Firefox for Linux hacked (malware)

1

I'm running Linux Mint, with Firefox 12.0 (Mozilla Firefox 1.0 for Linux Mint). I also have one Firefox extension installed: Live HTTP headers. I am not using Firefox Sync.

Whenever I go to any website using Firefox, I observe on the bottom status-bar that my browser is contacting a domain called "my-top-fun.com".

I assume this is some malware that is tracking which sites I visit, probably to use as marketing data.

My first thought was to make sure that only Firefox is affected, and this isn't some deeper issue. So, I tried a simple wget, and also downloaded and installed Google-Chrome for Linux. Both are unaffected - so the problem is definitely isolated to Firefox.

I've Googled around for "my-top-fun.com", but other than whois and other domain registration information, there is literally no information available about this domain. I grep'd around for my-top-fun.com in ~/.mozilla but found nothing other than references to the domain in the Cache files and in the .mozilla/firefox/mwad0hks.default/sessionstore.js file.

Using the Live HTTP Headers extension, I can see that Firefox is making a request to my-top-fun.com whenever I visit any site:

http://my-top-fun.com/script.js

GET /script.js HTTP/1.1
Host: my-top-fun.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://superuser.com/
Cookie: __utma=203335309.1541668361.1361278532.1361278532.1361278532.1; __utmc=203335309; __utmz=203335309.1361278532.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=%22my-top-fun.com%22
If-Modified-Since: Sun, 17 Feb 2013 23:40:24 GMT
If-None-Match: "1180033-36f-4d5f421e93750"
Cache-Control: max-age=0


So, what are some strategies to attempt to remove this malware from Firefox? Should I just uninstall, and then re-install Firefox?

Channel72

Posted 2013-02-19T17:17:00.870

Reputation: 121

2 Do you have any Firefox extensions installed? – gronostaj – 2013-02-19T17:19:22.813

Are you using Firefox sync? Could it be a plugin synced from another machine? Have you checked for suspicious plugins? – user 99572 is fine – 2013-02-19T17:19:58.607

I have one Firefox extension: Live HTTP headers. – Channel72 – 2013-02-19T17:21:17.543

I am not using Firefox sync – Channel72 – 2013-02-19T17:21:43.890

Answers

0

I would use BleachBit to clear the FF cache, and perhaps delete the FF folder from ~/. It will be regenerated next time you open FF, but your settings will be cleared (along with everything else).

Frank Thomas

Posted 2013-02-19T17:17:00.870

Reputation: 29 039

Cleaning cache isn't going to do anything. – sourcejedi – 2013-02-19T17:57:09.573

That's not really true in Linux. Assuming that you are not running as root (as is default in Mint), the only changes that a piece of mal-script can make are to your profile's local cache. By deleting it and allowing it to be recreated, you eliminate any malware that had been running within its context, unless you made some really bad choices in configuring and running FF. – Frank Thomas – 2013-02-19T18:04:36.400

0

I had the same issue. It came from a YouTube viewer add-on I had in Firefox. When I disabled the viewer, my-top-fun went away. It was amazing how much that file slowed down browsing.

brian

Posted 2013-02-19T17:17:00.870

Reputation: 1

The name of this add-on might be helpful. Please edit your answer and add it if you know. – slm – 2013-07-12T13:31:53.023
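
The question's grep of ~/.mozilla matched only cache and session files, while the answer above traced the requests to an add-on. Add-ons are often stored as packed .xpi files (ZIP archives, sometimes with a chrome/*.jar nested inside), where a plain-text search does not see compressed strings. The following is an added example, not code from this thread, that searches a profile directory for the domain inside such archives. The function names, the profile layout and the add-on name `viewer@example.invalid` are assumptions made for the constructed sample.

```python
import io
import os
import tempfile
import zipfile

MAX_DEPTH = 3  # profile file -> .xpi -> chrome/*.jar; the cap bounds nested archives

def _search(data, needle, trail, depth=0):
    """Yield the member trail of each blob containing needle, descending into ZIPs."""
    buf = io.BytesIO(data)
    if depth < MAX_DEPTH and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                yield from _search(zf.read(info), needle, trail + [info.filename], depth + 1)
    elif needle in data:
        yield "!".join(trail)

def find_indicator(root, needle, skip_dirs=("Cache",)):
    """Return sorted (file relative to root, member trail) pairs that contain needle."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Cached copies of the fetched script are a symptom, not the source.
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                for trail in _search(data, needle.encode(), []):
                    hits.append((os.path.relpath(path, root), trail))
            except (OSError, ValueError, RuntimeError, zipfile.BadZipFile):
                continue  # unreadable, encrypted or damaged file: skip it
    return sorted(hits)

def demo():
    """Scan a constructed profile (sample data, hypothetical add-on name)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Cache"))
        os.makedirs(os.path.join(root, "extensions"))
        with open(os.path.join(root, "Cache", "entry"), "wb") as fh:
            fh.write(b"http://my-top-fun.com/script.js")
        jar = io.BytesIO()
        with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("content/overlay.js", "load('http://my-top-fun.com/script.js')")
        xpi = os.path.join(root, "extensions", "viewer@example.invalid.xpi")
        with zipfile.ZipFile(xpi, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("install.rdf", "<RDF/>")
            zf.writestr("chrome/viewer.jar", jar.getvalue())
        return find_indicator(root, "my-top-fun.com")
```

On a real profile, call `find_indicator` with the profile directory and the domain; an empty member trail in a result means the match was in a plain file rather than inside an archive.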