Possible malware problem

Possible malware problem

Postby contrapositive » 2012-08-15 23:52

My system went down unexpectedly a couple days ago. I got it up and running again and restored everything from my back-up drive. Interestingly, I noticed that my /tmp partition is now executable along with a number of files throughout the file tree in my /home/user/ directory. I'm relatively ignorant when it comes to security and malware. I'm looking for any and all recommendations as to how I should proceed from here. I would just delete the files and start over, but many of them are related to work, school, and personal projects.

All I've done so far is follow the directions and comments at 'http://www.debian-administration.org/article/Making_/tmp_non-executable' for the purposes of making /tmp non-executable. It seemed like a good first step. I'm scanning my filesystem with ClamAV as we speak. But I don't have too much confidence in anti-virus software.

Again, I'm looking for any and all recommendations as to how I should proceed from here. Thanks in advance. I'll pay it forward.
Last edited by contrapositive on 2012-08-20 00:22, edited 1 time in total.
contrapositive
 
Posts: 6
Joined: 2012-05-01 18:45
Location: the Otherside

Re: Security/Malware problem!

Postby bw123 » 2012-08-16 12:29

There was a time, way back in DOS days and even on early Windows machines, when I knew what every single file on my computer was. I knew what program put it there and what it was for. Can't really say I know that much about the whole Debian OS yet; I haven't used it that long, but I am getting acquainted with /home/user and I don't like executable files there except scripts that I look through or write myself.

I have noticed that files on fat32/ntfs partitions are set executable no matter the type, and that follows the copy to ext2fs.

About the possible malware thing, I hope you did save /var/log so you can figure out later what happened?
wheezy/fluxbox, GNU/Linux 3.10-0.bpo.3-amd64
bw123
 
Posts: 1826
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Security/Malware problem!

Postby swftech » 2012-08-16 23:26

I understand it's strange if you're saying these files have had the permissions changed somehow, but I'm curious why you think it's malware? Malware is very rare on a Linux system, as I'm sure you already know. I haven't seen any type of malware in Linux since I started using it many years ago. I spend my days cleaning up Windows systems (it's one of my jobs) so I am very familiar with files being changed by it, but have never come across it in Linux. I am actually wondering if during your restore process of your backup something might have caused this to happen. It will be interesting to see what ClamAV comes up with when your scan has finished.
swftech
 
Posts: 5
Joined: 2012-07-05 14:37
Location: SW Florida

Re: Security/Malware problem!

Postby vbrummond » 2012-08-16 23:34

I am fairly sure (unless things have changed) that clamav is used for finding Windows viruses. Something being executable is usually as a result of the copy and not some kind of malware attack. I remember I used to have text files copied over from a Windows partition that would say "executable text file" and it turns out it was just marked as executable. Just use chmod to remove the executable flag if you are worried about it.
vbrummond
 
Posts: 4114
Joined: 2010-03-02 01:42
Location: USA

Re: Security/Malware problem!

Postby contrapositive » 2012-08-20 00:20

Maybe it's not any kind of malware... When I try to scan my home directory with ClamAV, it continuously spews errors of this sort:

LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4092 bytes @ offset 4, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4072 bytes @ offset 24, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0

Anyways, I'm going through my logs from the old system setup to see if I can figure out what happened. I'll post anything I find.
contrapositive
 
Posts: 6
Joined: 2012-05-01 18:45
Location: the Otherside

Re: Possible malware problem

Postby dasein » 2012-08-20 03:57

Sounds like a possible HDD failure. Smartmontools tell you anything?
Carl Sagan wrote: In the fabric of space and in the nature of matter, as in a great work of art, there is, written small, the artist's signature.
I wish real life came with an "ignore list."
TFM: Debian Reference
dasein
 
Posts: 4418
Joined: 2011-03-04 01:06

Re: Possible malware problem

Postby contrapositive » 2012-08-31 01:08

I had not heard of smartmontools previously. I just installed it. I'll take a look at my hard drives ASAP. I did a little more research into the error message:

There is a problem with the configuration server. (/usr/lib/libgconf2-4/gconf-sanity-check-2 exited with status 256)

Many people have encountered this error. There's a multitude of alleged fixes:

http://ubuntuforums.org/showthread.php?t=1587918

I guess I was rather paranoid in thinking it was malware. I'm a Windows refugee; what can I say? Anyways, that doesn't explain why tons of the files in my home directory are now executable. I guess I'll write a shell script to traverse the directories and edit the permissions.
contrapositive
 
Posts: 6
Joined: 2012-05-01 18:45
Location: the Otherside

Re: Possible malware problem

Postby pete1967 » 2012-08-31 05:01

contrapositive wrote: I guess I'll write a shell script to traverse the directories and edit the permissions.

Code:
chmod -R [target]
pete1967
 
Posts: 14
Joined: 2012-04-30 11:03

Re: Possible malware problem

Postby dasein » 2012-08-31 05:14

contrapositive wrote: ... guess I'll write a shell script to traverse the directories and edit the permissions.

Hmph. More Windows-think.

All you need is mastery of two commands: find and chmod.

I commend you to their respective man pages.
dasein
 
Posts: 4418
Joined: 2011-03-04 01:06
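An added example (not code from any post in this thread) of the find + chmod approach dasein refers to: it lists the regular files under a directory that carry any execute bit, then strips the bit from everything except files that start with a "#!" shebang, which is the assumed rule for "scripts I wrote myself". It assumes GNU find/chmod as shipped on Debian and filenames without embedded newlines.

```shell
#!/bin/sh
# Added example: audit and clean stray execute bits under a directory.
# Assumption: a file that begins with "#!" is a script that legitimately
# wants its execute bit; every other regular file loses it.

# Print every regular file under "$1" that has any execute bit set
# (owner, group or other). -xdev keeps find on one filesystem, so a
# mounted Windows partition under the tree is not touched.
list_exec_files() {
    find "$1" -xdev -type f -perm /111 -print
}

# Succeed (exit 0) if the file starts with a shebang.
has_shebang() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Remove a-x from each non-script executable file under "$1".
# Prints "keep <file>" for shebang scripts and "fixed <file>" for every
# file whose mode was changed, so the run leaves an auditable record.
strip_exec_files() {
    list_exec_files "$1" | while IFS= read -r f; do
        if has_shebang "$f"; then
            printf 'keep  %s\n' "$f"
        else
            chmod a-x "$f" && printf 'fixed %s\n' "$f"
        fi
    done
}

# Constructed demo tree: one real script and one text file that came back
# from a backup with mode 755, plus a correctly non-executable file.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$d/script.sh"; chmod 755 "$d/script.sh"
    printf 'lecture notes\n'      > "$d/notes.txt"; chmod 755 "$d/notes.txt"
    printf 'plain data\n'         > "$d/plain.txt"; chmod 644 "$d/plain.txt"
    echo "before:"; list_exec_files "$d"
    strip_exec_files "$d"
    echo "after:";  list_exec_files "$d"
    rm -rf "$d"
}

demo
```

Run it against your own home directory with `strip_exec_files "$HOME"` after reviewing the output of `list_exec_files "$HOME"` first, since a binary you built yourself has no shebang and would lose its bit too.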
