Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Had a phone call from my Mum last night. She is running Mandriva 10 on her laptop, connected wirelessly to a router. Other Windows computers sit on the internal network.
She has found that when loading firefox in the last couple of days, clicking on her google bookmark redirects her to AssociationVoice dot com. Also, the general network speed of her browser has slowed. I thought she was going through a proxy so I asked her (over the phone) to bring up her firefox proxy settings. These were set to the default option of "Use system proxy settings" so she changed it to "connect directly". This seemed to sort the problem as google would then load when entering it in the address bar or clicking her bookmark.
However, my concern is that either firefox or her computer has been compromised. I cannot quite believe it is her computer since she is running Mandriva rather than Windows, keeps it updated and does not generally surf for anything dodgy. Still, the possibility remains. Has anyone seen this behaviour before? I am going to see her tonight so will have a chance to poke around further.
She is not very computer savvy but likes to research on the internet on various historical sites. The redirect behaviour seems to tally with her deciding to play Patience online (KPatience is installed but she didn't know that) so she picked the first google listing she came to. The site had music playing, flash game etc... Whether this was the culprit for changing the proxy settings on her machine, I have no idea but it seems the only likely possibility.
The problem appears at this moment to be confined to her laptop. Other computers connect to google etc... without any issues.
Inadvertent installation of some plugin or add on. It's not impossible for these to be cross platform. After all, I've seen Microsoft targeted infections attempting an installation through Firefox on Linux.
Install ad block and no-script. Shameful that many sites rely on adverts for income - too bad the advertising agencies don't have enough scruples to ensure the safety of the customer. Some sites do have safe ads. LQ is on my safe list.
I am afraid this took a turn for the worse last night and today. First, some minor facts.
Firefox is a 3.6 version (Mandriva latest rpm update)
Extensions installed are noScript, Adblock+ and KDE's plasma notify.
Plugins installed are flash and totem.
Laptop is wirelessly connected to BT home hub downstairs.
I emptied the cache, history etc... and set these to be dumped upon exiting of the browser.
The problem sporadically occurs. I think it seems to be when the wireless signal is particularly weak. The reason for this is that the redirection occurred for me as Mum walked into the room (maybe blocking the signal). It is irrelevant which webpage I clicked on as all her bookmarks usually redirected back to this one site. However, a few seconds later and after clearing the cache, things were fine.
I say usually as occasionally an IIS status screen would appear instead showing that the given webpage was missing. Kind of like a page missing in a cache. This was external since it was IIS but it also showed the directory of the cached page to be D:\Web... (cannot remember the full path).
So I thought all this may be DNS hijacking of some kind so I have changed the DNS settings of the laptop to OpenDNS servers to see if that would make a difference. So far so good.
This morning...
My father received a call from a gentleman claiming to be from BT who had noted a problem in their region concerning google redirects and had a patch that would fix the problem. Dad said he would phone me and I would call the guy back. Of course, I rang BT who confirmed the call was fraudulent. Now I want to know how they got my parents' phone number.
My father surfs the internet with Mandriva same as my Mother. However, he does have a dual booted computer (Windows). Assuming, for instance, the Windows partition was compromised, how would it be possible to compromise the networking/router? I just cannot believe linux is the source of the attack vector, especially since konqueror did not show any of this behaviour last night.
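The checks the thread works through by hand (the Firefox proxy setting, a possible hosts-file or resolver hijack, and whether the system resolver answers differently from OpenDNS) can be scripted. The following is an added example, not code from the thread or from any of the posters; it assumes stock Linux file locations, the OpenDNS address from the thread, and a hypothetical allow-list of expected resolvers that you would edit for your own network.

```bash
#!/bin/sh
# Added example: defender-side checks for the "bookmark redirects to an
# unrelated site" symptom. Paths, hostnames and the resolver allow-list
# are assumptions for illustration, not values taken from the thread.

# Print any /etc/hosts mapping for a hostname that is not loopback.
# $1 = hosts file, $2 = hostname
hosts_override() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++)
              if ($i == h && $1 != "127.0.0.1" && $1 != "::1") print $1 }
    ' "$1"
}

# Print every nameserver in a resolv.conf that is not in the allow-list.
# $1 = resolv.conf, $2 = space-separated list of expected resolvers
unexpected_resolvers() {
    awk -v allow=" $2 " '
        $1 == "nameserver" && index(allow, " " $2 " ") == 0 { print $2 }
    ' "$1"
}

# Print the proxy-related prefs from a Firefox profile's prefs.js.
# network.proxy.type 0 = no proxy, 1 = manual, 5 = use system settings.
# $1 = prefs.js
proxy_prefs() {
    grep -E 'user_pref\("network\.proxy\.' "$1" || true
}

# Compare two whitespace-separated answer lists as sets.
# $1 = answers from resolver A, $2 = answers from resolver B
compare_answers() {
    a=$(printf '%s\n' $1 | sort -u | tr '\n' ' ')
    b=$(printf '%s\n' $2 | sort -u | tr '\n' ' ')
    if [ "$a" = "$b" ]; then echo SAME; else echo DIFFERENT; fi
}

# Live check (needs network and dig from bind-utils): resolve a name through
# the system resolver and through OpenDNS, then compare the two answer sets.
live_dns_check() {
    name=${1:-www.google.com}        # assumed test name
    sys=$(dig +short A "$name" | grep -E '^[0-9.]+$')
    ref=$(dig +short A "$name" @208.67.222.222 | grep -E '^[0-9.]+$')
    echo "system resolver : $sys"
    echo "OpenDNS         : $ref"
    compare_answers "$sys" "$ref"
}

# Typical run on the affected laptop (edit the allow-list for your network):
#   hosts_override /etc/hosts www.google.com
#   unexpected_resolvers /etc/resolv.conf "192.168.1.254 208.67.222.222 208.67.220.220"
#   proxy_prefs ~/.mozilla/firefox/*.default/prefs.js
#   live_dns_check www.google.com
```

A DIFFERENT result from `live_dns_check` on a CDN-hosted name such as google is not by itself proof of hijacking, since large sites legitimately hand out different addresses to different resolvers; what is worth chasing is a non-loopback entry from `hosts_override`, a nameserver you did not configure from `unexpected_resolvers`, or a `network.proxy.type` of 1 with a proxy host you do not recognise.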