Moderator: Forum moderators
@Neo_78 ,
Extract and run update.sh
Move the extracted directory /chrome-linux to /opt
create a start script in /root/my-applications/bin
Code: Select all
#!/bin/sh
run-as-spot /opt/chrome-linux/chrome-wrapperOr
Code: Select all
#!/bin/sh
/opt/chrome-linux/chrome-wrapper --no-sandbox drag the script to the desktop which will create a shortcut icon to it
I tested the default Live-CD with a manually configured Firefox run as spot today without any noticeable incidents in the browser so far.
A couple of things I noticed in the system logs under PupSysInfo:
- I booted the system around 8.30 but the first log entry would state 10.38. Is it possible that the system time had not been synchronized online yet at that moment?
- I see a process that is executed every 5 minutes:
daemon.err dhcpcd[12290]: script_runreason: /lib/dhcpcd/dhcpcd/dhcpcd-run-hooks: WEXITSTATUS 1
Later I checked the interface statistics diagram of my router and noticed a sharp incoming traffic spike with a max value of 98MB at around 4.00. In the past, this basically happened when the attacker would send a payload to my system to prepare for an attack.
This is probably not a Puppy Linux specific question, but is there a way to log and correlate incoming traffic spikes with a foreign IP to check where exactly the data is coming from and what is being received?
I noticed the IP Info interface, which displays active connections with foreign IPs, but it will not show the traffic size and data cannot be easily copied to check IP locations.
Thanks for your feedback.
@Neo_78:
Is it possible that the system time had not been synchronized online yet at that moment?
The kernel gets the time from the hardware clock. It does not know whether the hardware clock is set to local time or UCT, and it does not know what is your time zone, so it assumes UCT/UTC.
Later, after the file system is created,the file /etc/adjtime can be accessed and the system time can be set from the hardware clock. The time is set in the file /initrd/init and also in /etc/rc.d/rc.country.
I see a process that is executed every 5 minutes
dhcpcd-run-hooks sets your dns nameserver in /etc/resolv.conf
Does the contents of the /etc/resolv.conf file look reasonable? Or is it set to a malware url?
noticed a sharp incoming traffic spike with a max value of 98MB at around 4.00
Something might be automatically updating the ppm (Puppy Package Manager) or equivalent.
iftop is a useful program, to see what is connected to your network. For example:
Code: Select all
# Host name (port/service if enabled) last 2s last 10s last 40s cumulative
--------------------------------------------------------------------------------------------
1 192.168.0.108 => 8.47KB 3.83KB 1.47KB 38.3KB
13.225.185.88 <= 603KB 194KB 74.6KB 1.89MB
2 192.168.0.108 => 0B 246B 95B 2.40KB
52.89.81.52 <= 0B 625B 240B 6.10KB
3 192.168.0.108 => 0B 69B 51B 1.30KB
72.21.91.29 <= 0B 102B 76B 1.93KB
4 192.168.0.108 => 0B 15B 73B 1.87KB
1.0.0.1 <= 0B 39B 136B 3.45KB
--------------------------------------------------------------------------------------------
Total send rate: 8.50KB 4.20KB 5.84KB
Total receive rate: 603KB 195KB 379KB
Total send and receive rate: 611KB 199KB 385KB
--------------------------------------------------------------------------------------------
Peak rate (sent/received/total): 16.7KB 1.43MB 1.45MB
Cumulative (sent/received/total): 152KB 9.62MB 9.77MB
============================================================================================The output of iftop can be sent to a file, e.g.
iftop -n -B -i wlan0 -t > /tmp/iftop.log
nethogs can be useful.
This can show listening ports and established connections, and the name of the process that it is connected to:
netstat -utap
I don't remember if it has a repeat option. This script will execute netstat every 15 seconds, and write the results to a log file:
Code: Select all
#!/bin/sh
while true
do
netstat -utap
sleep 15
done >> /tmp/netstat.logFor example:
Code: Select all
netstat -utap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 4865/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4208/cupsd
tcp 0 0 192.168.0.108:45056 34.117.237.239:443 ESTABLISHED 10186/firefox
tcp 0 0 192.168.0.108:43074 52.33.128.245:443 ESTABLISHED 10186/firefox
udp 0 0 0.0.0.0:53 0.0.0.0:* 4865/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 4525/dhcpcd
#check where exactly the data is coming from and what is being received?
a network sniffer can do that. i think wireshark is a packet sniffer. Maybe nmap can sniff packets? Maybe not.
newlisp comes with a script to sniff packets. I used it to determine that a dropbox server was what was trying to connect to me every 10 seconds or so.
