[Not Solved] Am I Infected by a virus?

Linux Kernel, Network, and Services configuration.
bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#21 Post by bester69 »

Bulkley wrote:
bester69 wrote:When playing on a multiplayer server, they managed to open a remote tab with a gift porn video in my Opera browser...
That's one site I would never return to. The game is bait. The porn is more bait. You don't need the hassle.

....

The most important tool for security is your own street smarts, that sense that one needs to avoid bad neighbourhoods and if one finds oneself wandering into a bad neighbourhood leaving immediately.
That's a SWAT server game; it's just that players or admins can see my IP in the server log, and some angry admin was joking with me during the kicking process by redirecting my browser to that porn video... It's just that I saw that as a worrying security hole in my system...

So I installed gufw and blocked incoming traffic... I guess this should prevent them from binding my browser to a new tab URL.
bester69 wrote:STOP 2030 globalists demons, keep the fight for humanity freedom against NWO...

FreewheelinFrank
Global Moderator
Posts: 2109
Joined: 2010-06-07 16:59
Has thanked: 38 times
Been thanked: 230 times

Re: Am I Infected by a virus?

#22 Post by FreewheelinFrank »

bester69 wrote:
FreewheelinFrank wrote:All I can see here is a browser using excessive CPU and a character repeating in the terminal.

Keyboard "works quite well" doesn't cut it: test it.

There is no evidence of a virus here I can see; a repeating character can be a symptom of high CPU load: see here:

https://github.com/tekezo/Karabiner-Elements/issues/545

First test your keyboard; then find out what is causing your high cpu load, fix that (try another browser if necessary) and see if that fixes the problem.

Viruses don't just cause stuck keys: they connect to malicious sites: where's the evidence of that?
I didn't see high load when this was happening; I'm almost sure there wasn't. I will check it again. The laptop keyboard is working 100% OK.

There was as well some kind of very fast blinding refresh on screen while this was happening, like when you're infected by a virus. In my opinion and with my humble experience, this behavior feels like a malware/virus infection... through the Opera browser (Jan-2017 build >> 2-year-old browser)... I think Head here is gonna be right and the browser's JavaScript is being backdoored (Meltdown, other...)
My apologies for reading into your post a meaning that wasn't there. But, we need to be clear then: "blinding"? "binding"? Your browser is stuck at a page, or keeps taking you to a page? What is the URL?

How on earth would this cause repeating characters when typing in the terminal?

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#23 Post by bester69 »

FreewheelinFrank wrote: ....
My apologies for reading into your post a meaning that wasn't there. But, we need to be clear then: "blinding"? "binding"? Your browser is stuck at a page, or keeps taking you to a page? What is the URL?

How on earth would this cause repeating characters when typing in the terminal?
I think I saw some kind of tiny screen-refresh blinking (not blinding); once this starts happening you can close the browser, and the Plasma desktop stays as if infected, with discreet blinking, preventing you from typing properly anywhere in the desktop... so you can only restart the session to be able to do anything without trouble.
** The browser is able to talk to a page while the problem is going on.

I've also disabled all incoming traffic with the gufw firewall... So now they can't talk to my computer :o

FreewheelinFrank
Global Moderator
Posts: 2109
Joined: 2010-06-07 16:59
Has thanked: 38 times
Been thanked: 230 times

Re: Am I Infected by a virus?

#24 Post by FreewheelinFrank »

No chance of a screen shot, I suppose? Or a video of this happening?

While it's possible that an exploit malware is crashing your browser and attempting to exploit the OS, it's also possible that the browser is crashing your video driver: something like this, maybe?

https://forums.opera.com/topic/23498/op ... nome-shell

Maybe try some of the advice there: "Try disabling hardware acceleration in opera," for a start.

Personally I'd consider that possibility more likely, but if you want to check for malware, try a bootable anti-virus rescue CD:

http://www.techmixer.com/free-bootable- ... load-list/

The Kaspersky disc would be my first try: it's even based on Linux, as I remember.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Am I Infected by a virus?

#25 Post by Head_on_a_Stick »

tripwire is good for the paranoid.
deadbang

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#26 Post by bester69 »

FreewheelinFrank wrote:No chance of a screen shot, I suppose? Or a video of this happening?

While it's possible that an exploit malware is crashing your browser and attempting to exploit the OS, it's also possible that the browser is crashing your video driver: something like this, maybe?

https://forums.opera.com/topic/23498/op ... nome-shell

Maybe try some of the advice there: "Try disabling hardware acceleration in opera," for a start.

Personally I'd consider that possibility more likely, but if you want to check for malware, try a bootable anti-virus rescue CD:

http://www.techmixer.com/free-bootable- ... load-list/

The Kaspersky disc would be my first try: it's even based on Linux, as I remember.
Hi, everything is "OK", as my installation is well tested and stable (I use btrfs snapshots to keep stable points).

I've not changed anything in the installation for so long, and nothing to do with the browser or graphical settings has been changed (but perhaps the Opera profile is being hacked)... In fact now everything is working "well"... I enabled blocking incoming traffic with the ufw firewall, and I'm waiting for it to happen again... So it's not about drivers or anything like that... I believe we're talking here about a remote malware exploit...

I'm sure I'm not infected by anything (unless the Opera profile has been compromised); I'm sure the problem is coming through Opera's extensions (I've around twelve active) or the browser's JavaScript... I hope that by blocking incoming traffic they can't call up the browser... I'm considering cleaning the profile extensions installation and using a clean reset profile on launching the browser, so I prevent the home profile from being and staying hacked.

On launching the browser, reset the profile:

Code: Select all

# Restore the Opera profile from the clean copy, deleting anything not in it
rsync -aAXv --delete ~/.config/opera.clean/ ~/.config/opera/
I will only try Sophos and ClamAV on Opera's profile, but I don't expect to find anything there.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#27 Post by bester69 »

Sophos scan (screenshot)

clamav scan (screenshot)

No threats found in the Opera profile folder :idea:

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#28 Post by bester69 »

Hi,
It seems as if the incoming-traffic blocking I've set (gufw firewall) has solved the security hole... let's wait some more time and see if it doesn't happen again. :)

I'm also using a scheduled Opera browser profile reset, once a week in crontab.weekly, just in case, to clean up the browser profile:

Code: Select all

#!/bin/sh
# Weekly Opera profile reset: stop the running browser, then restore the
# profile directory from the clean backup copy (opera.bak), deleting
# anything that was added to the live profile since the backup was made.
export bootop=/home/user/LINUXDEBS/browsers
su user -c "killall opera"
su user -c "rsync -aAXv --delete $bootop/opera.bak/ $bootop/opera/"

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Am I Infected by a virus?

#29 Post by pcalvert »

bester69 wrote:
It seems as if the incoming-traffic blocking I've set (gufw firewall) has solved the security hole... let's wait some more time and see if it doesn't happen again. :)
A firewall won't help much if the connection is initiated by a process (like malware) on your computer. You probably already knew that, but many people apparently don't.

Here's something else to try:

Code: Select all

# netstat -tulp |grep LISTEN
That will show you what ports are open and waiting for connections.

Example output:

Code: Select all

# netstat -tulp |grep LISTEN
tcp        0      0 localhost:netbios-ssn   0.0.0.0:*               LISTEN      2698/smbd           
tcp        0      0 localhost:sunrpc        0.0.0.0:*               LISTEN      1439/portmap        
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      4016/cupsd          
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      2379/exim4          
tcp        0      0 localhost:microsoft-ds  0.0.0.0:*               LISTEN      2698/smbd           
tcp        0      0 localhost:675           0.0.0.0:*               LISTEN      1771/famd           
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      4016/cupsd          
tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      2379/exim4
Notice that all of the open ports are only available to processes running on the same system (localhost). That's good -- it's what you should aim for (most of the time) on a desktop system.

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#30 Post by bester69 »

pcalvert wrote: A firewall won't help much if the connection is initiated by a process (like malware) on your computer. You probably already knew that, but many people apparently don't.
Phil
Hi Phil, thanks for answering.
I guess my system is clean, as I don't install any apps from untrusted sources, and most of my apps, but just two or three well-known ones, come from Debian's repository... I think they were using some old Opera extension or the JavaScript process to raise a backdoor hole, as I suppose they can listen for open computers with these security holes, and if they get any response from my computer, then they will start running the remote hacking code... As I've recently disabled incoming traffic with the firewall, I understand they won't be able to start this talk with my computer (I don't think there's any malware in my system to start outgoing traffic), so they can't exploit these security holes in my outdated internet browser. Though I might be wrong here, I'm not an expert... for the moment, the firewall seems to have fixed it up. We will see soon, but I guess it's fixed with the firewall, I hope so.

OK, we will run this command if it happens again with the firewall on, to see what it shows:
netstat -tulp |grep LISTEN

Code: Select all

 netstat -tulp |grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:6341          0.0.0.0:*               LISTEN      10913/megasync      
tcp        0      0 localhost:6342          0.0.0.0:*               LISTEN      10913/megasync      
tcp        0      0 hall.local:6600         0.0.0.0:*               LISTEN      18168/mpd           
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      -                   
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:1739               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1740               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1741               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1742               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1743               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:1744               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1745               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1746               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1747               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1748               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:1716               [::]:*                  LISTEN      2690/kdeconnectd    
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -                   
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      -               

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Am I Infected by a virus?

#31 Post by pcalvert »

These lines caught my attention:
bester69 wrote:

Code: Select all

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:
You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.
Phil
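As an added example (not code from this thread or from any of its posters), here is a small Python script that does the check Phil makes by eye in posts #29 and #31: it parses "netstat -tulp" rows and flags every listener that is not bound to loopback only, i.e. a wildcard bind (0.0.0.0 or [::]) or the machine's own LAN address such as hall.local. The sample output embedded in the script is constructed from the rows quoted in the thread, not captured from a real host.

```python
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# Constructed sample, modelled on the "netstat -tulp" rows quoted in this
# thread (same program names and ports); it is not a capture from a real host.
SAMPLE = """\
tcp        0      0 localhost:6341          0.0.0.0:*               LISTEN      10913/megasync
tcp        0      0 hall.local:6600         0.0.0.0:*               LISTEN      18168/mpd
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:1716               [::]:*                  LISTEN      2690/kdeconnectd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           3310/dhclient
"""

# Addresses that only processes on the same machine can reach.
LOOPBACK_HOSTS = {"localhost", "ip6-localhost", "localhost6", "127.0.0.1", "::1"}


@dataclass
class Listener:
    proto: str
    host: str
    port: str
    program: str  # "pid/name", or "-" when netstat could not see the owner

    @property
    def exposed(self) -> bool:
        """True when other hosts can reach the socket: a wildcard bind
        (0.0.0.0 / ::) or the machine's own LAN address (e.g. hall.local)."""
        return self.host not in LOOPBACK_HOSTS and not self.host.startswith("127.")


def parse_netstat(text: str) -> list[Listener]:
    """Parse the rows of "netstat -tulp" (TCP and UDP listening sockets)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header or blank line
        # Split on the last ':' so an IPv6 literal such as [::]:ssh keeps its host part.
        host, _, port = fields[3].rpartition(":")
        # TCP rows carry a state column before the program field and UDP rows do
        # not, so the program is always the last field either way.
        listeners.append(Listener(fields[0], host.strip("[]"), port, fields[-1]))
    return listeners


def exposed_listeners(text: str) -> list[Listener]:
    """The rows worth questioning: every listener that is not loopback-only."""
    return [s for s in parse_netstat(text) if s.exposed]


def report(text: str) -> str:
    """One line per socket, tagged so exposed listeners stand out."""
    rows = []
    for s in parse_netstat(text):
        tag = "EXPOSED" if s.exposed else "local  "
        rows.append(f"{tag} {s.proto:<5} {s.host}:{s.port} ({s.program})")
    return "\n".join(rows)


def scan_this_host() -> list[Listener]:
    """Run netstat here (needs net-tools; run as root to see every program name)."""
    out = subprocess.run(["netstat", "-tulp"], capture_output=True, text=True, check=True)
    return exposed_listeners(out.stdout)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample, six of the eight sockets come out as exposed (mpd on the LAN address, sunrpc and ssh on both address families, kdeconnectd, and the dhclient UDP socket), which is exactly the set a desktop user should be able to justify or close.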

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: Am I Infected by a virus?

#32 Post by bester69 »

pcalvert wrote:These lines caught my attention:
bester69 wrote:

Code: Select all

tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      -                   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -                   
Do you need to have an SSH server running? And I believe that it's probably not necessary to have portmap ("sunrpc") listening on all interfaces. From my notes:
You can configure portmap to listen only on the loopback. Uncomment the line in /etc/default/portmap that looks something like
"OPTIONS= -i 127.0.0.1", and then restart portmapper. That should allow gnome to talk to local RPC and keep remote hosts out.
Phil
Hi Phil,
ssh must be necessary for kdeconnect, and I don't have that file on my system (/etc/default/portmap).

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Solved] Am I Infected by a virus?

#33 Post by bester69 »

Solved by blocking incoming traffic with a firewall (gufw).

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#34 Post by bester69 »

Hi,

Two and a half months later, it has happened again... I'm sure this infection arrives through the Opera browser and affects system memory, so I guess it comes in through the browser's JavaScript, such as is reported with Spectre or Meltdown... So I think I'm being attacked with the Spectre/Meltdown vector security hole... So, I guess somewhere, someone is tracing my IP with the listening attack vector Spectre/Meltdown... wth!!, I didn't think that was able to happen to an anonymous user like me.

So, the firewall has not been enough to protect me against this attack vector (I'm guessing it's about Spectre or Meltdown), as has been reported by known sources.

I guess I will have to enable back those security patches in GRUB, and wait for next time to see if it happens again.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#35 Post by bester69 »

Hi,

Running spectre-meltdown-checker, for CVE-2017-5754 aka 'Variant 3, Meltdown', it says:
* Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
Does this mean only applying this patch (enabling PTI) has a significant impact on my system? ...so I can keep the rest of the patches applied but this one?

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 72 times

Re: [Not Solved] Am I Infected by a virus?

#36 Post by stevepusser »

How are you "applying the patch"? Are you just removing the kernel boot flag that disables pti?

You can install stress and run some benchmarks before and after to see if your performance takes a hit.
MX Linux packager and developer

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: [Not Solved] Am I Infected by a virus?

#37 Post by Head_on_a_Stick »

bester69 wrote:I'm sure this infection arrives through Opera browser
+1

Opera is webkit-based and those libraries are massively outdated in Debian stable, you have a gaping hole in your system...

Use either chromium or firefox-esr from the official repositories.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#38 Post by bester69 »

stevepusser wrote:How are you "applying the patch"? Are you just removing the kernel boot flag that disables pti?

You can install stress and run some benchmarks before and after to see if your performance takes a hit.
Yes, I'm removing boot flags. Now I've enabled back the spectre_v2 patch and left Meltdown (PTI disabled >> spectre/meltdown checker says performance impact of PTI will be significant)
My kernel: 4.4.167

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="zswap.enabled=0 zswap.zpool=zsmalloc apparmor=0 nopti noibrs noibpb"
When I enable PTI to protect against Meltdown, I noticed the internet browser feels less responsive; for example, the vertical scrollbar on some heavy JavaScript sites becomes laggy. So, I have only left the Spectre mitigation on for now.
My laptop, an Extensa 5230, has very little CPU for the latest Chrome/Firefox browsers and for Meltdown/Spectre mitigations... the system becomes kind of slow.

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: [Not Solved] Am I Infected by a virus?

#39 Post by Wheelerof4te »

bester69 wrote:My laptop, an Extensa 5230, has very little CPU for the latest Chrome/Firefox browsers and for Meltdown/Spectre mitigations... the system becomes kind of slow.
Well, you asked for it by:
1. running an outdated browser,
2. running an insecure, old kernel,
3. using wine heavily,
4. in general being stubborn about switching from the bloated, old KDE version that your system can't run fast enough.

If I were you, I would first reinstall Debian Stable with either XFCE4 or learn some window manager. Openbox+tint2 panel is a good start for beginners. Then, I would quit breaking and meddling with my system by creating countless scripts that do who-knows-what. Once you do all that, your system will be safe and you yourself will be less stressed.
As motivational info, I myself used the Openbox+tint2 combo on my old PC with 512MB of RAM, a Celeron D CPU and 80 GB of spinning-rust storage. Yours is surely faster than that.

bester69
Posts: 2072
Joined: 2015-04-02 13:15
Has thanked: 24 times
Been thanked: 14 times

Re: [Not Solved] Am I Infected by a virus?

#40 Post by bester69 »

For the moment, I've left only the spectre_v2 protection enabled... and the Meltdown protection disabled (due to performance impact). I will keep the outdated Opera v42 browser (can't live with the latest browser versions, not enough CPU to run them properly) and see if it happens again.

I think I will take that risk, rebooting the computer immediately every time it happens... I've read it reads loaded process memory to steal information, so I don't usually have any other app open together with the browser, and when that happens it's for a very short time, so I don't see any big risk here... furthermore, it seems this attack affects normal keyboard behaviour, so I can watch for when I'm under attack to reboot the system.
