Puppy Linux Discussion Forum

[UnderCovers]

Months ago, when 5.3.3 was the latest Puppy Precise distro, I downloaded the iso for an x86 system. Everything expected to be included works fine. THE UNEXPECTED "live" software is a BOTNET CLIENT. Once the ethernet LAN connection is enabled, the bot client tries to connect to a command server. On each boot, the command server IP changes but port 80 used as the destination port. The source port on the Precise system seems to be a random high port number.

The MD5 checked when I downloaded this .ISO. HIGHLY recommend not using this version of Precise unless you want to watch BOT client behavior.

Note my ISP provided a warning of BOT activity detected on their network when I left the system run for an hour.

I WILL EXAMINE the same x86 LiveCD for 5.5 to see if the client code remains.

[Flash]

It might actually be helpful if you gave the URL to where you downloaded the 5.3.3 iso from.

[rcrsn51]

IIRC, the first version of Precise was 5.4, not 5.3.3.

[R-S-H]

Hi.

Actually I do have a Precise version 5.3.3.3 and iirc, I did download from official download site.

Can not confirm any bot activity on this version - only a few times used - offline only!

RSH

[nooby]

Using google I find this on DistroWatch
2012-05-05: Distribution Release: Puppy Linux 5.3.3 "Slacko"

so that is Slacko or is that Puppy Slacko Precise?
I guess Precise is not slack but based on Ubuntu so
I search again and find this

Upup Precise 5.3.3.3 has been uploaded. See the first post.
http://www.murga-linux.com/puppy/viewtopic.php?t=77697

Edit so that one have an extra 3 there so that is not the same?

So which Precise is it we talk about?

Or is the OP referring to the usual Google check that the IP works?
what is the name of that General or Captain or Major or what is title
that have a famous server that do such service.

On the other hand the ISP told the OP that such Bot activity was going on.
So hope he gives us more details

[R-S-H]

May Data:

Full Name of ISO: precise-5.3.3.3-SCSI.iso
Full Name of DevX: devx_precise_5.3.3.3.sfs

[nooby]

Thanks could that be the one that he refers to then?
So how can one find that code that ask a program to connect
to that server he talks about?

If security firms ahs told about such urls recently one maybe
can search for it but most likely such is hashed in the code
so one should look for something hashed can that be easily done
using Pfind?

Edit I have changed from one computer to another and
most likely has it on the small Netbook or the otehr small netbook
and are too lazy to fire it up one need to find cables
and it is crampy and tights there and Ifeel for TV and music
and not fiddling with cables today but if none else have it
apart from OP and RSH and I then we could compare things
the coming days.

Where would a botnet hide it's code? Any statistics on where to look?

[Pence]

Probably should wait for UnderCover's second post, just to be sure that he is not a prankster.

[nooby]

His choice of user name can be a hint that he love to troll?
But I feel very un-polite thinking that way. So it is sad he
did not give more details in that first post.

Okay we wait then

[L18L]

[UnderCovers]

Sorry for the delay but original post was done quickly followed by long trip to a dinner. It was Precise 5.4.3, not a 5.3.3 iso. Got to the file via download page from www.puppylinux.com. I had pulled the 5.5 Precise and 5.5 Wary versions today.

Both show similar behavior after boot and X start of GUI. IPstats show traffic from Puppy PC to 198.101.241.44:80. Surprise, surprise, the Precise version starts traffic even before I configure the network connection (eth0) via DHCP. With the startup configure box up but prior to selections, I checked IPstats and the system already had eth0 enabled with an IP address from lan DHCP server. Normally I had done the eth0 configure by selecting AutoDHCP myself, thinking the system was offnet until doing configure.

I did not find much useful about 198.101.241.44. No DNS or hostname but traceroute stopped at a Rackspace Hosting Cloud Servers subnet.Note this IP is different from the 2 used with the 5.4.3 version on post-startup (don't have my notes or I would post; likely somewhere else in the clouds).

If this connection is legit and documented somewhere, please educate me.
I will try an iso image from the ibiblio.org folder for slackware 5.5.

[Flash]

Seems to me that this or a very similar thing has been reported before, perhaps years ago, for other versions of Puppy. I don't recall for sure, but I think it was decided that Puppy does it for some benign reason.

Could Puppy be looking for printers on the LAN?

[James C]

Might be related to this......
http://www.murga-linux.com/puppy/viewtopic.php?p=514460&search_id=1948834318#514460

[nooby]

[nooby]

Sorry me so laxy. I did take a look and my old Lupu 528-005
does connect to 198.101.241.44 I have had the OS running now
since about 6AM and still now 10.13 it still list it in the IPstat
that comes up if one click on the icon in tray. It says
FIN_WAIT1 whatever that refers to.

I should look in /usr/sbin/ipinfo now
it says?