Neo_78 wrote: Wed Dec 29, 2021 10:56 pmI am working in an environment where we frequently have issues with browser hijacking; i.e. an infected URL is visited and an attacker gains access to the browser in order to execute malicious JavaScript.
Is it possible to run Puppy Linux from a Live-CD without installation with a non-root user and to also run the web browser (ideally latest versions of Chrome or Firefox) as a non-root user?
I would also have to be able to install browser extensions under that setup.
The idea is then to boot every time from a fresh, uninfected system.
Appreciate your feedback.
I run Fatdog in a similar manner, modified version of a EasyOS container type setup. Uses the main SFS system file, but where root is severely crippled, down to restricted user type levels, root in name only. CLI/root, browser ...etc. are pretty much useless within that environment, other than for browsing and 'normal' activities. And it all runs in ram, so when closed and another instance reopened, that just takes a second or two, you're back to a 'clean' session again.
As it uses the main SFS as its base - that's already in ram (so very light to initiate another instance), that does mean anything I want to be reflected into the container has to have those changes recorded in the main sfs. I use Fatdog multi-session save style for that purpose and unsquash the changes recorded in those into the main session before making a new main SFS.
EasyOS makes all of that sort of thing easier, however for my purposes I like the stability of Fatdog and for how I use it making/recording changes etc. is relatively easy. EasyOS has the added advantage that rather than just using a copy of the main 'host' system as the contained sessions system, it can load any other system (different Puppy), but that does increase the overheads.
Back when I first started configuring/using that I assumed that a browser flaw permitted root cli access, and tried all sorts of mischief/damage/attacks to no avail, such that my confidence in its security/integrity is high. Can't for instance access the router admin login screen, can't access the main disks, can't spy the Xserver etc. (uses a combination of Xephyr for a separate X server, unsharing/capabilities dropping and chroot ... pretty much as all figured out by Barry).
@williams2 resolv.conf just shows 8.8.8.8, which is the Google DNS resolver and expected result as the router is configured in this way.
iftop and netstat look useful. Do you have an idea if they have a filter option to only display incoming connections that exceed a certain peak rate? I think in this way I should be able to exclude the noise and identify the source of the incoming traffic spike. I am pretty certain that this will be the initial attack source as I do not update the system during work and also nothing is being downloaded. Once the source has been identified, maybe I can then use wireshark or nmap to analyze what data exactly is received.
Is a tool like cleanram able to delete what is being sent from RAM or is a complete reboot required to start with a fresh system?
Also when you boot Puppy Linux from a Live-CD, will the identifier of the live system always be the same or does it change with each boot operation? I am just wondering if an active directory system would be able to recognize the same live system booted from the same CD.
@rufwoof How does Fatdog differ from normal Puppy Linux? Does it use containers by default or did you modify it in that way? Can it be remastered like Puppy Linux?
Unfortunately I have to report that the attacker was able to hijack the browser again today. They were able to mark text in text fields and jump tabs to new windows. I worked with latest Firefox run as spot.
As soon as I connect to the internet, I directly observe an incoming traffic spike. I noticed a second spike after having to visit a URL in our IS that was probably infected by the attacker. This essentialy means that they are able to recognize as soons as my machine connects to the internet, send the payload but then require further "permission" which seems to be silently given by visiting an infected URL inside the IS.
I would appreciate your suggestions how to harden the system or what to try next.
Thank you!
EDIT:
Attacker is able to set bookmarks in the browser and close Firefox completely. I see a large number of processes executed as spot in htop which are associated with Firefox and occupy virtual memory. CPU is elavated to 45%, which should normally idle around 3-5%. This looks like an attempt to overload and crash the system. Looks like the attacker was able to root the OS again.
Vanilla Dpup has weekly releases, with the latest security updates from Debian, applications like Firefox and Transmission are configured to run as spot, ads and malicious sites are blocked by default, and Firefox is pre-configured for better privacy.
