LinuxQuestions.org


robertn 03-26-2004 04:12 PM

Mozilla/Google interfaced hacked
 
hello
I was trying to set up a firewall and made the mistake of using Mozilla when I was logged in as root on a console (or at least I think this is what happened). I was probing myself using "nmap -vv localhost, netstat -lnp, route, ping" and so on. Anyway, before I got iptables up and running, I saw that when I mouse-clicked on the Mozilla search window, the Google location was redirected to a porn site and all kinds of fast-moving messages were observed by me as it happened. "...spy.com.org or something....." and so on.

As this is an experimental partition to a dual boot Windows98 SE install, I just popped the Mandrake 9.1 RC2 cooker cd-rom into the bay and rebooted and immediately reformatted the 4 partitions that I made on the Linux side and reinstalled the system. I noticed that this installer makes an "old linux" option available on lilo and presumably this is the system that I just tried to get rid of.

The question is: Am I compromised? How would I know? I am online now with the new setup (including a rudimentary iptables firewall that blocks all ports) and using Mozilla, and running "top" on a console shows everything pretty normal. Is there anything that I should do? I intend to next go to Mandrake and download security and other updates. Is there any place I should go for a test of my system?

Thanks for any guidance or suggestions. robertn

zackarya 03-26-2004 05:02 PM

robertn, I don't think that you have anything to worry about. Sometimes webpages can (depending on various things) change certain settings in your browser, i.e. changing your homepage to pr0n or something. So that is most likely what happened. However, since you went through the effort of formatting and re-installing, you don't have anything to worry about. In the future I would not suggest such a radical solution as the first step. Normally, the only time you would format and re-install is as the last resort. Also note, even though you had not yet set up your firewall, since you initiated the connection by asking Mozilla to access some web page, the firewall would not stop this anyway. The best thing you can do to keep your system secure is to update regularly. If you're really paranoid, you could do a fresh install, get checksums for all your system files, also back up all your system files on a completely different physical device that is not on the network, and if you think something strange is going on, you can compare your system file checksums and if something does not match, replace the file or files with your backup files. Of course you have to update your checksums and backup files whenever a legitimate update changes your system files. There are some software packages that help to automate this process. I hope that this helps you.
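Added example (not from the thread or any poster): a minimal version of the baseline-checksum scheme zackarya describes, in Python. It hashes every regular file under a root, records the hash and permission bits as a baseline you could store offline, and later reports modified, missing and added files. The directory tree and the "tampering" are constructed in a temporary directory for illustration; the same functions work on a real root such as /bin.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record sha256 and permission bits for each regular file, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.stat().st_mode & 0o7777  # catches a new setuid bit, not just content
            baseline[str(p.relative_to(root))] = {"sha256": sha256_file(p), "mode": oct(mode)}
    return baseline


def compare(baseline, current):
    """Return which files changed, vanished or appeared since the baseline was taken."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed tree standing in for system files; every change below is simulated."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        # Round-trip through JSON: this is the form you would copy to offline media.
        baseline = json.loads(json.dumps(build_baseline(root)))
        (root / "bin" / "ps").write_bytes(b"replaced ps binary\n")  # content changed
        (root / "bin" / "ls").unlink()                                # file removed
        (root / "bin" / "extra").write_bytes(b"unexpected new file\n")  # file added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running it prints `{'modified': ['bin/ps'], 'missing': ['bin/ls'], 'added': ['bin/extra']}`; on a real system the baseline must be taken from a known-good install and stored where the machine being checked cannot rewrite it.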

witeshark 03-26-2004 10:49 PM

And in the future please never be online as root ;)

robertn 03-27-2004 12:00 AM

Thanks for the replies; I feel better. I am still setting up this old machine and experimenting. After I am satisfied with the network/internet interface, I intend to add either a CD-RW drive or a USB external device for backing up the systems. I will investigate the checksums utility then.

Also, copy the online-as-root warning; I will follow it. Right at this moment, I am considering changing ISP and I was considering reinstalling anyway in order to reconfigure my partitions more advantageously, so I just used the Google redirected to porn as a convenient reason to do it now. :D

By the way, I just noticed that my KPPP utility is owned by root and although I called it from the KDE desktop logged in as a user, the output of "ps -aux" shows that it apparently executes as root. Now this only gets me as far as my ISP and I am behind the ISP's firewall, but the /usr/bin/mozilla executable is also a root-owned executable. Is this right? I am sure it must be since people who know designed it, but I am just wondering. As you can see, I am pretty unsure of myself and have more questions than answers. :scratch:

Thanks again, robertn :study:

chort 03-27-2004 05:04 PM

Since Google is the most popular search engine, there are a lot of attempts at DNS poisoning to redirect to other sites, and also a lot of malicious scripts on websites that try to change your browser settings or install plugins. If you didn't have a firewall set up, there's a fairly decent chance that you were the victim of DNS poisoning.

This is an excellent illustration of why you should secure your box *BEFORE* you connect it to the 'net, instead of the other way around.

robertn 03-27-2004 09:06 PM

Thank you & follow-up update
 
I do appreciate the scolding and the interest. I now have two basic firewall scripts functional. The first I got from the Security Quick-Start HOWTO v1.1 included with the Mandrake 9.1 rc2 which blocks everything and the second from the wiki.org site affiliated with this site. This one allows SSH from port 20 and FTP from port 21. Both are simple enough that a new user can understand how they work.

Today, I fired up firewall #2 and used the update utility in the Mandrake Control Center GUI at the Software tab and the Update button therein. It made a valiant download of almost 6 Mbytes (according to the little "LED" display connection utility in the system tray) and then automatically pulled up the urpmi/rpm GUI and apparently checked for updatable packages. It then informed me that there were none or that I had already accomplished the available upgrades.

This also has me wondering :scratch: since this is the first time that I have tried to use an FTP mirror site to download anything. Am I really up to date with available security patches? I bought these install disks from the famous "Cheapbytes" site. Or is it perhaps that 9.1 is not supported anymore?

Oh well; I feel like I am making progress anyway. Thanks again.

:cool: robertn :study:
