Track down and prevent launch of Thunderbird Bamboo plugin content?
I was browsing my feeds using the Thunderbird plugin 'Bamboo' a couple of days ago, when one of the feeds I opened wasn't what I expected; it opened a page advertising the "Buddies Locator" with the page title, "Entertainment Factory".
The page did not appear to function as intended. It has no links, just bright graphics and text.
It was interesting because it displayed an input field, claiming that if you input a mobile number, it can locate that phone's current position. I tried it and it didn't work, so I closed the tab.
Now every time I open Thunderbird, it opens again, but worse still, the Java or JavaScript it's using is causing the whole screen to flash and somehow even seemed to cause Firefox to do some weird stuff.
How can I track this down, prevent it launching, etc?
I'm running Ubuntu 12.04 with the KDE4 desktop and all the latest updates.
I was browsing my feeds (..) a couple of days ago, when one of the feeds (..) opened a page (..) It was interesting because it displayed an input field, (..) I tried it and it didn't work, (..) I'm running Ubuntu 12.04 with the KDE4 desktop and all the latest updates.
Both advertising and malvertising try to overcome their intrusive nature, access vector or true nature by appealing to, confusing or luring people into doing things. Careful wording and seemingly official graphics try to establish a sense of urgency or trustworthiness and the promise of equally relief or reward entices the gullible to continue. Past examples of malvertising, malware and virus infections alike teach you that if an offer is too good to be true, then it really is.
You've shown us the perfect example of what not to do.
Quote:
Originally Posted by snowweb
Now every time I open Thunderbird, it opens again, but worse still, the Java or JavaScript it's using is causing the whole screen to flash and somehow even seemed to cause Firefox to do some weird stuff. How can I track this down, prevent it launching, etc?
Launch your troubled Thunderbird account in safe mode and export your email and address book, then create a new, clean account and import your email and address book and see if that works.
Thanks for your reply. Are you so fast to judge everyone you've never met?
I have a dozen or so email accounts and various other types of accounts (IRC and news groups), plus themes and a couple of dozen plug-ins, so I'm afraid that is not feasible at this stage to migrate all of that to a new profile.
I have today, however, discovered that if I don't open Bamboo, then the problem doesn't appear. Therefore, I suspect that by removing Bamboo, then removing the plug-ins' directory, I can then add a new Bamboo plug-in and the problem should be solved.
If that doesn't solve it, then probably rolling back the profile directory to a backup that's 3 to 4 days old should fix it (since the mail itself is stored in a separate directory).
I would recommend using the find command and verifying files have been modified since the time and date of the infection. If you're lucky, the infection has been contained to the plugin location and removing it will solve your problem. If it does not, you will need to become more aggressive, like excising your Thunderbird account. If you have a backup to a time period prior to the incident, that would be a safer and more comprehensive approach than trying to remove the infection.
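One way to run the find check suggested above, as an added example that is not part of the original post: it lists the files in a Thunderbird profile modified after a given time and counts them per top-level profile entry, so you can see whether the changes are confined to `extensions/`. It assumes GNU find (for `-newermt` and `-printf`); the function names, the profile path and the date in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example: which files in a Thunderbird profile changed since a given time?
# Assumes GNU find, as shipped with Ubuntu. Function names are hypothetical.
# Usage (placeholder profile name and date):
#   ./changed.sh ~/.thunderbird/xxxxxxxx.default "YYYY-MM-DD HH:MM"

# changed_since PROFILE_DIR TIMESTAMP
# Prints "mtime<TAB>path relative to the profile" for every regular file
# modified after TIMESTAMP (local time), oldest first.
changed_since() {
    local profile="$1" since="$2"
    find "$profile" -type f -newermt "$since" \
        -printf '%TY-%Tm-%Td %TH:%TM\t%P\n' | sort
}

# changed_summary PROFILE_DIR TIMESTAMP
# Prints "count<TAB>top-level entry" for the same set of files. If only
# extensions/ shows up, the change is contained to the add-on location;
# hits on prefs.js or other profile files mean it reaches further.
changed_summary() {
    local profile="$1" since="$2"
    find "$profile" -type f -newermt "$since" -printf '%P\n' |
        awk -F/ '{ n[$1]++ } END { for (k in n) printf "%d\t%s\n", n[k], k }' |
        sort -k2
}

# Run both reports when called with a profile directory and a timestamp.
if [ "$#" -eq 2 ]; then
    echo "== changed files per top-level entry =="
    changed_summary "$1" "$2"
    echo "== changed files, oldest first =="
    changed_since "$1" "$2"
fi
```

Run it with Thunderbird closed, since a running client rewrites several profile files on its own and those will show up as modified.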
Thanks for that Norway2. Hadn't thought of that. Will have a look in the morning and see what find turns up. I do have daily backups going back a long way, so will make a decision about using them, based on the result on the modified files over the last 2 or 3 days.