Virus warning from www.puppylinux.com/manuals.htm
- Posts: 12
- Joined: Sun 26 Aug 2007, 19:19
I am one of the people that took it deep in the anus on this thing. Unfortunately a lot of my dev software only works on Windows and it's not too often that I get the alerts for virii or use IE. Thankfully I do keep archives and many backups off-machine.
I was running clamAV when this happened and it was a rather quick infection. Incidentally, F-Prot was the only tool that caught it, after the fact.
I had some 35 password/key loggers and trojans installed in less than 30 minutes' time. I ended up fdisking ftw. It cost me a day's worth of time to remedy/rebuild, and I am dumber for having trusted Puppy websites to be secure.
BTW WordPress is a popular target for hackers. It's riddled with security holes and cross-site scripting vulnerabilities.
If you want secure, powerful, flexible and simple you should definitely check into Drupal.
@Jeff: You are completely correct. It only takes a little bit of patience to sneak something into Puppy legitimately (even as a simple package) that can cause a serious problem. It's very easy to misbehave when you are not denied root access to any part of the OS.
IFRAME EXPLOIT PERSISTS
Either it was missed in the sweep or it's back.
http://puppylinux.com/links.htm
I checked all pages in the main page's menu bar, but that's the extent of my searching. To go any deeper is the job of the owner, not the visitor.
Barry: please leave Dingo be and clean the dog run.
[size=84][i]hangout:[/i] ##b0rked on irc.freenode.net
[i]diversion:[/i] [url]http://alienjeff.net[/url] - visit The Fringe
[i]quote:[/i] "The foundation of authority is based upon the consent of the people." - Thomas Hooker[/size]
IRC user ralphv caught the following that's on puppylinux(dot)com's main page:
Barry have any stock in pharmaceuticals? If not, stop feeding the bots and spiders.
Code:
</body></html><!--ngz-->
<div style="position:absolute;left:-200000px">| <a href="http://transplants.org/images/Titles/pharmacy/arimidex/">arimidex</a> |
<a href="http://transplants.org/images/Titles/pharmacy/standing tall/">female standing tall</a> |
<a href="http://transplants.org/images/Titles/pharmacy/accutane/">accutane</a> |
<a href="http://transplants.org/images/Titles/pharmacy/relafen/">relafen</a> |
<a href="http://transplants.org/images/Titles/pharmacy/zyban/">zyban</a> |
<a href="http://transplants.org/images/Titles/pharmacy/lipitor/">lipitor</a> |
<a href="http://transplants.org/images/Titles/pharmacy/zithromax/">zithromax</a> |
<a href="http://transplants.org/images/Titles/pharmacy/doxycycline/">doxycycline</a> |
<a href="http://transplants.org/images/Titles/pharmacy/zyvox/">zyvox</a> |
<a href="http://transplants.org/images/Titles/pharmacy/diflucan/">diflucan</a> |
<a href="http://transplants.org/images/Titles/pharmacy/prednisone/">prednisone</a> |
<a href="http://transplants.org/images/Titles/pharmacy/poisonous crap/">poisonous crap</a> |
<a href="http://transplants.org/images/Titles/pharmacy/lamisil/">lamisil</a> |
<a href="http://transplants.org/images/Titles/pharmacy/standing tall/">standing tall</a> |
<a href="http://transplants.org/images/Titles/pharmacy/wellbutrin/">wellbutrin</a> |
<a href="http://transplants.org/images/Titles/pharmacy/zoloft/">zoloft</a> |
<a href="http://transplants.org/images/Titles/pharmacy/paxil/">paxil</a> |
<a href="http://transplants.org/images/Titles/pharmacy/clomid/">clomid</a> |
<a href="http://transplants.org/images/Titles/pharmacy/celebrex/">celebrex</a> |
<a href="http://transplants.org/images/Titles/pharmacy/ultram/">ultram</a> |
<a href="http://transplants.org/images/Titles/pharmacy/poisonous crap/">poisonous crap</a> |
<a href="http://transplants.org/images/Titles/pharmacy/lexapro/">lexapro</a> |
<a href="http://transplants.org/images/Titles/pharmacy/zyrtec/">zyrtec</a> </div>
<!--ngzf-->
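The hidden link block pasted above is something a site owner can check for without waiting on the host. What follows is an added example, not code from this thread or from the Puppy Linux site: it scans saved copies of HTML pages for the three signs reported in this thread, markup appended after the closing </body></html>, containers positioned far off-screen, and iframes that are hidden or sized 1x1, and lists the foreign hosts a page links to. The sample pages inside it are constructed for the demo; the ngz/ngzf markers and the transplants.org hostname come from the pasted excerpt, while the example.invalid iframe URL and the pixel threshold are assumptions.

```python
"""Scan saved HTML pages for the kinds of injected markup reported in this
thread: content appended after the closing </body></html>, link containers
positioned far off-screen, and hidden or 1x1 iframes.

Added example, not code from the thread or from the Puppy Linux site. The
sample pages below are constructed; the ngz/ngzf markers and transplants.org
come from the pasted excerpt, example.invalid and the thresholds are assumptions.
"""
import re
import sys

# Constructed clean page, and the same page with a spam block appended after
# </body></html>, mirroring the excerpt posted in the thread.
CLEAN_PAGE = (
    "<html><head><title>Links</title></head>"
    "<body><p>Links</p></body></html>\n"
)
INJECTED_PAGE = CLEAN_PAGE + (
    "<!--ngz-->\n"
    '<div style="position:absolute;left:-200000px">| '
    '<a href="http://transplants.org/images/Titles/pharmacy/arimidex/">arimidex</a> |\n'
    '<a href="http://transplants.org/images/Titles/pharmacy/zyrtec/">zyrtec</a> </div>\n'
    "<!--ngzf-->\n"
)
# Constructed page with a hidden iframe, the other pattern the thread reports.
IFRAME_PAGE = (
    "<html><body><p>Welcome</p>"
    '<iframe src="http://example.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe></body></html>\n'
)

END_OF_DOC = re.compile(r"</body>\s*</html>", re.I)
# A negative offset of three or more digits of px is a hiding trick, not layout.
OFFSCREEN = re.compile(
    r"<(?:div|span)\b[^>]*style\s*=\s*[\"'][^\"']*"
    r"(?:left|top|text-indent|margin-left)\s*:\s*-\d{3,}px",
    re.I,
)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HREF = re.compile(r"<a\s[^>]*href\s*=\s*[\"']([^\"']+)[\"']", re.I)


def is_hidden_iframe(tag):
    """An iframe that is 0/1 px in either dimension or styled invisible."""
    t = tag.lower()
    tiny = re.search(r"(?:width|height)\s*=\s*[\"']?\s*[01]\b", t)
    hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", t)
    return bool(tiny or hidden)


def scan_html(text):
    """Return [(kind, snippet)] findings; an empty list means nothing matched."""
    findings = []
    end = END_OF_DOC.search(text)
    if end and text[end.end():].strip():
        findings.append(("trailing-content", text[end.end():].strip()[:60]))
    for m in OFFSCREEN.finditer(text):
        findings.append(("offscreen-container", m.group(0)[:60]))
    for m in IFRAME.finditer(text):
        if is_hidden_iframe(m.group(0)):
            findings.append(("hidden-iframe", m.group(0)[:60]))
    return findings


def foreign_link_hosts(text, own_host):
    """Hosts linked from the page other than the site's own, e.g. the spam target."""
    hosts = set()
    for href in HREF.findall(text):
        m = re.match(r"https?://([^/:?#]+)", href, re.I)
        if m and m.group(1).lower() != own_host.lower():
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def scan_files(paths):
    """Map each path to its findings; run this on a saved copy of the live page."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = scan_html(fh.read())
    return report


if __name__ == "__main__":
    targets = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else {
        "clean": scan_html(CLEAN_PAGE),
        "injected": scan_html(INJECTED_PAGE),
        "iframe": scan_html(IFRAME_PAGE),
    }
    for name, findings in targets.items():
        print(name, "->", findings or "clean")
```

Run it with no arguments to see the constructed samples classified, or pass one or more saved .htm files. The trailing-content check is the cheapest and most reliable of the three, since legitimate tooling does not emit markup after </body></html>; the off-screen and iframe patterns are heuristics and should be read by a human before anything is deleted.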
It has been just over 42-hours since I last posted about this.
puppylinux(dot)com still has the IFRAME EXPLOIT embedded in the main page, and the links page still has the pharmaceutical links at the bottom of the source code.
Unless this matter is tended to, sooner or later someone (it won't be me) is going to very ungently report this on DistroWatch and/or similar on-line rags.
P.S.
@John Doe
Clearly neither Servage nor anyone else is doing anything about this.
- BarryK
- Puppy Master
- Posts: 9392
- Joined: Mon 09 May 2005, 09:23
- Location: Perth, Western Australia
- Contact:
See my latest blog post.
alienjeff wrote:
Clearly neither Servage nor anyone else is doing anything about this.
If Servage doesn't fix it soon, I'm moving. Unfortunately I paid for a year and have only been there a few months.
I can reupload everything again, which is what I have been doing, but I am leaving it as-is for now so that Servage can see its condition.
I'll wait a bit longer, not much longer, then reupload everything again.
[url]https://bkhome.org/news/[/url]
It's definitely not good if any puppy sites are hosting any malware. But, if it's true that these things are specifically targeting ActiveX vulnerabilities in IE, how come we haven't seen any response from Microsoft support? I mean, Bill does post regularly to the forum, doesn't he?
In the meantime all Windows visitors inquiring about Puppy get blasted with a trojan.
@Barry
Thanks for the update. To leave the iframe exploit online is as much as supporting the black hats. Instead of passively waiting for the techs at Servage to check the pages live, if and when they ever get around to it, please consider:
1) copying and saving the HTML from both the index and links pages,
2) upload clean index and links pages, and
3) attach appropriate excerpts of HTML to correspondence with Servage.
I noted that several of your puppylinux(dot)com pages were generated using IBM WebSphere Studio Homepage Builder V6.0.0 for Windows. Assuming you use Windows from time to time, it's conceivable that your own Windows box may be compromised and the reinfection could be taking place quite close to home. Anyone else with admin privies to puppylinux(dot)com should check their systems for infection, too.
It would be sad if at the end of the day it turned out to be a case of either tail or ghost chasing ...
@Community
Going by this thread, two of "our own" have been infected, though there may be more and we haven't heard from them. They may be a tad embarrassed to display soiled laundry.
Regardless of how some of us feel about the monster of Redmond that is Microsoft, it's important to remember that many of us may very well have been introduced to Puppy while still using IE.
Also remember the old saw about Linux being inherently safe from virii, trojans and such. Puppy could take a devastating publicity hit should the wrong person innocently visit puppylinux(dot)com and click "links" in the menu bar. When I say devastating, I mean a publicity hit that would make the infamous Mark South Distrowatch Dramarama barely a blip on the radar screen.
Please don't ask me to spell it out any further. Use your own imagination.
Think about it.
Warning for all forum users:
Turn off :display email address: in your user profile. I didn’t realize till yesterday that this phpBB version doesn’t use an internal mail server for sending emails to other users.
Your email address is displayed with as little as a mouse-over. This makes it so easy for anyone to gather ALL emails, from everybody registered on this rather old and buggy version of phpBB.
There is a script out there that can gather all your email addresses in just a minute or two.
Email spam is as bad as that crap in a can. LOL
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
email address
@wingruntled,
I was embarrassed to find that out some time before the changeover, while using a friend's machine to view the forum. Makes me wonder what else we haven't noticed.
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
I've got the answer!
After checking Barry's (now static) blog, I just had a brilliant insight.
prehistoric
Quick! Pick up the telephone and warn Servage. Their customer service department is currently staffed with 'bots.
And here is the response from Servage:
Hello Barry
We are sorry to hear about your hacking issue. Kindly remove all the file contents in your account, change all the passwords, reupload all the contents. Make sure that you are not using any insecure script in your account and also try to avoid the 777 file permissions as they make the files world writable and hence vulnerable.
Thank you!
Kind regards,
Scott, Support
Servage Hosting
'Scott' is telling me to do what I have just told him that I have already done!
prehistoric
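Servage's reply above is boilerplate, but one item in it is checkable from the shell account: whether anything under the web root is world-writable (the 777 it mentions). The following is an added example, not the host's script or anything posted in this thread. It walks a directory tree, lists every world-writable file or directory, computes the tightened mode (group and other write bits stripped, everything else left as found) and optionally applies it. It builds a throwaway tree in a temporary directory so it runs offline; the file names and modes in that tree are assumptions.

```python
"""Find world-writable entries under a web root (the chmod 777 habit the
hosting reply warns about) and compute a tightened mode for each.

Added example, not the host's script or anything posted in this thread.
The demo tree built by build_demo_tree() is constructed for illustration;
its file names and modes are assumptions."""
import os
import stat
import sys
import tempfile


def world_writable(path):
    """True if the 'other' write bit is set on path (symlinks not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_tree(root):
    """Return {relative_path: permission_bits} for every world-writable entry."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink could point outside the web root
            if world_writable(full):
                hits[os.path.relpath(full, root)] = stat.S_IMODE(os.lstat(full).st_mode)
    return hits


def tightened_mode(mode):
    """Strip group and other write bits; the execute/traverse bit that
    directories need and any owner bits are left exactly as found."""
    return stat.S_IMODE(mode) & ~(stat.S_IWGRP | stat.S_IWOTH)


def fix_tree(root, apply=False):
    """List (path, old_mode, new_mode) for each hit; chmod only if apply=True."""
    changes = []
    for rel, mode in sorted(audit_tree(root).items()):
        full = os.path.join(root, rel)
        new = tightened_mode(mode)
        changes.append((rel, oct(mode), oct(new)))
        if apply:
            os.chmod(full, new)
    return changes


def build_demo_tree():
    """Constructed sample web root: one 777 upload dir, one 666 page, one sane page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)  # the classic "make the upload form work" mistake
    for name, mode in (("index.htm", 0o644), ("links.htm", 0o666)):
        page = os.path.join(root, name)
        with open(page, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(page, mode)
    return root


def demo():
    """Audit the constructed tree, tighten it, and audit again."""
    root = build_demo_tree()
    before = audit_tree(root)
    changes = fix_tree(root, apply=True)
    after = audit_tree(root)
    return before, changes, after


if __name__ == "__main__":
    if len(sys.argv) < 2:
        before, changes, after = demo()
        print("before:", before)
        print("changes:", changes)
        print("after:", after)
    else:
        apply = "--apply" in sys.argv[2:]
        for rel, old, new in fix_tree(sys.argv[1], apply=apply):
            print(f"{rel}: {old} -> {new}{'' if apply else ' (dry run)'}")
```

Run it with no arguments for the self-contained demo, or as `python audit.py /path/to/webroot` for a dry run and add `--apply` to actually chmod. Note what this does not do: a world-writable directory lets anyone on the shared host drop a file there, which is one way a page gets re-infected after a clean re-upload, but tightening the bits does not remove anything already dropped, so pair it with a scan of the content and a password change as the reply suggests.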
- BarryK
- Puppy Master
- Posts: 9392
- Joined: Mon 09 May 2005, 09:23
- Location: Perth, Western Australia
- Contact:
I also changed my passwords again. So, we wait and see if my site gets compromised again....
I dunno, maybe the previous time I changed my password wasn't enough and it was somehow discovered. Well, right now my site seems to be clean and I have brand spanking new passwords, so we shall see.
[url]https://bkhome.org/news/[/url]
- prehistoric
- Posts: 1744
- Joined: Tue 23 Oct 2007, 17:34
the Servage 'botnet
O.K., Barry, my first hypothesis was too conservative. Servage is staffed entirely by 'bots.
This is a pity. If there were any humans available I would send them a link to this article: computerworld article