[tor-talk] "EVIL bug" Linux Tor Browser Bundle (2.2.35-8)

Jude Young jude at 10equals2.me
Wed Mar 21 12:54:35 UTC 2012


For anyone who knows that this happened on their home Linux system....
If you are on Debian, install the package secure-delete (close to that 
anyways.. Copy is here: http://www.thc.org)

NOTE: This is dangerous, and only to be attempted by one who has a clue 
how to rescue a hosed system.
If you don't, then I have absolutely no pity on you.

If you have a separate home partition, make sure that you substitute 
/home here.
Also, if you do home, you will not have to reboot or enter single-user. 
Instead of rebooting:
umount /home  # do the journal and sfill stuff... it's below...
mount /dev/{whatever partition} /home

Otherwise:
Exit all programs, act like you're about to shutdown.

Now run these commands:
sudo init 1  # This should drop you down to a terminal, in single-user mode.


sudo sfill -v / &  # Overwrite all free space on the root partition with random data 35 times.
That'll take a few days on anything greater than 100 GB... Or, you know, a 
really long time on anything much bigger...


If you don't want to wait as long, you can wipe just the folder TBB was in,
or you can make it less secure (still pretty much completely removed..) 
by running this:
sudo sfill -v -l -z / && sudo sfill -v -l /  # write once random, write once zero, write twice random. far less time...

If you are using a modern filesystem, that will NOT get rid of all of 
the data.
ext3/4, btrfs, reiserfs, jfs, xfs, all of these have journals.

You'll also need to get rid of the journal.
On ext3/4, run this BEFORE you start sfill:
sudo mount -no remount,ro /dev/{whatever your hd is}  # Remount the FS readonly.
sudo tune2fs -O ^has_journal /dev/{whatever your hd is}  # try typing 'sudo mount' if you don't know.
sudo dumpe2fs /dev/{ditto} | more  # use this to make sure the journal is gone/off
Then run one of the sfill commands, run a fs check, and create a new 
journal:
sudo mount -no remount,rw /dev/{ditto} /  # remount the fs read-write.  necessary for the sfill command to work.
# run one of the sfill commands...
sudo mount -no remount,ro /dev/{ditto}  # remount readonly again
sudo e2fsck -f /dev/{ditto}  # force a fs check
sudo tune2fs -j /dev/{ditto}  # create a new journal

Now your FS is in a slightly unstable state.
Now you can either reboot, or remount the fs.
It's probably cleaner just to reboot.
sudo shutdown -rF now  # This will reboot, and force a FS check when it comes back up.

Now, assuming that all went ok,
check to see if you can find the file in question using this tool/tools:
http://extundelete.sourceforge.net/

FAQ:
Q    Is this dangerous/could I lose data?
A    YES
Q    The first answer scares me...
A    Then don't do this.
Q    Will this guarantee it's really gone?
A    NO
Q    I messed up!!
A    Did you read the whole thing and Google anything you didn't know? 
If so, read Q1.
Q    Have you actually tried this?
A    Nope, but I have seriously messed with my FS before.  This SHOULD 
work, but it might not.

Good luck, if everything went well, every deleted file on your system 
should be practically unrecoverable.
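An added pre-flight check for the journal-removal steps above (not part of the original post, and not from the secure-delete or e2fsprogs projects). The post's "make sure the journal is gone/off" step and its read-only remount are the two things that decide whether `tune2fs -O ^has_journal` will do anything useful, so this script checks both from captured text: the output of `dumpe2fs -h DEV` and the lines of `/proc/mounts`. It never touches a disk, so it can be run and tested without root; the device name and both outputs below are constructed samples, and `journal_preflight` is a helper name chosen here, not a real tool.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# "drop the ext3/4 journal, then sfill" procedure. Reads captured text from
# `dumpe2fs -h DEV` and `cat /proc/mounts` instead of touching a disk.
# All device names and outputs in this file are constructed samples.

# has_journal_feature DUMPE2FS_TEXT
# Returns 0 if the "Filesystem features:" line lists has_journal, else 1.
# Run it on fresh dumpe2fs output after tune2fs to confirm the journal is off.
has_journal_feature() {
    printf '%s\n' "$1" | awk '
        /^Filesystem features:/ {
            for (i = 3; i <= NF; i++) if ($i == "has_journal") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# mount_state DEV MOUNTS_TEXT
# Prints "ro", "rw" or "unmounted" for DEV from /proc/mounts-style lines
# (fields: device mountpoint fstype options dump pass). Only an exact "ro"
# option counts; "errors=remount-ro" is deliberately not matched.
mount_state() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev {
            state = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "unmounted" : state) }'
}

# journal_preflight DEV DUMPE2FS_TEXT MOUNTS_TEXT
# 0 = journal present and fs is ro/unmounted: tune2fs -O ^has_journal is safe
# 1 = journal already absent: nothing to drop, go straight to sfill
# 2 = fs still mounted read-write: tune2fs refuses, and sfill would run
#     under a live journal, which is exactly what the post warns about
journal_preflight() {
    dev=$1
    state=$(mount_state "$dev" "$3")
    if [ "$state" = "rw" ]; then
        echo "$dev is mounted read-write; remount ro (or umount) first" >&2
        return 2
    fi
    if ! has_journal_feature "$2"; then
        echo "$dev: no has_journal feature; journal already off" >&2
        return 1
    fi
    echo "$dev: journal present and fs is $state; ok to drop the journal" >&2
    return 0
}

# --- constructed samples, not real system output ---
FEATURES_ON='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file
Journal size:             128M'
FEATURES_OFF='Filesystem volume name:   <none>
Filesystem features:      ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file'
MOUNTS_RO='/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0'
MOUNTS_RW='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0'

# Stand-alone demo: one "go" case and the two "no-go" cases.
rc=0; journal_preflight /dev/sda1 "$FEATURES_ON" "$MOUNTS_RO" || rc=$?
echo "ro + journal      -> $rc"
rc=0; journal_preflight /dev/sda1 "$FEATURES_ON" "$MOUNTS_RW" || rc=$?
echo "rw + journal      -> $rc"
rc=0; journal_preflight /dev/sda1 "$FEATURES_OFF" "$MOUNTS_RO" || rc=$?
echo "ro + no journal   -> $rc"
```

On a live system you would feed it real output, e.g. `journal_preflight /dev/sda1 "$(sudo dumpe2fs -h /dev/sda1 2>/dev/null)" "$(cat /proc/mounts)"`, and only proceed to the post's tune2fs line on exit status 0; rerun `has_journal_feature` on fresh dumpe2fs output afterwards as the "journal is gone/off" check.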
