UnderCovers
Joined: 07 May 2013 Posts: 2
Posted: Tue 07 May 2013, 09:52 Post subject:
Precise 5.4.3 LiveCD contains botnet client? (Solved) Subject description: Botnet malware included in validated Precise 5.3.3 iso for x86
Months ago, when 5.3.3 was the latest Puppy Precise distro, I downloaded the iso for an x86 system. Everything expected to be included works fine. THE UNEXPECTED "live" software is a BOTNET CLIENT. Once the ethernet LAN connection is enabled, the bot client tries to connect to a command server. On each boot, the command server IP changes, but port 80 is used as the destination port. The source port on the Precise system seems to be a random high port number.
The MD5 checked out when I downloaded this .ISO. HIGHLY recommend not using this version of Precise unless you want to watch BOT client behavior.
Note my ISP provided a warning of BOT activity detected on their network when I let the system run for an hour.
I WILL EXAMINE the same x86 LiveCD for 5.5 to see if the client code remains.
Flash
Official Dog Handler

Joined: 04 May 2005 Posts: 12823 Location: Arizona USA
Posted: Tue 07 May 2013, 10:43 Post subject:
It might actually be helpful if you gave the URL to where you downloaded the 5.3.3 iso from.
rcrsn51

Joined: 05 Sep 2006 Posts: 11889 Location: Stratford, Ontario
Posted: Tue 07 May 2013, 11:38 Post subject:
IIRC, the first version of Precise was 5.4, not 5.3.3.
R-S-H
Joined: 18 Feb 2013 Posts: 490
Posted: Tue 07 May 2013, 12:03 Post subject:
Hi.
Actually I do have a Precise version 5.3.3.3 and iirc, I did download from official download site.
Cannot confirm any bot activity on this version - only used a few times - offline only!
RSH
_________________ LazY Puppy Home
The new LazY Puppy Information Centre
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Tue 07 May 2013, 12:19 Post subject:
Using Google I find this on DistroWatch:
2012-05-05: Distribution Release: Puppy Linux 5.3.3 "Slacko"
so that is Slacko, or is that Puppy Slacko Precise?
I guess Precise is not Slack but based on Ubuntu, so
I search again and find this:
Upup Precise 5.3.3.3 has been uploaded. See the first post.
http://www.murga-linux.com/puppy/viewtopic.php?t=77697
Edit: so that one has an extra 3 there, so that is not the same?
So which Precise is it we talk about?
Or is the OP referring to the usual Google check that the IP works?
What is the name of that General or Captain or Major, or whatever the title is,
that has a famous server that does such a service?
On the other hand, the ISP told the OP that such bot activity was going on.
So hope he gives us more details.
_________________ I use Google Search on Puppy Forum
not an ideal solution though
R-S-H
Joined: 18 Feb 2013 Posts: 490
Posted: Tue 07 May 2013, 12:32 Post subject:
My Data:
Full Name of ISO: precise-5.3.3.3-SCSI.iso
Full Name of DevX: devx_precise_5.3.3.3.sfs
_________________ LazY Puppy Home
The new LazY Puppy Information Centre
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Tue 07 May 2013, 12:47 Post subject:
Thanks, could that be the one that he refers to then?
So how can one find that code that asks a program to connect
to that server he talks about?
If security firms have told about such URLs recently one maybe
can search for it, but most likely such is hashed in the code,
so one should look for something hashed. Can that be easily done
using Pfind?
Edit: I have changed from one computer to another and
most likely have it on the small netbook or the other small netbook
and am too lazy to fire it up; one needs to find cables
and it is cramped and tight there and I feel for TV and music
and not fiddling with cables today, but if no one else has it
apart from OP and RSH and I, then we could compare things
the coming days.
Where would a botnet hide its code? Any statistics on where to look?
_________________ I use Google Search on Puppy Forum
not an ideal solution though
Pence
Joined: 30 Jul 2005 Posts: 201
Posted: Tue 07 May 2013, 13:19 Post subject:
Probably should wait for UnderCover's second post, just to be sure that he is not a prankster.
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Tue 07 May 2013, 13:27 Post subject:
His choice of user name can be a hint that he loves to troll?
But I feel very impolite thinking that way. So it is sad he
did not give more details in that first post.
Okay we wait then
_________________ I use Google Search on Puppy Forum
not an ideal solution though
L18L
Joined: 19 Jun 2010 Posts: 3431 Location: www.eussenheim.de/
Posted: Tue 07 May 2013, 14:39 Post subject:
Re: Precise 5.3.3 LiveCD contains botnet client
on his blog bk wrote:
Quote: Precise Puppy 5.4
This is it, the very first official release of Precise Puppy! Brief announcement:
Precise Puppy is built from ...
rcrsn51 RC
UnderCovers
Joined: 07 May 2013 Posts: 2
Posted: Tue 07 May 2013, 23:26 Post subject:
correction and more info
Sorry for the delay, but the original post was done quickly, followed by a long trip to a dinner. It was Precise 5.4.3, not a 5.3.3 iso. Got to the file via the download page from www.puppylinux.com. I had pulled the 5.5 Precise and 5.5 Wary versions today.
Both show similar behavior after boot and X start of GUI. IPstats show traffic from the Puppy PC to 198.101.241.44:80. Surprise, surprise, the Precise version starts traffic even before I configure the network connection (eth0) via DHCP. With the startup configure box up but prior to selections, I checked IPstats and the system already had eth0 enabled with an IP address from the LAN DHCP server. Normally I had done the eth0 configure by selecting AutoDHCP myself, thinking the system was offnet until doing configure.
I did not find much useful about 198.101.241.44. No DNS or hostname, but traceroute stopped at a Rackspace Hosting Cloud Servers subnet. Note this IP is different from the 2 used with the 5.4.3 version on post-startup (don't have my notes or I would post; likely somewhere else in the clouds).
If this connection is legit and documented somewhere, please educate me.
I will try an iso image from the ibiblio.org folder for slackware 5.5.
Flash
Official Dog Handler

Joined: 04 May 2005 Posts: 12823 Location: Arizona USA
Posted: Wed 08 May 2013, 00:05 Post subject:
Seems to me that this or a very similar thing has been reported before, perhaps years ago, for other versions of Puppy. I don't recall for sure, but I think it was decided that Puppy does it for some benign reason.
Could Puppy be looking for printers on the LAN?
James C

Joined: 26 Mar 2009 Posts: 6717 Location: Kentucky
Posted: Wed 08 May 2013, 01:03 Post subject:
Might be related to this......
http://www.murga-linux.com/puppy/viewtopic.php?p=514460&search_id=1948834318#514460
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Wed 08 May 2013, 02:03 Post subject:
That is the Major I remembered: http://majorhayden.com/.
But that does not explain that the ISP confirmed something very bad
was going on. Sad that the ISP gave no good documentation on it.
198.101.241.44 - should not security firms know about such then?
Reading that whole thread, it ends with this horrible text.
http://www.murga-linux.com/puppy/viewtopic.php?p=547747#547747
It got me so scared that I shut down the page and forgot the text;
I could not cope with it. Is that true or is it a kind of conspiracy text?
I used Google and found this one:
198.101.241.44 ISP Unknown Lamoni, Iowa, United States User/Unknown
Could the CIA have a server then in Lamoni, Iowa?
Does General Hayden live there maybe?
How do other Linuxes test if their connection is established?
Any statistics on how many Linux distros make use of General Hayden? Blasphemous speculation: does his son take over when he
dies of old age? Or is he just a friendly face for the CIA,
so he is not personally running the service, just accepts that it is named
as belonging to him? A kind of honoring his loyalty?
_________________ I use Google Search on Puppy Forum
not an ideal solution though
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
Posted: Wed 08 May 2013, 04:16 Post subject:
Sorry, me so lazy. I did take a look and my old Lupu 528-005
does connect to 198.101.241.44. I have had the OS running now
since about 6AM and still now at 10.13 it still lists it in the IPstat
that comes up if one clicks on the icon in the tray. It says
FIN_WAIT1, whatever that refers to.
I should look in /usr/sbin/ipinfo now
it says?
Quote:
# PROGRAM: ipdisp
# AUTHOR: Vovchik
# PURPOSE: GUI to show IP config info
# DATE: 14 May 2009
...
# external ip
var0="`wget -O - -q icanhazip.com`"
I remember from other threads that
icanhazip.com is what General Hayden's server may be named.
So it would be possible to change that name, but most likely it
only lasts for that session and comes back when one reboots?
So either a very innocent way to check that it works
or a CIA way to have total control through Linux?
_________________ I use Google Search on Puppy Forum
not an ideal solution though
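The way the connection was finally explained in this thread (finding the script that runs `wget` against icanhazip.com) generalises into a simple audit: list every script on the system that calls `wget` or `curl`, together with the host it contacts, so an unexpected outbound connection can be matched to a known script before anyone concludes it is malware. The script below is an added example, not Puppy's own code. It builds a constructed sample tree containing a cut-down `ipdisp` with the exact line quoted above, a second script that contacts the placeholder host `updates.example.net` (not a real site), and a third script with no network activity, then scans that tree. On a real Puppy system you would point `scan_outbound_fetches` at `/` (or at `/usr/sbin` and `/usr/local/bin`) instead of the sample tree.

```shell
#!/bin/sh
# Added example (not Puppy's own code): inventory scripts that phone out.
# scan_outbound_fetches DIR prints one "<script> <host>" line per script
# under DIR that invokes wget or curl, so an observed connection can be
# traced back to the file responsible for it.
scan_outbound_fetches() (
    cd "$1" || exit 1
    # Stage 1: which files mention wget or curl at all?
    grep -rlE 'wget|curl' . 2>/dev/null | sort | while IFS= read -r f; do
        # Stage 2: for each such line, drop everything up to the command
        # name, keep tokens that look like a URL or bare hostname, strip
        # the scheme and path, and report each distinct host once.
        grep -E 'wget|curl' "$f" \
        | sed -E 's/^.*(wget|curl)[[:space:]]+//' \
        | grep -oE "(https?://)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(/[^[:space:]\"'\`]*)?" \
        | sed -E 's#^https?://##; s#/.*$##' \
        | sort -u \
        | while IFS= read -r host; do
            printf '%s %s\n' "$f" "$host"
        done
    done
)

# make_sample_tree builds a constructed fixture in a temp dir and prints
# its path. The ipdisp fragment mirrors the lines quoted in the thread;
# the other two scripts are invented for the demonstration.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin" "$root/usr/local/bin"
    cat > "$root/usr/sbin/ipdisp" <<'EOF'
#!/bin/sh
# PROGRAM: ipdisp
# PURPOSE: GUI to show IP config info
# external ip
var0="`wget -O - -q icanhazip.com`"
echo "$var0"
EOF
    # Constructed script contacting a placeholder host (hypothetical).
    cat > "$root/usr/local/bin/update-check" <<'EOF'
#!/bin/sh
curl -s http://updates.example.net/check >/dev/null
EOF
    # Constructed script with no network activity; must not be reported.
    cat > "$root/usr/local/bin/hello" <<'EOF'
#!/bin/sh
echo hello
EOF
    printf '%s\n' "$root"
}

# Stand-alone run: build the fixture, scan it, clean up.
sample=$(make_sample_tree)
scan_outbound_fetches "$sample"
rm -rf "$sample"
```

The scan is a heuristic: it only catches plain `wget`/`curl` invocations with a literal host on the same line, not hosts assembled from variables or fetched by other tools, so a clean report is a starting point, not proof. Pairing it with the IPstat/netstat view of live connections (the `FIN_WAIT1` socket mentioned above) closes the loop: the socket tells you where the traffic goes, the scan tells you which script sends it.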