[Not Solved] Am I Infected by a virus?

Linux Kernel, Network, and Services configuration.
pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Am I Infected by a virus?

#31 Post by pcalvert »

These lines caught my attention:
bester69 wrote:

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:
You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.
Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.
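The check pcalvert is doing by eye above (which LISTEN sockets are bound to a wildcard address and therefore reachable from other hosts, versus bound to loopback only) can be scripted. The following POSIX shell script is an added example, not code from this thread or from any of its posters; the sample netstat lines are constructed to mirror the ones quoted in the thread, and the function names are my own. It splits each LISTEN line into protocol and service and reports the wildcard-bound sockets separately from the loopback-only ones, which is the state the thread's portmap fix (OPTIONS="-i 127.0.0.1") is meant to produce for sunrpc.

```shell
#!/bin/sh
# Added example, not from the thread. Classify LISTEN sockets from
# `netstat -tln`-style output by whether the local address is a wildcard
# (0.0.0.0 or [::], reachable from other hosts) or a specific address
# such as 127.0.0.1 / ::1 (local only).

# Constructed sample: the thread's four lines plus two loopback-only ones.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:cups          0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -
tcp6       0      0 ::1:ipp                 [::]:*                  LISTEN      -'

# list_listeners TEXT MODE
#   MODE "exposed": print "proto service" for wildcard-bound LISTEN sockets
#   MODE "local":   print the same for sockets bound to a specific address
# Field 4 is the local address; the service/port is the text after the last
# colon, so IPv6 addresses (which contain colons) are handled correctly.
list_listeners() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")
            service = parts[n]
            addr = substr($4, 1, length($4) - length(service) - 1)
            wildcard = (addr == "0.0.0.0" || addr == "[::]")
            if ((want == "exposed" && wildcard) || (want == "local" && !wildcard))
                print $1, service
        }'
}

exposed_listeners()       { list_listeners "$1" exposed; }
loopback_only_listeners() { list_listeners "$1" local; }

# Stand-alone run against the constructed sample. On a live system,
# substitute "$(netstat -tln)" (or "$(ss -tln)" with the same column logic
# adjusted) for "$SAMPLE_NETSTAT".
echo "Reachable from other hosts:"
exposed_listeners "$SAMPLE_NETSTAT"
echo "Loopback only:"
loopback_only_listeners "$SAMPLE_NETSTAT"
```

Anything in the "reachable from other hosts" list is a service to either justify, firewall, or rebind to loopback, which is exactly the decision the thread walks through for ssh and sunrpc.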

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#32 Post by bester69 »

pcalvert wrote:These lines caught my attention:
bester69 wrote:

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:
You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.
Phil
Hi Phil,
ssh must be necessary for kdeconnect, and I don't have that file on my system (/etc/default/portmap).
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Solved] Am I Infected by a virus?

#33 Post by bester69 »

Solved by blocking incoming traffic with a firewall (gufw).

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#34 Post by bester69 »

Hi,

Two and a half months later, it has happened again... I'm sure this infection arrives through the Opera browser and affects system memory, so I guess it comes in through browser JavaScript, as is reported with Spectre or Meltdown.. So I think I'm being attacked with the Spectre/Meltdown vector security hole... So, I guess somewhere, someone is tracing my IP with the listening attack vector Spectre/Meltdown.. wth!!, I didn't think that was able to happen to an anonymous user like me.

So, the firewall has not been enough to protect me against this attack vector (I'm guessing it's about Spectre or Meltdown), as has been reported by known sources.

I guess I will have to enable back those security patches in GRUB, and wait to see if it happens again.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#35 Post by bester69 »

Hi,

Running spectre-meltdown-checker, for CVE-2017-5754 aka 'Variant 3, Meltdown', it says:
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
Does this mean only applying this patch has a significant impact on my system (enabling PTI)? ..so I can keep the rest of the patches applied but not this one?

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: [Not Solved] Am I Infected by a virus?

#36 Post by stevepusser »

How are you "applying the patch"? Are you just removing the kernel boot flag that disables pti?

You can install stress and run some benchmarks before and after to see if your performance takes a hit.
MX Linux packager and developer

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: [Not Solved] Am I Infected by a virus?

#37 Post by Head_on_a_Stick »

bester69 wrote:I'm sure this infection arrives through Opera browser
+1

Opera is webkit-based and those libraries are massively outdated in Debian stable; you have a gaping hole in your system...

Use either chromium or firefox-esr from the official repositories.
deadbang

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#38 Post by bester69 »

stevepusser wrote:How are you "applying the patch"? Are you just removing the kernel boot flag that disables pti?

You can install stress and run some benchmarks before and after to see if your performance takes a hit.
Yes, I'm removing boot flags. Now I've enabled back the spectre_v2 patch and left Meltdown (PTI disabled >> spectre/meltdown checker says performance impact of PTI will be significant).
My kernel: 4.4.167

GRUB_CMDLINE_LINUX_DEFAULT="zswap.enabled=0 zswap.zpool=zsmalloc apparmor=0 nopti noibrs noibpb"
When I enable PTI to protect against Meltdown, I noticed the internet browser feels less responsive; for example, the vertical scrollbar in some heavy JavaScript websites becomes laggy. So, I have only left the Spectre mitigation on for now.
My laptop, an Extensa 5230, has very little CPU for the latest Chrome/Firefox browsers and for Meltdown/Spectre mitigations.. the system becomes kind of slow.
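The GRUB line in the post above is where the thread's mitigation decisions actually live, and the spectre-meltdown-checker output quoted earlier is the other side of the same question. The following POSIX shell script is an added example, not code from this thread or its posters: it parses a GRUB_CMDLINE_LINUX_DEFAULT line (the sample is constructed from the one posted) and reports each kernel parameter that switches a protection off, then, where the running kernel exposes it, reads the live mitigation status from /sys/devices/system/cpu/vulnerabilities. The function names are my own; `nopti`, `nospectre_v1`, `nospectre_v2` and `mitigations=off` are upstream kernel parameters, `apparmor=0` is the upstream switch for the AppArmor LSM, and `noibrs`/`noibpb` are the flags as they appear in the thread's 4.4-series kernel command line.

```shell
#!/bin/sh
# Added example, not from the thread. Report which protections a GRUB
# kernel command line turns off, and show the kernel's own view of its
# CPU-vulnerability mitigations when the sysfs interface exists.

# Constructed from the GRUB_CMDLINE_LINUX_DEFAULT line posted in the thread.
SAMPLE_GRUB_LINE='GRUB_CMDLINE_LINUX_DEFAULT="zswap.enabled=0 zswap.zpool=zsmalloc apparmor=0 nopti noibrs noibpb"'

# disabled_protections LINE
#   Extract the quoted command line and print one "flag: effect" line per
#   recognised parameter that disables a protection. Unrelated parameters
#   (zswap.*, quiet, splash, ...) are ignored.
disabled_protections() {
    cmdline=$(printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p')
    for param in $cmdline; do
        case "$param" in
            nopti)           echo "nopti: Meltdown mitigation (kernel page-table isolation) off" ;;
            noibrs|noibpb)   echo "$param: Spectre v2 IBRS/IBPB mitigation off (4.4-series kernel flag)" ;;
            nospectre_v1)    echo "nospectre_v1: Spectre v1 mitigation off" ;;
            nospectre_v2)    echo "nospectre_v2: Spectre v2 mitigation off" ;;
            mitigations=off) echo "mitigations=off: all CPU vulnerability mitigations off" ;;
            apparmor=0)      echo "apparmor=0: AppArmor mandatory access control off" ;;
        esac
    done
}

# live_mitigation_status
#   Print "<vulnerability>: <kernel status string>" for every entry the
#   running kernel exposes under /sys/devices/system/cpu/vulnerabilities.
#   Older kernels without that directory simply report it as absent.
live_mitigation_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ ! -d "$dir" ]; then
        echo "$dir not present: this kernel does not report mitigation status"
        return 0
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Stand-alone run: static view of the sample line, then the live view.
echo "Protections disabled by the sample GRUB line:"
disabled_protections "$SAMPLE_GRUB_LINE"
echo
echo "Running kernel's view:"
live_mitigation_status
```

On a real machine, feed `grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub` into `disabled_protections` and compare with the live sysfs view: the two should agree after `update-grub` and a reboot, and a mismatch usually means the edited line was never regenerated into the boot configuration.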

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: [Not Solved] Am I Infected by a virus?

#39 Post by Wheelerof4te »

bester69 wrote:My laptop, an Extensa 5230, has very little CPU for the latest Chrome/Firefox browsers and for Meltdown/Spectre mitigations.. the system becomes kind of slow.
Well, you asked for it by running an
1. outdated browser,
2. running an insecure, old kernel,
3. using wine heavily
4. in general being stubborn to switch from bloated, old KDE version that your system can't run fast enough.

If I were you, I would first reinstall Debian Stable with either XFCE4 or learn some window manager. Openbox + tint2 panel is a good start for beginners. Then, I would quit breaking and meddling with my system by creating countless scripts that do who-knows-what. Once you do all that, your system will be safe and you yourself will be less stressed.
As motivational info, I myself used the Openbox + tint2 combo on my old PC with 512MB of RAM, a Celeron D CPU and 80 GB of spinning-rust storage. Yours is surely faster than that.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#40 Post by bester69 »

For the moment, I've left only spectre_v2 protection enabled.. and Meltdown protection disabled (due to performance impact). I will keep the outdated Opera v42 browser (can't live with the latest browser versions, not enough CPU to run them properly) and see if it happens again.

I think I will take that risk; every time it happens I reboot the computer immediately.. I've read it reads loaded process memory to steal information, so I usually don't have any other app open together with the browser, and when that happens it's for a very short time, so I don't see any big risk here... furthermore, it seems this attack affects normal keyboard behaviour, so I can notice when I'm under attack and reboot the system.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#41 Post by bester69 »

Right now, I've the spectre_v2 patch enabled (no significant performance penalty)
and firejail with Opera v42 (outdated browser), and performance is very good.

opera.sh

#!/bin/bash
firejail --profile=/home/user/.config/firejail/opera.profile --private=/home/user/operajail/ opera.run  -d  --disable-gpu-sandbox  --disable-update  "$1" &