Page 3 of 15
Results 21 to 30 of 142

Thread: YOU THERE!! Malicios script installed as a DEB, please read!

  1. #21
    Join Date
    Oct 2009
    Location
    North Carolina US
    Beans
    54
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    The point is that I was dumb enough to think that Ubuntu was secure enough out here in the Linux wonderland that I love so much that I ended up on gnome-look downloading everything that looked cool without examining everything first.
    Another day has passed and I'm just a little bit smarter.

  2. #22
    Join Date
    Apr 2007
    Location
    Hamden, CT
    Beans
    649
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by Enlightened Shadow View Post
    OMG I installed this earlier today. It hasn't done anything to me yet please tell me how to remove it!
    lol 0wned!

  3. #23
    Join Date
    Oct 2009
    Location
    North Carolina US
    Beans
    54
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by snova View Post
    Concerning.

    The .deb should be safe to remove through standard tools. There is a postrm script, but it's apparently harmless:

    Code:
    #!/bin/sh
    set -e
    # Automatically added by dh_makeshlibs
    if [ "$1" = "remove" ]; then
            ldconfig
    fi
    # End automatically added section
    Delete these:

    /usr/bin/Auto.bash
    /usr/bin/run.bash
    /etc/profile.d/gnome.sh

    Make sure none of them are still running either. It seems to only trigger when gnome.sh is run.

    I sent an email through gnome-look.org's Report Abuse link.

    I deleted both usr/bin/auto.bash
    and etc/profile.d/gnome.sh
    However the run.bash was not there at all.
    Another day has passed and I'm just a little bit smarter.

  4. #24
    Join Date
    Dec 2007
    Beans
    124

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by LuisGMarine View Post
    lol 0wned!
    I know.........
    Last edited by conorsulli; December 8th, 2009 at 09:18 PM.

  5. #25
    Join Date
    Dec 2009
    Beans
    114
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by Enlightened Shadow View Post
    Well it's too late for that now. I'm afraid that I just deleted that file. I hope I didn't mess up.
    That is evidence that it was working, because I do not think there is a legitimate "gnome.sh".

    Quote Originally Posted by conorsulli View Post
    Turns out it is a WoW fanboy... most important thing is to get the identity of this person and pull down the file
    There is not a clear connection between this person and http://05748.t35.com/; they have different IP addresses.

    However, he does appear to download lil' script packs as well, and is an Ubuntu user... somebody should register for the site and investigate, I guess. And of course phishing is very bad.
    Last edited by dmizer; December 9th, 2009 at 02:11 AM. Reason: removed hyperlink
    (\ /)
    (O.o)
    (> <)
    This is Bunny. Copy Bunny into your signature to help him on his way to world domination.

  6. #26
    Join Date
    Jul 2007
    Beans
    414
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    http://05748.t35.com/

    That's just a convenient holding bucket, probably another innocent party.
    Last edited by dmizer; December 9th, 2009 at 02:11 AM. Reason: removed hyperlink

  7. #27
    Join Date
    Dec 2007
    Location
    Gainesville, Florida
    Beans
    Hidden!
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    mtr 05748.t35.com comes up with a couple of IPs that all point to Interserver, Inc.

    You can report abuse to them at abuse@trouble-free.net if you want.

  8. #28
    Join Date
    May 2008
    Beans
    Hidden!

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by Enlightened Shadow View Post
    I deleted both usr/bin/auto.bash
    and etc/profile.d/gnome.sh
    However the run.bash was not there at all.
    That is good, it isn't downloaded until it runs.

    Quote Originally Posted by akashiraffee View Post
    That is evidence that it was working, because I do not think there is a legitimate "gnome.sh".
    Nowhere in official repos at least:

    Code:
    $ apt-file search /etc/profile.d
    gvfs-bin: /etc/profile.d/gvfs-bash-completion.sh
    speech-dispatcher: /etc/profile.d/speechd-user-port.sh
    It's gone from gnome-look.org already. That was quick...

  9. #29
    Join Date
    Oct 2006
    Location
    New York
    Beans
    1,118
    Distro
    Xubuntu 12.10 Quantal Quetzal

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Yup, looks like a DDOS (distributed denial of service) setup. A bunch of computers repeatedly pinging an address can possibly bring down a server. It seems unlikely and naive, as a clever IP address will either deny pings or deny repeated pings from the same address. They can point the gun at whoever they will by changing the IP address, currently pointed at the World of Warcraft site.

    Also, all I have in my /etc/profile.d/ is gvfs-bash-completion.sh and speechd-user-port.sh of which only the first has execute permissions (probably due to me disabling user accessibility features). So if you have other crazy nonsense there you can dump it. Of course the easy way would be to look at when the file was created and just delete recent stuff.

    I'm suggesting something like

    # -mtime -2 = modified within the last 2 days; -ok asks before each rm
    sudo find /etc/profile.d/ -type f -mtime -2 -ok rm {} \;
    Last edited by hwttdz; December 8th, 2009 at 09:24 PM.
    xubuntu minimal, extensive experience, lshw: http://goo.gl/qCCtn
    blog: http://goo.gl/yLg78
    Linux viruses: http://goo.gl/6OCKA
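
The check from posts #28 and #29 (does anything in /etc/profile.d come from no package?), as an added example that is not part of any post in this thread. The function names `unowned_profile_scripts` and `demo_report` are hypothetical, and the demo tree is constructed from the file names mentioned above.

```shell
#!/bin/sh
# Added example: list files under <root>/etc/profile.d that no package claims.
# Ownership lines are read from stdin in the "package: /path" format printed
# by `apt-file search /etc/profile.d` and `dpkg -S '/etc/profile.d/*'`.
# On a live system:
#   dpkg -S '/etc/profile.d/*' 2>/dev/null | unowned_profile_scripts

unowned_profile_scripts() {
    root=${1:-}                      # optional prefix, e.g. a mounted disk image
    owned=$(mktemp) || return 1
    # Keep only the path column: drop everything up to the first ": ".
    sed -n 's/^[^:]*: //p' | sort -u > "$owned"
    for f in "$root"/etc/profile.d/*; do
        [ -e "$f" ] || continue      # empty directory: glob did not expand
        path=${f#"$root"}            # path as the package database records it
        grep -Fxq -- "$path" "$owned" || printf '%s\n' "$path"
    done
    rm -f "$owned"
}

# Constructed demo tree (not a real system): the two packaged files from the
# apt-file output in the thread, plus the dropped gnome.sh.
demo_report() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/profile.d"
    for n in gvfs-bash-completion.sh speechd-user-port.sh gnome.sh; do
        : > "$tmp/etc/profile.d/$n"
    done
    unowned_profile_scripts "$tmp" <<'EOF'
gvfs-bin: /etc/profile.d/gvfs-bash-completion.sh
speech-dispatcher: /etc/profile.d/speechd-user-port.sh
EOF
    rm -rf "$tmp"
}

demo_report    # prints /etc/profile.d/gnome.sh
```

A file reported here is not necessarily malicious (administrators add their own scripts), so read it before removing it.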

  10. #30
    Join Date
    Dec 2007
    Beans
    124

    Re: YOU THERE!! Malicios script installed as a DEB, please read!

    Quote Originally Posted by imbjr View Post
    http://05748.t35.com/

    That's just a convenient holding bucket, probably another innocent party.
    Ok, my mistake; however, both users are into shady stuff... I'll investigate further
    Last edited by dmizer; December 9th, 2009 at 02:12 AM. Reason: removed hyperlink
