Precise 5.4.3 LiveCD contains botnet client? (Solved)

UnderCovers
Posts: 2
Joined: Tue 07 May 2013, 13:33


#1 Post by UnderCovers »

Months ago, when 5.3.3 was the latest Puppy Precise distro, I downloaded the iso for an x86 system. Everything expected to be included works fine. THE UNEXPECTED "live" software is a BOTNET CLIENT. Once the ethernet LAN connection is enabled, the bot client tries to connect to a command server. On each boot, the command server IP changes, but port 80 is used as the destination port. The source port on the Precise system seems to be a random high port number.

The MD5 checked out when I downloaded this .ISO. HIGHLY recommend not using this version of Precise unless you want to watch BOT client behavior.

Note my ISP provided a warning of BOT activity detected on their network when I left the system running for an hour.

I WILL EXAMINE the same x86 LiveCD for 5.5 to see if the client code remains. :(

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

It might actually be helpful if you gave the URL to where you downloaded the 5.3.3 iso from.

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#3 Post by rcrsn51 »

IIRC, the first version of Precise was 5.4, not 5.3.3.

R-S-H
Posts: 487
Joined: Mon 18 Feb 2013, 12:47

#4 Post by R-S-H »

Hi.

Actually I do have a Precise version 5.3.3.3 and iirc, I did download from official download site.

Cannot confirm any bot activity on this version - only used a few times - offline only!

RSH

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#5 Post by nooby »

Using Google I find this on DistroWatch:
2012-05-05: Distribution Release: Puppy Linux 5.3.3 "Slacko"

So that is Slacko, or is that Puppy Slacko Precise?
I guess Precise is not Slack but based on Ubuntu, so
I search again and find this:

Upup Precise 5.3.3.3 has been uploaded. See the first post.
http://www.murga-linux.com/puppy/viewtopic.php?t=77697

Edit: so that one has an extra 3 there, so that is not the same?

So which Precise is it we talk about?

Or is the OP referring to the usual Google check that the IP works?
What is the name of that General or Captain or Major or whatever his title is
that has a famous server that does such a service?

On the other hand the ISP told the OP that such bot activity was going on.
So I hope he gives us more details.

R-S-H
Posts: 487
Joined: Mon 18 Feb 2013, 12:47

#6 Post by R-S-H »

My Data:

Full Name of ISO: precise-5.3.3.3-SCSI.iso
Full Name of DevX: devx_precise_5.3.3.3.sfs

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#7 Post by nooby »

Thanks, could that be the one that he refers to then?
So how can one find the code that asks a program to connect
to that server he talks about?

If security firms have told about such URLs recently one maybe
can search for it, but most likely such is hashed in the code,
so one should look for something hashed; can that be easily done
using Pfind?

Edit: I have changed from one computer to another and
most likely have it on the small netbook or the other small netbook
and am too lazy to fire it up; one needs to find cables
and it is cramped and tight there and I feel for TV and music
and not fiddling with cables today, but if no one else has it
apart from OP and RSH and me then we could compare things
the coming days.

Where would a botnet hide its code? Any statistics on where to look?

Pence
Posts: 200
Joined: Sat 30 Jul 2005, 13:27

#8 Post by Pence »

Probably should wait for UnderCover's second post, just to be sure that he is not a prankster.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#9 Post by nooby »

His choice of user name can be a hint that he loves to troll?
But I feel very impolite thinking that way. So it is sad he
did not give more details in that first post.

Okay, we wait then :)

L18L
Posts: 3479
Joined: Sat 19 Jun 2010, 18:56
Location: www.eussenheim.de/

Re: Precise 5.3.3 LiveCD contains botnet client

#10 Post by L18L »

On his blog bk wrote: Precise Puppy 5.4
This is it, the very first official release of Precise Puppy! Brief announcement:

Precise Puppy is built from ...

rcrsn51 RC :D

UnderCovers
Posts: 2
Joined: Tue 07 May 2013, 13:33

correction and more info

#11 Post by UnderCovers »

Sorry for the delay, but the original post was done quickly, followed by a long trip to a dinner. It was Precise 5.4.3, not a 5.3.3 iso. Got to the file via the download page from www.puppylinux.com. I had pulled the 5.5 Precise and 5.5 Wary versions today.

Both show similar behavior after boot and X start of the GUI. IPstats shows traffic from the Puppy PC to 198.101.241.44:80. Surprise, surprise, the Precise version starts traffic even before I configure the network connection (eth0) via DHCP. With the startup configure box up but prior to selections, I checked IPstats and the system already had eth0 enabled with an IP address from the LAN DHCP server. Normally I had done the eth0 configure by selecting AutoDHCP myself, thinking the system was off-net until doing configure.

I did not find much useful about 198.101.241.44. No DNS or hostname, but traceroute stopped at a Rackspace Hosting Cloud Servers subnet. Note this IP is different from the 2 used with the 5.4.3 version post-startup (don't have my notes or I would post; likely somewhere else in the clouds).

If this connection is legit and documented somewhere, please educate me.
I will try an iso image from the ibiblio.org folder for slackware 5.5.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#12 Post by Flash »

Seems to me that this or a very similar thing has been reported before, perhaps years ago, for other versions of Puppy. I don't recall for sure, but I think it was decided that Puppy does it for some benign reason.

Could Puppy be looking for printers on the LAN?

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#13 Post by James C »


nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#14 Post by nooby »

James C wrote: Might be related to this......
http://www.murga-linux.com/puppy/viewto ... 318#514460
That is the Major I remembered: http://majorhayden.com/.

But that does not explain that the ISP confirmed something very bad
was going on. Sad that the ISP gave no good documentation on it.

198.101.241.44: should security firms not know about such then?

Reading that whole thread, it ends with this horrible text.
http://www.murga-linux.com/puppy/viewto ... 747#547747

It got me so scared that I shut down the page and forgot the text.
I could not cope with it. Is that true or is it a kind of conspiracy text?

I used Google and found this one:
198.101.241.44 ISP Unknown Lamoni, Iowa, United States User/Unknown

Could the CIA have a server then in Lamoni, Iowa?
Does General Hayden live there maybe?

How do other Linuxes test if their connection is established?
Any statistics on how many Linux distros make use of General Hayden? Blasphemous speculation: does his son take over when he
dies of old age? :) Or is he just a friendly face for the CIA,
so he is not personally running the service, just accepts that it is named
as belonging to him? A kind of honoring his loyalty?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#15 Post by nooby »

Sorry, me so lazy. I did take a look and my old Lupu 528-005
does connect to 198.101.241.44. I have had the OS running now
since about 6AM and still now at 10.13 it still lists it in the IPstat
that comes up if one clicks on the icon in the tray. It says
FIN_WAIT1, whatever that refers to.

I should look in /usr/sbin/ipinfo now.
It says:
# PROGRAM: ipdisp
# AUTHOR: Vovchik
# PURPOSE: GUI to show IP config info
# DATE: 14 May 2009
...
# external ip
var0="`wget -O - -q icanhazip.com`"
I remember from other threads that
icanhazip.com is what General Hayden's server may be named.

So it would be possible to change that name, but most likely it
only lasts for that session and gets back when one reboots?

So either a very innocent way to check that it works
or a CIA way to have total control through Linux?

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#16 Post by James C »

01micko had the answer on the next page of the thread in this post
http://www.murga-linux.com/puppy/viewto ... 729#514729
see /usr/sbin/ipinfo

This has been discussed many times. If you don't like it remove it.
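An added example (not Puppy's code and not from anyone in this thread) of the check the advice above amounts to: a small shell audit that lists every wget/curl call under a directory and the host it contacts, run here against a constructed sample directory holding a copy of the ipinfo line quoted above; on a live Puppy, point find_callouts at /usr/sbin instead. The function names, the sample files and the host heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Puppy's own code: list every wget/curl call under a
# directory together with the host it contacts, so a "phone home" such as
# the icanhazip.com lookup in /usr/sbin/ipinfo can be found and reviewed
# instead of being mistaken for a bot client.  Heuristic: a dotted token
# whose last label starts with a letter, or an IPv4 literal, counts as a
# host, so a file name like foo.sh may also be listed; review by eye.

find_callouts() {
    dir="$1"
    grep -rEn '(^|[^[:alnum:]_])(wget|curl)([^[:alnum:]_]|$)' "$dir" 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        line=${rest%%:*}
        text=${rest#*:}
        # Pull URL-like and hostname-like tokens out of the matched line,
        # drop scheme, port and path, keep only plausible hosts.
        printf '%s\n' "$text" |
        grep -Eo '(https?://)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(:[0-9]+)?(/[^[:space:]"`]*)?' |
        sed -E 's#^https?://##; s#[:/].*$##' |
        grep -E '(\.[A-Za-z][A-Za-z0-9-]*$)|(^([0-9]{1,3}\.){3}[0-9]{1,3}$)' |
        while IFS= read -r host; do
            printf '%s:%s %s\n' "$file" "$line" "$host"
        done
    done | sort -u
}

# Constructed sample tree standing in for a live Puppy's /usr/sbin: one
# script with the line quoted from ipinfo, one with a curl to an IP literal.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/ipinfo" <<'EOF'
#!/bin/sh
# constructed copy of the line quoted in the thread
var0="`wget -O - -q icanhazip.com`"
EOF
    cat > "$d/other" <<'EOF'
#!/bin/sh
curl -s http://198.101.241.44:80/ >/dev/null
echo "nothing else here touches the network"
EOF
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
find_callouts "$demo"   # prints ipinfo:3 icanhazip.com and other:2 198.101.241.44
rm -rf "$demo"
```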

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#17 Post by James C »

Yes...... same deal as the other thread.
We found 2 hostnames for IP Address 198.101.241.44 [ Lookup this IP ]
1. icanhazip.com
2. 198.101.241.44
from

http://198.101.241.44.ipaddress.com/

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#18 Post by James C »

nooby wrote: Sorry, me so lazy. I did take a look and my old Lupu 528-005
does connect to 198.101.241.44. I have had the OS running now
since about 6AM and still now at 10.13 it still lists it in the IPstat
that comes up if one clicks on the icon in the tray. It says
FIN_WAIT1, whatever that refers to.

I should look in /usr/sbin/ipinfo now.
It says:
# PROGRAM: ipdisp
# AUTHOR: Vovchik
# PURPOSE: GUI to show IP config info
# DATE: 14 May 2009
...
# external ip
var0="`wget -O - -q icanhazip.com`"
I remember from other threads that
icanhazip.com is what General Hayden's server may be named.

So it would be possible to change that name, but most likely it
only lasts for that session and gets back when one reboots?

So either a very innocent way to check that it works
or a CIA way to have total control through Linux?
Should have read the next page of the thread....
http://www.murga-linux.com/puppy/viewto ... 530#644530

rackerhacker wrote:
I'm Major Hayden and I operate icanhazip.com. The purpose of the site is to allow people to find their external IPv4/IPv6 address with zero advertisements, cookies, or tracking of any kind. I work for a pretty large hosting company and I'm able to provide the service to people free of charge.

It sounds like Puppy Linux has been updated to query my site to figure out the external IP address of machines running Puppy Linux. I didn't make that change and I didn't have any input on the change.

With that said, I have absolutely no issues with Puppy Linux using my site and I welcome any other questions or comments you have about icanhazip.com.

As an aside, you should know that:

neither of my parents have Hayden as their last name
I have zero affiliations with any government agencies (I work for a large hosting provider)
I welcome any comments or questions that you have

You can find me on freenode as 'rackerhacker' if you want to get in touch.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#19 Post by nooby »

Sorry, now that you remind me I remember that exact post.
So typical of Nooby: I cannot rely on my memory, but I did suggest
that it was a known thing in my first post?

I am in Zeven OS now and xUbuntu, so it would be cool to know if
they also use the same IP; how does one look?

roadkill13
Posts: 154
Joined: Wed 10 Aug 2011, 21:41
Location: United States

#20 Post by roadkill13 »

rerwin wrote:
IIRC, the first version of Precise was 5.4, not 5.3.3.
I have a puppy that identifies itself as Puppy Precise 5.3. See below.
=== Distro ===

Precise Puppy 5.3.0

=== Window Manager/Desktop Environment ===

Current window manager: OPENBOX (starts from C.L. with: 'xwin openbox-session')

JWM vsvn-574
ROX-Filer 2.11

=== Network Interface ===

wlan0 connected

=== report-video ===

Precise Puppy, version 5.3.0 on Mon 4 Nov 2013

Chip description:
2.0 VGA compatible controller
Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)
oem: Intel(r) 82945GM Chipset Family Graphics Chip Accelerated VGA BIOS
product: Intel(r) 82945GM Chipset Family Graphics Controller Hardware Version 0.0

X Server: Xorg
Driver used: intel

X.Org version: 1.11.3
dimensions: 1280x800 pixels (338x211 millimeters)
depth of root window: 16 planes
Release Date: 2011-12-16
Build Date: 04 April 2012 11:58:38PM

=== /etc/rc.d/PUPSTATE ===

PUPMODE=12
PDEV1='sda1'
DEV1FS='ext4'
PUPSFS='sda1,ext4,/precise5.3.0frugal/puppy_precise_5.3.0.sfs'
PUPSAVE='sda1,ext4,/precise5.3.0frugal/precisesave.4fs'
PMEDIA='atahd'
#ATADRIVES is all internal ide/pata/sata drives, excluding optical, excluding usb...
ATADRIVES='sda '
#ATAOPTICALDRIVES is list of non-usb optical drives...
ATAOPTICALDRIVES='sr0 '
#these directories are unionfs/aufs layers in /initrd...
SAVE_LAYER='/pup_rw'
PUP_LAYER='/pup_ro2'
#The partition that has the precisesave file is mounted here...
PUP_HOME='/mnt/dev_save'
#(in /initrd) ...note, /mnt/home is a link to it.
#this file has extra kernel drivers and firmware...
ZDRV=''
#complete set of modules in the initrd (moved to main f.s.)...
ZDRVINIT='no'
#Partition no. override on boot drive to which session is (or will be) saved...
PSAVEMARK=''
PSUBDIR='/precise5.3.0frugal'
If 5.4 was the first official Precise which Puppy do I really have? I have not downloaded UPUP to the best of my knowledge.
