Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I know little about security and have only been on the internet for a few days, so imagine my dismay when a dialog box from "Court Security Group" suddenly appears. The other windows won't work until I deal with it.
It has a blue ? and says that there are indications of a virus or malware and that I should click OK for a free cleansing. Foolishly, perhaps, I click its 'Cancel' button and it is replaced with another one (this time with a red !) saying that the stuff needs to be got rid of soonest.
So I shut down the computer.
courtsecurity.com appears to be an unused site that is for sale. "Court Security Group" I cannot find with a cursory search.
Should I panic? It worries me that it was sort of more than a popup - other windows would not respond when it was open.
[it should have been: courtsecuritygroup.com, not courtsecurity.com]
Last edited by lugoteehalt; 11-02-2009 at 02:56 PM. Reason: mistake
Most of the links were highly suspicious of courtsecuritygroup.
Problem is: when I restarted the computer (or perhaps merely started a new session, I can't recall) and went back to the iceape virtual desktop, the dialog boxes were still there. I clicked the close X on the border and a page appeared with a lot of fast activity on it. It took about 1 second to (apparently) shut this down, but it might have done something to the computer in this period.
This is very paranoia-inducing; I've only been on the internet a couple of days. Could they have picked me up because I've been asking security questions?
How do I find out if anything has been done to the computer?
Last edited by lugoteehalt; 11-02-2009 at 02:18 AM.
Quote:
Problem is: when I restarted the computer (or perhaps merely started a new session, I can't recall) and went back to the iceape virtual desktop, the dialog boxes were still there. I clicked the close X on the border and a page appeared with a lot of fast activity on it. It took about 1 second to (apparently) shut this down, but it might have done something to the computer in this period.
This is very paranoia-inducing; I've only been on the internet a couple of days. Could they have picked me up because I've been asking security questions?
The rest of your message is consistent with a site that gives you pop ups telling you that your installation is corrupt/infected and that they will cure it for you. Mostly this is a ploy to get otherwise uninfected computers (or even people in a technical class that I'll call suckers with already-infected computers) to give them permission to install new malware.
Note that they don't much care whether your computer is already infected and don't check. All that they want is to give you new malware.
Unless you have clicked on something on their site, they probably have not been generous enough to give you new malware (and, things being what they are, their malware installer may well only do anything on Windows).
What is unclear to me is how you ended up at this site: did you go there entirely optionally (ie, you chose to go there) or did something else automatically take you there? The latter case would be worrying, in the former you may not have anything to worry about.
I doubt they have picked on you in any way; they don't much care who they get, provided that they haul people in.
At this point, if you had an intrusion detector I would advise you to give it a run; maybe you want to try Rootkit Hunter, or something?
I run Linux only and it tells me it is scanning my C: and D: drives (I don't have C or D drives, just /), finding viruses and malware (a downright lie!).
Then it gives me a "Windows Security Alert!" and wants me to install and run install.exe, which is no doubt some Windows trojan/malware.
Quote:
What is unclear to me is how you ended up at this site: did you go there entirely optionally (ie, you chose to go there) or did something else automatically take you there? The latter case would be worrying, in the former you may not have anything to worry about.
At this point, if you had an intrusion detector I would advise you to give it a run; maybe you want to try Rootkit Hunter, or something?
It was the latter case:
Quote:
The latter case would be worrying
I installed rkhunter and ran it, and about half of the output was warnings:
Code:
System checks summary
=====================
File properties checks...
Files checked: 133
Suspect files: 104
Rootkit checks...
Rootkits checked : 113
Possible rootkits: 0
Applications checks...
Applications checked: 3
Suspect applications: 0
The system checks took: 1 minute and 44 seconds
All results have been written to the logfile (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
{Some typical excerpts from said log}
[20:22:40] /bin/chmod [ Warning ]
[20:22:40] Warning: The file properties have changed:
[20:22:40] File: /bin/chmod
[20:22:40] Current hash: e90f00a3a78b488981af11de5dfc9934eb3c1616
[20:22:40] Stored hash : dd7dbdf5138131e6ddb1f61c1f052a4c
[20:22:47] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
[20:23:01] /sbin/modprobe [ OK ]
To be frank, I'm not much wiser. Perhaps I was freaking out unnecessarily because of inexperience.
The router keeps a small log on its website.
Tredegar: The dialog boxes said nothing about windows, but what you say is comforting.
Last edited by lugoteehalt; 11-02-2009 at 03:22 PM.
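An added example, not code from the thread or from rkhunter: a small triage script over the kind of log excerpt posted above. One thing worth noticing in that excerpt is that the "Stored hash" for /bin/chmod is 32 hex characters (MD5 length) while the "Current hash" is 40 (SHA-1 length), so the baseline and the current run were computed with different hash functions and could never have matched; that is a baseline problem, not evidence the file changed. The script separates that case from a genuine digest change and from the "replaced by a script" warning. The sample log embeds the seven lines from the post plus a constructed /bin/ls entry; the classification rules and the advice text are this example's own heuristics.

```python
import re
from collections import Counter

# Added example (not from the thread or from rkhunter): triage rkhunter
# "file properties" warnings.  Hash-length classification and advice strings
# are this example's own heuristics, not anything rkhunter reports itself.

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

_TS = r"^\[\d\d:\d\d:\d\d\]\s+"                      # "[20:22:40] " prefix
FILE_RE = re.compile(_TS + r"File:\s+(?P<path>\S+)$")
HASH_RE = re.compile(_TS + r"(?P<which>Current|Stored) hash\s*:\s*(?P<hex>[0-9a-fA-F]+)$")
SCRIPT_RE = re.compile(
    _TS + r"Warning: The command '(?P<path>[^']+)' has been replaced by a script: (?P<detail>.+)$"
)

# First seven lines are the excerpt from the post; the /bin/ls block is
# constructed here to exercise the "same algorithm, different digest" branch.
SAMPLE_LOG = """\
[20:22:40] /bin/chmod [ Warning ]
[20:22:40] Warning: The file properties have changed:
[20:22:40] File: /bin/chmod
[20:22:40] Current hash: e90f00a3a78b488981af11de5dfc9934eb3c1616
[20:22:40] Stored hash : dd7dbdf5138131e6ddb1f61c1f052a4c
[20:22:47] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
[20:23:01] /sbin/modprobe [ OK ]
[20:23:05] /bin/ls [ Warning ]
[20:23:05] Warning: The file properties have changed:
[20:23:05] File: /bin/ls
[20:23:05] Current hash: 0123456789abcdef0123456789abcdef01234567
[20:23:05] Stored hash : 89abcdef0123456789abcdef0123456789abcdef
"""


def _algo(hexdigest):
    return HASH_ALGO_BY_LEN.get(len(hexdigest), "unknown")


def _classify_hashes(finding):
    """Decide what a 'file properties have changed' warning actually means."""
    cur, stored = finding["current_hash"], finding["stored_hash"]
    finding["current_algo"], finding["stored_algo"] = _algo(cur), _algo(stored)
    if len(cur) != len(stored):
        # Baseline and current run used different hash functions: the compare
        # can never succeed, and it says nothing about the file itself.
        finding["kind"] = "hash-algorithm-mismatch"
        finding["advice"] = (
            f"baseline is {finding['stored_algo']}, this run used {finding['current_algo']}; "
            "verify the file with the package manager (debsums on Debian, rpm -V on RPM "
            "systems) and, if clean, rebuild the baseline with 'rkhunter --propupd'"
        )
    elif cur != stored:
        finding["kind"] = "hash-changed"
        finding["advice"] = ("content differs from the baseline; rule out a package "
                             "update before re-baselining, otherwise treat as tampering")
    else:
        finding["kind"] = "metadata-changed"     # size/mtime/inode moved, content did not
        finding["advice"] = "content unchanged; compare the other properties in the log"
    return finding


def triage(log_text):
    """Return one finding dict per warning, in log order."""
    findings = []
    pending = None          # 'file properties' finding still waiting for its hash lines
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SCRIPT_RE.match(line)
        if m:
            findings.append({
                "path": m.group("path"),
                "kind": "replaced-by-script",
                "detail": m.group("detail"),
                "advice": ("check whether the distribution ships this command as a script "
                           "(Debian's which is one); if so, list it under SCRIPTWHITELIST "
                           "in rkhunter.conf"),
            })
            continue
        m = FILE_RE.match(line)
        if m:
            pending = {"path": m.group("path")}
            findings.append(pending)
            continue
        m = HASH_RE.match(line)
        if m and pending is not None:
            pending[m.group("which").lower() + "_hash"] = m.group("hex")
            if "current_hash" in pending and "stored_hash" in pending:
                _classify_hashes(pending)
                pending = None
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'hash-algorithm-mismatch': 1, ...}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['path']:<14} {f['kind']:<24} {f['advice']}")
    print(summarize(triage(SAMPLE_LOG)))
```

The point of the split is that none of the three kinds is a rootkit finding on its own: a length mismatch means the property database is stale or was built with a different hash tool, a script replacing a binary is normal for commands the distribution ships as shell scripts, and only a same-algorithm digest change needs to be checked against the package manager before deciding whether to trust the file or re-baseline it.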