Author Topic: JAVA.Exploit.Agent-2  (Read 2073 times)

Tony
Re: JAVA.Exploit.Agent-2
« Reply #15 on: August 31, 2012, 01:40:56 PM »
Quote
"If T6 had of been using AVG "for years" he would have said it found False Positives too." and "No need to be putting down Avast!, all AV's have their traits, well off the Topic at hand."

why you say this?  i mentioned avast because is what i used until 2011, before that, i used avg only

I'm sorry T6, I was trying to say most Anti Virus can produce FP's. In no way would I be saying anything personally towards your merits, they are very plain to see, but rather the AV's. My sincere apologies for my English Usage, which is my first and only language.

People who can express themselves in a tongue other than their own are in my mind extraordinary, especially in a Technical environment.

It is good to understand who you are, what you think and do. We have similar backgrounds it seems, although you have mastered Linux.  :o
I hope you can see my statement was just as it was, a defense that Avast! Home (free) Edition is not any better or worse than AVG, or Avira, even Kaspersky. They all rely on an ever-changing database. Instead of deleting things; quarantining files, uploading them to online scanners, waiting for updated virus databases and rescanning are practices I advise whenever these situations of an infection arise as some do not know these things so those who don't know will benefit maybe.

I so much enjoy being a Linux user these days, this is a very different environment for me. What I said had nothing implied at you T6, and none was intended. I hate AV's, but learnt so much from the older guys at the Avast! Forum for many years, plus so many other places, learning to plug the holes in MS OS's by understanding how they worked, that it's like beginning over changing to PCLinuxOS. Similar journey learning how Linux works, or how to use it more importantly at the moment.

I try to express that not just one solution will cure malware, on a Win System, all the time tools are being created to keep up with the malcreants who are leaping forward with their own scripts of deception, as you would surely know. I also fall back into Malware Alert mode sometimes, which is intense.
Quote
i ask you, are you crazy?
When I want to be  ;D
*PCLOS 3.2.18-pclos2 - MiniMe 2013.x - KDE 4.10.1 - Intel(R) Pentium(R) 4 CPU 3.00GHz - 1GiB DIMM DDR 533 MHz RAM  = SHABANG ! ;) *Software Updates

T6
Re: JAVA.Exploit.Agent-2
« Reply #16 on: August 31, 2012, 02:00:07 PM »
"although you have mastered Linux"

no, i'm not even close to become a advanced user   :(

"When I want to be"

that makes us two, then, lets eat some ice cream

"If you wish to make an apple pie from scratch, you must first invent the universe."

Carl Sagan

Serj
Re: JAVA.Exploit.Agent-2
« Reply #17 on: August 31, 2012, 02:53:27 PM »
dougmack,
if Avast does not start after the update, you need to add to the end of file /etc/sysctl this line:

Code:
kernel.shmmax = 134217728
I have Avast! works well.
Good luck!
« Last Edit: August 31, 2012, 02:55:16 PM by Serj »

dougmack
Re: JAVA.Exploit.Agent-2
« Reply #18 on: August 31, 2012, 04:32:50 PM »
I'm sorry you have taken offense, T6.  No offense was meant. 

--doug
Blessed are the peacemakers...for they shall be shot at from both sides.  A. M. Greeley

Tony
Re: JAVA.Exploit.Agent-2
« Reply #19 on: August 31, 2012, 09:32:55 PM »
Quote
"although you have mastered Linux"

no, i'm not even close to become a advanced user   :(

"When I want to be"

that makes us two, then, lets eat some ice cream

Gelatti, thanks T6 ! A sweet note to end on  ;D
« Last Edit: September 01, 2012, 03:56:21 AM by Abraxas »

T6
Re: JAVA.Exploit.Agent-2
« Reply #20 on: September 01, 2012, 02:14:02 PM »
 :D

following the paranoia wave that generates this java virus world we are living, i decided to install clamav and explore files since i use a couple of java apps that connects to internet

i found none but it seems that i have to update virus db first and the guide to do it is not so simple, freshclam does nothing  :-\

will try later with another av

Tony
Re: JAVA.Exploit.Agent-2
« Reply #21 on: September 01, 2012, 07:32:04 PM »
I think if Java was to be exploited in Linux; due to the many locked down / - root (Admin - System) files/permissions basically the malcreant would be after your Bandwidth. To add to their Bot, or collective of compromised Computers, subtly 'leaking' Bandwidth, or CPU Cycles.

As I understand, compromised Linux Systems would indicate having Admin (root) Permissions; where it shouldn't have such permissions...  ???

If you're a 'Home User', target would be to gain privileges to steal a little Bandwidth; or as I said CPU Cycles. Everything is locked down so tight breaking root privileges/permissions seems the first step.

In a Network situation, like a Company, Trojans may be more likely; searching out Passwords, Account numbers, General juicy info. Also stealing collective Bandwidth and Computing Power.

Honestly I'm just guessing. There is but a few Linux Viruses, as such ?

