Hi,
I decided to see what the current version of Fedora was.
I went to RedHat and didn't find anything pointing to fedora.
I used the "I'm feeling lucky" method without google.
I tried both fedora.com and fedora.org
One of them looked like your typical site holding a web slot.
The other mentioned something about containing pictures they have for their own purposes. Didn't go any further into the site.
After the 2, I get a warning message saying I've been to a porn site, could affect job, marriage etc etc.
Then it offers to troubleshoot the damage clean cache etc.
I choose "No" but it runs anyway which I switch off quick.
I think it was called diskcleaner utility.
Much later, this warning appears again and tries the diskcleaner again. Cron?
Anyone know which of the sites caused the problem and what it's giving to its visitors, and how to clean up the mess?
If it was one of these sites, I'm surprised a site like this is allowed to do this at fedora's expense.
I checked fedora.com and fedora.org but didn't notice anything evil. Keep in mind I'm using the NoScript extension, though. Also, I'd point out that neither fedora.com nor fedora.org raises any red flags at McAfee's SiteAdvisor (at the time of this post):
I had a look at the browsing history closer.
fedora.com appears to have been visited after some malware-looking stuff, therefore it must have happened when I visited fedora.org (whether that be something that was on their site yesterday (it looked like it was probably going to be a porn site (yesterday), although didn't enter to find out), or malware on my CPU that happened to kick in right then (unlikely)).
History (in the firefox sidebar):
- redhat.com
- fedora: it burns my eyes like the glory of god! (that's how you know it's working) (which is Fedora.org)
- /.freeware/....CASHEBUSTER.... (where .... = lots of params)
Not sure what to tell you. I really don't see anything that would indicate that either fedora.org or fedora.com are putting out malware. I have no idea how you ended up getting bitten by the known-bad DriveCleaner. Although it is possible that the site became rogue for only a few seconds while you visited it, it is extremely unlikely. It should be noted that popups are many times designed to look as if they are actually programs running on your computer, when they are not. Are you sure that isn't the case here?
Perhaps our energies should be focused on determining what exactly happened to your browser. Could you clarify what exactly are the symptoms you are experiencing? Is it that you are getting a DriveCleaner popup when you surf known-good websites (such as LQ, etc.)? Do you have Firefox's popup blocker activated? Do you have a whitelist of sites allowed to install add-ons? If you go into your add-ons manager, do you see any in there that weren't installed by you intentionally? What version of Firefox are you running (Help > About Mozilla Firefox)?
Popups looking like prog running? Unsure myself, it could be, it looked very real the short time it was allowed on the screen. It's setup very well if it is. Shocks you with the porn message first then goes to town looking like it's doing something to your system (good or evil).
Symptoms?
I got a warning message saying I've been to a porn site, could affect job, marriage etc etc.
Then it offers to troubleshoot the damage clean cache etc.
I choose "No" but it runs anyway which I switch off quick.
A diskcleaner utility window appears with flashing lights looking like it's monitoring itself processing. I pressed the "x" in top corner to close window.
I thought it was a one off, but much later in the day, this warning appears again and tries the diskcleaner again.
DriveCleaner popup when you surf known-good websites (such as LQ, etc.)? Unsure, I've mostly given up on the computer. It appeared again when I was doing my usual surfing of good sites. I had never seen it before until trying www.fedora.org
Firefox's popup blocker? Yes
The only one that was set to allow that I don't absolutely know of was BPSBelgium.com (but for some reason I think it's OK too).
whitelist of sites allowed to install add-ons? Nothing unusual.
add-ons manager, any not installed intentionally?
This was OK.
Firefox is also set to warn if site tries to install addons.
Firefox Version? 2.0.0.5
Other?
Load Images Auto is enabled
Java and Javascript enabled
Thanks for taking me thru the settings.
Win32Sux - Just out of interest, if you don't mind me asking - I'd been thinking of looking at Slackware - what do you use Ubuntu for, and what do you use your Slackware for?
Last edited by optimizer; 08-17-2007 at 10:30 PM.
Reason: addt'ns
Quote:
it looked very real the short time it was allowed on the screen. It's setup very well if it is. Shocks you with the porn message first then goes to town looking like it's doing something to your system (good or evil).
I can confirm I've seen these types of popups in the past. They even have colorful progress bars and everything. I haven't seen any of these since I started using NoScript, as the sites I whitelist don't put out those types of popups.
Quote:
I got a warning message saying I've been to a porn site, could affect job, marriage etc etc.
Then it offers to troubleshoot the damage clean cache etc.
I choose "No" but it runs anyway which I switch off quick.
A diskcleaner utility window appears with flashing lights looking like it's monitoring itself processing. I pressed the "x" in top corner to close window.
Yeah, sounds like the same yada yada the DriveCleaner folks spew on the front page of their website:
Code:
Private companies are tracking the ISPs to record your Internet behavior and downloads for evidence. Simply deleting these files does not get rid of the evidence. Many times you are not even aware of the files that get installed by themselves and could compromise your career, your marriage or your overall status quo.
Quote:
I thought it was a one off, but much later in the day, this warning appears again and tries the diskcleaner again.
This is the strange part. I mean, it would be normal if certain websites are sending that popup your way, but if you are getting the popup while visiting known-good sites (like LQ) then something is definitely not right.
Quote:
I've mostly given up on the computer. It appeared again when I was doing my usual surfing of good sites. I had never seen it before until trying www.fedora.org
Yikes.
Quote:
The only one that was set to allow that I don't absolutely know of was BPSBelgium.com (but for some reason I think it's OK too).
I see.
Quote:
whitelist of sites allowed to install add-ons? Nothing unusual.
Cool.
Quote:
Firefox is also set to warn if site tries to install addons.
Cool.
Quote:
Firefox Version? 2.0.0.5
Not cool. I'm not saying you've been exploited, but you are definitely vulnerable in that case. Might be a good time to upgrade to 2.0.0.6, and maybe clean out your whole ~/.mozilla directory while you're at it (back up your bookmarks) to see if your problem is fixed.
Quote:
Java and Javascript enabled
Frankly, I think letting all websites execute code on your box is already bad enough with an up-to-date browser. Needless to say, it's absolutely terrible with a vulnerable one such as yours (for example). I HIGHLY recommend that you take a step back and give some thought to your current "let anyone run javascript and java on my box" approach. It's just way too dangerous. I'm willing to bet that if you had NoScript (or something similar) installed, you probably wouldn't be having these issues right now.
Quote:
Just out of interest, if you don't mind me asking - I'd been thinking of looking at Slackware - what do you use Ubuntu for, and what do you use your Slackware for?
Send me an email and I'll hit you back with an answer to this. I tried emailing you but you have the email option disabled. I've decided not to post the answer here as it would risk starting a barrage of off-topic posts.
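The profile reset suggested in the reply above (clean out ~/.mozilla, keep the bookmarks, check for add-ons you did not install), as an added example that is not part of the original posts. The function name `reset_mozilla` and the backup layout are hypothetical; it assumes the Firefox 2 profile layout, where bookmarks live in `bookmarks.html` inside each profile directory.

```shell
#!/bin/sh
# Added example: reset a Firefox profile tree while keeping bookmarks.
# Assumes <home>/.mozilla/firefox/<profile>/bookmarks.html (Firefox 2);
# newer releases keep bookmarks in places.sqlite, copied too if present.
# Close Firefox before running this.

reset_mozilla() {
    home_dir=$1      # home directory that owns the .mozilla tree
    backup_dir=$2    # where bookmarks and extension lists are saved
    moz="$home_dir/.mozilla"
    [ -d "$moz" ] || { echo "no $moz, nothing to do" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1

    for profile in "$moz"/firefox/*/; do
        [ -d "$profile" ] || continue          # glob matched nothing
        name=$(basename "$profile")
        mkdir -p "$backup_dir/$name" || return 1
        # Bookmarks are data, not code, so they are safe to carry over.
        for f in bookmarks.html places.sqlite; do
            if [ -f "$profile$f" ]; then
                cp -p "$profile$f" "$backup_dir/$name/$f" || return 1
            fi
        done
        # Record installed extension IDs so unexpected ones can be spotted.
        if [ -d "${profile}extensions" ]; then
            ls -1 "${profile}extensions" > "$backup_dir/$name/extensions.txt"
        fi
    done

    # Move the old tree aside instead of deleting it, so preferences and
    # extensions can still be examined if the popups turn out to come
    # from something stored in the profile.
    aside="$moz.old.$(date +%Y%m%d%H%M%S)"
    mv "$moz" "$aside" || return 1
    echo "$aside"    # path of the preserved old tree
}

# Usage: reset_mozilla "$HOME" "$HOME/mozilla-backup"
```

If the popup stops after Firefox recreates a fresh profile, the preserved tree and `extensions.txt` are the places to look for whatever was triggering it.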