Virus or Trojan on archive.palemoon.org ?

About this bulletin board and the Pale Moon website

Moderators: FranklinDM, Lootyhoof

therube
Board Warrior
Posts: 1650
Joined: 2018-06-08, 17:02

Re: Virus or Trojan on archive.palemoon.org ?

Post by therube » 2019-07-11, 00:09

Thank you (sha256) :-).

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Virus or Trojan on archive.palemoon.org ?

Post by Moonraker » 2019-07-11, 08:12

https://www.ghacks.net/2019/07/11/pale- ... nt-4416928

Hornets have already started stinging in this thread sadly.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

New Tobin Paradigm

Re: Virus or Trojan on archive.palemoon.org ?

Post by New Tobin Paradigm » 2019-07-11, 10:25

Well there is nothing that can be done except make damn sure nothing like this happens again. I am not gonna read the comments though.

I am sure we will see it referenced for years to come on every piece of Pale Moon post on ghacks ever.

Night Wing
Knows the dark side
Posts: 5151
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Virus or Trojan on archive.palemoon.org ?

Post by Night Wing » 2019-07-11, 11:14

I have never used the archive server. I've always used the main distribution channels. I also don't use the internal updater to go from an older version of Pale Moon to the newest version of Pale Moon. I always uninstall (in Windows 7) the previous version and then install the newest version. Takes me all of three minutes of time, but I prefer this method over the internal updater (in Windows 7).

In Windows 7, I'm always using the main distribution channel and in my case the Americas, I also put the previous and newest versions of Pale Moon on three thumb/flash drives in the event I have to go back to a previous version, I've got it. I use my thumb/flash drives for this instead of the archive server. And I've been using this method since the year 2011.

I do a slightly different method for linux Pale Moon since in my linux Mint (Xfce), my linux Pale Moon is never installed. I run linux Pale Moon from the executable file and I create the linux Pale Moon launcher icon. So in linux Pale Moon the previous version of the linux Pale Moon tarball is saved to those three thumb/flash drives as well.

Would this "hack" of the archive server make me quit using Pale Moon? The simple answer is "No". Speaking just for myself; Pale Moon is easy to customize and I prefer Pale Moon over Chrome, Firefox, Brave, Vivaldi and Opera when it comes to choosing a default browser.

And I will close by saying I'm not a power user in either Linux or Windows 7.
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

Moonchild
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Virus or Trojan on archive.palemoon.org ?

Post by Moonchild » 2019-07-11, 12:04

I'm wearing my scale mail suit today and have made sure to seal all obvious hornet-sized openings.

Of course the fanbois are trying to make more of a stink out of it than it should be. And of course they will continue to reference it because oh noes, we're not perfect. Heck, the reason this happened to begin with is not even because we did anything wrong, but because an assumed-safe environment provided by a third party turned out not to be.

I'll draw an analogy for all the people who missed the details of the situation:
Compare it to living in an apartment building. You assume your apartment is safe because the door locks, and you always make sure to lock it and keep the key safely in your pocket. The building has a more secure entrance with a door that can't possibly be breached/picked open.
Now imagine having a break-in from either one of your fellow tenants because the lock on your apartment door is busted or crappy, or the landlord who just lets himself in with the master key. Whose fault would that be? Yours or the landlord's (in both cases)?
To continue the analogy: I've moved out of the building as a result, and will move to a building where I have known and trusted the landlord for many years.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

therube
Board Warrior
Posts: 1650
Joined: 2018-06-08, 17:02

Re: Virus or Trojan on archive.palemoon.org ?

Post by therube » 2019-07-11, 12:05

Hornets have already started stinging in this thread sadly.
The article was very well written & balanced.

Likewise, I too will simply ignore the comments.

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Virus or Trojan on archive.palemoon.org ?

Post by Isengrim » 2019-07-11, 13:29

Moonchild wrote:
2019-07-11, 12:04
Heck, the reason this happened to begin with is not even because we did anything wrong, but because an assumed-safe environment provided by a third party turned out not to be.
The only other thing I can think of is using a Windows server. ;) (Honestly though, plenty of people use Windows servers connected to the internet without a problem, so I doubt that the choice of OS was a factor here.)

Who was the previous VPS provider for the archive server?
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Moonchild
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Virus or Trojan on archive.palemoon.org ?

Post by Moonchild » 2019-07-11, 13:47

Isengrim wrote:
2019-07-11, 13:29
Who was the previous VPS provider for the archive server?
I already stated that in my report: Frantech/BuyVM

Tharthan
Board Warrior
Posts: 1409
Joined: 2019-05-20, 20:07
Location: New England

Re: Virus or Trojan on archive.palemoon.org ?

Post by Tharthan » 2019-07-11, 18:05

@Moonchild:

So, in other words, sometimes your flat falls flat?

:D
"This is a war against individuality and intelligence. Only thing we can do is stand strong." adesh, 9 January 2020

"I used to think I was a grumpy old man, but I don't hold a candle compared to Tharthan." Cassette, 9 September 2020

coffeebreak
Moon Magic practitioner
Posts: 2986
Joined: 2015-09-26, 04:51
Location: U.S.

Re: Virus or Trojan on archive.palemoon.org ?

Post by coffeebreak » 2019-07-11, 21:15

Moonchild, thank you for providing the list of hashes, and thanks to therube for requesting them.

Would you consider adding a link to the list on pastebin to the Data breach post-mortem, under "How do I verify my downloaded files are clean?" - that's where people who don't already know the location of the list would most likely look for such information.

Update: It seems the link has been added. Thank you, Moonchild.

Herb_

Re: Virus or Trojan on archive.palemoon.org ?

Post by Herb_ » 2019-07-12, 06:47

Thinking about the infection date in 12.17 it came to my mind that I've downloaded 14 of the portable .exe's on the hash list end of March this year!
I've definitely worked with 7 of them within April several days.
I have win10 with active defender, there was never any occurrence nor with malwarebytes monthly scans since then.

All this leads me to think, the timestamp was manipulated as well and the infection was actually later than March this year.

Does all this make sense?

FranklinDM
Add-ons Team
Posts: 575
Joined: 2017-01-14, 02:40
Location: Philippines

Re: Virus or Trojan on archive.palemoon.org ?

Post by FranklinDM » 2019-07-12, 09:47

Herb_ wrote:
2019-07-12, 06:47
All this leads me to think, the timestamp was manipulated as well and the infection was actually later than March this year.
I also have the same suspicion as yours. I downloaded a few older portables last year while preserving the modified time from the server:

Palemoon-Portable-20.0.1.exe, modified: 08/01/2015 11:08:50 AM, downloaded: 11/19/2018, 8:49:37 PM
Palemoon-Portable-26.5.0.win32.exe, modified: 09/28/2016 12:01:28 PM, downloaded: 09/05/2018 4:44:52 PM
Palemoon-Portable-27.5.0.win32.exe, modified: 09/30/2017 2:29:10 PM, downloaded: 08/26/2018 7:40:33 PM
The hashes provided match the ones I've got from these portables. My timestamps might be in (UTC+08:00).
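
An added example, not part of the post above or of any Pale Moon tooling: the check discussed in this thread, comparing local downloads against a published SHA-256 list while treating each file's modified time as informational only, since it can be set to any value. The `<hex>  <filename>` list format, the sample file names and their contents are constructed assumptions.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_hash_list(text):
    """Parse '<sha256-hex>  <filename>' lines (assumed list format)."""
    known = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            known[parts[1].strip().lower()] = parts[0].lower()
    return known

def verify_dir(directory, known):
    """Map each file to (status, mtime); status is OK, MISMATCH or UNLISTED."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        expected = known.get(name.lower())
        if expected is None:
            status = "UNLISTED"
        else:
            status = "OK" if sha256_file(path) == expected else "MISMATCH"
        mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
        results[name] = (status, mtime.isoformat(timespec="seconds"))
    return results

def demo():
    """Constructed sample: sample-b.exe is altered but keeps its old mtime."""
    old = datetime(2017, 9, 30, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as d:
        listing = []
        for name, data in (("sample-a.exe", b"clean A"), ("sample-b.exe", b"clean B")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            listing.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
        with open(os.path.join(d, "sample-b.exe"), "ab") as f:
            f.write(b"appended bytes")  # content changes after the list was made
        for name in os.listdir(d):
            os.utime(os.path.join(d, name), (old, old))  # mtime says nothing changed
        return verify_dir(d, parse_hash_list("\n".join(listing)))
```

Both sample files report the same 2017 modified time, yet only the hash comparison separates the altered file from the clean one.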

Moonchild
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Virus or Trojan on archive.palemoon.org ?

Post by Moonchild » 2019-07-12, 10:47

Thanks for that. I'll update the report accordingly.

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Virus or Trojan on archive.palemoon.org ?

Post by Isengrim » 2019-07-12, 12:35

Wow, that's much better news than previously. Thanks for the update!

Edit: I commented about the update on the ghacks article about the hack. Hopefully it got submitted correctly and Martin updates the article. It probably won't shut up the comment hyenas, though.

John connor

Re: Virus or Trojan on archive.palemoon.org ?

Post by John connor » 2019-07-12, 14:12

This is exactly why I check all hashes if provided for a download and then scan it at Virus Total.

Should have rolled AWS S3. But it's your ship.

John connor

Re: Virus or Trojan on archive.palemoon.org ?

Post by John connor » 2019-07-12, 14:13

What are the chances the main update server that the built-in update facility in the browser itself gets infected next?

New Tobin Paradigm

Re: Virus or Trojan on archive.palemoon.org ?

Post by New Tobin Paradigm » 2019-07-12, 14:25

Unless it is top down as in someone controlling the node or even higher as in the datacenter itself... None. They are secure Linux servers. This kind of thing that happened required a specific set of circumstances and events that shall not be allowed to happen again.

If there was a lesson to be learned, and I am not saying there is, rest assured it was learned very well.
Last edited by New Tobin Paradigm on 2019-07-12, 14:28, edited 2 times in total.

Moonchild
Pale Moon guru
Posts: 35475
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Virus or Trojan on archive.palemoon.org ?

Post by Moonchild » 2019-07-12, 14:26

F22 Simpilot wrote:
2019-07-12, 14:12
Should have rolled AWS S3. But it's your ship.
I'm pretty sure I already explained why not. Do you have some vested interest in Amazon getting money from us on a volume-based service that can be abused in other ways?
F22 Simpilot wrote:
2019-07-12, 14:13
What are the chances the main update server that the built-in update facility in the browser itself gets infected next?
Pretty much zero.
Tell me though... are you now having trust issues with everything we do all of a sudden? Because it seems like you're blowing this way out of proportion.

Tharthan
Board Warrior
Posts: 1409
Joined: 2019-05-20, 20:07
Location: New England

Re: Virus or Trojan on archive.palemoon.org ?

Post by Tharthan » 2019-07-13, 00:20

F22 Simpilot wrote:
2019-07-12, 14:12
Should have rolled AWS S3. But it's your ship.
Moonchild wrote:
2019-07-12, 14:26
Do you have some vested interest in Amazon getting money from us on a volume-based service that can be abused in other ways?
Image ?
Not serious, of course.

mintoyatsu
Hobby Astronomer
Posts: 25
Joined: 2019-03-02, 08:44

Re: Virus or Trojan on archive.palemoon.org ?

Post by mintoyatsu » 2019-07-13, 00:43

A big thank you to everyone that has worked to get this resolved... I was not personally affected since I did not download old versions off the archive server, but a swift response nonetheless.

Locked