Is my box compromised?

Hi all,

I should premise that I'm a great geek... I'm running a Linux box with sort of default firewall settings: in Firestarter I've enabled/disabled a couple of settings - nothing really important, as far as I can understand.

It all started a couple of days ago while browsing Gigapedia. I left the PC and when I came back it was frozen. I had to switch it off. Since it was the first time it happened - never had a crash before - I smelled something wrong.

Now, what makes me believe I've really been hacked? I have had a couple of popups in Firefox that weren't unrelated to what I was browsing.

One was a warning of an invalid certificate - US Defence, or similar - and the other a login screen for a web address I wasn't browsing.

My guess is that someone is using my box as a proxy or a bot or something..

So, my question is: is it possible (or, has it any sense)?

Reply to
usrID

Yes, sounds like front door secured and backdoor left unlocked.

Black hats have moved from web side attacks to web client exploits and through downloaded media files (flash, pdf, gif, MP3, WMA, WMV, MP2,...)

Yes, seen that policy. Instead of having to crack user and root passwords, cracker just needs to crack one password. :(

Hmmm, try these three commands in a terminal.

grep $USER/etc/passwd
grep browser /etc/passwd
grep root /etc/passwd

Not necessarily.

Yep, to further hinder Anti-virus vendors from getting their hands on a copy of malware, the infected site can keep a record of ip addresses and not attempt to serve malware to an already logged ip address.

Think of a proxy as a software router which redirects traffic. Normally it is transparent to the user.

Depends on the malware's design/goal in life. If it needs to click a window or enter data, then yes.

Well designed malware will keep its activity hidden as much as possible.

Hehehe, maybe a 5 line change, max, to /etc/sudoers, plus a little script that does

qdbus org.kde.kwin /KWin org.kde.KWin.setCurrentDesktop 3 > /dev/null
xterm -e sudo /bin/su -l browser_login_id

and a desktop shortcut which runs the script. Click the shortcut, the desktop switches to desktop window 3 and launches a login into browser_login_id. The above qdbus command assumes you're running KDE 4.x as desktop manager.

~browser_login_here/.bash_profile has something like

firefox $HOME/index.html
/bin/rm -rf .mozilla .macromedia
tar -xpvf $HOME/firefox.tar > /dev/null 2>&1
exit

That assumes you have already tar'ed up .mozilla and .macromedia into /home/browser_login_id/firefox.tar

Upside, poisoned cache, cookies, memory, dns cache are deleted upon exit. Downside to above is bookmarks are also deleted.

Not a problem for me. I keep URLs with keyword hints in an ASCII file. I have a script to grep the file. Example:

$ urls bash doc

formatting link
! basic shell bash doc
formatting link
! documentation
formatting link
! bash script tips usage doc
formatting link
! bash script advanced documentation
formatting link
! bash script variable expansion doc

Reply to
Bit Twister
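The throwaway-account scheme Bit Twister sketches above (browse, wipe .mozilla and .macromedia on exit, restore a clean snapshot from a tarball) written out as an added example; this is not Bit Twister's script and assumes nothing about sudoers or KDE. It assumes the throwaway account's home directory is passed in (or is $HOME), that a clean profile snapshot has been made with snapshot_profile first, and that the browser command is given as the second argument (defaulting to firefox, run with no arguments rather than with the poster's index.html). The sudoers line, desktop switch and xterm wrapper from the post are left out so the functions run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Disposable browser profile:
# run the browser, throw its profile away, restore a known-clean copy.
set -u

# One-time: snapshot a freshly configured profile into $home/firefox.tar.
# Only the directories that actually exist are archived, so a missing
# .macromedia does not make tar fail.
snapshot_profile() {
    home=${1:-$HOME}
    members=""
    for d in .mozilla .macromedia; do
        [ -d "$home/$d" ] && members="$members $d"
    done
    [ -n "$members" ] || { echo "nothing to snapshot in $home" >&2; return 1; }
    # shellcheck disable=SC2086
    ( cd "$home" && tar -cpf firefox.tar $members )
}

# Per session: browse, then discard cache/cookies/history/Flash LSOs and
# put the clean snapshot back so the next session starts from known state.
clean_browse() {
    home=${1:-$HOME}
    browser=${2:-firefox}          # command to run; "true" in the self-test
    archive="$home/firefox.tar"

    [ -f "$archive" ] || { echo "no clean profile archive at $archive" >&2; return 1; }

    # 1. browse with whatever profile is present now (possibly poisoned)
    ( cd "$home" && "$browser" )

    # 2. delete everything the session may have left behind
    rm -rf "$home/.mozilla" "$home/.macromedia"

    # 3. restore the clean snapshot for next time (bookmarks included,
    #    which is why the snapshot must be taken after configuring them)
    tar -xpf "$archive" -C "$home" >/dev/null 2>&1
}
```

The restore step keeps whatever the snapshot contained, so the "bookmarks are deleted" downside in the post only applies to bookmarks added after the snapshot was taken; re-run snapshot_profile whenever the clean profile is deliberately changed.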

I've read of PDF exploits - in Gigapedia that makes sense - but I thought that with JavaScript disabled (in Acrobat Reader) and being in Linux I could be safe.

Yeah, ingenious isn't it?

The first two haven't output anything, perhaps my fault. The third:

root:x:0:0:root:/root:/bin/bash

Look, I can act as root in Nautilus, but I cannot log in as root.

This leaves me in doubt though.. I've been browsing in a Linux environment with a user account and, maybe, have opened a couple of PDFs. Could all this put me in trouble? Are the two occurrences any sign?


This really makes me feel a lot behind the curve.. :( Thanks again for all the suggestions. I'll look at every line trying to learn

Reply to
usrID

No, it was my fault. I missed typing in a space on the first one, second one was to show no account and third was to show root. Here is the corrected first line.

grep $USER /etc/passwd

Yep, there is the root account entry.

Yes, root's account was set up without a password, which prevents you from doing a terminal login. I was trying to get you to see that there is a root account.

I have not installed Mint. I have no idea if Mint installs Adobe's Acrobat PDF reader or if Mint runs the open source reader. If open source, I'd have to guess you are safe. To make you feel better, I have not seen any Linux malware in PDF form recently.

I would say no.

Reply to
Bit Twister

Ok..

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash

It comes with Evince, the open source reader, but I've installed Adobe Acrobat too for convenience :) It renders fonts better than Evince. Good to know there has been no Linux malware in PDFs!

Thank you Bit Twister, you've been very helpful. I'll pay careful attention to any further sign before flattening and rebuilding (which I'd do very, very reluctantly).

Reply to
usrID

It's a Mac thing. You wouldn't understand.

Anyway, you can disable this behaviour by removing the respective line from /etc/sudoers. Make sure you've enabled the root account (and set a good password for it) before you do that.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
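Bit Twister's point (root exists in /etc/passwd but cannot log in at a terminal) and Ansgar's advice (enable root and give it a real password before removing the sudoers line) both come down to the second field of root's /etc/shadow entry. The check below is an added example, not code from either poster; it takes the passwd and shadow file paths as arguments so it can be run against copies or, as root, against the live files. The sample entries in the usage note are constructed; the only real facts it relies on are the shadow field layout and the convention that a hash field beginning with `!` or `*` disables password login.

```shell
#!/bin/sh
# Added example, not from the thread: classify a login's password state.
# Prints one of: missing, nologin-shell, no-shadow-entry, empty, locked, hashed
set -u

account_status() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    shadow_file=${3:-/etc/shadow}       # readable only as root on a real box

    # Does the account exist at all?
    pw=$(grep "^$user:" "$passwd_file") || { echo missing; return 0; }

    # A nologin/false shell blocks interactive login regardless of password.
    shell=${pw##*:}
    case $shell in
        */nologin|*/false) echo nologin-shell; return 0 ;;
    esac

    # Second shadow field: the hash, or a marker that disables password login.
    sh_line=$(grep "^$user:" "$shadow_file" 2>/dev/null) \
        || { echo no-shadow-entry; return 0; }
    hash=$(printf '%s\n' "$sh_line" | cut -d: -f2)
    case $hash in
        '')        echo empty  ;;   # no password at all: anyone can log in
        '!'*|'*'*) echo locked ;;   # password login disabled (sudo-only root)
        *)         echo hashed ;;   # a real password is set
    esac
}
```

Usage: `account_status root` (as root) should print `locked` on a sudo-only install, which is the state to change with `sudo passwd root` before touching /etc/sudoers; `empty` for any account is the state to fix immediately. The example classifies any user, not only root, which is what lets it flag a throwaway browser account that was created without a password.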

Does it mean it's a good thing? Confirmed, I don't understand.

Thanks for the tip

Reply to
userid

Depends on who you ask. Mac users certainly would say it is. Then again, they'd also say a steaming pile of crap were the best thing since sliced bread, provided it comes from Cupertino. I for one wouldn't agree with them on either part, though.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

So, at least, it should be cool :)

Reply to
userid
