Puppy Linux Discussion Forum
Forum index » Off-Topic Area » Security
Precise 5.4.3 LiveCD contains botnet client? (Solved)
UnderCovers

Joined: 07 May 2013
Posts: 2

PostPosted: Tue 07 May 2013, 09:52    Post_subject:  Precise 5.4.3 LiveCD contains botnet client? (Solved)
Sub_title: Botnet malware included in validated Precise 5.3.3 iso for x86
 

Months ago, when 5.3.3 was the latest Puppy Precise distro, I downloaded the iso for an x86 system. Everything expected to be included works fine. THE UNEXPECTED "live" software is a BOTNET CLIENT. Once the ethernet LAN connection is enabled, the bot client tries to connect to a command server. On each boot, the command server IP changes, but port 80 is used as the destination port. The source port on the Precise system seems to be a random high port number.

The MD5 checked out when I downloaded this .iso. I HIGHLY recommend not using this version of Precise unless you want to watch BOT client behavior.

Note my ISP provided a warning of BOT activity detected on their network when I left the system running for an hour.

I WILL EXAMINE the same x86 LiveCD for 5.5 to see if the client code remains.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11153
Location: Arizona USA

PostPosted: Tue 07 May 2013, 10:43    Post_subject:  

It might actually be helpful if you gave the URL to where you downloaded the 5.3.3 iso from.
rcrsn51


Joined: 05 Sep 2006
Posts: 9256
Location: Stratford, Ontario

PostPosted: Tue 07 May 2013, 11:38    Post_subject:  

IIRC, the first version of Precise was 5.4, not 5.3.3.
R-S-H

Joined: 18 Feb 2013
Posts: 490

PostPosted: Tue 07 May 2013, 12:03    Post_subject:  

Hi.

Actually I do have a Precise version 5.3.3.3 and IIRC, I did download it from the official download site.

Cannot confirm any bot activity on this version - only used a few times - offline only!

RSH

_________________
LazY Puppy Home
The new LazY Puppy Information Centre

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Tue 07 May 2013, 12:19    Post_subject:  

Using Google I find this on DistroWatch:
2012-05-05: Distribution Release: Puppy Linux 5.3.3 "Slacko"

So is that Slacko, or is that Puppy Slacko Precise?
I guess Precise is not Slackware-based but Ubuntu-based, so
I search again and find this:

Upup Precise 5.3.3.3 has been uploaded. See the first post.
http://www.murga-linux.com/puppy/viewtopic.php?t=77697

Edit: so that one has an extra 3 there, so it is not the same?

So which Precise is it we are talking about?

Or is the OP referring to the usual Google check that the IP works?
What is the name of that General or Captain or Major, or whatever his title is,
who has a famous server that does such a service?

On the other hand, the ISP told the OP that such bot activity was going on,
so I hope he gives us more details.

_________________
I use Google Search on Puppy Forum
not an ideal solution though
R-S-H

Joined: 18 Feb 2013
Posts: 490

PostPosted: Tue 07 May 2013, 12:32    Post_subject:  

My data:

Full Name of ISO: precise-5.3.3.3-SCSI.iso
Full Name of DevX: devx_precise_5.3.3.3.sfs

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Tue 07 May 2013, 12:47    Post_subject:  

Thanks, could that be the one that he refers to then?
So how can one find the code that asks a program to connect
to that server he talks about?

If security firms have told about such URLs recently one maybe
can search for it, but most likely such is hashed in the code,
so one should look for something hashed. Can that be easily done
using Pfind?

Edit: I have changed from one computer to another and
most likely have it on the small netbook or the other small netbook
and am too lazy to fire it up; one needs to find cables
and it is cramped and tight there and I feel like TV and music
and not fiddling with cables today, but if nobody else has it
apart from the OP and RSH and me then we could compare things
in the coming days.

Where would a botnet hide its code? Any statistics on where to look?

Pence

Joined: 30 Jul 2005
Posts: 201

PostPosted: Tue 07 May 2013, 13:19    Post_subject:  

Probably should wait for UnderCovers' second post, just to be sure that he is not a prankster.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Tue 07 May 2013, 13:27    Post_subject:  

His choice of user name can be a hint that he loves to troll?
But I feel very impolite thinking that way. So it is sad he
did not give more details in that first post.

Okay, we wait then.
L18L

Joined: 19 Jun 2010
Posts: 2574
Location: Moved from Hosla to www.eussenheim.de

PostPosted: Tue 07 May 2013, 14:39    Post_subject: Re: Precise 5.3.3 LiveCD contains botnet client  

On his blog, BK wrote:
Precise Puppy 5.4
This is it, the very first official release of Precise Puppy! Brief announcement:

Precise Puppy is built from ...


rcrsn51 RC
UnderCovers

Joined: 07 May 2013
Posts: 2

PostPosted: Tue 07 May 2013, 23:26    Post_subject: correction and more info  

Sorry for the delay, but the original post was done quickly, followed by a long trip to a dinner. It was Precise 5.4.3, not a 5.3.3 iso. Got to the file via the download page from www.puppylinux.com. I had pulled the 5.5 Precise and 5.5 Wary versions today.

Both show similar behavior after boot and X start of the GUI. IPstats shows traffic from the Puppy PC to 198.101.241.44:80. Surprise, surprise, the Precise version starts traffic even before I configure the network connection (eth0) via DHCP. With the startup configure box up but prior to selections, I checked IPstats and the system already had eth0 enabled with an IP address from the LAN DHCP server. Normally I had done the eth0 configure by selecting AutoDHCP myself, thinking the system was offnet until doing configure.

I did not find much useful about 198.101.241.44. No DNS or hostname, but traceroute stopped at a Rackspace Hosting Cloud Servers subnet. Note this IP is different from the 2 used with the 5.4.3 version on post-startup (don't have my notes or I would post; likely somewhere else in the clouds).

If this connection is legit and documented somewhere, please educate me.
I will try an iso image from the ibiblio.org folder for Slackware 5.5.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11153
Location: Arizona USA

PostPosted: Wed 08 May 2013, 00:05    Post_subject:  

Seems to me that this or a very similar thing has been reported before, perhaps years ago, for other versions of Puppy. I don't recall for sure, but I think it was decided that Puppy does it for some benign reason.

Could Puppy be looking for printers on the LAN?
James C


Joined: 26 Mar 2009
Posts: 5932
Location: Kentucky

PostPosted: Wed 08 May 2013, 01:03    Post_subject:  

Might be related to this......
http://www.murga-linux.com/puppy/viewtopic.php?p=514460&search_id=1948834318#514460
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Wed 08 May 2013, 02:03    Post_subject:  

James C wrote:
Might be related to this......
http://www.murga-linux.com/puppy/viewtopic.php?p=514460&search_id=1948834318#514460


That is the Major I remembered: http://majorhayden.com/.

But that does not explain that the ISP confirmed something very bad
was going on. Sad that the ISP gave no good documentation on it.

198.101.241.44: should not security firms know about such things then?

Reading that whole thread, it ends with this horrible text.
http://www.murga-linux.com/puppy/viewtopic.php?p=547747#547747

It got me so scared that I shut down the page and forgot the text.
I could not cope with it. Is that true or is it a kind of conspiracy text?

I used Google and found this one:
198.101.241.44 ISP Unknown Lamoni, Iowa, United States User/Unknown

Could the CIA have a server then in Lamoni, Iowa?
Does General Hayden live there maybe?

How do other Linuxes test if their connection is established?
Any statistics on how many Linux distros make use of General Hayden? Blasphemous speculation: does his son take over when he
dies of old age? Or is he just a friendly face for the CIA,
so he is not personally running the service, just accepting that it is named
as belonging to him? A kind of honoring his loyalty?
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Wed 08 May 2013, 04:16    Post_subject:  

Sorry, I am so lazy. I did take a look and my old Lupu 528-005
does connect to 198.101.241.44. I have had the OS running now
since about 6 AM and still now at 10:13 it still lists it in the IPstat
that comes up if one clicks on the icon in the tray. It says
FIN_WAIT1, whatever that refers to.

I should look in /usr/sbin/ipinfo now.
It says?

Quote:

PROGRAM: ipdisp
# AUTHOR: Vovchik
# PURPOSE: GUI to show IP config info
# DATE: 14 May 2009
...
# external ip
var0="`wget -O - -q icanhazip.com`"



I remember from other threads that
icanhazip.com is what General Hayden's server may be named.

So it would be possible to change that name, but most likely it
only lasts for that session and comes back when one reboots?

So either a very innocent way to check that it works
or a CIA way to have total control through Linux?
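A worked version of the two checks the thread walks through (UnderCovers' IPstats entry for 198.101.241.44:80, and the `wget -O - -q icanhazip.com` line nooby found in /usr/sbin/ipinfo), as an added example that is not part of the thread and not Puppy's own code: it maps an unexplained remote endpoint to the owning process from ss(8)-style output, then audits a directory of scripts for fetch commands that name a host. The ss capture, the pid 4711, the local addresses and the two demo scripts are constructed for the example.

```shell
#!/bin/sh
# Added example, not Puppy's code. Two checks for a LiveCD that opens an
# unexplained TCP connection, as reported above for 198.101.241.44:80.

# --- 1. Which process owns the connection? -------------------------------
# On a live system (root is needed to see process names):
#     ss -tnp | grep '198.101.241.44:80'
# A constructed capture in ss(8) column layout so this runs offline; the
# pids, local addresses and the second connection are made up.
SAMPLE_SS='ESTAB 0 0 192.168.1.23:49152 198.101.241.44:80 users:(("wget",pid=4711,fd=3))
ESTAB 0 0 192.168.1.23:38944 192.168.1.1:22 users:(("ssh",pid=2022,fd=3))'

# owner_of <peer-ip:port> <ss -tnp output>  ->  "<program> <pid>", or nothing
owner_of() {
    printf '%s\n' "$2" \
      | awk -v peer="$1" '$5 == peer { print $6 }' \
      | sed -n 's/.*(("\([^"]*\)",pid=\([0-9]*\),.*/\1 \2/p'
}

# --- 2. Which script makes the call? --------------------------------------
# A one-shot wget is gone by the time you look, so the socket is often left
# with no process attached. The next step is to grep the startup scripts for
# fetch commands that contain a hostname, which is how the ipinfo line was
# found in the thread above.
# find_callouts <dir>  ->  "file:line:text" for each wget/curl/nc line that
# names a host
find_callouts() {
    grep -rnE '(^|[^A-Za-z])(wget|curl|nc|netcat) [^|;&]*[A-Za-z0-9-]+\.[a-z][a-z]+' "$1" 2>/dev/null
}

# Constructed scripts to scan: one mirrors the ipinfo line quoted above,
# the other is purely local and must not be flagged.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/ipinfo" <<'EOF'
#!/bin/sh
# external ip
var0="`wget -O - -q icanhazip.com`"
EOF
cat > "$demo_dir/netcheck" <<'EOF'
#!/bin/sh
ip addr show eth0
EOF

echo "owner of 198.101.241.44:80 -> $(owner_of 198.101.241.44:80 "$SAMPLE_SS")"
echo "scripts that fetch from a hostname:"
find_callouts "$demo_dir"
```

On a live system the process column is only populated while the fetch is in flight; a socket that shows as FIN_WAIT1 or TIME_WAIT with no owner, as nooby describes, is the usual trace of a short-lived wget, and the grep step is what closes the gap. To confirm the benign explanation rather than assume it, `getent hosts icanhazip.com` on the booted LiveCD should resolve to the address IPstats shows, and the script's own output should be nothing more than your public IP.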