LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 07-11-2019, 04:13 PM   #1
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 469

Rep: Reputation: 280Reputation: 280Reputation: 280
Palemoon archive server breach


If you've downloaded from the Palemoon archive server you'll want to know about this: https://forum.palemoon.org/viewtopic.php?f=17&t=22526

I don't use it personally, just a heads up for anyone that does.
 
Old 07-11-2019, 04:17 PM   #2
hitest
Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 5,822

Rep: Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980Reputation: 1980
Thanks for the heads-up. I don't use it, I browse with FF and Chrome.
 
Old 07-11-2019, 08:13 PM   #3
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 817
Blog Entries: 26

Rep: Reputation: 1083Reputation: 1083Reputation: 1083Reputation: 1083Reputation: 1083Reputation: 1083Reputation: 1083Reputation: 1083
Thanks, drgibbon! It sounds like only Windows executables were infected, so Linux-only users should be in the clear.
 
1 members found this post helpful.
Old 07-11-2019, 09:07 PM   #4
orbea
Senior Member
 
Registered: Feb 2015
Distribution: Slackware64-current
Posts: 1,698

Rep: Reputation: Disabled
Quote:
Originally Posted by ttk View Post
Thanks, drgibbon! It sounds like only Windows executables were infected, so Linux-only users should be in the clear.
I don't think the point is that Linux is not affected, but...

Quote:
According to the date/time stamps of the infected files, this happened on 27 December 2017 at around 15:30. It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach.
https://www.bleepingcomputer.com/new...lware-dropper/

How does something like this go undetected for 2 years? Makes me wonder what else has not already been discovered.
 
2 members found this post helpful.
Old 07-11-2019, 09:26 PM   #5
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 14.2
Posts: 469

Original Poster
Rep: Reputation: 280Reputation: 280Reputation: 280
Quote:
Originally Posted by orbea View Post
How does something like this go undetected for 2 years? Makes me wonder what else has not already been discovered.
When I looked into the project way back it seemed a bit flakey to me. Anyway the compromised server was running Windows, of all things!
 
Old 07-11-2019, 09:35 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,086
Blog Entries: 25

Rep: Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263
Quote:
How does something like this go undetected for 2 years?
Stuff gets discovered well after the fact all the time. Not saying it's the norm, but it happens far too frequently. Too many outfits (I'm not saying this applies to Palemoon because I don't use it and I don't know) see security as overhead, not as best practice.

Last edited by frankbell; 07-11-2019 at 09:40 PM.
 
2 members found this post helpful.
Old 07-12-2019, 01:27 AM   #7
orbea
Senior Member
 
Registered: Feb 2015
Distribution: Slackware64-current
Posts: 1,698

Rep: Reputation: Disabled
Quote:
Originally Posted by frankbell View Post
Stuff gets discovered well after the fact all the time. Not saying it's the norm, but it happens far too frequently. Too many outfits (I'm not saying this applies to Palemoon because I don't use it and I don't know) see security as overhead, not as best practice.
This is not some one liner backdoor that someone hide in their source code, but long since compromised binaries on their archive server which simple md5sums should of revealed...

The skeptic in me makes me want to consider that this wasn't mere incompetence, but the malware was intentionally placed and the breach is a cover story.
 
2 members found this post helpful.
Old 07-12-2019, 02:20 AM   #8
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 605

Rep: Reputation: Disabled
Remember when kernel.org got breached, that too must have been an inside job by Linus himself!
Too much wailing over some archived windows binaries, AFAIK the git repo's not affected.
 
4 members found this post helpful.
Old 07-12-2019, 02:38 AM   #9
orbea
Senior Member
 
Registered: Feb 2015
Distribution: Slackware64-current
Posts: 1,698

Rep: Reputation: Disabled
I am assuming you mean this?

https://www.eweek.com/security/suspe...ization-breach

There is a huge difference in a breach that is discovered in a few months and one that is discovered two years later.
 
2 members found this post helpful.
Old 07-12-2019, 08:30 AM   #10
khronosschoty
Member
 
Registered: Jul 2008
Distribution: Slackware
Posts: 425
Blog Entries: 2

Rep: Reputation: 222Reputation: 222Reputation: 222
It only effected users who intentionally used older versions; and grabbed them from the archive server instead of the main distribution channels.

