Paranoia for Beginners

For discussions about security.
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#196 Post by nooby »

Was it McAfee or some other security firm that told eager reporters on IDG News? PCWorld maybe? Or on BBC World Service or ...

Recently they admitted that the current way of using anti-virus does not work well.

The better way has to be intelligent programs that watch for peculiar activity, something odd going on.

That is not what they wrote but my crude retranslation: they translated from English to Swedish and I translated back to English. Whoa.

So instead of having AV that looks for "signatures", with us updating the signatures that are always some hours or days too late,

the next versions of AV will be programs that watch for activity that would not be normal for the person using the computer.

May I predict it will not be easy? I mean, when one uses such programs they warn and warn and warn, and one gets tired of all the warnings, has no idea what they are trying to say, and shuts it all down, too annoyed by all the noise it produces.

So what to do?
I use Google Search on Puppy Forum
not an ideal solution though

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#197 Post by Lobster »

nooby wrote: So what to do?
Panic!
Run for the hills!
. . . well maybe not

Note the enclosed pic
This is my root - it looks different for no reason :?
As far as I know I have not installed 'Puppy File Sharing'
I am using Transmission and Slacko beta 3

Have I been hacked by a non existent Puppy Black Ops
file sharing team?

Please advise by post or encrypted carrier pigeon :shock:


**********************Puppy File Sharing******************

This script uses Curlftpfs, Mpscan, Pure-ftpd, and Rox to set up a file sharing system that, to the user, is similar to Samba (Windows) file sharing. The intent is that this will be used between two computers running Puppy Linux. However, another operating system (Windows) can connect to the server using a web browser. Just type the IP address in the address field (e.g. ftp://192.168.254.2).

Before doing anything, you must be connected to your network.

Inside of the File-Sharing folder you will find a Rox application named Setup-Sharing. Clicking on Setup-Sharing will open a series of windows. The first menu will ask you if you want to connect to a folder on another computer (Client) or share a folder on your computer (server).

If you select to share a folder on your computer, so that another computer can connect to it, you will be presented with two options:

* Anonymous No password required for others to connect.

This will allow others to connect to your computer without a user name or password. However, they will only be able to connect to /root/ftpd. So place any items you want to share in that folder.

* Password A user name and password will be required for others to connect.

This will require others to use a user name and password to connect to your computer. In Puppy you normally run as a user named root, your home folder is /root, and the default password is woofwoof. If you choose this option you should change your root password. To do this open a terminal (The console icon on the desktop) and type:

# passwd

You'll be prompted to enter a new password. User root is the superuser (he can do anything), so you may not want others logging in as root. So if you want, you can add new users. If you wanted to add a new user named doug and give doug a home directory of /mnt/home/doug, you can do this by opening a terminal and typing:

# adduser doug -h /mnt/home/doug

You'll be prompted for a new password for doug and the folder /mnt/home/doug will be created. Now someone can connect to your computer by using the user name doug and whatever password you entered. When they login as doug, they will see whatever is in /mnt/home/doug. You can use just about any user name you like and the home folder doesn't have to be /mnt/home/doug, use whatever you like.


Next, you will be asked if you want to start the server for just this session or if you want it to start on every boot. If you choose to start it on every boot, an entry will be made in /etc/rc.d/rc.local.

If you choose to connect to another computer, you will be presented with two options:

* Scan Search your local network for a connection.

This will scan your local network (subnet) and list any ftp servers it finds. You will then be asked if you want to create a connection. If the connection requires a user name and password you will be asked for it.


* Manual Enter an IP address. (Optional username and password)

This will let you enter a user name, password and an IP address to create a new connection.

After selecting one of the above options a new connection will be created in the File-Sharing folder. By clicking on one of the newly created Shared-xxx icons, a window will open for that network connection and you can drag and drop files to and from it.


Limitations:

* Permissions are not always preserved, so ROX reports errors. Copied files are created with a umask of 022.
* Symlinks don't copy.
* When scanning for servers, sometimes your server may not be found; try again.
* If your computers are on a DHCP network (IP addresses are automatically assigned), the connection short-cuts (Rox apps) may not work the next time you boot because of IP address changes. In this case you'll have to scan and create a new connection.
Attachment: h1.jpg
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
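The question in the post above is whether the "Puppy File Sharing" script is merely present or actually running and reachable. The readme says exactly what the script touches (pure-ftpd, an entry in /etc/rc.d/rc.local, anonymous access to /root/ftpd), so those are the things worth checking before worrying about black-ops teams. The helpers below are an added example, not part of the Puppy File Sharing script or of Puppy itself. They assume pure-ftpd listens on tcp/21 and that the rc.local entry contains the word "pure-ftpd" (the readme does not say what the entry looks like); the `-E` flag is pure-ftpd's real "no anonymous users" option. Paths and command output are parameters so the checks also run against saved samples.

```shell
#!/bin/sh
# Added audit helpers for an unexpected file-sharing install under /root.
# Not part of Puppy File Sharing; assumptions: pure-ftpd on tcp/21 and an
# rc.local line that mentions "pure-ftpd". Paths and command output are
# parameters so the functions can be fed saved samples.

# Does this rc.local start the FTP server on every boot?
# $1 = path to rc.local. Returns 0 if an entry is present.
rc_local_autostarts_ftp() {
    grep -q 'pure-ftpd' "$1" 2>/dev/null
}

# Is anything listening on the FTP port? $1 = text of `ss -ltn` or
# `netstat -tln`; both print local addresses like 0.0.0.0:21 or :::21.
ftp_port_open() {
    printf '%s\n' "$1" | grep -Eq ':21[[:space:]]'
}

# Would the running server accept anonymous logins? $1 = the pure-ftpd
# command line. pure-ftpd refuses anonymous users only when started with -E
# (given as a separate flag here), so no -E means the readme's "Anonymous"
# mode, i.e. /root/ftpd is readable by anyone on the subnet.
ftp_cmdline_allows_anon() {
    case " $1 " in
        *" -E "*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Which top-level entries under $1 were modified in the last $2 minutes?
# Useful for dating unexpected directories such as NTSC, Go, Let or Me.
recent_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -mmin "-$2" 2>/dev/null | sort
}

# Stand-alone run: audit this machine. Every step tolerates a missing tool.
if rc_local_autostarts_ftp /etc/rc.d/rc.local; then
    echo "rc.local: pure-ftpd is started at boot"
else
    echo "rc.local: no pure-ftpd entry"
fi
listeners=$(ss -ltn 2>/dev/null || netstat -tln 2>/dev/null || true)
if ftp_port_open "$listeners"; then
    echo "tcp/21: something is listening"
else
    echo "tcp/21: nothing listening"
fi
cmdline=$(ps ax 2>/dev/null | grep '[p]ure-ftpd' || true)
if [ -n "$cmdline" ] && ftp_cmdline_allows_anon "$cmdline"; then
    echo "pure-ftpd is running and accepts anonymous logins (/root/ftpd is public)"
fi
echo "entries under /root changed in the last 24 hours:"
recent_entries /root 1440
```

Run it as root on the Puppy box. If rc.local has no entry, nothing listens on tcp/21 and the only recent entries are the ones you made yourself, the folder is just an installed package that was never started. If tcp/21 is open without `-E`, anything on the LAN can read /root/ftpd; and note that the readme's password mode sends root's password (default woofwoof) in clear text over FTP, which is a reason to use a dedicated user and change the password, as the readme suggests.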

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#198 Post by Dave_G »

Watch a lot of American movies Lobster?

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#199 Post by Lobster »

Watch a lot of American movies Lobster?
Yes indeed and European. Why do you ask? :)

I am not aware of downloading or setting up the file sharing program in the picture.
I use Transmission.
Does anyone recognise the program? Where it comes from etc?

I am preparing a new version of GROWL
look in the 'cutting edge' section for Slacko Growl. :)

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#200 Post by Dave_G »

Because you have a directory called NTSC. :wink:

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#201 Post by Lobster »

NTSC = National Television System Committee?

:) I did not create that directory
or 'Go' or 'Let' or 'Me' and a few others (all empty)

So I should imagine I might actually have been hacked :roll:
The program was also added which would be a real first, creating directories not so much so.

Am I quaking in fear? Sadly no, my paranoia is not developed sufficiently :roll:

What I think is far more likely is I inadvertently installed a pet that is expected to do this. Maybe unloaded it in the wrong place or it could be part of another package . . .
Should I be installing forensics? Honeypots? Separate firewall server?

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#202 Post by Dave_G »

Lobster,

That is exactly why I asked you jokingly about watching American movies.
NTSC is the TV standard of the USA (amongst others) whilst that of
most of Western Europe is PAL with France being the exception using SECAM.
Ex-soviet states of eastern Europe also still use SECAM (I think).

You say you didn't create the NTSC directory, so unless you installed a pet
that was for video editing/recording/transcoding/watching and created that dir, what other
explanation is there for it?

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#203 Post by Lobster »

what other explanation is there for it?
tsk tsk
Have you lost all sense of fear and potential interference from 'them'? :roll:
(Govt, hackers from other dimensions, script kiddies, puppy's with rabies, commercial scan bots, the penguin viruses etc . . .) :wink:
Talking of viruses
installed and running this avast virus scanner in Slacko beta 4
http://bkhome.org/blog/?viewDetailed=02494
That should keep the CPU and paranoia ticking over nicely
opted for thorough scan of e v e r y t h i n g
Last edited by Lobster on Sat 24 Sep 2011, 14:04, edited 1 time in total.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#204 Post by Lobster »

It must be worse than I thought . . . :shock:

Avast found several PHP viruses on my HD (used as a backup)
These were specific to Wordpress and have to run on a server, I should imagine.
The viri were PHP Agent-BD -[TH]

Then Avast locked up my computer. Could it have been attacked by a virus?
Enclosed is my frozen screen. :roll:

Given Avast another HD to feed its virus hunting skills.

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#205 Post by Dave_G »

Lobster,

Are you sure that those php scripts really are "nasties"?
Avast and others often report false positives.

Dave.

Remember, just because you can't see them, it don't mean they aren't after you. :wink:

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#206 Post by nooby »

Lobster, Dave is right. Some or all AV software has at least one or two "false positives": they point out snippets of code that may be examples somebody has put in to make a point or something. Some joke, even.

But I wonder about this one:
Talking of viruses
installed and running this avast virus scanner in Slacko beta 4
http://bkhome.org/blog/?viewDetailed=02494
So is that one then better than the xf-prot that also can be run from Lupu-528?

I mean, if I now install Barry's version of Avast, would that one not find the built-in signatures for Xf-prot and bark loud and even lock the computer or destroy the xf-prot?

Should I uninstall the xf-prot first?

8-bit says
I had read a review of linux antivirus packages and fprot failed to find viruses that Avast found so I installed Avast.
Lobster, Barry gave you advice to cut out /sys, however one does such things.

I wonder if not all of this is way over my poor head?

So first I uninstall xf-prot and then I install the pet that Barry made.
Then change things like he describes there from that Facebook thing?
Hm, I barely get what he writes.

Should we not have a simple-to-follow thing on this?
Avast wants my email address to give a code so it starts working?

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#207 Post by Dave_G »

Lobster,

Keep in mind that AV pgms are not perfect.
Often they see code that could be a risk and flag it.
The fact that it could be a risk does not mean that it is.

A few years back I made a wget type app for win machines
and many AV pgms marked my pgm as a trojan downloader
simply because I was statically linking to the API call URLDownloadToFileA
which of course is very often used in real trojans.

All I had to do is first get the ProcAddress of the function in the DLL
then load it using LoadLibraryA and it got right past the AV pgm.

I know this is for win32, but the point I'm trying to make is that AV pgms
often flag code as a threat which is not always the case and at the same time
don't properly check for workarounds, and stuff can get through if that
was the writer's intention.
The same will apply to Linux.

Dave.
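Dave_G's story above is the classic weakness of a static import-table signature: the first build put URLDownloadToFileA in the import table and was flagged; resolving it at run time through LoadLibraryA and GetProcAddress removed it from the table and the same scanner waved it through. The following is an added example, not code from the thread or from any AV product, showing why that evasion works and what the next layers of a static check look like. A PE is reduced to a constructed model (its imported names plus its raw bytes), and the three samples are made up for the demonstration: the static-import build, the dynamic-resolve build, and a further step the post does not describe, where the API name is XOR-masked and only decoded in memory.

```python
"""Added example: import-table signature vs. run-time API resolution.

Not code from the forum thread or from any AV product. The Sample class is a
constructed stand-in for a parsed PE (imported names + raw image), and the
three samples below are made up to show the evasion Dave_G describes.
"""
from dataclasses import dataclass

SUSPICIOUS_API = b"URLDownloadToFileA"
RESOLVER_APIS = {"LoadLibraryA", "GetProcAddress"}


@dataclass(frozen=True)
class Sample:
    """Minimal stand-in for a parsed PE: imported names and the raw image."""
    name: str
    imports: frozenset
    raw: bytes


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used both to build the masked sample and to unmask."""
    return bytes(b ^ key for b in data)


# 1. The first build: the API sits in the import table and in the strings.
STATIC = Sample(
    "static-import",
    frozenset({"CreateFileA", "URLDownloadToFileA"}),
    b"MZ..." + SUSPICIOUS_API + b"\x00urlmon.dll\x00",
)
# 2. The workaround: only the resolvers are imported; the name is still a
#    plain string because GetProcAddress needs it at run time.
DYNAMIC = Sample(
    "dynamic-resolve",
    frozenset({"CreateFileA", "LoadLibraryA", "GetProcAddress"}),
    b"MZ...urlmon.dll\x00" + SUSPICIOUS_API + b"\x00",
)
# 3. One step further (not in the post): the name is XOR-masked on disk and
#    decoded in memory just before the GetProcAddress call.
OBFUSCATED = Sample(
    "dynamic-xor",
    frozenset({"CreateFileA", "LoadLibraryA", "GetProcAddress"}),
    b"MZ...urlmon.dll\x00" + xor_bytes(SUSPICIOUS_API, 0x5A) + b"\x00",
)


def import_rule(s: Sample) -> bool:
    """The rule Dave_G ran into: match on the import table alone."""
    return SUSPICIOUS_API.decode() in s.imports


def strings_rule(s: Sample) -> bool:
    """Look for the API name anywhere in the image, imported or not."""
    return SUSPICIOUS_API in s.raw


def xor_strings_rule(s: Sample) -> bool:
    """Same, after trying every single-byte XOR key (key 0 is the plain case)."""
    return any(SUSPICIOUS_API in xor_bytes(s.raw, k) for k in range(256))


def resolver_rule(s: Sample) -> bool:
    """Weak signal: both run-time resolvers are imported. Most benign software
    imports them too, so this is a score contribution, never a verdict."""
    return RESOLVER_APIS <= s.imports


def score(s: Sample) -> int:
    """Additive score: strong evidence counts 3 or 2, the weak signal 1."""
    return (3 * import_rule(s)
            + 2 * strings_rule(s)
            + 2 * (xor_strings_rule(s) and not strings_rule(s))
            + 1 * resolver_rule(s))


if __name__ == "__main__":
    for s in (STATIC, DYNAMIC, OBFUSCATED):
        print(f"{s.name:16} import={import_rule(s)!s:5} "
              f"strings={strings_rule(s)!s:5} xor={xor_strings_rule(s)!s:5} "
              f"resolvers={resolver_rule(s)!s:5} score={score(s)}")
```

The import rule catches only the first sample; the strings rule also catches the second, because the dynamically resolved name still has to exist somewhere for GetProcAddress; the XOR sweep catches the third but at the cost of a 256-fold search per signature, and a real packer would use a longer key or build the name on the stack. Each added layer also widens the false-positive surface (the resolver rule fires on nearly every installer), which is nooby's complaint about warnings nobody understands: static rules are scored and combined, and the final decision for a genuinely unknown sample is left to behaviour, i.e. whether the program actually downloads and executes something.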

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#208 Post by Lobster »

Guys,
Yes I should think the PHP really are viruses/trojans/malware scripts because this is a backup of server material that I know has been compromised.

Some false positives - yes, there is one
EICAR Standard AntiVirus Test File that is in an f-prot file - that is a 'pretend virus' - again a backup . . .

In the preferences of Avast
you just add /sys and /proc
as exclusions - OK done that, running again . . .

I have Nandows 7 (or some such jinx food operating system) on a partition and that is probably infected :cry:
- barely used Nandows 7. Will now just delete.
You know how I think MS Nandows became infected?
Downloaded bit torrents were saved to an NTFS drive
by Puppy - included in the download were malware products designed to go into Windows directories. Oh boy.

So basically the php could run on a linux server and those backups were already compromised - I know that. The eicar is a test. The Windows partition is infected, either that or it slowed down and started behaving strangely just for fun . . .

As a side issue . . . my sister brought her new
Windows 7 powered Asus laptop along.
Somehow Norton virus checker was on there, offering to scan
She hates Norton as it created a year of problems for her
Like a virus it had installed itself and aggressively demanded to scan
Removing it was an exercise in getting her not to strangle the computer
How was it, this had appeared on the desktop without warning or agreement . . . (it was probably a 'free' offer)?
http://puppylinux.org/wikka/VirusScam
Slowly people begin to understand why we use Linux . . .

Puppy is fine. Virus checking continues. Still not scared. What am I doing wrong? 8)
Last edited by Lobster on Thu 29 Sep 2011, 07:21, edited 1 time in total.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#209 Post by Lobster »

OK guys

Deleted the Winedows 7 contagion - removed from its partition
Did a 'standard' rather than 'thorough' Avast scan (Avast did not crash this time).
Need something new to worry about?
How about a neutrino powered virus from an entangled parallel universe? Perhaps based on the public domain descendant of Stuxnet type viruses?
However hacking computers is so yesterday. How do we influence the machine we are?

Does not bear thinking about? :roll:

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#210 Post by Lobster »

How much does it cost to be an elite cracker? $600 for a wifi cracking drone . . .

Look to the skies :roll:
http://www.dailytech.com/Flying+Drones+ ... e22701.htm

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#211 Post by Lobster »


Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#212 Post by Sylvander »

Is it possible/easy to make encrypted calls using Puppy Phone?

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#213 Post by Lobster »

Encrypted calls are coming

. . . meanwhile how many of these tests have you done?
http://article.gmane.org/gmane.linux.kernel/1197924

(that should keep the tin hats happy for a while . . . )

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#214 Post by Lobster »

http://techcrunch.com/2011/10/13/no-nee ... r-citizen/

The UK has more cameras than anywhere. Personally I look forward to open circuit TV access and the ability to monitor suspicious proprietary software engineers and others up to no good . . . :wink:

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#215 Post by nooby »

As a continuing noob-status guy, sorry for the bad grammar here.
I wonder about something that happens almost every day and
several times every day.

I like old mechanical things with no batteries in them.
Clocks that you wind up, totally mechanical,
no battery that wears down and needs to be replaced.

So I look for such at Ebay and similar places in my own language.

Take this one from Old Russia? Anlida Alarm Clock.
http://www.ebay.com/itm/ws/eBayISAPI.dl ... 0907058794

When I save the main picture of that one
then it say a script is still running.
Should I stop it or let it continue?
I have no idea what is safest thing to do.

Usually if one doesn't let it continue and
actually stops it, then it does not save.


Now, was that a download of a Trojan or key-spy program onto my computer?
What other purpose could such "scripts" have? Where do they end up?

Should I start a new thread about this one? It maybe derail this thread or drown in all the other themes we have here?
Last edited by nooby on Tue 18 Oct 2011, 06:08, edited 1 time in total.