Maybe it's the Puppy for you.
https://vanilla-dpup.github.io/
http://forum.puppylinux.com/viewtopic.php?t=4093
I think the problem really is the root account in Puppy Linux. Once the attacker has taken the first step and is inside the OS, he has full permissions to execute his code and that's game over then. I think even a container cannot prevent that if the whole system gets rooted.
So the ideal situation would be a Live-CD with a real non-sudo user with 0 privileges without a "finger print" to avoid system recognition. I think part of the probem is also if a OS is easily recognizable or identifiable, which can then be used to programmatically automate an attack against that system. This relates back to the question what makes a system unique in a network or active directory system and how this "identifier" can be randomized with each boot operation. So the same system would appear different after each boot process.
Is it possible to remaster FatDog or EasyOS with the desired browser setup, create a non-sudo user and burn the whole thing on a CD?
resolv.conf just shows 8.8.8.8, which is the Google DNS resolver
That seems ok.
It is possible to use another nameservers file.
for example, I configured dnsmasq to use /etc/resolv2.conf
Code: Select all
# nslookup 8.8.8.8
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
8.8.8.8.in-addr.arpa name = dns.google
which says that the dns server address that I'm using is 127.0.0.1:53 which is my dnsmasq server, which is correct.
filter option to only display incoming connections that exceed a certain peak rate?
I think iftop sorts by default the rate of the "last 10 seconds"
nethogs would sort by maximun rate or amount of traffic.
Is a tool like cleanram able to delete what is being sent from RAM
I don't know what cleanram tool that you are talking about.
I don't think any pf them are particulary useful.
will the identifier of the live system always be the same or does it change with each boot
Do you mean the host name, like puppypc10358?
I think that is set in /etc/hosts
I don't know if that is a random number or not.
or maybe you are referring to /etc/machine-id ?
Barry Kauler's EasyOS can boot with the hard drives locked (inaccessable even by user root)
Unfortunately I have to report that the attacker was able to hijack the browser again today. They were able to mark text in text fields and jump tabs to new windows. I worked with latest Firefox run as spot.
If Firefox can execute shell commands, it could be possible for an intruder to invade the OS as root.
If intruders have got in your system, that would be a serious problem.
You should be able to run Puppy completely in ram, which should not be infected.
There are boot sector viruses, which would start running before Puppy is loaded and starts running.
When a big network like Google or Facebook or a government system are attacked, usually they shut down the system until they can fix it.
how to harden the system or what to try next.
i don't know if you are the admin of the system or just a user.
if you a just a user, i would contact the admin.
I would check the md5sum of the Puppy iso.
I would compare the vmlinuz and initrd and the sfs files in the iso to what you have installed.
I would look in /initrd/pup_rw/ to see if the changes make sense or not.
Intrusion in a commercial network is a serious problem, and beyond my paygrade.
AFAIK I have never had a virus or root kit.
If there is an intruder, it sounds like the intruder is using something like VNC to remote control your computer.
@williams2 the Puppy iso has been sum-checked and is clean. My system is stable after a complete format and reinstallation with a VM or with hard drives disconnected + Live-CD. So I don't think the image is corrupted.
Problems start a day after I connect with a fresh system to our work IS in the browser (PHP-based), where I notice the mentioned incoming traffic spike. My conclusion is that this is coming from an insider who uses the established database connection to upload malware to my machine and prepare it for the next step of the attack. Afterwards there seems to be a cron-job running on the attacking system that checks every 10 minutes if my system is online and has the base infection and uploads it if not present. That's why I was asking regarding the identifier (e.g. host name or machine id) and how to randomize it at boot. The final step is then to visit an infected URL in the IS, which gives the attacker the final "permission" and control over my browser.
If you have an insider admin making accessibility for attacks possible, you are in a tough position Why are you not trying out the TOR browser? There is also using Puli as the OS. Or TAILS.
I am having a hard time visualizing how the attacks are able to identify you and seize control by executing shell commands via the browser. What are you doing exactly that brings your browser into contact with this malicious code? What network are you logging into? So when you do login there is an immediate amount of significant network incoming traffic. Then they begin to do poltergeist activities on your system?
williams2 wrote: Sat Jan 08, 2022 9:35 pmhow to harden the system or what to try next.
i don't know if you are the admin of the system or just a user.
if you a just a user, i would contact the admin...........
