Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have picked up some malware, ib.adnxs.com. It redirects my browser when I am on sites with lots of ad content and can make things so slow that I eventually give up. I have solved the problem by redirecting the URL to localhost, 127.0.0.1, in /etc/hosts. What bothers me now is how the redirection to ib.adnxs.com is accomplished. There is no entry in /etc/hosts. I can't find any suspicious processes running. Any ideas?
Wipe and install a newer OS like Debian. And TURN OFF those unneeded daemons and install Shorewall! Then use DNSCrypt chained to Unbound. (You must turn off DNSSEC.)
Last edited by Quantumstate; 08-16-2012 at 03:48 PM.
In this forum providing proof would be prudent before making statements like that.
If you don't have proof then either don't post or phrase your "advice" as a question.
Quote:
Originally Posted by Quantumstate
Wipe and install a newer OS like Debian.
Even if this were about DNS poisoning what exactly would that accomplish to mitigate things?
You made a statement without providing any proof, so I asked you to support your claim. Instead what I get is a lack of respect, you trying to counter-challenge me and a completely unwarranted personal attack, the latter of which earns you this official warning:
Warning: You have violated LQ Rule 2 which states that personal attacks on others will not be tolerated.
Do not let that happen again.
I have some new ideas about this problem. The site that seems to be worst is the Seattle Post web site. Perhaps they have been hacked. Meanwhile I have added about thirty entries to /etc/hosts to block rogue ad and tracking URLs found at seattlepi.com. I will use another computer and/or OS to see if the problem is local.
I know that Fedora 14 is stone age, but I am an old fart and set in my ways. Once I get something working well I tend to hang on to it. Also, I don't much like the latest from GNOME. I probably have an old box somewhere with SuSE 5.5 running on two Pentium 3s.
seattlepi.com seems to be free of the abundant ad URLs this morning. I suspect that the problem was on their end. It looks like unscrupulous characters are posting ads on websites without paying for the privilege, cyber-trespass. Someone in Eastern Europe probably made a few currency units, just a theory. Meanwhile, I wore a blister on my thumb editing /etc/hosts.
Quote:
Originally Posted by heyduke25
I have some new ideas about this problem. The site that seems to be worst is the Seattle Post web site. Perhaps they have been hacked.
Ideas, nice, but saying "perhaps they have been hacked" is not. I posted resources for you to check and possibly provide feedback with (call it reciprocity) so we can avoid misinterpretation and speculation and draw a conclusion based on analysis. Since you haven't here's the result of Google safebrowsing, Jsunpack and urlquery.net.
Quote:
Originally Posted by heyduke25
Meanwhile I have added about thirty entries to /etc/hosts to block rogue ad and tracking URLs found at seattlepi.com.
If you use Firefox (current version: 14.0.1) then consider using the NoScript and RequestPolicy addons in addition to using a profile without Java and as few plugins as possible.
Quote:
Originally Posted by heyduke25
I will use another computer and/or OS to see if the problem is local.
*BSD, OpenIndiana or Linux OK, but if you mean Microsoft or Apple platforms then I'm sure there's people other than me that would be interested in any such results.
Quote:
Originally Posted by heyduke25
I know that Fedora 14 is stone age but (..) once I get something working well I tend to hang on to it.
I can understand how it must be difficult to make backups and upgrade regularly, but there are overarching reasons and I'm sorry to say yours just isn't a valid one.
Quote:
Ideas, nice, but saying "perhaps they have been hacked" is not. I posted resources for you to check and possibly provide feedback with (call it reciprocity) so we can avoid misinterpretation and speculation and draw a conclusion based on analysis. Since you haven't here's the result of Google safebrowsing, Jsunpack and urlquery.net.
Thank you for the feedback. I did scan seattlepi.com with the AVG tool and with urlquery. Google and Jsunpack were unavailable. The URL came through with flying colors. On urlquery I looked only at the report that was dated yesterday. As I said earlier, the problem of numerous URLs attempting to load when accessing a seattlepi.com URL seems to have vanished. The worst was ib.adnxs.com, which would come up and time out(?) numerous times while loading a seattlepi.com URL. I also checked several of the URLs that I entered into /etc/hosts (redirected to 127.0.0.1); no alerts were shown, but in the same column of the report was a value, IDS. I don't know what that is.
Finally, I'm still puzzled. The problem could be on my computer or LAN, but it is odd that the bad behavior seems to have ceased without any known action by me.
Quote:
*BSD, OpenIndiana or Linux OK, but if you mean Microsoft or Apple platforms then I'm sure there's people other than me that would be interested in any such results.
I primarily use Linux as an OS. I use MS Windows to run my big Epson printer and to download audio books. Although I consider the current Apple OS to be very good, it is not a good fit for me, so I avoid it.
And... yes, it is probably time to update my Linux boxes to the latest. Funny, though, that Red Hat is probably still running an older, more stable version of Fedora. I do keep my packages up to date.
Quote:
Originally Posted by heyduke25
The worst was ib.adnxs.com, which would come up and time out(?) numerous times while loading a seattlepi.com URL.
That seems to be the general consensus if you google for adnxs.com info.
Quote:
Originally Posted by heyduke25
I also checked several of the URLs that I entered into /etc/hosts (redirected to 127.0.0.1); no alerts were shown, but in the same column of the report was a value, IDS. I don't know what that is.
I don't know what site you refer to, maybe post an example URI, but if it's urlquery then it's about Suricata / Snort IDS results. The Emerging Threats rule set provides data on quite a few forms of tainting, from what they dub "malvertisers" to RBN and DShield-listed compromised hosts.
Quote:
Originally Posted by heyduke25
Finally, I'm still puzzled. The problem could be on my computer or LAN, but it is odd that the bad behavior seems to have ceased without any known action by me.
Sites using external advertising management services have their displayed ads rotated for them and (depending on contracts and criteria) may not even be aware they're running ad such-and-such until they visit the site themselves or visitors start complaining (or worse: stay away). It's not uncommon for advertising agencies to lapse and as a result distribute one or two bad ads. It's just that the consequences can be devastating. Likewise an advertising agency has no control (except blocking them) over those submitting ads so if one of their hosts gets compromised it takes time for anyone in the chain to respond to visitor, client, provider or carrier complaints. Back to your reply: using an IDS and a proxy (caching or not) allows you to get a grip on requests and responses. Most of the time it'll be of limited use (statistics) but if you ever need to check out past requests then at least you have a partial audit trail.
Quote:
Originally Posted by heyduke25
Funny, though, that Red Hat is probably still running an older, more stable version of Fedora.
Completely different discussion but you should be aware RHEL practices backporting.
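An added example, not part of the thread, that makes the proxy-audit-trail suggestion above concrete: it summarises a Squid-style access.log per remote host so that a hanging ad server such as ib.adnxs.com stands out from the site actually being visited. The log lines are constructed, the Squid result/status strings used for a timed-out fetch (TCP_MISS/000) are assumed, and the latency and failure thresholds are arbitrary.

```python
# Added example (not from the thread): per-host summary of a caching-proxy
# access log, the "partial audit trail" the moderator describes.
# Assumes Squid's native access.log layout:
#   time elapsed_ms client result/status bytes method url user hierarchy type
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample (not a real capture): one seattlepi.com page load where
# ib.adnxs.com hangs for ~30 s three times; status 000 for a timeout is assumed.
SAMPLE_LOG = """\
1345143622.101     42 192.168.1.10 TCP_MISS/200 5831 GET http://www.seattlepi.com/ - HIER_DIRECT/203.0.113.5 text/html
1345143622.388    120 192.168.1.10 TCP_MISS/200 9114 GET http://www.seattlepi.com/comics/ - HIER_DIRECT/203.0.113.5 text/html
1345143623.417  30004 192.168.1.10 TCP_MISS/000 0 GET http://ib.adnxs.com/ttj?id=1 - HIER_NONE/- -
1345143653.502  30002 192.168.1.10 TCP_MISS/000 0 GET http://ib.adnxs.com/ttj?id=2 - HIER_NONE/- -
1345143683.590  29998 192.168.1.10 TCP_MISS/000 0 GET http://ib.adnxs.com/ttj?id=3 - HIER_NONE/- -
1345143684.001     15 192.168.1.10 TCP_HIT/200 2210 GET http://ad.doubleclick.net/adj/x - NONE/- text/javascript
this line is garbage and must be skipped
"""


def parse_squid_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        elapsed_ms = int(parts[1])
        result, status = parts[3].split("/", 1)
        status = int(status)
    except (ValueError, IndexError):
        return None
    host = urlsplit(parts[6]).hostname
    if not host:
        return None
    return {"elapsed_ms": elapsed_ms, "status": status,
            "result": result, "host": host.lower()}


def summarize(log_text):
    """Per-host request count, failure count (status 0 or 5xx) and median latency."""
    per_host = defaultdict(lambda: {"requests": 0, "failures": 0, "elapsed": []})
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole report
        s = per_host[rec["host"]]
        s["requests"] += 1
        s["elapsed"].append(rec["elapsed_ms"])
        if rec["status"] == 0 or rec["status"] >= 500:
            s["failures"] += 1
    return {h: {"requests": s["requests"], "failures": s["failures"],
                "median_ms": median(s["elapsed"])}
            for h, s in per_host.items()}


def flag_hosts(summary, slow_ms=5000, min_failures=2):
    """Hosts worth a closer look (or a hosts-file entry): slow or repeatedly failing."""
    return sorted(h for h, s in summary.items()
                  if s["median_ms"] >= slow_ms or s["failures"] >= min_failures)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for host, s in sorted(stats.items()):
        print(f"{host:24} req={s['requests']} fail={s['failures']} median={s['median_ms']} ms")
    print("flagged:", flag_hosts(stats))
```

Run against a real access.log the same grouping shows which third-party hosts a page load actually pulls in and which of them stall, which is the evidence the thread otherwise lacks.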
Quote:
That seems to be the general consensus if you google for adnxs.com info.
Yes, the first thing I did was google ib.adnxs.com.
Quote:
Sites using external advertising management services have their displayed ads rotated for them and (depending on contracts and criteria) may not even be aware they're running ad such-and-such until they visit the site themselves or visitors start complaining (or worse: stay away). It's not uncommon for advertising agencies to lapse and as a result distribute one or two bad ads. It's just that the consequences can be devastating. Likewise an advertising agency has no control (except blocking them) over those submitting ads so if one of their hosts gets compromised it takes time for anyone in the chain to respond to visitor, client, provider or carrier complaints. Back to your reply: using an IDS and a proxy (caching or not) allows you to get a grip on requests and responses. Most of the time it'll be of limited use (statistics) but if you ever need to check out past requests then at least you have a partial audit trail.
You hit the nail on the head. I discovered that if I view the same content, comics or puzzles, in another newspaper, there is no problem. I will edit my home page and change certain links to another newspaper, drop the Seattle Post-Intelligencer. It's a fine rag, but so is the Houston Chronicle.
Anyway, I'm going to consider this problem resolved. I do need to institute an audit trail. It would save time when problems come up in the future. Maybe I could just go back to Usenet.
Here's part of my /etc/hosts file redirecting problem URLs to localhost. Most seem to display no actual content on the page that requests them, leading me to wonder if someone just neglected to remove them after they became obsolete. Others, like ad.doubleclick.net, display content but slow things down.
Don't confuse a problem URL with a problem service. The entry there for Akamai is slightly dubious, I'd say. If you start binning random Akamai addresses (of which there are SO SO SO many) you could easily find yourself being unable to pull other very legit content on other sites that use their CDN.
Quote:
Don't confuse a problem URL with a problem service. The entry there for Akamai is slightly dubious, I'd say. If you start binning random Akamai addresses (of which there are SO SO SO many) you could easily find yourself being unable to pull other very legit content on other sites that use their CDN.
Thanks for the heads-up. I commented out the cited line in /etc/hosts, and did the same for yieldmanager and doubleclick, feeling they might be worthy of trust.
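An added example, not part of the thread, covering the two points raised above: heyduke25's /etc/hosts sinkhole list and the caveat about binning shared CDN names. It parses hosts-file syntax, reports which names are deliberately blocked, shows that the files backend matches names exactly (so blocking ib.adnxs.com does nothing for any other adnxs.com host), and flags entries that look like shared infrastructure. The hosts content is constructed, not the poster's real file, and the CDN marker list is an assumption based only on the Akamai mention in the thread.

```python
# Added example (not from the thread): audit an /etc/hosts sinkhole list.
# Assumptions: names are blocked by pointing them at 127.0.0.1 or 0.0.0.0,
# matching is exact (glibc's "files" resolver has no wildcards), and the
# SAMPLE_HOSTS content below is constructed rather than the poster's file.
import ipaddress

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately map to loopback and are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "localhost6", "localhost6.localdomain6"}
# Substrings suggesting a shared CDN host rather than a single ad server.
# Assumed list: the thread only names Akamai.
SHARED_INFRA_MARKERS = ("akamai",)

SAMPLE_HOSTS = """\
127.0.0.1    localhost localhost.localdomain
::1          localhost6 localhost6.localdomain6
192.168.1.20 printer                      # LAN device, not a block
# ad and tracking hosts sinkholed to loopback
127.0.0.1    ib.adnxs.com
0.0.0.0      secure.adnxs.com
127.0.0.1    example-cdn.akamaihd.net     # constructed CDN-looking name
"""


def parse_hosts(text):
    """Return (address, lowercased name) pairs; comments and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # the resolver ignores unparsable lines as well
        entries.extend((addr, n.lower()) for n in names)
    return entries


def sinkholed(text):
    """Set of names the file deliberately blocks (loopback/unspecified targets)."""
    return {name for addr, name in parse_hosts(text)
            if addr in SINKHOLE_ADDRS and name not in LOCAL_NAMES}


def is_blocked(hostname, blocked):
    """Exact-match check: blocking ib.adnxs.com does nothing for cdn.adnxs.com."""
    return hostname.lower().rstrip(".") in blocked


def shared_infrastructure_entries(blocked):
    """Blocked names that may break unrelated sites (the CDN caveat)."""
    return sorted(n for n in blocked
                  if any(marker in n for marker in SHARED_INFRA_MARKERS))


if __name__ == "__main__":
    blocked = sinkholed(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked))
    for probe in ("ib.adnxs.com", "cdn.adnxs.com"):
        print(f"{probe}: {'blocked' if is_blocked(probe, blocked) else 'NOT blocked'}")
    print("review these:", shared_infrastructure_entries(blocked))
```

Pointing the script at the real file (open("/etc/hosts").read()) gives the same report for an actual sinkhole list; the exact-match behaviour is why a hosts file is a blunt tool compared with a blocking resolver or a browser addon such as those suggested earlier in the thread.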