Darkyyo n00b
Joined: 27 Sep 2022 Posts: 21
Posted: Tue Nov 22, 2022 4:23 pm Post subject: [SOLVED] Clearing suspicion of malware having been installed
This is a bit of a relatively silly issue, but I am unable to log in to any of my sensitive accounts until it is resolved. I'm fairly new to Linux, and while I know that isn't an excuse for not knowing better about e-security, I've just realized I clicked on a phishing link a few days ago. I'll admit: the urgency got to me. However, I didn't even get to the "login-details-harvesting" stage; a blank/broken page was all that was displayed. This leads me to believe the link was repurposed to be infectious as people spread the word of its original nature, and that I was thus still affected.
Again, I'm not completely sure. I did notice a slight increase in my CPU usage a minute after, but this is no longer the case and could've been a placebo (OpenJDK running at the time does this sometimes). Someone who touched on this issue jokingly called it a RAT link, which may not be too far from the truth. I mean, I am well aware malware for the community targeted needs to bypass both written and visual forms of authentication to be effective.
I did what seemed best: I ran a full ClamAV scan (which gave me this reportedly false positive) and changed the most sensitive passwords input while unaware of being a possible victim, from a separate device. Local semi-professional advice tells me I should also look into closing any suspicious/unnecessary ports and startup processes, though I'm not too sure about how I'd correctly go on to do so. I'm even thinking of reinstalling just in case, but that already seems like too much work, and so far, no damage has been done.
I know of Linux's superior security and that this may be an overreaction, but I just want to act responsibly: learn how one usually contains or eliminates a possible/perceived threat in this OS — preferably without having to reinstall it.
Last edited by Darkyyo on Sat Jan 28, 2023 4:19 pm; edited 1 time in total

alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Tue Nov 22, 2022 5:12 pm Post subject:
Maybe have wireshark or tcpdump run all day and check if there is any suspicious traffic.
Right now in the EU there is mayhem going on about Pegasus and Predator malwares.
But I think they target more iOS and Android.
There is another horrible kind of attack called zero-click.
No need for you to click on a link.
I wouldn't worry too much.
Which browser were you using?
Maybe delete its .config and .cache?
Just a naive thought.
I think the best is the tcpdump way.
Just have it run without your using your machine.
For a day or two.
Have you seen this
https://noscript.net/
Darkyyo n00b
Joined: 27 Sep 2022 Posts: 21
Posted: Tue Nov 22, 2022 5:29 pm Post subject:
I was using Firefox.
Yes, I've used NoScript for some time. However, I had disabled using said extension long before this incident due to recurrent inconvenience.
Are there any particular factors that would define these "suspicious" packets I am to look for?
szatox Advocate
Joined: 27 Aug 2013 Posts: 3131
Posted: Tue Nov 22, 2022 5:38 pm Post subject:
Do you do any backups?
Perhaps it would be possible to compare the current state of your system with a known safe copy?
You don't have to immediately restore it, just check which files are new/modified to filter out the vast majority of stuff that's obviously OK, then you should be able to drop files you created from the remaining list, and some gentoo files, maybe a few other categories of safe stuff, and you might end up with only a handful of files which require their content to be inspected.
Not what backup was intended to do, but it is something that backup makes possible.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Tue Nov 22, 2022 5:48 pm Post subject:
Quote: | Are there any particular factors that would define these "suspicious" packets I am to look for? |
Packets to/from external IP addresses?
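One way to act on alamahant's suggestion without reading a capture packet by packet: feed `tcpdump -n` output through a small summariser that discards destinations in private, loopback and link-local ranges and counts what is left per external host, so unfamiliar peers stand out. This is an added example, not code from the thread; the function names, the `tcpdump` line layout it assumes (IPv4 lines of the form `HH:MM:SS.us IP src.port > dst.port: ...`) and the sample capture lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise the external destination
# hosts in `tcpdump -n` output so "packets to external IP addresses" can be
# reviewed per peer instead of packet by packet. Assumed line format
# (tcpdump -n -l, IPv4 only):
#   12:00:01.000001 IP 192.168.1.10.44321 > 203.0.113.5.443: Flags [S], ...
# i.e. field 3 is src.port, field 4 is ">", field 5 is dst[.port] with a
# trailing colon. IPv6 lines are ignored here.

# tcpdump_external_dsts: read tcpdump lines on stdin, print "count host" for
# every destination outside RFC 1918, loopback and link-local space,
# most-contacted first.
tcpdump_external_dsts() {
    awk '
    function is_private(ip,    o) {
        split(ip, o, ".")
        if (o[1] + 0 == 10) return 1
        if (o[1] + 0 == 127) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 169 && o[2] + 0 == 254) return 1
        return 0
    }
    $2 == "IP" && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)                 # drop the trailing colon
        n = split(dst, p, ".")
        if (n == 5) dst = p[1] "." p[2] "." p[3] "." p[4]   # host.port -> host
        if (!is_private(dst)) count[dst]++
    }
    END { for (d in count) print count[d], d }
    ' | sort -k1,1nr -k2,2
}

# capture_external_dsts IFACE [PACKETS]: live wrapper; tcpdump needs root.
# Stops after PACKETS packets (default 1000) so the summary is printed.
capture_external_dsts() {
    tcpdump -n -l -i "$1" -c "${2:-1000}" ip | tcpdump_external_dsts
}

# Constructed sample capture for offline use: one home machine talking to a
# LAN resolver, a web server, and one unfamiliar external host.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.44321 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.5.443 > 192.168.1.10.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 192.168.1.10.50000 > 192.168.1.1.53: 1+ A? example.invalid. (33)
12:00:03.000001 IP 192.168.1.10.44322 > 203.0.113.5.443: Flags [P.], seq 1:101, ack 1, win 64240, length 100
12:00:04.000001 IP 192.168.1.10.44323 > 198.51.100.77.6667: Flags [S], seq 1, win 64240, length 0'

# summarise_sample: run the summary over the constructed capture
# (a real session would pipe tcpdump in via capture_external_dsts).
summarise_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | tcpdump_external_dsts
}
```

The counts only tell you which external hosts were contacted and how often; the next step is still a manual one (reverse-lookup the address, check whether it matches something you were knowingly using, and, as the thread notes, capture while the machine is idle so that your own browsing does not drown the list).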
Darkyyo n00b
Joined: 27 Sep 2022 Posts: 21
Posted: Tue Nov 22, 2022 5:59 pm Post subject:
szatox,
I unfortunately did not generate any backups beforehand, though I definitely will after this is resolved. Are there perhaps any other naturally generated logs that I could look at for reference?
Examining my network's traffic seems like a solid measure for now.
Darkyyo wrote: | Local semi-professional advice tells me I should also look into closing any suspicious/unnecessary ports and startup processes, though I'm not too sure about how I'd correctly go on to do so. |
Are the above measures at all relevant, or just shots in the dark?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54220 Location: 56N 3W
Posted: Tue Nov 22, 2022 6:09 pm Post subject:
Darkyyo,
There is no way to be sure of the absence of something.
Look at SETI. We have done a lot of searching but found nothing.
Absence of evidence is not evidence of absence.
Your only safe course of action is a clean reinstall. You can't even trust your data post 'possible infection', so that has to be restored from a backup.
If you don't need that level of assurance, the advice here is good.
I had something get into a KVM a few months ago. It was trying to connect to several IP addresses in China using ports that my firewall does not permit.
I do check logs from time to time.
That KVM was recreated and the original shut down for a later investigation. I'll probably just delete it when I need the HDD space.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Tue Nov 22, 2022 6:19 pm Post subject:
Also you might wish to run
Code:
find ~ -type f -newermt 'yyyy-mm-dd' -ls
to find files created or modified after the date you clicked the link.
Then try to recognize anything suspicious.
psycho Guru
Joined: 22 Jun 2007 Posts: 534 Location: New Zealand
Posted: Tue Nov 22, 2022 8:34 pm Post subject:
NeddySeagoon wrote: | Your only safe course of action is a clean reinstall. |
Amen. It sounds unlikely that anything's wrong, but replacing it is the only way to be 100% sure, if you want to get rid of that nagging suspicion. Given that most of the work in a Gentoo install involves manual configs (the kernel .config, and a bunch of stuff like fstab under /etc, especially /etc/portage), it's really not such a big deal to do a fresh install when you already have all the configs you need. You can do whatever you like while stuff's compiling... there's not a huge amount of manual effort involved in creating a new Gentoo install when you've already got one fully configured.
In any case, you need a backup (as this experience demonstrates... you could have done a format and full reinstall in less than five minutes), and creating a backup from a system you don't fully trust is a horrible idea... so I would just get it over with and wipe and reinstall it, creating a backup as soon as you've got a nice working system again. Honestly, even if it's a false alarm it's doing you a favour by establishing the habit of backups.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Tue Nov 22, 2022 9:04 pm Post subject:
File mtime is only advisory. touch can easily make a file appear much older than it really is, so using mtime to find files that were modified by a hypothetical intruder is not reliable. A clever intruder would restore the mtime of any files that it needed to change.
axl Veteran
Joined: 11 Oct 2002 Posts: 1144 Location: Romania
Posted: Wed Nov 23, 2022 4:49 am Post subject:
I guess you could try an equery k \* (part of gentoolkit) which will verify which files have changed since they were last installed. Maybe modified time can be faked, but it's more unlikely an intruder would actually go to the trouble of faking the installation signatures as well. Each distro is different and gentoo is not exactly popular. This will _NOT_ tell you if files were added to the system, but at least you can see if something was modified, which is better than nothing.
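The three posts above fit together: alamahant's `find -newermt` relies on mtime, Hu points out that mtime is trivially reset, and axl's `equery k` instead compares each installed file against the checksum Portage recorded at install time, which a tampered file cannot satisfy without also rewriting the package database. The script below is an added example of that checksum approach and is neither the thread's code nor equery's own implementation. It assumes the Portage VDB layout (`/var/db/pkg/<category>/<pkg-ver>/CONTENTS`, with `obj <path> <md5> <mtime>` lines) and adds one thing axl says `equery k` does not do: listing files under a prefix that no package claims. The fixture it builds (package `app-misc/demo-1.0`, its files, the tampering) is constructed; it deliberately resets the modified file's mtime so that a date-based `find` would miss it while the checksum comparison still catches it.

```shell
#!/bin/sh
# Added example, not from the thread and not equery's implementation.
# Verifies installed files against the Portage VDB (default /var/db/pkg),
# whose per-package CONTENTS file is assumed to use lines like:
#   obj /usr/bin/foo <md5> <mtime>
#   sym /usr/bin/bar -> foo <mtime>
#   dir /usr/bin
# Paths containing spaces are not handled (CONTENTS is split on whitespace).

# vdb_check_objs VDB [ROOT]: print "MODIFIED pkg path" for every obj entry
# whose current md5 differs from the recorded one, "MISSING pkg path" if the
# file is gone. ROOT is prepended to every path (empty for the live system,
# a mount point when checking a suspect disk from a trusted boot).
vdb_check_objs() {
    vdb=$1
    root=${2:-}
    find "$vdb" -mindepth 2 -maxdepth 2 -type d | while read -r pkgdir; do
        [ -f "$pkgdir/CONTENTS" ] || continue
        pkg=${pkgdir#"$vdb"/}
        awk '$1 == "obj" { print $2, $3 }' "$pkgdir/CONTENTS" |
        while read -r path recorded; do
            f="$root$path"
            if [ ! -f "$f" ]; then
                printf 'MISSING %s %s\n' "$pkg" "$path"
                continue
            fi
            current=$(md5sum "$f" | awk '{ print $1 }')
            [ "$current" = "$recorded" ] || printf 'MODIFIED %s %s\n' "$pkg" "$path"
        done
    done
}

# vdb_unowned VDB PREFIX [ROOT]: list regular files and symlinks under
# ROOT/PREFIX that appear in no package's CONTENTS (an equery-style check
# only walks recorded entries, so added files never show up there).
vdb_unowned() {
    vdb=$1
    prefix=$2
    root=${3:-}
    owned=$(mktemp)
    cat "$vdb"/*/*/CONTENTS 2>/dev/null |
        awk '$1 == "obj" || $1 == "sym" { print $2 }' | sort -u > "$owned"
    find "$root$prefix" \( -type f -o -type l \) |
        sed "s|^$root||" | sort | comm -23 - "$owned"
    rm -f "$owned"
}

# vdb_make_fixture: build a constructed VDB plus a fake root under a temp
# dir, then tamper with one file and drop in an unowned one. Prints the dir.
vdb_make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/root/usr/bin" "$t/vdb/app-misc/demo-1.0"
    printf 'original\n' > "$t/root/usr/bin/demo"
    printf 'helper\n' > "$t/root/usr/bin/demo-helper"
    {
        printf 'dir /usr\n'
        printf 'dir /usr/bin\n'
        for f in demo demo-helper; do
            printf 'obj /usr/bin/%s %s 1700000000\n' "$f" \
                "$(md5sum "$t/root/usr/bin/$f" | awk '{ print $1 }')"
        done
    } > "$t/vdb/app-misc/demo-1.0/CONTENTS"
    # Simulated tampering that also resets the mtime (Hu's point: mtime is
    # advisory), so `find -newermt` after the incident date would not list it.
    printf 'tampered\n' > "$t/root/usr/bin/demo"
    touch -t 202301010000 "$t/root/usr/bin/demo"
    # A file no package owns: invisible to a CONTENTS-based check.
    printf 'extra\n' > "$t/root/usr/bin/extra"
    printf '%s\n' "$t"
}

# Usage on a real disk, booted from trusted media with the suspect root
# mounted at /mnt/suspect (hypothetical path):
#   vdb_check_objs /mnt/suspect/var/db/pkg /mnt/suspect
#   vdb_unowned   /mnt/suspect/var/db/pkg /usr/bin /mnt/suspect
```

Run it against the suspect filesystem from a trusted boot rather than from the suspect system itself, for the same reason axl gives for nmap: the tools doing the checking (`md5sum`, `find`, the VDB records themselves) are only as trustworthy as the system they run on. The unowned-file list will always contain legitimate entries (files created by post-install scripts, local additions under /usr/local), so it narrows the review rather than finishing it.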
steve_v Guru
Joined: 20 Jun 2004 Posts: 388 Location: New Zealand
Posted: Wed Nov 23, 2022 10:14 am Post subject:
It certainly won't catch everything, but FWIW opensnitch (pentoo overlay) is quite functional these days and can be set to alert, block, and/or log outgoing connection attempts from new processes or to new hosts.
There are many other utilities, such as rkhunter, tripwire, lynis, auditd etc. that will scan for known rootkit behaviour, detect modified system files, watch for listening ports, etc.
The catch is that all of these work best when set up before something suspicious goes down.
As for clamav, you might as well ignore it. Last I checked pretty much all its signatures are for windows malware, and its primary use is protecting downstream windows endpoints - e.g. scanning email.
Otherwise, yeah. The only way to be properly sure is to nuke it from orbit. This is one of the reasons we have backups.
That said, the chances of you catching a drive-by from a web browser are small, and smaller still that it somehow managed to escalate to root and impact anything beyond your user account.
_________________
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Last edited by steve_v on Wed Nov 23, 2022 10:19 am; edited 1 time in total
axl Veteran
Joined: 11 Oct 2002 Posts: 1144 Location: Romania
Posted: Wed Nov 23, 2022 10:18 am Post subject:
I thought of another thing. You can't trust netstat, because it could be patched and/or modified, but you certainly can nmap the system to see if it has some open ports that shouldn't be open. Only don't do it from the same system, but use one you can trust.
C5ace Guru
Joined: 23 Dec 2013 Posts: 472 Location: Brisbane, Australia
Posted: Wed Nov 23, 2022 1:18 pm Post subject:
I had an attack through wine a couple of years ago that filled up the disk with many small files. The guy wanted $500.00 paid with Bitcoins to let me restore my old Windows games and other stuff. He was not impressed when I emailed him to f...k off.
To be safe I ran dd on the disk, partitioned, formatted and restored my backup. This took about 15 minutes keyboard time. Now Windows programs only run in VirtualBox.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as perl, python, C++, C#, Rust and the likes.
axl Veteran
Joined: 11 Oct 2002 Posts: 1144 Location: Romania
Posted: Wed Nov 23, 2022 1:37 pm Post subject:
C5ace wrote: | I had an attack through wine a couple of years ago that filled up the disk with many small files. The guy wanted $500.00 paid with Bitcoins to let me restore my old Windows games and other stuff. He was not impressed when I emailed him to f...k off.
To be safe I ran dd on the disk, partitioned, formatted and restored my backup. This took about 15 minutes keyboard time. Now Windows programs only run in VirtualBox. |
Did you run wine as root?
A normal user wouldn't have filled the "disk" with anything. Only the home of said user. You could have just deleted the home dir and not the whole disk. Just sayin...
Same goes for the original poster. A normal user doesn't mean automatic escalation to root. Browsing is another thing you shouldn't do as root.
Also, running VMs creates a false sense of security. A windows VM can be just as compromised and attack your own network.
Leonardo.b Apprentice
Joined: 10 Oct 2020 Posts: 294
Posted: Wed Nov 23, 2022 4:17 pm Post subject:
For the future, consider setting up a sandbox for your web browser.
C5ace Guru
Joined: 23 Dec 2013 Posts: 472 Location: Brisbane, Australia
Posted: Wed Nov 23, 2022 9:48 pm Post subject:
axl wrote: |
C5ace wrote: | I had an attack through wine a couple of years ago that filled up the disk with many small files. The guy wanted $500.00 paid with Bitcoins to let me restore my old Windows games and other stuff. He was not impressed when I emailed him to f...k off.
To be safe I ran dd on the disk, partitioned, formatted and restored my backup. This took about 15 minutes keyboard time. Now Windows programs only run in VirtualBox. |
Did you run wine as root?
A normal user wouldn't have filled the "disk" with anything. Only the home of said user. You could have just deleted the home dir and not the whole disk. Just sayin...
Same goes for the original poster. A normal user doesn't mean automatic escalation to root. Browsing is another thing you shouldn't do as root.
Also, running VMs creates a false sense of security. A windows VM can be just as compromised and attack your own network. |
Wine was installed under /usr/bin/wine-vanilla. The user files were under /home/user/.wine/ (dosdevices, drive_c; drive_j). Today Win98 is in a VirtualBox without networking.
The vdi and other files are located under /home/vbox/win98/. A backup copy is stored at /home/vbox/win98.tar.xz.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as perl, python, C++, C#, Rust and the likes.
axl Veteran
Joined: 11 Oct 2002 Posts: 1144 Location: Romania
Posted: Wed Nov 23, 2022 10:25 pm Post subject:
C5ace wrote: | Wine was installed under /usr/bin/wine-vanilla. The user files were under /home/user/.wine/ (dosdevices, drive_c; drive_j). Today Win98 is in a VirtualBox without networking. |
But you see, that is my point. Wine doesn't offer a way in as root. It doesn't matter how it was installed or where. It matters how it's run. Do not run it as root, and, it's also prolly a good idea to keep wine chrooted to its own environment. See that Z drive that allows access to the home directory. I think it's Z. I don't have an intel machine to test it atm.
Anyway, just delete your home, not the entire system. It's overkill.
C5ace Guru
Joined: 23 Dec 2013 Posts: 472 Location: Brisbane, Australia
Posted: Thu Nov 24, 2022 1:27 pm Post subject:
axl wrote: |
C5ace wrote: | Wine was installed under /usr/bin/wine-vanilla. The user files were under /home/user/.wine/ (dosdevices, drive_c; drive_j). Today Win98 is in a VirtualBox without networking. |
But you see, that is my point. Wine doesn't offer a way in as root. It doesn't matter how it was installed or where. It matters how it's run. Do not run it as root, and, it's also prolly a good idea to keep wine chrooted to its own environment. See that Z drive that allows access to the home directory. I think it's Z. I don't have an intel machine to test it atm.
Anyway, just delete your home, not the entire system. It's overkill. |
I don't know how it got in. Rkhunter identified it as "BillGates" or similar. That's why I believe it had something to do with Windows/Wine. Anyway, the matter is solved on my end in a way that it's very unlikely to happen again.
_________________
Observation after 30 years working with computers:
All software has known and unknown bugs and vulnerabilities. Especially software written in complex, unstable and object oriented languages such as perl, python, C++, C#, Rust and the likes.
Darkyyo n00b
Joined: 27 Sep 2022 Posts: 21
Posted: Sat Nov 26, 2022 2:11 pm Post subject:
My apologies for not continuing the flow of the thread sooner. Having read all suggestions, I suppose I shall abide by the consensus: that of reinstalling being the only way of being completely sure.
psycho wrote: | Given that most of the work in a Gentoo install involves manual configs (the kernel .config, and a bunch of stuff like fstab under /etc, especially /etc/portage), it's really not such a big deal to do a fresh install when you already have all the configs you need. You can do whatever you like while stuff's compiling... there's not a huge amount of manual effort involved in creating a new Gentoo install when you've already got one fully configured. |
Good point. I feared having to do everything from scratch, but completely forgot the advantage of widespread text-file-based configuration.
Before I proceed, however, I wanted to clear some doubts:
(answered already through forum messages)
Would the danger cease as soon as I create a new GPT from the LiveCD?
NeddySeagoon wrote: | That depends. The partition table is a table of pointers to filesystems. It's not actually required to mount a partition (see the -o offset= option to mount). The filesystem is still intact and can be accessed.
Why is the nastyware restricted to the filesystem?
It can change the BIOS too. It all depends how paranoid you are.
When you make new filesystems on the new GPT, it all gets much harder to recover the content. It's all still there but the metadata has been destroyed. At that point, it's not impossible, just impractical to recover the old data. If an SSD is involved, making a new filesystem sends the device the discard signal for the space allocated to the filesystem, so everything there will soon be erased. |
Would it be fine to just backup my config files somewhere else? Would I not have to worry about them carrying this suspected infection to a given storage medium?
NeddySeagoon wrote: | It's safe to keep them for reference - to look at but not for reuse, unless you know how the nastyware works. |
Anything else to note beyond waiting until I have a minimal installation ready, configuring portage, emerging @world, and then replacing the rest of the config files?
NeddySeagoon wrote: | Recreate, not reuse the config files. |
Last edited by Darkyyo on Sat Jan 28, 2023 4:13 pm; edited 1 time in total