Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
06-30-2006, 05:53 PM | #1 | LQ Newbie | Registered: Jun 2006 | Posts: 1
Similar Problems
//moderator note: posts pruned from Linux Spyware. Please do NOT revive stale threads.
I just wanted to jump in and note that I am also having some of the problems that BajaNick is suggesting. When surfing I am now getting a lot of specific ads with my city etc. This has happened after a sudden surge in junk emails (20-30 per day, from zero). This also seems to spread to a second computer on my home network and other logins. Both are running RH9, although one is a dual boot with Win Me. The systems are on a home network behind a Netgear router with a firewall. Does having this type of information available to random websites not suggest spyware? Or is there something else? How does one stop broadcasting this type of information over the internet?
Last edited by unSpawn; 02-18-2007 at 04:52 AM.
06-30-2006, 06:27 PM | #2 | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
The information is obtained from your IP address on the internet. IP addresses are supplied in blocks to your ISP, and the web site is simply finding out where your IP address is.
These popups sound like a variant on the block popup scam. Firstly, they didn't even notice that you are not using Windows. So you know they weren't looking for any spyware. The anti-spyware software that they supply is most likely spyware.
06-30-2006, 06:39 PM | #3 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by MikeNorth
I just wanted to jump in and note that I am also having some of the problems that BajaNick is suggesting. When surfing I am now getting a lot of specific ads with my city etc. This has happened after a sudden surge in junk emails (20-30 per day, from zero). This also seems to spread to a second computer on my home network and other logins. Both are running RH9, although one is a dual boot with Win Me. The systems are on a home network behind a Netgear router with a firewall. Does having this type of information available to random websites not suggest spyware? Or is there something else? How does one stop broadcasting this type of information over the internet?
Your approximate geographical location can be obtained from your IP address... Google for "geoip" and you'll see how. There's also other info that websites you visit get from you without the need for spyware. To have an idea, run the following privacy test:
http://network-tools.com/analyze/
Just my ...
02-14-2007, 02:15 PM | #4 | Member | Registered: Nov 2006 | Location: UK | Distribution: Mandriva 2007 | Posts: 93
Unexpected hard drive activity preventing immediate shutdown
Whoops, wrong place. Sorry.
02-15-2007, 06:57 AM | #5 | Member | Registered: Jun 2003 | Location: UK | Distribution: Devuan Beowulf | Posts: 514
To the OP, consider using something that disallows scripts in your browser, such as the NoScript plugin for Firefox. The popups are usually JavaScript driven, and stopping JS generally kills the popups. NoScript, as an example, disallows all scripts on a site by default. You then allow the ones you need as and when required.
As for Linux spyware, I've never heard of any so far. The nearest you might get is someone hacking you and adding a trojan to your machine.
It's not something you should lose sleep over, as long as you keep your machine updated.
02-15-2007, 07:42 AM | #6 | Member | Registered: Nov 2004 | Location: Hellas | Distribution: Zenwalk 6.4 | Posts: 337
This kind of ad you show is surely something that your browser can give away pretty easily, and it can be found by your IP address since you are not behind a proxy server to have anonymity.
As for the security part... Red Hat 9 dropped support for updates in mid-2004. So if Red Hat is the most famous corporate distro in America and you got hacked once, then it's most probably going to happen again due to its vulnerability of not having updates anymore.
For your sanity, my friend, update the system to something more recent.
02-15-2007, 08:02 AM | #7 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Quote:
I thought there was no spyware for Linux?
Bring technical facts. This is wrong.
02-17-2007, 11:44 PM | #8 | Member | Registered: Jul 2003 | Location: NY | Distribution: Slackware, Termux | Posts: 877
Quote:
Originally Posted by BajaNick
I received a popup. It showed my IP address, my physical location (Los Angeles) and it also showed me my ISP name and the time and date of my current connection, and it was not like any other popup I have received before. It didn't seem to want to sell me anything like the usual ones; it was just there with no other information. It was kind of freaky.
You'd be surprised to see what you can do with JavaScript and Java, by themselves or together. Sending an IP address (which you give up on connecting to something) to a site which returns geolocation and then displaying that info back to the user is not very complex. You can find ZIP codes; sometimes hostnames given by your ISP can reveal the city you're in. RoadRunner is big on this; I've seen Verizon do it too.
- a residential cable modem in central New York.
Tools like p0f can guess your kernel version, uptime, and network connection with accuracy. There's not a lot of talk about SNMP, but if a system is running SNMP services and they are accessible, you can tell just about anything about that system, from where in the world it is to who owns it, what it's running at the moment, and where it itself is connecting.
The data is out there; add in a little guesswork and you can come up with data that appears to be knowable only by you.
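Posts #2, #3 and this one all make the same point: a site learns your approximate location and platform passively, from the connection itself, with no spyware involved. The following Python script is an added example (not code from any of the posters) that shows what a server can assemble from a single request: the client IP, a prefix-to-location lookup of the kind a GeoIP database performs, a location hint carried in an ISP's reverse-DNS name, and the OS and language the browser volunteers in its own headers. The HTTP request, the prefix table and the hostname code table are all constructed for the example and are not real data.

```python
"""
Added example (not from the thread): what a web server learns about a visitor
without any spyware.  Every input below is constructed for illustration.
"""
import ipaddress

# Constructed: a raw HTTP/1.1 request as a 2005-era Firefox on Linux would send it.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) "
    "Gecko/20050511 Firefox/1.0.4\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Referer: http://search.example.net/?q=linux+spyware\r\n"
    "\r\n"
)

# Constructed: a tiny prefix-to-location table standing in for a GeoIP database.
# Real databases are the same idea at scale: address blocks are allocated to
# ISPs, and ISPs route each block from a known place.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Los Angeles, US"),
    (ipaddress.ip_network("198.51.100.0/24"), "Syracuse, US"),
]

# Constructed (assumption for the example, not a real ISP table): some ISPs
# embed an airport-style city code in the reverse-DNS name of each customer.
HOSTNAME_LOCATION_CODES = {"lax": "Los Angeles", "syr": "Syracuse"}


def parse_headers(raw):
    """Return (request line, {lower-cased header: value}) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def os_from_user_agent(ua):
    """Coarse OS guess from the User-Agent string; every site gets this for free."""
    for needle, label in (("Windows", "Windows"), ("Mac OS X", "Mac OS X"),
                          ("Linux", "Linux")):
        if needle in ua:
            return label
    return "unknown"


def geolocate(ip_text):
    """Longest-prefix match of the client IP against the (constructed) table."""
    ip = ipaddress.ip_address(ip_text)
    best = None
    for net, place in GEOIP_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, place)
    return best[1] if best else "unknown"


def location_from_hostname(hostname):
    """Pull a city hint out of a reverse-DNS name such as cpe-...lax.res.example-isp.net."""
    for label in hostname.lower().split("."):
        if label in HOSTNAME_LOCATION_CODES:
            return HOSTNAME_LOCATION_CODES[label]
    return None


def visitor_profile(client_ip, raw_request, reverse_dns=None):
    """Everything the server can log from one request plus an optional reverse lookup."""
    request_line, headers = parse_headers(raw_request)
    ua = headers.get("user-agent", "")
    return {
        "ip": client_ip,
        "approx_location": geolocate(client_ip),
        "hostname_hint": location_from_hostname(reverse_dns) if reverse_dns else None,
        "os": os_from_user_agent(ua),
        "language": headers.get("accept-language", "").split(",")[0],
        "came_from": headers.get("referer"),
        "resource": request_line.split(" ")[1],
    }


if __name__ == "__main__":
    profile = visitor_profile(
        "203.0.113.45", SAMPLE_REQUEST,
        reverse_dns="cpe-203-0-113-45.lax.res.example-isp.net")  # constructed
    for key, value in profile.items():
        print(f"{key:16} {value}")
```

Nothing here needed code on the client: the IP is required to route the reply, the reverse-DNS name is published by the ISP, and the User-Agent, Accept-Language and Referer headers are sent by the browser itself. Blocking JavaScript stops the popup that displays the information back to you; it does not stop the server from collecting it.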
02-18-2007, 01:00 AM | #9 | LQ Guru | Registered: Oct 2003 | Location: Waiheke NZ | Distribution: Ubuntu | Posts: 9,211
Almost no Windows user could tell you what every file is on their system. That's scary.
... from someone's sig.
So... how many linux users can state what every file is on their system? And what is so scary about that?
Last edited by Simon Bridge; 02-18-2007 at 05:09 PM.
02-18-2007, 02:14 AM | #10 | Member | Registered: Nov 2004 | Location: Hellas | Distribution: Zenwalk 6.4 | Posts: 337
That's correct, but probably jayjwa meant you can always learn by opening the file and reading the comments.
Can you open a file under C:/windows and find out what it is?
But we are off topic here..
02-18-2007, 02:50 AM | #11 | Senior Member | Registered: Feb 2002 | Distribution: t2 - trying to anyway | Posts: 2,541
The server that serves whatever you are looking at kind of needs to know your IP address.
02-18-2007, 08:33 AM | #12 | LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 10,863
"Spyware" pretty much consists of a rogue JavaScript (or in some cases, a bit of code attached to an image). The only way to effectively stop it is with a proxy filter such as Privoxy, which is readily available for both Windows and Linux.
A "proxy" is a program that sits between you and the web. Your browser must forward its traffic to the proxy, which retransmits it to the web. The proxy can filter objectionable content in both directions.
In the Windows environments, the core problem is that most users run as Administrators. When presented with a prompt for an admin password, they reflexively type it in. And so they allow any bit of code from the Internet to run with unrestricted access to their machines, and chaos ensues.
In the Linux and OS/X environments, users typically do not run with full, unrestricted privileges. Thus, "rogue" programs do not have unrestricted privileges either, and when that is the case it is quite difficult for a rogue to do global, lasting harm. And this is why Apple has been able to get so much press from the tag-line that "Windows has 144,000 viruses and OS/X has none."
Ironically, Windows has just as much potential ability to deflect viruses, in exactly the same way, but for tens of millions of Windows systems out there on the Internet all of that protection is turned off! Users do not know about it because they are never told about it. They spend millions of dollars on useless "anti-virus" programs, having been lectured that these are essential when in many cases they are part of the problem.
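As an added example of the proxy-filter approach this post describes (not the poster's own configuration, and not taken from the thread), here is a minimal Privoxy user.action fragment. It assumes the Privoxy 3.0.x action-file syntax and its stock filter names (unsolicited-popups, js-annoyances, webbugs); the ad-server hostnames are constructed placeholders, not real ad networks.

```conf
# Added example: a minimal Privoxy user.action (3.0.x syntax assumed).
# Applied to every URL ("/"): kill JavaScript-driven popups and the usual
# browser-side giveaways (web bugs, Referer leaking to third-party sites).
{ +filter{unsolicited-popups} +filter{js-annoyances} +filter{webbugs} +hide-referrer{conditional-block} }
/

# Block known ad and tracking hosts outright (constructed placeholder names).
{ +block{Ad server.} }
.ads.example-adnetwork.net
.tracker.example-adnetwork.net

# Sites that genuinely need their scripts can be exempted afterwards;
# later sections override earlier ones for the URLs they match.
{ -filter{unsolicited-popups} -filter{js-annoyances} }
.example-bank.com
```

Privoxy's stock config already loads user.action via `actionsfile user.action` and listens on 127.0.0.1:8118; the browser's HTTP proxy must be pointed at that address, because with no proxy setting the browser talks to the web directly and nothing in this file is applied. Like NoScript, this stops the popup from being rendered; it cannot stop the server from learning your IP address in the first place.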
02-18-2007, 04:08 PM | #13 | LQ Guru | Registered: Oct 2003 | Location: Waiheke NZ | Distribution: Ubuntu | Posts: 9,211
Quote:
Originally Posted by exodist
Chort, I have seen the argument before. It is true that a reason Linux has fewer worms and viruses is because the attackers want more targets, but Linux really hasn't been tested against a major virus flood like Windows has. I personally believe that the layout of a Linux system would protect it and prevent the kind of mass failure and mass hysteria like a few weeks ago on Windows.
This has been thrashed out before. For example:
http://www.theregister.co.uk/securit...dows_vs_linux/
Quote:
This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, [1] 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS. Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.
Yet this is precisely the opposite of what we find, historically. IIS has long been the primary target for worms and other attacks, and these attacks have been largely successful. The Code Red worm that exploited a buffer overrun in an IIS service to gain control of the web servers infected some 300,000 servers, and the number of infections only stopped because the worm was deliberately written to stop spreading. Code Red.A had an even faster rate of infection, although it too self-terminated after three weeks. Another worm, IISWorm, had a limited impact only because the worm was badly written, not because IIS successfully protected itself.
|
The statistics have changed a bit since 2004 - see http://en.wikipedia.org/wiki/Compari...dows_and_Linux
Quote:
Historically, Windows has tended to dominate in the desktop and personal computer markets (about 89.2% of the desktop market share), and Linux has achieved between 50 - 80% market share of the web server, render farm, and supercomputer markets.
|
... so, we should see the vast majority of attacks to be leveled against Linux in this area. Yet this is still not the case.
The other one we've seen is the myth that OSS is inherently less secure because the source code is available to attackers. Thus, attackers can peruse the code for vulnerabilities. Add to this the increasing trend for new malware to be written by people who are quite expert in coding and it sounds like a nasty combination.
Quote:
The evidence begs to differ. The number of effective Windows-specific viruses, Trojans, spyware, worms and malicious programs is enormous, and the number of machines repeatedly infected by any combination of the above is so large it is difficult to quantify in realistic terms. Malicious software is so rampant that the average time it takes for an unpatched Windows XP to be compromised after connecting it directly to the Internet is 16 minutes -- less time than it takes to download and install the patches that would help protect that PC. [3]
As another example, the Apache web server is open source. Microsoft IIS is proprietary. In this case, the evidence refutes both the "most popular" myth and the "open source danger" myth. The Apache web server is by far the most popular web server. If these two myths were both true, one would expect Apache and the operating systems on which it runs to suffer far more intrusions and problems than Microsoft Windows and IIS. Yet precisely the opposite is true. Apache has a near monopoly on the best uptime statistics. Neither Microsoft Windows nor Microsoft IIS appear anywhere in the top 50 servers with the best uptime. Obviously, the fact that malicious hackers have access to the source code for Apache does not give them an advantage for creating more successful attacks against Apache than IIS.
|
[3] Unpatched PC "Survival Time" Just 16 Minutes, by Gregg Keizer, TechWeb News. See references section below for URL.
See also:
http://www.varlinux.org/vl/html/modu...Gregg%20Keizer
http://www.itnews.com.au/newsstory.aspx?CIID=19387
The other mistake I see around here is more subtle. It involves stating a single metric and basing the conclusion on that. The issues involved are far too complex to yield to a single point of analysis. As an example of why this is important, consider:
Quote:
Ask yourself this question: If you experienced a heart attack at this very moment, to which hospital emergency room would you rather be taken? Would you want to go to the one with the best average response time from check-in to medical treatment? Or would you rather be taken to an emergency room with a poor record for average response time, but where the patients with the most severe medical problems always get immediate attention?
One would obviously choose the latter, but not necessarily because the above information proves it is the better emergency room. The latter choice is preferable because it includes two metrics, one of which is more important to you at that precise moment.
|
... aww shucks, just read the article.
Note: the Register article is quite out of date in terms of statistics. However, up-to-date statistics are available for their most important metrics, and the case is, if anything, even better today than when the article was written.
None of this refers to Windows Vista, which has removed many of the problems associated with previous releases (but added some odd vulnerabilities deliberately). For example, legacy support has been dropped from the kernel (replaced by emulation) and users no longer work with administrator privileges.
02-18-2007, 04:36 PM | #14 | LQ Guru | Registered: Oct 2003 | Location: Waiheke NZ | Distribution: Ubuntu | Posts: 9,211
Source of Security Vulnerabilities in Linux
(Inside information from Symantec)
I went to university with some guys who ended up as programmers for Symantec; one was specifically looking for vulnerabilities in Linux, Solaris etc. and I knew he had a strong Unix background. So I asked him if Linux users are justified in being smug about security.
He says: yes.
In that professional's opinion, the main strength of Linux against malware has traditionally been due to users compiling their own system from source. Symantec have been increasingly concerned about the proliferation of package-managed distributions which have their managers running as root. Users could be social-engineered to accept third-party packages without question.
Social engineering has always been the number one way malware gets on the system ("run this script './install-malware.sh' as root to improve system performance"). Just look at the "success" of the "I love you" virus: it wasn't a well written virus, it's just that so many people seem to be curious about any attachment called "I love you". That's the social part.
He also pointed out some very nasty viruses written for Linux, not so much for what they did but because the code and the timing ... suggested a new kind of attacker. One with skills and forethought.
He also pointed me at some viruses designed to migrate between Windows and Linux environments; systems running WINE are particularly vulnerable in this way since WINE is "very faithful" (his words) to the Windows API, warts and all. WINE systems can be vulnerable to some Windows malware too, of course. Particularly if IE is used under WINE for browsing.
But wait: there's more.
Contrary to popular opinion, Linux systems have been tested against major virus outbreaks, in server environments, where Linux holds a market majority. Damage was minimal because Linux's structure made it difficult for the worm to get anywhere bad, and Linux sysadmins were typically more knowledgeable of their systems. Response time was fast, and the various developers were extremely cooperative in plugging the holes.
Lastly:
Operating systems are very secure now across the board. So much so that attackers are looking to applications rather than the OS itself. They are focusing on the services you run.
Linux folk get to be smug there too because Linux policy has always been to start with everything shut down by default, so it is unlikely that anyone running a service is unaware of it (they had to physically enable it, after all). In Windows admin it is quite normal for novice admins to run services they do not intend to.
Linux folk are used to running headless machines remotely, where Windows admins usually expect physical access to the box. Anyone who has had to recover their root password knows that physical access is total access. There, they expect a GUI, where a Linux admin will expect to use the CLI; in the CLI you get precise control, where a GUI adds heavy abstraction.
So Symantec are not very concerned about social engineering in Linux.
Caveat: Symantec do not have an official position on the vulnerability of any OS or system. This is entirely off the record, hence the lack of attribution. Symantec sell security-related products for Windows and Mac, with no major market investment in Linux that I can find... we could interpret this as saying that Symantec have a financial interest in painting Windows as inherently insecure (read: without their product).
I've also discussed this before in another thread.
Last edited by Simon Bridge; 02-18-2007 at 04:43 PM.
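The post's point that attackers now go after the services you run, and that a Linux admin should know exactly which ones those are, is directly checkable: the kernel lists every TCP socket, listening or not, in /proc/net/tcp. The following Python script is an added example (not from the poster) that decodes that table into listening ports and flags any bound to all interfaces that the admin did not intend to run. The /proc/net/tcp excerpt embedded below is constructed (in the little-endian x86 layout) so the script runs anywhere; on a real Linux host the main block reads the live file instead. The same table is where a remote p0f or SNMP probe, as described in post #8, would find something to talk to.

```python
"""
Added example (not from the thread): list the TCP ports a Linux box is really
listening on, straight from /proc/net/tcp, and flag the ones nobody meant to
enable.  The table below is a constructed excerpt from a little-endian host.
"""
import socket
import struct

# Constructed /proc/net/tcp excerpt.  st 0A = LISTEN, 01 = ESTABLISHED.
# Row 0: sshd on all interfaces; row 1: cups on loopback only;
# row 2: portmap/rpcbind (111) on all interfaces, typical of a stock RH9 install
# that nobody asked for; row 3: an established ssh session, not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 2D0000C0:0016 0A0000C0:C35A 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"  # socket state code used by the kernel for TCP_LISTEN


def decode_endpoint(hex_endpoint):
    """'0100007F:0277' -> ('127.0.0.1', 631).

    /proc/net/tcp prints the IPv4 address as one 32-bit word in host byte
    order; "<I" matches the little-endian (x86) layout the sample was built
    from.  On a big-endian host you would use ">I" instead.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(table_text):
    """Parse /proc/net/tcp text into [(addr, port, uid)] for LISTEN sockets only."""
    result = []
    for line in table_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        addr, port = decode_endpoint(fields[1])
        result.append((addr, port, int(fields[7])))
    return result


def exposed_ports(sockets):
    """Ports bound to 0.0.0.0 accept connections from the network (firewall
    permitting); loopback-only listeners are reachable from this host alone."""
    return sorted(port for addr, port, _uid in sockets if addr == "0.0.0.0")


def audit(table_text, intended_ports):
    """Return exposed ports that are not on the admin's list of intended services."""
    return [p for p in exposed_ports(listening_sockets(table_text))
            if p not in intended_ports]


def read_proc_net_tcp(path="/proc/net/tcp"):
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    try:
        table = read_proc_net_tcp()      # live kernel table on a Linux host
    except OSError:
        table = SAMPLE_PROC_NET_TCP      # constructed fallback elsewhere
    intended = {22}                      # what the admin believes is running
    for addr, port, uid in listening_sockets(table):
        print(f"{addr}:{port} (uid {uid})")
    unexpected = audit(table, intended)
    print("unintended exposed ports:", unexpected or "none")
```

The check is deliberately based on the kernel's own table rather than on the init scripts, because it is what is actually bound that a scanner sees, not what the admin thinks was enabled. A /proc/net/tcp6 file exists with the same column layout and 128-bit addresses; the decoder above handles IPv4 only.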
02-18-2007, 04:47 PM | #15 | LQ Guru | Registered: Oct 2003 | Location: Waiheke NZ | Distribution: Ubuntu | Posts: 9,211
Quote:
Originally Posted by XavierP
Simon - you have responded to a thread which is 4 years old. Is this the thread you wanted?
Hmmm ... odd, I have received the following link in my e-mail this morning:
http://www.linuxquestions.org/questi...8&goto=newpost
... if you figure out what this is supposed to point to before I do, let me know and I'll figure out if the replies are valid there. (Could I modify them and get them moved?)
Thanks for the heads-up.
Simon