Virus or Trojan on archive.palemoon.org ?


therube
Board Warrior
Posts: 1188
Joined: 2018-06-08, 17:02

Re: Virus or Trojan on archive.palemoon.org ?

Post by therube » 2019-07-11, 00:09

Thank you (sha256) :-).

Moonraker
Board Warrior
Posts: 1261
Joined: 2015-09-30, 23:02
Location: uk.

Post by Moonraker » 2019-07-11, 08:12

https://www.ghacks.net/2019/07/11/pale- ... nt-4416928

Hornets have already started stinging in this thread sadly.
Xenial puppy linux 32-bit.
Tahrpup 6.0.5.32 bit.
Pale moon 28.8.1.

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6879
Joined: 2012-10-09, 19:37
Location: Sector 001

Post by New Tobin Paradigm » 2019-07-11, 10:25

Well there is nothing that can be done except make damn sure nothing like this happens again. I am not gonna read the comments though.

I am sure we will see it referenced for years to come on every piece of Pale Moon post on ghacks ever.
- NoScript allowed is not! Is extension forbidden! -
https://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

Night Wing
Knows the dark side
Posts: 4139
Joined: 2011-10-03, 10:19
Location: Texas, USA

Post by Night Wing » 2019-07-11, 11:14

I have never used the archive server. I've always used the main distribution channels. I also don't use the internal updater to go from an older version of Pale Moon to the newest version of Pale Moon. I always uninstall (in Windows 7) the previous version and then install the newest version. Takes me all of three minutes of time, but I prefer this method over the internal updater (in Windows 7).

In Windows 7, I'm always using the main distribution channel (in my case the Americas). I also put the previous and newest versions of Pale Moon on three thumb/flash drives, so in the event I have to go back to a previous version, I've got it. I use my thumb/flash drives for this instead of the archive server. And I've been using this method since the year 2011.

I do a slightly different method for linux Pale Moon since in my linux Mint (Xfce), my linux Pale Moon is never installed. I run linux Pale Moon from the executable file and I create the linux Pale Moon launcher icon. So in linux Pale Moon the previous version of the linux Pale Moon tarball is saved to those three thumb/flash drives as well.

Would this "hack" of the archive server make me quit using Pale Moon? The simple answer is "No". Speaking just for myself; Pale Moon is easy to customize and I prefer Pale Moon over Chrome, Firefox, Brave, Vivaldi and Opera when it comes to choosing a default browser.

And I will close by saying I'm not a power user in either Linux or Windows 7.
Linux Mint 19.3 (Tricia) Xfce 64 Bit with 64 Bit linux Pale Moon

Moonchild
Pale Moon guru
Posts: 26074
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Post by Moonchild » 2019-07-11, 12:04

I'm wearing my scale mail suit today and have made sure to seal all obvious hornet-sized openings.

Of course the fanbois are trying to make more of a stink out of it than it should be. And of course they will continue to reference it because oh noes, we're not perfect. Heck, the reason this happened to begin with is not even because we did anything wrong, but because an assumed-safe environment provided by a third party turned out not to be.

I'll draw an analogy for all the people who missed the details of the situation:
Compare it to living in an apartment building. You assume your apartment is safe because the door locks, and you always make sure to lock it and keep the key safely in your pocket. The building has a more secure entrance with a door that can't possibly be breached/picked open.
Now imagine having a break-in from either one of your fellow tenants because the lock on your apartment door is busted or crappy, or the landlord who just lets himself in with the master key. Whose fault would that be? Yours or the landlord's (in both cases)?
To continue the analogy: I've moved out of the building as a result, and will move to a building where I have known and trusted the landlord for many years.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

therube
Board Warrior
Posts: 1188
Joined: 2018-06-08, 17:02

Post by therube » 2019-07-11, 12:05

> Hornets have already started stinging in this thread sadly.
The article was very well written & balanced.

Likewise, I too will simply ignore the comments.

Isengrim
Board Warrior
Posts: 1074
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Post by Isengrim » 2019-07-11, 13:29

Moonchild wrote (2019-07-11, 12:04):
> Heck, the reason this happened to begin with is not even because we did anything wrong, but because an assumed-safe environment provided by a third party turned out not to be.

The only other thing I can think of is using a Windows server. ;) (Honestly though, plenty of people use Windows servers connected to the internet without a problem, so I doubt that the choice of OS was a factor here.)

Who was the previous VPS provider for the archive server?
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Moonchild
Pale Moon guru
Posts: 26074
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Post by Moonchild » 2019-07-11, 13:47

Isengrim wrote (2019-07-11, 13:29):
> Who was the previous VPS provider for the archive server?

I already stated that in my report: Frantech/BuyVM

Tharthan
Lunatic
Posts: 420
Joined: 2019-05-20, 20:07
Location: New England

Post by Tharthan » 2019-07-11, 18:05

@Moonchild:

So, in other words, sometimes your flat falls flat?

:D
"This is a war against individuality and intelligence. Only thing we can do is stand strong." -- adesh, 9 January 2020

coffeebreak
Moon Magic practitioner
Posts: 2118
Joined: 2015-09-26, 04:51
Location: U.S.

Post by coffeebreak » 2019-07-11, 21:15

Moonchild, thank you for providing the list of hashes, and thanks to therube for requesting them.

Would you consider adding a link to the list on pastebin to the Data breach post-mortem, under "How do I verify my downloaded files are clean?" - that's where people who don't already know the location of the list would most likely look for such information.

Update: It seems the link has been added. Thank you, Moonchild.

Herb_
Hobby Astronomer
Posts: 26
Joined: 2019-02-13, 07:05
Location: Opposite the brewery

Post by Herb_ » 2019-07-12, 06:47

Thinking about the infection date in 12.17 it came to my mind that I've downloaded 14 of the portable .exe's on the hash list end of March this year!
I've definitely worked with 7 of them within April several days.
I have win10 with active defender, there was never any occurrence nor with malwarebytes monthly scans since then.

All this leads me to think, the timestamp was manipulated as well and the infection was actually later than March this year.

Does all this make sense?
web 2.0, industry 3.0 - rubbish, Automobile 5.0 rocks - Mustang feif lidäähh, goil :mrgreen:

FranklinDM
Add-ons Team
Posts: 216
Joined: 2017-01-14, 02:40
Location: Manila, Philippines

Post by FranklinDM » 2019-07-12, 09:47

Herb_ wrote (2019-07-12, 06:47):
> All this leads me to think, the timestamp was manipulated as well and the infection was actually later than March this year.

I also have the same suspicion as yours. I downloaded a few older portables last year while preserving the modified time from the server:

Palemoon-Portable-20.0.1.exe, modified: 08/01/2015 11:08:50 AM, downloaded: 11/19/2018, 8:49:37 PM
Palemoon-Portable-26.5.0.win32.exe, modified: 09/28/2016 12:01:28 PM, downloaded: 09/05/2018 4:44:52 PM
Palemoon-Portable-27.5.0.win32.exe, modified: 09/30/2017 2:29:10 PM, downloaded: 08/26/2018 7:40:33 PM

The hashes provided match the ones I've got from these portables. My timestamps might be in (UTC+08:00).
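
The reasoning in the post above, as an added example that is not part of the original thread: a local copy whose SHA-256 matches the published list shows the server was still serving the clean file on the day it was downloaded, so download dates bound when the tampering happened, whatever the file timestamps say. It assumes the published list holds known-good hashes in sha256sum layout and that the files were replaced in a single event; all file names, contents and dates below are constructed.

```python
import hashlib
import tempfile
from datetime import datetime
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def parse_hash_list(text):
    # Assumed layout: "<64 hex digits>  <file name>" per line (sha256sum style).
    known = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            known[parts[1].strip().lstrip("*")] = parts[0].lower()
    return known

def infection_window(copies, known_good):
    """copies: (path, download_time) pairs -> (verdicts, not_before, not_after)."""
    verdicts, clean, bad = {}, [], []
    for path, downloaded in copies:
        name = Path(path).name
        if name not in known_good:
            verdicts[name] = "unlisted"   # no reference hash, proves nothing
        elif sha256_file(path) == known_good[name]:
            verdicts[name] = "clean"      # server copy still good at download time
            clean.append(downloaded)
        else:
            verdicts[name] = "MISMATCH"   # differs from the published hash
            bad.append(downloaded)
    # Latest clean download = tampering not before; earliest mismatch = not after.
    return verdicts, max(clean, default=None), min(bad, default=None)

def demo():
    # Constructed sample: names, contents and download dates are made up.
    good = {"a.exe": b"build A", "b.exe": b"build B", "c.exe": b"build C"}
    listing = "\n".join(f"{hashlib.sha256(v).hexdigest()}  {k}" for k, v in good.items())
    local = {**good, "c.exe": b"build C, altered", "d.exe": b"not on the list"}
    when = {"a.exe": datetime(2018, 8, 26), "b.exe": datetime(2018, 11, 19),
            "c.exe": datetime(2019, 5, 2), "d.exe": datetime(2019, 1, 1)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in local.items():
            Path(tmp, name).write_bytes(data)
        copies = [(Path(tmp, n), t) for n, t in when.items()]
        return infection_window(copies, parse_hash_list(listing))

if __name__ == "__main__":
    print(demo())
```

The file modification time is deliberately not an input: it is metadata that whoever altered the file could also set, while the download date of a hash-verified copy is evidence held by the downloader.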

Moonchild
Pale Moon guru
Posts: 26074
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Post by Moonchild » 2019-07-12, 10:47

Thanks for that. I'll update the report accordingly.

Isengrim
Board Warrior
Posts: 1074
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Post by Isengrim » 2019-07-12, 12:35

Wow, that's much better news than previously. Thanks for the update!

Edit: I commented about the update on the ghacks article about the hack. Hopefully it got submitted correctly and Martin updates the article. It probably won't shut up the comment hyenas, though.

John connor
Board Warrior
Posts: 1198
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Post by John connor » 2019-07-12, 14:12

This is exactly why I check all hashes if provided for a download and then scan it at Virus Total.

Should have rolled AWS S3. But it's your ship.
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

John connor
Board Warrior
Posts: 1198
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Post by John connor » 2019-07-12, 14:13

What are the chances the main update server that the built-in update facility in the browser itself gets infected next?

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6879
Joined: 2012-10-09, 19:37
Location: Sector 001

Post by New Tobin Paradigm » 2019-07-12, 14:25

Unless it is top down as in someone controlling the node or even higher as in the datacenter itself... None. They are secure Linux servers. This kind of thing that happened required a specific set of circumstances and events that shall not be allowed to happen again.

If there was a lesson to be learned, and I am not saying there is, rest assured it was learned very well.
Last edited by New Tobin Paradigm on 2019-07-12, 14:28, edited 2 times in total.

Moonchild
Pale Moon guru
Posts: 26074
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Post by Moonchild » 2019-07-12, 14:26

F22 Simpilot wrote (2019-07-12, 14:12):
> Should have rolled AWS S3. But it's your ship.

I'm pretty sure I already explained why not. Do you have some vested interest in Amazon getting money from us on a volume-based service that can be abused in other ways?

F22 Simpilot wrote (2019-07-12, 14:13):
> What are the chances the main update server that the built-in update facility in the browser itself gets infected next?

Pretty much zero.
Tell me though... are you now having trust issues with everything we do all of a sudden? Because it seems like you're blowing this way out of proportion.

Tharthan
Lunatic
Posts: 420
Joined: 2019-05-20, 20:07
Location: New England

Post by Tharthan » 2019-07-13, 00:20

F22 Simpilot wrote (2019-07-12, 14:12):
> Should have rolled AWS S3. But it's your ship.

Moonchild wrote (2019-07-12, 14:26):
> Do you have some vested interest in Amazon getting money from us on a volume-based service that can be abused in other ways?

Image ?
Not serious, of course.

mintoyatsu
Moongazer
Posts: 13
Joined: 2019-03-02, 08:44

Post by mintoyatsu » 2019-07-13, 00:43

A big thank you to everyone that has worked to get this resolved... I was not personally affected since I did not download old versions off the archive server, but a swift response nonetheless.
