Are you safe? Internet security on Linux, don't fool yourself!
The other day a friend came to me with a problem. He had been surfing the internet for information about the Conficker worm. As he misspelled the name as "configer virus", he didn't find a lot of real information on the worm. What he did find were a lot of links to sites which Google flagged as harmful to your computer. You know the kind, where Google says next to the link:
This site can harm your computer.
Curiosity kills
Curious about what would be on the site, he did some investigation. He searched Google for the URL of the site. What came up was someone stating it was just an annoying Flash movie displaying a fake virus scanner. The site installs a fake virus scanner on your computer, and after that the fake virus scanner annoys you with a lot of pop-ups.
False sense of security
This guy runs Linux on his computer, so he is not afraid of anything harming his computer. This false sense of security, combined with too much curiosity, made him access the site anyway.
After watching the funny site, which displays a fake virus scanner scanning a Windows system that is intended to look like your own system (which is very funny if you're sitting at a Linux box), he just clicked on some pop-ups to see what would happen. And the site did indeed try to install a Windows executable.
Blocked request
After laughing about it a bit, he went on to his own website, to try and post some interesting stuff.
The moment he tried to post something to his own site, he got a message from the hosting provider on his screen saying that his request was blocked because it tried to upload known malicious code, which could be used to crack websites. This scared the hell out of him! And it was good that it did.
This was definitely a case of a malicious site attempting some cross-site scripting.
No fear
My friend felt a bit too secure because of his use of the Linux operating system, as many people do. He wasn't afraid, because he knows there are next to no active Linux viruses around. Which is a good thing. But he also had the feeling of being immune, which is a very big risk factor.
No virus scanner
This guy had no firewall and no virus scanner on his computer. So now he got really paranoid.
When he came to me, we first booted his computer from a live CD and scanned his hard disk for malware. While it is true that there are not many (general) viruses we have to be afraid of, there is a lot of malware like worms and backdoor trojans, which virus scanners also detect. This is why you should still be running a virus scanner on Linux.
As we didn't find any malware, we proceeded by installing a firewall, something every internet-connected device should be running, because a simple misconfiguration can give a worm a way into your system. Furthermore, if anything tries to contact something on the internet on a strange port, like IRC for instance (if you don't use it), it would be nice to notice this happening. These things run with almost no overhead on Linux and their benefit is great. They can be a slight inconvenience sometimes, but my friend now knows how inconvenient it can be when you don't even dare to start your computer anymore.
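Noticing "something contacting a strange port" is the part of the firewall advice that people skip. The following is an added example, not code from the original post: it assumes the host firewall logs new outbound TCP connections with an iptables LOG rule such as `iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-NEW "` (the prefix is an assumption) and then reads the resulting kernel log lines, flagging connections to IRC ports and to any port the desktop is not expected to use. The log lines, the expected-port list and the addresses are all constructed.

```python
"""Flag outbound connections to ports this host is not expected to use.

Added example; assumes iptables LOG lines with a constructed "OUT-NEW " prefix.
"""
import re
from collections import namedtuple

# Ports this (hypothetical) desktop is expected to talk to: DNS, HTTP, HTTPS, IMAPS.
EXPECTED_PORTS = {53, 80, 443, 993}

# Common IRC ports. An unexpected connection here deserves a look, because many
# botnets of the Conficker era used IRC for command and control.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}

Connection = namedtuple("Connection", "src dst dport proto")

# The iptables LOG target writes key=value fields; these four are all we need.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
REQUIRED = ("SRC", "DST", "PROTO", "DPT")


def parse_log_line(line):
    """Return a Connection for an iptables LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if not all(key in fields for key in REQUIRED):
        return None
    return Connection(fields["SRC"], fields["DST"], int(fields["DPT"]), fields["PROTO"])


def classify(conn, expected=EXPECTED_PORTS, irc=IRC_PORTS):
    """Label a connection 'ok', 'irc' (IRC port, not expected) or 'unexpected'."""
    if conn.dport in expected:
        return "ok"
    if conn.dport in irc:
        return "irc"
    return "unexpected"


def suspicious_connections(lines):
    """Return (label, Connection) for every logged connection that is not expected."""
    findings = []
    for line in lines:
        conn = parse_log_line(line)
        if conn is None:
            continue  # not a firewall log line
        label = classify(conn)
        if label != "ok":
            findings.append((label, conn))
    return findings


# Constructed sample kernel log lines in the format the iptables LOG target produces.
SAMPLE_LOG = [
    "Apr 12 10:01:02 desk kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 12 10:01:05 desk kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 12 10:02:11 desk kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 12 10:02:30 desk kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 12 10:03:00 desk kernel: some unrelated kernel message",
]

if __name__ == "__main__":
    for label, conn in suspicious_connections(SAMPLE_LOG):
        print(f"{label:10s} {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}")
```

The expected-port list is the whole point: keep it short and honest about what the machine actually does, and anything else becomes a question worth answering rather than noise.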
Malware scanning
After we did all this, we first scanned his site with an online malware scanner website. This found no problem, so we downloaded his complete website to a local system and scanned all its contents for malware and viruses.
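Both the live-CD scan of the hard disk and the scan of the downloaded website come down to walking a tree of files and matching each one against something known to be bad. A real scanner such as clamscan matches signatures; the added example below, which is not code from the original post, shows the simpler hash-IoC sweep underneath that idea, run against a constructed directory with one planted file. The "known bad" hash is computed from the constructed sample, not from real malware.

```python
"""Sweep a directory tree for files whose SHA-256 matches a known-bad list.

Added example on constructed files; the known-bad hash is of a constructed stand-in.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, known_bad):
    """Return root-relative paths (with '/' separators) of files whose hash is in known_bad."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the tree being examined
            if sha256_of(full) in known_bad:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


# Constructed sample content: a benign page and a planted stand-in for a bad script.
BENIGN = b"<html><body>hello</body></html>\n"
PLANTED = b"// constructed stand-in for a malicious script, not real malware\n"


def build_sample_site():
    """Create a throwaway directory shaped like a small downloaded website."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "index.html"), "wb") as handle:
        handle.write(BENIGN)
    with open(os.path.join(root, "js", "loader.js"), "wb") as handle:
        handle.write(PLANTED)
    return root


def demo():
    """Build the sample site and sweep it with a one-entry known-bad list."""
    root = build_sample_site()
    known_bad = {hashlib.sha256(PLANTED).hexdigest()}
    return sweep(root, known_bad)


if __name__ == "__main__":
    for hit in demo():
        print("known-bad file:", hit)
```

Hash matching only finds exactly what is on the list, which is why the article's approach of combining a scanner with a careful look at the files themselves is the right one.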
Investigation
To be completely sure about what the site did, I did a little investigation. I downloaded the index file of the site on the command line. This was a very interesting file, which had an obfuscated forward to another site. I did notice these guys are being very smart: they use a URL which starts with vvwvv instead of www, and if you read it fast it seems to be a completely different link. It appears to be the www. subdomain of a URL forwarding website, while it is a completely different site.
The site
First it seems to forward you to a site in Russia, and then again to another site, which hosts the malicious script and the fake virus scanner. I downloaded the last site's contents on the command line and found out it was indeed only a few JavaScript files. One of them contained a download link which tries to make you install a .exe file. This is most definitely a Windows trojan. The rest was just crafted to do the cross-site scripting attack. I'm pretty sure we can assume this was a site aimed at Windows users, so my friend can sleep again.
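The "vvwvv" trick described above, and the redirect chain that followed it, are easy to check for mechanically once you know the pattern. Here is an added example, not code from the original post: it folds character sequences that read alike at a glance (vv for w, rn for m, cl for d, digits for letters) and reports every hop in a redirect chain whose hostname carries a label that imitates another. It goes a little beyond the post by checking any target label you name, not only www. The chain of URLs and the domain names are constructed.

```python
"""Spot hostname labels that only look like a familiar one, such as "vvwvv" for "www".

Added example; the redirect chain below is constructed.
"""
from urllib.parse import urlsplit

# Sequences that are easily misread as another character when skimming a link.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def fold(label):
    """Collapse confusable sequences so look-alike spellings compare equal."""
    label = label.lower()
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    return label


def is_lookalike(label, target):
    """True when label is not target but reads like it after folding."""
    return label.lower() != target.lower() and fold(label) == fold(target)


def lookalike_labels(url, targets=("www",)):
    """Return (label, imitated) for every hostname label in url that imitates a target."""
    host = urlsplit(url).hostname or ""
    hits = []
    for label in host.split("."):
        for target in targets:
            if is_lookalike(label, target):
                hits.append((label, target))
    return hits


def audit_chain(urls, targets=("www",)):
    """Report each hop of a redirect chain whose hostname carries a look-alike label."""
    findings = []
    for url in urls:
        hits = lookalike_labels(url, targets)
        if hits:
            findings.append((url, hits))
    return findings


# Constructed redirect chain: the flagged search result, a forwarding service reached
# through a "vvwvv" label that reads as "www", and the final landing page.
CHAIN = [
    "http://search-result.example.test/configer-virus",
    "http://vvwvv.forwarder.example.test/go?id=1",
    "http://landing.example.test/scan.html",
]

if __name__ == "__main__":
    for url, hits in audit_chain(CHAIN):
        for label, target in hits:
            print(f"{url}: label '{label}' reads like '{target}'")
```

Passing the domains you actually trust as extra targets (for example your own site's name) turns this into a check that a link, or a redirect hop, really is where it claims to be going.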
The guidelines
So if you're one of these people feeling secure, think about this next time you go online. There is no bigger security hole than the one between chair and computer. This site was rated insecure, this person has a good hosting company and he was using Linux. Think about what could have happened if things had been different.
So if you don't want your site to be hacked, don't want to have your personal information stolen, don't want to get robbed and don't want to provide a means for criminals to do this to others, I have some tips.
Use a firewall, use a virus scanner, be careful on the internet, don't click on those links marked as dangerous (I know it sounds obvious), watch out with pop-ups and, last but not least: don't use Windows.
Want to read more by J00p34? The blog root is here.
odd
Anonymous 2 years 43 weeks 6 days 5 hours ago
You have a very strange way of making conclusions.
"Everybody should use AV" is drawn from "we found absolutely no malware on the system"
As for the firewall, it is installed with every Linux distro; it is built into the kernel (iptables*). It could be unconfigured, but that isn't the case with most distros. Shorewall, Firestarter etc. are only different front-ends for iptables.
And getting the 'xxx.xxx.xxx.xxx tried to access port xxx' messages is not that useful; it induces paranoia more than it does anything useful. I have received many questions regarding 'somebody is trying to hack me', but most of the time it is just a network sniffer, or even a standard method internet providers use to check whether you are still online.
* it looks like it will be replaced with nftables in the future, like it was the case with the old ipchains
I've only just tried out a
Anonymous 2 years 44 weeks 2 days 5 hours ago
I've only just tried out a few distros of Linux, but did my research before doing so. I wanted to know the truth about Linux's vulnerability to malware. Everything that I read says that, while the malware will not likely harm your Linux system, you can still be a carrier and will infect others that you contact. For this reason, it was always recommended that you still practice the same safety basics that you would for a Windows system. (my 2 cents)
Writing style leaves something to be desired
Anonymous 2 years 44 weeks 5 days 4 hours ago
No trollish behaviour intended, but you may want to reconsider the style of writing used in this article. Ignoring the grammar and punctuation problems, the structure leaves a lot to be desired as well. The vacillation between personal story-telling mode and technical security article mode is annoying, and overall the amateurish nature is off-putting.
While I whole-heartedly embrace citizen journalism and enthusiastically support open source empowerment, content like this on the web unfortunately adds to the negative perception of Linux and OSS as non-commercial, unprofessional endeavours.
My 2c.
Interesting...
Anonymous 2 years 44 weeks 6 days 11 hours ago
Interesting stuff. Thanks for that.
(You could have spaced the v v w v v to more easily visually display what you mean to describe. Took me a while to figure it out.)
D.
No firewall?
Anonymous 2 years 44 weeks 6 days 12 hours ago
I thought all major distros had at least iptables running from the first boot. PCLinuxOS does but you can change it to Shorewall in the PC Control Center.
I too have hit those malicious sites but it wasn't on purpose. Each time I was doing a Google blog search for "Linux" oddly enough. Unfortunately I couldn't find a link to report the malicious site anywhere on Google.
It's a problem and I feel badly for the poor sods who feel that Microsoft is the only one who "makes the computer go".
I also played with the attempted malware install, but my firewall was up and running. I also have GKrellM up on my desktop at all times and I keep an eye on the Ethernet. If I see anything suspicious I fire up Wireshark and take a close look at the activity. I do not, however, have any anti-virus software installed. If I were on a network that had at least one Windows computer, then I would install ClamAV.
The day is coming when Linux users will have to work a little harder on their security. That day hasn't arrived in my opinion, but it wouldn't hurt to be a little more vigilant.
report malicious site
admin 2 years 44 weeks 6 days 6 hours ago
Google uses an automated process; there's no user submit function as far as I know.
StopBadware.org has a lot of information. And in the get involved section there are some options for reporting sites.
NoScript
Anonymous 2 years 44 weeks 6 days 14 hours ago
Using NoScript can help to prevent cross site scripting (XSS) attacks.
But yes, many people don't get it that Linux users are still vulnerable to phishing etc...
Use NoScript firefox
Anonymous 2 years 44 weeks 6 days 15 hours ago
Use the NoScript Firefox extension and you're done.
Better than the virus scanner
Anonymous 2 years 44 weeks 6 days 17 hours ago
He should have been using NoScript on Firefox. He could then have enabled scripting for the malicious site temporarily, if he was that curious. Later, when he went to a different site, the cross-site scripting attack would not have worked.
NoScript is turned on by default, or it should be, which means scripts won't run until you deliberately allow them.
Your friend would probably find the addition of AdBlock and Flashblock worthwhile as well. Oh, and make the .macromedia directory read-only as well.