Also Its likely the breech wasn't that long

https://forum.palemoon.org/viewtopic...170903#p170903

Last edited by khronosschoty; 07-12-2019 at 08:34 AM.
 
3 members found this post helpful.
Old 07-12-2019, 11:41 AM   #11
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 724

Rep: Reputation: 343Reputation: 343Reputation: 343Reputation: 343
Quote:
Originally Posted by orbea View Post
There is a huge difference in a breach that is discovered in a few months and one that is discovered two years later.
And we've (the FOSS community) had security problems that went UNdetected for longer, like the major (Heartbleed) one in openssl
Quote:
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Open source does not always mean all problems in the code are detected sooner.

This one, by the way, affected not just Linux, but a majority of ALL ssl using applications as most of them did use the affected code, either directly or indirect by encorporating it in their own code.

Last edited by ehartman; 07-12-2019 at 11:43 AM.
 
5 members found this post helpful.
Old 07-13-2019, 09:30 AM   #12
orbea
Senior Member
 
Registered: Feb 2015
Distribution: Slackware64-current
Posts: 1,698

Rep: Reputation: Disabled
Quote:
Originally Posted by ehartman View Post
And we've (the FOSS community) had security problems that went UNdetected for longer, like the major (Heartbleed) one in openssl
At the risk of repeating myself heartbleed was a missing bounds check, this was a 3 mb payload.

To put this in perspective this would be equivalent to someone replacing binaries in a well used Slackware mirror for no one to actually verify the packages for another 2-3 years... I personally would be surprised if something like that ever happened.
 
5 members found this post helpful.
Old 07-13-2019, 09:59 AM   #13
crts
Senior Member
 
Registered: Jan 2010
Posts: 1,724

Rep: Reputation: 528Reputation: 528Reputation: 528Reputation: 528Reputation: 528Reputation: 528
Quote:
Originally Posted by orbea View Post
Does anyone know what has happened since then? I searched for more information on this issue but could not find anything. Has the guy been tried yet? Has he been released?
 
Old 07-13-2019, 01:44 PM   #14
TheRealGrogan
Member
 
Registered: Oct 2010
Location: Ontario, Canada
Distribution: Slackware, Manjaro (for gaming)
Posts: 75

Rep: Reputation: 47
Not quite the equivalent of the example of a Slackware mirror, because Windows users generally don't compare checksums and are so used to ignoring unsigned binaries that a big yellow warning doesn't phase them. It usually just means that someone couldn't be arsed to jump through Microsoft's hoops. Most of the time it's legit. (Even shit like HP uninstallers did that)

Guilty... a few years back the ClassicShell repository got trojaned (more prankish than malicious). I was so used to installing that program on systems, and so used to yellow warnings about unsigned binaries that I thought nothing of it (huh... the installer doesn't work), until I rebooted to a modified MBR with bootstrap halted and some prankish text. Fortunately that was all they did and I just had to use bootrec to fix it. I ended up blowing it away for other reasons anyway, but that got me back in to continue troubleshooting problems. I was actually quite butthurt over that, because it was the FIRST time I ever infected any computer system (other than on purpose in house for testing cleanup software) and that was a customer system too.
 
2 members found this post helpful.
Old 07-13-2019, 11:28 PM   #15
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 724

Rep: Reputation: 343Reputation: 343Reputation: 343Reputation: 343
Quote:
Originally Posted by orbea View Post
To put this in perspective this would be equivalent to someone replacing binaries in a well used Slackware mirror for no one to actually verify the packages for another 2-3 years...
When you can replace the binaries, it is easy enough to replace all md5sum or sha*sum files too, and probably the private keys were available too on that server to generate corrected gpg signatures. Remember, it WAS the master archive server AND a Windows hosted one, so doesn't have the protection a Linux one would have had.

And no, it has never happened on the master Slackware mirror server (as far as we know....).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Palemoon browser not building... FTIO Slackware 38 07-12-2016 07:24 PM
Palemoon in Slackware Current AlexSlack Slackware 14 05-01-2016 01:33 PM
Palemoon segmentation fault with Slackware-current mfgordon Slackware 10 04-16-2016 06:11 PM
What's your opinion on PaleMoon compared to Firefox? Mr. Alex Linux - Software 16 06-19-2014 02:56 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 04:47 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration