Firefox highjacked!

Here users can ask questions about security and tutorials about security can be posted to help others, too.
TenderFoot
Forum Regular
Posts: 584
Joined: Sun May 03, 2009 2:34 pm

Re: Firefox highjacked!

#31 Postby TenderFoot » Tue Feb 11, 2014 5:12 pm

Thanks everyone - I kinda agree with you all!

Just tried M11 before and after (final?) install and no such issues.

In M8 Konqueror starts with a blank page and thus no problems when typing http://www.google.co.uk into the URL bar.

An infected SD card has been removed from the equation. Indeed, M11 was installed from it!

So, as suggested from the beginning that (very old) Mozilla page must contain exploits not envisaged at the time - but by what mechanism? If it is a highjacked DNS then that has rather more worrying implications beyond just M8.

The current router setup is as supplied by my ISP TalkTalk (apart from passwords and WPA2 key). However, TalkTalk prides itself on taking a very parochial (nanny) position on security (for our own good!) and takes control of the DNS servers by default.

DNS Information

Connection Name   Primary DNS    Secondary DNS
nas_0_38          62.24.139.8    62.24.202.70
nas_0_65          0.0.0.0        0.0.0.0
ttyUSB0           0.0.0.0        0.0.0.0


[Sorry about the loss of formatting but I couldn't find a way! It looks OK in the editor!]

Not sure why there are three sets - only ever been one pair on previous routers.

Furthermore, I've discovered that they also take control of the firewall with all filters disabled locally....

uncle mark
Forum Veteran
Posts: 4871
Age: 2016
Joined: Sat Nov 11, 2006 10:42 pm

Re: Firefox highjacked!

#32 Postby uncle mark » Tue Feb 11, 2014 7:01 pm

All ISPs set up their own DNS servers (or ones they contract with) by default.

Change them to 8.8.8.8 and 8.8.4.4 and see what happens.
Desktop: Custom build Asus/AMD/nVidia -- MEPIS 11
Laptop: Acer Aspire 5250 -- MX-15
Assorted junk: assorted Linuxes
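To make the "change the DNS servers and see what happens" test repeatable, here is an added example (not code from the thread) in Python: it reads which resolvers the system is using from resolv.conf text and compares the A records obtained from the router's resolver against the same lookup through two public resolvers. The resolver addresses are the ones quoted in the thread; the resolv.conf text and the answer addresses are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample inputs, not real query results: a resolv.conf as the
# router's DHCP would hand it out, and the A records each resolver returned
# for the same name. The ISP resolver's answer is made up so that it shares
# nothing with the two public resolvers.
SAMPLE_RESOLV_CONF = """# generated by the router
nameserver 62.24.139.8
nameserver 62.24.202.70
search lan
"""
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "62.24.139.8": {"22.33.44.55"},                # router / ISP resolver
    "8.8.8.8": {"11.22.33.44", "11.22.33.45"},     # public resolver
    "8.8.4.4": {"11.22.33.44", "11.22.33.45"},     # public resolver
}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses the system resolver will actually use."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def suspicious_address(addr: str) -> bool:
    """A public hostname resolving to a private, loopback, reserved or
    unspecified address (like the router's 0.0.0.0 entries) is a red flag."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_unspecified


def compare_resolvers(answers: Dict[str, Set[str]], public: Set[str]) -> Dict[str, List[str]]:
    """Flag resolvers whose answers share nothing with the public consensus.
    Disjoint answers are a lead, not proof: CDN-hosted names legitimately
    resolve differently by region, so confirm against the zone's
    authoritative servers before concluding a resolver is tampered with."""
    public_sets = [answers[r] for r in public if r in answers]
    consensus: Set[str] = set.intersection(*public_sets) if public_sets else set()
    report: Dict[str, List[str]] = {}
    for resolver, records in answers.items():
        flags = []
        if resolver not in public and consensus and not (records & consensus):
            flags.append("no overlap with public resolvers")
        flags += [f"suspicious address {a}" for a in sorted(records) if suspicious_address(a)]
        report[resolver] = flags
    return report
```

On a live system the answer sets would come from querying each resolver directly (for example with dig @resolver) so the comparison bypasses whatever the router hands out.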

qtech
Forum Regular
Posts: 662
Joined: Wed Nov 28, 2007 12:21 pm

Re: Firefox highjacked!

#33 Postby qtech » Tue Feb 11, 2014 8:53 pm

uncle mark wrote:A couple people have said they can't duplicate what's described. My guess is based on Occam's Razor as well as what I know about Linux and networking. It's unique to his network, and the chances of a poisoned DNS referral of an old obsolete browser startup URL are much more likely (IMO) than him having anything amiss in his local Linux file system.


An upstream poisoned DNS referral on a consumer-grade ISP that is unique to a single eight-year-old browser, on launch only, on a single version of a Linux box that doesn't affect any other system on the LAN network? Why would anyone go out of their way to do that? Besides, when was the last time you encountered DNS poisoning of an ISP on a modern network? Are you sure that's not a Gillette?

Doesn't an existing script, possibly quite old, crafted specifically for that particular version of FF, running locally from the browser cache seem statistically more likely? An infection somehow relating to the original .iso download perhaps from a torrent for instance? I'm not saying I know how this is happening but come on man, even if this was Windows, you'd guess browser infection before you would DNS Cache Poisoning or the likes. Unless you know something specific about the nature of TalkTalk Communications DNS architecture or infecting Firefox 3 on deb linux?

uncle mark
Forum Veteran
Posts: 4871
Age: 2016
Joined: Sat Nov 11, 2006 10:42 pm

Re: Firefox highjacked!

#34 Postby uncle mark » Tue Feb 11, 2014 9:46 pm

What browser cache? This is occurring with virgin live media with good md5s, which tells me it has to be upstream in the network and not local. But hell, it could be that TF has pizzed off MI5 or the NSA or something, too. Switching DNS servers would go a long way toward determining if I'm off my rocker -- or not.
Desktop: Custom build Asus/AMD/nVidia -- MEPIS 11
Laptop: Acer Aspire 5250 -- MX-15
Assorted junk: assorted Linuxes

richb
Administrator
Posts: 15421
Joined: Wed Jul 12, 2006 2:17 pm

Re: Firefox highjacked!

#35 Postby richb » Tue Feb 11, 2014 9:50 pm

I know little about this, but frankly I do not see the harm of trying the other DNS servers to put that question to bed.
Forum Rules
Guide - How to Ask for Help

Rich
SSD Production: MX-15- 64 - migrated to MX-16 RC1
HD Test: MX-16 RC1
AMD A8 7600 FM2+ CPU R7 Graphics, fglrx driver, 16 GIG Mem. Samsung EVO SSD 250 GB, 350 GB HD

uncle mark
Forum Veteran
Posts: 4871
Age: 2016
Joined: Sat Nov 11, 2006 10:42 pm

Re: Firefox highjacked!

#36 Postby uncle mark » Tue Feb 11, 2014 10:00 pm

richb wrote:I know little about this, but frankly I do not see the harm of trying the other DNS servers to put that question to bed.


That's Rich's way of saying "Just do it to shut him up".
Desktop: Custom build Asus/AMD/nVidia -- MEPIS 11
Laptop: Acer Aspire 5250 -- MX-15
Assorted junk: assorted Linuxes

richb
Administrator
Posts: 15421
Joined: Wed Jul 12, 2006 2:17 pm

Re: Firefox highjacked!

#37 Postby richb » Tue Feb 11, 2014 10:05 pm

uncle mark wrote:
richb wrote:I know little about this, but frankly I do not see the harm of trying the other DNS servers to put that question to bed.


That's Rich's way of saying "Just do it to shut him up".

LOL!
Forum Rules
Guide - How to Ask for Help

Rich
SSD Production: MX-15- 64 - migrated to MX-16 RC1
HD Test: MX-16 RC1
AMD A8 7600 FM2+ CPU R7 Graphics, fglrx driver, 16 GIG Mem. Samsung EVO SSD 250 GB, 350 GB HD

qtech
Forum Regular
Posts: 662
Joined: Wed Nov 28, 2007 12:21 pm

Re: Firefox highjacked!

#38 Postby qtech » Wed Feb 12, 2014 12:38 am

uncle mark wrote:What browser cache?


Agreed, a poor choice of words but you knew what I meant.

uncle mark wrote:This is occurring with virgin live media with good mds5's, which tells me it has to be upstream in the network and not local.


No. We only know that the .iso md5 is correct. We can only respectfully speculate as to the virginity of said media. For all we know he could be rooted and pwned on a different OS, drive or mbr. And unless that media card was zero'd out, it is still suspect. Technically speaking, infection could exist in the firmware of the card but I'm just saying... lots of other possibilities, granted, some more likely than others.


uncle mark wrote: But hell, it could be that TF has pizzed off MI5 or the NSA or something, too. Switching DNS servers would go a long way toward determining if I'm off my rocker -- or not.


I confess this thought crossed my mind as well. The feds that is, not your rocker status (which is speculative at best). But at this point I'm waiting for the gotcha, the unmentioned or forgotten detail. The unprotected wifi router, the 12 year old neighbor running a secret warez server, somebody playing with metasploit, etc. This sort of thing is just not an everyday occurrence for a Linux user.

TenderFoot
Forum Regular
Posts: 584
Joined: Sun May 03, 2009 2:34 pm

Re: Firefox highjacked!

#39 Postby TenderFoot » Wed Feb 12, 2014 11:49 am

uncle mark wrote:But hell, it could be that TF has pizzed off MI5 or the NSA or something, too.


Now you're getting the picture - it has been a long held suspicion (and I'm not paranoid)!

Anyway, qtech's view in #330401 kinda reflects my view! But perhaps this bug is a "sleeper" waiting just for me (no! I've told you - I'm not paranoid)!

However, this behaviour is in some way connected (sorry) to that opening Mozilla page if only as a catalyst. Unfortunately, I don't have a clue about the meaning or significance of the zillion settings available in the router beyond the basics.

In the meantime I shall try the older (TalkTalk Huawei) router which is more easily configurable and, hopefully, has retained my original manually set DNS choices and report back. It also has its own locally set firewall.

[Talking of which, I've had to close ZoneAlarm on this netbook to be able to access this or most other sites - except Google search pages. Most peculiar! Perhaps the conspiracy theories are valid...]

EDIT Have now tried M8 liveusb with older router and on this occasion FF was not highjacked! The DNS on that was already set at 8.8.8.8 and 8.8.4.4 (Google) servers. Not by me, but must have been TalkTalk interfering then! My choice of servers was entirely different, as are those currently set by TalkTalk, and they don't match any generally recommended public servers.

It has been a concern that if talktalk can modify the settings without my say-so then could that indicate that it could be hacked by a malevolent force either distantly over the wire or locally via wifi?

Personally I think talktalk's nannying is dangerous and will endeavour to restore control.

Anyway, it would appear (on a sample of one!) that uncle mark was on the right track. However, I am still concerned about how that page could expose this vulnerability and what the exploit is?
Last edited by TenderFoot on Wed Feb 12, 2014 1:32 pm, edited 3 times in total.

JBoman
Forum Guide
Posts: 1303
Age: 59
Joined: Wed Jul 12, 2006 4:30 pm

Re: Firefox highjacked!

#40 Postby JBoman » Wed Feb 12, 2014 1:05 pm

Last edited by JBoman on Wed Feb 12, 2014 2:30 pm, edited 1 time in total.
http://patentabsurdity.com/
AMD 64x2 2.6GHz 4GB ram MX-15 regular updates
"beware a frequent flirt with potential disaster"
