sidefind.com coming up in lo packets

[yokosucks]

suse 9.2, kernel updates >178 days old, as thats how long the machine has been up. all other updates ~45 days old iirc

 

im on a different machine as i dont trust that box

 

output of uname -a:

Linux hostname 2.6.8-24.17-default #1 Tue Jul 19 08:56:33 UTC 2005 i686 i686 i386 GNU/Linux

 

i have kismet running, and the box isnt netted with anything

 

snippet of the output from ethereal (typing from one screen to the next, might not be completely accurate but i'll try my best):

 

Code:

no.    time        source             destination        protocol    info

2337   1100.0025   www.sidefind.com   www.sidefind.com   TCP   rtsclient > designspace-lm [PSH, ACK] Seq=217347 Ack=1046 Win=32768 Len=123 TSV=2557323704 TSER=25573226
2338   1100.0025   www.sidefind.com   www.sidefind.com   TCP   designspace-lm > rtsclient [ACK] Seq=1046 Ack=217470 Win=49160 Len=0 TSV=2557323704 TSER=2557323704
2339   1101.0482   www.sidefind.com   www.sidefind.com   TCP   rtsclient > designspace-lm [PSH, ACK] Seq=217470 Ack=1046 Win=32768 Len=124 TSV=2557324750 TSER=25573237
2340   1101.0482   www.sidefind.com   www.sidefind.com   TCP   designspace-lm > rtsclient [ACK] Seq=1046 Ack=217594 Win=49168 Len=0 TSV=2557324750 TSER=2557324750

 

there is also some data with it. the only ones with any data in this snippet are 2337 and 2339

 

first 2337:

Code:

Data (123 bytes):

..*CARD:  eth1 orinoco .o rin. 4 0 32334 1  .*TIME: 1141151 998.*GPS: 0.0 0. 0 0.0 0.0 0.0 0  .*INFO: 30 322334  14 0 0 0 0 0 58  48 .

now 2339:

Code:

Data (124 bytes):

..*CARD:  eth1 orinoco .o rin. 10 0 32334  1 .*TIME: 114115 1999.*GPS: 0.0 0 .0 0.0 0.0 0.0 0  .*INFO: 30 3233 4 14 0 0 0 0 0 5 8 48 .

 

why am i posting?

 

google 'sidefind' and you will see a slew of adware removal help pages (for windows). then goto www.sidefind.com (NOT with IE, only with something else such as firefox and with an effective popup blocker, as if you dont the toolbar may become installed. or dont, and just take my word for it)

 

i dont get popups except when i used the stock realplayer that came with the OS, and so i stopped using realplayer.

 

oh and btw. you may be wondering why this is coming up in the packet dump for lo... well i looked in /etc/hosts and found:

 

127.0.0.1 www.sitefind.com

 

i didnt put that there (not that i can recall) and i dont use an ad blocking hosts file, which is probably a stupid move by me

 

any and i mean ANY response you can give me would be greatly appreciated, even if its a flame. i can also post the ethereal packetlist, or a link to it, if need be.

[anyweb]

i dont get it, why are these showing up on a suse linux machine ? or am i mis-understanding something....

 

please explain

 

cheers

anyweb

[znx]

In short.. having:

127.0.0.1 www.sitefind.com

 

Will mean that all the traffic caught by ethereal will not be "www.sitefind.com" but instead localhost (just renamed!).

 

This means you don't have spyware at all.. if you never put that there.. then someone else did!

 

Ensure your permissions on the file:

Code:

# ls -l
-rw-r--r--  1 root root 708 Jan 27 18:43 /etc/hosts

 

If its the same.. then someone AS root altered the file.. change your password..

[yokosucks]

firstly, my mistake, the hosts file said sidefind, not sitefind.

 

secondly, having '127.0.0.1 www.sidefind.com' in the hosts file only means all packets getting sent to sidefind will be redirected to lo. it doesnt explain why there is something apparently trying to send packets to sidefind. i just got back from somewhere, im gonna do some troubleshooting (close firefox, sniff, close kismet, sniff, etc) to see what it could possibly be.

