[Not Solved] Am I Infected by a virus?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

[Not Solved] Am I Infected by a virus?

#1 Post by bester69 »

Hi,

Did I get infected by a virus or a trojan?
[screenshot image]


It's been happening for a week or so: sometimes, suddenly, the keyboard behaves strangely, like with some kind of lag, the Internet browser starts doing some kind of blinking and I can't type properly anymore anywhere. When I left the konsole by itself it was typing on its own that strange character shown in the capture... It happened just when waking up from sleep... It has happened more times (three times or so) over some weeks. It gets fixed when I restart the Plasma session..

I don't know what it might be; I don't remember what I might have installed, because I have a very controlled and clean installation. I even use a btrfs snapshot rollback system to maintain a stable system.. but I have updated the snapshot system with this virus included, and I can't get away from this issue by rolling back..

I just remember installing, in that period of time:
- jpegoptim, bitwarden (deb), and some snaps

- I was also always using an active (running) downgraded proprietary Java version (for a Java sticky app) >> I've just moved to OpenJDK and updated the JDK
- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"
- I've been using an old Opera version (OperaV42) for a long time due to performance reasons

I have a few packages held back for believed performance and other kinds of reasons:

Los siguientes paquetes se han retenido:
  dbus dbus-user-session dbus-x11 firefox-esr firefox-esr-l10n-es-es firmware-misc-nonfree g
  intel-microcode kde-style-qtcurve-qt4 kde-style-qtcurve-qt5 libdbus-1-3 libdbus-1-3:i386 l
  libudev1:i386 network-manager qtcurve qtcurve-l10n syslinux syslinux-common systemd-sysv u
  xserver-common xserver-xorg-core xserver-xorg-legacy
Any suggestions :?, thanks
Last edited by bester69 on 2019-03-11 22:24, edited 2 times in total.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: Am I Infected by a virus?

#2 Post by llivv »

Does typing clear in konsole fix anything?

open xterm on your desktop and see if you get the same behavior from it.
If xterm seems fine try reinstalling konsole
If reinstalling doesn't help and you're comfortable gouging out a nice hefty hunk_o_ K
purge konsole and all its deps
reboot - probably to cli (if I know K at all)
reinstall konsole and all the other K, qt, plasma, etc. etc. packages it took with it ..... difficulty=intermediate to advanced
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#3 Post by bester69 »

llivv wrote:Does typing clear in konsole fix anything?

open xterm on your desktop and see if you get the same behavior from it.
If xterm seems fine try reinstalling konsole
If reinstalling doesn't help and you're comfortable gouging out a nice hefty hunk_o_ K
purge konsole and all its deps
reboot - probably to cli (if I know K at all)
reinstall konsole and all the other K, qt, plasma, etc. etc. packages it took with it ..... difficulty=intermediate to advanced
Hi, thanks for answering.
It happens typing anywhere (kate, dolphin, browser, etc).. there's some kind of lag when typing fast.. Now everything is working OK again for the moment (I restarted the session); at first I thought it had to do with the Accessibility module, but I think I disabled it and it happened once again..
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

Ardouos
Posts: 1077
Joined: 2013-11-03 00:30
Location: Elicoor II
Has thanked: 1 time
Been thanked: 4 times

Re: Am I Infected by a virus?

#4 Post by Ardouos »

You run a lot of MS apps through PoL/wine and outdated software, so if something were to happen that would likely be the culprit. Linux is not immune to malware though, no OS is.

I would check if anything is running on startup, starting with:
- Your bash history,
- Your bashrc and profile files, both in /etc and in /home.
- Any cron jobs.
- Any startup daemons.
- Any ports exposed to the internet?
- Check whether any SSH keys are installed.
- Your DE's autostart.
- Checking logs is good to see if any suspicious activity has been done.

You could try running a clamav scan or Sophos(?).

That's my two cents.
There is only one Debian | Do not break Debian | Stability and Debian | Backports

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀
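As an added example, not code from the thread or from any poster, the startup and persistence checks Ardouos lists above can be scripted so the same sweep is repeatable after every scare. Every function takes a root or home directory as a parameter, so the script runs against / and $HOME on a live system or against the constructed sample tree that build_sample_tree creates (all file contents there are made up for the demo; the "nohup /tmp/.x" line is a deliberately suspicious-looking constructed entry, and the SSH key is a placeholder). Run it with --demo to audit the sample tree or --live to audit the current user; it only reads files and lists findings, it changes nothing.

```bash
#!/bin/bash
# Persistence audit: scripted form of the startup checks listed in the post above.
# Added example, not from the thread. Every function takes a root or home
# directory so it can run against / and $HOME or against a constructed sample.

# Non-comment lines from the system crontab, /etc/cron.d and user crontabs under $1
list_cron_entries() {
  local root="$1" f
  for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -hvE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
  done
}

# Desktop-environment autostart entries under home directory $1 (Plasma honours
# both .desktop files in autostart/ and plain scripts in autostart-scripts/)
list_autostart_entries() {
  local home="$1" f
  for f in "$home"/.config/autostart/*.desktop "$home"/.config/autostart-scripts/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.desktop) printf '%s: %s\n' "$f" "$(grep -m1 '^Exec=' "$f" | cut -d= -f2-)" ;;
      *)         printf '%s: (script)\n' "$f" ;;
    esac
  done
}

# Key type and comment of every entry in $1/.ssh/authorized_keys (key material omitted)
list_authorized_keys() {
  local f="$1/.ssh/authorized_keys"
  [ -f "$f" ] || return 0
  awk 'NF >= 2 { print $1, $3 }' "$f"
}

# Lines in the shell start-up files under $1 that download, decode, eval or
# background something, or run out of world-writable directories
flag_rc_lines() {
  local home="$1" f
  for f in "$home"/.bashrc "$home"/.profile "$home"/.bash_profile; do
    [ -f "$f" ] || continue
    grep -nE '(curl|wget|nc |ncat|base64|eval|nohup|/tmp/|/dev/shm)' "$f" | sed "s|^|$f:|"
  done
}

# Full sweep for root directory $1 and home directory $2
audit_home() {
  list_cron_entries "$1"
  list_autostart_entries "$2"
  list_authorized_keys "$2"
  flag_rc_lines "$2"
}

# Constructed sample tree for the demo; nothing here comes from a real machine.
build_sample_tree() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc/cron.d" "$root/home/user/.config/autostart" \
           "$root/home/user/.config/autostart-scripts" "$root/home/user/.ssh"
  printf '# nightly backup\n0 2 * * * root /usr/local/bin/backup.sh\n' > "$root/etc/cron.d/backup"
  printf '[Desktop Entry]\nType=Application\nExec=/home/user/.local/bin/kb-fix\n' \
    > "$root/home/user/.config/autostart/kb.desktop"
  printf '#!/bin/sh\nxset r rate 300 40\n' > "$root/home/user/.config/autostart-scripts/kb.sh"
  printf 'ssh-ed25519 AAAAexamplekeyPLACEHOLDER user@laptop\n' > "$root/home/user/.ssh/authorized_keys"
  # the second line is the kind of entry the sweep is meant to surface (constructed)
  printf 'export PATH=$HOME/bin:$PATH\nnohup /tmp/.x >/dev/null 2>&1 &\n' > "$root/home/user/.bashrc"
  printf '%s\n' "$root"
}

# Number of findings the sweep reports for the sample tree (expected: 5)
count_sample_findings() {
  local root
  root=$(build_sample_tree)
  audit_home "$root" "$root/home/user" | wc -l | tr -d ' '
  rm -rf "$root"
}

case "${1:-}" in
  --demo) root=$(build_sample_tree); audit_home "$root" "$root/home/user"; rm -rf "$root" ;;
  --live) audit_home / "$HOME" ;;
esac
```

The output is a plain list, one finding per line, so it can be saved once on a known-good day and diffed against a later run; a new cron entry, autostart script or authorized key then shows up as a diff line rather than something to remember by eye. The rc-file patterns are heuristics and will flag legitimate lines too (a wget in a personal helper function, for instance), which is the right trade-off for a manual review.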

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#5 Post by bester69 »

Ardouos wrote:You run a lot of MS apps through PoL/wine and outdated software, so if something were to happen that would likely be the culprit. Linux is not immune to malware though, no OS is.

I would check if anything is running on startup, starting with:
- Your bash history,
- Your bashrc and profile files, both in /etc and in /home.
- Any cron jobs.
- Any startup daemons.
- Any ports exposed to the internet?
- Check whether any SSH keys are installed.
- Your DE's autostart.
- Checking logs is good to see if any suspicious activity has been done.

You could try running a clamav scan or Sophos(?).

That's my two cents.
I use a few known Wine Windows apps of my own, always the same ones, and I always run a killexe script I made after running them:
killexe.sh

#!/bin/sh
# killexe.sh: stop any leftover Wine (.exe) processes after closing a Windows app.
# Tomboy is excluded because it is a legitimate .exe that should keep running.
# -o pid=,cmd= drops the ps header; xargs -r does nothing when the list is empty.
ps -u user -o pid=,cmd= | grep '\.exe' | grep -Fv Tomboy | awk '{print $1}' | xargs -r kill
ps -u user -o pid=,cmd= | grep '\.EXE' | grep -Fv Tomboy | awk '{print $1}' | xargs -r kill
sleep 1
# Anything still alive after a second gets SIGKILL
ps -u user -o pid=,cmd= | grep '\.exe' | grep -Fv Tomboy | awk '{print $1}' | xargs -r kill -9
ps -u user -o pid=,cmd= | grep '\.EXE' | grep -Fv Tomboy | awk '{print $1}' | xargs -r kill -9
# Then the helper processes that Wine and its launchers leave behind
killall python
killall wineserver
sleep 1
killall tee tsr grep nc winedbg
sleep 1
killall -9 nc
I've just run "debsums -a" (which also checks configuration files), and everything is OK; no packages altered, no system configuration file altered.. So it must be something in the home profile... I guess.

I suspect this began to happen when using youtube-dl hundreds of times within a script I made for downloading YouTube playlists.. I will try moving back to an older youtube-dl version if it happens again, as a try.

I will also try a clamav scan or Sophos..

I will report back if it happens again.. or any other information.


Thanks a lot.

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Am I Infected by a virus?

#6 Post by bw123 »

I'm using plasma on stretch, turned off the keyboard daemon a long time ago in systemsettings>startup/shutdown>background services. Also purged all of the input stuff, it was loaded down with all kinds of inputmethod apps, tons of unneeded stuff.

home/user/.config/autostart-scripts/kb.sh:
#!/bin/sh

# hack to work around kb bug
xset r rate 300 40
I don't know what ver you are using probably something very new? The image link you posted just goes to postimage.org for me.
resigned by AI ChatGPT

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Am I Infected by a virus?

#7 Post by Bulkley »

Several years ago I thought my system had a virus. The culprit turned out to be a sick modem which was phoning home to its mama. I replaced the modem and never saw the "virus" again. I don't know whether or not bester69's machine has a virus but don't exclude the possibility that some hardware is acting up.

FreewheelinFrank
Global Moderator
Posts: 2109
Joined: 2010-06-07 16:59
Has thanked: 38 times
Been thanked: 230 times

Re: Am I Infected by a virus?

#8 Post by FreewheelinFrank »

Have you tried using a different keyboard? Or plugging in an external keyboard if it's a laptop?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#9 Post by bester69 »

bw123 wrote:I'm using plasma on stretch, turned off the keyboard daemon a long time ago in systemsettings>startup/shutdown>background services. Also purged all of the input stuff, it was loaded down with all kinds of inputmethod apps, tons of unneeded stuff.

home/user/.config/autostart-scripts/kb.sh:
#!/bin/sh

# hack to work around kb bug
xset r rate 300 40
I don't know what ver you are using probably something very new? The image link you posted just goes to postimage.org for me.
It's working OK for the moment; we will see if it happens again, but I checked that I have the keyboard daemon disabled as well.

I've been using stretch + Plasma like you for years, and using btrfs to keep stable tested snapshots.. but I updated the last snapshot without testing it for enough time, and now I drag the issue along within the snapshot.

I've done two things:
- updated the Java version
- updated youtube-dl (I feel this was the culprit)

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#10 Post by bester69 »

Bulkley wrote:Several years ago I thought my system had a virus. The culprit turned out to be a sick modem which was phoning home to its mama. I replaced the modem and never saw the "virus" again. I don't know whether or not bester69's machine has a virus but don't exclude the possibility that some hardware is acting up.
Hi, thanks for answering

I've no hardware connected to my laptop and the keyboard works quite well.. Now for the moment there's no problem; I think it had to do with youtube-dl... I was opening hundreds of background youtube-dl sessions by launching scripts I made for downloading all the thumbnail images of a playlist. But the strange thing is that the issue happened just after waking up from the sleep state, not while working and executing scripts, which seems very fishy (virus or trojan).

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#11 Post by bester69 »

It has happened again!! :?
I'm using:
- Kernel 4.4.167 x86_64
- Stretch + Plasma
- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"

I think the culprit is the old OperaV42 Internet browser I'm using, which is a Chrome-based build from 26-Jan-2017, though I can't be sure..

I saw I had the --disable-gpu-sandbox setting active; I have enabled it back.. I will report if this fixes it.

#LIBGL_DEBUG=verbose opera.run   --disable-gpu-sandbox  --disable-update &

Happy Christmas, :)

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Am I Infected by a virus?

#12 Post by Head_on_a_Stick »

bester69 wrote:- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"

I think the culprit is the old OperaV42 Internet browser I'm using, which is a Chrome-based build from 26-Jan-2017, though I can't be sure..
^ This.

Spectre & Meltdown are both exploitable via the browser.

You do have javascript disabled, right? :roll:
deadbang

FreewheelinFrank
Global Moderator
Posts: 2109
Joined: 2010-06-07 16:59
Has thanked: 38 times
Been thanked: 230 times

Re: Am I Infected by a virus?

#13 Post by FreewheelinFrank »

All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#14 Post by bester69 »

Head_on_a_Stick wrote:
bester69 wrote:- I'm not using protection for snaps, nor for Meltdown and Spectre:
GRUB_CMDLINE_LINUX_DEFAULT="apparmor=0 nopti noibrs noibpb"

I think the culprit is the old OperaV42 Internet browser I'm using, which is a Chrome-based build from 26-Jan-2017, though I can't be sure..
^ This.

Spectre & Meltdown are both exploitable via the browser.

You do have javascript disabled, right? :roll:
Hi Head, thanks for answering
I need JavaScript. So you think what's going on is about Spectre or Meltdown?
I have thought about resetting to a clean browser profile config on launching, but I guess that won't do it

# trailing slashes copy the directory contents; --delete drops anything that is not in the clean profile
rsync -aAXv --delete ./config/opera.clean/ ./config/opera/ && opera

What about firejail --private, what are the risks, what do you suggest?.. I tested firejail a little bit, and it seems to degrade performance a little bit, but it could be bias confusing me.. In case of using firejail, am I risking having my Google/cloud account passwords hacked?

For Meltdown and Spectre, I think the latest Opera versions already come with mitigation measures... I think I will sadly have to move on to the new Opera browser.
Last edited by bester69 on 2018-12-25 13:50, edited 1 time in total.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#15 Post by bester69 »

FreewheelinFrank wrote:All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?
I didn't see high load when this was happening; I'm almost sure there wasn't, I will check it again. The laptop keyboard device is working 100% OK,

There was as well some kind of very fast blinking refresh on the screen while this was happening, like when you're infected by a virus. In my opinion and with my humble experience, this behavior feels like a malware/virus infection.. through the Opera browser (built Jan-2017 >> 2-year-old browser)... I think Head here is gonna be right and the JavaScript browser is being backdoored (Meltdown, other..)

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Am I Infected by a virus?

#16 Post by Head_on_a_Stick »

bester69 wrote:So you think whats going on is about Specte or Meltdown?
I honestly don't know and I am far from expert in this subject but I do think leaving the kernel-based Spectre & Meltdown protections disabled and javascript in the (outdated) browser enabled exposes the user to some serious vulnerabilities and probably should not be tried without good reason.

Have you actually measured any performance differences with the protections enabled?

AFAIUI, the risky speculative execution is only used for certain types of operation, I can't notice much difference on the desktop.
bester69 wrote:What about firejail --private , what are the risks, what do you suggest?
The security of Firejail is based on the security of the kernel itself, which you have wilfully disabled, so I don't think it will help as much as some suggest.

But I'm no expert :)
bester69 wrote:I tested firejail a little bit, and it seems to degrade performance a little bit, but it could be bias confusing me
You *are* confused, Firejail is a containerisation solution and should add no measurable overhead.

Benchmarks are the key here, try them instead of asking me.
bester69 wrote:For Meltdown and Spectre, I think the latest Opera versions already come with mitigation measures
AFAIUI, the browser-level mitigations just restrict the range of potential attacks rather than eliminate them entirely — you need the kernel protections as well.
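Head_on_a_Stick's point, that the kernel command line quoted earlier in the thread switches the Meltdown/Spectre mitigations off, can be checked directly rather than argued over: the kernel reports each mitigation's state under /sys/devices/system/cpu/vulnerabilities, and /proc/cmdline shows which parameters disabled them. The script below is an added example, not from the thread or from any poster; it takes the sysfs directory as a parameter so it also runs against a constructed sample directory (the status strings there are modelled on the kernel's format and are not from a real machine), and the list of disabling parameters covers the three on this page (nopti, noibrs, noibpb) plus the generic upstream ones (mitigations=off, pti=off, spectre_v2=off, nospectre_v1, nospectre_v2, nospec_store_bypass_disable).

```bash
#!/bin/bash
# Report the kernel's Spectre/Meltdown mitigation state and spot command-line
# parameters that switch mitigations off. Added example, not from the thread.

# Print "name: status" for every file in sysfs-style directory $1
report_mitigations() {
  local dir="$1" f
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# Number of entries in $1 whose status begins with "Vulnerable"
count_vulnerable() {
  report_mitigations "$1" | grep -c ': Vulnerable'
}

# Print the parameters in kernel command line $1 that disable a mitigation;
# exit status 1 when there are none. The list covers the parameters used on
# this page plus the generic upstream ones.
cmdline_disabled_mitigations() {
  local p found=""
  for p in $1; do
    case "$p" in
      nopti|noibrs|noibpb|nospectre_v1|nospectre_v2|nospec_store_bypass_disable|mitigations=off|pti=off|spectre_v2=off)
        found="$found $p" ;;
    esac
  done
  [ -n "$found" ] && printf '%s\n' "${found# }"
}

# Constructed sample directory in the sysfs format; not from a real machine.
build_sample_sysfs() {
  local dir
  dir=$(mktemp -d)
  printf 'Vulnerable\n' > "$dir/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$dir/spectre_v1"
  printf 'Vulnerable: Minimal generic ASM retpoline, IBPB: disabled, STIBP: disabled\n' > "$dir/spectre_v2"
  printf 'Not affected\n' > "$dir/l1tf"
  printf '%s\n' "$dir"
}

# Vulnerable count for the sample directory (expected: 2)
sample_vulnerable_count() {
  local dir
  dir=$(build_sample_sysfs)
  count_vulnerable "$dir"
  rm -rf "$dir"
}

if [ "${1:-}" = "--live" ]; then
  report_mitigations /sys/devices/system/cpu/vulnerabilities
  if disabled=$(cmdline_disabled_mitigations "$(cat /proc/cmdline)"); then
    echo "mitigations disabled on the kernel command line: $disabled"
  fi
fi
```

Run with --live on the machine in question: a "Vulnerable" status next to meltdown or spectre_v2 together with nopti/noibrs/noibpb in the command line confirms that the browser-level mitigations are the only ones in place, which is exactly the combination the post above warns about. The same run after removing those parameters and rebooting is the before/after benchmark Head_on_a_Stick asks for, measured on mitigation state rather than on felt performance.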

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#17 Post by bester69 »

Head_on_a_Stick wrote:.. you need the kernel protections as well.
ok,
I will try first with this chrome-flag mitigation
https://blogs.opera.com/security/2018/0 ... abilities/
To improve the protection it is already possible to turn on something called Strict site isolation. This separates sites into different processes which makes it harder to exploit the hardware problem.
thanks Head.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#18 Post by bester69 »

One question, the other day,
when playing on a multiplayer server, they managed to open a remote tab with a gif porn video in my Opera browser.. How is this so easily possible? :shock: What a big hole I must have in my Opera Internet browser, OMG!!

- I have enabled gpu isolation back
if that doesn't work I will add
- the Chrome flag Strict site isolation
if that doesn't work I will have to update to the latest Opera version or enable kernel protection

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Am I Infected by a virus?

#19 Post by Bulkley »

bester69 wrote:When playing on a multiplayer server, they managed to open a remote tab with a gif porn video in my Opera browser..
That's one site I would never return to. The game is bait. The porn is more bait. You don't need the hassle.
What a big hole I must have in my opera internet browser, OMG!!
Frankly, I'd purge that browser and all of its configuration scripts, history and whatever is in your ~/user dot (hidden) files. After doing that, a fresh install of the latest Opera might be okay. It might be more prudent to use another browser, configure it for security and add NoScript or, at least, uBlock Origin to cut down on bot probes.

The most important tool for security is your own street smarts, that sense that one needs to avoid bad neighbourhoods and if one finds oneself wandering into a bad neighbourhood leaving immediately.

xepan
Posts: 89
Joined: 2018-11-28 06:38

Re: Am I Infected by a virus?

#20 Post by xepan »

The first thing an exploit should do is announce itself as loud as possible, so the admin doesn't miss that it arrived. Making the keyboard go nuts sounds like a good method.

find -exec, OTOH, is very silent in what it does.
