LinuxQuestions.org
Old 08-17-2007, 04:20 PM   #1
optimizer
LQ Newbie
 
Registered: Jan 2006
Location: on the linux forum
Posts: 12

Rep: Reputation: 0
Question fedora.com fedora.org virus?


Hi,
I decided to see what the current version of Fedora was.
I went to RedHat and didn't find anything pointing to fedora.
I used the "I'm feeling lucky" method without google.
I tried both fedora.com and fedora.org
One of them looked like your typical site holding a web slot.
The other mentioned something about containing pictures they have for their own purposes. Didn't go any further into the site.

After the 2, I get a warning message saying I've been to a porn site, could affect job, marriage etc etc.
Then it offers to troubleshoot the damage clean cache etc.
I choose "No" but it runs anyway which I switch off quick.

I think it was called diskcleaner utility.

Much later, this warning appears again and tries the diskcleaner again. Cron?

Anyone know which of the sites caused the problem and what it's giving to its visitors, and how to clean up the mess?

If it was one of these sites, I'm surprised the site like this is allowed to do this at fedora's expense.

Thanks for the help!
 
Old 08-17-2007, 04:26 PM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209
Fedora's site is: www.fedora.redhat.com
 
Old 08-17-2007, 04:29 PM   #3
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
"how to clean up the mess."

What OS and what browser are you using?

----------------
Steve Stites
 
Old 08-17-2007, 04:33 PM   #4
optimizer
LQ Newbie
 
Registered: Jan 2006
Location: on the linux forum
Posts: 12

Original Poster
Rep: Reputation: 0
OpenSUSE 10
Firefox 2

But what is the site doing - I presume it's the .org version of fedora.

PS, I think the real fedora site may be fedoraproject.??? com or org?

Any security folks trying out the site to see what it's doing?

Thanks

Last edited by optimizer; 08-17-2007 at 05:02 PM. Reason: spelling/addn
 
Old 08-17-2007, 05:57 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
The official address for the Fedora distro is: http://www.fedoraproject.org/

I checked fedora.com and fedora.org but didn't notice anything evil. Keep in mind I'm using the NoScript extension, though. Also, I'd point out that neither fedora.com nor fedora.org raises any red flags at McAfee's SiteAdvisor (at the time of this post):

http://www.siteadvisor.com/sites/fedora.com

http://www.siteadvisor.com/sites/fedora.org

Is it possible you got the malware from some other site?

Last edited by win32sux; 08-17-2007 at 05:58 PM.
 
Old 08-17-2007, 06:51 PM   #6
optimizer
LQ Newbie
 
Registered: Jan 2006
Location: on the linux forum
Posts: 12

Original Poster
Rep: Reputation: 0
I had a look at the browsing history closer.
fedora.com appears to have been visited after some malware-looking stuff, therefore it must have happened when I visited fedora.org (whether that be something that was on their site yesterday (it looked like it was probably going to be a porn site (yesterday), although didn't enter to find out), or malware on my CPU that happened to kick in right then (unlikely)).

History (in the firefox sidebar):

- redhat.com

- fedora: it burns my eyes like the glory of god! (that's how you know it's working) (which is Fedora.org)

- /.freeware/....CASHEBUSTER.... (where .... = lots of params)

- Error Detected

- DriveCleaner

- Linux (which is Fedora.com)
 
Old 08-17-2007, 07:34 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Not sure what to tell you. I really don't see anything that would indicate that either fedora.org or fedora.com are putting out malware. I have no idea how you ended up getting bitten by the known-bad DriveCleaner. Although it is possible that the site became rogue for only a few seconds while you visited it, it is extremely unlikely. It should be noted that popups are many times designed to look as if they are actually programs running on your computer, when they are not. Are you sure that isn't the case here?

Perhaps our energies should be focused on determining what exactly happened to your browser. Could you clarify what exactly are the symptoms you are experiencing? Is it that you are getting a DriveCleaner popup when you surf known-good websites (such as LQ, etc.)? Do you have Firefox's popup blocker activated? Do you have a whitelist of sites allowed to install add-ons? If you go into your add-ons manager, do you see any in there that weren't installed by you intentionally? What version of Firefox are you running (Help > About Mozilla Firefox)?

Last edited by win32sux; 08-17-2007 at 07:36 PM.
 
Old 08-17-2007, 10:08 PM   #8
optimizer
LQ Newbie
 
Registered: Jan 2006
Location: on the linux forum
Posts: 12

Original Poster
Rep: Reputation: 0
Popups looking like prog running? Unsure myself, it could be, it looked very real the short time it was allowed on the screen. It's set up very well if it is. Shocks you with the porn message first then goes to town looking like it's doing something to your system (good or evil).

Symptoms?
I got a warning message saying I've been to a porn site, could affect job, marriage etc etc.
Then it offers to troubleshoot the damage clean cache etc.
I choose "No" but it runs anyway which I switch off quick.
A diskcleaner utility window appears with flashing lights looking like it's monitoring itself processing. I pressed the "x" in top corner to close window.

I thought it was a one off, but much later in the day, this warning appears again and tries the diskcleaner again.

DriveCleaner popup when you surf known-good websites (such as LQ, etc.)? Unsure, I've mostly given up on the computer. It appeared again when I was doing my usual surfing of good sites. I had never seen it before until trying www.fedora.org

Firefox's popup blocker? Yes
The only one that was set to allow that I don't absolutely know of was BPSBelgium.com (but for some reason I think it's OK too).


whitelist of sites allowed to install add-ons?
Nothing unusual.

add-ons manager, any not installed intentionally?
This was OK.
Firefox is also set to warn if site tries to install addons.

Firefox Version? 2.0.0.5

Other?
Load Images Auto is enabled
Java and Javascript enabled

Thanks for taking me thru the settings.

Win32Sux - Just out of interest, if you don't mind me asking - I'd been thinking of looking at Slackware - what do you use Ubuntu for, and what do you use your Slackware for?

Last edited by optimizer; 08-17-2007 at 10:30 PM. Reason: addt'ns
 
Old 08-18-2007, 08:53 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by optimizer
it looked very real the short time it was allowed on the screen. It's set up very well if it is. Shocks you with the porn message first then goes to town looking like it's doing something to your system (good or evil).
I can confirm I've seen these types of popups in the past. They even have colorful progress bars and everything. I haven't seen any of these since I started using NoScript, as the sites I whitelist don't put out those types of popups.

Quote:
I got a warning message saying I've been to a porn site, could affect job, marriage etc etc.
Then it offers to troubleshoot the damage clean cache etc.
I choose "No" but it runs anyway which I switch off quick.
A diskcleaner utility window appears with flashing lights looking like it's monitoring itself processing. I pressed the "x" in top corner to close window.
Yeah, sounds like the same yada yada the DriveCleaner folks spew on the front page of their website:
Code:
Private companies are tracking the ISPs to record your Internet behavior and downloads for evidence. Simply deleting these files does not get rid of the evidence. Many times you are not even aware of the files that get installed by themselves and could compromise your career, your marriage or your overall status quo.

Quote:
I thought it was a one off, but much later in the day, this warning appears again and tries the diskcleaner again.
This is the strange part. I mean, it would be normal if certain websites are sending that popup your way, but if you are getting the popup while visiting known-good sites (like LQ) then something is definitely not right.

Quote:
I've mostly given up on the computer. It appeared again when I was doing my usual surfing of good sites. I had never seen it before until trying www.fedora.org
Yikes.

Quote:
The only one that was set to allow that I don't absolutely know of was BPSBelgium.com (but for some reason I think it's OK too).
I see.

Quote:
whitelist of sites allowed to install add-ons? Nothing unusual.
Cool.

Quote:
Firefox is also set to warn if site tries to install addons.
Cool.

Quote:
Firefox Version? 2.0.0.5
Not cool. I'm not saying you've been exploited, but you are definitely vulnerable in that case. Might be a good time to upgrade to 2.0.0.6, and maybe clean out your whole ~/.mozilla directory while you're at it (back up your bookmarks) to see if your problem is fixed.

Quote:
Java and Javascript enabled
Frankly, I think letting all websites execute code on your box is already bad enough with an up-to-date browser. Needless to say, it's absolutely terrible with a vulnerable one such as yours (for example). I HIGHLY recommend that you take a step back and give some thought to your current "let anyone run javascript and java on my box" approach. It's just way too dangerous. I'm willing to bet that if you had NoScript (or something similar) installed, you probably wouldn't be having these issues right now.

Quote:
Just out of interest, if you don't mind me asking - I'd been thinking of looking at Slackware - what do you use Ubuntu for, and what do you use your Slackware for?
Send me an email and I'll hit you back with an answer to this. I tried emailing you but you have the email option disabled. I've decided not to post the answer here as it would risk starting a barrage of off-topic posts.

Last edited by win32sux; 08-19-2007 at 05:04 AM.
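
The profile reset suggested in post #9 (back up bookmarks, then clear out ~/.mozilla), as an added example that is not part of the thread. It assumes the Firefox 2.x profile layout (bookmarks.html and extensions/ inside each directory under ~/.mozilla/firefox/) and that a "lock" symlink in a profile means the browser is still running; the function name and backup file names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: Firefox 2.x profile layout (bookmarks.html and extensions/
# inside each directory under ~/.mozilla/firefox/), and that a "lock"
# symlink in a profile means the browser still has it open.

# reset_mozilla_profile HOME_DIR BACKUP_DIR
# Saves each profile's bookmarks and a list of its installed extensions,
# then renames HOME_DIR/.mozilla so the next start creates a fresh profile.
# Prints the path of the set-aside directory.
# Usage: reset_mozilla_profile "$HOME" "$HOME/firefox-backup"
reset_mozilla_profile() {
    home_dir=$1
    backup_dir=$2
    moz="$home_dir/.mozilla"
    aside="$home_dir/.mozilla.aside-$(date +%Y%m%d-%H%M%S)"

    [ -d "$moz" ] || { echo "no $moz to reset" >&2; return 1; }
    [ ! -e "$aside" ] || { echo "$aside already exists" >&2; return 1; }

    # First pass: refuse to touch anything while a profile is in use.
    for profile in "$moz"/firefox/*/; do
        if [ -L "${profile}lock" ]; then
            echo "profile in use, close Firefox first: $profile" >&2
            return 1
        fi
    done

    mkdir -p "$backup_dir" || return 1
    for profile in "$moz"/firefox/*/; do
        [ -d "$profile" ] || continue
        name=$(basename "$profile")
        # Bookmarks are the only data carried over to the new profile.
        if [ -f "${profile}bookmarks.html" ]; then
            cp -p "${profile}bookmarks.html" "$backup_dir/$name-bookmarks.html" || return 1
        fi
        # Record extension IDs so unexpected ones can be reviewed later.
        if [ -d "${profile}extensions" ]; then
            ls -1 "${profile}extensions" > "$backup_dir/$name-extensions.txt"
        fi
    done

    # Rename instead of delete: the old tree stays available for inspection.
    mv "$moz" "$aside" || return 1
    echo "$aside"
}
```

If the popup still appears with a fresh profile and an updated browser, the old profile was not the cause, and the set-aside directory can be compared against the new one.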
 
  

