Firefox Issue

Home » CentOS » Firefox Issue
CentOS 23 Comments

Everyone is back at work and starting to use computers on our smallest network which has Internet access through a rather old Linksys router.  Two systems were left on and screen-locked over the extra long weekend.  There does not appear to have been any Internet access interruption in our absence.

A Firefox browser on one system was left pointing to a commonly used web site: https://www.yahoo.com/.  This Yahoo web page was not displayed when the user unlocked the screen and brought up the browser from the task bar. 

Instead, a site located at the link https://gaibacoupontec.com was displayed with a message indicating that there was an urgent Firefox update required.  There was a button to download and to install the update.  I killed the Firefox browser rather than getting rid of it with the X in the upper right hand corner.

This event has the aroma of an unwanted cyber intrusion, which is why I killed the browser.  I have also copied and stored the full URL displayed in the browser, but have only included the first part “https://gaibacoupontec.com” here so as not to tempt anyone to risk access.

Is it possible that a new Firefox flaw has been detected and is being exploited for malicious purposes?

23 thoughts on - Firefox Issue

  • Have you checked the user’s Firefox profile for any unusual extensions? That would be my first suspicion.

  • Maybe is was an ad redirect. I get this a lot on my phone where people are putting malicious js in ads that redirects me to advertisements for rock hard erections whilst I’m reading articles. Its very noisome!

  • Firefox, like other web browsers, usually displays text in HTML mode. Seeing a “link” for https://gaibacoupontec.com does not guarantee the hidden ‘A HREF’ code is actually for that site.

    Yes. Alertness and improving security are continuous tasks.

    SQL injection attempts, made by suffixing usually very long strings of SQL coding to valid parameters such as domain.com/info.php?aaaa345, has been popular with the Russians for at least the last few years. The only method of preventing it compromising a site is to test the acceptable maximum length of the parameter (in this example ‘12345’) and if exceeded block the IP address in iptables.

    Cyber attacks are gradually replacing armed conflicts.

  • SQL Injection is a server side issue, not a browser issue.

    no, the proper method of preventing it is not checking the length of the parameter, rather, its ensuring you don’t construct SQL queries out of arbitrary URL input without proper parameter substitution techniques such as passing parameters by value rather than string substitution, or using the appropriate string escaping techniques for your database API..

  • James B. Byrne wrote:

    Yes, but… attacks on the friggin’ IoT could result in lots of blood. Or, less so, what do you mean all the rail lines have been knocked out of commission for a week, and we can’t get food to the eastern half of the country? Or power?

    mark

  • Agreed. One of my Apache defences is to redirect probes/hacks to
    127.0.0.1 :-)

    Another is to use sudo to block their IPs.

  • (1) For national infrastructures, a “parallel” Internet-type communications network, totally isolated from the real Internet.

    (2) Governments should educate their country’s computer people to recognise vulnerabilities and how to block them; too many self-declared
    “komputar xperts” haven’t a clue about robust security.

    Query: How did the Reds get into the Democrats computer systems ?
    Hope it wasn’t a Redhat/CentOS system but an ‘open Windoze’ set-up.

  • Thank you SO very much for this. I am still laughing at the irony after
    5 whole minutes. This made my entire Monday.

    John Pessimists just can’t win: the damned glass is half full of air.

    — Logos01, #rhel

  • primary attack was cracking a too easy password on Podesta’s webmail account, quite probably via phishing/human engineering. doesn’t matter what the OS is.

  • Would you be willing to share this rewrite rule with the list, please?
    Some may find it useful. Thank you.

    John

  • I’m redirecting some things to http://www.fbi.gov as well as 127.0.0.1 here, plus using mod_geoip, ipset, and the mother of all network level blacklists in ipset. One large list that cut the number of attacks was blocking ALL Amazon AWS services. That reduced attacks by at least half.

  • Clousflare would be another one worth mentioning. They are much nastier, BTW, IMHO:

    https://wordtothewise.com/2012/07/cloudflare-and-spamhaus/

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Always Learning wrote:
    Or, less so, what do you mean all the rail lines have been knocked out of commission for a week, and we can’t get food to the eastern half of the country? Or power?

    it wasn’t a Redhat/CentOS system but an ‘open Windoze’ set-up.

    In at least one of the several, it was a phishing attack. In another case, someone responded slowly to a query… and had a typo saying the *reverse*
    of what they meant to say.

    mark

  • (1) Hosting several web sites on a single IPv4 address.

    (2) Create Apache Virtual Hosts for each web site plus one extra.

    (3) Assuming the IP address is 1.2.3.4 and that IP address has a host name of dummy.domain.com *and* no web site is hosted with the name dummy.domain.com

    (4) The ‘extra’ Apache Virtual Host file contains ….


    DocumentRoot /prod/web/domains/dummy/
    ServerName 1.2.3.4
    CustomLog …………
    ErrorLog ………..
    HostnameLookups Off


    Header set Access-Control-Allow-Methods “GET”
    Order Deny,Allow
    Allow from all

    RedirectMatch permanent ^/(.*)$ http://127.0.0.1/

    (5) Any attempt to access:-

    * using the IP address as a web site host name, or

    * the host name of the IP address as a web site host name,

    is diverted to 127.0.0.1

  • Hello Paul,

    Why do you add dummy.domain.com:80 here as the match is done on the ServerName?

