# HACKED??? routed to russian isp/mozilla exploit?

## lo-jay

noticed a very slow internet connection, could not reach a lot of sites,

activating VPN only brings me to other East European ISP addresses

a check-ip site gives this:

*Quote:*

> IP 	46.211.222.21
> DNS 	
> ...

my ISP is the German Telekom though!!!

am I part of a botnet now? how can I narrow down the possible hack? rkhunter doesn't come up with anything extraordinary...

where do i start?

cheers!

ps: did put that box offline, posting from another...

----------

## lo-jay

could this be related:

*Quote:*

> Moron running hacker/spambot on 173.174.57.115
> 01:40 PM Guest Modifying Profile
> 173.174.57.115
> ...

???

----------

## lo-jay

ok, did this (I have no experience with this kind of stuff whatsoever ...)

- deleted mozilla-thunderbird-11.0

- changed user & root password

- run Opera as browser

result so far: check-ip shows me my german provider, stuff works

THIS does of course NOT MEAN that my system is clean by now, therefore the question: how to proceed more systematically???

cheers

ps: do these files show anything suspicious?

```
locate *firefox*
/home/.mozilla/firefox
/usr/portage/app-misc/beagle/files/beagle-0.3.9-firefox-3.6.patch
/usr/portage/mail-client/sylpheed/files/sylpheed-2.4-firefox.diff
/usr/portage/metadata/cache/www-client/firefox-10.0
/usr/portage/metadata/cache/www-client/firefox-10.0.1
/usr/portage/metadata/cache/www-client/firefox-10.0.1-r1
/usr/portage/metadata/cache/www-client/firefox-11.0
/usr/portage/metadata/cache/www-client/firefox-3.6.20
/usr/portage/metadata/cache/www-client/firefox-3.6.22
/usr/portage/metadata/cache/www-client/firefox-8.0
/usr/portage/metadata/cache/www-client/firefox-9.0
/usr/portage/metadata/cache/www-client/firefox-bin-10.0.2
/usr/portage/metadata/cache/www-client/firefox-bin-11.0
/usr/portage/sci-chemistry/ccp4/files/ccp4i-default-to-firefox.patch
/usr/portage/www-client/firefox
/usr/portage/www-client/firefox-bin
/usr/portage/www-client/firefox/ChangeLog
/usr/portage/www-client/firefox/ChangeLog-2009
/usr/portage/www-client/firefox/Manifest
/usr/portage/www-client/firefox/files
/usr/portage/www-client/firefox/firefox-10.0.1-r1.ebuild
/usr/portage/www-client/firefox/firefox-10.0.1.ebuild
/usr/portage/www-client/firefox/firefox-10.0.ebuild
/usr/portage/www-client/firefox/firefox-11.0.ebuild
/usr/portage/www-client/firefox/firefox-3.6.20.ebuild
/usr/portage/www-client/firefox/firefox-3.6.22.ebuild
/usr/portage/www-client/firefox/firefox-8.0.ebuild
/usr/portage/www-client/firefox/firefox-9.0.ebuild
/usr/portage/www-client/firefox/metadata.xml
/usr/portage/www-client/firefox/files/firefox-default-prefs.js
/usr/portage/www-client/firefox/files/firefox.1
/usr/portage/www-client/firefox/files/fix-preferences-gentoo.patch
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js-1
/usr/portage/www-client/firefox/files/icon
/usr/portage/www-client/firefox/files/xulrunner-1.9.2-gtk+-2.21.patch
/usr/portage/www-client/firefox/files/icon/firefox-1.5-unbranded.desktop
/usr/portage/www-client/firefox/files/icon/firefox-1.5.desktop
/usr/portage/www-client/firefox/files/icon/firefox.desktop
/usr/portage/www-client/firefox-bin/ChangeLog
/usr/portage/www-client/firefox-bin/Manifest
/usr/portage/www-client/firefox-bin/files
/usr/portage/www-client/firefox-bin/firefox-bin-10.0.2.ebuild
/usr/portage/www-client/firefox-bin/firefox-bin-11.0.ebuild
/usr/portage/www-client/firefox-bin/metadata.xml
/usr/portage/www-client/firefox-bin/files/10firefox-bin
/usr/portage/www-client/firefox-bin/files/firefox-bin-prefs.js
/usr/portage/www-client/firefox-bin/files/firefox-bin.desktop
/usr/portage/www-client/icecat/files/firefox-default-prefs.js
```

----------

## bigbangnet

You can always start with a broadband check. For example, you can go on dslreports.com and do a speedtest, a line quality test. You might need to register but it's free anyways. If it works with Opera and not on Firefox it might indicate something wrong with Firefox alone and nothing else too.

----------

## cach0rr0

that you were being routed through a proxy is especially suspicious to me

```
HTTP_VIA 1.1 sahaidachniy:3128 (squid/2.5.STABLE11)
<snip>
HTTP_X_FORWARDED_FOR 87.169.108.167
```

I don't really have enough information on your problem to say much, I would be suspicious of a compromise though - and the moment I have any suspicion of compromise, I wipe everything out completely, reformat, etc. But that's me.

Take backups of course, but do remember you may be restoring the vuln when you restore your backup. 

RE: Opera not exhibiting this behaviour - Firefox keeps its proxy settings in one of the JavaScript files under your profile (I think prefs.js). If your global proxy settings were unaltered, I would guess the infiltration is limited to a Firefox exploit.

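As an added example (editorial addition, not code from cach0rr0 or anyone else in this thread), here is a small Python audit of the proxy prefs cach0rr0 refers to. Firefox stores a manually configured proxy as `network.proxy.*` entries in `prefs.js` under `~/.mozilla/firefox/<profile>/`, and a `user.js` in the same directory is applied on top of it at every startup, so both files are worth reading. The sample prefs content, the proxy host and the function names below are constructed for the demo and do not come from the original post.

```python
"""Audit Firefox profile prefs.js / user.js for proxy settings.

Added example for this thread, not code from any poster. The
user_pref("name", value); line format and the meaning of
network.proxy.type are Firefox facts; the sample content below is
constructed and the proxy host in it is illustrative.
"""
import glob
import os
import re
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# Constructed sample: a prefs.js with a manual HTTP proxy configured.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1331200000);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.example.invalid");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("browser.startup.homepage", "about:home");
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Values of network.proxy.type as Firefox interprets them.
PROXY_TYPES = {
    0: "direct (no proxy)",
    1: "manual proxy",
    2: "PAC / autoconfig URL",
    4: "auto-detect (WPAD)",
    5: "system proxy settings",
}


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref(...) lines into a dict; comments and other lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw  # keep anything unusual verbatim for inspection
    return prefs


def audit_prefs(prefs: Dict[str, PrefValue]) -> Dict[str, object]:
    """Summarise the proxy-relevant prefs.

    'suspect' is True when the profile names a concrete proxy (manual type,
    a host/port, or a PAC URL): the kind of setting that sends one browser
    through a foreign squid while every other client on the box stays direct.
    """
    ptype = prefs.get("network.proxy.type")
    if ptype is None:
        label = "default (pref not set)"
    else:
        label = PROXY_TYPES.get(ptype, f"unknown ({ptype!r})")
    proxy_keys = sorted(k for k in prefs if k.startswith("network.proxy."))
    names_proxy = any(
        k.endswith(("_port", ".http", ".ssl", ".ftp", ".socks", ".autoconfig_url"))
        for k in proxy_keys
    )
    manual_or_pac = isinstance(ptype, int) and not isinstance(ptype, bool) and ptype in (1, 2)
    return {
        "type": ptype,
        "type_label": label,
        "proxy_prefs": {k: prefs[k] for k in proxy_keys},
        "suspect": manual_or_pac or names_proxy,
    }


def profile_pref_files(home: str = os.path.expanduser("~")) -> List[str]:
    """prefs.js and user.js of every Firefox profile under $HOME (user.js wins at startup)."""
    pattern = os.path.join(home, ".mozilla", "firefox", "*", "{}")
    files: List[str] = []
    for name in ("prefs.js", "user.js"):
        files.extend(glob.glob(pattern.format(name)))
    return sorted(files)


def audit_file(path: str) -> Dict[str, object]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_prefs(parse_prefs(fh.read()))


if __name__ == "__main__":
    print("sample:", audit_prefs(parse_prefs(SAMPLE_PREFS)))
    for path in profile_pref_files():
        result = audit_file(path)
        flag = "SUSPECT" if result["suspect"] else "ok"
        print(f"{flag:8} {path}: {result['type_label']} {result['proxy_prefs']}")
```

On a SUSPECT result, compare the host and port it prints against the `HTTP_VIA` value the check-ip page showed. The script only covers Firefox's own profile; Opera, `wget`, and anything honouring `http_proxy`/`https_proxy` environment variables or a system-wide proxy have to be checked separately, which is also how to confirm cach0rr0's assumption that the global settings were untouched.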
----------

## Fitzcarraldo

lo-jay, if you don't mind me asking, how do you think your Firefox browser was infected? Was it a specific Web site you visited?

----------

## lo-jay

ok, got these files on my box, where should I dig?

```
locate *prefs.js*
/home/user/.adobe/Acrobat/9.0/Preferences/mozilla/prefs.js
/home/user/.thunderbird/535zyfqj.default/prefs.js
/opt/Adobe/Reader9/Reader/intellinux/mozilla/prefs.js
/usr/lib64/openoffice/basis3.3/program/defaults/pref/browser-prefs.js
/usr/lib64/openoffice/basis3.3/program/greprefs/security-prefs.js
/usr/lib64/thunderbird/defaults/pref/channel-prefs.js
/usr/portage/mail-client/thunderbird/files/thunderbird-gentoo-default-prefs.js
/usr/portage/mail-client/thunderbird-bin/files/thunderbird-gentoo-default-prefs.js
/usr/portage/net-libs/xulrunner/files/xulrunner-default-prefs.js
/usr/portage/www-client/firefox/files/firefox-default-prefs.js
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js
/usr/portage/www-client/firefox/files/gentoo-default-prefs.js-1
/usr/portage/www-client/firefox-bin/files/firefox-bin-prefs.js
/usr/portage/www-client/icecat/files/firefox-default-prefs.js
/usr/portage/www-client/icecat/files/gentoo-default-prefs.js
/usr/portage/www-client/icecat/files/gentoo-default-prefs.js-1
```

cheers!

ps: chkrootkit shows:

```
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! user          3365 tty7   /usr/bin/X -nolisten tcp :0 -auth /home/user/.serverauth.3348
chkutmp: nothing deleted
```

----------

