gentoo.taijin posted
<2b30dc310604251739u27abbe81o5d64ffcf3e99c705@××××××××××.com>, excerpted
below, on Tue, 25 Apr 2006 17:39:19 -0700:

> I'm having some very weird internet problems. I posted in the
> forums earlier today but still no luck. About 90% of the
> URLs that I type into Firefox and Konqueror take me to a page that says
> the requested URL was not found on this server. For example, when I type
> in google.com (http://google.com/) I get this:
> http://img288.imageshack.us/img288/5751/screenshot18wl.png
> but when I type in www.google.com (http://www.google.com/) it works fine.
> Some other URLs that work are www.yahoo.com and www.aol.com. Some sites
> have weird images, like www.afterdawn.com (http://www.afterdawn.com/):
> http://img288.imageshack.us/img288/6292/screenshot2ni.png
> It gets even more weird. I can access all websites through lynx with no
> problems, and all the other computers at my house work fine. I have tried
> changing nameservers, ethernet cards, recompiling Firefox, putting myself
> on virtual DMZ. I am at my wits' end. I would like to avoid reinstalling
> Gentoo if at all possible, because I just reinstalled a month ago and
> things were working fine till two days ago.
>
> --
> I lost an hour, has anyone found it? I want it back!!!

After you get it fixed, consider turning off HTML for your posts. I
understand that it's not your priority at the moment, but you can see what
a mess it makes of your posts, for those of us who choose not to use HTML,
above. Faced with that sort of jumble, can you blame anyone who'd simply
skip the post and go on to the next?

Try disabling all plugins/extensions/java/javascript. Also verify your
proxy settings. It appears your firefox has been set to redirect thru
a hostile proxy.

Try setting up a new Linux user account (with a clean configuration) and
see if it is also redirected. If not, you can gamble that you haven't been
entirely rooted. If it's redirected as well, consider yourself rooted, and
that everything on the system (all files, passwords, any banking records,
etc) is now both known to the cracker, and potentially compromised.
Check for a keylogger, noting of course that a rootkit will have likely
replaced your ps and etc with versions that won't report the existence of
such a keylogger. Best to reinstall from a known clean LiveCD or the like.

Even if there's no evidence that you've been fully rooted, it's at least
possible that anything you've done with firefox, checking your mail,
online banking, whatever, has been watched by the cracker, who now knows
those passwords. If you do online banking, alert your bank immediately,
making arrangements to change your password and having them watch for
questionable transactions (if you don't decide to shut down that account
and open a new one entirely). Same with any webmail accounts (which it
appears you use) and the like. The cracker may or may not have been able
to intercept secure sessions, but I would assume that he did. If you
know how to verify the legitimacy of an SSL session in firefox, and do so
religiously, chances are you are still safe, but again, I'd take no
chances. If not, I'd /certainly/ consider anything you've done online to
now be known to this cracker, and shut down those accounts, not just
change passwords, opening new ones.

After you've cleaned up the damage, be sure to alter your behavior
sufficiently that this won't happen again. Maybe you didn't keep firefox
updated and he got in thru a known vuln there. Maybe you do keep it
updated, but it was an extension that let you down. In any case,
scripting, java, and plugins are best off by default, turned on only for
sites you trust. I understand that a per-site scripting permissions
extension is available for firefox -- that it doesn't have per-site
permissions resolution by default. You can either install it, or simply
keep scripting off by default and toggle it on where needed. Similarly
for java/plugins/cookies (altho session cookies aren't so bad and are
often helpful, and some tools let you treat all cookies as session
cookies). Greasemonkey, due to the way it works, is an especially
critical extension to keep updated, and be aware of how it functions and
the potential weaknesses of the approach. It can be used fairly securely,
but you need to be aware of things when you use it, as it can increase
security risk for those not used to routinely evaluating the risk and
modifying their actions accordingly.

I have to mention that HTML mail you sent here too, since it is the belief
of many (yours truly included, as should be obvious) that HTML, while
fine for web pages, is an unneeded security hazard for mail, and that the
only folks using it for mail are the crackers (who exploit its
vulnerabilities), the spammers (who exploit its ability to hide spam
filter confounding text), and the aoler/noobs that wouldn't know a
security hole if they tripped and fell in. While that may be a bit
strong, the correlation between your use of HTML mail and the fact that
you are dealing with the apparent effects of a successful exploit is hard
to avoid. Safe computing, like safe sex, is a choice -- you have to make
the choice to learn about it, then the choice to put it into practice --
failing to do so is putting both yourself and others at risk. Many would
argue that someone using HTML mail either doesn't know or simply doesn't
care about safe computing, and that it's exactly that attitude which now
finds you in this situation.

Something else you may consider is privoxy. I use it here, with
konqueror, my browser of choice, but it'll work for firefox or the like
just as well. http://www.privoxy.org Even if your browser of choice
doesn't allow per-site toggling of various things (cookies, scripting,
plugins, etc), privoxy does. For example, I have privoxy set to turn all
cookies into session-only cookies, with per-site exceptions where
necessary. I then set konqueror to accept session-only cookies by
default, which is a global checkbox in addition to its usual per-site
settings, but do /not/ check the box that would tell konqueror to make
/all/ cookies into session cookies, because privoxy does that for me, and
checking that box would make konqueror set the cookies for the sites I
want to keep cookies for to session-only as well. Privoxy does a lot of
other things too. I have mine customized with a rather detailed filter
(that I created myself) that enforces my light text on a dark background
preferences, without killing color entirely (it turns a bright robin's egg
blue background to navy blue, and makes a dark brick red text designed to
be visible on white, to a bright red that's readable on a dark background,
etc), for instance. Privoxy's rules don't apply to secure pages, of
course, since for those it just forwards the request, since it's encrypted
and privoxy can't read it.

When you're done, you should still be doing security updates, but if you
somehow miss one or it doesn't come out before a cracker starts exploiting
the problem, you'll probably not be victimized anyway, because the
scripts necessary for the exploit simply won't run on sites that might
consider hosting them, as you'd hopefully not trust such sites enough to
toggle it on, and it'll be off except where you /have/ turned it on.
Similarly with potentially vulnerable extensions and plugins, as well as
the cookies which otherwise make it so easy for the doubleclicks of the
world to track your movements from site to site.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman in
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html


--
gentoo-amd64@g.o mailing list
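Two of the checks in the reply above, the "verify your proxy settings" diagnosis of the browser-only redirection and the privoxy "all cookies become session cookies, with per-site exceptions" setup, as an added shell example. This is not code from the post, from Firefox or from Privoxy. It assumes (hypothetically) that the Firefox profile stores its settings in a prefs.js made of user_pref("name", value); lines with the network.proxy.type meanings noted in the comments, and that Privoxy reads the {+action} / pattern layout shown from a user.action file; all paths, the sample prefs.js and the exception sites are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the post above nor from Firefox or Privoxy.
# Assumptions (hypothetical): a Firefox profile keeps its settings in a
# prefs.js of user_pref("name", value); lines, and Privoxy reads the
# {+action} / pattern layout written below from a user.action file.
# Every path handed to these functions is a placeholder.

# Does a Firefox profile send traffic through a proxy?  Prints every
# network.proxy.* preference for inspection.  Exit status: 0 = a proxy
# (manual host, PAC script, WPAD or "system") is in use, 1 = direct
# connection (or no type set, the old default), 2 = prefs file unreadable.
firefox_proxy_check() {
    prefs="$1"
    [ -r "$prefs" ] || return 2
    grep 'network\.proxy\.' "$prefs" || true
    # network.proxy.type: 0 direct, 1 manual, 2 PAC script
    # (see network.proxy.autoconfig_url), 4 WPAD auto-detect, 5 system.
    ptype=$(sed -n 's/.*"network\.proxy\.type", *\([0-9][0-9]*\).*/\1/p' "$prefs" | tail -n 1)
    if [ -z "$ptype" ] || [ "$ptype" = "0" ]; then
        return 1
    fi
    return 0
}

# Same question for the environment: a proxy variable planted in a shell
# profile redirects every program that honours it (lynx included, so a
# working lynx argues against this one).  Exit 0 if any is set.
env_proxy_check() {
    found=1
    for var in http_proxy https_proxy ftp_proxy all_proxy \
               HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then
            echo "$var=$val"
            found=0
        fi
    done
    return $found
}

# Privoxy: session-only cookies everywhere, with exceptions.  Writes a
# user.action fragment: the first block applies +session-cookies-only to
# every URL ("/"), the second removes it for the sites given as arguments
# (Privoxy pattern syntax: ".example.com" covers the domain and its
# subdomains, "mail.example.net" only that host).
write_privoxy_session_only() {
    out="$1"
    shift
    {
        echo '# Default: strip cookie expiry so every cookie dies with the browser.'
        echo '{+session-cookies-only}'
        echo '/'
        echo ''
        echo '# Exceptions: sites allowed to set persistent cookies.'
        echo '{-session-cookies-only}'
        for site in "$@"; do
            echo "$site"
        done
    } > "$out"
}

# Stand-alone demo on a constructed prefs.js (not a real profile).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/proxycheck.XXXXXX")
cat > "$demo_dir/prefs.js" <<'EOF'
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 8080);
EOF
if firefox_proxy_check "$demo_dir/prefs.js"; then
    echo "proxy configured in $demo_dir/prefs.js: compare against a fresh profile"
else
    echo "no proxy in $demo_dir/prefs.js"
fi
env_proxy_check || echo "no proxy variables in the environment"
write_privoxy_session_only "$demo_dir/user.action" .example.com mail.example.net
cat "$demo_dir/user.action"
rm -rf "$demo_dir"
```

Run firefox_proxy_check against the profile's own prefs.js (under ~/.mozilla/firefox/, the exact directory name varies) with Firefox closed; a nonzero network.proxy.type you never set, or a network.proxy.autoconfig_url pointing at a host you don't recognise, is the hostile-proxy case the reply describes. A cheaper version of the "new Linux user account" test is to start Firefox with -no-remote and -profile pointing at an empty directory and try the same URLs: if google.com resolves normally there, the damage is in the profile, not the system. Remember that a redirecting proxy can also be hidden in the prefs of a Konqueror profile or in a PAC script, and that none of this proves the box is clean; the reply's rootkit caveat still applies.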