Bullies get into FireFox, and make a mess in F-14, way too easily, forcing me to DBAN the hd & reinstall...

Rick Sewill rsewill at gmail.com
Mon Nov 21 00:11:46 UTC 2011


On Sunday, November 20, 2011 04:11:32 PM Linda McLeod wrote:
> The bullies who have been targeting my PC with computer problems have
> got into FireFox yet again, changing things..
> 

Questions, please.

Are you running Firefox as root or as a normal user?

Have you disabled SeLinux?

Do your accounts, both root and your normal account,
have strong passwords?  Could the bullies know your passwords?

Do these bullies have physical access to your PC?
If the bullies have physical access, the only way I can think of to protect stuff
is to encrypt everything.  I would prefer others describe how to do this.
I've never encrypted my hard disk.

If these bullies do not have physical access, 
are they coming in through the Internet?
If yes, this leads to a bunch of questions.

Do you have a firewall device or NAT router or something offering you
some protection between your PC and the Internet?
Have you made changes to your PC's firewall?

How are the bullies coming in if they are coming in over the Internet?
It's possible, if the bullies are not smart, you could look at log messages.
Someone who's done this before: would she look in /var/log/secure?

If a bully were coming in to my PC, over the Internet, 
I would first suspect they were using ssh.

I dislike the default ssh server configuration on Fedora.
I believe the default is to allow incoming ssh connections,
to normal user accounts, using password authentication.
The default iptables configuration for ssh is allow connections from anywhere.
The first things I do on a new system are disable password authentication,
only allow certain users ssh access,
and restrict incoming ssh connections to a trusted subset of my local LAN.
I wish the default Fedora configuration, at the very least,
limited ssh connections to the local LAN.
I wish the ssh server had an option to test passwords for strength,
and reject incoming connections to accounts with weak passwords.

Other ways they could come in over the Internet include things like VPN
or VNC.  If you don't know what VPN or VNC is, you haven't enabled it.
If you are running a VNC server, are those passwords strong and secure?

Have you installed any software or plugins that are letting the bullies in?
Were you asked for the root password, by some program, unexpectedly?

If I believe a bully has gotten into my system and compromised it,
I would strongly recommend reloading my system from a backup I trust.
This backup needs to be one I believe was before the bullies first got in.
Otherwise, there are Linux rootkits designed to hide how bullies got in,
what they are doing, and prevent you from keeping them out.

To be perfectly honest, and not knowing any facts,
I would first suspect you have a weak password they brute force guessed,
and they are coming in through ssh.  Unfortunately, once in, they could
cause havoc in your user account, and if they got into your root account,
there is no telling how much harm they did.
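An added example, not part of Rick's reply or of Fedora's own tooling: a small audit script that reads an sshd_config and reports the permissive settings the reply describes (password logins allowed, root login allowed, no allow-list of users). The sample configs and the user name "linda" are constructed; restricting ssh to the local LAN is done in iptables, not sshd_config, so the script does not check it.

```python
import re

# Constructed sample resembling the shipped defaults the reply describes:
# the permissive directives are commented out, so OpenSSH's built-in defaults apply.
DEFAULT_LIKE = """\
# sshd_config as shipped (constructed sample)
#PasswordAuthentication yes
#PermitRootLogin yes
ChallengeResponseAuthentication no
"""

# Constructed sample of the hardened settings the reply recommends.
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers linda
"""

# OpenSSH built-in defaults (2011-era) for the directives we care about; all permissive.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "yes",
            "challengeresponseauthentication": "yes"}

def parse_sshd_config(text):
    """Map lowercase keyword -> value. sshd honours the FIRST occurrence of a keyword,
    and everything after a Match line is conditional, so parsing stops there."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return findings as (directive, effective value, advice) tuples."""
    conf = parse_sshd_config(text)
    get = lambda k: conf.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication", get("passwordauthentication"), "set to no; use keys"))
    if get("challengeresponseauthentication") != "no":  # PAM can still prompt for a password
        findings.append(("ChallengeResponseAuthentication", get("challengeresponseauthentication"), "set to no"))
    if get("permitrootlogin") not in ("no", "without-password", "prohibit-password"):
        findings.append(("PermitRootLogin", get("permitrootlogin"), "set to no"))
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append(("AllowUsers", "(unset)", "list only the accounts that need ssh"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```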

