Page 13 of 15 FirstFirst ... 31112131415 LastLast
Results 121 to 130 of 142

Thread: YOU THERE!! Malicios script installed as a DEB, please read!

  1. #121
    Join Date
    May 2006
    Location
    Amsterdam
    Beans
    1,731
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by pbrane View Post
    When I whois the site I get abuse@trouble-free.net

    05748.t35.com is hosted by Interserver, Inc

    if abuse@t35.net is the right one I'll email that too.
    Mail both. The webiste is hosted at t35.com, and access is provided by Interserver. Both need to be aware of this.
    Upgrade Ubuntu | Upgrade unsupported Ubuntu versions | Always backup | Howto upgrade flash
    Minimal CD install | Remove old kernels | My blog | Linux user #462801 | Conscience doth make cowards of us all. -- Shakespeare

  2. #122
    Join Date
    Apr 2008
    Location
    California Republic
    Beans
    2,658

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Why would the malicious screensaver payload get through ?
    in your case, maybe it wont.

    here, lets find out for certain and skip the theorizing:

    Code:
    wget http://dl.dropbox.com/u/1832211/christmastux2k5_1600.png
    (a nice christmas linux desktop on my public dropbox... its a .png file. wget something else, if you like. it will be in your home folder after it downloads. the malware, of course, downloads updated instructions for itself that it then hides throughout your filesystem, and not friendly x-mas pictures to your /home/username/ folder )

    and
    Code:
    ping -c 3 google.com
    if those commands work with your firewall on, the malware will 'work'.

    if those commands do not work with your firewall on, the malware will not 'work'.

    if we wanted to run a perfect test (almost 99.99% certainly not needed in theory...), you would need to try wget and ping as root (putting sudo before the command) since the malware itself runs as root.... if you are comfy with that (ie: understand exactly what wget and ping do), go ahead and do so. if not, then please do not.
    Last edited by earthpigg; December 9th, 2009 at 03:20 AM.
    Semper Fi

    My Non-Ubuntu Blog.
    All posts by me are Public Domain.

  3. #123
    Join Date
    Apr 2009
    Beans
    298
    Distro
    Kubuntu

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Your abuse report has been received and is currently being processed. Please allow up to [time ommited] hours for the abusing url to be investigated and removed (if found in violation of our terms of service). Thank you for submitting this email, we appreciate your role in helping keep our service free of spam, phishing and other illegal activities. As always, we take a tough stance on abuse and all abusing accounts are removed with the abusing ip's banned from our service and reported to local and federal authorities for further investigation.


    Best Regards,


    T35 Hosting Abuse Department
    Email: abuse@t35.net
    EDIT:
    BTW: MooPi unless your firewall has AI capabilities, the exploit is within a simple download which most firewalls won't block. Firewalls block attacks on telnet and things like that, but not really downloads (unless you have the firewall blocking a particular website).
    Last edited by nerdopolis; December 9th, 2009 at 03:55 AM.

  4. #124
    Join Date
    Feb 2007
    Location
    Romania
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by earthpigg View Post

    if we wanted to run a perfect test (almost 99.99% certainly not needed in theory...), you would need to try wget and ping as root (putting sudo before the command) since the malware itself runs as root.... if you are comfy with that (ie: understand exactly what wget and ping do), go ahead and do so. if not, then please do not.
    ping is a setuid root command, it runs as root anyway.
    Last edited by sisco311; December 9th, 2009 at 03:27 AM.

  5. #125
    Join Date
    Apr 2009
    Beans
    298
    Distro
    Kubuntu

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Ha ha! See the attachment below! a screenshot of the 404 error from the files now!

    its a breather that the guy got the rm command wrong. (unless if he was able to edit it between the 15 minutes I pressed refresh to check up on it. Then there might be trouble...)

    Now thats gone, the script can no longer call home, and the systems of the people who ran this, are no longer at this guys mercy, (but they still are running the infinite loop.)
    Attached Images Attached Images
    Last edited by nerdopolis; December 9th, 2009 at 04:27 AM.

  6. #126
    Join Date
    Dec 2007
    Beans
    124

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Good News.... I think?.. or just a clever spoof?

    The following files give 404's

    http://05748.t35.com/Bots/gnome.sh
    http://05748.t35.com/Bots/index.php
    http://05748.t35.com/Bots/run.bash

    however http://05748.t35.com/Bots/Auto.bash

    stayed up for a good while longer which makes me think that the files were just deleted and forgot about this one until just now........

    EDIT: on a side note the actual http://05748.t35.com/ gives a 404 as well which indicates all the subdirectories are in fact deleted as well...(a guess though).

    I'm still waiting for feedback from t35 to confirm the account was actually deleted.

    Time will tell, I should get feedback in the next 2-8 hours apparently.
    Last edited by conorsulli; December 9th, 2009 at 05:08 AM.

  7. #127
    Join Date
    Oct 2009
    Location
    South Florida, US
    Beans
    209
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Has everyone affected removed this script and sorted the issue?
    Ubuntu 11.04, Mac OS X 10.4.11

  8. #128
    Join Date
    Apr 2009
    Beans
    298
    Distro
    Kubuntu

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    conorsulli I am running a script to capture these files every 15 minutes, so I can see if they come back overnight. Oddly enough wget is giving me 403 errors for anything from 05749.t35.com but I am able to wget t35.com web page, and any other wget on t35.com gives me 404...
    Last edited by nerdopolis; December 9th, 2009 at 05:31 AM.

  9. #129
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by conorsulli View Post
    Good News.... I think?.. or just a clever spoof?

    The following files give 404's

    http://05748.t35.com/Bots/gnome.sh
    http://05748.t35.com/Bots/index.php
    http://05748.t35.com/Bots/run.bash

    however http://05748.t35.com/Bots/Auto.bash

    stayed up for a good while longer which makes me think that the files were just deleted and forgot about this one until just now........

    EDIT: on a side note the actual http://05748.t35.com/ gives a 404 as well which indicates all the subdirectories are in fact deleted as well...(a guess though).

    I'm still waiting for feedback from t35 to confirm the account was actually deleted.

    Time will tell, I should get feedback in the next 2-8 hours apparently.
    Caution! Popup on site! (Appears to be an ad for an IQ test)
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.

  10. #130
    Join Date
    May 2009
    Beans
    1,934
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    I think we owe a big round of thanks to the OP and all who helped figure out the problem and get the site to clean up the malware designer's files.

Page 13 of 15 FirstFirst ... 31112131415 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •