Firefox highjacked!

Here users can ask questions about security and tutorials about security can be posted to help others, too.
qtech
Forum Regular
Posts: 662
Joined: Wed Nov 28, 2007 12:21 pm

Re: Firefox highjacked!

#11 Post by qtech » Sun Feb 09, 2014 9:58 pm

TenderFoot wrote:
That rather misses the point - it only occurs on a virgin install and first launch of FF. Updating can't occur until I access the Mepis sites to copy/paste current repos and similarly sort out gpg errors!
This happens on a clean install? That is a very serious claim. The chance that someone altered the Mepis source files is very slim. Can you post an md5 hash of your mepis .iso file? Can you post a screenshot of the infected browser? Most likely, either your DNS has been hijacked at the router or you installed from an infected usb drive.

Open a terminal, navigate to where the .iso is stored and type:

Code:

    md5sum mepiswhatever.iso

You might have to install md5sum; I don't recall if it is a default in M8.

uncle mark
Forum Veteran
Posts: 4972
Joined: Sat Nov 11, 2006 10:42 pm

Re: Firefox highjacked!

#12 Post by uncle mark » Sun Feb 09, 2014 10:24 pm

qtech wrote: This happens on a clean install? That is a very serious claim. The chance that someone altered the Mepis source files are very slim.
Which means it has to be upstream in his network. Hence my suggestion to change his DNS server. What he is describing points to DNS poisoning, or even a MITM attack. It's definitely not local.
Desktop: Custom build Asus/AMD/nVidia -- MEPIS 11
Laptop: Acer Aspire 5250 -- MX-15
Assorted junk: assorted Linuxes

chippy52
Forum Regular
Posts: 316
Joined: Wed Jul 29, 2009 6:05 pm

Re: Firefox highjacked!

#13 Post by chippy52 » Sun Feb 09, 2014 10:46 pm

Couple of things spring to mind when reading this. Are you preserving your home folder when doing the fresh install? Have you tried to delete the .mozilla / firefox / default folder and start a fresh profile?
MX15-x64_KDE_added_June_2016
Intel i5 2400, Asus P8H67-M-EVO, G-Skill Ripjaws 2x4GB DDR3-1333, nVidia GeForce GT430, Seagate 500GB sata3 HDD

TenderFoot
Forum Regular
Posts: 600
Joined: Sun May 03, 2009 2:34 pm

Re: Firefox highjacked!

#14 Post by TenderFoot » Mon Feb 10, 2014 11:29 am

qtech

MD5 matches
SimplyMEPIS-CD_8.0.15-rel_64.iso MD5= 1bb191f05047d51eebca64f60173e496
This happens on a clean install?
It happens even on the liveusb - nothing added, nothing taken away!

chippy52

See above and
Are you preserving your home folder when doing the fresh install?
When actually installed it is to a newly formatted partition!

Just tested again from liveusb. As soon as enter is pressed after typing http://www.google.co.uk into the URL bar, it redirects, briefly to a.zerodirect2... then to backup.getprz.com which then insists (through recurring pop-ups) on wanting to install PCBackup.

When I get past this (logout and back, relaunch FF), all seems to be well. As described in OP, this only happens with Mepis which starts with a very old FF and Mozilla page which may contain vulnerabilities. Once Google has been set up as my homepage, I'm never bothered again.

I have absolutely no evidence that this is a router/DNS issue as it does not manifest itself anywhere else across 5 multi-boot machines (though I may be mistaken in the general fuzz of all the configuration and maintenance that this entails!).
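The redirect TenderFoot describes and chippy52's suggestion to start a fresh profile both point at the Firefox profile as one place to look. The following added example (not from this thread or from any poster) scans a prefs.js for the URL-valued settings a homepage/search hijacker typically rewrites; the allow-list of trusted hosts and the sample prefs.js are constructed for the example, and the hijacker host in it is a placeholder.

```python
"""Added example (not from the thread): scan a Firefox prefs.js for the
settings a homepage/search hijacker rewrites. Allow-list and sample file
are constructed for this example."""
import re

# Firefox stores one setting per line:  user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')

# URL-valued prefs that silently redirect navigation when changed
# (keyword.URL existed in the Firefox 3.x era discussed in the thread).
URL_PREFS = ("browser.startup.homepage", "keyword.URL",
             "network.proxy.autoconfig_url")
TRUSTED_HOSTS = {"www.google.co.uk", "www.mozilla.org"}  # constructed

def parse_prefs(text):
    """Return {name: value} with surrounding quotes removed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs

def host_of(url):
    m = re.match(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else None

def find_hijack_indicators(prefs):
    """Watched prefs pointing outside the allow-list, plus a forced proxy."""
    findings = []
    for name in URL_PREFS:
        if name in prefs and host_of(prefs[name]) not in TRUSTED_HOSTS:
            findings.append((name, prefs[name]))
    # network.proxy.type 0 = direct; anything else routes traffic elsewhere
    if prefs.get("network.proxy.type", "0") != "0":
        findings.append(("network.proxy.type", prefs["network.proxy.type"]))
    return findings

# Constructed prefs.js resembling a hijacked profile (hijack.example is a placeholder)
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://backup.getprz.com/start");
user_pref("keyword.URL", "http://search.hijack.example/?q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("network.proxy.type", 0);
'''

if __name__ == "__main__":
    for name, value in find_hijack_indicators(parse_prefs(SAMPLE_PREFS)):
        print(f"suspicious {name} = {value}")
```

Run it against ~/.mozilla/firefox/<profile>/prefs.js from a live session; an unchanged profile should produce no findings, which helps separate a profile-level hijack from a DNS-level one.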

qtech
Forum Regular
Posts: 662
Joined: Wed Nov 28, 2007 12:21 pm

Re: Firefox highjacked!

#15 Post by qtech » Mon Feb 10, 2014 7:58 pm

TenderFoot wrote: It happens even on the liveusb - nothing added, nothing taken away!
By what you have told us then, everything is pointing to your flash drive being infected. Is this flash drive used in a mixed environment (windows and linux)? Open up the flash drive, allow for hidden files to be viewed. See if anything jumps out at you as not belonging (eg a hidden folder named "System Volume Information" or a folder named simply, ".", or perhaps an autorun.inf in the root directory). If you have a windows environment, you could install McShield (set to paranoid mode with heuristics enabled) and scan it with that. Likewise a scan with Kaspersky's Tdsskiller would be helpful to check for rootkits and hidden file systems. You can also use gparted (or equivalent) to check for hidden partitions.

That's pretty spooky. I would love to have a copy of whatever 'this' is. You didn't happen to find this flash drive in a parking lot did you? This sounds like a zero-day cross-platform firefox exploit that was discovered about 8 months ago.

qtech
Forum Regular
Posts: 662
Joined: Wed Nov 28, 2007 12:21 pm

Re: Firefox highjacked!

#16 Post by qtech » Mon Feb 10, 2014 8:01 pm

What version of Firefox is on M8?

megatotoro
Forum Regular
Posts: 676
Joined: Wed Jun 09, 2010 5:59 pm

Re: Firefox highjacked!

#17 Post by megatotoro » Mon Feb 10, 2014 8:36 pm

qtech wrote:What version of Firefox is on M8?
MEPIS 8.0.15 comes with FF 3.5.6. Pretty old, right? :p Currently posting from it.

I just popped my good ol' M8 CD into the tray and, after logging in to live session, typed google.co.uk as the OP said. I got into Google without any problems or issues...

Beats me...

TenderFoot
Forum Regular
Posts: 600
Joined: Sun May 03, 2009 2:34 pm

Re: Firefox highjacked!

#18 Post by TenderFoot » Mon Feb 10, 2014 9:05 pm

You didn't happen to find this flash drive in a parking lot did you?
Actually it's an SD card reader - and the card is reformatted before a burn!

However, tomorrow I'll burn to CD and report on results...

lucky9
Forum Veteran
Posts: 11380
Joined: Wed Jul 12, 2006 5:54 am

Re: Firefox highjacked!

#19 Post by lucky9 » Mon Feb 10, 2014 9:24 pm

Formatting won't fix things a lot of the time. You need to do a zero-write wipe of the SD card involved. A copy of DBAN should work.
Yes, even I am dishonest. Not in many ways, but in some. Forty-one, I think it is.
--Mark Twain

qtech
Forum Regular
Posts: 662
Joined: Wed Nov 28, 2007 12:21 pm

Re: Firefox highjacked!

#20 Post by qtech » Mon Feb 10, 2014 11:06 pm

TenderFoot wrote:
You didn't happen to find this flash drive in a parking lot did you?
Actually it's an SD card reader - and the card is reformatted before a burn!

However, tomorrow I'll burn to CD and report on results...
It's part of what's called an Advanced Persistent Threat and it will survive a reformat, generally by creating a hidden partition and using its own encrypted file system. No need for Dban though. Just open a terminal and do:

Code:

    dd if=/dev/zero of=/dev/sdX bs=512

Wait until it tells you the job is complete. It's a slow process but highly effective.

X = your drive. Use with an abundance of caution as data recovery will not be possible.

Also, there is no need to burn Mepis to CD. If the .iso or source files were tampered with then the checksum would not match. And I should point out that any computer you've plugged into with that card is likely infected to some degree as well.
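qtech's posts above mention a hidden partition that survives a reformat and a dd zero-wipe as the remedy. The following added example (not from this thread or from any poster) shows how a defender can check both claims on an image of the card: it parses the MBR partition table, lists sectors no partition claims, and reports which of those still hold non-zero data. The 64-sector image it builds is constructed for the example.

```python
"""Added example (not from the thread): audit a removable-media image for
unclaimed sectors and verify a zero-wipe. Sample image is constructed."""
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return sorted (start_lba, sector_count, type) for non-empty entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature (blank or non-MBR media)")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]                         # partition type byte
        start, count = struct.unpack_from("<II", e, 8)  # LBA start, length
        if ptype != 0 and count:
            entries.append((start, count, ptype))
    return sorted(entries)

def unclaimed_ranges(entries, total_sectors):
    """Sector ranges [a, b) after the MBR that no partition covers."""
    gaps, cursor = [], 1
    for start, count, _ in entries:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def nonzero_sectors(image, ranges):
    """Sectors inside the given ranges that still hold non-zero bytes."""
    return [lba for a, b in ranges for lba in range(a, b)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]

def build_sample_image():
    """Constructed 64-sector image: one Linux partition at LBA 2..33,
    stray data at LBA 40 where nothing should be."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 446, 0x80, 0, 0, 0, 0x83, 0, 0, 0, 2, 32)
    img[510:512] = b"\x55\xaa"
    img[40 * SECTOR:40 * SECTOR + 4] = b"EVIL"
    return bytes(img)

def audit(image):
    """Return (partitions, unclaimed ranges, non-zero unclaimed sectors)."""
    entries = parse_mbr(image[:SECTOR])
    gaps = unclaimed_ranges(entries, len(image) // SECTOR)
    return entries, gaps, nonzero_sectors(image, gaps)
```

On real media, read the card with dd into a file first and run audit() on that file; after the zero-wipe from the post above, parse_mbr() raising "no MBR signature" is the expected result.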
