# Web Exploit

## ysbeer

I am so sorry for asking this, but I am a pretty paranoid person by nature: for most of my internet browsing I use VirtualBox with a Debian guest and a Gentoo host, which gives me a sense of privacy/security.

On my Gentoo host I accidentally visited about 10 random Linux-related websites in a hurry to search for conky config files; they were random websites so I cannot list them here, but now I feel that there might have been a possibility for a web exploit, because I did not have NoScript enabled.

I have been monitoring with tools like "tcptrack", "netstat", "iftop" and "htop" all night and did not see anything suspicious, besides "all-systems.mcast.net", which I believe is my router/modem.

Question: do I need to reinstall Gentoo just to make sure I am "clean", or am I just being too paranoid?

----------

## NeddySeagoon

ysbeer,

It all depends on your level of paranoia. There is no way to be sure without reinstalling.

At best, remote web exploits can compromise the user that you were using the web as; if that user was root, that's your entire install.

Browsing the web as root is just wrong.

You are probably OK. A reasonable compromise to satisfy your paranoia is to destroy the user running the browser session and create a new user.

You may not salvage anything from /home/<username> but that's what backups are for.

----------

## ysbeer

Thanks for the response. My paranoia is on a high level at this moment; with Debian I would zero-wipe my hard disk and reinstall every day, however with Gentoo this seems to consume too much time.

I know about "chkrootkit", "netstat", "tcptrack", "htop" and "iftop"; I might look into "aide" later. Are there any more options that are useful for checking if a Linux system got polluted with malicious software?

How big do you think the threat is after browsing approximately 10 random Linux websites?

Would you personally reinstall your system in such a case?

How often do you reinstall your system?

----------

## NeddySeagoon

ysbeer,

I only ever install on new hardware. The install I'm using now was done in 2009. My previous install was done in 2002.

The only reason I reinstalled in 2009 was that there is no 32 bit to 64 bit migration path.

You can do binary installs of Gentoo, much like a binary distro but you need to prepare the binaries yourself.

The all in one piece binary install is called a stage4.  It requires that you have created the stage4 beforehand.

The piece by piece binary install requires that you preserve /etc/portage, your world file and /usr/portage/packages.

Your /usr/portage/packages will be empty as the default is not to keep binary packages of everything that you build.

Turning on that feature is a way to quickly revert an emerge that installs a non working package. 

I'll answer your

 *Quote:*   

> how big do you think the threat is after browsing approximately 10 random Linux websites?

with another quote.

 *Douglas Adams wrote:*   

> MISTER PROSSER:
> 
> Have you any idea how much damage that bulldozer would suffer if I just let it roll straight over you?
> 
> ARTHUR DENT:
> ...

OK, the risk is not "none at all" but it's very low.

----------

## patrix_neo

With a script taking some measure of where your firewall might be intruded, you might get lucky catching a lurker.

Even preventing such.

What you might need is a live DVD. Using it is better than compiling the whole damn thing.

----------

## Ant P.

We need to start from the beginning.

You seem convinced someone out there has the resources and motive to target you specifically, on multiple Linux distros, via crafted browser exploits — describe your threat model here, who your attacker is, what system they're trying to control, and why any of this makes economic sense.

Other than cargo-cult Windows practices like reformatting, what steps have you taken to defend yourself against the would-be attacker? Hardened? grsec? NoScript??

----------

## ysbeer

I was trolled for a long period of time by some people I knew in real life through church; they installed some sort of spyware on my MacBook that was not detectable. I can list the symptoms that occurred, but that seems pointless at this stage.

Ever since, I have been monitoring my system; however, I found something strange with the "who" command.

At first, "who" displayed my user account twice (one with an older time stamp); however, if I run "who" right now I can only see 1 user account with the current time stamp.

Can someone explain this behavior of "who"?

----------

## NeddySeagoon

ysbeer,

who lists currently logged-on users. You get one entry for each time you are logged on.

```
$ who
roy      tty1         Jul 31 09:03
roy      pts/0        Jul 31 09:16 (:0.0)
```

That's once at the console (tty1) and once in a terminal window in Xorg (pts/0).

If I open another terminal window:

```
$ who
roy      tty1         Jul 31 09:03
roy      pts/0        Jul 31 09:16 (:0.0)
roy      pts/1        Jul 31 09:18 (:0.0)
```

`lastlog` may be more informative for watching out for nasties who have shell access.
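As an added example (not part of NeddySeagoon's post), the following POSIX shell functions read `who` output of the form shown above, count sessions per user, and pick out sessions whose origin field is not a local X display. The sample input is constructed; the last line imitates a remote login from a documentation-range address so the filter has something to report.

```shell
#!/bin/sh
# Added example, not from the thread: summarise `who` output and flag sessions
# that did not originate from the local X display.
# Real use:  who | count_sessions      and      who | remote_sessions
# The sample below is constructed; 203.0.113.7 is a documentation address.

SAMPLE_WHO='roy      tty1         Jul 31 09:03
roy      pts/0        Jul 31 09:16 (:0.0)
roy      pts/1        Jul 31 09:18 (:0.0)
roy      pts/2        Jul 31 23:41 (203.0.113.7)'

# Print "user count" for each user that has at least one entry.
count_sessions() {
    awk '{ n[$1]++ } END { for (u in n) print u, n[u] }'
}

# Keep lines whose last field is a parenthesised origin that is not a local
# display such as (:0.0) or (:1). Console logins carry no origin and are skipped.
remote_sessions() {
    awk '$NF ~ /^\(/ && $NF !~ /^\(:[0-9]/'
}

# Wrapper over the constructed sample: returns the number of non-local sessions
# so a caller (or a cron job on real `who` output) can act on the count.
count_remote_in_sample() {
    printf '%s\n' "$SAMPLE_WHO" | remote_sessions | awk 'END { print NR }'
}
```

Two caveats when reading the output: a terminal emulator only appears in `who` if it writes a utmp entry, and several do not, so a missing pts line is not evidence of anything by itself; and utmp/wtmp live on the local disk, so `who`, `last` and `lastlog` are only as trustworthy as the host they run on.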

----------

## jonathan183

 *ysbeer wrote:*   

> with Debian I would zero-wipe my hard disk and reinstall every day, however with Gentoo this seems to consume too much time

 *ysbeer wrote:*   

> they installed some sort of spyware on my MacBook that was not detectable

What others think is less relevant; I doubt you will be convinced everything is OK without a fresh install. I suggest you boot from a live CD/DVD, back up etc, usr/local/portage, var/lib/portage/world, other custom things you have done like the kernel config (usr/linux/.config) and your data including home. Do a fresh install, treat your old system as compromised and pull across the parts of text files you require manually; do not just copy etc to your fresh install.

I tend to do a fresh install on new hardware - but copy manually modified /etc information from an existing install.

I would also do a fresh install if I thought the system had been compromised - after trying to work out how it had been compromised (booting from a live CD/DVD).

If I make a real mess of something I also try to fix it before doing a fresh install.

A fresh install may take some computer time compiling, but you can do quite a bit to minimize the time you actually spend typing commands, modifying config files and other things you need to install.

systemrescuecd or the Gentoo DVD can be used and allow you to use the system for things while you build the system.

----------

## ysbeer

Thanks for all the useful information,

I do not think my system got compromised at this moment; I think it's rather paranoia. I cannot seem to see the danger in visiting 10 random Linux help websites about Conky, but I might be wrong?

Besides that, I am monitoring my processes with htop, checking the network traffic, users logged in, startup scripts, chkrootkit, so I guess you can call it a learning process.

```
$ who
myusername tty1         Jul 31 17:07
```

It's strange that I only see tty1 logged in; when I open up a bunch of xfce4-terminals, it does not display them with the "who" command.

Also, my next project will be looking into "aide", because that seems helpful.

Thank you for the idea about backing up config files for restoring the system; however, if I do a fresh install I might just start from scratch.

Another concern has been ssh, but I have been told several times that if the ssh server is not started, the ssh daemon cannot do much harm.
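Since aide comes up as the next thing to look into, here is an added example (not from ysbeer or anyone else in the thread) of the core idea behind aide and tripwire, reduced to coreutils: hash every regular file under a directory into a baseline, keep that baseline somewhere the running system cannot quietly rewrite, and compare later. Directory and baseline paths are assumptions; the real tools add a database format, per-attribute rules and signed reports on top of this.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline in the
# spirit of aide/tripwire. Store the baseline file on removable media that is
# unplugged after each run, so a later intruder cannot edit it to match.
# Assumed usage:
#   make_baseline /etc /mnt/usb/etc.sha256
#   verify_baseline /etc /mnt/usb/etc.sha256 || echo "integrity check FAILED"
# Limitation: file names containing newlines are not handled.

# make_baseline DIR OUTFILE : record the sha256 of every regular file under DIR,
# sorted by path so two runs over identical trees produce identical files.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$out"
}

# verify_baseline DIR BASELINE : rehash DIR and print every line that differs.
# "<" lines are entries from the baseline (changed or removed files),
# ">" lines are entries from the current tree (changed or added files).
# Returns 0 when the tree matches the baseline, 1 otherwise.
verify_baseline() {
    dir=$1; base=$2
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    diff_out=$(diff "$base" "$cur" | grep '^[<>]' || true)
    rm -f "$cur"
    if [ -n "$diff_out" ]; then
        printf '%s\n' "$diff_out"
        return 1
    fi
    return 0
}
```

Run the baseline from a known-good state (ideally right after install, or from a live CD/DVD with the target disk mounted) rather than from a system you already suspect, since a baseline taken after a compromise just records the compromised files as normal.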

----------

## NeddySeagoon

ysbeer,

To be compromised by a website, either

a) the site has been cracked

b) the site is deliberately malicious

Linux sites tend not to be targeted by crackers, as the number of potential users is far higher for Windows and Android sites.

Deliberately malicious sites focused on Linux users may not have a very long life as many Linux users would spot it.

Also, the rewards are far higher by targeting Windows or Android users. 

We are talking motives and probabilities here. The reward motive does not exist and the probability is very small.

You can run a paranoid firewall. Nothing is allowed except that which is expressly permitted.

That helps stop nasties that do get in from phoning home.

Look at tripwire too but keep your tripwire data on a removable drive.

Tripwire and paranoid firewalls are not too intrusive.  Both will need some setup and maintenance time.

You need to assess the threat you want to defend against, then put the measures in place to defend against your perceived threats.

A government will just send the boys round to beat your secrets out of you. 

That's far faster than breaking into your PC.
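An added example (not NeddySeagoon's or anyone else's in the thread) of the "nothing is allowed except that which is expressly permitted" firewall described above, written as an nftables ruleset generated from a POSIX shell script. Both directions default to drop; outbound traffic is limited to DNS, NTP and HTTP(S) on one interface, which is what stops something that does get in from phoning home. The interface name, the permitted ports and the log prefixes are assumptions to adjust for your own host.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny nftables ruleset.
# Assumptions: the egress interface is eth0 unless EGRESS_IF is set, and the
# host only needs DNS (53), NTP (123) and HTTP/HTTPS (80/443) outbound.
# Dropped packets are logged at a limited rate so a blocked "phone home"
# attempt shows up in the kernel log without flooding it.

EGRESS_IF="${EGRESS_IF:-eth0}"

# Emit the ruleset on stdout so it can be reviewed before it is loaded.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        limit rate 10/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        oifname "$EGRESS_IF" udp dport { 53, 123 } accept
        oifname "$EGRESS_IF" tcp dport { 53, 80, 443 } accept
        limit rate 10/minute log prefix "nft-output-drop: "
    }
}
EOF
}

# Load the ruleset atomically (needs root and the nft binary).
apply_ruleset() {
    gen_ruleset | nft -f -
}

# Sanity check before applying: every base chain must default to drop.
# Returns the number of "policy drop;" lines in the generated ruleset.
count_drop_policies() {
    gen_ruleset | grep -c 'policy drop;'
}
```

On Gentoo the nft binary comes from net-firewall/nftables; review `gen_ruleset` output first, apply it from a console rather than over the network (the output chain will cut off anything not in the allow list, including an SSH session), and expect to spend some time adding rules for whatever else the machine legitimately needs, which is the setup and maintenance cost mentioned above.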

----------

