Web Exploit

ysbeer · n00b Joined: 08 Jul 2016 Posts: 65

i am so sorry for asking this, but i am a pretty paranoid person by nature: for most of my internet browsing i use VirtualBox with guest Debian and Gentoo Host, which gives me a sense of privacy/security.

on my Gentoo host i accidentally visited about 10 random Linux related websites in a hurry to search for conky config files, they where random websites so i can not list them here, but now i feel that their might have been a possibility for a web exploit, because i did not had no script enabled.

i have been monitoring with tools like ''tcptrack" "netstat" "iftop" "htop" all night and did not see anything suspicious, beside "all-systems.mcast.net" which makes me believe is my router/modem.

Question: do i need to reinstall Gentoo just to make sure i am "clean", or am i just being too paranoid?

NeddySeagoon · Posted: Sat Jul 30, 2016 10:13 am Post subject:

ysbeer,

It all depends on your level of paranoia. There is no way to be sure without reinstalling.

At best, remote web exploits can compromise the user that you were using the web as, if that user was root, that's your entire install.
Browsing the web as root is just wrong.

You are probably OK. A reasonable compromise to satisfy your paranoia is to destroy the user running the browser session an create a new user.
You may not salvage anything from /home/<username> but that's what backups are for.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

ysbeer · n00b Joined: 08 Jul 2016 Posts: 65

thanks for the response, my paranoia is on a high level at this moment, with Debian i would zero wipe my hard disk and reinstall every day, however with Gentoo this seems to consume too much time.

i know about "chkrootkit" "netstat" "tcptrack" "htop" "iftop" i might look into "aide" later, are there any more options that are useful for checking if a linux system got polluted with malicious software?

how big do you think is the threat after browsing approximately 10 random Linux website?

would you personally reinstall your system in such a case?

how often do you reinstall your system?

NeddySeagoon · Posted: Sat Jul 30, 2016 6:45 pm Post subject:

ysbeer,

I only ever install on new hardware. The install I'm using now wan done in 2009. My previous install was done in 2002.
The only reason I reinstalled in 2009 was that there is no 32 bit to 64 bit migration path.

You can do binary installs of Gentoo, much like a binary distro but you need to prepare the binaries yourself.
The all in one piece binary install is called a stage4. It requires that you have created the stage4 beforehand.

The piece by piece binary install requires that you preserve /etc/portage, your world file and /usr/portage/packages.
Your /usr/portage/packages will be empty as the default in not to keep binary packages of everything that you build.
Turning on that feature is a way to quickly revert an emerge that installs a non working package.

I'll answer

patrix_neo · Guru Joined: 08 Jan 2004 Posts: 520 Location: The Maldives

With a script taking some measure to where your firewall might be intruded, you might get lucky catching a lurker.
Even preventing such.

What you might need, is a live DVD. Use it is better than complie the whole damn thing.

Ant P. · Watchman Joined: 18 Apr 2009 Posts: 6920

We need to start from the beginning.

You seem convinced someone out there has the resources and motive to target you specifically, on multiple Linux distros, via crafted browser exploits — describe your threat model here, who your attacker is, what system they're trying to control, and why any of this makes economic sense.

Other than cargo-cult Windows practices like reformatting, what steps have you taken to defend yourself against the would-be attacker? Hardened? grsec? NoScript??

ysbeer · n00b Joined: 08 Jul 2016 Posts: 65

i was trolled for a long period of time by some people i knew in real life trough church, they installed some sort of spyware on my macbook that was not detectable, i can list the symptoms that occurred but that seems pointless at this stage.

ever since i am monitoring my system however i found something strange with the "who" command

at first when "who" it displayed my users account twice (one with a older time stamp) however if i "who" right now i can only see 1 user account with the current time stamp.

can someone explain this behavior of "who" ?

NeddySeagoon · Posted: Sun Jul 31, 2016 8:22 am Post subject:

ysbeer,

who tells currently logged on users. You get one entry for each time you are logged on.

jonathan183 · Guru Joined: 13 Dec 2011 Posts: 318

ysbeer · n00b Joined: 08 Jul 2016 Posts: 65

Thanks for all the useful information,

i do not think my system got compromised at this moment, i think its rather paranoia, i can not seem to see the danger in visiting 10 random Linux help websites about Conky, but i might be wrong?

Beside that i am monitoring my processes with htop, checking the network traffic, users logged in, startup scripts, chkrootkit, so i guess you can call it a learning process.

who
myusername tty1 Jul 31 17:07

its strange that i only see tty1 logged in, when i open up a bunch of xfce4-terminals, it does not display them with the "who" command.

also my next project will be looking into "aide" cause that seems helpful.

thank you for the idea about backing up config files for restoring the system, however if i do a fresh install i might just start from scratch.

another concern have been ssh, but i been told several times, if the ssh server is not started, the ssh daemon can not do much harm.

NeddySeagoon · Posted: Sun Jul 31, 2016 4:23 pm Post subject:

ysbeer,

To be compromised from a compromised website then either
a) the site has been cracked
b) the site is deliberately malicious

Linux sites tend not to be targeted by crackers as the number of potential users are far higher for Windows and Android sites.
Deliberately malicious sites focused on Linux users may not have a very long life as many Linux users would spot it.
Also, the rewards are far higher by targeting Windows or Android users.

We are talking motives and probabilities here. The reward motive does not exist an the probability is very small.

You can run a paranoid firewall. Nothing is allowed except that which is expressly permitted.
That helps stop nasties that do get in from phoning home.

Look at tripwire too but keep your tripwire data on a removable drive.

Tripwire and paranoid firewalls are not too intrusive. Both will need some setup and maintenance time.

You need to assess the threat you want to defend against, then put the measures in place to defend against your perceived threats.

A government will just send the boys round to beat your secrets out of you.
That's far faster than breaking into your PC.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.