 

thirdly, nobody has access to that machine but me, and i only have one user account set up on it. i am behind a router, have no forwarded ports, and have a firewall on the box so i wasnt really too concerned with intrusion. i am suspecting one now.

 

finally, i have no more of a clue as to the reason this is happening than anyone else. youre not misunderstanding that its a suse machine. i dont know what else there is to explain, except that it seems that the data in the packets is related to kismet, due to the references to the wlan card it is monitoring with. also the data has an apparently blank value for GPS, which is appropriate as i dont have GPS.

[znx]

firstly, my mistake, the hosts file said sidefind, not sitefind.

 

Minor but it doesn't really change much ;)

 

secondly, having '127.0.0.1 www.sidefind.com' in the hosts file only means all packets getting sent to sidefind will be redirected to lo. it doesnt explain why there is something apparently trying to send packets to sidefind. i just got back from somewhere, im gonna do some troubleshooting (close firefox, sniff, close kismet, sniff, etc) to see what it could possibly be.

 

Incorrect.. the /etc/hosts will be looked at to translate 127.0.0.1 -> ? as well as the other way around. Its used like a "DNS" (cough, more correctly a cache).. therefore reverse and forward lookups are done.

 

thirdly, nobody has access to that machine but me, and i only have one user account set up on it. i am behind a router, have no forwarded ports, and have a firewall on the box so i wasnt really too concerned with intrusion. i am suspecting one now.

 

One, setting sidefind to 127.0.0.1 would cause the "spyware" that you think did this to fail, hence this defeats it?

 

Two, if someone had access do you think that they would alter the hosts file? Most would install a rootkit and thats that. If you are behind a router I doubt that anyone managed to get in.

 

You can install and run (preferably from a CD) rkhunter and chkrootkit.. doubt it will show up anything.

 

finally, i have no more of a clue as to the reason this is happening than anyone else. youre not misunderstanding that its a suse machine. i dont know what else there is to explain, except that it seems that the data in the packets is related to kismet, due to the references to the wlan card it is monitoring with. also the data has an apparently blank value for GPS, which is appropriate as i dont have GPS.

 

Yes the packets are kismet.. its talking INTERNALLY localhost to localhost (ie the incorrectly named 127.0.0.1 -> 127.0.0.1).

 

As for the data.. just because its talking about GPS .. doesn't mean you have it.. its probably just empty information incase another card has support?

[yokosucks]

i still dont recall ever even hearing of sidefind before this happened. and i still dont know how it got in my hosts file

 

i am behind a router and firewall, but i failed to consider that an XP box on my network had spyware on it for a couple days before i found and extinguished said spyware a few months ago. possibly someone could have gained access to my family member's compromised XP box and gained access to my BSD and Linux machines in the meantime.

 

so, i did some troubleshooting. did the obvious. i hashed out the line pointing to sidefind in the hosts file and added (heh) a line pointing to localhost. i restarted ethereal and it showed localhost. brilliant idea, z.

 

i ran chkrootkit and rkhunter and it found nothing, except some ssh config issues i overlooked (protocol one enabled, which i always avoided on the client end anyway, and remote root login) oversights due to laziness on my part. it also picked up an exploit in openssl, which was a false-positive as it was patched.

 

As for the data.. just because its talking about GPS .. doesn't mean you have it.. its probably just empty information incase another card has support?

 

i realize that. iirc, kismet asks if you want the gps option at compile time. nothing out of hte ordinary for it to be a blank value.

 

thanks for your help, i guess im just paranoid.

[znx]

so, i did some troubleshooting. did the obvious. i hashed out the line pointing to sidefind in the hosts file and added (heh) a line pointing to localhost. i restarted ethereal and it showed localhost. brilliant idea, z.

 

yeah thats exactly the correct thing to do.. ace!

 

thanks for your help, i guess im just paranoid.

 

paranoid = safe :) and as it is.. it helped you secure your SSH settings ;)