Page 1 of 2

Linux-Malware in Gentoo a Threat to Puppy?

Posted: Tue 15 Jun 2010, 14:48
by edoc
Is there any likelihood that the Linux malware recently found in Gentoo might metastasize to Puppy and other distros?

http://www.zdnet.com/blog/bott/linux-in ... ag=nl.e539

Could this be the beginning of attacks on complacent Linux users?

I have observed that the recent releases of Quirky and Wary come with Firewalls by default - did Barry see this coming?

Posted: Tue 15 Jun 2010, 19:29
by nooby
Thanks indeed for telling about this.
Update 12:30PM PDT 14-Jun-2010: It’s much worse than it appears. According to this report, the malware-compromised code was included in the official Gentoo distribution:

Would you consider it to be a big deal if it was found in a distribution? Gentoo just released an update to remove the backdoor.

http://packages.gentoo.org/package/net-irc/unrealircd

I’m sure there will be others, I believe the package is also available in Arch. I haven’t really looked to see if it was anywhere else.
http://www.zdnet.com/blog/bott/linux-in ... ag=nl.e539

The text he writes about comes from here
http://www.fewt.com/2010/06/linux-infected.html

Posted: Wed 16 Jun 2010, 17:01
by edoc
Someone explained on another list ...
It is specifically Unreal3.2.8.1.tar.gz on a small subset of mirror sites, and not particularly a Gentoo problem but any distro that includes the Unreal Tournament IRC server. The sad part is it has been there for several months and was just now noticed; the good news is that as soon as it was noticed, the corrupt version of that file was removed and replaced with a clean copy. So that's not a "shame on Gentoo" problem; it's a shame on the maintainers of the Unreal mirrors.
More technically literate details here

Posted: Wed 16 Jun 2010, 17:26
by nooby
So it was more a vulnerable server upload thing than Gentoo Linux as such?

That makes me feel a bit more secure. Hmm

Posted: Thu 17 Jun 2010, 01:22
by SirDuncan
If what I'm understanding is correct, the problem was with the people distributing the Unreal source code. It was some of their mirrors that were compromised, and they were the idiots that weren't signing their files with PGP. Without the PGP signature the people at Gentoo had no way of realizing that the source code was tainted. The Gentoo folks then distributed the compromised file from their trusted (but insecure) source code provider.

It should also be noted that this would only affect people that installed Unreal. It wasn't actually included with the base distro (with Gentoo the kernel isn't even included with the base distro, you have to compile it yourself). Since Gentoo distributes only source code and does not have binaries on their servers, there was no way for a virus scanner to catch the corrupted files.

I suppose the folks at Gentoo shouldn't have used an unsigned file, but I don't think that I would have considered the possibility of the official Unreal mirrors distributing bad code so I can't really bash them.

Constant vigilance!
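The point SirDuncan makes, that a packager pulling an unsigned tarball from a mirror has no way to tell a tampered copy from a clean one, comes down to checking the download against something the mirror does not control. The script below is an added example, not code from this thread, from Gentoo or from the UnrealIRCd project: it verifies a downloaded file against a checksum published elsewhere and, where a detached OpenPGP signature exists, against a key imported beforehand. The file names, the keyring path and the "known" checksum in the demo are constructed for the example; a real check takes the expected value from a release announcement or a signed checksum file, never from the same mirror that served the tarball.

```shell
#!/bin/sh
# Added example (not from the thread or the projects it mentions): checks a
# downloaded source tarball before it is built.

# verify_checksum FILE EXPECTED_SHA256 -> returns 0 if FILE matches, 1 otherwise.
# The expected value must come from a source other than the download mirror.
verify_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# verify_signature FILE SIGFILE KEYRING -> returns 0 only if the detached
# OpenPGP signature in SIGFILE verifies against a key already in KEYRING.
# gpg and its flags are real; the keyring path is whatever you chose when
# importing the upstream release key (assumption of this example).
verify_signature() {
    gpg --batch --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Walk through the check with a constructed file standing in for the tarball.
# "known" is computed from the clean copy here only so the demo runs offline;
# in practice it is the value the upstream project published.
demo() {
    dir=$(mktemp -d)
    tarball="$dir/Unreal-demo.tar.gz"          # constructed, not the real file
    printf 'constructed tarball contents\n' > "$tarball"
    known=$(sha256sum "$tarball" | cut -d' ' -f1)

    verify_checksum "$tarball" "$known" && echo "clean copy: ok to build"

    printf 'extra bytes\n' >> "$tarball"       # simulate a modified mirror copy
    verify_checksum "$tarball" "$known" 2>/dev/null || echo "modified copy: refuse to build"

    rm -rf "$dir"
}

demo
```

A checksum only proves the file is the one the publisher described; a signature additionally proves who described it, which is what was missing in the case discussed above. Either way the comparison value has to travel a path the mirror cannot rewrite.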

Re: Linux-Malware in Gentoo a Threat to Puppy?

Posted: Thu 17 Jun 2010, 07:14
by WhoDo
edoc wrote: I have observed that the recent releases of Quirky and Wary come with Firewalls by default - did Barry see this coming?
In fact ALL official releases since 4.12 (at least) have the firewall installed and on by default. That certainly was the case with 4.2x releases, and I'm pretty sure it is true of 4.3x too.

Posted: Thu 17 Jun 2010, 08:37
by nooby
firewall in puppy
and on by default
Nope, we have to activate it using the setup. That is how I get it.

Posted: Thu 17 Jun 2010, 15:36
by otropogo
I've wondered about this lately myself. I always use the firewall wizard when configuring a new Puppy or using pfix=ram, but note that:

1. whether you use the "automatic" or the "default" method, the result seems to be the same

2. there's no indication whether it's running or not, as promised by the displayed messages.

3. there's no indication of any method of turning it off, should you wish to use another firewall or no firewall at all. To believe the display, once configured and saved, it will start at bootup every time.

So while I'm not sure what to believe now - is the firewall on by default or not? And can it be turned off once saved to the 2fs file?

There are numerous menus in Puppy that appear to respond to user input, but in the end achieve nothing. They have not been functional for years, if ever, and simply have never been removed or fixed.

Posted: Thu 17 Jun 2010, 15:38
by otropogo
I've wondered about this lately myself. I always use the firewall wizard when configuring a new Puppy or using pfix=ram, but note that:

1. whether you use the "automatic" or the "default" method, the result seems to be the same

2. there's no indication whether it's actually running as promised by the displayed messages.

3. there's no indication of any method of turning it off, should you wish to use another firewall or no firewall at all. To believe the display, once configured and saved, it will start at bootup every time.

So I'm not sure what to believe now - is the firewall on by default or not? And can it be turned off once saved to the 2fs file?

There are numerous menus in Puppy that appear to respond to user input, but in the end achieve nothing. They have not been functional for years, if ever, and simply have never been removed or fixed.

firewall

Posted: Thu 17 Jun 2010, 16:02
by tubby
Take a peek in etc/rc.d/rc.firewall, open as text and see for yourself what you can alter. :)

Posted: Thu 17 Jun 2010, 18:31
by nooby
This you can test in urxvt, rxvt, the console, a terminal or the CLI.

Like this:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
TRUSTED all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID

Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
#
You write

iptables -L

If it says ACCEPT in all places, then most likely it is not activated.


But more than that, I have no idea how to know how good it is.

But my experience is that if one doesn't activate it, then it is active but of no use at all. It is active in the sense that it is there, but it is allowing everything both in and out.

But if one runs the setup, then it activates the DROP things you can see there, but I don't get what it means. Hopefully somebody will explain it to us. :)

What tubby refers to is how you can detail every little thing it can change.

While the setup allows what I quoted. A preset by the developer.
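The rule of thumb in the post above (ACCEPT everywhere means the firewall is probably not doing anything) can be turned into a check that reads the `iptables -L` listing instead of eyeballing it. The script below is an added example, not code from the thread or from Puppy's rc.firewall: it summarises each chain's policy and counts its DROP/REJECT rules, then gives a one-word verdict. The two sample listings are constructed for the example; the first reproduces the chains shown in the post, the second is what an unconfigured table looks like. Run it against a live system with `iptables -L | firewall_verdict`.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppy): summarise `iptables -L`
# output and decide whether any filtering is in place.

# firewall_summary: reads `iptables -L` text on stdin and prints one line per
# chain:  CHAIN POLICY RULES BLOCKING   (BLOCKING = rules whose target is
# DROP or REJECT; user-defined chains have no policy and show "-")
firewall_summary() {
    awk '
        function flush() { if (inchain) print chain, policy, rules, blocking }
        /^Chain / {
            flush()
            chain = $2
            # built-in chains read "(policy X)", user chains "(N references)"
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            else { policy = "-" }
            rules = 0; blocking = 0; inchain = 1
            next
        }
        /^target/ { next }      # column header printed under each chain
        NF == 0   { next }      # blank separator between chains
        inchain {
            rules++
            if ($1 == "DROP" || $1 == "REJECT") blocking++
        }
        END { flush() }
    '
}

# firewall_verdict: "filtering" if INPUT defaults to DROP or any chain holds a
# DROP/REJECT rule, "permissive" if every target in every chain is ACCEPT.
firewall_verdict() {
    firewall_summary | awk '
        $1 == "INPUT" && $2 == "DROP" { strict = 1 }
        { blocking += $4 }
        END { if (strict || blocking > 0) print "filtering"; else print "permissive" }
    '
}

# Constructed sample: the chains the post above shows after running the setup.
sample_puppy_output() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
TRUSTED    all  --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            state INVALID

Chain TRUSTED (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
EOF
}

# Constructed sample: what an untouched table looks like (nothing filtered).
sample_open_output() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

sample_puppy_output | firewall_summary
sample_puppy_output | firewall_verdict
sample_open_output | firewall_verdict
```

One caveat when reading the plain `iptables -L` listing: it hides interface matches, so a rule that only accepts traffic on a particular interface looks identical to one that accepts everything. `iptables -L -v -n` adds the interface and packet-counter columns and is the form to use when judging what a rule really lets through.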

Posted: Thu 17 Jun 2010, 19:50
by otropogo
tubby wrote: Take a peek in etc/rc.d/rc.firewall, open as text and see for yourself what you can alter.
Thanks tubby, will have a look, but I doubt I'll understand enough to make changes. I'm used to ZoneAlarm.
nooby wrote: This you can test in the urxvt, rxvt or console or terminal or CLI.
Thanks Nooby. PS. do you ever regret your pessimistic choice of username? :wink:

Posted: Thu 17 Jun 2010, 20:00
by nooby
Hahah, if you have a good suggestion do write me a PM and I will consider it. :)

Nooby is a crazy name but it is kind of very apt. I am like an eternal Newbie. Knowledge almost never gets remembered due to my bad attention.

Should I call myself maybe Nobody?

Hmm

Promise to send me a PM with a good suggestion so nobody else takes it.

Posted: Thu 17 Jun 2010, 22:50
by otropogo
You mean you'd consider changing your username? Is that even possible?

I guess you'd still be recognizable by your avatar.

I could certainly make some suggestions. Send me a pm or e-mail and tell me more about yourself. I have the impression you're in Sweden or thereabouts.

Your claimed memory deficit doesn't sound plausible though. You're forever posting references, while I have trouble just remembering not to waste my time with the BBS search engine.

Posted: Thu 17 Jun 2010, 23:01
by nooby
Somebody complained about me writing Europe. But I failed to find where to correct it.

The mods told me it is allowed to change username as long as one doesn't use such a change for trolling or anything bad.

As you say my avatar would reveal me but most revealing is my writing style.

No one else is as naive in their posting as me. Unfortunately for me I have no way to pretend to be somebody else. My body automatically writes in my style even if I try to be like everybody else. Hopeless case.

Posted: Fri 18 Jun 2010, 03:21
by Pizzasgood
It isn't possible for a user to change his own name (with the current settings), but an administrator can change a user's name upon request as long as there's a decent reason - e.g. the name offends somebody or brings up painful memories or makes people not take them seriously, etc., so they want to change it to something different.

Posted: Fri 18 Jun 2010, 05:22
by otropogo
Pizzasgood wrote: It isn't possible for a user to change his own name (with the current settings), but an administrator can change a user's name upon request as long as there's a decent reason - e.g. the name offends somebody or brings up painful memories or makes people not take them seriously, etc., so they want to change it to something different.
Good to know. And then all of their posts would be reattributed to the new name, presumably.

Some forums are completely rigid on this point.

When registering for another online forum I made a typo and got myself registered as "otorpogo". I immediately contacted the admin about it and requested a correction. The answer was "absolutely not", no reason given.

So I've been stuck with it for years now.

Posted: Fri 18 Jun 2010, 11:42
by nooby
I trust Pizzasgood on this. I guess the Mods here felt so sorry for my poor choice of name that they allowed me on the spot to change it when I mentioned it in Dec 2009 or whatever.

Since then I have cooled down a bit on changing it.

Yes all old posts would be in the new name if I get it too.

Posted: Fri 18 Jun 2010, 18:19
by gerry
@Nooby- you think you can't remember things? Fifty+ years ago, my maths lecturer used to come in, write for a couple of minutes in a corner of the blackboard, draw a box round it, and say "For the benefit of Mr (me), that's what we learnt last week." And then start his lecture. Things haven't improved....

gerry

Posted: Fri 18 Jun 2010, 18:38
by nooby
Thanks Gerry.

Sometimes I wonder whether Nobody would be a good nickname to use.

or this one "Whatever". Or why not "Ignorius" or "When Will I Be Loved"
or ... I lack imagination to come up with something that really would work.

Heheheh, we have PuppyLuvr so maybe I should name myself

QuirkyTester but that sounds too demanding too. I am not tested. More of a
Quirky:MessMaker, QuirkyConfuser, ...