[Solved] Am I Infected by a virus?


Postby bester69 » 2018-12-21 08:09

Hi,

Did I get infected by a virus or a trojan?
[screenshot, hosted on postimage.org]


It's been happening for a week or so. Sometimes, suddenly, the keyboard behaves strangely, as if with some kind of lag; the Internet browser starts some kind of blinking and I can't type properly anymore anywhere. I left konsole by itself and it kept typing, on its own, the strange character shown in the capture. It happened just when waking up from sleep. It has happened several times (three or so) over the past few weeks. It gets fixed when I restart the Plasma session.

I don't know what it might be. I don't remember what I might have installed, because I have a very controlled and clean installation; I even use a btrfs snapshot rollback system to maintain a stable system. But I have updated the snapshot system with this virus included, and I can't roll back to get away from this issue.

I just remember installing in that period of time:
- jpegoptim, bitwarden (deb), and some snaps

- I was also always running a downgraded proprietary Java version (for a Java sticky app) >> I've just moved to openjdk and updated the JDK
- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"
- I've been using an old Opera version for a long time (Opera v42) for performance reasons

I have a few packages held back for believed performance and other reasons:
Code:
The following packages have been kept back:
  dbus dbus-user-session dbus-x11 firefox-esr firefox-esr-l10n-es-es firmware-misc-nonfree g
  intel-microcode kde-style-qtcurve-qt4 kde-style-qtcurve-qt5 libdbus-1-3 libdbus-1-3:i386 l
  libudev1:i386 network-manager qtcurve qtcurve-l10n syslinux syslinux-common systemd-sysv u
  xserver-common xserver-xorg-core xserver-xorg-legacy


Any suggestions :? Thanks
Last edited by bester69 on 2019-01-04 14:45, edited 1 time in total.
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing

Re: Am I Infected by a virus?

Postby llivv » 2018-12-21 09:19

does typing clear in konsole fix anything?

open xterm on your desktop and see if you get the same behavior from it.
If xterm seems fine try reinstalling konsole

If reinstalling doesn't help and you're comfortable gouging out a nice hefty hunk_o_ K
purge konsole and all its deps
reboot - probably to cli (if I know K at all)
reinstall konsole and all the other K, qt, plasma, etc. etc. packages it took with it ..... difficulty=intermediate to advanced
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-21 10:07

llivv wrote:does typing clear in konsole fix anything?

open xterm on your desktop and see if you get the same behavior from it.
If xterm seems fine try reinstalling konsole

If reinstalling doesn't help and you're comfortable gouging out a nice hefty hunk_o_ K
purge konsole and all its deps
reboot - probably to cli (if I know K at all)
reinstall konsole and all the other K, qt, plasma, etc. etc. packages it took with it ..... difficulty=intermediate to advanced

Hi, Thanks for answering
It happens typing anywhere (kate, dolphin, browser, etc).. there's some kind of lag when typing fast .. Now erverithing its again working ok for the moment (I restarted session); at first I thought It had to be with Accesibility module, but I think I disabled it and had happend once again..

Re: Am I Infected by a virus?

Postby Ardouos » 2018-12-21 13:49

You run a lot of MS apps through PoL/wine and outdated software, so if something were to happen that would likely be the culprit. Linux is not immune to malware though, no OS is.

I would check if anything is running on startup, starting with:
- Your bash history,
- Your bashrc and profile files, both in your /etc and /home.
- Any cronjobs.
- Any startup daemons.
- Any ports exposed to the internet?
- Check any SSH keys are installed.
- Your DE's autostart.
- Checking logs is good to see if any suspicious activity has been done.

You could try running a clamav scan or Sophos(?).

That's my two cents.
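
The checklist above turned into a single sweep, as an added example for this page (not code from anyone in the thread). Every path is taken relative to a root directory, so the same functions can be pointed at the live system, at a mounted btrfs snapshot of the suspect install, or at a constructed directory tree; the home directory is given relative to that root. One caveat worth knowing before trusting a clean debsums run (mentioned later in the thread): debsums only verifies files that came from .deb packages, so nothing under the home directory or /usr/local is covered by it, which is exactly where the home-directory checks here look. The socket listing is the only part that has to run on the live machine.

```shell
#!/bin/sh
# Added triage sweep for the checklist above (example code, not from the thread).
# All paths are relative to ROOT so the same functions can run against / on the
# live box, against a mounted snapshot of the suspect system, or against a
# constructed fake tree. HOME_REL is the home directory relative to ROOT.

# Lines in shell startup files that fetch code or decode blobs: the usual shape
# of a dropped persistence hook. Matches are printed with their file and line.
suspicious_rc_lines() {           # $1 = ROOT, $2 = HOME_REL
    for f in "$1/etc/profile" "$1/etc/bash.bashrc" \
             "$1$2/.bashrc" "$1$2/.profile" "$1$2/.bash_profile"; do
        [ -f "$f" ] || continue
        grep -nE 'curl|wget|base64|nc |ncat|/dev/tcp|eval ' "$f" | sed "s|^|$f:|" || :
    done
    return 0
}

# Every non-comment line of system cron.d files and per-user crontabs.
cron_commands() {                 # $1 = ROOT
    for f in "$1"/etc/cron.d/* "$1"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -vE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f:|" || :
    done
    return 0
}

# Exec= lines of desktop autostart entries (Plasma honours both directories),
# plus any plain scripts in Plasma's autostart-scripts directory.
autostart_execs() {               # $1 = ROOT, $2 = HOME_REL
    for d in "$1/etc/xdg/autostart" "$1$2/.config/autostart"; do
        [ -d "$d" ] || continue
        grep -H '^Exec=' "$d"/*.desktop 2>/dev/null || :
    done
    [ -d "$1$2/.config/autostart-scripts" ] && ls "$1$2/.config/autostart-scripts"
    return 0
}

# Service units that did not come from a package: anything under /etc or the
# user's own systemd directory rather than /lib/systemd.
custom_units() {                  # $1 = ROOT, $2 = HOME_REL
    find "$1/etc/systemd/system" "$1$2/.config/systemd/user" \
         -name '*.service' 2>/dev/null || :
}

# Keys that would let someone log back in; prints the trailing comment field.
ssh_keys() {                      # $1 = ROOT, $2 = HOME_REL
    [ -f "$1$2/.ssh/authorized_keys" ] && \
        awk 'NF && $1 !~ /^#/ {print FILENAME": "$NF}' "$1$2/.ssh/authorized_keys"
    return 0
}

# Everything that is listening, with the owning process. Live system only.
listening_sockets() {
    ss -tlnup 2>/dev/null || netstat -tlnup 2>/dev/null || :
}

# Run the offline checks; findings go to stderr, the count to stdout so two runs
# (suspect snapshot vs. a known-good one) can be compared with a single number.
sweep() {                         # $1 = ROOT, $2 = HOME_REL
    {
        suspicious_rc_lines "$1" "$2"
        cron_commands "$1"
        autostart_execs "$1" "$2"
        custom_units "$1" "$2"
        ssh_keys "$1" "$2"
    } | tee /dev/stderr | wc -l | tr -d ' '
}

# Invoked as "sh sweep.sh --live" (file name is this example's own) it checks /.
case "${1:-}" in
    --live) sweep / "$HOME"; listening_sockets ;;
esac
```

A non-zero count is not proof of compromise; a Plasma desktop legitimately has autostart entries and the user has an authorized_keys file of their own. The useful comparison is the same sweep run against a known-good snapshot from before the symptoms started, which is what the btrfs rollback setup in the first post makes possible.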

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-21 15:14

Ardouos wrote:You run a lot of MS apps through PoL/wine and outdated software, so if something were to happen that would likely be the culprit. Linux is not immune to malware though, no OS is.

I would check if anything is running on startup, starting with:
- Your bash history,
- Your bashrc and profile files, both in your /etc and /home.
- Any cronjobs.
- Any startup daemons.
- Any ports exposed to the internet?
- Check any SSH keys are installed.
- Your DE's autostart.
- Checking logs is good to see if any suspicious activity has been done.

You could try running a clamav scan or Sophos(?).

That's my two cents.

I use a few known Wine Windows apps of my own, always the same ones, and I always run a killexe script I made after running them:
killexe.sh
Code:
#!/bin/sh
# Kill every Windows process running under Wine for this account, except Tomboy.
U=user                            # account the Wine apps run as (as in the original)

# pid=,cmd= suppresses the ps header; grep -i covers .exe and .EXE in one pass;
# the [e] keeps grep from matching its own command line, so kill is never
# handed the pid of an already-exited grep.
wine_pids() {
    ps -u "$U" -o pid=,cmd= | grep -i '\.ex[e]' | grep -Fv Tomboy | awk '{print $1}'
}

wine_pids | xargs -r kill         # SIGTERM first; -r: do nothing if no matches
sleep 1
wine_pids | xargs -r kill -9      # then force whatever ignored it
killall python
killall wineserver
sleep 1
killall tee tsr grep nc winedbg
sleep 1
killall -9 nc


I've just run "debsums -a" (which also checks configuration files), and everything is OK; no packages altered, no system configuration files altered. So it must be something in the home profile... I guess.

I suspect this began to happen when using youtube-dl hundreds of times within a script I made for downloading YouTube playlists. I will try moving back to an older youtube-dl version if it happens again.

I will also try a clamav scan or Sophos.

I will report back if it happens again, or with any other information.


Thanks, a lot.

Re: Am I Infected by a virus?

Postby bw123 » 2018-12-21 15:22

I'm using plasma on stretch, turned off the keyboard daemon a long time ago in systemsettings>startup/shutdown>background services. Also purged all of the input stuff, it was loaded down with all kinds of inputmethod apps, tons of unneeded stuff.

Code: home/user/.config/autostart-scripts/kb.sh
#!/bin/sh

# hack to work around kb bug
xset r rate 300 40


I don't know what version you are using, probably something very new? The image link you posted just goes to postimage.org for me.

Re: Am I Infected by a virus?

Postby Bulkley » 2018-12-21 15:39

Several years ago I thought my system had a virus. The culprit turned out to be a sick modem which was phoning home to its mama. I replaced the modem and never saw the "virus" again. I don't know whether or not bester69's machine has a virus but don't exclude the possibility that some hardware is acting up.

Re: Am I Infected by a virus?

Postby FreewheelinFrank » 2018-12-21 16:52

Have you tried using a different keyboard? Or plugging in an external keyboard if it's a laptop?

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-21 20:09

bw123 wrote:I'm using plasma on stretch, turned off the keyboard daemon a long time ago in systemsettings>startup/shutdown>background services. Also purged all of the input stuff, it was loaded down with all kinds of inputmethod apps, tons of unneeded stuff.

Code: home/user/.config/autostart-scripts/kb.sh
#!/bin/sh

# hack to work around kb bug
xset r rate 300 40


I don't know what ver you are using probably something very new? The image link you posted just goes to postimage.org for me.

It's working OK for the moment; we will see if it happens again, but I checked that I have the keyboard daemon disabled as well.

I've been using stretch + Plasma for years like you, and using btrfs to keep stable, tested snapshots, but I updated the last snapshot without testing it long enough, and now I drag the issue along within the snapshot.

I've done two things:
- updated the Java version
- updated youtube-dl (I feel this was the culprit)

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-21 20:18

Bulkley wrote:Several years ago I thought my system had a virus. The culprit turned out to be a sick modem which was phoning home to its mama. I replaced the modem and never saw the "virus" again. I don't know whether or not bester69's machine has a virus but don't exclude the possibility that some hardware is acting up.

Hi, thanks for answering

I've no hardware connected to my laptop and the keyboard works quite well. For the moment there's no problem; I think it had to do with youtube-dl... I was opening hundreds of background youtube-dl sessions by launching scripts I made for downloading all the thumbnail images of a playlist. But the strange thing is that the issue happened just after waking up from sleep, not while working and executing scripts, which seems very fishy (virus or trojan).

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 11:15

It has happened again!! :?
I'm using:
- Kernel 4.4.167 x86_64
- Stretch + Plasma
- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"

I think the culprit is the old Opera v42 browser I'm using, which is a Chrome-based build from 26-Jan-2017, though I can't be sure.

I saw I had the --disable-gpu-sandbox setting active; I have re-enabled the sandbox. I will report if this fixes it.
Code:
#LIBGL_DEBUG=verbose opera.run   --disable-gpu-sandbox  --disable-update &



happy christmas, :)

Re: Am I Infected by a virus?

Postby Head_on_a_Stick » 2018-12-25 11:17

bester69 wrote:- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"

I think the culprit is the old Opera v42 browser I'm using, which is a Chrome-based build from 26-Jan-2017, though I can't be sure.

^ This.

Spectre & Meltdown are both exploitable via the browser.

You do have javascript disabled, right? :roll:
"French riots get results! U lot are instagram zzzombies" — graffiti over Euston underpass
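
A way to see what that GRUB line actually switched off, as an added example (not from the thread). The kernel exposes two things worth reading: the boot command line in /proc/cmdline and, on kernels that carry the reporting patches, one status file per issue under /sys/devices/system/cpu/vulnerabilities, each starting with the word "Vulnerable" or "Mitigation:". Both locations are passed in as parameters so the functions can also be run over constructed data. The WEAKENING_PARAMS list is this example's own: the tokens from the post plus the mainline spellings of the same switches, with apparmor=0 included because the post disables it alongside the CPU mitigations.

```shell
#!/bin/sh
# Added example (not from the thread): report which Spectre/Meltdown mitigations
# a box has switched off. Two inputs, both parameterised so the functions can run
# against the live system or against constructed data:
#   1. the kernel command line            (live: /proc/cmdline)
#   2. the sysfs vulnerabilities directory (live: /sys/devices/system/cpu/vulnerabilities)

# Boot parameters that weaken or disable mitigations or MAC. List chosen for this
# example: the post's tokens plus the mainline names for the same switches.
WEAKENING_PARAMS="nopti pti=off noibrs noibpb nospectre_v2 spectre_v2=off nospec_store_bypass_disable mitigations=off apparmor=0"

# Print, one per line, every weakening parameter present on the command line.
disabled_mitigations() {          # $1 = kernel command line as one string
    for tok in $1; do
        for p in $WEAKENING_PARAMS; do
            [ "$tok" = "$p" ] && echo "$tok"
        done
    done
    return 0
}

# Print "name: status" for every entry of a vulnerabilities directory.
vuln_status() {                   # $1 = directory
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
    return 0
}

# Number of entries whose status begins with "Vulnerable" (the kernel's wording).
vulnerable_count() {              # $1 = directory
    vuln_status "$1" | grep -c ': Vulnerable' || :
}

# Live run: read the real files. Exits non-zero when anything is switched off or
# still reported vulnerable, so it can gate a cron job or a login message.
main() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    off=$(disabled_mitigations "$cmdline")
    [ -n "$off" ] && printf 'Disabled by boot parameters:\n%s\n' "$off"
    vuln_status /sys/devices/system/cpu/vulnerabilities
    n=$(vulnerable_count /sys/devices/system/cpu/vulnerabilities)
    [ -z "$off" ] && [ "$n" -eq 0 ]
}

# Invoked as "sh check_mitigations.sh --live" (file name is this example's own).
case "${1:-}" in
    --live) main ;;
esac
```

The two views do not always agree: a parameter like nopti is only honoured by a kernel that implements PTI, and the sysfs files report what the running kernel actually did, so the sysfs side is the one to believe when they differ. Note also that the apparmor=0 in the post has nothing to do with CPU side channels; it turns off the MAC layer that would otherwise confine the snaps mentioned in the first post.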

Re: Am I Infected by a virus?

Postby FreewheelinFrank » 2018-12-25 13:32

All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 13:41

Head_on_a_Stick wrote:
bester69 wrote:- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"

I think the culprit is the old Opera v42 browser I'm using, which is a Chrome-based build from 26-Jan-2017, though I can't be sure.

^ This.

Spectre & Meltdown are both exploitable via the browser.

You do have javascript disabled, right? :roll:

Hi Head, thanks for answering
I need JavaScript. So you think what's going on is about Spectre or Meltdown?
I have thought about resetting to a clean browser profile config on launch, but I guess that won't make it
Code:
# trailing slashes copy the contents of opera.clean over opera (without them
# rsync would create ./config/opera/opera.clean instead); --delete removes
# files the dirty profile has grown that the clean one lacks
rsync -aAXv --delete ./config/opera.clean/ ./config/opera/ && opera


What about firejail --private? What are the risks, what do you suggest? I tested firejail a little bit, and it seems to downgrade performance a little, but that could be a biased impression. If I use firejail, am I risking getting my Google/cloud account passwords hacked?

For Meltdown and Spectre, I think the latest Opera versions already come with mitigation measures... I think I will sadly have to move on to the new Opera browser.
Last edited by bester69 on 2018-12-25 13:50, edited 1 time in total.

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 13:46

FreewheelinFrank wrote:All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?

I didn't see high load when this was happening; I'm almost sure there wasn't. I will check it again. The laptop keyboard device is working 100% OK.

There was also some kind of very fast blinking refresh on screen while this was happening, like when you're infected by a virus. In my opinion and with my humble experience, this behaviour feels like a malware/virus infection... through the Opera browser (Jan-2017 build >> 2-year-old browser)... I think Head here is going to be right and the JavaScript browser is being backdoored (Meltdown, other..)
