| 1 |
gentoo.taijin posted |
| 2 |
<2b30dc310604251739u27abbe81o5d64ffcf3e99c705@××××××××××.com>, excerpted |
| 3 |
below, on Tue, 25 Apr 2006 17:39:19 -0700: |
| 4 |
|
| 5 |
> Im having some very weird internet problems. I posted in the |
| 6 |
> forums earlier today but still no luck. <span>About 90% of the the |
| 7 |
> urls that I type into firefox and konqueror take me to a page that says |
| 8 |
> the requested url was not found on this server. for example when I type |
| 9 |
> in <a href="http://google.com/" target="_blank" onclick="return |
| 10 |
> top.js.OpenExtLink(window,event,this)">google.com</a> I get this <a |
| 11 |
> href="http://img288.imageshack.us/img288/5751/screenshot18wl.png" |
| 12 |
> target="_blank" onclick="return |
| 13 |
> top.js.OpenExtLink(window,event,this)">http://img288.imageshack.us/img288/5751/screenshot18wl.png</a> |
| 14 |
> but when I type in <a href="http://www.google.com/" target="_blank" |
| 15 |
> onclick="return top.js.OpenExtLink(window,event,this)"> |
| 16 |
> www.google.com</a> it works fine some other urls that work are <a |
| 17 |
> href="http://www.yahoo.com">www.yahoo.com</a> and <a |
| 18 |
> href="http://www.aol.com">www.aol.com</a>. some sites have weird images |
| 19 |
> like <a href="http://www.afterdawn.com/" target="_blank" onclick="return |
| 20 |
> top.js.OpenExtLink(window,event,this)"> www.afterdawn.com</a> <a |
| 21 |
> href="http://img288.imageshack.us/img288/6292/screenshot2ni.png" |
| 22 |
> target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"> |
| 23 |
> http://img288.imageshack.us/img288/6292/screenshot2ni.png</a> It get's |
| 24 |
> even more weird. I can access all websites through lynx, with no |
| 25 |
> problems and all the other computers at my house work fine. I have tried |
| 26 |
> changing nameservers ethernet cards recompiling firefox, putting myself |
| 27 |
> on virtual DMZ. I am at my wits end. I would like to avoid reinstalling |
| 28 |
> gentoo if at all possible, because I just reinstalled a month ago and |
| 29 |
> things were working fine till two days ago.</span> <br |
| 30 |
> clear="all"><br>-- <br>I lost an hour, has anyone found it? I want it |
| 31 |
> back!!! |
| 32 |
|
| 33 |
After you get it fixed, consider turning off HTML for your posts, I |
| 34 |
understand that it's not your priority at the moment, but you can see what |
| 35 |
a mess it makes of your posts, for those of us who choose not to use HTML, |
| 36 |
above. Faced with that sort of jumble, can you blame anyone who'd simply |
| 37 |
skip the post and go onto the next? |
| 38 |
|
| 39 |
Try disabling all plugins/extensions/java/javascript. Also verify your |
| 40 |
proxy settings. It appears your firefox has been set to redirect thru |
| 41 |
a hostile proxy. |
| 42 |
|
| 43 |
Try setting up a new Linux user account (with a clean configuration) and |
| 44 |
see if it is also redirected. If not, you can gamble that you haven't been |
| 45 |
entirely rooted. If it's redirected as well, consider yourself rooted, and |
| 46 |
that everything on the system (all files, passwords, any banking records, |
| 47 |
etc) is now both known to the cracker, and potentially compromised. |
| 48 |
Check for a keylogger, noting of course that a rootkit will have likely |
| 49 |
replaced your ps and etc with versions that won't report the existence of |
| 50 |
such a keylogger. Best to reinstall from a known clean LiveCD or the like. |
| 51 |
|
| 52 |
Even if there's no evidence that you've been fully rooted, it's at least |
| 53 |
possible that anything you've done with firefox, checking your mail, |
| 54 |
online banking, whatever, has been watched by the cracker, who now knows |
| 55 |
those passwords. If you do online banking, alert your bank immediately, |
| 56 |
making arrangements to change your password and having them watch for |
| 57 |
questionable transactions (if you don't decide to shut down that account |
| 58 |
and open a new one entirely). Same with any webmail accounts (which it |
| 59 |
appears you use) and the like. The cracker may or may not have been able |
| 60 |
to intercept secure sessions, but I would assume that he did. If you |
| 61 |
know how to verify the legitimacy of an SSL session in firefox, and do so |
| 62 |
religously, chances are you are still safe, but again, I'd take no |
| 63 |
chances. If not, I'd /certainly/ consider anything you've done online to |
| 64 |
now be known to this cracker, and shut down those accounts, not just |
| 65 |
change passwords, opening new ones. |
| 66 |
|
| 67 |
After you've cleaned up the damage, be sure to alter your behavior |
| 68 |
sufficiently that this won't happen again. Maybe you didn't keep firefox |
| 69 |
updated and he got in thru a known vuln there. Maybe you do keep it |
| 70 |
updated, but it was an extension that let you down. In any case, |
