My system went down unexpectedly a couple days ago. I got it up and running again and restored everything from my back-up drive. Interestingly, I noticed that my /tmp partition is now executable along with a number of files throughout the file tree in my /home/user/ directory. I'm relatively ignorant when it comes to security and malware. I'm looking for any and all recommendations as to how I should proceed from here. I would just delete the files and start over but many of them are related to work, school, and personal projects.
All I've done so far is follow the directions and comments at 'http://www.debian-administration.org/ar ... executable' for the purposes of making /tmp non-executable. It seemed like a good first step. I'm scanning my filesystem with ClamAV as we speak. But I don't have too much confidence in anti-virus software.
Again, I'm looking for any and all recommendations as to how I should proceed from here. Thanks in advance. I'll pay it forward.
Possible malware problem
-
- Posts: 6
- Joined: 2012-05-01 18:45
- Location: the Otherside
Re: Security/Malware problem!
There was a time, way back in DOS days and even on early Windows machines, when I knew what every single file on my computer was. I knew what program put it there and what it was for. Can't really say I know that much about the whole Debian os yet I haven't used it that long, but I am getting acquainted with /home/user and I don't like executable files there except scripts that I look through or write myself.
I have noticed that files on a fat32/ntfs partition are set executable no matter the type, and that follows the copy to ext2fs.
About the possible malware thing, I hope you did save /var/log so you can figure out later what happened?
resigned by AI ChatGPT
Re: Security/Malware problem!
I understand it's strange if you're saying these files have had the permissions changed somehow, but I'm curious why you think it's malware. Malware is very rare on a Linux system, as I'm sure you already know. I haven't seen any type of malware in Linux since I started using it many years ago. I spend my days cleaning up Windows systems (it's one of my jobs) so I am very familiar with files being changed by it, but have never come across it in Linux. I am actually wondering if during your restore process of your backup something might have caused this to happen. It will be interesting to see what ClamAV comes up with when your scan has finished.
Re: Security/Malware problem!
I am fairly sure (unless things have changed) that ClamAV is used for finding Windows viruses. Something being executable is usually a result of the copy and not some kind of malware attack. I remember I used to have text files copied over from a Windows partition that would say "executable text file", and it turns out they were just marked as executable. Just use chmod to remove the executable flag if you are worried about it.
Always on Debian Testing
Re: Security/Malware problem!
Maybe it's not any kind of malware... When I try to scan my home directory with ClamAV, it continuously spews errors of this sort:
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4092 bytes @ offset 4, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4072 bytes @ offset 24, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
Anyways, I'm going through my logs from the old system setup to see if I can figure out what happened. I'll post anything I find.
Re: Possible malware problem
I had not heard of smartmontools previously. I just installed it. I'll take a look at my hard drives ASAP. I did a little more research into the error message:
http://ubuntuforums.org/showthread.php?t=1587918
I guess I was rather paranoid in thinking it was malware. I'm a Windows refugee; what can I say? Anyways, that doesn't explain why tons of the files in my home directory are now executable. I guess I'll write a shell script to traverse the directories and edit the permissions.
Many people have encountered this error. There's a multitude of alleged fixes:
There is a problem with the configuration server. (/usr/lib/libgconf2-4/gconf-sanity-check-2 exited with status256)
Re: Possible malware problem
contrapositive wrote: I guess I'll write a shell script to traverse the directories and edit the permissions.
chmod -R [mode] [target]
Re: Possible malware problem
Hmph. More Windows-think.
contrapositive wrote: ... guess I'll write a shell script to traverse the directories and edit the permissions.
All you need is mastery of two commands: find and chmod.
I commend you to their respective man pages.
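An added example of the find-and-chmod approach recommended above (not code from anyone in this thread): it strips the execute bit only from regular files, leaves directories alone (a directory without x cannot be entered), and skips files that start with a "#!" line so hand-written scripts keep working. It assumes GNU find (for -perm /111) and a head that accepts -c.

```sh
#!/bin/sh
# Remove stray execute bits under a directory tree, e.g. after restoring
# from a FAT32/NTFS backup that marked every file executable.

# Print regular files under $1 that have any execute bit set, for review
# before changing anything.
list_exec_files() {
    find "$1" -type f -perm /111 -print
}

# Count them; used as a quick before/after check.
count_exec_files() {
    list_exec_files "$1" | wc -l | tr -d ' '
}

# Strip a/x from regular files under $1, except real scripts (first two
# bytes "#!"). Directories are never matched because of -type f.
strip_exec_bits() {
    find "$1" -type f -perm /111 -exec sh -c '
        for f in "$@"; do
            if [ "$(head -c 2 -- "$f" 2>/dev/null)" = "#!" ]; then
                continue   # keep shebang scripts executable
            fi
            chmod a-x -- "$f"
        done' sh {} +
}

# Usage: ./strip_exec.sh /home/user   (review list_exec_files output first)
if [ -n "$1" ]; then
    echo "executable regular files before: $(count_exec_files "$1")"
    strip_exec_bits "$1"
    echo "executable regular files after:  $(count_exec_files "$1")"
fi
```

Run `list_exec_files /home/user | less` first; anything that should stay executable but lacks a shebang (a compiled program you built, for instance) can be fixed afterwards with a single `chmod +x`.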