
Thread: YOU THERE!! Malicios script installed as a DEB, please read!

  1. #41
    NoaHall is offline May the Ubuntu Be With You!

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    This is what is located at the javascript file -
    Code:
    /*
    RedVase, version 1.6
    (c) Copyright 2007 Bravenet Media Network. All Rights Reserved.
    */
    
    if (!Array.prototype.push) {
      // Fallback for engines that lack a native Array.prototype.push: each
      // argument is stored after the current last index, in order, and the
      // resulting length is returned.
      Array.prototype.push = function() {
        var start = this.length;
        var count = arguments.length;
        var offset = 0;
        while (offset < count) {
          this[start + offset] = arguments[offset];
          ++offset;
        }
        return this.length;
      };
    }
    
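    if ( typeof(RedVase) == 'undefined' ) {
      /*
       * RedVase ad loader: validates a publisher-supplied options hash, turns
       * it into an ad-server URL and writes a <script> tag for that URL into
       * the document.
       *
       * NOTE(review): _url_base is plain http, so the script this loader pulls
       * in is fetched without transport integrity, and whatever that URL
       * serves runs inside the embedding page.
       */
      var RedVase = (function() {
        var _url_base = 'http://redvase.bravenet.com';
        var _page_ads = [];
        var _has_own = Object.prototype.hasOwnProperty;

        // escapes text for use inside a double-quoted HTML attribute value
        function _escape_attr(text) {
          return String(text)
            .replace(/&/g, '&amp;')
            .replace(/"/g, '&quot;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;');
        }

        // converts ad hash into url; every property that is consumed is deleted
        // from `ad`, so only the leftover string properties reach the query
        function _to_url(ad) {
          var url = [ _url_base ];
          var query_string = [ ];
          var matches;
          var key;

          // construct base url: <base>/<content>/<publisher>/<kind>[/<alternate>]
          // ('html' and 'iframe' content are both requested as 'creative')
          url.push((ad.content == 'html' || ad.content == 'iframe' ? 'creative' : ad.content)); delete ad.content;
          url.push(ad.publisher); delete ad.publisher;
          url.push(ad.kind); delete ad.kind;
          if (ad.alternate) { url.push(ad.alternate); delete ad.alternate; }

          // append the iframe formats if needed; the first number of "AxB" is
          // sent as ifh and the second as ifw
          if (ad.format) {
            matches = ad.format.match(RedVase.FORMAT_REGEX);
            // a format that does not match would otherwise throw on matches[1]
            if (matches) {
              query_string.push('ifh=' + matches[1]);
              query_string.push('ifw=' + matches[2]);
            }
            delete ad.format;
          }

          // append randomizer (caller-supplied value, else the current time)
          query_string.push('r=' + (ad.random || new Date().getTime()));
          if (ad.random) { delete ad.random; }

          // unshift any other params so randomizer is last; only the ad's own
          // properties are used, so additions to Object.prototype made
          // elsewhere on the page do not end up in the request
          // NOTE(review): names and values are appended without
          // percent-encoding, so a value containing '&' or '#' changes the
          // shape of the query
          for (key in ad) {
            if (_has_own.call(ad, key) && typeof(ad[key]) == 'string') {
              query_string.unshift(key + '=' + ad[key]);
            }
          }

          return url.join('/') + '?' + query_string.join('&');
        }

        // injects the ad onto the document; the url is attribute-escaped so a
        // quote or angle bracket in an ad value cannot end the src attribute
        // and add markup of its own
        function _show(ad) {
          document.writeln('<script src="' + _escape_attr(_to_url(ad)) + '" type="text/javascript" charset="utf-8"><\/script>');
        }

        // shortcut method: remembers the ad in _page_ads, then shows it
        function _record_and_show(ad) {
          _page_ads.push(ad);
          _show(ad);
        }

        // converts options hash to the "key=value,key=value" feature string
        // taken by window.open; a string is passed through unchanged
        function _to_pop_options(hash) {
          var result = [];
          var key;
          if (typeof hash == 'string') return hash;
          for (key in hash) {
            if (_has_own.call(hash, key)) {
              result.push(key+'='+hash[key]);
            }
          }
          return result.join(',');
        }

        return {
          // Calls block(ad) so the caller can fill in a fresh ad hash, then
          // shows the ad only if the Sanitizer accepts it.
          placement: function(block) {
            var ad = {};
            block(ad);
            if ((new RedVase.Sanitizer(ad)).check()) {
              _record_and_show(ad);
            }
          },
          // Opens url in a window called name (default '_blank') and returns
          // the window.open result. Throws the string "required url missing"
          // when url is falsy (kept as a string for existing callers).
          show_popunder: function(url, name, options) {
            if (!url) throw "required url missing";
            name = name || '_blank';
            options = _to_pop_options(options || {});
            return window.open(url, name, options);
          }
        };
      })();

      // "<digits>x<digits>", e.g. "300x250"
      RedVase.FORMAT_REGEX = /(\d+)x(\d+)/;

      // Validator for one ad hash; `sane` becomes false on the first failed
      // check and stays false.
      RedVase.Sanitizer = function(ad) {
        this.ad = ad;
        this.sane = true;
      };
      RedVase.Sanitizer.prototype  = {
        // records a failed check and returns `result` unchanged
        update: function(result) {
          if (this.sane && !result) {
            this.sane = false;
          }
          return result;
        },
        // fails when flag is falsy
        assert_exists: function(flag) {
          return this.update(flag);
        },
        // Fails unless flag is a string. A required string must be non-empty;
        // with allow_undefined, a missing value (undefined or null) passes.
        // The outcome of the type check is what gets recorded: before, the
        // typeof test sat outside update(), so a non-string publisher or kind
        // never cleared `sane`.
        assert_string: function(flag, allow_undefined) {
          var ok;
          if (typeof(allow_undefined) === 'undefined') allow_undefined = false;
          if (allow_undefined && (typeof(flag) === 'undefined' || flag === null)) return true;
          ok = typeof(flag) == 'string' && (allow_undefined || flag !== '');
          return this.update(ok);
        },
        // normalizes content to 'html', 'pop' or 'iframe' (default 'html');
        // never fails
        assert_content: function(flag) {
          if (flag != 'html' && flag != 'pop' && flag != 'iframe') {
            flag = 'html';
          }
          return flag;
        },
        // Returns the "AxB" part of flag, or null when flag is missing or
        // malformed. A missing flag fails only when allow_undefined is false.
        assert_format: function(flag, allow_undefined) {
          if (typeof(allow_undefined) === 'undefined') allow_undefined = false;
          if (typeof(flag) === 'undefined' && allow_undefined) return null;

          if ( this.update( this.assert_string(flag, true) && RedVase.FORMAT_REGEX.test(flag) ) ) {
            return flag.match(RedVase.FORMAT_REGEX)[0];
          }
          return null;
        },
        // Normalizes this.ad in place and returns true when every check passed.
        check: function() {
          var ad = this.ad;
          // make sure ad.content is set
          ad.content = this.assert_content(ad.content);
          this.assert_string(ad.publisher);
          this.assert_string(ad.kind);
          this.assert_string(ad.alternate, true);
          ad.format = this.assert_format(ad.format, true);
          if (ad.format === null) delete ad.format;
          return this.sane;
        }
      };
    }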
    
    if (typeof redvase_ad !== 'undefined') {
      // A page-level redvase_ad hash is present: copy every enumerable
      // property of it onto the fresh ad object that RedVase.placement hands
      // to the callback.
      (function(settings) {
        RedVase.placement(function(target) {
          var name;
          for (name in settings) {
            target[name] = settings[name];
          }
        });
      })(redvase_ad);
      // clear the global so the same settings are not placed a second time
      redvase_ad = null;
    }
    Just for ads, as far as I can tell.

  2. #42

    Red face Re: YOU THERE!! Malicios script installed as a DEB, please read!

    I INSTALLED THE STUPID DEB FILE A FEW HOURS AGO... WHAT DO I DO TO GET RID OF IT??? HELP!!! Quit talking... wheres the solution... is this thing gonna do anything to harm my computer??? ?????????????????????????????????????????????????? ?

  3. #43

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by doas777 View Post
    the run.bash is pretty minimal (just a ping, albeit a large one), but I haven't been able to get a look at the php file without rendering it. I'm pretty sure that it is a phishing knock-off site.

    Edit:
    @Noa, it looks like your noscripts removed a crucial part of the page. all that is there is advertising links, and a call to a javascript for alexa and quantserv.
    Looks like its complete. index.php is the web page of 05748.t35.com

  4. #44
    NoaHall is offline May the Ubuntu Be With You!

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Code:
    # Deletes the files this thread attributes to the malicious .deb.
    # -f suppresses errors for paths that do not exist, so an empty output does
    # not confirm that any of these files were actually present.
    # index.php and run.bash are relative paths: they are resolved against the
    # current working directory, not a fixed location.
    # NOTE(review): this only removes files; it does not undo anything the
    # scripts did while they were installed.
    sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh index.php run.bash
    Run that in the terminal.
    Last edited by NoaHall; December 8th, 2009 at 09:50 PM.

  5. #45

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    redvase.js is just a counter for the alexa advertising/stat platform. very common. same with the quantserv script.

    the real payload should be between these tags:
    Code:
    <!-- T35 Hosting Ad Code End --> 
     
    </noscript></noframes> 
    <!-- T35 Hosting Ad Code Begin -->
    all the rest of the code is from a t35 template, which is designed so that the specific page desired is rendered between the tags, probably via frames. noscript blocked the frame from running at all, as close as I can tell.

    that or this kid forgot to load any content pages. that is a possibility.
    Last edited by doas777; December 8th, 2009 at 09:50 PM.

  6. #46

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Beat to the punch.
    xubuntu minimal, extensive experience, lshw: http://goo.gl/qCCtn
    blog: http://goo.gl/yLg78
    Linux viruses: http://goo.gl/6OCKA

  7. #47

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by Cycron View Post
    I INSTALLED THE STUPID DEB FILE A FEW HOURS AGO... WHAT DO I DO TO GET RID OF IT??? HELP!!! Quit talking... wheres the solution... is this thing gonna do anything to harm my computer??? ?????????????????????????????????????????????????? ?
    remove it using apt-get --purge remove 116772-WaterFall.deb

    or at least that was the name when it was up on gnome-look

  8. #48

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by conorsulli View Post
    What I'm worried about is the rm commands; they suggest that these containers were in use already!

    To be sure, could someone who has not installed the rogue deb check whether these files exist already? They could be needed for something.

    I'm worried about the fact that the run.bash script is downloaded from a server every time before it's executed. What if the script was changed?

    Call me paranoid but I would backup my data and reinstall my OS.
    Last edited by sisco311; December 8th, 2009 at 09:52 PM.

  9. #49

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by NoaHall View Post
    Code:
    sudo rm -f /usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh
    Run that in the terminal.
    I just did that... is it OK now??

  10. #50
    NoaHall is offline May the Ubuntu Be With You!

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Well, for the time being. What was the output from it?

    Also, you may want to run
    Code:
    # NOTE(review): apt-get remove matches installed package names, not .deb
    # file names; the installed name may differ from 116772-WaterFall.deb, so
    # confirm it first (e.g. with dpkg -l).
    # --purge also removes the package's configuration files.
    sudo apt-get --purge remove 116772-WaterFall.deb
