Is my box compromised?
in [Firewalls]
|
From: usrID on 7 Mar 2010 10:15 Hi all, should premise that I'm a great geek... I'm running a linux box with a sort of default firewall settings: in Firestarter I've enabled/disabled a couple of settings - nothing really important, as far as I can understand. It all started a couple of days ago while browsing Gigapedia. I left the pc and when I came back it was freezed. I had to switch it off. Since it was the first time i happened - never had a crash before - I smelled something wrong. Now, what makes me believe I've been really hacked? I have had a couple of popups in firefox that weren't unrelated to what I was browsing. One was a warning of an invalid certificate - US Defence, or similar - and the other a login screen for a web address I wasn't browsing. My guess is that someone is using my box as a proxy or a bot or something.. So, my question is: is it possible (or, has it any sense)?
From: Bit Twister on 7 Mar 2010 13:28 On Sun, 07 Mar 2010 17:52:07 +0100, userid wrote: > I'm running Mint 8, an Ubuntu derivate. I've tested the firewall on a > couple of security sites and it looked ok. Yes, sounds like front door secured and backdoor left unlocked. Black hats have moved from web side attacks to web client exploits and through downloaded media files (flash, pdf, gif, MP3, WMA, WMV, MP2,...) > Ubuntu - as far as I understand ;) - uses a mixed policy: you log in as > a normal user but, using the same password, you may become a sudoer. Yes, seen that policy. Instead of having to crack user and root passwords, cracker just needs to crack one password. :( > I normally browse with user account (apparently, by default, there's no > root account). Hmmm, try these three commands in a terminal. grep $USER/etc/passwd grep browser /etc/passwd grep root /etc/passwd > But, shouldn't you see these popups every time, then? Not necessarily. > They popped up just once, Yep, to further hinder Anti-virus vendors from getting their hands on a copy of malware, the infected site can keep a record of ip addresses and not attempt to serve malware to an already logged ip address. > I was thinking to the mechanics of someone using my box as a proxy. Think of a proxy as a software router which redirects traffic. Normally it is transparent to the user. > Does it make any sense that _my_ browser pops something up? Depends on the malware's design/goal in life. If it needs to click a window or enter data, then yes. > Or, should it be invisible? Well designed malware will keep it's activity hidden as much as possible. > Thank you very much for these suggestions, I would try them. I just > think though that a separate account to browse is far too complicate to > me, since I need it to work. It would be an endless switching Hehehe, maybe a 5 line change, max, to /etc/sudoers a little script that does a qdbus org.kde.kwin /KWin org.kde.KWin.setCurrentDesktop 3 > /dev/null xterm -e sudo /bin/su -l browser_login_id and a desktop shortcut which runs script. Click shortcut, desktop switches to desktop window 3 and launches log in into browser_login_id. Above qdbus command assumes your running KDE4.x as desktop manager. ~browser_login_here/.bash_profile has something like firefox $HOME/index.html /bin/rm -rf .mozilla .macromedia tar -xpvf $HOME/firefox.tar > /dev/null 2>&1 exit That assumes you have already tar'ed up .mozilla and .macromedia into /home/browser_login_id/firefox.tar Upside, poisoned cache, cookies, memory, dns cache are deleted upon exit. Downside to above is bookmarks are also deleted. Not a problem for me. I keep urls with keyword hints in an ascii file. I have a script to grep the file. example $ urls bash doc http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html ! basic shell bash doc http://gentoo-wiki.com/MAN_bash ! documentation http://cfaj.freeshell.org/shell ! bash script tips usage doc http://tldp.org/LDP/abs/html/index.html ! bash script advanced documentation http://mywiki.wooledge.org/BashFAQ/050 ! bash script variable expansion doc
From: usrID on 7 Mar 2010 15:14 Bit Twister wrote: > On Sun, 07 Mar 2010 17:52:07 +0100, userid wrote: > >> I'm running Mint 8, an Ubuntu derivate. I've tested the firewall on a >> couple of security sites and it looked ok. > > Yes, sounds like front door secured and backdoor left unlocked. > > Black hats have moved from web side attacks to web client exploits > and through downloaded media files (flash, pdf, gif, MP3, WMA, WMV, MP2,...) I've read of pdf exploits - in Gigapedia that makes sense - but I thought that with javascipt disabled (in Acrobat Reader) and being in linux I could be safe >> Ubuntu - as far as I understand ;) - uses a mixed policy: you log in as >> a normal user but, using the same password, you may become a sudoer. > > Yes, seen that policy. Instead of having to crack user and root passwords, > cracker just needs to crack one password. :( Yeah, ingenious isn't it? >> I normally browse with user account (apparently, by default, there's no >> root account). > > Hmmm, try these three commands in a terminal. > grep $USER/etc/passwd > grep browser /etc/passwd > grep root /etc/passwd First two haven't output anything, perhaps my fault The third: root:x:0:0:root:/root:/bin/bash Look, I can act as root in Nautilus, but I cannot log in as root >> But, shouldn't you see these popups every time, then? > > Not necessarily. > > >> They popped up just once, > > Yep, to further hinder Anti-virus vendors from getting their hands on > a copy of malware, the infected site can keep a record of ip addresses > and not attempt to serve malware to an already logged ip address. > >> I was thinking to the mechanics of someone using my box as a proxy. > > Think of a proxy as a software router which redirects traffic. > Normally it is transparent to the user. > >> Does it make any sense that _my_ browser pops something up? > > Depends on the malware's design/goal in life. If it needs to click a > window or enter data, then yes. > >> Or, should it be invisible? > > Well designed malware will keep it's activity hidden as much as possible. This leaves me in doubt though.. I've been browsing in a linux environment with a user account and, maybe, have opened a couple of pdf. Could all this put me in trouble? The two occurrences are any sign? >> Thank you very much for these suggestions, I would try them. I just >> think though that a separate account to browse is far too complicate to >> me, since I need it to work. It would be an endless switching > > Hehehe, maybe a 5 line change, max, to /etc/sudoers > a little script that does a > qdbus org.kde.kwin /KWin org.kde.KWin.setCurrentDesktop 3> /dev/null > xterm -e sudo /bin/su -l browser_login_id > > and a desktop shortcut which runs script. Click shortcut, desktop switches > to desktop window 3 and launches log in into browser_login_id. > Above qdbus command assumes your running KDE4.x as desktop manager. > > ~browser_login_here/.bash_profile has something like > firefox $HOME/index.html > /bin/rm -rf .mozilla .macromedia > tar -xpvf $HOME/firefox.tar> /dev/null 2>&1 > exit > > That assumes you have already tar'ed up .mozilla and .macromedia into > /home/browser_login_id/firefox.tar > > Upside, poisoned cache, cookies, memory, dns cache are deleted upon exit. > Downside to above is bookmarks are also deleted. > > Not a problem for me. I keep urls with keyword hints in an ascii file. > I have a script to grep the file. example > > $ urls bash doc > http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html ! basic shell bash doc > http://gentoo-wiki.com/MAN_bash ! documentation > http://cfaj.freeshell.org/shell ! bash script tips usage doc > http://tldp.org/LDP/abs/html/index.html ! bash script advanced documentation > http://mywiki.wooledge.org/BashFAQ/050 ! bash script variable expansion doc This really makes me feel a lot behind the curve.. :( Thanks again for all the suggestions. I'll look at every line trying to learn
From: Bit Twister on 7 Mar 2010 16:58 On Sun, 07 Mar 2010 21:14:00 +0100, usrID wrote: > Bit Twister wrote: >> Hmmm, try these three commands in a terminal. >> grep $USER/etc/passwd >> grep browser /etc/passwd >> grep root /etc/passwd > > First two haven't output anything, perhaps my fault No, it was my fault. I missed typing in a space on the first one, second one was to show no account and third was to show root. Here is the corrected first line. grep $USER /etc/passwd > The third: root:x:0:0:root:/root:/bin/bash Yep, there is the root account entry. > Look, I can act as root in Nautilus, but I cannot log in as root Yes, root's account was setup without a password which prevents you from doing a terminal log in. I was trying to get you to see that there is a root account. > This leaves me in doubt though.. > I've been browsing in a linux environment with a user account and, > maybe, have opened a couple of pdf. Could all this put me in trouble? I have not installed Mint. I have no idea if Mint installs Aobe's Acrobat pdf reader or if Mint runs the open source reader. If open source, I'd have to guess you are safe. To make you feel better, I have not seen any linux malware in pdf form recently. > The two occurrences are any sign? I would say no.
From: usrID on 8 Mar 2010 01:10 Bit Twister wrote: > On Sun, 07 Mar 2010 21:14:00 +0100, usrID wrote: >> Bit Twister wrote: >>> Hmmm, try these three commands in a terminal. >>> grep $USER/etc/passwd >>> grep browser /etc/passwd >>> grep root /etc/passwd >> >> First two haven't output anything, perhaps my fault > > No, it was my fault. I missed typing in a space on the first one, > second one was to show no account and third was to show root. > Here is the corrected first line. > > grep $USER /etc/passwd Ok.. daemon:x:1:1:daemon:/user/sbin:/bin/sh games:x:5:60:games:/user/games:/bin/sh user:x:1000:1000:user,,,:/home/user:/bin/bash >> This leaves me in doubt though.. >> I've been browsing in a linux environment with a user account and, >> maybe, have opened a couple of pdf. Could all this put me in trouble? > > I have not installed Mint. I have no idea if Mint installs Aobe's Acrobat pdf > reader or if Mint runs the open source reader. If open source, I'd > have to guess you are safe. To make you feel better, I have not seen > any linux malware in pdf form recently. It comes with evince, the open source reader, but I've installed Adobe Acrobat too for convenience :) It renders fonts better than evince. Good to know there has been no linux malware in pdfs! >> The two occurrences are any sign? > > I would say no. > Thank you Bit Twister, you've been very helpful. I'll pay careful attention to any further sign before flatten and rebuild (which I'd do very very reluctantly)
|
Next
|
Last
Pages: 1 2 Prev: Windows Sicherheit ohne PFW Next: Call for papers: ISP-10, USA, July 2010 |