[Not Solved] Am I Infected by a virus?


Re: Am I Infected by a virus?

Postby pcalvert » 2018-12-31 00:25

These lines caught my attention:
bester69 wrote:
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   


Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:

You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.


Phil
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
 
Posts: 1842
Joined: 2006-04-21 11:19
Location: Sol Sector
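As an added check for the point pcalvert raises (example code written for this thread, not pcalvert's notes and not Debian's), the script below reads `netstat -tln`-style output and flags every LISTEN socket bound to the wildcard addresses 0.0.0.0 or [::], and tests whether a /etc/default/portmap-style file actually has the loopback OPTIONS line active rather than commented out. The netstat lines and the defaults-file text are constructed samples. On newer Debian releases the portmapper is rpcbind with its own defaults file and option syntax (an assumption about the reader's system, as bester69 notes the portmap file is absent), so the OPTIONS check applies to the portmap file pcalvert names.

```shell
#!/bin/sh
# Added example, not from the thread: find services listening on every interface.
# Reads `netstat -tln` style lines; the sample below is constructed, not a real host.

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -
tcp6       0      0 ::1:ipp                 [::]:*                  LISTEN      -'

# Constructed /etc/default/portmap-style contents: the loopback option is commented out.
SAMPLE_PORTMAP_DEFAULTS='# portmap defaults
#OPTIONS="-i 127.0.0.1"'

# wildcard_listeners TEXT: print "proto local_address" for every LISTEN socket
# bound to 0.0.0.0 or [::], i.e. reachable from any interface the host has.
wildcard_listeners() {
    printf '%s\n' "$1" |
        awk '$6 == "LISTEN" && (index($4, "0.0.0.0:") == 1 || index($4, "[::]:") == 1) { print $1, $4 }'
}

# count_wildcard_listeners TEXT: number of wildcard-bound LISTEN sockets.
count_wildcard_listeners() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# has_wildcard_binding TEXT SERVICE: exit 0 if SERVICE (a name or port as netstat
# prints it, e.g. sunrpc, ssh, 631) is bound to a wildcard address anywhere in TEXT.
has_wildcard_binding() {
    wildcard_listeners "$1" | awk -v s=":$2\$" '$2 ~ s { found = 1 } END { exit found ? 0 : 1 }'
}

# portmap_loopback_only TEXT: exit 0 if TEXT (contents of /etc/default/portmap)
# has an active, uncommented OPTIONS line binding portmap to 127.0.0.1.
portmap_loopback_only() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*OPTIONS=.*-i[[:space:]]+127\.0\.0\.1'
}

# Report on the constructed sample; pass "$(netstat -tln)" instead for a live host.
echo "Listening on all interfaces:"
wildcard_listeners "$SAMPLE_NETSTAT"
if portmap_loopback_only "$SAMPLE_PORTMAP_DEFAULTS"; then
    echo "portmap: restricted to loopback"
else
    echo "portmap: NOT restricted to loopback (OPTIONS line missing or commented out)"
fi
```

The awk filter keys on netstat's column order (local address in field 4, state in field 6); `ss -tln` prints its columns in a different order, so feed it netstat output or adjust the field numbers. A loopback-only binding such as 127.0.0.1:631 or ::1:ipp is deliberately not reported, since that is the state pcalvert's note aims for.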

Re: Am I Infected by a virus?

Postby bester69 » 2018-12-31 09:50

pcalvert wrote:These lines caught my attention:
bester69 wrote:
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   


Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:

You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.


Phil

Hi Phil,
ssh must be necessary for kdeconnect, and I don't have that file on my system (/etc/default/portmap)
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
bester69
 
Posts: 1413
Joined: 2015-04-02 13:15

Re: [Solved] Am I Infected by a virus?

Postby bester69 » 2019-01-04 14:46

Solved by blocking incoming traffic with a firewall (gufw)

Re: [Not Solved] Am I Infected by a virus?

Postby bester69 » 2019-03-11 22:37

Hi,

Two and a half months later, it has happened again... I'm sure this infection arrives through the Opera browser and affects system memory, so I guess it comes in through browser JavaScript, as is reported with Spectre or Meltdown... So I think I'm being attacked with the Spectre/Meltdown vector security hole... So, I guess somewhere, someone is tracing my IP with a listening attack vector, Spectre/Meltdown... wth!!, I didn't think that was able to happen to an anonymous user like me.

So, the firewall has not been enough to protect me against this attack vector (I'm guessing it's about Spectre or Meltdown), as has been reported by known sources.

I guess I will have to re-enable those security patches in grub, and wait to see if it happens again next time.

Re: [Not Solved] Am I Infected by a virus?

Postby bester69 » 2019-03-12 00:29

Hi,

Running spectre-meltdown-checker, for CVE-2017-5754 aka 'Variant 3, Meltdown', it says:
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)


Does this mean that only applying this patch (enabling PTI) has a significant impact on my system? ...so can I keep the rest of the patches applied but not this one?

Re: [Not Solved] Am I Infected by a virus?

Postby stevepusser » 2019-03-12 02:47

How are you "applying the patch"? Are you just removing the kernel boot flag that disables pti?

You can install stress and run some benchmarks before and after to see if your performance takes a hit.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Foliate 1.5.3, Minitube 3.1, wine-staging 4.12, Virtual Box 5.2.32 & 6.0.10, Pale Moon 28.6.1, Waterfox 56.2.12
stevepusser
 
Posts: 11022
Joined: 2009-10-06 05:53

Re: [Not Solved] Am I Infected by a virus?

Postby Head_on_a_Stick » 2019-03-12 07:18

bester69 wrote:I'm sure this infection arrives through Opera browser

+1

Opera is webkit-based and those libraries are massively outdated in Debian stable, you have a gaping hole in your system...

Use either chromium or firefox-esr from the official repositories.
Head_on_a_Stick
 
Posts: 10346
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: [Not Solved] Am I Infected by a virus?

Postby bester69 » 2019-03-12 13:33

stevepusser wrote:How are you "applying the patch"? Are you just removing the kernel boot flag that disables pti?

You can install stress and run some benchmarks before and after to see if your performance takes a hit.

Yes, I'm removing boot flags. Now I've re-enabled the spectre_v2 patch and left meltdown (PTI disabled >> spectre/meltdown checker says performance impact of PTI will be significant)
My kernel: 4.4.167
GRUB_CMDLINE_LINUX_DEFAULT="zswap.enabled=0 zswap.zpool=zsmalloc apparmor=0 nopti noibrs noibpb"


When I enable PTI to protect against Meltdown, I noticed the internet browser feels less responsive; for example, the vertical scrollbar on some heavy JavaScript sites becomes laggy. So, I have only left the Spectre mitigation on for now.
My laptop, an Extensa 5230, has very little CPU for the latest Chrome/Firefox browsers and for the Meltdown/Spectre mitigations... the system becomes kind of slow.
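To make the "how are you applying the patch" question concrete (added example, not stevepusser's or bester69's code and not from spectre-meltdown-checker), the script below audits a kernel command line for flags that switch a Meltdown or Spectre mitigation off, and reads the kernel's own verdict from the files under /sys/devices/system/cpu/vulnerabilities/ when the running kernel provides them. nopti, pti=off, nospectre_v1, nospectre_v2, spectre_v2=off and mitigations=off are mainline kernel parameters; noibrs and noibpb are the 4.4-era distribution flags shown in the GRUB line above. The sample command line is constructed to mirror that GRUB line; the sysfs directory used in the test is a constructed temporary one.

```shell
#!/bin/sh
# Added example, not from the thread: audit the kernel command line for flags that
# disable Meltdown/Spectre mitigations and read the kernel's sysfs vulnerability report.

# Constructed sample mirroring the GRUB_CMDLINE_LINUX_DEFAULT quoted in the thread.
SAMPLE_CMDLINE="zswap.enabled=0 zswap.zpool=zsmalloc apparmor=0 nopti noibrs noibpb"

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# disabled_mitigations CMDLINE: print one line per flag that turns a mitigation off.
# $1 is deliberately unquoted so the shell splits it into individual boot parameters.
disabled_mitigations() {
    for tok in $1; do
        case "$tok" in
            nopti|pti=off)               echo "meltdown: page-table isolation off ($tok)" ;;
            noibrs)                      echo "spectre_v2: IBRS off ($tok)" ;;
            noibpb)                      echo "spectre_v2: IBPB off ($tok)" ;;
            nospectre_v2|spectre_v2=off) echo "spectre_v2: mitigation off ($tok)" ;;
            nospectre_v1)                echo "spectre_v1: mitigation off ($tok)" ;;
            mitigations=off)             echo "all: every CPU mitigation off ($tok)" ;;
        esac
    done
}

# count_disabled_mitigations CMDLINE: number of mitigation-disabling flags found.
count_disabled_mitigations() {
    disabled_mitigations "$1" | wc -l | tr -d ' '
}

# report_sysfs_vulnerabilities [DIR]: print "name: status" for each file in the
# kernel's vulnerabilities directory (default sysfs path); silent if it is absent.
report_sysfs_vulnerabilities() {
    dir="${1:-$SYSFS_VULN_DIR}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# kernel_reports_vulnerable NAME [DIR]: exit 0 if the kernel says NAME (e.g. meltdown)
# is "Vulnerable", 1 if it reports a mitigation or the file is missing.
kernel_reports_vulnerable() {
    f="${2:-$SYSFS_VULN_DIR}/$1"
    [ -r "$f" ] && grep -q '^Vulnerable' "$f"
}

echo "== flags in the sample command line =="
disabled_mitigations "$SAMPLE_CMDLINE"
if [ -r /proc/cmdline ]; then
    echo "== flags on this host =="
    disabled_mitigations "$(cat /proc/cmdline)"
    echo "== kernel vulnerability status on this host =="
    report_sysfs_vulnerabilities
fi
```

The sysfs files are the authoritative check: a flag removed from GRUB_CMDLINE_LINUX_DEFAULT only takes effect after update-grub and a reboot, and the vulnerabilities directory reflects what the booted kernel actually did, so comparing the two catches a forgotten update-grub. Old kernels (the 4.4 series in the thread predates some of these files) may lack the directory entirely, which the report function treats as "no information" rather than as safe.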

Re: [Not Solved] Am I Infected by a virus?

Postby Wheelerof4te » 2019-03-12 18:13

bester69 wrote:My laptop, an Extensa 5230, has very little CPU for the latest Chrome/Firefox browsers and for the Meltdown/Spectre mitigations... the system becomes kind of slow.

Well, you asked for it by
1. running an outdated browser,
2. running an insecure, old kernel,
3. using wine heavily,
4. in general being stubborn about switching from a bloated, old KDE version that your system can't run fast enough.

If I were you, I would first reinstall Debian Stable with either XFCE4 or learn some window manager. Openbox+tint2 panel is a good start for beginners. Then, I would quit breaking and meddling with my system by creating countless scripts that do who-knows-what. Once you do all that, your system will be safe and you yourself will be less stressed.
As motivational info, I myself used the Openbox+tint2 combo on my old PC with 512MB of RAM, a Celeron D CPU and 80 GB of spinning-rust storage. Yours is surely faster than that.
Wheelerof4te
 
Posts: 1421
Joined: 2015-08-30 20:14

Re: [Not Solved] Am I Infected by a virus?

Postby bester69 » 2019-03-12 18:32

For the moment, I've left only spectre_v2 protection enabled... and Meltdown protection disabled (due to the performance impact). I will keep the outdated Opera v42 browser (can't live with the latest browser versions, not enough CPU to run them properly) and see if it happens again.

I think I will take that risk; every time it happens I reboot the computer immediately... I've read it reads the memory of loaded processes to steal information, so I usually don't have any other app open together with the browser, and when that happens it's for a very short time, so I don't see any big risk here... furthermore, it seems this attack affects normal keyboard behaviour, so I can notice when I'm under attack and reboot the system.

Re: [Not Solved] Am I Infected by a virus?

Postby bester69 » 2019-03-13 18:07

Right now, I have the spectre_v2 patch enabled (no significant performance penalty)
and firejail with Opera v42 (outdated browser), and performance is very good.

opera.sh
#!/bin/bash
# Launch Opera inside a firejail sandbox with a private home directory; "$1" is the URL to open.
firejail --profile=/home/user/.config/firejail/opera.profile --private=/home/user/operajail/ opera.run  -d  --disable-gpu-sandbox  --disable-update  "$1" &
