Bug 28790

Summary: ransomeware attack
Product: Mageia Reporter: william bastian <rfarc2000>
Component: RPM PackagesAssignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, ftg, ouaurelien
Version: 8   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Source RPM: firefox CVE:
Status comment:

Description william bastian 2021-04-16 18:32:28 CEST 
Description of problem:
My wife was using Mageia 8 64 and all of a sudden a "ransomeware" hit:it said "Microsoft has determined your computer is being used to distribute porn,  Call these Microsoft Numbers xxxxxxx to unlock your computer"  The page was a exact duplicate of something from Microsoft Windows, looked exactly as though it was a Microsoft alert.  
   In nearly 20 years of using Mandrake/Mandriva/Mageia on the internet this is the FIRST TIME this has ever happened. Some time back the LULZSec hackers hacked a microsoft Windows computer I had, without disturbing the Mageia Linux computers.  After an expert cleaned out the Windows computer I simply did not hook it to the internet.  All of our internet work here is done with Mageia Linux.
   The computer was totally locked up,no command would get rid of it.  I had to format the hard drive and reload Mageia 8 64 in order to get rid of it.
   My wife was using the Firefox browser that came with Mageia 8.  She uses Facebook with the Firefox Browser.  
   We are using CenturyLink Fiber Optic internet system, they sent me  the most advanced fiber optic modem they have, and I recently put in  a Cisco router in series for an extra firewall.  
Version-Release number of selected component (if applicable):

The Mageia 8 I downloaded from the Mageia.org site
How reproducible:

It has not reoccurred so far.  
Steps to Reproduce:
1.not reproduceable.  
2.
3.
Comment 1 Aurelien Oudelet 2021-04-16 18:52:19 CEST 
Hi, thanks reporting this.

We really doubt your system was hacked.

We only think that a firefox window was put in full screen without window controls and a message was displayed. This is rather a firefox bug.

Even a cold restart should ditch this.


So, as long as this is un reproducible, and you did not provide proof like screenshot or taken a picture with a smartphone, I tend to close this invalid.

Assigning globally, added to firefox tracker.

CC: (none) => ouaurelien
Ever confirmed: 1 => 0
Assignee: bugsquad => pkg-bugs
Source RPM: (none) => firefox
Status: NEW => UNCONFIRMED

Aurelien Oudelet 2021-04-16 18:52:52 CEST

Blocks: (none) => 28788

Comment 2 David Walser 2021-04-16 19:07:26 CEST 
This wouldn't be a Mageia bug anyway.  The forum or discuss Mailing list would be better places to ask for help.

QA Contact: security => (none)
Blocks: 28788 => (none)
Status: UNCONFIRMED => RESOLVED
Component: Security => RPM Packages
Resolution: (none) => INVALID

Comment 3 Dave Hodgins 2021-04-16 19:13:37 CEST 
I agree it's very unlikely the computer was hacked. More likely is that one of
the websites being loaded in firefox was hacked, or one of the scripts on one
of those pages was loaded from a hacked site.

CC: (none) => davidwhodgins

Comment 4 Frank Griffin 2021-04-16 19:35:34 CEST 
If it happens again, use Ctrl-Alt-Fn (anything other than 1) to get to a tty, login as your ID, and issue "killall firefox"; then Ctrl-Alt-F1 to get back.

CC: (none) => ftg

Comment 5 william bastian 2021-04-17 16:22:16 CEST 
A cold reboot did NOT clear this.  I tried that twice. Each time the false screen came up without ANY sign of the Mageia 8 bootup sequence or any sign that Mageia was even in existence. I would not dismiss this so hastily.  
  It took a complete format the hard drive and reload Mageia 8 to get rid of this screen.  Again, it was an exact copy of a Windows screen.  It appeared quickly as soon as power was applied to the computer without any sign of Mageia.
Comment 6 Dave Hodgins 2021-04-17 19:42:20 CEST 
Try booting a live iso and see if it can see, mount, and read the hard drive
partitions.
Comment 7 Dave Hodgins 2021-04-17 20:24:25 CEST 
I just read comment 5 again. Noticed that the drive has already been formatted.
I could see this type of thing happening if the user was running things such
as firefox as root. There are various things javascript can do to a user's
account, but not to things like grub, without root level access.

If Mageia has already been re-installed, there is not much that can be done
to gather more info.