage, anyway.

Of course, some try to install merely when infected ad code is run, alone. So something could hit just by visiting a 'safe' page, too.

Can any of this run on, or affect Linux? I don't know. However, as with the trojan programs that used to spread through email like crazy, it can pile up on your hard drives, even if you don't have to worry about it running or spreading. On one of my non-Windows systems, earlier this decade, I had to run a simple anti-virus setup just to automatically clean out my email attachments folder, so the stupid trojans wouldn't eat up my HD space in no time. :roll:

Bruce B

#23 Post by Bruce B »

Makoto wrote:
    Some of those 'fake antivirus' popups/windows that installed malware on Windows were also designed to trap close attempts (the X button, Alt-F4, etc.) and install the malware anyway. The malware may not have as much of an impact for a Linux system, but it's still a good idea to know that they can, in fact, trap keystrokes like that, if they really want.
    Under Puppy, if I get a suspicious window, it's easier just to choose to 'kill' the window, just to be safe. :) (IMHO, of course.)
Yes, thank you. Do not interact with the browser, window or popups. Kill it with another tool.

I like a soft kill so as not to corrupt files the browser wants to write back. Htop is included with most newer Puppys. With htop we can kill it with a sig 15 for a soft kill.

~

Bruce B

#24 Post by Bruce B »

nooby wrote: I get the impression that your two posts [Bruce B, Makoto] somewhat contradict each other? So how do I shut down that thing popping up?
There was an apparent contradiction. My suggestion eliminates mouse events or any interaction with the suspicious window or dialog. Makoto's suggestion eliminates any events.

Makoto's suggestion is the safest of the two as it covers all bases.

~

Keep in mind that a cancel button can do exactly the same as an install button. Don't click either.

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#25 Post by nooby »

I trust it is my ADHD. So much to read through.

sig15 is not something I shall do; that info belongs to a kind of background info on what happens when one goes

Menu > System > System status > Htop

or if one goes Menu > System > System status > Pprocess viewer.

Which am I supposed to use? I am not 100% sure but I think I did the latter and that it did kill the process but also killed me being able to use the computer so I had to reboot.

How one can use Htop to kill something, I have no idea how to do.

Anyway I try to reconstruct to see if it happens again.
So I post this above and then read it and then kill this tab with htop first and if that fails I do the Pprocess and then I read your kind description after this post.

Edit

Haha, I am a true Noob. I've looked and looked on that Htop so many times and not noticed the lowest text there.

It was super simple when one knew what to look for.

One highlights Firefox and then does F9 and then Enter.

And when one clicks on the browser again then I am right back here again being able to edit without having to log in even.

So that is odd. It did not really kill it then? Only suspended or something.

Thanks Bruce, you wrote that while I was composing this text. :)

I used the mouse. Would that make a difference?
Last edited by nooby on Tue 21 Jun 2011, 15:13, edited 1 time in total.

Bruce B

#26 Post by Bruce B »

htop destructions

use arrow key to highlight application to kill
hit F9 key
then Enter

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#27 Post by nooby »

But how does one know which to mark?

Now when I look again and do the arrow scrolling then I have some 16 FF and 2 Flashplayer or so instances of Firefox despite me only having one tab and only htop running.

I try to attach a pic showing the htop.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#28 Post by amigo »

"https://s3.amazonaws.com/fvd-suite/sites.txt"
The protocol (https) has nothing to do with the file type - in fact the '.txt' filename extension also has nothing to do with the file type. The 's' in https means secure. Sometimes you can use the same URL except for changing the protocol to simply 'http'.

gcmartin

#29 Post by gcmartin »

Bruce B wrote:
    When I start Firefox from the CLI I get this error frequently. The site is blocked in hosts.

    The point is why is Firefox trying to make a secure connection to a text file?
@Bruce B.
I'm sure you are aware that "you" did something in FF to get /etc/hosts populated. Puppy doesn't come that way. And FF installation doesn't (usually) touch that file. But an extension does.

Hope this gives some insights into behavioral changes we users make (with over 99% not knowing why or their impacts).

gcmartin

#30 Post by gcmartin »

nooby wrote: ... One highlights Firefox and then does F9 and then ...
This is acceptable when one is using a single FF session. But, what happens when you have several tabs open in several windows which constitute the current work that you're involved in? Then the "dreaded PopUp". In HTOP/TOP, you have a problem because you may have 5-9 FFs open ... which one is the PopUp? And, if you kill all of them, you lose all your work. Further, if you only kill the one, if you're lucky enough to figure out which is the PopUp, then you stand the chance that the viral/trojan activity has threaded its way into your other running FF sessions. Lastly, if you stopped all of them and restarted, you may get the FF restart, which then will restart all/some of your prior internet connections which may now contain effects of the viral activity.

Confused? It's what these things are designed for... thwarting the smart user as well.

I call attention, not to show what happens, but rather, that viral/trojan activity is not called this in the Linux community.

But, I too, use the steps that Bruce and Makoto outline. But, I have cause for concern over whether I can track the extent of what occurs.

I have always used Live media in Puppy (and other OSs/distros too). It just allows me to control the extent to which the booting media is protected from inadvertent use, by me or from an errant application/virus/trojan.

But, I want us to consider how Puppy/Linux can be impacted versus the kind of hype that the security community throws at each of us. Understanding is very very key here.

This thread was started and specifically asks "Not to discuss 'ROOT' user here." The reason is, if we understand the methods by which Linux can acquire bad activity, then we can go to the Root User Discussion Threads and participate with a much better base understanding of what is "real" versus what is "hype". (But, please no root user discussion here on this thread.)

Hope this helps.
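As an added example (not code from this thread, from Puppy, or from htop), the POSIX shell script below does from a terminal what Bruce B describes doing in htop in #23 and #26, and addresses gcmartin's question above of which of several browser processes to pick: list_procs prints every process with a given command name together with its parent PID and state, so the main process (the one whose parent is not itself in the list) can be told apart from its helper children; soft_kill then sends signal 15 (SIGTERM) to a chosen PID so the program can flush its files, waits for it to exit, and only escalates to signal 9 (SIGKILL) if the polite request is ignored. It assumes a Linux /proc filesystem (Puppy has one); the function names and the use of a throwaway sleep process as a stand-in for a browser in the demo are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example: find processes by name and terminate one gracefully.
# Not from the forum thread or any Puppy tool; assumes Linux /proc.
# Function names (proc_state, proc_alive, list_procs, count_procs,
# soft_kill) and the use of "sleep" as a stand-in browser process are
# this example's own choices.

# proc_state PID: print the one-letter scheduler state (R, S, Z, ...) from
# /proc/PID/stat, or fail if the process is gone. Everything up to the last
# ')' is stripped first so a command name containing spaces or parentheses
# cannot shift the fields.
proc_state() {
    [ -r "/proc/$1/stat" ] || return 1
    sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1
}

# proc_alive PID: succeed only if the process exists and is not a zombie.
# (kill -0 alone is not enough: a zombie still answers it.)
proc_alive() {
    st=$(proc_state "$1") || return 1
    [ -n "$st" ] && [ "$st" != "Z" ]
}

# list_procs NAME: print "PID PPID STATE CMDLINE" for each process whose
# command name (/proc/PID/comm) equals NAME. With a browser that spawns
# helper processes, the one whose PPID is not itself in the list is the
# main process; the others are its children.
list_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] || continue
        ppid=$(sed 's/^.*) //' "$d/stat" 2>/dev/null | cut -d' ' -f2)
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        printf '%s %s %s %s\n' "$pid" "$ppid" "$(proc_state "$pid")" "$cmd"
    done
}

# count_procs NAME: number of live (non-zombie) processes named NAME.
count_procs() {
    n=0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] || continue
        if proc_alive "$pid"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# soft_kill PID [GRACE]: send signal 15 (SIGTERM) so the program can flush
# its files, wait up to GRACE seconds (default 10) for it to exit, and only
# then send signal 9 (SIGKILL), which cannot be caught or ignored.
# Returns 0 if SIGTERM was enough, 1 if SIGKILL was needed, 2 if PID was
# not alive to begin with.
soft_kill() {
    pid=$1
    grace=${2:-10}
    proc_alive "$pid" || return 2
    kill -s TERM "$pid" 2>/dev/null || return 2
    i=0
    while [ "$i" -lt "$grace" ]; do
        proc_alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done
    kill -s KILL "$pid" 2>/dev/null
    return 1
}

# demo: run "sh thisfile.sh demo" to watch it on a throwaway sleep process.
demo() {
    sleep 300 &
    victim=$!
    echo "processes named sleep (PID PPID STATE CMDLINE):"
    list_procs sleep
    if soft_kill "$victim" 5; then
        echo "PID $victim exited on SIGTERM"
    else
        echo "PID $victim needed SIGKILL or was already gone"
    fi
    wait "$victim" 2>/dev/null || true
}

if [ "${1:-}" = demo ]; then demo; fi
```

Used on a real browser you would run list_procs firefox (or whatever /proc/PID/comm shows), read off the PID whose parent is not another browser process, and hand that PID to soft_kill; the grace period matters because the browser uses those seconds to write its session and profile files, which is exactly the corruption Bruce B is avoiding with a signal 15 rather than a signal 9.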

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#31 Post by Sylvander »

I'd be inclined to:
Ctrl+Alt+backspace
To drop to a command prompt...
Then:
xwin
To come back into the desktop...
Then:
Restart Firefox...
And choose which of the windows/tabs to restart...
By un-ticking the window/tab with the problem.

Any reason this wouldn't work?

Bruce B

#32 Post by Bruce B »

Vulnerabilities don't exist anywhere and everywhere.

A vulnerability can only exist if it actually exists. Even at that, it has to be successfully exploited to be of consequence.

We still don't have to my knowledge a verified report on any Puppy users having been exploited.

~

Bruce B

#33 Post by Bruce B »

Sylvander wrote:
    I'd be inclined to:
    Ctrl+Alt+backspace
    To drop to a command prompt...
    Then:
    xwin
    To come back into the desktop...
    Then:
    Restart Firefox...
    And choose which of the windows/tabs to restart...
    By un-ticking the window/tab with the problem.

    Any reason this wouldn't work?
It would kill the browser and all X apps.

My question is how does it kill them? If it doesn't kill them nicely, file corruption can occur with applications like Firefox.

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#34 Post by nooby »

Sylvander wrote:
    I'd be inclined to:
    Ctrl+Alt+backspace
    To drop to a command prompt...
    Then:
    xwin
    To come back into the desktop...
    Then:
    Restart Firefox...
    And choose which of the windows/tabs to restart...
    By un-ticking the window/tab with the problem.

    Any reason this wouldn't work?
I have not tested more than one or two or three times but my poor memory tells me that FF remembers all the tabs like you also indicate, and how do I remember which of them I was supposed to kill?

Okay, one can do a workaround. To never have more than one tab open, then one always knows what to kill.

Fortunately it happens rather seldom that one has to kill a FF session.

But sometimes it locks up forever waiting for an ad that never loads and the FF is hanging and doesn't allow any other operation either; it even refuses to get shut down using Ctrl+W.

I had not heard of the Ctrl+F4; is that a FF thing or an OS or JWM thing?

I found this using google

For those of us Firefox users who love the tabs, Ctrl-F4 is an indispensable tool for ... It turns out, the solution is obvious to any average linux user, ...
forum.eeeuser.com/viewtopic.php?id=7256

Hope I remember this one next time something happens.

Does one still get the virus downloaded?

Sky Aisling
Posts: 1368
Joined: Sat 27 Jun 2009, 23:02
Location: Port Townsend, WA. USA

#35 Post by Sky Aisling »

Thank you GCMartin for posting this thread. Thank you Nooby for keeping the 'newbie' voice alive in the discussion. Thanks to all for the thoughtful contributions.
