Possible malware problem

contrapositive
Posts: 6
Joined: 2012-05-01 18:45
Location: the Otherside

Possible malware problem

#1 Post by contrapositive »

My system went down unexpectedly a couple days ago. I got it up and running again and restored everything from my back-up drive. Interestingly, I noticed that my /tmp partition is now executable along with a number of files throughout the file tree in my /home/user/ directory. I'm relatively ignorant when it comes to security and malware. I'm looking for any and all recommendations as to how I should proceed from here. I would just delete the files and start over, but many of them are related to work, school, and personal projects.

All I've done so far is follow the directions and comments at 'http://www.debian-administration.org/ar ... executable' for the purposes of making /tmp non-executable. It seemed like a good first step. I'm scanning my filesystem with ClamAV as we speak. But I don't have too much confidence in anti-virus software.

Again, I'm looking for any and all recommendations as to how I should proceed from here. Thanks in advance. I'll pay it forward.
Last edited by contrapositive on 2012-08-20 00:22, edited 1 time in total.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Security/Malware problem!

#2 Post by bw123 »

There was a time, way back in DOS days and even on early Windows machines, when I knew what every single file on my computer was. I knew what program put it there and what it was for. Can't really say I know that much about the whole Debian OS yet; I haven't used it that long, but I am getting acquainted with /home/user and I don't like executable files there except scripts that I look through or write myself.

I have noticed that files on a FAT32/NTFS partition are set executable no matter the type, and that follows the copy to ext2fs.

About the possible malware thing, I hope you did save /var/log so you can figure out later what happened?
resigned by AI ChatGPT

swftech
Posts: 5
Joined: 2012-07-05 14:37
Location: SW Florida

Re: Security/Malware problem!

#3 Post by swftech »

I understand it's strange if you're saying these files have had the permissions changed somehow, but curious why you think it's malware? Malware is very rare on a Linux system, as I'm sure you already know. I haven't seen any type of malware in Linux since I started using it many years ago. I spend my days cleaning up Windows systems (it's one of my jobs) so I am very familiar with files being changed by it, but have never come across it in Linux. I am actually wondering if during your restore process of your backup something might have caused this to happen. It will be interesting to see what ClamAV comes up with when your scan has finished.

vbrummond
Posts: 4432
Joined: 2010-03-02 01:42

Re: Security/Malware problem!

#4 Post by vbrummond »

I am fairly sure (unless things have changed) that ClamAV is used for finding Windows viruses. Something being executable is usually a result of the copy and not some kind of malware attack. I remember I used to have text files copied over from a Windows partition that would say "executable text file", and it turns out it was just marked as executable. Just use chmod to remove the executable flag if you are worried about it.
Always on Debian Testing

contrapositive
Posts: 6
Joined: 2012-05-01 18:45
Location: the Otherside

Re: Security/Malware problem!

#5 Post by contrapositive »

Maybe it's not any kind of malware... When I try to scan my home directory with ClamAV, it continuously spews errors of this sort:

LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4092 bytes @ offset 4, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4072 bytes @ offset 24, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0

Anyways, I'm going through my logs from the old system setup to see if I can figure out what happened. I'll post anything I find.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Possible malware problem

#6 Post by dasein »

Sounds like a possible HDD failure. Smartmontools tell you anything?

contrapositive
Posts: 6
Joined: 2012-05-01 18:45
Location: the Otherside

Re: Possible malware problem

#7 Post by contrapositive »

I had not heard of smartmontools previously. I just installed it. I'll take a look at my hard drives ASAP. I did a little more research into the error message:
There is a problem with the configuration server. (/usr/lib/libgconf2-4/gconf-sanity-check-2 exited with status256)
Many people have encountered this error. There's a multitude of alleged fixes:

http://ubuntuforums.org/showthread.php?t=1587918

I guess I was rather paranoid in thinking it was malware. I'm a Windows refugee; what can I say? Anyways, that doesn't explain why tons of the files in my home directory are now executable. I guess I'll write a shell script to traverse the directories and edit the permissions.

pete1967
Posts: 14
Joined: 2012-04-30 11:03

Re: Possible malware problem

#8 Post by pete1967 »

contrapositive wrote: I guess I'll write a shell script to traverse the directories and edit the permissions.

chmod -R [target]

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Possible malware problem

#9 Post by dasein »

contrapositive wrote:... guess I'll write a shell script to traverse the directories and edit the permissions.
Hmph. More Windows-think.

All you need is mastery of two commands: find and chmod.

I commend you to their respective man pages.
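The find + chmod approach dasein points to, written out as an added example that is not from this thread: it lists which regular files under a directory carry an execute bit, then clears that bit on files only (directories keep x so they stay traversable) and skips files whose first line is a "#!" shebang, the scripts bw123 mentioned. It assumes GNU find for the -perm /111 test; the sample tree is constructed for the demo and mimics a restore from a FAT32/NTFS backup where every file came back mode 755.

```shell
#!/bin/sh
# Added example, not from the thread: audit and clear the executable bit on
# regular files under a directory (the find + chmod approach dasein points
# to). Directories keep x so they stay traversable, and files beginning
# with "#!" are treated as scripts and left alone. Assumes GNU find
# (-perm /111); the sample tree below is constructed for the demo.

# Print regular files under $1 that have any execute bit set.
list_exec_files() {
    find "$1" -type f -perm /111 | sort
}

# Return 0 when the first line of $1 is a shebang, else 1.
is_script() {
    IFS= read -r first < "$1" 2>/dev/null || return 1
    case $first in '#!'*) return 0 ;; *) return 1 ;; esac
}

# Clear all execute bits on regular files under $1, skipping shebang scripts.
# Review the list_exec_files output before running this on a real home dir.
strip_exec_bits() {
    find "$1" -type f -perm /111 -print | while IFS= read -r f; do
        is_script "$f" || chmod a-x "$f"
    done
}

# Build a throwaway tree that mimics a restore from a FAT32/NTFS backup,
# where every file came back with mode 755. Prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/docs" "$root/bin"
    printf 'term paper draft\n' > "$root/docs/paper.txt"
    printf 'not really a jpeg\n' > "$root/docs/photo.jpg"
    printf '#!/bin/sh\necho backup\n' > "$root/bin/backup.sh"
    chmod 755 "$root/docs/paper.txt" "$root/docs/photo.jpg" "$root/bin/backup.sh"
    printf '%s\n' "$root"
}

# Demo: show what is executable before and after the cleanup.
demo_root=$(make_sample_tree)
echo "executable files before:"; list_exec_files "$demo_root"
strip_exec_bits "$demo_root"
echo "executable files after:";  list_exec_files "$demo_root"
rm -rf "$demo_root"
```

Running list_exec_files on a real home directory first is the audit step: anything it prints that is not a script you recognise is worth a look before the bits are cleared.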
