
Thread: YOU THERE!! Malicios script installed as a DEB, please read!

  1. #111
    Join Date
    May 2006
    Location
    Amsterdam
    Beans
    1,731
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Dunno if someone looked further, but the script is HARMFUL, it contains an rm -f /*.* entry (which will match only files containing dots, so it will leave most binaries unharmed), but run as root that script could hose your system.

    I would remove it ASAP.
    Last edited by slakkie; December 9th, 2009 at 12:28 AM.
    Upgrade Ubuntu | Upgrade unsupported Ubuntu versions | Always backup | Howto upgrade flash
    Minimal CD install | Remove old kernels | My blog | Linux user #462801 | Conscience doth make cowards of us all. -- Shakespeare

  2. #112
    Join Date
    Nov 2006
    Location
    Belgium
    Beans
    3,025
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by slakkie View Post
    Dunno if someone looked further, but the script is HARMFUL, it contains an rm -f /*.* entry (which will match only files containing dots, so it will leave most binaries unharmed), but run as root that script could hose your system.

    I would remove it ASAP.
    see post 121

  3. #113
    Join Date
    May 2006
    Location
    Amsterdam
    Beans
    1,731
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by koenn View Post
    see post 121
    Yes, I saw it after I posted.
    Upgrade Ubuntu | Upgrade unsupported Ubuntu versions | Always backup | Howto upgrade flash
    Minimal CD install | Remove old kernels | My blog | Linux user #462801 | Conscience doth make cowards of us all. -- Shakespeare

  4. #114
    Join Date
    Apr 2008
    Location
    California Republic
    Beans
    2,657

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    one of the first successful social engineering malware/botnet was reported here 4 hours ago.

    within 3 hours, a community member has created a Trojan Horse Detector.

    <3

    edit: let's assume the bad guy is also reading this thread.

    let's assume there are still folks out there affected by this, who will not have read this thread between now and the next time his botnets all 'calls home' for directions.

    my prediction of his next move in the wargame...

    he has his botnet all copy the binaries for wget and ping to "tegw" and "gnip" or something else to obfuscate the process name. the botnet no longer uses wget and ping. now it uses "tegw" and "gnip". so that the script posted above will no longer detect infection.

    in fact, we need to go ahead and assume the script above will no longer function as of 6 hours from now.

    posting this now as i think of our next move in this little ballet.
    Last edited by earthpigg; December 9th, 2009 at 12:49 AM.
    Semper Fi

    My Non-Ubuntu Blog.
    All posts by me are Public Domain.
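
The post above predicts that a detector keyed on the process names wget and ping stops working once those binaries are copied under other names. The sketch below is an added example, not part of the thread or of the detector script it refers to: it compares each running executable's SHA-256 against reference binaries, so a byte-for-byte copy is flagged whatever it is called. The function names and the fake /proc fixture are constructed for illustration, and GNU coreutils (sha256sum, readlink -f) is assumed.

```shell
#!/bin/sh
# Added example: flag processes whose executable is a byte-for-byte copy of a
# reference binary (e.g. wget, ping) running from a different path or name.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# find_renamed_copies PROC_ROOT REF_BINARY...
# One line per hit: PID <TAB> path of the running copy <TAB> reference path
find_renamed_copies() {
    proc_root=$1; shift
    refs=""
    for ref in "$@"; do
        [ -r "$ref" ] || continue
        # Build a "hash canonical-path" lookup table, one entry per line.
        refs="$refs$(sha256_of "$ref") $(readlink -f "$ref")
"
    done
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -r "$exe" ] || continue   # kernel threads; other users' processes need root
        sum=$(sha256_of "$exe")
        ref=$(printf '%s' "$refs" | sed -n "s/^$sum //p" | head -n 1)
        target=$(readlink "$exe")
        # Same content as a reference binary, but not running from its path.
        if [ -n "$ref" ] && [ "$target" != "$ref" ]; then
            pid=${exe%/exe}
            printf '%s\t%s\t%s\n' "${pid##*/}" "$target" "$ref"
        fi
    done
    return 0
}

# Constructed fixture: a fake /proc with three "processes" backed by
# stand-in text files, so the check can be tried without root.
build_demo_proc() {
    d=$1
    mkdir -p "$d/bin" "$d/home" "$d/proc/101" "$d/proc/202" "$d/proc/303"
    echo "stand-in for wget" > "$d/bin/wget"
    echo "stand-in for ping" > "$d/bin/ping"
    echo "unrelated program" > "$d/bin/other"
    cp "$d/bin/wget" "$d/home/tegw"          # copy under the name from the post
    ln -s "$d/bin/wget"  "$d/proc/101/exe"   # genuine wget
    ln -s "$d/home/tegw" "$d/proc/202/exe"   # renamed copy
    ln -s "$d/bin/other" "$d/proc/303/exe"   # unrelated program
}
```

On a live system the call would be `find_renamed_copies /proc /usr/bin/wget /bin/ping`, run as root. A hash match only catches unmodified copies; a downloader that is recompiled or altered needs a different signal.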

  5. #115
    Join Date
    Dec 2007
    Beans
    124

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    People, please report the issue to T35.com,

    abuse@t35.net

    We need this issue to be raised with the Host. here is an example of what I wrote:

    http://05748.t35.com/ is being used as a point to carry out malicious attacks on Debian-based Linux desktops...

    Please follow this thread where we are trying to resolve the issue and where I would request after you read the forum this account be promptly banned or the files removed.

    http://ubuntuforums.org/showthread.php?t=1349678

    The account also seems to be used for phishing
    Myself and others affected by the issue would appreciate a prompt response.

    Thank you

    -----------------------------------------------

    Please report back if you have done so, so I may keep a tab on whether the complaint is being listened to. The only way we can truly remove this threat is to remove the threat from its source.

    All help appreciated, we need to kill this nonsense fast.


    E-mail = abuse@t35.net
    Last edited by dmizer; December 9th, 2009 at 11:56 AM. Reason: removed hyperlink

  6. #116
    Join Date
    Sep 2009
    Location
    Pennsylvania, USA
    Beans
    523
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Report this to the host
    Emailed them an abuse email, hopefully they read it.
    Last edited by teward; December 9th, 2009 at 01:22 AM.

  7. #117
    Join Date
    Feb 2009
    Location
    Southwest N.H.
    Beans
    352
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by earthpigg View Post
    one of the first successful social engineering malware/botnet was reported here 4 hours ago.

    within 3 hours, a community member has created a Trojan Horse Detector.

    <3

    edit: let's assume the bad guy is also reading this thread.

    let's assume there are still folks out there affected by this, who will not have read this thread between now and the next time his botnets all 'calls home' for directions.

    my prediction of his next move in the wargame...

    he has his botnet all copy the binaries for wget and ping to "tegw" and "gnip" or something else to obfuscate the process name. the botnet no longer uses wget and ping. now it uses "tegw" and "gnip". so that the script posted above will no longer detect infection.

    in fact, we need to go ahead and assume the script above will no longer function as of 6 hours from now.

    posting this now as i think of our next move in this little ballet.
    +1 earthpigg - This is another reason why Ubuntu is separate from the other "mainstream" operating systems. A similar attack on Windows would have resulted in a security update in the next "Update Tuesday," or whenever they decided to release a security update. The Forum has made it possible for word to get out almost immediately, and some solutions to be posted within a short time.

    I'm glad that I don't download (or use) screen savers, but I realize that the possibility now exists for .DEB packages to carry malicious code. Thanks to all who have posted this vital information.
    Dell XPS M1330, 2GB RAM, Intel Duo-Core Processor 1.5 GHz
    Ubuntu 11.04, Win XP in Virtual Box
    Proud (but inactive) Member of the Ubuntu Manual Team
    Registered Linux User #490335 / Registered Ubuntu User #27482

  8. #118
    scouser73 is offline Iced Blended Vanilla Crème Ubuntu
    Join Date
    Mar 2008
    Beans
    1,663
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by tacantara View Post
    +1 earthpigg - This is another reason why Ubuntu is separate from the other "mainstream" operating systems. A similar attack on Windows would have resulted in a security update in the next "Update Tuesday," or whenever they decided to release a security update. The Forum has made it possible for word to get out almost immediately, and some solutions to be posted within a short time.

    I'm glad that I don't download (or use) screen savers, but I realize that the possibility now exists for .DEB packages to carry malicious code. Thanks to all who have posted this vital information.
    +1, I don't download screen-savers myself but this issue has certainly made me think about the security of my computer.

  9. #119
    Join Date
    May 2009
    Beans
    1,934
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Actually it would probably be up to the AV provider to catch and block the Trojan.

    Quote Originally Posted by scouser73 View Post
    +1, I don't download screen-savers myself but this issue has certainly made me think about the security of my computer.
    Same here. I always run NoScript in FF, but things like this could happen to me just as well, being I thought of gnome-look as being trusted. Other than themes from that site, all other software I get comes from known safe sites, such as cisco.netacad.net and mozilla.com.
    Last edited by running_rabbit07; December 9th, 2009 at 02:13 AM.

  10. #120
    Join Date
    Dec 2007
    Location
    Gainesville, Florida
    Beans
    Hidden!
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by conorsulli View Post
    People, please report the issue to T35.com,

    abuse@t35.net
    When I whois the site I get abuse@trouble-free.net

    05748.t35.com is hosted by Interserver, Inc

    if abuse@t35.net is the right one I'll email that too.
