Re: Is my box compromised?



On Sun, 07 Mar 2010 17:52:07 +0100, userid wrote:

I'm running Mint 8, an Ubuntu derivate. I've tested the firewall on a
couple of security sites and it looked ok.

Yes, sounds like front door secured and backdoor left unlocked.

Black hats have moved from web side attacks to web client exploits
and through downloaded media files (flash, pdf, gif, MP3, WMA, WMV, MP2,...)


Ubuntu - as far as I understand ;) - uses a mixed policy: you log in as
a normal user but, using the same password, you may become a sudoer.

Yes, seen that policy. Instead of having to crack user and root passwords,
cracker just needs to crack one password. :(


I normally browse with user account (apparently, by default, there's no
root account).

Hmmm, try these three commands in a terminal.
grep $USER /etc/passwd
grep browser /etc/passwd
grep root /etc/passwd


But, shouldn't you see these popups every time, then?

Not necessarily.


They popped up just once,

Yep, to further hinder Anti-virus vendors from getting their hands on
a copy of malware, the infected site can keep a record of ip addresses
and not attempt to serve malware to an already logged ip address.

I was thinking of the mechanics of someone using my box as a proxy.

Think of a proxy as a software router which redirects traffic.
Normally it is transparent to the user.

Does it make any sense that _my_ browser pops something up?

Depends on the malware's design/goal in life. If it needs to click a
window or enter data, then yes.

Or, should it be invisible?

Well designed malware will keep its activity hidden as much as possible.

Thank you very much for these suggestions, I would try them. I just
think though that a separate account to browse is far too complicated for
me, since I need it to work. It would be an endless switching

Hehehe, maybe a 5 line change, max, to /etc/sudoers
a little script that does a
qdbus org.kde.kwin /KWin org.kde.KWin.setCurrentDesktop 3 > /dev/null
xterm -e sudo /bin/su -l browser_login_id

and a desktop shortcut which runs the script. Click shortcut, desktop switches
to desktop window 3 and launches log in into browser_login_id.
Above qdbus command assumes you're running KDE4.x as desktop manager.

~browser_login_here/.bash_profile has something like
firefox $HOME/index.html
/bin/rm -rf .mozilla .macromedia
tar -xpvf $HOME/firefox.tar > /dev/null 2>&1
exit

That assumes you have already tar'ed up .mozilla and .macromedia into
/home/browser_login_id/firefox.tar

Upside, poisoned cache, cookies, memory, dns cache are deleted upon exit.
Downside to above is bookmarks are also deleted.

Not a problem for me. I keep urls with keyword hints in an ascii file.
I have a script to grep the file. Example:

$ urls bash doc
http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html ! basic shell bash doc
http://gentoo-wiki.com/MAN_bash ! documentation
http://cfaj.freeshell.org/shell ! bash script tips usage doc
http://tldp.org/LDP/abs/html/index.html ! bash script advanced documentation
http://mywiki.wooledge.org/BashFAQ/050 ! bash script variable expansion doc
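One way to script the throwaway-profile idea from the .bash_profile above, as an added example rather than code from the thread: it unpacks the pristine profile into a temporary HOME under the current account (instead of a separate login via sudo/su, so no /etc/sudoers change is needed), runs the browser there, and wipes everything on exit. The names firefox.tar, .mozilla and .macromedia are the thread's; run_disposable_browser and the helper functions are this example's own.

```shell
#!/bin/sh
# Disposable browser session: unpack a pristine copy of the browser profile
# into a throwaway HOME, run the browser there, and delete everything on
# exit so that poisoned cache, cookies or DNS state never survive a session.
# Assumption (this example's, not the thread's): the tarball was made
# beforehand with `tar -cf firefox.tar .mozilla .macromedia` in a clean home.

# restore_profile TARBALL DEST: unpack the pristine profile into DEST.
# Refuses to unpack over an existing profile so a stale, possibly poisoned,
# one is never silently reused.
restore_profile() {
    tarball=$1; dest=$2
    [ ! -e "$dest/.mozilla" ] || return 1
    mkdir -p "$dest" && tar -xpf "$tarball" -C "$dest"
}

# wipe_profile DEST: remove the profile directories and the throwaway HOME.
wipe_profile() {
    [ -n "$1" ] || return 1
    rm -rf "$1/.mozilla" "$1/.macromedia"
    rm -rf "$1"
}

# run_disposable_browser TARBALL CMD [ARGS...]: restore, run CMD with HOME
# pointing at the fresh profile, then wipe. Runs in a subshell so the EXIT
# trap fires when the session ends, including on Ctrl-C or a killed browser.
run_disposable_browser() (
    tarball=$1; shift
    [ $# -gt 0 ] || exit 1
    work=$(mktemp -d) || exit 1
    trap 'wipe_profile "$work"' EXIT INT TERM
    restore_profile "$tarball" "$work" || exit 1
    HOME=$work; export HOME
    "$@"
)

# Typical use, mirroring the thread's .bash_profile:
#   run_disposable_browser "$HOME/firefox.tar" firefox "$HOME/index.html"
```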