• Malware Problem.

    From Doug Laidlaw@2:250/1 to All on Sat May 16 20:09:51 2020
    This started on my Android tablet. (Android is VERY insecure, meaning
    that it works perfectly for our COVID app, while the iPhone has privacy issues.) It hasn't shown up on my Linux box, no doubt because of the
    more advanced firewall.

    I was running the Opera browser, when I suddenly got swamped with a big malware hit, obviously well thought out. It knew what browser I was
    using, and had a list of URLs, so that if I closed the current one,
    another popped up.

    A Web page says that Opera is different from other browsers. All
    malware attaches itself as an app, not a cookie, and is difficult to
    remove. Sure enough, all attempts at removal failed, so I uninstalled
    Opera, and went back to Firefox.

    The same malware turned up on Firefox almost straight away. Firefox
    boasts about the number of malware sites it knows of, but it didn't know
    this one. The Firefox Help told me to install the cookie deletion
    extension, "Cookie Auto-Delete," available for all platforms. This
    deletes all used cookies when a Firefox session is closed. It can be
    set to delete cookies 15 seconds after they are used. It has a
    whitelist for logins, etc. Since I installed the extension, the malware hasn't returned; only its icon still appears as a recent page.

    HTH,

    Doug.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Aioe.org NNTP Server (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Sat May 16 21:08:31 2020
    On Sun, 17 May 2020 05:09:51 +1000, Doug Laidlaw wrote:
    This started on my Android tablet. (Android is VERY insecure, meaning
    that it works perfectly for our COVID app, while the iPhone has privacy issues.) It hasn't shown up on my Linux box, no doubt because of the
    more advanced firewall.

    I was running the Opera browser, when I suddenly got swamped with a big malware hit, obviously well thought out. It knew what browser I was
    using, and had a list of URLs, so that if I closed the current one,
    another popped up.

    A Web page says that Opera is different from other browsers. All
    malware attaches itself as an app, not a cookie, and is difficult to
    remove. Sure enough, all attempts at removal failed, so I uninstalled
    Opera, and went back to Firefox.

    The same malware turned up on Firefox almost straight away. Firefox
    boasts about the number of malware sites it knows of, but it didn't know
    this one.

    It would have been nice if you had posted the url for us to play with.


    The Firefox Help told me to install the cookie deletion
    extension, "Cookie Auto-Delete," available for all platforms.

    Personally I just configure firefox to delete cookies upon exit.


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From faeychild@2:250/1 to All on Sat May 16 23:14:31 2020
    On 17/5/20 6:08 am, Bit Twister wrote:
    On Sun, 17 May 2020 05:09:51 +1000, Doug Laidlaw wrote:
    This started on my Android tablet. (Android is VERY insecure, meaning
    that it works perfectly for our COVID app, while the iPhone has privacy
    issues.) It hasn't shown up on my Linux box, no doubt because of the
    more advanced firewall.

    Hi Doug Hi Bits.


    It's nice to see a bit of life stirring.
So far so good here.
I am also running Ghostery and NoScript, which I think offer no
protection against that sort of attack. So far I'm just lucky.

    regards


    --
    faeychild
    Running plasmashell 5.15.4 on 5.6.8-desktop-1.mga7 kernel.
    Mageia release 7 (Official) for x86_64 installed via Mageia-7-x86_64-DVD.iso


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Doug Laidlaw@2:250/1 to All on Sun May 17 11:06:29 2020
    On 17/5/20 6:08 am, Bit Twister wrote:
    It would have been nice if you had posted the url for us to play with.

Which URL? The one from Firefox?

    The Firefox Help told me to install the cookie deletion
    extension, "Cookie Auto-Delete," available for all platforms.
    Personally I just configure firefox to delete cookies upon exit.

    That is what I have done now on my tablet. It is the same extension for
    all platforms:

    https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/?src=search

    But it seems that you have been able to do it without an extension.

    About Opera, I just found this one:

    https://www.2-spyware.com/remove-opera-redirect-virus.html

    The page I found first was:

    https://keonesoftware.com/tutorials/remove-malware-opera/

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Aioe.org NNTP Server (2:250/1@fidonet)
  • From Doug Laidlaw@2:250/1 to All on Sun May 17 11:13:15 2020
    On 17/5/20 8:14 am, faeychild wrote:
    On 17/5/20 6:08 am, Bit Twister wrote:
    On Sun, 17 May 2020 05:09:51 +1000, Doug Laidlaw wrote:
    This started on my Android tablet.  (Android is VERY insecure, meaning
    that it works perfectly for our COVID app, while the iPhone has privacy
    issues.) It hasn't shown up on my Linux box, no doubt because of the
    more advanced firewall.

      Hi Doug    Hi Bits.


    It's nice to see a bit  of life stirring.
So far so good here.
I am also running Ghostery and NoScript, which I think offer no
protection against that sort of attack. So far I'm just lucky.

    regards


    As I wrote, having a decent firewall helps. On a tablet, you probably
    need root access, and the everyday offerings do not offer it. Google
    are good at changing ANY search to something that will bring in money
    for them. Search for anything with Google; you expect to be taken to Wikipedia, but instead, you are given a list of media links, with
    Wikipedia hidden somewhere down the bottom. I use DuckDuckGo as default.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Aioe.org NNTP Server (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Sun May 17 11:54:28 2020
    On Sun, 17 May 2020 20:06:29 +1000, Doug Laidlaw wrote:
    On 17/5/20 6:08 am, Bit Twister wrote:
    It would have been nice if you had posted the url for us to play with.

Which URL?

    The malware site/url

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From faeychild@2:250/1 to All on Mon May 18 00:09:54 2020
    On 17/5/20 8:13 pm, Doug Laidlaw wrote:

    As I wrote, having a decent firewall helps.  On a tablet, you probably
    need root access, and the everyday offerings do not offer it.  Google
    are good at changing ANY search to something that will bring in money
    for them.  Search for anything with Google; you expect to be taken to Wikipedia, but instead, you are given a list of media links, with
    Wikipedia hidden somewhere down the bottom. I use DuckDuckGo as default.


    I have occasionally gone to Steve Gibson's site and run his online
    Shieldsup test.

Apparently I fail at one only by actively rejecting a UPnP probe,
"replying that there is no active service available at the UDP port
1900." Obviously "radio silence" would be ideal.

    This would be a firewall setting I should educate myself with ONE DAY!!


    And I agree that Google has run off the rails; some of the hits are a
    bit bizarre even suspicious. I don't have the complacent trust that I
    used to. They are now to be regarded as actively doubtful, possibly malevolent.

    Is Dogpile still a goer?

    regards



    --
    faeychild
    Running plasmashell 5.15.4 on 5.6.8-desktop-1.mga7 kernel.
    Mageia release 7 (Official) for x86_64 installed via Mageia-7-x86_64-DVD.iso


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Mon May 18 02:20:22 2020
    On Mon, 18 May 2020 09:09:54 +1000, faeychild wrote:
    On 17/5/20 8:13 pm, Doug Laidlaw wrote:

    As I wrote, having a decent firewall helps.  On a tablet, you probably
    need root access, and the everyday offerings do not offer it.  Google
    are good at changing ANY search to something that will bring in money
    for them.  Search for anything with Google; you expect to be taken to
    Wikipedia, but instead, you are given a list of media links, with
    Wikipedia hidden somewhere down the bottom. I use DuckDuckGo as default.


    I have occasionally gone to Steve Gibson's site and run his online
    Shieldsup test.

    which is a short 'nmap' scan of your WAN ip address.


    Apparently I fail at one only by actively rejecting a UPnP probe,
    "replying that there is no active service available at the UDP port
    1900."

    There have been several articles about modem/router cracks through the Universal-Plug-n-Play port.

    I disable the plug n play feature in all my equipment anytime I see
    the feature/option.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From faeychild@2:250/1 to All on Mon May 18 21:48:20 2020
    On 18/5/20 11:20 am, Bit Twister wrote:

    Apparently I fail at one only by actively rejecting a UPnP probe,
    "replying that there is no active service available at the UDP port
    1900."

    There have been several articles about modem/router cracks through the Universal-Plug-n-Play port.

    I disable the plug n play feature in all my equipment anytime I see
    the feature/option.


I may have to bring forward my date with Google and firewall setup research.
I wonder why, of all the ports, this one actually responds. It is the
default setting.

    Regards
    --
    faeychild
    Running plasmashell 5.15.4 on 5.6.8-desktop-1.mga7 kernel.
    Mageia release 7 (Official) for x86_64 installed via Mageia-7-x86_64-DVD.iso


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Mon May 18 22:03:27 2020
    On Tue, 19 May 2020 06:48:20 +1000, faeychild wrote:
    On 18/5/20 11:20 am, Bit Twister wrote:

    Apparently I fail at one only by actively rejecting a UPnP probe,
    "replying that there is no active service available at the UDP port
    1900."

    There have been several articles about modem/router cracks through the
    Universal-Plug-n-Play port.

    I disable the plug n play feature in all my equipment anytime I see
    the feature/option.


I may have to bring forward my date with Google and firewall setup research.
I wonder why, of all the ports, this one actually responds. It is the
default setting.

Yep, Universal-Plug-n-Play normally open by default. I find it handy to
download modem/router manual, and use the pdf viewer tool's find feature
to quickly locate the screen for the setting. Then I log into the device
to go set it.

    I also spend time making sure Admin access setting from WAN/Internet
    side is disabled.

    I document all changes in a html file for easy access when playing
    in the device. I also export/save settings to a file in the event
    a factory reset is executed and I need to add back my settings.


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From faeychild@2:250/1 to All on Wed May 20 22:41:58 2020
    On 19/5/20 7:03 am, Bit Twister wrote:


Yep, Universal-Plug-n-Play normally open by default. I find it handy to
download modem/router manual, and use the pdf viewer tool's find feature
to quickly locate the screen for the setting. Then I log into the device
to go set it.

I found that it is disabled on my modem.


    I also spend time making sure Admin access setting from WAN/Internet
    side is disabled.

    That one I'll look up too.

The firewall rule needs to be modified slightly.

    iptables --list-rules | grep udp
    -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
    [root@unimatrix ~]#


    regards


    --
    faeychild
    Running plasmashell 5.15.4 on 5.6.8-desktop-1.mga7 kernel.
    Mageia release 7 (Official) for x86_64 installed via Mageia-7-x86_64-DVD.iso


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
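As an added example (not code from the thread), here is a small Python audit that reads `iptables --list-rules` output like the one quoted above, flags UDP rules that REJECT with an ICMP error, and prints the delete/re-add commands that turn them into DROP so a UDP 1900 probe gets no reply at all. The rule set is constructed for illustration; only the `reject` chain rule and the ShieldsUp reading of it come from the thread.

```python
"""Audit `iptables --list-rules` output for UDP REJECT rules and emit the
DROP replacement that gives a probe no answer at all ("radio silence")."""
import shlex

# Constructed sample of `iptables -S` output. The 'reject' chain rule is the
# one quoted in the thread; the remaining lines are typical filler rules.
SAMPLE_RULES = """\
-P INPUT DROP
-P OUTPUT ACCEPT
-N reject
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j reject
-A INPUT -j DROP
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -j REJECT --reject-with tcp-reset
"""

def parse_rules(text):
    """Yield (chain, tokens) for every '-A' rule; -P/-N lines are skipped."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == "-A":
            yield tok[1], tok[2:]

def target_of(tok):
    """The jump target of a rule, or None if the rule has no -j."""
    return tok[tok.index("-j") + 1] if "-j" in tok else None

def find_noisy_udp_rules(text):
    """Rules that answer UDP packets with an ICMP error instead of silence.
    A scanner such as ShieldsUp reports these ports as closed-but-visible."""
    return [(chain, tok) for chain, tok in parse_rules(text)
            if target_of(tok) == "REJECT" and "-p" in tok
            and tok[tok.index("-p") + 1] == "udp"]

def stealth_replacement(chain, tok):
    """Commands that delete the REJECT rule and re-add its match with DROP.
    Matching options are kept verbatim; only the target changes."""
    match = tok[:tok.index("-j")]
    delete = f"iptables -D {chain} {' '.join(tok)}"
    add = f"iptables -A {chain} {' '.join(match)} -j DROP"
    return delete, add

if __name__ == "__main__":
    for chain, tok in find_noisy_udp_rules(SAMPLE_RULES):
        for cmd in stealth_replacement(chain, tok):
            print(cmd)
```

Because the constructed INPUT chain accepts RELATED,ESTABLISHED traffic first, replies to the host's own outbound UDP queries still get through; only unsolicited UDP that reaches the reject chain becomes silent.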