Serious security breach on Developer Blog

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

Re: Doesn't this sound relevant?

#61 Post by SirDuncan »

prehistoric wrote: he appears to speak German as well as he speaks any language.
And he appears to be unable to identify French since he posted in English in a French thread stating that he didn't understand what was going on.

I agree that some of his posts appear completely random and nonsensical, like what a spammer uses to tag a forum, but others seem well-informed and relevant to the thread.

My guess is that he is not a spammer, and that his posts that made no sense were just a literal translation of some German colloquialism that doesn't mean the same thing when directly translated. That doesn't really explain the comment to Mr. Murga (put what in spam?), though.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

raffy
Posts: 4798
Joined: Wed 25 May 2005, 12:20
Location: Manila

php scripts

#62 Post by raffy »

As long as one uses Web/PHP scripts, one is advised to check for updates daily and install those updates. Also, a user-friendly configuration of both Apache and PHP allows easy injection of code to the website. So it's really user vigilance that matters.

Possible moral of the story: when you go on leave, disable all scripts and run only static HTML. And make all folders read-only.
Puppy user since Oct 2004. Want FreeOffice? Get the sfs (English only): http://puppylinux.info/topic/freeoffice-2012-sfs

maddox
Posts: 454
Joined: Fri 28 Sep 2007, 20:37
Location: sometimes in France

#63 Post by maddox »

hi guys, I was on the French forum while it happened
was talking to Botanic about the French forum mods.... here

bear
Joined: 25 Dec 2007
Posts: 14
PostPosted: Today, at 8:23 am    Post subject: 	 
I'm not quite sure what you suppose to say
not really fluent english so goes with Sir Duncan's thoughts
rather good translation though, but not perfect.

hope I didn't let the devil in by mistake...
maddox

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#64 Post by John Doe »

looks like a bot to me. I've seen one in another forum. Same sort of strange postings, that somewhat correlate to the text but don't really seem to be part of the conversation.

Bear, you out there?

Are you a bot or a real person?

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#65 Post by SirDuncan »

Some of his posts were very specific and not likely the ramblings of a bot (unless he is a better one than the ones I am used to). For instance:
bear wrote: I'm running win2000 on a 25 GB file in virtualbox. Seamless integration is great!
With JWM you will have to use autohide tray.

Sometimes I use it as a fileserver, but note that bridge-utils won't work in newer puppies.
So there is only NAT.
in <http://www.murga-linux.com/puppy/viewto ... 0&start=15>. That doesn't look a bot to me.

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#66 Post by John Doe »

SirDuncan wrote: That doesn't look a bot to me.
hmmm.. You're right, that looks like an actual conversation. Either he's real or the AI is getting way better.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

bear hunting

#67 Post by prehistoric »

@Sir Duncan,

The post aimed at me at time 6:23 reads like English produced by a native German speaker. Human, not a bot. Early posts, before this security breach thread started, also sound like English produced by a native German speaker with some education. Some other posts wouldn't read well in either English or German, except, of course, the statement about Nathan, which appears to be from a native speaker of German. That one has time 7:25, and couldn't have been prepared before John posted the announcement at 6:57.

Because I did several edits, I don't know the exact time I inserted my postscript. It seems, to me, like he decided the identity was known to sys admin. when he read that I had deliberately provoked him. Then, he made that revealing reply to John Murga, and the 'bot took over. This is the kind of bot herding which has been characteristic of our problems.

prehistoric

Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

Multiple host broken, servage, and North Carolina

#68 Post by Ted Dog »

About this time last year BarryK and I set our domains to a FSF support host via the Univ. of NC.
I was informed by a friend of hacking scripts he located that were attacking puppylinux.net (which is registered to me). I notified BarryK. I think it was in October. We disbanded the host of Univ. of NC, but somehow our domains remain interlocked. Try puppylinux.net (no www.) and www.puppylinux.net; it's different.
I think his login and passwords were captured, once and secondary root pass accounts were set up.
Or, the puppylinux.net domain still points to Univ of NC, and its DNS is pointing to servage.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

Domains now seem fixed

#69 Post by prehistoric »

@Ted Dog,

The examples you gave now show the same result, for me. Is this true for everyone?

