Virus?

ceilingFan · 07-23-2007, 05:03 PM

Distribution:
FC6, installed last month

What happened:
I was browsing YouTube.com, and Firefox stops responding. I manage to kill it, and when I try to re-open my connection is dead. Usually I get rid of that problem by logging out, re-setting the modem.

I try to log out: instead of getting the log-in screen, it goes to text mode and this message:

"perth0: something wicked just happened"

gets repeated and fills the screen pretty quick. Keyboard and mouse are useless. I re-set from the button, unplug the network cable, log in as root and delete the user account in which the above happened - it was a browsing only account, nothing lost.

However, now I have lots of worries:
- did I over-react? The message did not look like a debugging message, it sounded childish to me
- if it was a virus - possibly exploiting some Firefox flaw - is there a chance it might have leaked in the rest of the system before I deleted the account?
- in general, are there steps I can take to prevent such mis-haps from affecting the rest of my system?

Thanks!

unSpawn · 07-23-2007, 05:12 PM

Grep -r the kernel source under drivers/net and you'll see a few "Something Wicked happened!" messages. Looks like a network driver error. Post some actual messages from /var/log/messages (there may be other "weird" kernel messages in its vincinity)?

ceilingFan · 07-23-2007, 06:06 PM

Ok, so it may be a debugging message after all..

Here is what I could find unusual in the /var/log/messages :

About one hour before the event - possibly when I logged on YouTube:

Code:

Jul 22 22:55:13 localhost gconfd (tirbushon-26631): starting (version 2.14.0), pid 26631 user 'tirbushon'
Jul 22 22:55:13 localhost gconfd (tirbushon-26631): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Jul 22 22:55:13 localhost gconfd (tirbushon-26631): Resolved address "xml:readwrite:/home/tirbushon/.gconf" to a writable configuration source at position 1
Jul 22 22:55:13 localhost gconfd (tirbushon-26631): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Jul 22 22:55:15 localhost kernel: printk: 214 messages suppressed.
Jul 22 22:55:15 localhost kernel: 4gb seg fixup, process mono (pid 26693), cs:ip 73:0811cd78
Jul 22 22:55:15 localhost last message repeated 3 times
Jul 22 22:55:16 localhost gconfd (tirbushon-26631): Resolved address "xml:readwrite:/home/tirbushon/.gconf" to a writable configuration source at position 0
Jul 22 22:55:17 localhost kernel: printk: 126 messages suppressed.
Jul 22 22:55:17 localhost kernel: 4gb seg fixup, process mono (pid 26693), cs:ip 73:0811cbff
Jul 22 22:55:18 localhost pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Jul 22 22:55:18 localhost last message repeated 2 times
Jul 22 22:55:20 localhost yum-updatesd: error getting update info: Cannot find a valid baseurl for repo: core
Jul 22 22:55:20 localhost pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Jul 22 22:55:21 localhost pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Jul 22 22:55:26 localhost kernel: printk: 87493 messages suppressed.

At the time when it happened:

Code:

Jul 22 23:53:07 localhost pppd[30028]: No response to 3 echo-requests
Jul 22 23:53:07 localhost pppd[30028]: Serial link appears to be disconnected.
Jul 22 23:53:07 localhost pppd[30028]: Connect time 1579.3 minutes.
Jul 22 23:53:07 localhost pppd[30028]: Sent 9900634 bytes, received 168208745 bytes.
Jul 22 23:53:13 localhost pppd[30028]: Connection terminated.
Jul 22 23:53:13 localhost pppd[30028]: Modem hangup
Jul 22 23:53:13 localhost pppoe[30029]: read (asyncReadFromPPP): Session 1372: Input/output error
Jul 22 23:53:13 localhost pppoe[30029]: Sent PADT
Jul 22 23:53:13 localhost pppd[30028]: Exit.
Jul 22 23:53:13 localhost adsl-connect: ADSL connection lost; attempting re-connection.
Jul 22 23:53:17 localhost gconfd (tirbushon-26631): Exiting

<ommited a dozen lines with 'beagle'>

Jul 22 23:53:39 localhost syslogd 1.4.1: restart.
Jul 22 23:53:39 localhost kernel: klogd 1.4.1, log source = /proc/kmsg started.
Jul 22 23:53:39 localhost kernel: Linux version 2.6.18-1.2798.fc6xen (brewbuilder@hs20-bc2-4.build.redhat.com) (gcc version

thloh85 · 07-23-2007, 07:03 PM

Pretty much of the times... It won't harm your PC... Unless you logged in as root...

unSpawn · 07-24-2007, 12:59 AM

Quote:

Originally Posted by ghostdev85

Pretty much of the times... It won't harm your PC... Unless you logged in as root...

Could you then explain in detail how these "Something Wicked happened!" messages harm your computer while being logged in as root account user? TIA.