Shell Usage

Posted: Thu Oct 16, 2014 3:12 am
by Evan Langlois
I found a very strange thing the other day. I went to debug something and pulled up Wireshark and noticed very strange traffic. A couple of looks at netstat revealed that sockets were owned by the shell script that passes data to SteadyFlow! Not steadyflow or the browser, but /bin/sh. Doesn't make any sense, does it? I closed the browser, and it made no change. Quitting steadyflow (which showed no downloads) stopped the (likely malicious) traffic and killed the script.

Needless to say, I don't like to see my computer transferring data from sites I didn't click on! I did look at the script. It looks like it just does a quick echo and then passes some parameters. I would get rid of the script completely (would help for people that need a non-executable /tmp for example). You really don't need it since you can do a fork/exec and set environment variables and all that (or are plug-ins not allowed to fork?). To what is the 'echo' being sent? I'd really like to know what those extra connections were all about. I didn't save the data, but I certainly will if I see it again. I keep Wireshark pretty handy these days.

At the very least, throw some quotes around the site being passed around (why the program name is quoted and not the URL seems odd). A malicious URL could easily take over the shell with stuff that looks like a valid URL. Letting the shell look at it could be a security issue.
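The quoting point in the post above, shown as an added example that is not part of the original thread or of SteadyFlow's code. It assumes a helper script that hands a URL to a downloader via a shell command line; the URL and the helper names are constructed for the demonstration. Even a perfectly ordinary URL containing `&` is mangled when the shell sees it unquoted, and the hardened variants either quote it with `shlex.quote` or skip the shell entirely by exec'ing an argument vector, which is the fork/exec approach the post suggests.

```python
import shlex
import subprocess
from urllib.parse import urlparse

# Constructed sample: a routine download URL with a query string.
# '&' is a shell operator, so unquoted it splits the command line.
SAMPLE_URL = "http://example.com/file?a=1&b=2"


def echo_via_shell(url: str, quoted: bool) -> str:
    """Pass the URL through 'sh -c', either quoted or raw, and return
    what the shell actually printed. The raw form is the weak pattern."""
    cmd = "echo " + (shlex.quote(url) if quoted else url)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.strip()


def is_plausible_http_url(url: str) -> bool:
    """Cheap sanity check before handing a URL to any external program:
    only http(s) with a non-empty host. Does not replace proper quoting."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def downloader_argv(program: str, url: str) -> list[str]:
    """Hardened hand-off: build an argv list for fork/exec, so no shell
    ever parses the URL. 'program' is a hypothetical downloader name."""
    if not is_plausible_http_url(url):
        raise ValueError("refusing non-http(s) URL: %r" % url)
    return [program, "--url", url]


def run_downloader(program: str, url: str) -> str:
    """Run the argv form without shell=True; returns the child's stdout.
    Uses 'printf' as a stand-in program so the demo runs offline."""
    argv = downloader_argv(program, url)
    out = subprocess.run(["printf", "%s\n", argv[-1]], capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    print("unquoted:", echo_via_shell(SAMPLE_URL, quoted=False))  # truncated at '&'
    print("quoted:  ", echo_via_shell(SAMPLE_URL, quoted=True))   # intact
    print("argv:    ", run_downloader("steadyflow-helper", SAMPLE_URL))
```

The argv form is preferable to quoting alone: quoting fixes the parsing problem, but the exec'd program still receives exactly one argument per URL and there is no shell in the path to interpret anything, which also removes the need for an executable script in /tmp.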

Re: Shell Usage

Posted: Sat Oct 25, 2014 4:44 am
by therube
What is steadyflow?