@bear

Still waiting for explanation. Are you a legitimate user whose account has been misused?

prehistoric

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#70 Post by MU »

bear's first 2 postings are too "on-topic" to be written by bots.
The rest is typical bot-behaviour.
I think his account was hacked by a bot, then the bot used this account to sporadically post messages.
Mark

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#71 Post by Sage »

John should be able to locate 'bear' from his registration details (and ISP, if appropriate)? Has anyone advised John yet?

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#72 Post by Flash »

Bear has posted from a range of IP addresses, 7 posts from one, 2 from several others, and just 1 post from several, which is consistent with someone using ADSL or Cable.

I don't know why he hasn't replied to the questions in this thread. He contributed to it one time; surely he's been following it. (If he's really a human. :) )

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

notifying John Murga

#73 Post by prehistoric »

@ Sage,

I notified John Murga via PM while I was preparing the edit to the post which provoked a response, but have no reply from John, yet. When I sent that message I was not nearly as certain about bear as I now feel, so am not surprised, even if it turns out John saw my message and ignored it.

I am quite flattered that bear took John's announcement of a system shutdown for a security update as the result of behind the scenes coordination between us. Fooling some people is easy; for the paranoid there are no coincidences. To quote my sainted mother, "the wicked flee-eth when none pursue-eth".

prehistoric

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

Re: Multiple host broken, servage, and North Carolina

#74 Post by BarryK »

Ted Dog wrote: About this time last year BarryK and I set our domains to a FSF support host via the Univ. of NC.
I was informed by a friend of hacking scripts he located that were attacking puppylinux.net (which is registered to me). I notified BarryK. I think it was in October. We disbanded the host of Univ. of NC, but somehow our domains remain interlocked. Try puppylinux.net (no www.) and www.puppylinux.net; it's different.
I think his login and passwords were captured, once and secondary root pass accounts were set up.
Or, the puppylinux.net domain still points to Univ of NC, and its DNS is pointing to servage.
Umm, I'm confused. Should I now login to the servage.net control panel and set the domain 'puppylinux.net' to point to same root directory as 'puppylinux.com'? I haven't done that yet, didn't know what the situation with puppylinux.net was.
https://bkhome.org/news/

raffy
Posts: 4798
Joined: Wed 25 May 2005, 12:20
Location: Manila

puppylinux.net

#75 Post by raffy »

This is what it shows:

 Welcome to Puppy Linux DOT net
ok this shows that my DNS record has been corrected
TedDog
(Same result with and without www.)

Maybe you want it to point to puptrix.org, as it is a source repository? If that's the case, then its domain pointer should be toward the puptrix.org host, and Ted should park the domain in his host. Ted should give the domain info. (It seems that these have been done already, and Ted should point it to an appropriate page).

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

New attack?

#76 Post by prehistoric »

Just found a Puppy-related site displaying a login for LoLoLa, (don't have the accents right,) which a Google search seems to show as a singles' site. If anyone finds others out there, get the time of the attack as closely as possible, so we can trace propagation. I've notified the operator by gmail, while checking other sites.

prehistoric

edit: Now identified this as a Trojan, with name LoLoLo. Above name was mistake due to appearance.

ymer
Posts: 16
Joined: Fri 18 May 2007, 22:20

#77 Post by ymer »

If that's a Trojan, then www . ttuuxx . com is hacked also, the same LoLoLo stuff is displayed at its front page.
Last edited by ymer on Fri 18 Jan 2008, 21:01, edited 1 time in total.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

Linked to Trojan?

#78 Post by prehistoric »

@ymer,

Didn't you stop to think why I failed to provide a link to a Trojan?

Are you under the control of dark powers?

prehistoric

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#79 Post by Caneri »

Thanks for the info.

eric
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb

RobertB
Posts: 145
Joined: Tue 03 Jan 2006, 01:06
Location: Big D

#80 Post by RobertB »

I don't know if this is helpful to the problem, but I noticed in the TouTou Puppy thread ( http://www.murga-linux.com/puppy/viewtopic.php?t=24074 ) that there's a posting by "John Smith" that is an exact copy of the (French!) posting above it. It's the only posting by that user.

*EDIT* The duplicate posting features a link to a laser pointer sales site in the .sig. Also, when they cut-n-pasted the text, they turned "Cordialement ;)" into "Cordialement Wink"...
