#1 2012-02-11 04:06:47

esquesque
Member
Registered: 2012-02-11
Posts: 6

[solved] Suspicious happenings after pacman update

Hello folks. I did a pacman -Syu not a few hours ago and now it appears that all Google services are hijacked.

The offender is what seems to be called the creditpuma.com hijack. I google-fu-d and found that only Windows machines are being infected. google.com is being spoofed to redirect me from each search result to a middleman page on every browser (firefox, opera, chrome) that I have installed. gmail, youtube, google accounts, and google docs do not resolve. I wasn't aware that this was possible on Linux, though, as I am posting in Newbie Corner, I am not certain. I'm resetting all of my passwords now and preparing to back up my important documents for a full system nuke. What disturbs me is that this happened /right after/ a pacman system update. It was quite an update too, over 200 packages. I don't run any exploit-prone programs, not to my knowledge; I just develop software and browse the internet. No suspicious websites were visited recently.

Could someone shed some light on how this might have happened? Which files may be affected?

Thank you and sorry if this post is stupid.

Last edited by esquesque (2012-02-11 07:09:35)

#2 2012-02-11 04:27:16

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [solved] Suspicious happenings after pacman update

#3 2012-02-11 04:33:38

hadrons123
Member
From: chennai
Registered: 2011-10-07
Posts: 1,249

Re: [solved] Suspicious happenings after pacman update

I read that the malware works on Windows-based systems. Did you do a search on their website?

update:
it works on linux too, interesting!

Last edited by hadrons123 (2012-02-11 04:38:39)


LENOVO Y 580 IVYBRIDGE 660M NVIDIA
Unix is user-friendly. It just isn't promiscuous about which users it's friendly with. - Steven King

#4 2012-02-11 04:42:21

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [solved] Suspicious happenings after pacman update

@OP: does the redirect continue to take effect if you log in as a different user? (Just make a test user that you can delete later if no one else uses your machine.)

#5 2012-02-11 04:46:59

esquesque
Member
Registered: 2012-02-11
Posts: 6

Re: [solved] Suspicious happenings after pacman update

Interesting indeed. Turning JS off in Firefox fixed the search page spoofing, but none of the Google sub-services are resolving, while they are on other machines in the house. I'm not sure if this is DNS-level interception, or what. I thought of running a traffic analysis but ethereal won't compile from the AUR. Currently looking into alternatives... does anyone know where the infection is likely to be located? I can post my recent pacman.log if need be, but as I said, it was a large update.

@/dev/zero, trying that now.

edit: there isn't a unified JS package that I can delete, is there? AFAIK all the mainstream browsers use different JS engines, so how can it be affecting all of them?

Last edited by esquesque (2012-02-11 04:59:12)

#6 2012-02-11 05:04:24

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [solved] Suspicious happenings after pacman update

FUD! As in "fear, uncertainty and doubt - the spreading of".

Where's the tiniest bit of evidence that this is a rootkit? I see none.

Sounds like a JavaScript flaw. Just back up your bookmarks file, and rename ~/.mozilla/ (if using firefox).

These days, I run firefox under AppArmor's protection - here's my profile.

Edit: Along with the usual adblock, and also privoxy.

Last edited by brebs (2012-02-11 05:20:46)

#7 2012-02-11 05:35:11

esquesque
Member
Registered: 2012-02-11
Posts: 6

Re: [solved] Suspicious happenings after pacman update

Thank you for your tips brebs, and I appreciate your skepticism. I probably jumped the gun on that one, and I'm currently working on gathering evidence. It's just that I felt rather emotional at the fact that my invulnerable machine is now vulnerable :) If this isn't malware then I'm at a loss as to what's happening.

Last edited by esquesque (2012-02-11 05:35:41)

#8 2012-02-11 05:39:01

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [solved] Suspicious happenings after pacman update

esquesque wrote:

Thank you for your tips brebs, and I appreciate your skepticism. I probably jumped the gun on that one, and I'm currently working on gathering evidence. It's just that I felt rather emotional at the fact that my invulnerable machine is now vulnerable :) If this isn't malware then I'm at a loss as to what's happening.

Maybe I'm putting words in his or her mouth, but I don't think brebs was being skeptical about this being malware. I think the skepticism was about whether this is a rootkit.

Once you tell us whether it's user-specific or affects your whole system, we'll know whether it's a problem with one of the packages, or just something that's been modified in your own user settings.

#9 2012-02-11 05:57:15

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [solved] Suspicious happenings after pacman update

Another quick test to do:

# close firefox if it is open
mv ~/.mozilla{,-bak}
firefox &

Is the exploit still there? I expect not.
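The tests suggested in #4, #8 and #9 all come down to one question: is the redirect system-wide (hosts file, resolver) or confined to one user's browser profile? Below is an added triage script that is not from this thread or from any poster; it checks the three places a practitioner would look first, using constructed sample files (RFC 5737 documentation addresses and a made-up redirect host) so it runs offline. Point the same functions at /etc/hosts, /etc/resolv.conf and your Firefox profile directory for a real check; the Firefox pref names it greps for (keyword.URL, browser.search.*, network.proxy.*) are real prefs of that era, but which of them a given hijack touches is an assumption.

```shell
#!/bin/sh
# Added triage helper (not from the thread): decide whether a browser
# redirect is system-level (hosts file, resolver) or user-level (browser
# profile) before reaching for "nuke the system".

# 1. Hosts-file overrides. /etc/hosts should never name Google hosts;
#    any line that does needs explaining.
#    usage: hosts_overrides FILE DOMAIN...   -> prints "ADDR NAME" per hit
hosts_overrides() {
    hosts_file=$1; shift
    grep -v '^[[:space:]]*#' "$hosts_file" | while read -r addr names; do
        [ -n "$addr" ] || continue
        for name in $names; do
            for dom in "$@"; do
                case "$name" in
                    "$dom"|*."$dom") printf '%s %s\n' "$addr" "$name" ;;
                esac
            done
        done
    done
}

# 2. Resolver. A nameserver in resolv.conf that you did not put there
#    (router, ISP, a resolver you chose) is a red flag for DNS hijacking.
#    usage: unexpected_nameservers FILE TRUSTED_IP...
unexpected_nameservers() {
    conf=$1; shift
    awk '$1 == "nameserver" { print $2 }' "$conf" | while read -r ns; do
        trusted=no
        for t in "$@"; do
            if [ "$ns" = "$t" ]; then trusted=yes; fi
        done
        if [ "$trusted" = no ]; then printf '%s\n' "$ns"; fi
    done
}

# 3. Firefox profile. A search redirect that vanishes with a fresh
#    ~/.mozilla usually lives in prefs: the keyword.URL, search-engine
#    and proxy prefs are the usual suspects (assumption, not a finding
#    from the thread). Prints each user_pref line that touches them.
#    usage: profile_prefs_of_interest PROFILE_DIR
profile_prefs_of_interest() {
    dir=$1
    for f in "$dir/user.js" "$dir/prefs.js"; do
        [ -f "$f" ] || continue
        grep -E 'user_pref\("(keyword\.URL|browser\.search\.[a-zA-Z.]+|network\.proxy\.[a-zA-Z_.]+)"' "$f" || :
    done
}

# Constructed sample files so the demo runs offline: 203.0.113.7 and
# 192.0.2.53 are documentation addresses, hijack.example is invented.
make_samples() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n# comment\n203.0.113.7 www.google.com google.com\n' > "$d/hosts"
    printf 'nameserver 192.168.1.1\nnameserver 192.0.2.53\n' > "$d/resolv.conf"
    mkdir "$d/profile"
    printf 'user_pref("browser.startup.homepage", "about:blank");\nuser_pref("keyword.URL", "http://search.hijack.example/?q=");\n' > "$d/profile/prefs.js"
    printf '%s\n' "$d"
}

# Demo against the samples. For a live machine, run e.g.:
#   hosts_overrides /etc/hosts google.com gmail.com youtube.com
#   unexpected_nameservers /etc/resolv.conf 192.168.1.1
#   profile_prefs_of_interest ~/.mozilla/firefox/<profile-dir>
samples=$(make_samples)
echo "== hosts overrides =="
hosts_overrides "$samples/hosts" google.com
echo "== nameservers you did not configure =="
unexpected_nameservers "$samples/resolv.conf" 192.168.1.1
echo "== profile prefs touching search/proxy =="
profile_prefs_of_interest "$samples/profile"
rm -rf "$samples"
```

If the first two checks come back empty and the third shows a modified pref (or the redirect disappears after renaming ~/.mozilla), the problem is in the user profile, not in a package pacman installed; if the hosts or resolver check fires, the whole system is affected and every user on the machine will see it.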

#10 2012-02-11 06:15:05

esquesque
Member
Registered: 2012-02-11
Posts: 6

Re: [solved] Suspicious happenings after pacman update

Thank you for your patience through my noobish panic and conflation. I just logged in as root and started wmii, firefox and no exploit. Log out, log in, gmail works and the spoofing is gone. I didn't do anything. What do you think was going on brebs? Why did it stop without any help?

#11 2012-02-11 06:28:06

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [solved] Suspicious happenings after pacman update

Gaah! No one said to run firefox as *root*! Don't do that. Especially when you suspect malware.

You need to be more specific about what you're doing. Especially if you're gonna do such questionable things.

I'm not clear on what you've done or not done any longer. I still have my original assumption that the exploit is just a small javascript redirection.

I tried going to creditpuma.com and datingpuma.com (to tempt fate, confident in my ~/.mozilla/ backup and apparmor to protect me), but they just show a non-working search engine (even after disabling privoxy). I have other protection in place, e.g. iptables blocks and /etc/hosts entries pointing to 127.0.0.1, to confuse matters.

#12 2012-02-11 06:38:31

esquesque
Member
Registered: 2012-02-11
Posts: 6

Re: [solved] Suspicious happenings after pacman update

haha, it seems I'm completely ignorant about internet security. Wonder why I got whatever it was... I was prepared to nuke the system /shrug. My studies haven't forced me to deal with it yet, so I have blissfully ignored it. Linux is invulnerable to all types of malware, right? I know lots about the theoretical aspects of computing, off in the clouds. Again, as has been proven time and time again, theory often has nothing to do with practice. A piece of information I left out is that I was also being variously redirected to buffpuma.com.

Valuable lesson, thanks.

#13 2012-02-11 06:47:22

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [solved] Suspicious happenings after pacman update

Linux is *not* invulnerable. For instance, the main reason I made the effort to run firefox under apparmor, is because flash has so many exploits.

#14 2012-02-11 07:00:11

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [solved] Suspicious happenings after pacman update

esquesque wrote:

Linux is invulnerable to all types of malware, right?

Wrong. See Wikipedia: Linux malware.

Anything you can do as a user can also be done by a malicious script if it can manage to get itself executed. And if it gets executed by root, all bets are off.

Unix-like OSes are in general fairly safe because the users/groups/permissions system makes for natural quarantine. Unix, after all, was designed from the start to operate in a networked, multi-user environment. To this natural safety, Linux adds a healthy peer review system.

That makes Linux almost indestructible, but don't ignore the potential for bugs and human error.

#15 2012-02-11 07:07:48

esquesque
Member
Registered: 2012-02-11
Posts: 6

Re: [solved] Suspicious happenings after pacman update

Thank you both, I am going to start fresh and begin using AppArmor.