Intrusion in a commercial network is a serious problem,,,,,,,,
If you are the admin, I would think your first priority would be to discover the nature and severity of the attack, not seek to harden or find an alternative OS to mitigate an attack of unknown origin and specification.
If you are not the admin, you do realize your inquires here could appear to be an attempt to reverse engineer something in a network where you only have limited privileges?
@williwaw I am an authorized end user of the mentioned system of my organization and do not seek to escalate my privileges or reverse engineer illegal access. With the data that I have gathered so far, the only conclusion is that an admin in my organization is illegally accessing and hacking my OS. Strange situation, I admit, but I have no other explanation for the incidents. This is simply an attempt to protect my own OS from illegal access and modification.
@Neo_78
I'm sorry, I don't see your situation, but it seems really weird.
Do you communicate your problems with the IT department? They should cooperate and help you and not the other way around.
And if there is a really serious problem with one particular person from the IT department, the supervisor (director, owner) should know about it and resolve the situation.
@Feek correct, a weird situation. They outsourced our IT department and supervisor team offshore. IT does not provide support and pretends that there is no problem. Company owner does not care as long as the cash flow is running. As an end user it is almost impossible to document a hacking attack if you are not a skilled system admin. So pretty lost situation. Under normal circumstances you would leave an organization like this, but Covid makes job hunting difficult... 
@Neo_78 Not a problem!! You are documenting the hack attack quite well enough to understand what is happening. I am working on some ideas because now I am interested in showing up these guys and stuffing a counter attack right up their noses.
Puppy's grow up into dogs. Some Dogs can and will bite viciously. Sometimes on command. Maybe these Puppy's will bite back enough to be noticed. Would be a shame if the attacker's system imploded, simply a crisis if the something like the GPU over heats mysteriously. They must know the moment they connect to upload and inject what ever code they are, that leaves them vulnerable to something streaming in the other way.
I will be asking for some more details......
I always like the statement: "Puppy Linux.....you will be assimilated.....resistance is futile...."
You wanna mess around? My neighbor has a pack of Chihuahua's.....absolute killers.....add a few pounds and some inches (centimeters) and watch out. They have the heart of Lions and don't care that they are less then a foot tall.....
Really appreciate your effort @rockedge and everyone's input and knowledge sharing. Puppy has a great community and I am glad that there is a friendly and welcoming environment like this available for less technical Linux users. Thanks everyone!!! 
@Neo_78 On something of a lighter note, did you know that Puppy Linux is named after a Chihuahua?
This handsome guy is Puppy and he was part of BarryK's family.
Neo_78 wrote: Sun Jan 09, 2022 6:09 pmLooks like a funny, little guy...
I am still getting used to all the dog vocabulary...
Partially because of the dog and cat vocabulary, it makes many make the mistake of taking this family of distros not that seriously.
Usually later, to their surprise, the realization comes on how wrong they were to assume that it's "just a fun little distro" and can't do any "serious" work.
Really works in our favor in cases such as yours.
I'm pretty sure now that they are using a rootkit. Avast's rootkit definition and the section on "How do rootkits get installed?" closely match the observed attack and social engineering component.
https://www.avast.com/c-rootkit
"Hackers bundle their rootkits with two partner programs — a dropper and a loader — that work together to install the rootkit. Together, the three pieces of malware compose a blended threat. Let’s take a closer look at the tools rootkits use to get installed:
Dropper: The dropper imports the rootkit onto the victim’s computer. The dropper is the first stage of the installation process. When the victim activates the dropper, the dropper in turn activates the loader.
Loader: As the dropper executes, the loader springs into action, installing the rootkit onto the target system. Loaders often do this by triggering a buffer overflow. This is a common security exploit that lets hackers land their code in otherwise inaccessible areas of a computer’s memory.
...
The cybercriminal’s challenge is to land the blended threat package. Here are a few ways a hacker might do this to install a rootkit on your computer:
Hijacking messaging programs: A blended threat can hijack instant messaging clients to spread itself to a victim’s contacts. When the recipients click the malicious link in the message, their computers become infected as well. This type of social engineering attack is a highly effective method for spreading rootkits.
Piggybacking on trusted software: Hackers can insert a computer rootkit into otherwise-trustworthy programs and apps, then upload those poisoned apps to various download portals. When you install the infected app, you unwittingly install the rootkit, too.
