
    Linux security

    Hello all. I have been running a few different Linux distros for the last couple years.

    Currently running puppy on a file server and PCLinux2009 on a laptop. I would like to run Kubuntu on another machine but I am having boot issues which I am doing research on.

    Now for my real issue. My ISP is Comcast and they give me some space to host personal web pages. Recently my space was hijacked and anyone that tried to go to my page was redirected to a malware site. I called and spoke to them about the issue and they got it resolved. In a conversation with the tech he asked if I had antivirus software on my machine. I told him that I was running Linux and that I thought I should be virus free. He claimed that he speaks to a lot of people running a Linux OS and that they have found viruses on their machines.

    Is he legit? I never run as a root user so I don't know how I could be affected.

    #2
    Re: Linux security

    He is likely ill-informed and knows nothing about Linux.
    Using Kubuntu Linux since March 23, 2007
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      Re: Linux security

      I'll be more blunt: He's blowing smoke thinking that Linux is just as insecure as Windows.

      Since Linux email clients don't respond to attachments the way ActiveX does, the only way YOUR box could have been infected is if you saved the attachment, added the execute permission to it, then ran it in a Konsole. In other words, social engineering. But, manually attacking your box, where you were probably creating your web page, and adding some script to your html pages in the hope that you wouldn't notice before you posted them is the hard way of doing things.


      Hackers rarely hack into personal PCs running Linux and usually don't manually hack into Windows PCs any more because the risks are too high and the rewards are too small. Most hackers these days aren't script kiddies wanting to deface a web page for prestige points, they are professional thieves after monetary gain. The hacker didn't hack your PC, he hacked the server that Comcast is hosting your web page on. Comcast runs F5 Big IP, Solaris, Win2003, unknown, and Linux servers.

      He could have hacked your index.html page and added a javascript that automatically redirected to his IP address, but that is a high effort low return approach. It would make more sense for him to poison the Comcast DNS server(s) and replace the IP part of a LOT of domain name:IP address pairs with his IP address. Once your visitor landed on his page they would encounter his more elaborate scripted infection techniques. Even then, they usually only affect Windows boxes, again because of the vulnerability of ActiveX controls.

      Post the URL of your web page and I'll check to see what kind of server Comcast is running it on.


      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.



        #4
        Re: Linux security

        Thanks for the input guys, it makes me feel a little better.

        The email client that I use is the web based client that Comcast provides so I don't think there is anything getting through that way.

        The url is http://home.comcast.net/~fun2shoot/

        When this first started, I figured out that my index.html file was hacked. There was scripting that was added to the file. I deleted the scripting and changed the password which made the problem go away for about a week. I pulled all my files but at that point accessing the above url would redirect for some reason. That is when I got Comcast involved.

        During this whole ordeal I was doing some research online and came across an article discussing Comcast and that they had some DNS vulnerabilities. I am not well versed in this area but I assume that is where the hacking took place.



          #5
          Re: Linux security

          The fact that he claimed to have talked to a "lot" of people running linux proves he's a liar. Most linux users I know either don't waste their time with first level support or don't bother to mention they run linux when having a problem.

          I had a problem with earthlink once (turned out to be their hardware) and the support-idiot actually told me I had to install windows before they could help me. Needless to say - there were some choice words used in the next few minutes that eventually got me to someone who wasn't reading from a script.

          I find some well pointed questions when someone makes a comment like that can be fun like;

          "Really? How many Concast (misspelling intended) users run linux?"
          "What viruses are they being affected by?"

          The following back-pedaling and sputtering can be hilarious...




            #6
            Re: Linux security

            If you can account for the following Javascript code in "My Website - Default Page.html":
            </script><script language="JavaScript" type="text/javascript" src="My%20Web%20Site%20-%20Default%20Page_files/s_code.js">//</script>
            and near the end of the source listing:
            var s_code=s.t();if(s_code)document.write(s_code)
            then I see no source of infection on your default web page.

            In the last 90 days you've had only 4 redirects and, according to this your site does not contain any malware.

            Also, the location of the site to which your visitors were redirected is in Turkey. (93.186.127.0)

            A report of your website by Netcraft is here.

            Your name server is dns101.comcast.net
            Your IP address is 216.87.188.9 (if it is static)
            You are being hosted on a Linux server running Apache, which is why I suspect that your dns listing was poisoned. Because of 4 reports your site is now being blocked by Google protection services. The Google page I referenced above gives a contact point to get your site delisted. (IF you ARE the writer of that piece of Java code, s_code.js, which is on your server and inaccessible - I won't hack a server, that is illegal).

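An added example, not from the thread or from any poster, of the check GreyGeek describes in #6: enumerate every script in a saved copy of the page and flag anything the owner cannot account for against a baseline. The s_code.js include and the inline s_code snippet are the ones quoted above; the injected inline redirect and its host are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample page: the two scripts quoted in the thread plus one injected
# inline redirect with a placeholder host (not a real indicator).
SAMPLE_HTML = """<html><head><title>My Web Site - Default Page</title>
</script><script language="JavaScript" type="text/javascript" src="My%20Web%20Site%20-%20Default%20Page_files/s_code.js">//</script>
</head><body><p>Hello</p><script>var s_code=s.t();if(s_code)document.write(s_code)</script>
<script>window.location="http://EXAMPLE-INJECTED.invalid/";</script>
</body></html>"""

# Baseline the owner can account for: known external src values and the SHA-256
# of each known inline script body (whitespace-stripped).
KNOWN_SRC = {"My%20Web%20Site%20-%20Default%20Page_files/s_code.js"}
KNOWN_INLINE_SHA256 = {
    hashlib.sha256(b"var s_code=s.t();if(s_code)document.write(s_code)").hexdigest()
}

class ScriptCollector(HTMLParser):
    # Collects every <script> as ("src", url) or ("inline", body).
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        # The guard also skips a stray </script> like the one in the quoted listing.
        if tag.lower() == "script" and self._in_script:
            # Browsers ignore the inline body when src is present, so record only src.
            self.scripts.append(("src", self._src) if self._src
                                else ("inline", "".join(self._buf).strip()))
            self._in_script = False

def unexpected_scripts(html, known_src=KNOWN_SRC, known_inline=KNOWN_INLINE_SHA256):
    # Returns the scripts the baseline does not account for, as (kind, value, sha256).
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for kind, value in collector.scripts:
        if kind == "src" and value not in known_src:
            findings.append(("src", value, None))
        elif kind == "inline" and value:
            digest = hashlib.sha256(value.encode()).hexdigest()
            if digest not in known_inline:
                findings.append(("inline", value, digest))
    return findings
```

Run it against a copy of the page pulled from the host, not a local copy, since the injected content in this thread lived only on the server.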


              #7
              Re: Linux security

              My answer to the general question (as usual, I could be wrong).

              Linux is much safer than windoze:

              (1) There's substantially less interest in hacking Linux because there are so many more machines running windoze, and windoze is easy to hack because M$ does not fix known vulnerabilities in a timely manner and (even if they did) many windoze lusers don't update their software even when updates are available.

              (2) On the other hand, Linux vulnerabilities are publicised as quickly as possible after they are found and are fixed as rapidly thereafter as possible, because:
              (a) The software authors (including corporations like IBM and Sun) gain credit with their customers by repairing vulnerabilities (M$ would lose credit if normal users realized how sloppy some windoze code is).
              (b) Many of the unpaid, non-commercial software developers take pride in their code and want to make it as secure as possible.
              (c) Competition between Linux distributions includes prompt distribution of updates repairing known vulnerabilities (this is not a factor that M$ needs to consider).
              (d) It is substantially easier to find Linux vulnerabilities because the source code is easily available.

              Honesty compels me to add that I used to know some (now retired) developers of code for windoze who took pride in their work and wrote code that was as tight and well-tested as humanly possible. I imagine that this is still true of the current generation.



                #8
                Re: Linux security

                Originally posted by GreyGeek
                If you can account for the following Javascript code in "My Website - Default Page.html":
                </script><script language="JavaScript" type="text/javascript" src="My%20Web%20Site%20-%20Default%20Page_files/s_code.js">//</script>
                and near the end of the source listing:
                var s_code=s.t();if(s_code)document.write(s_code)
                then I see no source of infection on your default web page.

                In the last 90 days you've had only 4 redirects and, according to this your site does not contain any malware.

                Also, the location of the site to which your visitors were redirected is in Turkey. (93.186.127.0)

                A report of your website by Netcraft is here.

                Your name server is dns101.comcast.net
                Your IP address is 216.87.188.9 (if it is static)
                You are being hosted on a Linux server running Apache, which is why I suspect that your dns listing was poisoned. Because of 4 reports your site is now being blocked by Google protection services. The Google page I referenced above gives a contact point to get your site delisted. (IF you ARE the writer of that piece of Java code, s_code.js, which is on your server and inaccessible - I won't hack a server, that is illegal).
                Thanks for all of the information. Comcast took care of the problem last night. I am not sure what they did but they must have cleaned out the files that were hidden from me and reloaded a default web page. I have not reloaded my page yet.

                I knew that my website was not hosting the malware and that it was redirecting. Most of the browsers and/or security software were catching the problem and would warn the user before it redirected.



                  #9
                  Re: Linux security

                  It looks like they took down that dns (68.87.29.164) and put your name:ip pair on another one. So, I'd guess that it was DNS poisoning, probably facilitated by poor administration practices.



                    #10
                    Re: Linux security

                    Originally posted by GreyGeek
                    It looks like they took down that dns (68.87.29.164) and put your name:ip pair on another one. So, I'd guess that it was DNS poisoning, probably facilitated by poor administration practices.
                    That sounds like the issue.

                    Rather than blame it on their practices they had to throw the blame on a Linux issue.



                      #11
                      Re: Linux security

                      OK, now I have something else a little strange.

                      I went into Google Webmaster Tools and there is now a new user that has been added as an owner of "my" website:
                      hwmailtest@gmail.com

                      Do you think this is Google or Comcast or a bad guy?



                        #12
                        Re: Linux security

                        Write an email to that address and ask the person directly. Regardless, email Google and ask how he was added, and how to remove him.