Java is pretty conspicuous when active. As I haven't read any reports of anyone being specifically 'Exploited' by this Java Security hole, and haven't spent much time looking for that info; who knows ?
I'm not up with Linux sites dealing with Malware.

So in General; Symptoms to look out for; Sluggish performance, your Modem/Router lights are flashing but you're not knowingly sending or receiving data; redirects to other pages than ones you're intending to go to when Browsing online.
 ???  I dunno, just common sense.

Problem installing an Anti Virus scanner on Linux, you'll still just find Windows Viruses, which isn't much help ???  ::)  :P  ;)

I did a Virus scan yesterday and Avast! said my 'etc/hosts' file was a Virus.
I have tried adding entries to it, like: "127.0.0.1  facebook.com", but I obviously don't understand how the hosts file works on Linux, so I reset it to its basic default, 127.0.0.1 localhost.localdomain.
I've seen my Son go to facebook so it obviously wasn't working  :D
[  http://winhelp2002.mvps.org/hosts.htm - http://www.putorius.net/2012/01/block-unwanted-advertisements-on.html ]

I use Adblock in Firefox, and have a huge list [ https://easylist-downloads.adblockplus.org/exceptionrules.txt ] that I subscribe to which Automatically updates, "set it and forget it", so blocking Ads, Bad sites isn't a worry.

Also I'm running linux, clear all my Tracks from my Browser, and am invisible online, almost.
Internet security vulnerability Test: ShieldsUp !  https://www.grc.com/x/ne.dll?bh0bkyd2
Doesn't hurt to review your Security from time to time anyway.
You'd likely know if your Computer seems to be infected, although I've never had a Virus, MS, or otherwise, there are obvious symptoms. Blah, enough already ...
« Last Edit: September 01, 2012, 08:32:05 PM by Abraxas »

Tony
Re: JAVA.Exploit.Agent-2
« Reply #22 on: September 01, 2012, 08:45:58 PM »
Just out of interest ran:
Internet security vulnerability Test: ShieldsUp ! https://www.grc.com/x/ne.dll?bh0bkyd2
This Internet Common Ports Probe attempts to establish standard TCP Internet connections with a collection of standard, well-known, and often vulnerable or troublesome Internet ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are "open" or visible and soliciting connections from passing Internet port scanners.

Quote
Your system has achieved a perfect "TruStealth" rating.

Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.
Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests).
From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet.

Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

Code:
GRC Port Authority Report created on UTC: 2012-09-02 at 02:44:21

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
---------------------
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
« Last Edit: September 01, 2012, 08:49:04 PM by Abraxas »

dougmack
Re: JAVA.Exploit.Agent-2
« Reply #23 on: September 01, 2012, 08:56:03 PM »
1. You have to be root to run freshclam.  Then it should work--it always does for me.
2. A recent post by pinoc "Security Update: Java SE 6 Update 35" states that Java 1.6.0 has been updated to 1.6.0-35, and that will appear shortly in the Synaptic repos.
As of Saturday nite, 10:30PM EDT,  java 1.6.0-sun seems to be updated, as promised.  Q: A lot of Java 1.5.x had been installed (before this present mess)--should it be?
3. A post on another Linux list, today, says: "Oh, and you might want to update your Java version to 1.7 update 7 (Java7u7) downloaded from www.java.com, it was released in the last 48 hrs and fixes some security issues. That will likely prevent stuff like that from happening again while you do your web browsing on unsafe sites."
   So, the question is, is 1.6.0-35 actually the latest, or should we expect 1.7 any hour or day now, or what? I'm hoping for some guidance.

I seem to have opened a can of worms!  I trust that the good gurus here can put the cover back on it!

--doug

T6
Re: JAVA.Exploit.Agent-2
« Reply #24 on: September 01, 2012, 09:21:02 PM »
"1. You have to be root to run freshclam"

i was root at the moment but it kept complaining about a .conf file somewhere so i just uninstalled it

"I seem to have opened a can of worms"

no, you didn't, this is java fault and you are just like us, trying to solve this mess, investigating and learning how to do it

dougmack
Re: JAVA.Exploit.Agent-2
« Reply #25 on: September 02, 2012, 12:39:57 AM »
Reinstalled java-related files I had removed at the start of this thread. Except 3 that don't seem to be in the repo anymore.  I am attaching a list of the files I removed, and marked those that I can't find anymore to reinstall. ***   PROBLEM: YouTube has no audio output anymore.  A radio station that uses RealPlayer plays. Note that the replaced files for java-1.6.0-sun are now replaced with the updated _35 versions.

java-1.5.0-sun will be removed
java-1.5.0-sun-alsa will be removed
java-1.5.0-sun-fonts will be removed
java-1.5.0-sun-jdbc will be removed
java-1.5.0-sun-plugin will be removed
java-1.6.0-sun will be removed
java-1.6.0-sun-alsa will be removed
java-1.6.0-sun-fonts will be removed
java-1.6.0-sun-jdbc will be removed
java-1.6.0-sun-plugin will be removed
jpackage-utils will be removed
jre will be removed
libobasis3.5-extension-javascript-script-provider will be removed ***
libobasis3.5-javafilter will be removed***
lsb-test will be removed
ooobasis3.4-javafilter will be removed***
task-java will be removed
weatherbug will be removed
webcamstudio will be removed