| 71 |
scripting, java, and plugins are best off by default, turned on only for |
| 72 |
sites you trust. I understand that a per-site scripting permissions |
| 73 |
extension is available for firefox -- that it doesn't have per-site |
| 74 |
permissions resolution by default. You can either install it, or simply |
| 75 |
keep scripting off by default and toggle it on where needed. Similarly |
| 76 |
for java/plugins/cookies (altho session cookies aren't so bad and are |
| 77 |
often helpful, and some tools let you treat all cookies as session |
| 78 |
cookies). Greasemonkey, due to the way it works, is an especially |
| 79 |
critical extension to keep updated, and be aware of how it functions and |
| 80 |
the potential weaknesses of the approach. It can be used fairly securely, |
| 81 |
but you need to be aware of things when you use it, as it can increase |
| 82 |
security risk for those not used to routinely evaluating the risk and |
| 83 |
modifying their actions accordingly. |
| 84 |
|
| 85 |
I have to mention that HTML mail you sent here too, since it is the belief |
| 86 |
of many (yours truly included, as should be obvious) that HTML, while |
| 87 |
fine for web pages, is an unneeded security hazard for mail, and that the |
| 88 |
only folks using it for mail are the crackers (who exploit its |
| 89 |
vulnerabilities), the spammers (who exploit its ability to hide spam |
| 90 |
filter confounding text), and the aoler/noobs that wouldn't know a |
| 91 |
security hole if they tripped and fell in. While that may be a bit |
| 92 |
strong, the correlation between your use of HTML mail and the fact that |
| 93 |
you are dealing with the apparent effects of a successful exploit is hard |
| 94 |
to avoid. Safe computing, like safe sex, is a choice -- you have to make |
| 95 |
the choice to learn about it, then the choice to put it into practice -- |
| 96 |
failing to do so is putting both yourself and others at risk. Many would |
| 97 |
argue that someone using HTML mail either doesn't know or simply doesn't |
| 98 |
care about safe computing, and that it's exactly that attitude which now |
| 99 |
finds you in this situation. |
| 100 |
|
| 101 |
Something else you may consider is privoxy. I use it here, with |
| 102 |
konqueror, my browser of choice, but it'll work for firefox or the like |
| 103 |
just as well. http://www.privoxy.org Even if your browser of choice |
| 104 |
doesn't allow per-site toggling of various things (cookies, scripting, |
| 105 |
plugins, etc), privoxy does. For example, I have privoxy set to turn all |
| 106 |
cookies into session-only cookies, with per-site exceptions where |
| 107 |
necessary. I then set konqueror to accept session-only cookies by |
| 108 |
default, which is a global checkbox in addition to its usual per-site |
| 109 |
settings, but do /not/ check the box that would tell konqueror to make |
| 110 |
/all/ cookies into session cookies, because privoxy does that for me, and |
| 111 |
checking that box would make konqueror set the cookies for the sites I |
| 112 |
want to keep cookies for to session-only as well. Privoxy does a lot of |
| 113 |
other things too. I have mine customized with a rather detailed filter |
| 114 |
(that I created myself) that enforces my light text on a dark background |
| 115 |
preferences, without killing color entirely (it turns a bright robin's egg |
| 116 |
blue background to navy blue, and makes a dark brick red text designed to |
| 117 |
be visible on white, to a bright red that's readable on a dark background, |
| 118 |
etc), for instance. Privoxy's rules don't apply to secure pages, of |
| 119 |
course, since for those it just forwards the request, since it's encrypted |
| 120 |
and privoxy can't read it. |
| 121 |
|
| 122 |
When your done, you should still be doing security updates, but if you |
| 123 |
somehow miss one or it doesn't come out before a cracker starts exploiting |
| 124 |
the problem, you'll probably not be victimized anyway, because the |
| 125 |
scripts necessary for the exploit simply won't run on sites that might |
| 126 |
consider hosting them, as you'd hopefully not trust such sites enough to |
| 127 |
toggle it on, and it'll be off except where you /have/ turned it on. |
| 128 |
Similarly with potentially vulnerable extensions and plugins, as well as |
| 129 |
the cookies which otherwise make it so easy for the doubleclicks of the |
| 130 |
world to track your movements from site to site. |
| 131 |
|
| 132 |
-- |
| 133 |
Duncan - List replies preferred. No HTML msgs. |
| 134 |
"Every nonfree program has a lord, a master -- |
| 135 |
and if you use the program, he is your master." Richard Stallman in |
| 136 |
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html |
| 137 |
|
| 138 |
|
| 139 |
-- |
| 140 |
gentoo-amd64@g.o mailing list |
Archives
