LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-03-2008, 04:30 AM   #1
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Rep: Reputation: 0
Computers hacked via online forum?


On an online forum (not this one), strange things keep happening. Several people have reported their browser freezes, frequent log in pop-ups. I was locked out of my computer completely after clicking the link to a question and several people have reported that their trouble began after clicking on the same person's question link(s). I had to reboot in order to regain control. All other sites were o.k. when this happened. I thought there was something wrong with my machine so I went back and the same thing happened again, but not with other sites. Site Admin says this person has done nothing wrong there. Looking at the page source code I don't see anything that stands out, although I don't really have any knowledge in html at all; it just seems like headers, footers, colors. Others have checked who do know more than me and cannot find anything on the page that is out of place.

I'm wondering if some individual is hacking the site from the outside or could the site owners be the ones doing something to people's computers while they are visiting the site?

Is it possible?

Last edited by astromech; 01-03-2008 at 04:36 AM.
 
Old 01-03-2008, 04:55 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Online forums like this one use a lot of php and similar - there are php exploits that can be used to hack the site but what you want to know is if a specially crafted question could be used to produce things not intended when browsing to their post - perhaps. Depends what the sysadmins let you post.

eg. Some image formats (gif, png) used as avatars can contain malicious code. Some sites allow users to add html to their posts. But it is more likely that the association with the post is accidental.

Of course, if you mean links in the post - well...
 
Old 01-03-2008, 05:42 AM   #3
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by Simon Bridge
Online forums like this one use a lot of php and similar - there are php exploits that can be used to hack the site but what you want to know is if a specially crafted question could be used to produce things not intended when browsing to their post - perhaps. Depends what the sysadmins let you post.

eg. Some image formats (gif, png) used as avatars can contain malicious code. Some sites allow users to add html to their posts. But it is more likely that the association with the post is accidental.

Of course, if you mean links in the post - well...



The sysadmins on that site allow HTML, GIF, png, YouTube link, links to other sites, images from other sites like photobucket and pretty much anywhere else. I don't know if it's relevant that the poster in question has put sound on a question page without trace of anything else showing.


But I also want to know if the sysadmins could be trying to gain control of our comps while we are visiting the site.

It reminds me of once visiting a *cereal* site and within seconds my browser froze and my bitdefender firewall told me that "kernel 32" was trying to access the internet. Now that was with Windows obviously and I know kernel 32 is not required to access the internet so I pulled the telephone plug and rebooted. But now this is with linux the symptoms are similar but I don't have anything telling me that someone's trying to seize control of the linux kernel! So it's tough to know what's happening for sure. Any thoughts? And I did check my firewall and it passed the tests at shields up from gibson research. Wondering whether that makes any difference in this situation.
 
Old 01-03-2008, 09:02 AM   #4
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Quote:
Originally Posted by astromech
The sysadmins on that site allow HTML, GIF, png, YouTube link, links to other sites, images from other sites like photobucket and pretty much anywhere else. I don't know if it's relevant that the poster in question has put sound on a question page without trace of anything else showing.
Well then... all you are experiencing could be a result of the site code. Switch everything off when you visit, or, better yet, don't visit.

Quote:
But I also want to know if the sysadmins could be trying to gain control of our comps while we are visiting the site.
Well, I bet the site requires javascript and cookies turned on, and uses iframes, flash etc itself. But anything nasty coming from the sysadmins is likely to strike at the login phase. i.e. before you browse to any specific post.

Quote:
It reminds me of once visiting a *cereal* site and within seconds my browser froze and my bitdefender firewall told me that "kernel 32" was trying to access the internet.
[snip]
But now this is with linux the symptoms are similar but I don't have anything telling me that someone's trying to seize control of the linux kernel! So it's tough to know what's happening for sure. Any thoughts? And I did check my firewall and it passed the tests at shields up from gibson research. Wondering whether that makes any difference in this situation.
The most they can try is tricking your web-aware apps (browser) to run something malicious. That's why you browse with noscript active, flash and cookies inactive.

You're right to be concerned - there are no linux botnet members so far, but linux servers have been subverted to run botnets (anecdotal).

SELinux will stop things from acting out of context - but browsers can do quite a bit. Try looking through your cookies. If you are really concerned, you can get your firewall to log weird outgoing connections. Check the site's privacy policy. Never log in as root.

But really, don't visit such an irresponsible site. Compare with LQ - Jeremy runs a pretty tight ship here.
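
Added example, not part of any post in this thread: a small Python audit of a saved copy of a forum page that lists the markup able to run or load active content, which is the kind of thing the replies above suggest a site allowing HTML in posts may serve. The sample post, its host names and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that run or load active content (scripts, plugins, frames, background audio).
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet", "bgsound"}
URL_ATTRS = {"href", "src", "data", "action"}  # attributes that can carry a URL


class ActiveContentAuditor(HTMLParser):
    """Collect (line, tag, reason) for markup that can run or load active content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line where this tag starts
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append((line, tag, "active-content tag"))
            if "hidden" in a or a.get("width") == "0" or a.get("height") == "0":
                self.findings.append((line, tag, "hidden or zero-size"))
        for name, value in a.items():
            if name.startswith("on"):  # onclick, onerror, onload, ...
                self.findings.append((line, tag, f"event handler {name}"))
            elif name in URL_ATTRS and "".join(value.split()).startswith("javascript:"):
                self.findings.append((line, tag, f"javascript: URL in {name}"))
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.append((line, tag, "meta refresh redirect"))


def audit(html_text):
    """Return the findings for one saved page, in document order."""
    auditor = ActiveContentAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample of a forum post body; hosts and markup are made up.
SAMPLE_POST = """<div class="post">
<p>Has anyone seen this before?</p>
<embed src="http://media.example/tune.mid" hidden="true" autostart="true">
<img src="http://images.example/a.gif" onerror="doSomething()">
<a href="javascript:void(0)">my question</a>
<iframe src="http://other.example/page" width="0" height="0"></iframe>
<p>Plain text with a <a href="http://forum.example/t/1">normal link</a>.</p>
</div>"""

if __name__ == "__main__":
    for line, tag, reason in audit(SAMPLE_POST):
        print(f"line {line}: <{tag}> {reason}")
```

Run it against the page source saved from the browser ("view source", then save) rather than fetching the page again, so the audit sees what was actually served.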
 
Old 01-03-2008, 01:16 PM   #5
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Simon Bridge
Well then... all you are experiencing could be a result of the site code. Switch everything off when you visit, or, better yet, don't visit.

Well, I bet the site requires javascript and cookies turned on, and uses iframes, flash etc itself. But anything nasty coming from the sysadmins is likely to strike at the login phase. i.e. before you browse to any specific post.


The most they can try is tricking your web-aware apps (browser) to run something malicious. That's why you browse with noscript active, flash and cookies inactive.

You're right to be concerned - there are no linux botnet members so far, but linux servers have been subverted to run botnets (anecdotal).

SELinux will stop things from acting out of context - but browsers can do quite a bit. Try looking through your cookies. If you are really concerned, you can get your firewall to log weird outgoing connections. Check the site's privacy policy. Never log in as root.

But really, don't visit such an irresponsible site. Compare with LQ - Jeremy runs a pretty tight ship here.



Yes you are right about them being irresponsible. That has been my feeling exactly.

I don't know if their server is run with Linux or not. I've heard the term "botnets" but don't know exactly what they are; I will have to look that up.

Do you mean the "noscript" add-on for Firefox, or just turning scripts off? I have had the add-on; I forgot to reinstall it. I have to say one thing about it: it makes browsing a pain, too bad.

Many sites such as ebay require cookies turned on, Yahoo too I believe.
Do you mean turn them off just for sites that are suspect or leave them off until you have no choice but to turn them on?

How do I turn off flash? Is it easy to turn back on?

SELinux: I've heard that term also but don't know what it is. Is it something that they (site admin) must use on their server or something that the average user can use on their system? I have a feeling it's the former.

Thanks
 
Old 01-03-2008, 01:39 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by astromech
Do you mean the "noscript" add-on for Firefox, or just turning scripts off? I have had the add-on; I forgot to reinstall it. I have to say one thing about it: it makes browsing a pain, too bad.
I'm pretty sure he meant NoScript.

I've got it installed and I honestly don't find browsing to be a pain - of course that's subjective.

Quote:
Many sites such as ebay require cookies turned on, Yahoo too I believe.
Do you mean turn them off just for sites that are suspect or leave them off until you have no choice but to turn them on?
IMHO the most feasible approach would be to whitelist cookies. There should be several extensions that do this. I just did a quick search and found this one.

Quote:
How do I turn off flash? Is it easy to turn back on?
NoScript will take care of Flash.

If you want an extension that is made specifically for Flash maybe try something like Flashblock.

Yes, enabling Flash for a particular site is easy, it should take nothing but a mouse click or two IIRC.

Quote:
SELinux: I've heard that term also but don't know what it is. Is it something that they (site admin) must use on their server or something that the average user can use on their system? I have a feeling it's the former.
It can be used for both clients and servers. It's not something an average desktop user would use unless it came pre-configured with their distro. That said, the types of attack you seem to be describing are precisely why extensions like NoScript were created - I highly recommend it.

Last edited by win32sux; 01-03-2008 at 01:50 PM.
 
Old 01-03-2008, 02:14 PM   #7
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux
I'm pretty sure he meant NoScript.

I've got it installed and I honestly don't find browsing to be a pain - of course that's subjective.

IMHO the most feasible approach would be to whitelist cookies. There should be several extensions that do this. I just did a quick search and found this one.

NoScript will take care of Flash.

If you want an extension that is made specifically for Flash maybe try something like Flashblock.

Yes, enabling Flash for a particular site is easy, it should take nothing but a mouse click or two IIRC.

It can be used for both clients and servers. It's not something an average desktop user would use unless it came pre-configured with their distro. That said, the types of attack you seem to be describing are precisely why extensions like NoScript were created - I highly recommend it.

Hi thanks! Right after I posted I installed the NoScript add-on for Firefox and Flashblock. I turned off my cookies for now but will use a whitelist after I have reinstalled my OS just to be sure nothing is actually on my computer that shouldn't be there.


>>An example of the pain in the butt noscript can be: I couldn't post this reply without allowing everything here. It's tedious.
 
Old 01-03-2008, 02:29 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by astromech
>>An example of the pain in the butt noscript can be: I couldn't post this reply without allowing everything here. It's tedious.
That's pretty strange. I have NoScript enabled right now as I'm posting this.
 
Old 01-03-2008, 03:00 PM   #9
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by win32sux
That's pretty strange. I have NoScript enabled right now as I'm posting this.


This happens a lot for me. I think I'll go to the NoScript home page and maybe I'll find something out. I could be doing something wrong.
 
Old 01-03-2008, 07:30 PM   #10
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Noscript should be stopping the javascript on this page, there in LQ itself, google analytics and doubleclick.net

Make sure you have set up noscript properly.
 
Old 01-05-2008, 10:47 PM   #11
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by Simon Bridge
Noscript should be stopping the javascript on this page, there in LQ itself, google analytics and doubleclick.net

Make sure you have set up noscript properly.

It's because I wasn't allowing google analytics, google syndication, doubleclick and stuff like that; I was only temporarily allowing them.

So I'd go from site to site and each time I had to re-allow all this stuff.

Unless those aren't good things to allow?
 
Old 01-05-2008, 10:53 PM   #12
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0
Wondering...

Quote:
Originally Posted by Simon Bridge
Noscript should be stopping the javascript on this page, there in LQ itself, google analytics and doubleclick.net

Make sure you have set up noscript properly.


Another friend experienced a DOS attack after clicking on the suspect poster's link. Could such an attack be set up or initiated from something like that?

And thanks again for all your help!
 
Old 01-06-2008, 04:58 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by astromech
Another friend experienced a DOS attack after clicking on the suspect poster's link. Could such an attack be set up or initiated from something like that?
In parts of this discussion there are no references to the OS used. Is it GNU/Linux or any *NIX in all cases? Now without providing an URI example or detailed account of events, asking such a question can only result in speculation. I do not want to make our fellow LQ members trip over possibly hostile contents and posting the URI is prohibited, so if you could submit the forum linkout to me by e-mail I'd appreciate it.
 
Old 01-06-2008, 02:40 PM   #14
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by unSpawn
In parts of this discussion there are no references to the OS used. Is it GNU/Linux or any *NIX in all cases? Now without providing an URI example or detailed account of events, asking such a question can only result in speculation. I do not want to make our fellow LQ members trip over possibly hostile contents and posting the URI is prohibited, so if you could submit the forum linkout to me by e-mail I'd appreciate it.

Ubuntu was the OS for me and friend that were there.
 
Old 01-06-2008, 04:45 PM   #15
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,970
Blog Entries: 4

Rep: Reputation: 4027
It is certainly possible for a link, anywhere, to contain "rogue" JavaScript which can certainly play-the-deuce with your browser.
 
  



All times are GMT -5.