Using other malware: Viruses and Trojans can be used as rootkit spreaders, because both are highly effective at getting onto your computer. When you execute the program containing the virus, or execute the Trojan, the rootkit is installed on your device.
Hiding in rich-content files: With the advent of rich-content files such as PDFs, hackers no longer need to hide malware in dedicated websites or programs. Instead, they can embed rootkits into these simple rich-content files. When you open up the tainted file, the rootkit dropper executes automatically."
---
The dropper component is uploaded via the established database connection in our IS. The first time this happens manually by the attacker and is then automated on a daily basis with a Cron-job that is executed every 10 minutes to check if my machine is online.
The loader component is then executed via social engineering: an infected URL in the IS, PDF, Google document or image that is being shared.
That also explains why they are able to infect even a VM or a system loaded into RAM with a Live-CD, because the system's signature / machine id / or host name is recognized by the infecting upload script.
Using a non-root account limits the possibilities of the attacker but the problem of the automated base infection remains.
That pretty much describes what's going on... 
Yes I also think this is a root-kit attack. Lots of good information in the above post. We'll need to by-pass the root-kit to be able to find it I think. Or make the loader component error out and fail and track it by the error messages. We need to defeat the loader I think but I'll double check that.
We are getting closer to a solution.
Perhaps time to try a root-kit detector. What other operating system is on the machine?
something perhaps like this : http://rkhunter.sourceforge.net/
more info : https://sourceforge.net/p/rkhunter/rkh_ ... les/README
I previously installed chkrootkit, ClamAV and rkhunter on a clean Ubuntu system and also the Ubuntu VM:
http://rkhunter.sourceforge.net/
If you scan it from inside the infected system, it showed 0 infections or relevant results. The problem is that rootkits are stealthy and can almost perfectly hide inside the system, which makes them very difficult to detect. In this regard a software firewall like UFW is also without effect.
There are tools like Snort, but that is beyond my level of knowledge and I think it has to be installed on a second machine that is not infected to ensure that results are valid:
Currently I have no hard discs connected to the system running everything from Live-CDs in RAM. So there is no other OS installed (only BIOS present of course).
Isn't it possible to harden Linux to such an extent that programm installations and executions are impossible at a kernel level, except for the necessary programs that are needed for work, i.e. the browser? Or it might be possible to intercept the inital payload on a network level and reject it?
Yes there is the hardened kernel. I might go ahead and see if I can compile a puppy huge kernel that has all the hardening features enabled. I have not yet made one of these and it will take some research. I am looking over some of these to get an idea on how to intercept the initial incoming "dropper" or trigger:
https://github.com/milabs/awesome-linux-rootkits
I see you have already run detectors with little success. Let's look at some of the network options there are. I think if we can get you going in a virtual machine running on a host Live system, there probably is a way to observe the traffic in such a way as to be able to identify the correct signal. Then be able to block it or intercept and redirect if that in fact is the case.
First off we need to get you going on fully functional Fossapup64
Neo_78 wrote: Mon Jan 10, 2022 5:09 pmCurrently I have no hard discs connected to the system running everything from Live-CDs in RAM. So there is no other OS installed (only BIOS present of course).
this should isolate one session from another
Neo_78 wrote: Mon Jan 10, 2022 5:09 pmIsn't it possible to harden Linux to such an extent that programm installations and executions are impossible at a kernel level, except for the necessary programs that are needed for work, i.e. the browser? Or it might be possible to intercept the inital payload on a network level and reject it?
you have a dedicated os for work on your machine? infected to some degree?
wouldn't you want to run a different os for non-work/personal? perhaps a different machine even if that did not provide enough isolation?
Do you need both work and non work os instances to access the internet through the work network?
with a Cron-job that is executed every 10 minutes to check if my machine is online.
do you have any reason to suspect the machine is ID'd rather than the OS or the browser?
@williwaw the affected machine is used exclusively for work and has never been used for non-work or personal purposes. This particular internet access and router is also only used for work purposes.
I don't know how machine or OS finger printing or IDing works. So I cannot say for certain how the system is identified in a PHP-based CMS, active directory system or network. I can imagine that this happens software or hardware-based but I assume someone with a systems engineering background could elaborate on that.
