LinuxQuestions.org
Old 05-08-2010, 05:01 PM   #1
powerslave12r
LQ Newbie
 
Registered: Apr 2010
Distribution: Slackware64 13.
Posts: 3

Rep: Reputation: 0
Question Firefox 3.5.2 redirecting to malicious website - using google DNS on Slackware64 13.


Hey guys,

Sorry to have my first post be a 'help wanted' rather than a 'help offered'.

I'm a newbie to Slackware64 13 (been on Ubuntu for a couple of years) and I recently followed Alien Bob's + slackbook instructions to set up my network (ethernet). I have Windows 7 on dual boot that doesn't see this problem.

I'm using DHCP and Google DNSs (8.8.8.8 and 8.8.4.4 both entered into /etc/resolv.conf) through ethernet (eth0).

Now I don't know which website I clicked (mostly been looking at Slack related help forums etc) but on two different occasions I was redirected to some page, which popped up 'Your windows computer has virus, scan now.' The pop-up makes you click okay and then a simulated Windows folder with a scan bar shows up.

There were three URLs that were in the history. I'm sorry I did not record all of them, but one of them (the final one I think) is here:

DO NOT CLICK ON THIS LINK BELOW, IT IS MALICIOUS.
Quote:
Code:
http://www1.firesavez7.com/?p=p52dcWpkbmqHjsbIo216h3de0KCfYWCdU9LXoKith6Swz9KwoFqbnZxxmpinc4rapZxqa2NsmF%2BZZmPMZJqK1qWYpqvYnpRfo3FfqKGopJ6eU8rPnZVqWqihyaSfVpnWapSbll9oaGSWkplnY2ZtWqqZnnaHodejYmJkZ2Vsl2OWaFbaoJWhlGNuZWmZlJltalqcl3WJi1%2FYlsijaWll
Googling didn't reveal much and after trying to figure out what's going on, I'm here to ask for help. I have logged out of all accounts and changed my passwords for the accounts I was logged into then.

Questions:
1. I have mounted the Windows drives that are accessible through Home > Filesystem > Windows Drive. Is this going to be affected?

2. Can there be any malware stored somewhere in the Linux directories? I was running as root because I was configuring my wifi card at the time.

3. What can I do to get rid of this problem? I looked at clamav but it looks like remedial action rather than preventative.

I downloaded my Slackware ISO from the HTTP mirror: slackware.cs.utah.edu. I did NOT check the md5hash though.

Kindly help or direct me towards existing solutions to this as I searched around and I'm slowly getting frustrated that this is happening in Slackware!


Thanks a lot.

EDIT: The nameserver seems to have been overwritten by the router to the default gateway after the last reboot, haven't clicked on many links since then, but this redirect hasn't happened yet this time.

Here's the whois on that domain name, registered yesterday:
http://whois.domaintools.com/firesavez7.com
Quote:
DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2010-05-07
Expires: 2011-05-07
EDIT 2: I can see Norton just posted the update an hour ago. http://safeweb.norton.com/report/sho...firesavez7.com

I'm guessing this has to do with the websites I visited and nothing to do with my computer.

Last edited by powerslave12r; 05-08-2010 at 05:33 PM.
 
Old 05-08-2010, 05:23 PM   #2
brucehinrichs
Member
 
Registered: Mar 2008
Location: US
Distribution: Debian Sid; Sabayon, UbuntuStudio, Slackware-multilib 13.1, Peppermint Ice, CentOS
Posts: 575

Rep: Reputation: 67
This has nothing to do with your computer. It's just another invasive, annoying, and WRONG form of advertisement.
 
Old 05-08-2010, 05:31 PM   #3
powerslave12r
LQ Newbie
 
Registered: Apr 2010
Distribution: Slackware64 13.
Posts: 3

Original Poster
Rep: Reputation: 0
The reason why I'm alarmed is that I haven't seen such a website show up in a long time, either on Windows 7 or Ubuntu. In fact despite shifting to Chrome from Firefox I stopped using Ad Block altogether and still didn't have any such sites pop up.

Right now I'm worried about it having infected my Windows partition or lying dormant in some Linux directory somewhere.
 
Old 05-09-2010, 05:22 AM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Blog Entries: 11

Rep: Reputation: 903
Moved: This thread is more suitable in <Linux-Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 05-09-2010, 05:30 AM   #5
powerslave12r
LQ Newbie
 
Registered: Apr 2010
Distribution: Slackware64 13.
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for moving the thread.

It just happened again when I clicked on this link.

http://www.basicconfig.com/install_a...lackware_linux.

And now that I click on it the second time or more, the page seems to load up just fine. I don't think this is something to do with the websites anymore. My browser seems to have been hijacked somehow.

Can someone please help me fix this?
 
Old 05-09-2010, 05:38 AM   #6
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,563
Blog Entries: 29

Rep: Reputation: 1179
Quote:
Originally Posted by powerslave12r View Post
It just happened again when I clicked on this link.

http://www.basicconfig.com/install_a...lackware_linux.

And now that I click on it the second time or more, the page seems to load up just fine. I don't think this is something to do with the websites anymore. My browser seems to have been hijacked somehow.

Can someone please help me fix this?
That link is OK for me. You could try fixing the problem by renaming ~/.mozilla, removing Firefox and re-installing it. That would lose all your customisation, bookmarks etc. but the bookmarks could be salvaged from the renamed ~/.mozilla. If this solved the problem you would know that the cause was within the Firefox package and your personal customisation. If it did not you would know the problem was somewhere else.
 
Old 05-09-2010, 09:56 PM   #7
Rasczak
LQ Newbie
 
Registered: May 2010
Location: Virginia
Distribution: Ubuntu
Posts: 1

Rep: Reputation: 0
I tried the link in Epiphany and Chromium and was redirected to the rogue/fake AV ad. Then I tried it in Firefox and the link worked fine.
 
Old 07-03-2010, 12:44 AM   #8
rajakipas
LQ Newbie
 
Registered: Aug 2009
Posts: 1

Rep: Reputation: 0
There is nothing wrong with your browser and your computer is not infected with any of the viruses or malware mentioned. Just like brucehinrichs said, it's just another invasive, annoying, and WRONG form of advertisement.

I've contacted the webmaster of basicconfig.com and mentioned the problem. The webmaster confirmed that the website was infected by the eval(base64_decode) which attacked GoDaddy server recently and the problem was fixed.
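
Added example, not part of any post in this thread: a webmaster-side check for the `eval(base64_decode(...))` injection named above, which walks a web root, flags each such call in PHP files, and decodes the blob as text only (nothing is executed) to show where it points. The file names, the sample payload and the `redirector.example.invalid` host are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with optional whitespace and either quote style.
INJECTION_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def decode_payload(b64_text):
    """Decode the blob statically; the result is only ever handled as text."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def scan_webroot(root, suffixes=(".php", ".phtml", ".inc")):
    """Return one finding per eval(base64_decode(...)) call found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for match in INJECTION_RE.finditer(text):
            decoded = decode_payload(match.group(2))
            findings.append({
                "file": str(path.relative_to(root)),
                "line": text.count("\n", 0, match.start()) + 1,
                "decoded": decoded,
                "urls": URL_RE.findall(decoded or ""),
            })
    return findings

def build_sample_webroot():
    """Constructed sample: one clean file and one with a constructed injection."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    payload = 'header("Location: http://redirector.example.invalid/?p=1");'
    blob = base64.b64encode(payload.encode()).decode()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "article.php").write_text(
        f'<?php eval(base64_decode("{blob}")); ?>\n<?php echo "article"; ?>\n')
    return root

if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f['file']}:{f['line']} -> {f['urls'] or f['decoded']}")
```

A hit is a reason to restore the file from a known-good copy and review how it was modified; legitimate code occasionally uses the same construct, so read the decoded text before deleting anything.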
 
Old 07-03-2010, 02:35 AM   #9
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,734
Blog Entries: 12

Rep: Reputation: 457
Clicking http://www.basicconfig.com/install_a...lackware_linux goes to a nice page about just what it says.
So whatever the problem was seems to be fixed.
 
  



Tags
malware, slackware


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration