01-03-2008, 04:30 AM
|
#1
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Rep:
|
Computers hacked via online forum?
On an online forum (not this one), strange things keep happening. Several people have reported their browser freezes, frequent log in pop-ups. I was locked out of my computer completely after clicking the link to a question and several people have reported that their trouble began after clicking on the same person's question link(s). I had to reboot in order to regain control. All other sites were o.k. when this happened. I thought there was something wrong with my machine so I went back and the same thing happened again, but not with other sites. Site Admin says this person has done nothing wrong there. Looking at the page source code I don't see anything that stands out, although I don't really have any knowledge in html at all; it just seems like headers, footers, colors. Others have checked who do know more than me and cannot find anything on the page that is out of place.
I'm wondering if some individual is hacking the site from the outside or could the site owners be the ones doing something to people's computers while they are visiting the site?
Is it possible?
Last edited by astromech; 01-03-2008 at 04:36 AM.
|
|
|
01-03-2008, 04:55 AM
|
#2
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
Online forums like this one use a lot of php and similar - there are php exploits that can be used to hack the site but what you want to know is if a specially crafted question could be used to produce things not intended when browsing to their post - perhaps. Depends what the sysadmins let you post.
eg. Some image formats (gif, png) used as avatars can contain malicious code. Some sites allow users to add html to their posts. But it is more likely that the association with the post is accidental.
Of course, if you mean links in the post - well...
|
|
|
01-03-2008, 05:42 AM
|
#3
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by Simon Bridge
Online forums like this one use a lot of php and similar - there are php exploits that can be used to hack the site but what you want to know is if a specially crafted question could be used to produce things not intended when browsing to their post - perhaps. Depends what the sysadmins let you post.
eg. Some image formats (gif, png) used as avatars can contain malicious code. Some sites allow users to add html to their posts. But it is more likely that the association with the post is accidental.
Of course, if you mean links in the post - well...
|
The sysadmins on that site allow HTML, GIF, png, YouTube link, links to other sites, images from other sites like photobucket and pretty much anywhere else. I don't know if it's relevant that the poster in question has put sound on a question page without trace of anything else showing.
But I also want to know if the sysadmins could be trying to gain control of our comps while we are visiting the site.
It reminds me of once visiting a *cereal* site and within seconds my browser froze and my bitdefender firewall told me that "kernel 32" was trying to access the internet. Now that was with Windows obviously and I know kernel 32 is not required to access the internet so I pulled the telephone plug and rebooted. But now this is with linux; the symptoms are similar but I don't have anything telling me that someone's trying to seize control of the linux kernel! So it's tough to know what's happening for sure. Any thoughts? And I did check my firewall and it passed the tests at shields up from gibson research. Wondering whether that makes any difference in this situation.
|
|
|
01-03-2008, 09:02 AM
|
#4
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
Quote:
Originally Posted by astromech
The sysadmins on that site allow HTML, GIF, png, YouTube link, links to other sites, images from other sites like photobucket and pretty much anywhere else. I don't know if it's relevant that the poster in question has put sound on a question page without trace of anything else showing.
|
Well then... all you are experiencing could be a result of the site code. Switch everything off when you visit, or, better yet, don't visit.
Quote:
But I also want to know if the sysadmins could be trying to gain control of our comps while we are visiting the site.
|
Well, I bet the site requires javascript and cookies turned on, and uses iframes, flash etc itself. But anything nasty coming from the sysadmins is likely to strike at the login phase. i.e. before you browse to any specific post.
Quote:
It reminds me of once visiting a *cereal* site and within seconds my browser froze and my bitdefender firewall told me that "kernel 32" was trying to access the internet.
[snip]
But now this is with linux; the symptoms are similar but I don't have anything telling me that someone's trying to seize control of the linux kernel! So it's tough to know what's happening for sure. Any thoughts? And I did check my firewall and it passed the tests at shields up from gibson research. Wondering whether that makes any difference in this situation.
|
The most they can try is tricking your web-aware apps (browser) to run something malicious. That's why you browse with noscript active, flash and cookies inactive.
You're right to be concerned - there are no linux botnet members so far, but linux servers have been subverted to run botnets (anecdotal).
SELinux will stop things from acting out of context - but browsers can do quite a bit. Try looking through your cookies. If you are really concerned, you can get your firewall to log weird outgoing connections. Check the site's privacy policy. Never log in as root.
But really, don't visit such an irresponsible site. Compare with LQ - Jeremy runs a pretty tight ship here.
|
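Added example, not part of any post in this thread: one way to act on the suggestion in post #4 to have the firewall log outgoing connections, then summarise the log for destinations on unexpected ports. The iptables rule in the comment, the `OUT-NEW: ` prefix, the set of expected ports and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed rule producing these lines (the prefix text is an arbitrary choice):
#   iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-NEW: "
PREFIX = "OUT-NEW: "
# (protocol, destination port) pairs treated as ordinary desktop traffic (assumption).
EXPECTED = {("TCP", 80), ("TCP", 443), ("UDP", 53), ("TCP", 53), ("UDP", 123)}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line, or None if it lacks our prefix."""
    _, found, rest = line.partition(PREFIX)
    return dict(FIELD.findall(rest)) if found else None

def unusual_connections(lines):
    """Count new outgoing connections to unexpected ports, most frequent first."""
    hits = Counter()
    for line in lines:
        fields = parse_line(line)
        if not fields or "DPT" not in fields:   # foreign line, or ICMP (no ports)
            continue
        proto, port = fields.get("PROTO", "?"), int(fields["DPT"])
        if (proto, port) not in EXPECTED:
            hits[(fields.get("DST", "?"), proto, port)] += 1
    return hits.most_common()

# Constructed kernel log lines (documentation address ranges), not captured traffic.
HEAD = "Jan  3 09:02:11 desk kernel: OUT-NEW: IN= OUT=eth0 SRC=192.168.1.10 "
SAMPLE_LOG = [
    HEAD + "DST=198.51.100.7 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 SYN",
    HEAD + "DST=203.0.113.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=6667 SYN",
    HEAD + "DST=203.0.113.5 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=6667 SYN",
    HEAD + "DST=192.0.2.53 LEN=70 TTL=64 ID=4 PROTO=UDP SPT=40004 DPT=53 LEN=50",
    HEAD + "DST=203.0.113.99 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=31337 SYN",
    HEAD + "DST=192.0.2.1 LEN=84 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "Jan  3 09:02:12 desk kernel: usb 1-1: new full speed USB device",
]

if __name__ == "__main__":
    for (dst, proto, port), count in unusual_connections(SAMPLE_LOG):
        print(f"{count:3}  {dst}  {proto}/{port}")
```

Comparing the summary from a session on the suspect site with one from ordinary browsing shows whether the site causes connections that normal browsing does not.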
|
|
01-03-2008, 01:16 PM
|
#5
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by Simon Bridge
Well then... all you are experiencing could be a result of the site code. Switch everything off when you visit, or, better yet, don't visit.
Well, I bet the site requires javascript and cookies turned on, and uses iframes, flash etc itself. But anything nasty coming from the sysadmins is likely to strike at the login phase. i.e. before you browse to any specific post.
The most they can try is tricking your web-aware apps (browser) to run something malicious. That's why you browse with noscript active, flash and cookies inactive.
You're right to be concerned - there are no linux botnet members so far, but linux servers have been subverted to run botnets (anecdotal).
SELinux will stop things from acting out of context - but browsers can do quite a bit. Try looking through your cookies. If you are really concerned, you can get your firewall to log weird outgoing connections. Check the site's privacy policy. Never log in as root.
But really, don't visit such an irresponsible site. Compare with LQ - Jeremy runs a pretty tight ship here.
|
Yes you are right about them being irresponsible. That has been my feeling exactly.
I don't know if their server is run with Linux or not. I've heard the term "botnets" but don't know exactly what they are; I will have to look that up.
Do you mean the "noscript" add on for Firefox? Or just turning scripts off? I have had the add on; I forgot to reinstall it. I have to say one thing about it: it makes browsing a pain, too bad.
Many sites such as ebay require cookies turned on, Yahoo too I believe.
Do you mean turn them off just for sites that are suspect or leave them off until you have no choice but to turn them on?
How do I turn off flash? Is it easy to turn back on?
SELinux: I've heard that term also but don't know what it is. Is it something that they (site admin) must use on their server or something that the average user can use on their system? I have a feeling it's the former.
Thanks
|
|
|
01-03-2008, 01:39 PM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by astromech
Do you mean the "noscript" add on for Firefox? Or just turning scripts off? I have had the add on; I forgot to reinstall it. I have to say one thing about it: it makes browsing a pain, too bad.
|
I'm pretty sure he meant NoScript.
I've got it installed and I honestly don't find browsing to be a pain - of course that's subjective.
Quote:
Many sites such as ebay require cookies turned on, Yahoo too I believe.
Do you mean turn them off just for sites that are suspect or leave them off until you have no choice but to turn them on?
|
IMHO the most feasible approach would be to whitelist cookies. There should be several extensions that do this. I just did a quick search and found this one.
Quote:
How do I turn off flash? Is it easy to turn back on?
|
NoScript will take care of Flash.
If you want an extension that is made specifically for Flash maybe try something like Flashblock.
Yes, enabling Flash for a particular site is easy, it should take nothing but a mouse click or two IIRC.
Quote:
SELinux: I've heard that term also but don't know what it is. Is it something that they (site admin) must use on their server or something that the average user can use on their system? I have a feeling it's the former.
|
It can be used for both clients and servers. It's not something an average desktop user would use unless it came pre-configured with their distro. That said, the types of attack you seem to be describing are precisely why extensions like NoScript were created - I highly recommend it.
Last edited by win32sux; 01-03-2008 at 01:50 PM.
|
|
|
01-03-2008, 02:14 PM
|
#7
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by win32sux
I'm pretty sure he meant NoScript.
I've got it installed and I honestly don't find browsing to be a pain - of course that's subjective.
IMHO the most feasible approach would be to whitelist cookies. There should be several extensions that do this. I just did a quick search and found this one.
NoScript will take care of Flash.
If you want an extension that is made specifically for Flash maybe try something like Flashblock.
Yes, enabling Flash for a particular site is easy, it should take nothing but a mouse click or two IIRC.
It can be used for both clients and servers. It's not something an average desktop user would use unless it came pre-configured with their distro. That said, the types of attack you seem to be describing are precisely why extensions like NoScript were created - I highly recommend it.
|
Hi thanks! Right after I posted I installed the Noscript add-on for Firefox and Flashblock. I turned off my cookies for now but will use a whitelist after I have reinstalled my OS just to be sure nothing is actually on my computer that shouldn't be there.
>>An example of the pain in the butt noscript can be: I couldn't post this reply without allowing everything here. It's tedious.
|
|
|
01-03-2008, 02:29 PM
|
#8
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by astromech
>>An example of the pain in the butt noscript can be: I couldn't post this reply without allowing everything here. It's tedious.
|
That's pretty strange. I have NoScript enabled right now as I'm posting this.
|
|
|
01-03-2008, 03:00 PM
|
#9
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by win32sux
That's pretty strange. I have NoScript enabled right now as I'm posting this.
|
This happens a lot for me. I think I'll go to the NoScript home page and maybe I'll find something out. I could be doing something wrong.
|
|
|
01-03-2008, 07:30 PM
|
#10
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
Noscript should be stopping the javascript on this page, there in LQ itself, google analytics and doubleclick.net
Make sure you have set up noscript properly.
|
|
|
01-05-2008, 10:47 PM
|
#11
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by Simon Bridge
Noscript should be stopping the javascript on this page, there in LQ itself, google analytics and doubleclick.net
Make sure you have set up noscript properly.
|
It's because I wasn't allowing google analytics, google syndication, doubleclick and stuff like that; I was only temporarily allowing them.
So I'd go from site to site and each time I had to re-allow all this stuff.
Unless those aren't good things to allow?
|
|
|
01-05-2008, 10:53 PM
|
#12
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Wondering...
Quote:
Originally Posted by Simon Bridge
Noscript should be stopping the javascript on this page, there in LQ itself, google analytics and doubleclick.net
Make sure you have set up noscript properly.
|
Another friend experienced a DOS attack after clicking on the suspect poster's link. Could such an attack be set up or initiated from something like that?
And thanks again for all your help!
|
|
|
01-06-2008, 04:58 AM
|
#13
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by astromech
Another friend experienced a DOS attack after clicking on the suspect poster's link. Could such an attack be set up or initiated from something like that?
|
In parts of this discussion there are no references to the OS used. Is it GNU/Linux or any *NIX in all cases? Now without providing an URI example or detailed account of events, asking such a question can only result in speculation. I do not want to make our fellow LQ members trip over possibly hostile contents and posting the URI is prohibited, so if you could submit the forum linkout to me by e-mail I'd appreciate it.
|
|
|
01-06-2008, 02:40 PM
|
#14
|
LQ Newbie
Registered: Feb 2007
Posts: 12
Original Poster
Rep:
|
Quote:
Originally Posted by unSpawn
In parts of this discussion there are no references to the OS used. Is it GNU/Linux or any *NIX in all cases? Now without providing an URI example or detailed account of events, asking such a question can only result in speculation. I do not want to make our fellow LQ members trip over possibly hostile contents and posting the URI is prohibited, so if you could submit the forum linkout to me by e-mail I'd appreciate it.
|
Ubuntu was the OS for me and friend that were there.
|
|
|
01-06-2008, 04:45 PM
|
#15
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,970
|
It is certainly possible for a link, anywhere, to contain "rogue" JavaScript which can certainly play-the-deuce with your browser.
|
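Added example, not part of any post in this thread: the original poster read the page source by eye and found nothing, so this sketch lists every construct in a saved copy of a page that can run script or load content on its own (scripts, frames, embedded media such as hidden sound, event-handler attributes, `javascript:` URLs). The tag list, the function names and the sample page with its hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags that run or auto-load content; embed/object/bgsound/audio cover "invisible" sound.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet", "bgsound", "audio"}
URL_ATTRS = {"href", "src", "action", "data"}

def url_scheme(url):
    """Scheme with whitespace/control characters dropped; errs toward flagging."""
    cleaned = "".join(c for c in url if ord(c) > 0x20).lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""

class ActiveContentAudit(HTMLParser):
    """Collect (line, kind, detail) for each construct that can run or auto-load."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = [(name, value or "") for name, value in attrs]
        if tag in ACTIVE_TAGS:
            named = dict(attrs)
            source = named.get("src") or named.get("data") or "(inline)"
            self.findings.append((line, "tag:" + tag, source))
        for name, value in attrs:
            if name.startswith("on"):            # onload, onerror, onmouseover, ...
                self.findings.append((line, "handler:" + name, value))
            elif name in URL_ATTRS and url_scheme(value) == "javascript":
                self.findings.append((line, "js-url:" + name, value))

def audit(html_text):
    """Return all findings for one saved page, in document order."""
    parser = ActiveContentAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical hosts), standing in for a saved forum thread.
SAMPLE_PAGE = "\n".join([
    "<html><body>",
    '<embed src="http://media.example/loop.mid" hidden="true" autostart="true">',
    '<iframe src="http://other.example/x" width="0" height="0"></iframe>',
    '<a href="javascript:void(0)">my question</a>',
    '<img src="pic.gif" onerror="void(0)">',
    '<a href="http://example.org/?q=javascript:">an ordinary link</a>',
    "</body></html>",
])
if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE_PAGE):
        print(f"line {line}: {kind:16} {detail}")
```

It inspects only the static HTML as saved; content that a script adds after the page loads will not appear in the findings.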
|
|
All times are GMT -5.