Can someone please suggest what I have to do to get YouTube audio to work again? This is very important to me.
Thank you for your assistance--doug


dougmack
Re: JAVA.Exploit.Agent-2
« Reply #26 on: September 02, 2012, 01:03:54 AM »
Reply to myself:  I forgot to add that trying to reinstall the files I had removed because of the Exploit, I ran into this problem:

While installing package java-1.5.0-sun-1.5.0.22-2pclos2010:
Error in file "/usr/share/applications/xcam.desktop": "foo/bar" is an invalid MIME type ("foo" is an unregistered media type)
Error in file "/usr/share/applications/xcam.desktop": "foo2/bar2" is an invalid MIME type ("foo2" is an unregistered media type)
Error in file "/usr/share/applications/xscanimage.desktop": "foo/bar" is an invalid MIME type ("foo" is an unregistered media type)
Error in file "/usr/share/applications/xscanimage.desktop": "foo2/bar2" is an invalid MIME type ("foo2" is an unregistered media type)


--doug

T6
Re: JAVA.Exploit.Agent-2
« Reply #27 on: September 02, 2012, 09:51:13 AM »
why do you install java 1.5 packages?

about flash and audio on videos, that sounds like a hardware issue, pulseaudio related, any video card with hdmi output?

Bald Brick
Re: JAVA.Exploit.Agent-2
« Reply #28 on: September 02, 2012, 10:16:35 AM »
Quote
Just out of interest ran:
Internet security vulnerability Test: ShieldsUp ! https://www.grc.com/x/ne.dll?bh0bkyd2
This Internet Common Ports Probe attempts to establish standard TCP Internet connections with a collection of standard, well-known, and often vulnerable or troublesome Internet ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are "open" or visible and soliciting connections from passing Internet port scanners.

Quote
Your system has achieved a perfect "TruStealth" rating.

Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.
Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests).
From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet.

Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


Yes, it seems that new versions of PCLinuxOS stealth everything including port 113, which used to be unstealthed by default.
Feed the trolls!
They need it!

AMD Athlon 7450 Dual-Core Processor, 7.80 GiB RAM, Nvidia GeForce GT 120/PCIe/SSE2, OpenGL/ES-version: 3.3 0 NVIDIA 295.40, SBx00 Azalia (Intel HDA) soundcard, ‎Logitech B500 webcam, SAA7146 DVB card, HDDs: Seagate 250824AS, Western Digital WD10EAVS-00D

Tony
Re: JAVA.Exploit.Agent-2
« Reply #29 on: September 02, 2012, 10:28:09 AM »
Commit Log for Sat Sep  1 00:46:59 2012


Upgraded the following packages:
java-1.6.0-sun (1.6.0.33-1pclos2012) to 1.6.0.35-1pclos2012
java-1.6.0-sun-alsa (1.6.0.33-1pclos2012) to 1.6.0.35-1pclos2012
java-1.6.0-sun-fonts (1.6.0.33-1pclos2012) to 1.6.0.35-1pclos2012
java-1.6.0-sun-jdbc (1.6.0.33-1pclos2012) to 1.6.0.35-1pclos2012
java-1.6.0-sun-plugin (1.6.0.33-1pclos2012) to 1.6.0.35-1pclos2012

dougmack ,
1.) open Synaptic
2.) Reload.
3.) Search > java
4.) See pic of my Synaptic

5.) See that  java 1.6.0.35-1pclos2012 is the installed version ?
6.) When the java 1.6.0.35-1pclos2012 package is in the Repository you use, it will appear when you click: Mark All Upgrades
6.) Is java 1.6.0.35-1pclos2012 appearing when you Reload, Mark all Upgrades ?
7.) If not, it has not yet been synched to the repository you use.
8.) What Repository do you use ? If java update is not appearing, change to:
 [http://ftp.heanet.ie/pub/pclinuxos/apt/] It has the java update 1.6.0.35
That's it !  ;)
Quote
" ...3. A post on another Linux list, today, says:" Oh, and you might want to update your Java version to 1.7 update 7..."(Java7u7)

Security Update: Java SE 6 Update 35
Do not worry; the correct update is java-1.6.0-sun (1.6.0.33-1pclos2012) to 1.6.0.35-1pclos2012
It is Java Runtime Environment ; JRE , which is the correct java application for what we use.
Java7u7 (Java SE)is not the required package.


dougmack
Go to --  http://www.mozilla.org/en-US/plugincheck/
To rule out that your Shockwave Flash Shockwave Flash 11.2 r202 is installed.


*As T6 says:
Quote
about flash and audio on videos, that sounds like a hardware issue, pulseaudio related, any video card with hdmi output?

dougmack start a new thread if a day goes by and no one replies to help with your Sound issue.

Regards,

Tony
« Last Edit: September 02, 2012, 10:31:13 AM by Abraxas »