[Not Solved] Am I Infected by a virus?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Am I Infected by a virus?

#16 Post by Head_on_a_Stick »

bester69 wrote:So you think what's going on is about Spectre or Meltdown?
I honestly don't know and I am far from expert in this subject but I do think leaving the kernel-based Spectre & Meltdown protections disabled and javascript in the (outdated) browser enabled exposes the user to some serious vulnerabilities and probably should not be tried without good reason.

Have you actually measured any performance differences with the protections enabled?

AFAIUI, the risky speculative execution is only used for certain types of operation, I can't notice much difference on the desktop.
bester69 wrote:What about firejail --private , what are the risks, what do you suggest?
The security of Firejail is based on the security of the kernel itself, which you have wilfully disabled, so I don't think it will help as much as some suggest.

But I'm no expert :)
bester69 wrote:I tested Firejail a little bit, and it seems to downgrade performance a little bit, but it could be bias, confused
You *are* confused, Firejail is a containerisation solution and should add no measurable overhead.

Benchmarks are the key here, try them instead of asking me.
bester69 wrote:For Meltdown and Spectre, I think the latest Opera versions already come with mitigation measures
AFAIUI, the browser-level mitigations just restrict the range of potential attacks rather than eliminate them entirely — you need the kernel protections as well.
deadbang

User avatar
bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#17 Post by bester69 »

Head_on_a_Stick wrote:.. you need the kernel protections as well.
OK,
I will first try this Chrome flag mitigation
https://blogs.opera.com/security/2018/0 ... abilities/
To improve the protection it is already possible to turn on something called Strict site isolation. This separates sites into different processes which makes it harder to exploit the hardware problem.
Thanks, Head.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#18 Post by bester69 »

One question, last day,
When playing in a multiplayer server, they managed to open a remote tab with a gift porn video in my Opera browser.. How is this so easily possible? :shock: What a big hole I must have in my Opera internet browser, OMG!!

- I have re-enabled gpu-isolation
If that does not work I will add
- the Chrome flag Strict site isolation
If that does not work I will have to update to the latest Opera version or enable kernel protection

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Am I Infected by a virus?

#19 Post by Bulkley »

bester69 wrote:When playing in multiplayer server, they managed to open a remote tab with a gift porn video in my opera browser..
That's one site I would never return to. The game is bait. The porn is more bait. You don't need the hassle.
What a big hole I must have in my opera internet browser, OMG!!
Frankly, I'd purge that browser and all of its configuration scripts, history and whatever is in your ~/user dot (hidden) files. After doing that, a fresh install of the latest Opera might be okay. It might be more prudent to use another browser, configure it for security and add NoScript or, at least, uBlock Origin to cut down on bot probes.

The most important tool for security is your own street smarts, that sense that one needs to avoid bad neighbourhoods and if one finds oneself wandering into a bad neighbourhood leaving immediately.

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Am I Infected by a virus?

#20 Post by xepan »

The first thing an exploit should do is announce itself as loud as possible, so the admin doesn't miss that it arrived. Making the keyboard go nuts sounds like a good method.

find -exec, OTOH, is very silent in what it does.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#21 Post by bester69 »

Bulkley wrote:
bester69 wrote:When playing in multiplayer server, they managed to open a remote tab with a gift porn video in my opera browser..
That's one site I would never return to. The game is bait. The porn is more bait. You don't need the hassle.

....

The most important tool for security is your own street smarts, that sense that one needs to avoid bad neighbourhoods and if one finds oneself wandering into a bad neighbourhood leaving immediately.
That's a SWAT server game; it's just that players or admins can see my IP in the server log, and some angry admin was joking with me during the kicking process by redirecting my browser to that porn video.. It's just that I saw that as a worrying security hole in my system..

So I installed gufw and blocked incoming connections... I guess this should prevent them from binding my browser to a new tab URL.

FreewheelinFrank
Global Moderator
Posts: 2107
Joined: 2010-06-07 16:59
Has thanked: 38 times
Been thanked: 230 times

Re: Am I Infected by a virus?

#22 Post by FreewheelinFrank »

bester69 wrote:
FreewheelinFrank wrote:All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?
I didn't see high load when this was happening, I'm almost sure there wasn't, I will check it again. The laptop keyboard device is working 100% OK,

There was also some kind of very fast blinding refresh on screen while this was happening, like when you're infected by a virus. In my opinion and with my humble experience, this behavior feels like a malware/virus infection.. through the Opera browser (Jan-2017 build >> 2 year old browser)... I think Head here is going to be right and the JavaScript browser is being backdoored (Meltdown, other..)
My apologies for reading into your post a meaning that wasn't there. But, we need to be clear then- "blinding"? "binding"? Your browser is stuck at a page, or keeps taking you to a page? What is the URL?

How on earth would this cause repeating characters when typing in the terminal?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#23 Post by bester69 »

FreewheelinFrank wrote:.....
My apologies for reading into your post a meaning that wasn't there. But, we need to be clear then- "blinding"? "binding"? Your browser is stuck at a page, or keeps taking you to a page? What is the URL?

How on earth would this cause repeating characters when typing in the terminal?
I think I saw some kind of tiny screen refresh blinking (not blinding); once this starts happening you can close the browser, and the Plasma desktop stays as if infected, with discreet blinking that prevents you from typing properly anywhere in the desktop .. so you can only restart the session to be able to do anything without trouble.
** The browser is able to talk to a page while the problem is on

I've also disabled all incoming traffic with the gufw firewall.. So now they can't talk to my computer :o

FreewheelinFrank
Global Moderator
Posts: 2107
Joined: 2010-06-07 16:59
Has thanked: 38 times
Been thanked: 230 times

Re: Am I Infected by a virus?

#24 Post by FreewheelinFrank »

No chance of a screen shot, I suppose? Or a video of this happening?

While it's possible that an exploit malware is crashing your browser and attempting to exploit the OS, it's also possible that the browser is crashing your video driver- something like this, maybe?

https://forums.opera.com/topic/23498/op ... nome-shell

Maybe try some of the advice there: "Try disabling hardware acceleration in opera," for a start.

Personally I'd consider that possibility more likely, but if you want to check for malware, try a bootable anti-virus rescue CD:

http://www.techmixer.com/free-bootable- ... load-list/

The Kaspersky disc would be my first try: it's even based on Linux, as I remember.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Am I Infected by a virus?

#25 Post by Head_on_a_Stick »

tripwire is good for the paranoid.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#26 Post by bester69 »

FreewheelinFrank wrote:No chance of a screen shot, I suppose? Or a video of this happening?

While it's possible that an exploit malware is crashing your browser and attempting to exploit the OS, it's also possible that the browser is crashing your video driver- something like this, maybe?

https://forums.opera.com/topic/23498/op ... nome-shell

Maybe try some of the advice there: "Try disabling hardware acceleration in opera," for a start.

Personally I'd consider that possibility more likely, but if you want to check for malware, try a bootable anti-virus rescue CD:

http://www.techmixer.com/free-bootable- ... load-list/

The Kaspersky disc would be my first try: it's even based on Linux, as I remember.
Hi, everything is "OK", as my installation is well tested and stable (I use btrfs snapshots to keep stable points),

I've not changed anything in the installation for so long, and nothing to do with the browser or graphical settings has been changed (but perhaps the Opera profile is being hacked)... In fact now everything is working "well".. I enabled blocking incoming traffic with the ufw firewall, and I'm waiting for it to happen again.. So it's not about drivers or anything like that.. I believe we're talking here about a malware remote exploit..

I'm sure I'm not infected by anything (unless the Opera profile has been compromised), I'm sure the problem is coming through Opera's extensions (I've around twelve active) or the JavaScript browser.. I hope that by blocking incoming traffic they can't call up the browser... I'm considering cleaning the profile extensions installation and using a clean reset profile on launching the browser, so I prevent the home profile from being and staying hacked.

On launching the browser, reset the profile:

Code:

# restore the Opera profile from a clean copy, deleting anything not in the copy
rsync -aAXv --delete ~/.config/opera.clean/ ~/.config/opera/
I will only try Sophos and ClamAV on Opera's profile, but I don't expect to find anything there.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#27 Post by bester69 »

Sophos scan (screenshot)

ClamAV scan (screenshot)
---------------------------

No threats found in the Opera profile folder :idea:

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#28 Post by bester69 »

Hi,
It seems as if blocking incoming traffic as I've set it (gufw firewall) has solved the security hole.. let's wait some more time and see if it doesn't happen again. :)

I'm also using a scheduled reset of the Opera browser profile, once a week in crontab.weekly, just in case, to clean up the browser profile:
#!/bin/sh
# Weekly job (run as root from cron): stop Opera, then restore its profile
# directory from a clean backup copy, deleting anything not in the backup.
export bootop=/home/user/LINUXDEBS/browsers/
su user -c "killall opera"
su user -c "rsync -aAXv --delete $bootop/opera.bak/ $bootop/opera/"

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Am I Infected by a virus?

#29 Post by pcalvert »

bester69 wrote:
It's seems as if the blocking incoming traffic Ive set (firewall gufw) would have solve the security hole.. let's wait some more time and see if not happen back. :)
A firewall won't help much if the connection is initiated by a process (like malware) on your computer. You probably already knew that, but many people apparently don't.

Here's something else to try:

Code:

# netstat -tulp |grep LISTEN
That will show you what ports are open and waiting for connections.

Example output:

Code:

# netstat -tulp |grep LISTEN
tcp        0      0 localhost:netbios-ssn   0.0.0.0:*               LISTEN      2698/smbd           
tcp        0      0 localhost:sunrpc        0.0.0.0:*               LISTEN      1439/portmap        
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      4016/cupsd          
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      2379/exim4          
tcp        0      0 localhost:microsoft-ds  0.0.0.0:*               LISTEN      2698/smbd           
tcp        0      0 localhost:675           0.0.0.0:*               LISTEN      1771/famd           
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      4016/cupsd          
tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      2379/exim4
Notice that all of the open ports are only available to processes running on the same system (localhost). That's good -- it's what you should aim for (most of the time) on a desktop system.

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#30 Post by bester69 »

pcalvert wrote: A firewall won't help much if the connection is initiated by a process (like malware) on your computer. You probably already knew that, but many people apparently don't.
Phil
Hi, Phil, thanks for answering
I guess my system is clean as I don't install any apps from untrusted sources, and most of my apps, but just two or three well known ones, come from Debian's repository.. I think they were using some old Opera extension or the JavaScript process to raise a backdoor hole, as I suppose they can listen for open computers with these security holes, and if they get any response from my computer, then they will start/run the remote hacking code .. As I've recently disabled incoming traffic with the firewall, I understand they won't be able to start this talk with my computer (I don't think there's any malware in my system to start outgoing traffic), so they can't exploit these security holes in my outdated internet browser. Though, I might be wrong here, I'm not an expert,.. for the moment, the firewall seems to have fixed it up. We will see soon, but I guess it's fixed with the firewall, I hope so.

OK, we will run this command if it happens again with the firewall on, to see what it shows.
netstat -tulp |grep LISTEN

Code:

 netstat -tulp |grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:6341          0.0.0.0:*               LISTEN      10913/megasync      
tcp        0      0 localhost:6342          0.0.0.0:*               LISTEN      10913/megasync      
tcp        0      0 hall.local:6600         0.0.0.0:*               LISTEN      18168/mpd           
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:1739               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1740               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1741               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1742               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1743               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:1744               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1745               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1746               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1747               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1748               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1716               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -                   
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      -               

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Am I Infected by a virus?

#31 Post by pcalvert »

These lines caught my attention:
bester69 wrote:

Code:

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:
You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.
Phil
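An added example (not code from this thread) that automates the check Phil describes in posts #29 and #31: it reads `netstat -tulp | grep LISTEN` style output and reports only the sockets bound to every interface (0.0.0.0 or [::]) instead of loopback, which is exactly the sunrpc/ssh case quoted above. The sample input is constructed from lines posted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Filters netstat-style LISTEN lines
# and reports the sockets reachable from other hosts (bound to 0.0.0.0, [::]
# or any other non-loopback address). SAMPLE is constructed from the thread.
SAMPLE='tcp        0      0 localhost:6341          0.0.0.0:*               LISTEN      10913/megasync
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:1716               [::]:*                  LISTEN      2690/kdeconnectd
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      -'

# Read netstat -tulp output on stdin; print "proto local-address program" for
# every LISTEN socket whose local address is not a loopback address.
# Loopback forms netstat prints: localhost, ip6-localhost, 127.x.x.x, [::1].
# Column 4 is the local address, column 6 the state, column 7 PID/program.
exposed_listeners() {
    awk '$6 == "LISTEN" &&
         $4 !~ /^(localhost|ip6-localhost|127\.)/ &&
         $4 !~ /^\[::1\]:/ { print $1, $4, $7 }'
}

# Number of exposed listeners in the constructed sample.
count_exposed_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners | wc -l | tr -d ' '
}

# Report on the sample. On a real host run as root:
#   netstat -tulp 2>/dev/null | exposed_listeners
echo "Listeners reachable from other hosts:"
printf '%s\n' "$SAMPLE" | exposed_listeners
```

Every line the script prints is a service that a firewall rule, a loopback-only bind (as in the portmap note above) or simply not running the daemon would take off the network.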

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#32 Post by bester69 »

pcalvert wrote:These lines caught my attention:
bester69 wrote:

Code:

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:
You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.
Phil
Hi Phil,
ssh must be necessary for kdeconnect, and I don't have that file in my system (/etc/default/portmap)

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Solved] Am I Infected by a virus?

#33 Post by bester69 »

Solved by blocking incoming traffic with a firewall (gufw)

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#34 Post by bester69 »

Hi,

Two and a half months later, it has happened again... I'm sure this infection arrives through the Opera browser and affects system memory, so I guess it comes in through the JavaScript browser, such as is reported with Spectre or Meltdown.. So I think I'm being attacked with the Spectre/Meltdown vector security hole... So, I guess somewhere, someone is tracing my IP with the listening attack vector Spectre/Meltdown.. wth!!, I didn't think that was able to happen to an anonymous user like me.

So, the firewall has not been enough to protect me against this attack vector (I'm guessing it's about Spectre or Meltdown) as it has been reported by known sources.

I guess I will have to re-enable those security patches in grub, and wait for next time to see if it happens again.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#35 Post by bester69 »

Hi,

Running spectre-meltdown-checker, for CVE-2017-5754 aka 'Variant 3, Meltdown', it says:
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
Does this mean that only applying this patch (enabling PTI) has a significant impact on my system? ..so I can keep the rest of the patches applied but not this one?