    Regards, Leonard.

  • Goeiemiddag Leonard,

    (5) IP addresses hosting multiple web sites will have a host name. That host name is unlikely to be the name of one of the hosted web sites. For example

    1.2.3.4
    4-3-2-1-static.friendly-ip.com

    Thus, if an attempt is made to connect to “a web site” with a domain name of “4-3-2-1-static.friendly-ip.com”, it will not be a genuine access attempt, by a genuine web user, to a genuine web site.

    It is likely an access attempt to a non-hosted web site name on 1.2.3.4
    will automatically be redirected by Apache to the 1.2.3.4 virtual domain. One could say the host name, 4-3-2-1-static.friendly-ip.com, is not absolutely required in the 1.2.3.4 virtual host file.

    Not knowing whether all access attempts to the IP host name will always be directed to the 1.2.3.4 virtual host file, I included the host name.

    (6) Another example is a Virtual Private Server (VPS) hosting multiple web sites and a mail server (Mail Transfer Agent = MTA) on a single IP
    address.

    The web sites could be:-

    sunshine-in-winter.com CentOS-is-wonderful.eu ilovelinux.uk ikhouvanmijbuurvrouw.nl etc.

    The mail server (MTA) could be:-

    mail3.example.com

    When someone attempts to access web site “mail3.example.com”, having that “web site name” in the Apache virtual host file, results in the request instantly being redirected to 127.0.0.1
    One can have several “web site names” in the virtual host file, in addition to the IP address.

    Similarly, if someone attempts to send emails to …..@mail3.example.com the mail server should reject it because that “domain name” is not a genuine email address domain name for the MTA.

    (7) I developed an Apache error processing system. It consists of several PHP routines. It does not work for status codes of 400 or 500 (I
    do not know why) but it does for 403 and 404.

    That system, shared by all hosted web sites, examines the requested web page name and compares it to two lists, one starting with /… and the other with keywords in any position. If a match is found, the IP address is placed in a monthly table (in IPtables) and blocked (sudo command in a PHP routine). This means after the first conspicuously wrong
    (deliberately wrong) attempt to access a non-existent web page, the IP
    address is instantly blocked.

    I’m a self-taught Linux user who chose CentOS years ago. I am glad I
    did. I am continually learning new things almost every day.

  • Though not being a professional cyber spy, still I don’t see how it’s possible at all to determine the source of the hack. Once someone’s machine succumbs to a phish, the attacker could install something like tor which would conceal all hacker traffic with the hacked machine.
    Indeed, a professional could, further, set up a chain or web of such compromised machines, each connected to the other via tor to further hide the hacker’s home… if that would even be necessary (?).

    Moreover, https://www.youtube.com/watch?v

  • Hi Paul,

    Heh :) . I was just thinking yesterday, “lekker ananas” :-) .

    After replying to your mail I realized that I’ve been using a fallback on my server for quite while now. Not a redirect to localhost, but a fallback page.

    The fact that all this stuff just works makes you forget the details. So I looked it up, and indeed, you do *not* need to specify the specific host name(s). I use a catch all virtual host


    ServerName 176.9.136.165

    which catches web access to a.o. mail.ottolander.nl and kelapa.ottolander.nl (coconuts not pineapples these days ;) ) without having to specify each domain name individually.

    Regards, Leonard.

  • We have several small networks, some of which have only four systems that are usually a mix of Windows 7 and CentOS 6 and CentOS 7 machines. All of these systems are Internet connected and updated regularly when yum finds packages available.  Information about one of the CentOS 6
    machines is included below.  This system experienced a Firefox issue.

    [user@computer]$ uname -a Linux computer 2.6.32-754.3.5.el6.x86_64 #1 SMP Tue Aug 14 20:46:41 UTC
    2018 x86_64 x86_64 x86_64 GNU/Linux
    [user@computer]$

    Several weeks ago, one of the Firefox updates did something unusual. It changed the browser-stored home page to https://www.CentOS.org/ from the original home page file:///usr/share/doc/HTML/index.html.  This original home page had been in place since 2014, and had survived all Firefox updates for a little over four years.

    Last week, someone left one browser running and the system went into power save mode.  To wake the system up we used the standard method of a quick push of the power button on the front of the Dell tower system. Although the system seemed to be running, the monitor and mouse never came to life.  We also could not SSH into the system from any other computer on the network.

    We decided to use a steady push on the power button to shut the system down.  After powering up again, the system seemed to run normally, but the browser home page was back to file:///usr/share/doc/HTML/index.html.

    Has anyone else experienced such an issue with Firefox recently?

  • I note each time there is a firefox yum update that the next time I
    start firefox from closed, that it brings up a tab with the CentOS
    homepage and another tab has my start page. The page on display (active tab) is the CentOS one …. next start is back to normal.