Gentoo Forums
HACKED??? routed to russian isp/mozilla exploit?
Gentoo Forums Forum Index -> Networking & Security
lo-jay (l33t; joined 27 Feb 2005; 862 posts)

Posted: Sun Mar 18, 2012 11:16 pm    Post subject: HACKED??? routed to russian isp/mozilla exploit?

Noticed a very slow internet connection, could not reach a lot of sites;
activating the VPN only brings me to other East European ISP addresses.

a check-ip site gives this:

Quote:
>
> IP 46.211.222.21
> DNS
> COUNTRY Ukraine
> You do not use Perfect Privacy.
>
> JAVASCRIPT enabled
> JAVA disabled
> FLASH enabled
> HTTP_ACCEPT text/html application/xhtml+xml application/xml;q=0.9 */*;q=0.8
> HTTP_USER_AGENT Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
> HTTP_REFERER
> HTTP_VIA 1.1 sahaidachniy:3128 (squid/2.5.STABLE11)
> HTTP_CLIENT_IP
> HTTP_CLIENT_IP (DNS)
> HTTP_FROM
> HTTP_X_REAL_IP
> HTTP_X_FORWARDED_FOR 87.169.108.167
> HTTP_CONNECTION keep-alive
> HTTP_ACCEPT_LANGUAGE en-us en;q=0.8 zh-cn;q=0.6 zh;q=0.4 zh-hk;q=0.2
> HTTP_ACCEPT_ENCODING gzip deflate
> HTTP_ACCEPT_CHARSET
>
> WHOIS % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> % To receive output for a database update use the "-B" flag.
>
> % Information related to '46.211.192.0 - 46.211.255.255'
>
> inetnum: 46.211.192.0 - 46.211.255.255
> netname: KYIVSTAR-NET-12
> descr: Kyivstar GSM
> descr: Ukrainian mobile phone operator
> country: UA
> admin-c: KSUA-RIPE
> tech-c: KSUA-RIPE
> status: ASSIGNED PA
> mnt-by: KYIVSTAR-MNT
> mnt-lower: KYIVSTAR-MNT
> mnt-routes: KYIVSTAR-MNT
> source: RIPE # Filtered
>
> role: Kyivstar GSM
> address: Degtyarevskaya 53
> address: Kiev Ukraine
> e-mail: noc@kyivstar.net
> admin-c: AEL17-RIPE
> tech-c: JEDI-RIPE
> tech-c: VZ485-RIPE
> tech-c: AEL17-RIPE
> tech-c: VSZ1-RIPE
> nic-hdl: KSUA-RIPE
> mnt-by: KYIVSTAR-MNT
> source: RIPE # Filtered
>
> % Information related to '46.211.0.0/16AS15895'
>
> route: 46.211.0.0/16
> descr: Kyivstar GSM Kiev Ukraine
> origin: AS15895
> mnt-by: KYIVSTAR-MNT
> source: RIPE # Filtered
>
> % Information related to '46.211.128.0/17AS15895'
>
> route: 46.211.128.0/17
> descr: Kyivstar GSM Kiev Ukraine
> origin: AS15895
> mnt-by: KYIVSTAR-MNT
> source: RIPE # Filtered


My ISP is the German Telekom though!!!

Am I part of a botnet now? How can I narrow down
the possible hack? rkhunter doesn't come up with anything
extraordinary...

Where do I start?

cheers!

PS: did put that box offline, posting from another...
_________________
lo-jay

The mechanic "One of 'em Dodge Chargers - let him go by."
The driver "Not today!"

taken from "Two Lane Blacktop"


Last edited by lo-jay on Mon Mar 19, 2012 6:28 pm; edited 3 times in total
lo-jay (l33t; joined 27 Feb 2005; 862 posts)

Posted: Mon Mar 19, 2012 3:38 am

Could this be related:

Quote:
Moron running hacker/spambot on 173.174.57.115
01:40 PM Guest Modifying Profile
173.174.57.115
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2a1pre) Gecko/20090405 Firefox/3.6a1pre

Resolve Host: cpe-173-174-57-115.austin.res.rr.com

http://www.forumpostersunion.com/showthread.php?p=88455#post88455


???
lo-jay (l33t; joined 27 Feb 2005; 862 posts)

Posted: Mon Mar 19, 2012 6:53 pm

OK, did this (I have no experience with this kind of stuff whatsoever ...):

- deleted mozilla-thunderbird-11.0

- changed user & root password

- run Opera as browser

Result so far: check-ip shows me my German provider, stuff works.

THIS does of course NOT MEAN that my system is clean by now,

therefore the question: how to proceed more systematically???

cheers

PS: do these files show anything suspicious?

Code:
locate *firefox*
/home/.mozilla/firefox
/usr/portage/app-misc/beagle/files/beagle-0.3.9-firefox-3.6.patch
/usr/portage/mail-client/sylpheed/files/sylpheed-2.4-firefox.diff
/usr/portage/metadata/cache/www-client/firefox-10.0
/usr/portage/metadata/cache/www-client/firefox-10.0.1
/usr/portage/metadata/cache/www-client/firefox-10.0.1-r1
/usr/portage/metadata/cache/www-client/firefox-11.0
/usr/portage/metadata/cache/www-client/firefox-3.6.20
/usr/portage/metadata/cache/www-client/firefox-3.6.22
/usr/portage/metadata/cache/www-client/firefox-8.0
/usr/portage/metadata/cache/www-client/firefox-9.0
/usr/portage/metadata/cache/www-client/firefox-bin-10.0.2
/usr/portage/metadata/cache/www-client/firefox-bin-11.0
/usr/portage/sci-chemistry/ccp4/files/ccp4i-default-to-firefox.patch
/usr/portage/www-client/firefox
/usr/portage/www-client/firefox-bin
/usr/portage/www-client/firefox/ChangeLog
/usr/portage/www-client/firefox/ChangeLog-2009
/usr/portage/www-client/firefox/Manifest
/usr/portage/www-client/firefox/files
/usr/portage/www-client/firefox/firefox-10.0.1-r1.ebuild
/usr/portage/www-client/firefox/firefox-10.0.1.ebuild
/usr/portage/www-client/firefox/firefox-10.0.ebuild
/usr/portage/www-client/firefox/firefox-11.0.ebuild
/usr/portage/www-client/firefox/firefox-3.6.20.ebuild
/usr/portage/www-client/firefox/firefox-3.6.22.ebuild
/usr/portage/www-client/firefox/firefox-8.0.ebuild
/usr/portage/www-client/firefox/firefox-9.0.ebuild
/usr/portage/www-client/firefox/metadata.xml
/usr/portage/www-client/firefox/files/firefox-default-prefs.js
/usr/portage/www-client/firefox/files/firefox.1
/usr/portage/www-client/firefox/files/fix-preferences-gentoo.patch
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js-1
/usr/portage/www-client/firefox/files/icon
/usr/portage/www-client/firefox/files/xulrunner-1.9.2-gtk+-2.21.patch
/usr/portage/www-client/firefox/files/icon/firefox-1.5-unbranded.desktop
/usr/portage/www-client/firefox/files/icon/firefox-1.5.desktop
/usr/portage/www-client/firefox/files/icon/firefox.desktop
/usr/portage/www-client/firefox-bin/ChangeLog
/usr/portage/www-client/firefox-bin/Manifest
/usr/portage/www-client/firefox-bin/files
/usr/portage/www-client/firefox-bin/firefox-bin-10.0.2.ebuild
/usr/portage/www-client/firefox-bin/firefox-bin-11.0.ebuild
/usr/portage/www-client/firefox-bin/metadata.xml
/usr/portage/www-client/firefox-bin/files/10firefox-bin
/usr/portage/www-client/firefox-bin/files/firefox-bin-prefs.js
/usr/portage/www-client/firefox-bin/files/firefox-bin.desktop
/usr/portage/www-client/icecat/files/firefox-default-prefs.js

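On the question of how to proceed more systematically: one check a practitioner would run on a Gentoo box before trusting rkhunter's silence is to verify every installed file against the checksums Portage recorded at install time. Portage keeps them in /var/db/pkg/<category>/<package-version>/CONTENTS (the data app-portage/portage-utils' qcheck reads). The example below is added here and is not code from the thread or from Portage; it implements that comparison in Python against a constructed CONTENTS file and a throw-away directory so it runs anywhere. Replaced binaries show up as MD5 mismatches; files a package never shipped (an extra .so, a new line in prefs.js) do not, so treat it as one input, not a verdict. Caveat: CONTENTS lives on the suspect disk and an intruder with root can rewrite it, so run this from a live medium against the mounted filesystem, or compare against a freshly fetched copy of the package.

```python
"""Added example (not from the thread or from Portage): verify installed
files against the MD5 sums Portage recorded in CONTENTS.

CONTENTS line formats (one entry per line):
    dir /path
    obj /path <md5> <mtime>
    sym /path -> target <mtime>
The CONTENTS text and the files in demo() are constructed for this example.
"""
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_contents(text):
    """Yield (kind, path, md5_or_link_target) from CONTENTS text."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "dir":
            yield kind, parts[1], None
        elif kind == "obj":
            # obj <path> <md5> <mtime>; paths may contain spaces, so slice from the end
            yield kind, " ".join(parts[1:-2]), parts[-2]
        elif kind == "sym":
            # sym <path> -> <target> <mtime>
            arrow = parts.index("->")
            yield kind, " ".join(parts[1:arrow]), " ".join(parts[arrow + 1:-1])


def verify_contents(contents_text, root="/"):
    """Compare each obj/sym entry with what is on disk under `root`.

    mtime is deliberately ignored: an attacker can set it freely, and a
    checksum mismatch is the signal that matters.
    """
    result = {"ok": [], "modified": [], "missing": [], "badlink": []}
    for kind, path, extra in parse_contents(contents_text):
        full = os.path.join(root, path.lstrip("/"))
        if kind == "obj":
            if not os.path.isfile(full):
                result["missing"].append(path)
            elif md5_of(full) != extra:
                result["modified"].append(path)
            else:
                result["ok"].append(path)
        elif kind == "sym":
            if not os.path.islink(full):
                result["missing"].append(path)
            elif os.readlink(full) != extra:
                result["badlink"].append(path)
            else:
                result["ok"].append(path)
    return result


def demo():
    """Build a constructed root with one intact, one replaced and one missing file."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "usr/bin")
        os.makedirs(bindir)
        good = b"#!/bin/sh\necho genuine\n"
        with open(os.path.join(bindir, "firefox"), "wb") as f:
            f.write(good)
        with open(os.path.join(bindir, "thunderbird"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced\n")   # content differs from the record
        os.symlink("firefox", os.path.join(bindir, "mozilla"))
        contents = "\n".join([
            "dir /usr",
            "dir /usr/bin",
            f"obj /usr/bin/firefox {hashlib.md5(good).hexdigest()} 1331000000",
            f"obj /usr/bin/thunderbird {hashlib.md5(good).hexdigest()} 1331000000",
            "obj /usr/bin/xulrunner 0123456789abcdef0123456789abcdef 1331000000",
            "sym /usr/bin/mozilla -> firefox 1331000000",
        ])
        return verify_contents(contents, root=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

On a real system, loop over every /var/db/pkg/*/*/CONTENTS and call verify_contents with root="/"; anything in "modified" or "badlink" under /bin, /sbin, /usr/bin, /usr/sbin or /lib* deserves a look before anything else.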
bigbangnet (Apprentice; joined 11 Jun 2007; 174 posts)

Posted: Fri Mar 23, 2012 5:28 pm

You can always start with a broadband check. For example, you can go on dslreports.com and do a speedtest, a line quality test. You might need to register but it's free anyways. If it works with Opera and not on Firefox it might indicate something wrong with Firefox alone and nothing else too.
_________________
I'm a noob, be gentle with me. TEACH ME
cach0rr0 (Bodhisattva; joined 13 Nov 2008; 4123 posts; location: Houston, Republic of Texas)

Posted: Sat Mar 24, 2012 5:07 am

That you were being routed through a proxy is especially suspicious to me:

Code:

> HTTP_VIA 1.1 sahaidachniy:3128 (squid/2.5.STABLE11)
<snip>
> HTTP_X_FORWARDED_FOR 87.169.108.167


I don't really have enough information on your problem to say much; I would be suspicious of a compromise though, and the moment I have any suspicion of compromise, I wipe everything out completely, reformat, etc. But that's me.

Take backups of course, but do remember you may be restoring the vuln when you restore your backup.

RE: Opera not exhibiting this behaviour: Firefox keeps its proxy settings in one of the JavaScript files under your profile (I think prefs.js). If your global proxy settings were unaltered, I would guess the infiltration is limited to a Firefox exploit.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
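The two pieces of evidence in this thread, the HTTP_VIA / HTTP_X_FORWARDED_FOR lines in the first post's check-ip dump and the prefs.js proxy settings cach0rr0 points at, can both be checked mechanically. The script below is an added example, not code from the thread or from Mozilla. It parses a header dump in the check-ip site's "NAME value" layout (the lines reproduced here are copied from the first post) and reports whether an intermediate proxy announced itself, then parses a prefs.js / user.js and lists any network.proxy.* entries that would send the browser's traffic somewhere other than the system proxy. The prefs.js fragment is constructed to show what a tampered profile could look like and is an assumption, not the poster's actual file; the hostname in it is made up.

```python
"""Added example (not from the thread): proxy evidence from hop headers and
from a Firefox profile's prefs.js.  Header lines are taken from the check-ip
output in the first post; the prefs.js text is constructed (assumption)."""
import re

# Subset of the check-ip dump from the first post, same "NAME value" layout.
HEADER_DUMP = """\
IP 46.211.222.21
HTTP_USER_AGENT Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
HTTP_VIA 1.1 sahaidachniy:3128 (squid/2.5.STABLE11)
HTTP_X_FORWARDED_FOR 87.169.108.167
HTTP_CONNECTION keep-alive
"""

# Constructed prefs.js fragment; "proxy.invalid" is a placeholder hostname.
PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.invalid");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.share_proxy_settings", true);
"""


def parse_header_dump(text):
    """'NAME value' lines (optionally '>'-quoted) to a dict; no value -> ''."""
    headers = {}
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        headers[name] = value.strip()
    return headers


def proxy_evidence(headers):
    """Summarise what the hop headers say about intermediate proxies.

    Via is appended by each forwarding proxy (RFC 2616 section 14.45) and
    X-Forwarded-For carries the client address the proxy saw.  Both are
    written by the proxy itself, so they show what the proxy admits to,
    not the whole path; a silent proxy leaves neither.
    """
    via = headers.get("HTTP_VIA", "")
    xff = headers.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in via.split(",") if h.strip()]
    m = re.search(r"\(([^)]*)\)", via)
    return {
        "proxied": bool(hops),
        "hops": hops,
        "proxy_software": m.group(1) if m else None,
        "server_saw": headers.get("IP", ""),
        "client_behind_proxy": xff.split(",")[0].strip() if xff else None,
    }


USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')


def parse_user_prefs(text):
    """Parse user_pref("key", value); lines into a dict of str/bool/int."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"'):
            prefs[key] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


PROXY_TYPE = {0: "direct", 1: "manual", 2: "pac", 4: "wpad", 5: "system"}


def proxy_findings(prefs):
    """List proxy-related prefs a reviewer should look at; [] means nothing set."""
    ptype = prefs.get("network.proxy.type", 5)   # absent key: Firefox uses type 5 (system)
    findings = []
    if ptype in (1, 2):
        findings.append(f"network.proxy.type={ptype} ({PROXY_TYPE[ptype]}): "
                        "profile overrides the system proxy")
    for key in ("network.proxy.http", "network.proxy.ssl",
                "network.proxy.socks", "network.proxy.autoconfig_url"):
        if prefs.get(key):
            findings.append(f"{key}={prefs[key]!r}")
    return findings


if __name__ == "__main__":
    print(proxy_evidence(parse_header_dump(HEADER_DUMP)))
    for finding in proxy_findings(parse_user_prefs(PREFS_JS)):
        print("prefs.js:", finding)
```

Run it against every prefs.js and user.js under ~/.mozilla/firefox/*/ (and the same paths under ~/.thunderbird, since Thunderbird shares the preference names); a network.proxy.type of 1 or 2 with a host or PAC URL you never entered is the thing to explain. Check the system side too (http_proxy in the environment, and whatever the desktop's proxy settings are), since cach0rr0's reasoning only holds if those were untouched.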
Fitzcarraldo (Veteran; joined 30 Aug 2008; 1873 posts; location: United Kingdom)

Posted: Sat Mar 24, 2012 8:42 pm

lo-jay, if you don't mind me asking, how do you think your Firefox browser was infected? Was it a specific Web site you visited?
_________________
Clevo W230SS: amd64 nvidia-drivers & xf86-video-intel.
Compal NBLB2: ~amd64 xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC eudev elogind & KDE on both.

Fitzcarraldo's blog
lo-jay (l33t; joined 27 Feb 2005; 862 posts)

Posted: Mon Mar 26, 2012 9:00 pm

OK,

got these files on my box, where should I dig?

Code:
locate *prefs.js*
/home/user/.adobe/Acrobat/9.0/Preferences/mozilla/prefs.js
/home/user/.thunderbird/535zyfqj.default/prefs.js
/opt/Adobe/Reader9/Reader/intellinux/mozilla/prefs.js
/usr/lib64/openoffice/basis3.3/program/defaults/pref/browser-prefs.js
/usr/lib64/openoffice/basis3.3/program/greprefs/security-prefs.js
/usr/lib64/thunderbird/defaults/pref/channel-prefs.js
/usr/portage/mail-client/thunderbird/files/thunderbird-gentoo-default-prefs.js
/usr/portage/mail-client/thunderbird-bin/files/thunderbird-gentoo-default-prefs.js
/usr/portage/net-libs/xulrunner/files/xulrunner-default-prefs.js
/usr/portage/www-client/firefox/files/firefox-default-prefs.js
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js-1
/usr/portage/www-client/firefox-bin/files/firefox-bin-prefs.js
/usr/portage/www-client/icecat/files/firefox-default-prefs.js
/usr/portage/www-client/icecat/files/gentoo-default-prefs.js
/usr/portage/www-client/icecat/files/gentoo-default-prefs.js-1


cheers!

PS: chkrootkit shows:

Code:
Checking `chkutmp'...  The tty of the following user process(es) were not found in /var/run/utmp !
! RUID          PID TTY    CMD
! user          3365 tty7   /usr/bin/X -nolisten tcp :0 -auth /home/user/.serverauth.3348
chkutmp: nothing deleted

All times are GMT