Posted on 09/21/2005 7:57:22 AM PDT by general_re
Infected binary or source code files aren't anything new. And sometimes they are found on public servers. Mozilla.org is the latest example. Korean distributions for mozilla and thunderbird for linux turned out to be infected - mozilla-installer-bin from mozilla-1.7.6.ko-KR.linux-i686.installer.tar.gz and mozilla-xremote-client from thunderbird-1.0.2.tar.gz were infected with Virus.Linux.RST.b.
This virus searches for executable ELF files in the current and /bin directories and infects them. When infecting files, it writes itself to the middle of the file, at the end of a section of code, which pushes the other sections lower down. It also contains a backdoor, which downloads scripts from another site, and executes them, using a standard shell.
The infected files have now been removed, but it took some time. And this isn't the first time that infected binary or source code files have been placed on public servers. Yet another example of why you should have an up to date antivirus solution, and scan EVERYTHING you download, without exception.
Maybe on Linspire - a Linux for newbies that logs users on as root (like WinderzXP). Not on my Debian box.
The tripwire daemon should be monitoring the size of the executables in /bin, not the downloaded file. Those are the normal targets, all the regular Unix commands that are run frequently.
Assuming you're not running as a privileged user, sure. Of course, it'll still try to touch every file it can - run one as root later on, and you're hosed ;)
Ah, sorry - I thought you were asking about the moz/TB binaries. In that case, Tripwire would presumably sound the alarm if files started changing.
Surely it's not that simple.
You would normally su to root to install the software. While unzipping and untarring the executables wouldn't do anything, the executables they contain will probably be owned by root and can therefore run as root if the suid bit is turned on.
So even if you're browsing the web as Joe Blow, you might not be safe.
Of course, most savvy Unix SAs install things like web servers under an account like 'nobody' that is deliberately designed to have no privileges at all. But many would unthinkingly su to root to install client software on workstation machines.
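The tripwire-style check the earlier posts describe (watching /bin executables for changes) together with the suid concern raised just above, as an added example that is not from this thread: a Python baseline/compare script that records size, permission bits and a SHA-256 hash for every regular file under a directory, then reports anything whose content or mode changed, anything that grew, and anything carrying a setuid/setgid bit. Function names and the sample directory are assumptions; the demo constructs a stand-in file rather than touching real binaries.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record (size, permission bits, sha256) for every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and other non-regular files
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            baseline[rel] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return baseline

def compare(old, new):
    """Return (path, reason) pairs for anything an integrity monitor should flag."""
    findings = []
    for rel, (size, mode, digest) in new.items():
        if rel not in old:
            findings.append((rel, "new file"))
        else:
            osize, omode, odigest = old[rel]
            if digest != odigest:
                detail = "content changed"
                if size > osize:  # an infector that inserts itself makes the file grow
                    detail += f", grew by {size - osize} bytes"
                findings.append((rel, detail))
            if mode != omode:
                findings.append((rel, f"mode changed {omode:o} -> {mode:o}"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, f"setuid/setgid bit set (mode {mode:o})"))
    for rel in old:
        if rel not in new:
            findings.append((rel, "file removed"))
    return findings

def demo():
    """Constructed scenario: baseline, then the file grows and gains the setuid bit."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "ls")
        with open(target, "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 60)  # constructed stand-in, not a real binary
        os.chmod(target, 0o755)
        before = snapshot(root)
        with open(target, "ab") as fh:
            fh.write(b"\x00" * 1000)  # constructed change: 1000 bytes added
        os.chmod(target, 0o4755)
        return compare(before, snapshot(root))

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

In practice the baseline would be written once and kept on read-only media, since a monitor whose baseline lives on the same writable filesystem can be updated along with the files it watches.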
GNU Project's FTP Servers Hacked
Things like this happen when you let just anyone view your source code.
Seems to be a recurring problem for these Mozilla guys.
http://www.mozillazine.org/talkback.html?article=6771
Nice blimp.
ten or 10 in binary, which is a few less? :)
Shoot, I always favored my Radio Shack 2k TRS-80.
i...........
There's 10 kinds of people who understand binary... Those who do, and those who don't. :)
i=sqrt(-1).............
Just think. If IBM had chosen CP/M instead of MSDOS, Bill Gates would be just another computer geek..............
i=sqrt(-1)............. Very imaginative! :)
He says to the Bartender, "I just lost an electron!"
Bartender says, "Are you sure?"
Atom replies, "I'm positive!".......
Trash-80. OS in ROM. No viruses.
Since I'm a Suse user, not Debian, I had to check what 'apt' is, but probably yes. Certainly Yast only runs as root.
That's why these automatic installers are so dangerous. They run as root so they can update the startup/shutdown scripts, but this makes them vulnerable to attacks like this.
apt runs as sudo (when you install) but programs can't invoke root on their own.