[Not Solved] Am I Infected by a virus?


Re: Am I Infected by a virus?

Postby Head_on_a_Stick » 2018-12-25 14:06

bester69 wrote:So you think what's going on is about Spectre or Meltdown?

I honestly don't know and I am far from expert in this subject but I do think leaving the kernel-based Spectre & Meltdown protections disabled and javascript in the (outdated) browser enabled exposes the user to some serious vulnerabilities and probably should not be tried without good reason.

Have you actually measured any performance differences with the protections enabled?

AFAIUI, the risky speculative execution is only used for certain types of operation; I can't notice much difference on the desktop.

bester69 wrote:What about firejail --private , what are the risks, what do you suggest?

The security of Firejail is based on the security of the kernel itself, which you have wilfully disabled, so I don't think it will help as much as some suggest.

But I'm no expert :)

bester69 wrote:I tested Firejail a little bit, and it seems to downgrade performance a little bit, but it could be bias; I could be confused.

You *are* confused, Firejail is a containerisation solution and should add no measurable overhead.

Benchmarks are the key here, try them instead of asking me.

bester69 wrote:For Meltdown and Spectre, I think last opera versions already comes with mitigation measurements

AFAIUI, the browser-level mitigations just restrict the range of potential attacks rather than eliminate them entirely — you need the kernel protections as well.
Head_on_a_Stick
Posts: 10321
Joined: 2014-06-01 17:46
Location: /dev/chair
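Head_on_a_Stick's point is that the kernel-level mitigations are the baseline. An added example (not from anyone in this thread) that shows how to see which of them the running kernel actually has active, using the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/. The function name, the "!!" marking, the VULN_COUNT variable and the sample directory are my own; the sample directory's file names are real sysfs entries, but its contents are constructed values chosen to show one unmitigated issue:

```shell
#!/bin/sh
# Added example (not from the thread): list the kernel's CPU side-channel
# mitigation status. Since 4.15 the kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# ...) whose content is "Not affected", "Mitigation: ..." or "Vulnerable...".
# Booting with the mitigations switched off is what makes those files say
# "Vulnerable", which is the state the thread is arguing about.
#
# Usage: check_cpu_mitigations            # inspect the running kernel
#        check_cpu_mitigations /some/dir  # inspect a directory in the same layout
# Prints one line per issue ("!!" marks unmitigated ones), sets VULN_COUNT, and
# returns 0 when nothing is reported vulnerable, 1 otherwise (2 if no report).

check_cpu_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    VULN_COUNT=0
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel predates the sysfs vulnerability report" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            Vulnerable*) mark='!!'; VULN_COUNT=$((VULN_COUNT + 1)) ;;
            *)           mark='  ' ;;
        esac
        printf '%s %-28s %s\n' "$mark" "$(basename "$f")" "$status"
    done
    [ "$VULN_COUNT" -eq 0 ]
}

# Constructed sample directory in the same layout, so the check can be run
# without root or a particular kernel. The file names are real sysfs entries;
# the contents are typical values, chosen here to show one unmitigated issue
# (spectre_v2 reads "Vulnerable", as it does when that mitigation is disabled
# at boot).
make_sample_vulnerabilities() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/l1tf"
    echo "$d"
}
```

On a real machine just call `check_cpu_mitigations` with no argument; the sysfs files are world-readable, so no root is needed, and a non-zero return status makes it easy to use from a login script as a reminder that the protections are off.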

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 15:27

Head_on_a_Stick wrote:.. you need the kernel protections as well.

OK,
I will try first with this Chrome-flag mitigation:
https://blogs.opera.com/security/2018/0 ... abilities/
To improve the protection it is already possible to turn on something called Strict site isolation. This separates sites into different processes which makes it harder to exploit the hardware problem.

thanks Head.
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
bester69
Posts: 1413
Joined: 2015-04-02 13:15

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 16:21

One question about the other day:
when playing on a multiplayer server, they managed to open a remote tab with a GIF porn video in my Opera browser. How is this so easily possible? :shock: What a big hole I must have in my Opera internet browser, OMG!!

- I have re-enabled GPU isolation
- if that doesn't work I will add the Chrome flag Strict site isolation
- if that doesn't work I will have to update to the latest Opera version or enable the kernel protection

Re: Am I Infected by a virus?

Postby Bulkley » 2018-12-25 17:07

bester69 wrote:When playing in multiplayer server, they managed to open a remote tab with a gift porn video in my opera browser..

That's one site I would never return to. The game is bait. The porn is more bait. You don't need the hassle.

What a big hole I must have in my opera internet browser, OMG!!

Frankly, I'd purge that browser and all of its configuration scripts, history and whatever is in your ~/user dot (hidden) files. After doing that, a fresh install of the latest Opera might be okay. It might be more prudent to use another browser, configure it for security and add NoScript or, at least, uBlock Origin to cut down on bot probes.

The most important tool for security is your own street smarts, that sense that one needs to avoid bad neighbourhoods and if one finds oneself wandering into a bad neighbourhood leaving immediately.
Bulkley
 
Posts: 5826
Joined: 2006-02-11 18:35

Re: Am I Infected by a virus?

Postby xepan » 2018-12-25 17:20

The first thing an exploit should do is announce itself as loudly as possible, so the admin doesn't miss that it arrived. Making the keyboard go nuts sounds like a good method.

find -exec, OTOH, is very silent in what it does.
xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 17:38

Bulkley wrote:
bester69 wrote:When playing in multiplayer server, they managed to open a remote tab with a gift porn video in my opera browser..

That's one site I would never return to. The game is bait. The porn is more bait. You don't need the hassle.

....

The most important tool for security is your own street smarts, that sense that one needs to avoid bad neighbourhoods and if one finds oneself wandering into a bad neighbourhood leaving immediately.


That's a SWAT server game; it's just that players or admins can see my IP in the server log, and some angry admin was joking with me during the kicking process by redirecting my browser to that porn video. It's just that I saw that as a worrying security hole in my system.

So I installed gufw and blocked incoming traffic... I guess this should prevent them binding my browser to a new tab URL.

Re: Am I Infected by a virus?

Postby FreewheelinFrank » 2018-12-25 21:20

bester69 wrote:
FreewheelinFrank wrote:All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?

I didn't see high load when this was happening; I'm almost sure there wasn't, but I will check it again. The laptop keyboard is working 100% OK.

There was also some kind of very fast blinding refresh on screen while this was happening, like when you're infected by a virus. In my opinion, and with my humble experience, this behaviour feels like a malware/virus infection... through the Opera browser (built Jan 2017 >> 2-year-old browser)... I think Head here is going to be right and the browser's JavaScript is being backdoored (Meltdown, other...).


My apologies for reading into your post a meaning that wasn't there. But, we need to be clear then- "blinding"? "binding"? Your browser is stuck at a page, or keeps taking you to a page? What is the URL?

How on earth would this cause repeating characters when typing in the terminal?
FreewheelinFrank
Posts: 275
Joined: 2010-06-07 16:59

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-25 22:41

FreewheelinFrank wrote:....
My apologies for reading into your post a meaning that wasn't there. But, we need to be clear then- "blinding"? "binding"? Your browser is stuck at a page, or keeps taking you to a page? What is the URL?

How on earth would this cause repeating characters when typing in the terminal?

I think I saw some kind of tiny screen-refresh blinking (not blinding); once this starts happening you can close the browser, but the Plasma desktop stays as if infected, with discreet blinking, and prevents you from typing properly anywhere on the desktop... so you can only restart the session to be able to do anything without trouble.
** The browser is able to talk to a page while the problem is on.

I've also disabled all incoming traffic with the gufw firewall... So now they can't talk to my computer :o

Re: Am I Infected by a virus?

Postby FreewheelinFrank » 2018-12-26 08:18

No chance of a screen shot, I suppose? Or a video of this happening?

While it's possible that an exploit malware is crashing your browser and attempting to exploit the OS, it's also possible that the browser is crashing your video driver- something like this, maybe?

https://forums.opera.com/topic/23498/opera-crashes-gnome-shell

Maybe try some of the advice there: "Try disabling hardware acceleration in opera," for a start.

Personally I'd consider that possibility more likely, but if you want to check for malware, try a bootable anti-virus rescue CD:

http://www.techmixer.com/free-bootable- ... load-list/

The Kaspersky disc would be my first try: it's even based on Linux, as I remember.
FreewheelinFrank

Re: Am I Infected by a virus?

Postby Head_on_a_Stick » 2018-12-26 09:25

tripwire is good for the paranoid.
Head_on_a_Stick

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-26 11:12

FreewheelinFrank wrote:No chance of a screen shot, I suppose? Or a video of this happening?

While it's possible that an exploit malware is crashing your browser and attempting to exploit the OS, it's also possible that the browser is crashing your video driver- something like this, maybe?

https://forums.opera.com/topic/23498/opera-crashes-gnome-shell

Maybe try some of the advice there: "Try disabling hardware acceleration in opera," for a start.

Personally I'd consider that possibility more likely, but if you want to check for malware, try a bootable anti-virus rescue CD:

http://www.techmixer.com/free-bootable- ... load-list/

The Kaspersky disc would be my first try: it's even based on Linux, as I remember.


Hi, everything is "OK", as my installation is well tested and stable (I use btrfs snapshots to keep stable points).

I've not changed anything in the installation for so long, and nothing to do with the browser or graphical settings has been changed (but perhaps the Opera profile is being hacked)... In fact now everything is working "well"... I enabled blocking incoming traffic with the ufw firewall, and I'm waiting for it to happen again... So it's not about drivers or anything like that... I believe we're talking here about a remote malware exploit...

I'm sure I'm not infected by anything (unless the Opera profile has been compromised); I'm sure the problem is coming through Opera's extensions (I've around twelve active) or the browser's JavaScript... I hope that by blocking incoming traffic they can't call up the browser... I'm considering cleaning the profile's extension installation and using a clean reset profile on launching the browser, so I prevent the home profile from being and staying hacked.

On launching the browser, reset the profile:
Code: Select all
# restore the clean profile copy over the live one (--delete removes anything added since)
rsync -aAXv --delete ~/.config/opera.clean/ ~/.config/opera/


I will only try Sophos and ClamAV on Opera's profile, but I don't expect to find anything there.

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-26 12:00

Sophos scan (screenshot)

ClamAV scan (screenshot)
---------------------------

No threats found in the Opera profile folder :idea:

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-29 08:48

Hi,
It seems as if the blocking of incoming traffic I've set (gufw firewall) has solved the security hole... let's wait some more time and see if it doesn't happen again. :)

I'm also using a scheduled reset of the Opera browser profile, once a week in crontab.weekly, just in case, to clean up the browser profile:
Code: Select all
#!/bin/sh
# Weekly Opera profile reset: stop the browser, then restore the clean backup
# copy over the live profile (--delete drops anything added since the backup).
export bootop=/home/user/LINUXDEBS/browsers/
su user -c "killall opera"
su user -c "rsync -aAXv --delete $bootop/opera.bak/ $bootop/opera/"

Re: Am I Infected by a virus?

Postby pcalvert » 2018-12-29 22:54

bester69 wrote:
It's seems as if the blocking incoming traffic Ive set (firewall gufw) would have solve the security hole.. let's wait some more time and see if not happen back. :)

A firewall won't help much if the connection is initiated by a process (like malware) on your computer. You probably already knew that, but many people apparently don't.

Here's something else to try:
Code: Select all
# netstat -tulp |grep LISTEN

That will show you what ports are open and waiting for connections.

Example output:
Code: Select all
# netstat -tulp |grep LISTEN
tcp        0      0 localhost:netbios-ssn   0.0.0.0:*               LISTEN      2698/smbd           
tcp        0      0 localhost:sunrpc        0.0.0.0:*               LISTEN      1439/portmap       
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      4016/cupsd         
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      2379/exim4         
tcp        0      0 localhost:microsoft-ds  0.0.0.0:*               LISTEN      2698/smbd           
tcp        0      0 localhost:675           0.0.0.0:*               LISTEN      1771/famd           
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      4016/cupsd         
tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      2379/exim4


Notice that all of the open ports are only available to processes running on the same system (localhost). That's good -- it's what you should aim for (most of the time) on a desktop system.

Phil
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
Posts: 1841
Joined: 2006-04-21 11:19
Location: Sol Sector
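pcalvert's check is to eyeball the LISTEN lines and confirm every local address is localhost. An added example (mine, not pcalvert's or anyone else's in the thread) that automates that check: it reads `netstat -tulp | grep LISTEN` output on stdin and prints only the sockets bound to something other than a loopback address. The function names are my own; the sample input is constructed in the same layout as the netstat output quoted in this thread:

```shell
#!/bin/sh
# Added example (not from the thread): take `netstat -tulp | grep LISTEN` output
# on stdin and print only the listeners that other hosts can reach, i.e. those
# whose local address is not a loopback address. This automates the check
# pcalvert describes: on a desktop, every line should be localhost-only.
#
# Usage on a live system (the pid/program column needs root, as netstat warns):
#   netstat -tulp 2>/dev/null | grep LISTEN | exposed_listeners
# Output: one line per exposed socket, "proto local_address pid/program".
# Returns 1 if any exposed listener was found, 0 if all are loopback-only.

exposed_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $4
            # loopback spellings netstat uses: localhost, ip6-localhost, 127.x.x.x, ::1
            if (addr ~ /^(localhost|ip6-localhost|127\.[0-9.]+|::1|\[::1\]):/) next
            # last field is "pid/program" or "-" (tcp lines carry a LISTEN column, udp lines do not)
            print $1, addr, $NF
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample in the layout of the thread's own netstat output: a mix of
# loopback-only services and sockets bound to every interface (0.0.0.0 / [::])
# or to the machine's LAN hostname.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 localhost:6341          0.0.0.0:*               LISTEN      10913/megasync
tcp        0      0 hall.local:6600         0.0.0.0:*               LISTEN      18168/mpd
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:1716               [::]:*                  LISTEN      2690/kdeconnectd
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      4016/cupsd
EOF
}
```

Running `sample_netstat | exposed_listeners` reports mpd, sunrpc, ssh and kdeconnectd and returns 1; the megasync and cupsd lines are dropped because they are loopback-only. With `netstat -n` the addresses come out numerically (127.0.0.1, ::1), which the pattern also accepts. A firewall that blocks incoming traffic hides these from the outside, but, as pcalvert says, the better target is for the list to be empty in the first place.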

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-30 12:33

pcalvert wrote:A firewall won't help much if the connection is initiated by a process (like malware) on your computer. You probably already knew that, but many people apparently don't.
Phil

Hi Phil, thanks for answering.
I guess my system is clean, as I don't install any apps from untrusted sources, and most of my apps, all but two or three well-known ones, come from Debian's repository... I think they were using some old Opera extension or the JavaScript process to raise a backdoor hole, as I suppose they can listen for open computers with these security holes, and if they get any response from my computer, then they will start running the remote hacking code... As I've recently disabled incoming traffic with the firewall, I understand they won't be able to start this talk with my computer (I don't think there's any malware in my system to start outgoing traffic), so they can't exploit these security holes in my outdated internet browser. Though I might be wrong here, I'm not an expert... for the moment, the firewall seems to have fixed it up. We will see soon, but I guess it's fixed with the firewall, I hope so.

OK, we will run this command if it happens again with the firewall on, to see what it shows:
Code: Select all
 netstat -tulp |grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:6341          0.0.0.0:*               LISTEN      10913/megasync     
tcp        0      0 localhost:6342          0.0.0.0:*               LISTEN      10913/megasync     
tcp        0      0 hall.local:6600         0.0.0.0:*               LISTEN      18168/mpd           
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:1739               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1740               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1741               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1742               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1743               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:1744               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1745               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1746               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1747               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1748               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:1716               [::]:*                  LISTEN      2690/kdeconnectd   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -                   
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      -               
