Virus or Trojan on archive.palemoon.org ?

About this bulletin board and the Pale Moon website


Tharthan
Board Warrior
Posts: 1409
Joined: 2019-05-20, 20:07
Location: New England

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Tharthan » 2019-07-13, 04:18

Moonchild wrote:
2019-07-12, 10:47
Thanks for that. I'll update the report accordingly.
In your report you said:

"Estimate now is somewhere between April and June 2019."

Might it have occurred roughly around 26 May 2019? You did say that "another incident" occurred at that time.

Furthermore (and this may be nothing) but note that it is the "27th" of December that the forged date uses. Could they not have thought "Oh, let's make this look older. Well, if we had '26/27 May 2017', that would seem a bit too odd, so let's change the month to a later month", or something like that?

Does *archive.org* have backups that might be able to confirm this, I wonder? Or do you use a robots.txt?
"This is a war against individuality and intelligence. Only thing we can do is stand strong." -- adesh, 9 January 2020

"I used to think I was a grumpy old man, but I don't hold a candle compared to Tharthan." -- Cassette, 9 September 2020

Tohuwabohuix

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Tohuwabohuix » 2019-07-13, 05:20

Were Pale Moon unstable releases ("blood moon" branded) ever archived on archive.palemoon.org ?

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-13, 10:53

Tharthan wrote:
2019-07-13, 04:18
Might it have occurred roughly around 26 May 2019?
No.. that is likely when they doubled down and destroyed the server to cover their tracks from an -earlier- point of infection.

The date was likely forged by way of changing the system date before infecting files to make investigation harder/throw us off (it worked, at least for a while).
Tharthan wrote:
2019-07-13, 04:18
Does *archive.org* have backups that might be able to confirm this, I wonder?
Unknown if archive.org has anything aside from what was manually uploaded.
It's likely it wasn't routinely archived, also because access was via FTP not HTTP previously.
Scrapers are being blocked in the HTTP setup, though.
Sartorix wrote:
2019-07-13, 05:20
Were Pale Moon unstable releases ("blood moon" branded) ever archived on archive.palemoon.org ?
No. Unstable is a rolling release from development tip. Nothing is archived or even retained for that matter from the unstable channel.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

plushkava
Apollo supporter
Posts: 46
Joined: 2015-07-31, 04:53
Location: Clown World

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by plushkava » 2019-07-13, 16:40

Moonchild wrote:
2019-07-10, 23:45
I looked at hashmyfiles and it refused to traverse subdirectories, and the output was MUCH too verbose to be useful.
While this tip comes rather too late, busybox-w32 is good for this and happens to be distributed with a GPG signature. Download, launch "busybox.exe sh", cd into the relevant directory, then run:


find -type f -exec sha256sum {} + > "$HOME/checksums.txt"
It works because its find builtin implements -exec in such a way that it is able to call any of its (very useful) builtins, including sha256sum. EDIT: It also has an sha3sum builtin.
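As an added example (not code from this thread or from the Pale Moon project), the one-liner above extended into a baseline-and-verify workflow, which also bears on Moonchild's point about forged file dates: every file's content hash and mtime are recorded, and on re-check a file whose content differs but whose mtime still matches the baseline is flagged separately, because an mtime is trivially set by the attacker (touch, or simply winding the system clock back before writing) and only the hash is ground truth. It assumes GNU coreutils (sha256sum, stat -c %Y, touch -d; busybox provides the same applets); the archive layout, file names and the 2017-12-27 timestamp are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils / busybox:
# sha256sum, stat -c %Y, touch -d, find, sort, cut, grep.
set -eu

# Manifest line format: <sha256> <mtime-epoch> <path relative to root>
build_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mt=$(stat -c %Y "$f")
        printf '%s %s %s\n' "$sum" "$mt" "$f"
    done ) > "$out"
}

# Re-hash the tree and print one finding per line:
#   MISSING <path>                file in baseline, gone now
#   MODIFIED <path>               content changed, mtime moved (ordinary edit)
#   MODIFIED+TIMESTOMPED <path>   content changed but mtime equals the baseline
#   NEW <path>                    file not present in the baseline
# Returns 1 if anything was found, 0 if the tree matches the baseline.
verify_manifest() {
    dir=$1; manifest=$2; findings=0
    while IFS= read -r line; do
        sum=${line%% *}; rest=${line#* }
        mt=${rest%% *};  f=${rest#* }
        if [ ! -f "$dir/$f" ]; then
            printf 'MISSING %s\n' "$f"; findings=1; continue
        fi
        cur=$(sha256sum "$dir/$f" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            if [ "$(stat -c %Y "$dir/$f")" = "$mt" ]; then
                printf 'MODIFIED+TIMESTOMPED %s\n' "$f"
            else
                printf 'MODIFIED %s\n' "$f"
            fi
            findings=1
        fi
    done < "$manifest"
    # Anything on disk whose path is not in the manifest's third field onward.
    new=$( ( cd "$dir" && find . -type f -print | LC_ALL=C sort ) | while IFS= read -r f; do
        cut -d' ' -f3- "$manifest" | grep -qxF -- "$f" || printf 'NEW %s\n' "$f"
    done )
    if [ -n "$new" ]; then printf '%s\n' "$new"; findings=1; fi
    return $findings
}

# Constructed demo: a tiny fake archive, baselined with the thread's infamous
# 2017-12-27 date, then tampered with in four distinct ways.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/archive/Pale-Moon/28.0"
    printf 'installer bytes v1\n' > "$work/archive/Pale-Moon/28.0/setup.exe"
    printf 'portable bytes v1\n'  > "$work/archive/Pale-Moon/28.0/portable.7z"
    printf 'readme\n'             > "$work/archive/README.txt"
    find "$work/archive" -type f -exec touch -d '2017-12-27 12:00:00' {} +
    build_manifest "$work/archive" "$work/baseline.txt"

    # 1) trojanise setup.exe and put its old mtime back (timestomping)
    printf 'installer bytes TROJANIZED\n' > "$work/archive/Pale-Moon/28.0/setup.exe"
    touch -d '2017-12-27 12:00:00' "$work/archive/Pale-Moon/28.0/setup.exe"
    # 2) ordinary update of portable.7z (mtime moves to now)
    printf 'portable bytes v2\n' > "$work/archive/Pale-Moon/28.0/portable.7z"
    # 3) a dropped file that was never in the baseline, 4) a deleted file
    printf 'dropper\n' > "$work/archive/Pale-Moon/28.0/update.exe"
    rm "$work/archive/README.txt"

    verify_manifest "$work/archive" "$work/baseline.txt" || true
    rm -rf "$work"
}

case "${1-}" in demo) run_demo ;; esac
```

Run as `sh verify.sh demo` to see the four findings; in practice build the manifest once from a trusted copy (or from the "protected local storage" mentioned later in the thread), keep it and its signature off the server, and verify against it after any incident. A hit in the TIMESTOMPED category is the signal Moonchild describes: content that does not match the baseline while the dates claim nothing happened.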

rnduser

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by rnduser » 2019-07-20, 07:16

Long time palemoon user here. I've just stumbled onto this. The incident itself isn't that bad. Shit happens, we all know it. But the handling? Oh my... Blaming the provider (a very respected and knowledgeable one btw), really??? Just apologize and find someone with experience in server administration, OK? This is as unprofessional and childish as it gets.

Oh, you can censor this all you want. It's obvious to anyone with the slightest bit of a clue. You might want to check https://www.lowendtalk.com/discussion/1 ... the-breach There is even a reply by the provider in question (hint: he doesn't care because he knows everyone is laughing).

:thumbdown:

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by Moonchild » 2019-07-20, 11:14

Normally I would not approve this kind of borderline flaming post, but seriously, this was handled as well as it could be.

I do apologize for this happening. It should never have happened. Everyone is absolutely right about that and clearly everything has been done to make absolutely sure it doesn't happen again (including moving to a different provider).
Providing full transparency despite the bad situation is also what would be expected from professionals, and that is what I did. What is childish is the blown-out-of-proportion responses, as if I was some bumbling fool that shouldn't be let near a server (including your response here).

I -do- blame the provider for the reasons I already outlined. Perhaps I was too complacent in trusting the environment to the level I did, which would be my fault in retrospect, but that doesn't make my administration of the server poor per se. There's only so much you can be paranoid about in your administration. The point is, I assume that if I pay for a virtual server, that that virtual server is properly secured and separated as an environment at the node side, which doesn't seem to have been the case. And yes, they clearly don't care, because they provide insecure services for some of the operating systems they offer, and I'm no longer a customer of theirs so there is no reason to try and retain my patronage. For all I know it was targeted sabotage by the provider itself which honestly can't be avoided by any security setup you may have. I do give them the benefit of the doubt and won't go that far, though, and just assume it has been insufficient VPS separation at the node level, abused by one of their other clients. If there was any doubt about the setup not being remotely secure, I would have owned up to it, but I know for a fact that it was -- all reasonable steps were taken to prevent unauthorized desktop/session access to the Windows server, including a specific IDS for all services running on it that would grant remote access.
I'm a long-time system administrator and have done work in the past on both Windows and Linux for high-sec companies (including e.g. the company providing server setups for the Dutch Digital ID (DigID) government service), so I damn well know how to do system administration.

rnduser

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by rnduser » 2019-07-20, 12:56

Moonchild wrote:
2019-07-20, 11:14
What is childish is the blown out of proportion responses as if I was some bumbling fool that shouldn't be let near a server (including your response here).
Well, I admit some people might be a bit harsh, but you have to understand the part that gets you the backlash is where you blame the provider. It's a huge accusation backed with pretty much nothing. Do you really think you can 100% rule out external intrusion? That kind of overconfidence and blame shifting sets off red flags all over the place and causes people to question your abilities.
Moonchild wrote:
2019-07-20, 11:14
Perhaps I was too complacent in trusting the environment to the level I did, which would be my fault in retrospect, but that doesn't make my administration of the server poor per se. There's only so much you can be paranoid about in your administration.
I disagree. You can and should be paranoid about EVERYTHING. If everything is too much to keep track of, chances are you have too large an attack surface and you should minimize it. Sure, oversights happen. Zero days happen. Even negligence happens. Been there, done that. Believe me, just taking responsibility would have made you look so much better.
Moonchild wrote:
2019-07-20, 11:14
The point is, I assume that if I pay for a virtual server, that that virtual server is properly secured
Unless you buy managed services securing the VPS is your responsibility. Always been like that and always will be.
Moonchild wrote:
2019-07-20, 11:14
and separated as an environment at the node side, which doesn't seem to have been the case.
And this is where it gets really interesting. How do you come to that conclusion? Given we are talking about a virtualized instance of windows here full virtualization and thereby separation can be assumed by default. Are you pointing towards internal networking? I am genuinely curious. Please clarify.
Moonchild wrote:
2019-07-20, 11:14
And yes, they clearly don't care, because they provide insecure services for some of the operating systems they offer
Care to give some examples? As is, that says pretty much nothing at all, as "insecure" is a pretty broad term. Again, I am genuinely curious what you mean.
Moonchild wrote:
2019-07-20, 11:14
For all I know it was targeted sabotage by the provider itself which honestly can't be avoided by any security setup you may have.
Sure they could do that, but for what reason? Is there anything to gain for them? No. A reputation to lose? Yes. You are not talking about some kiddy bedroom hoster here, mind you.
Moonchild wrote:
2019-07-20, 11:14
If there was any doubt about the setup not being remotely secure, I would have owned up to it, but I know for a fact that it was -- all reasonable steps were taken to prevent unauthorized desktop/session access to the Windows server, including a specific IDS for all services running on it that would grant remote access.
Jeez... Reasonably secure? Sure, why not. Unbreakable? Give me a break. You can't be serious. It's such statements that make people doubt your abilities.


TL;DR: Please add some technical details to your claims so it's possible to evaluate how you came to these conclusions. Who knows, maybe you have a point but as is it sounds like hot air, sorry.

Btw, what's the reasoning for using windows on a file server?

New Tobin Paradigm

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by New Tobin Paradigm » 2019-07-20, 13:00

The facts are the server was compromised and then destroyed and the recent backup was infected. We will likely never know exactly what happened with 100% certainty.

What we do know for sure is the window was NOT the two years initially thought, which was frankly a ridiculous notion from the start. Also, that the environment in which whatever happened.. happened no longer exists. The archive server is on a different host that does have long-standing trust, including mine, and is a secured nginx-served CentOS 7 VM with all files manually verified from older copies from protected local storage. Not the backup from the old server as was initially used.

In any case, whatever actually happened, who is at fault, no matter what the truth is.. at this point the incident will be used for political/market gain, cover-your-ass liability disclaimers, and of course as ammo by whomever talks about it for years to come. So it no longer matters. Not in any tangible sense anyway.

So let's move forward knowing:
New Tobin Paradigm wrote:
2019-07-12, 14:25
If there was a lesson to be learned, and I am not saying there is, rest assured it was learned very well.

rnduser

Re: Virus or Trojan on archive.palemoon.org ?

Unread post by rnduser » 2019-07-20, 13:41

New Tobin Paradigm wrote:
2019-07-20, 13:00
We will likely never know exactly what happened with 100% certainty.
Now that's something i can fully agree with.
New Tobin Paradigm wrote:
2019-07-20, 13:00
What we do know for sure is the window was only a week or two at most and NOT the two years initially thought, which was frankly a ridiculous notion from the start.
Yeah, the small window lessens the severity a lot. I don't think it would have been ridiculous though. Might have been a hole that had been patched ages ago but was open long enough to install some rootkit. I've seen so much crap over the years I'll never be able to 100% trust any server again, even if everything looks perfectly fine. Damn, I've sometimes stared at packet dumps for unhealthy periods of time just because there was some tiny hiccup and the paranoia said "look for C&C traffic!". :lol:
New Tobin Paradigm wrote:
2019-07-20, 13:00
In any case, whatever actually happened, no matter what the truth is.. at this point the incident will be used for political gain and ammo by whomever talks about it. It doesn't actually matter anymore.
Well, whatever happened won't stop me from using Pale Moon. I am already semi-relieved that I was at least able to post my "uncomfortable" questions, and I am sure other people will see it the same way. Whether there will be satisfactory answers is another question, but maybe you are right and it doesn't really matter anymore.
New Tobin Paradigm wrote:
2019-07-12, 14:25
If there was a lesson to be learned, and I am not saying there is, rest assured it was learned very well.
As long as part of the lesson is that bold claims not backed by technical evidence aren't the brightest idea, I guess I can live with that ;)
