From: usrID on
Hi all,

I should premise that I'm a great geek...
I'm running a linux box with a sort of default firewall settings: in
Firestarter I've enabled/disabled a couple of settings - nothing really
important, as far as I can understand.

It all started a couple of days ago while browsing Gigapedia. I left the
pc and when I came back it was frozen. I had to switch it off. Since it
was the first time it happened - never had a crash before - I smelled
something wrong.

Now, what makes me believe I've been really hacked? I have had a couple
of popups in firefox that weren't unrelated to what I was browsing.

One was a warning of an invalid certificate - US Defence, or similar -
and the other a login screen for a web address I wasn't browsing.

My guess is that someone is using my box as a proxy or a bot or something..

So, my question is: is it possible (or, has it any sense)?

From: Bit Twister on
On Sun, 07 Mar 2010 17:52:07 +0100, userid wrote:

> I'm running Mint 8, an Ubuntu derivate. I've tested the firewall on a
> couple of security sites and it looked ok.

Yes, sounds like front door secured and backdoor left unlocked.

Black hats have moved from web side attacks to web client exploits
and through downloaded media files (flash, pdf, gif, MP3, WMA, WMV, MP2,...)


> Ubuntu - as far as I understand ;) - uses a mixed policy: you log in as
> a normal user but, using the same password, you may become a sudoer.

Yes, seen that policy. Instead of having to crack user and root passwords,
cracker just needs to crack one password. :(


> I normally browse with user account (apparently, by default, there's no
> root account).

Hmmm, try these three commands in a terminal.
grep $USER/etc/passwd
grep browser /etc/passwd
grep root /etc/passwd


> But, shouldn't you see these popups every time, then?

Not necessarily.


> They popped up just once,

Yep, to further hinder Anti-virus vendors from getting their hands on
a copy of malware, the infected site can keep a record of ip addresses
and not attempt to serve malware to an already logged ip address.

> I was thinking to the mechanics of someone using my box as a proxy.

Think of a proxy as a software router which redirects traffic.
Normally it is transparent to the user.

> Does it make any sense that _my_ browser pops something up?

Depends on the malware's design/goal in life. If it needs to click a
window or enter data, then yes.

> Or, should it be invisible?

Well designed malware will keep its activity hidden as much as possible.

> Thank you very much for these suggestions, I would try them. I just
> think though that a separate account to browse is far too complicate to
> me, since I need it to work. It would be an endless switching

Hehehe, maybe a 5 line change, max, to /etc/sudoers
a little script that does a
qdbus org.kde.kwin /KWin org.kde.KWin.setCurrentDesktop 3 > /dev/null
xterm -e sudo /bin/su -l browser_login_id

and a desktop shortcut which runs script. Click shortcut, desktop switches
to desktop window 3 and launches log in into browser_login_id.
Above qdbus command assumes you're running KDE4.x as desktop manager.

~browser_login_here/.bash_profile has something like
firefox $HOME/index.html
/bin/rm -rf .mozilla .macromedia
tar -xpvf $HOME/firefox.tar > /dev/null 2>&1
exit

That assumes you have already tar'ed up .mozilla and .macromedia into
/home/browser_login_id/firefox.tar

Upside, poisoned cache, cookies, memory, dns cache are deleted upon exit.
Downside to above is bookmarks are also deleted.

Not a problem for me. I keep urls with keyword hints in an ascii file.
I have a script to grep the file. example

$ urls bash doc
http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html ! basic shell bash doc
http://gentoo-wiki.com/MAN_bash ! documentation
http://cfaj.freeshell.org/shell ! bash script tips usage doc
http://tldp.org/LDP/abs/html/index.html ! bash script advanced documentation
http://mywiki.wooledge.org/BashFAQ/050 ! bash script variable expansion doc
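
The throwaway browser account described above, written out as an added example; this is not Bit Twister's own script, and the names are assumptions: the desktop user is "user", the dedicated account is "browser", the pristine profile lives in $HOME/firefox.tar, and the desktop-switching qdbus line is left out so the sketch does not depend on KDE. The sudoers rule and launcher are only printed (install the rule with visudo, never by appending to the file), while the reset step runs for real against a scratch directory with a constructed "poisoned" cookie file so you can see the restore work.

```shell
#!/bin/sh
# Added example of the "separate account just for browsing" setup from the
# post. Assumed names: desktop user "user", browser account "browser",
# pristine profile archive "$HOME/firefox.tar".

# 1. The sudoers change: one rule lets the desktop user switch to the
#    browser account without retyping the (shared) sudo password.
#    Put it in place with `visudo`, which syntax-checks before saving.
sudoers_rule() {
    printf '%s\n' "user ALL=(root) NOPASSWD: /bin/su -l browser"
}

# 2. The launcher the desktop shortcut points at.
launcher() {
    cat <<'EOF'
#!/bin/sh
xterm -e sudo /bin/su -l browser
EOF
}

# 3. Taking the snapshot once, while the profile is known clean.
#    $1 is the browser account's home directory.
snapshot_profile() {
    home="$1"
    tar -cf "$home/firefox.tar" -C "$home" .mozilla .macromedia
}

# 4. What the browser account's ~/.bash_profile does after firefox exits:
#    throw away everything the session wrote (cache, cookies, downloaded
#    plugins) and unpack the clean copy again. In the real profile this
#    follows the `firefox $HOME/index.html` line and is followed by `exit`.
reset_profile() {
    home="$1"
    rm -rf "$home/.mozilla" "$home/.macromedia"
    tar -xpf "$home/firefox.tar" -C "$home"
}

# Demo on a scratch directory: build a clean profile, snapshot it, drop a
# constructed cookie file into it, reset, and verify the cookie is gone
# while the original prefs survived. Returns 0 on success, 1 on failure.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/.mozilla/firefox" "$tmp/.macromedia"
    echo "clean" > "$tmp/.mozilla/firefox/prefs.js"
    snapshot_profile "$tmp"
    echo "tracking-cookie" > "$tmp/.mozilla/firefox/cookies.sqlite"  # constructed
    reset_profile "$tmp"
    status=0
    [ -e "$tmp/.mozilla/firefox/cookies.sqlite" ] && status=1
    grep -q clean "$tmp/.mozilla/firefox/prefs.js" || status=1
    rm -rf "$tmp"
    return $status
}
```

Two things worth knowing before relying on this: the reset only protects the files under the browser account's home, so anything firefox saved elsewhere (a download into /tmp, for instance) is untouched, and a second account on the same X11 display is still a client of that display, so this isolates the filesystem and the sudo password, not the keyboard.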
From: usrID on
Bit Twister wrote:
> On Sun, 07 Mar 2010 17:52:07 +0100, userid wrote:
>
>> I'm running Mint 8, an Ubuntu derivate. I've tested the firewall on a
>> couple of security sites and it looked ok.
>
> Yes, sounds like front door secured and backdoor left unlocked.
>
> Black hats have moved from web side attacks to web client exploits
> and through downloaded media files (flash, pdf, gif, MP3, WMA, WMV, MP2,...)

I've read of pdf exploits - in Gigapedia that makes sense - but I
thought that with javascript disabled (in Acrobat Reader) and being in
linux I could be safe.

>> Ubuntu - as far as I understand ;) - uses a mixed policy: you log in as
>> a normal user but, using the same password, you may become a sudoer.
>
> Yes, seen that policy. Instead of having to crack user and root passwords,
> cracker just needs to crack one password. :(

Yeah, ingenious isn't it?

>> I normally browse with user account (apparently, by default, there's no
>> root account).
>
> Hmmm, try these three commands in a terminal.
> grep $USER/etc/passwd
> grep browser /etc/passwd
> grep root /etc/passwd

First two haven't output anything, perhaps my fault
The third: root:x:0:0:root:/root:/bin/bash
Look, I can act as root in Nautilus, but I cannot log in as root

>> But, shouldn't you see these popups every time, then?
>
> Not necessarily.
>
>
>> They popped up just once,
>
> Yep, to further hinder Anti-virus vendors from getting their hands on
> a copy of malware, the infected site can keep a record of ip addresses
> and not attempt to serve malware to an already logged ip address.
>
>> I was thinking to the mechanics of someone using my box as a proxy.
>
> Think of a proxy as a software router which redirects traffic.
> Normally it is transparent to the user.
>
>> Does it make any sense that _my_ browser pops something up?
>
> Depends on the malware's design/goal in life. If it needs to click a
> window or enter data, then yes.
>
>> Or, should it be invisible?
>
> Well designed malware will keep its activity hidden as much as possible.

This leaves me in doubt though..
I've been browsing in a linux environment with a user account and,
maybe, have opened a couple of pdf. Could all this put me in trouble?
The two occurrences are any sign?

>> Thank you very much for these suggestions, I would try them. I just
>> think though that a separate account to browse is far too complicate to
>> me, since I need it to work. It would be an endless switching
>
> Hehehe, maybe a 5 line change, max, to /etc/sudoers
> a little script that does a
> qdbus org.kde.kwin /KWin org.kde.KWin.setCurrentDesktop 3 > /dev/null
> xterm -e sudo /bin/su -l browser_login_id
>
> and a desktop shortcut which runs script. Click shortcut, desktop switches
> to desktop window 3 and launches log in into browser_login_id.
> Above qdbus command assumes you're running KDE4.x as desktop manager.
>
> ~browser_login_here/.bash_profile has something like
> firefox $HOME/index.html
> /bin/rm -rf .mozilla .macromedia
> tar -xpvf $HOME/firefox.tar > /dev/null 2>&1
> exit
>
> That assumes you have already tar'ed up .mozilla and .macromedia into
> /home/browser_login_id/firefox.tar
>
> Upside, poisoned cache, cookies, memory, dns cache are deleted upon exit.
> Downside to above is bookmarks are also deleted.
>
> Not a problem for me. I keep urls with keyword hints in an ascii file.
> I have a script to grep the file. example
>
> $ urls bash doc
> http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html ! basic shell bash doc
> http://gentoo-wiki.com/MAN_bash ! documentation
> http://cfaj.freeshell.org/shell ! bash script tips usage doc
> http://tldp.org/LDP/abs/html/index.html ! bash script advanced documentation
> http://mywiki.wooledge.org/BashFAQ/050 ! bash script variable expansion doc

This really makes me feel a lot behind the curve.. :(
Thanks again for all the suggestions. I'll look at every line trying to
learn
From: Bit Twister on
On Sun, 07 Mar 2010 21:14:00 +0100, usrID wrote:
> Bit Twister wrote:
>> Hmmm, try these three commands in a terminal.
>> grep $USER/etc/passwd
>> grep browser /etc/passwd
>> grep root /etc/passwd
>
> First two haven't output anything, perhaps my fault

No, it was my fault. I missed typing in a space on the first one,
second one was to show no account and third was to show root.
Here is the corrected first line.

grep $USER /etc/passwd

> The third: root:x:0:0:root:/root:/bin/bash

Yep, there is the root account entry.

> Look, I can act as root in Nautilus, but I cannot log in as root

Yes, root's account was setup without a password which prevents you
from doing a terminal log in.
I was trying to get you to see that there is a root account.


> This leaves me in doubt though..
> I've been browsing in a linux environment with a user account and,
> maybe, have opened a couple of pdf. Could all this put me in trouble?

I have not installed Mint. I have no idea if Mint installs Adobe's Acrobat pdf
reader or if Mint runs the open source reader. If open source, I'd
have to guess you are safe. To make you feel better, I have not seen
any linux malware in pdf form recently.

> The two occurrences are any sign?

I would say no.
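
The point made above about the root account (it exists, it simply has no usable password) is easiest to see by reading the password field of /etc/shadow rather than /etc/passwd, where every account shows "x". The following is an added example, not something from the thread, and it works on constructed passwd and shadow lines so it runs without root; the check_system function at the end does the same against the real files and needs root to read /etc/shadow. It also goes one step further than the thread and lists every account with uid 0, since a second uid-0 entry is one of the first things to look for on a box you suspect has been tampered with.

```shell
#!/bin/sh
# Added example: classify an account's password state from its shadow entry
# and list uid-0 accounts from passwd. Sample data below is constructed.

# shadow_state NAME  (shadow file on stdin)
# Field 2 of /etc/shadow is the hash. Empty means no password at all,
# "*" or a leading "!" means the password is locked (Ubuntu's default for
# root), anything else is a real hash.
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u {
            if ($2 == "")                    print "passwordless"
            else if ($2 == "*" || $2 ~ /^!/) print "locked"
            else                             print "has-password"
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# uid0_accounts  (passwd file on stdin)
# Any account whose uid (field 3) is 0 is root, whatever it is called.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Constructed sample lines. "toor" is a planted extra uid-0 account of the
# kind an intruder might add; "guest" has an empty password field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:backup shell:/root:/bin/bash
user:x:1000:1000:user,,,:/home/user:/bin/bash'

SAMPLE_SHADOW='root:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
user:$6$saltsalt$abc123:18000:0:99999:7:::
guest::18000:0:99999:7:::'

# Run the same checks against the live system (reading /etc/shadow needs root).
check_system() {
    printf 'root password: %s\n' "$(shadow_state root < /etc/shadow)"
    printf 'uid-0 accounts:\n'
    uid0_accounts < /etc/passwd
}
```

On a default Ubuntu or Mint install the live check should report the root password as locked and exactly one uid-0 account; `sudo -i` still works because sudo authenticates with the invoking user's password, which is the single-password policy the thread is unhappy about.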

From: usrID on
Bit Twister wrote:
> On Sun, 07 Mar 2010 21:14:00 +0100, usrID wrote:
>> Bit Twister wrote:
>>> Hmmm, try these three commands in a terminal.
>>> grep $USER/etc/passwd
>>> grep browser /etc/passwd
>>> grep root /etc/passwd
>>
>> First two haven't output anything, perhaps my fault
>
> No, it was my fault. I missed typing in a space on the first one,
> second one was to show no account and third was to show root.
> Here is the corrected first line.
>
> grep $USER /etc/passwd

Ok..
daemon:x:1:1:daemon:/user/sbin:/bin/sh
games:x:5:60:games:/user/games:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash

>> This leaves me in doubt though..
>> I've been browsing in a linux environment with a user account and,
>> maybe, have opened a couple of pdf. Could all this put me in trouble?
>
> I have not installed Mint. I have no idea if Mint installs Adobe's Acrobat pdf
> reader or if Mint runs the open source reader. If open source, I'd
> have to guess you are safe. To make you feel better, I have not seen
> any linux malware in pdf form recently.

It comes with evince, the open source reader, but I've installed Adobe
Acrobat too for convenience :) It renders fonts better than evince.
Good to know there has been no linux malware in pdfs!

>> The two occurrences are any sign?
>
> I would say no.
>

Thank you Bit Twister, you've been very helpful. I'll pay careful
attention to any further sign before flattening and rebuilding (which I'd do
very very reluctantly)