Upgrade Ubuntu | Upgrade unsupported Ubuntu versions | Always backup | Howto upgrade flash
Minimal CD install | Remove old kernels | My blog | Linux user #462801 | Conscience doth make cowards of us all. -- Shakespeare
in your case, maybe it wont.Why would the malicious screensaver payload get through ?
here, lets find out for certain and skip the theorizing:
(a nice christmas linux desktop on my public dropbox... its a .png file. wget something else, if you like. it will be in your home folder after it downloads. the malware, of course, downloads updated instructions for itself that it then hides throughout your filesystem, and not friendly x-mas pictures to your /home/username/ folder )Code:wget http://dl.dropbox.com/u/1832211/christmastux2k5_1600.png
and
if those commands work with your firewall on, the malware will 'work'.Code:ping -c 3 google.com
if those commands do not work with your firewall on, the malware will not 'work'.
if we wanted to run a perfect test (almost 99.99% certainly not needed in theory...), you would need to try wget and ping as root (putting sudo before the command) since the malware itself runs as root.... if you are comfy with that (ie: understand exactly what wget and ping do), go ahead and do so. if not, then please do not.
Last edited by earthpigg; December 9th, 2009 at 03:20 AM.
EDIT:Your abuse report has been received and is currently being processed. Please allow up to [time ommited] hours for the abusing url to be investigated and removed (if found in violation of our terms of service). Thank you for submitting this email, we appreciate your role in helping keep our service free of spam, phishing and other illegal activities. As always, we take a tough stance on abuse and all abusing accounts are removed with the abusing ip's banned from our service and reported to local and federal authorities for further investigation.
Best Regards,
T35 Hosting Abuse Department
Email: abuse@t35.net
BTW: MooPi unless your firewall has AI capabilities, the exploit is within a simple download which most firewalls won't block. Firewalls block attacks on telnet and things like that, but not really downloads (unless you have the firewall blocking a particular website).
Last edited by nerdopolis; December 9th, 2009 at 03:55 AM.
Last edited by sisco311; December 9th, 2009 at 03:27 AM.
Ha ha! See the attachment below! a screenshot of the 404 error from the files now!
its a breather that the guy got the rm command wrong. (unless if he was able to edit it between the 15 minutes I pressed refresh to check up on it. Then there might be trouble...)
Now thats gone, the script can no longer call home, and the systems of the people who ran this, are no longer at this guys mercy, (but they still are running the infinite loop.)
Last edited by nerdopolis; December 9th, 2009 at 04:27 AM.
Good News.... I think?.. or just a clever spoof?
The following files give 404's
http://05748.t35.com/Bots/gnome.sh
http://05748.t35.com/Bots/index.php
http://05748.t35.com/Bots/run.bash
however http://05748.t35.com/Bots/Auto.bash
stayed up for a good while longer which makes me think that the files were just deleted and forgot about this one until just now........
EDIT: on a side note the actual http://05748.t35.com/ gives a 404 as well which indicates all the subdirectories are in fact deleted as well...(a guess though).
I'm still waiting for feedback from t35 to confirm the account was actually deleted.
Time will tell, I should get feedback in the next 2-8 hours apparently.
Last edited by conorsulli; December 9th, 2009 at 05:08 AM.
Has everyone affected removed this script and sorted the issue?
Ubuntu 11.04, Mac OS X 10.4.11
conorsulli I am running a script to capture these files every 15 minutes, so I can see if they come back overnight. Oddly enough wget is giving me 403 errors for anything from 05749.t35.com but I am able to wget t35.com web page, and any other wget on t35.com gives me 404...
Last edited by nerdopolis; December 9th, 2009 at 05:31 AM.
Forum DOs and DON'Ts
Please use CODE tags
Including your email address in a post is not recommended
My Blog
I think we owe a big round of thanks to the OP and all who helped figure out the problem and get the site to clean up the malware designer's files.
Bookmarks