LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-11-2008, 08:01 PM   #1
drachenchen
Member
 
Registered: Feb 2006
Location: Kalamazoo, Michigan, in what used to be the USA
Distribution: (Ex-Ubuntu due to Unity), Debian Squeeze, Bodhi w/ E-17 "Stable", MacPup525, Legacy (TeenPup) Live
Posts: 39

Rep: Reputation: 34
May have contracted malware. Yes, malware. Firefox on Ubuntu Feisty. Seeking a fix


Howdy.

Me:

Barely post-newbie, came to linux from Mac and then Windows, have been using Ubuntu almost exclusively for just over a year. Good brain for problem-solving, still on the steep side of the Linux learning curve, and a mostly cook-book level of CLI use.

System:

Asus mobo, 1.6GHz, 1.5GB, Intel 32, running Ubuntu Feisty (7.10), and Firefox w/Adblock, Fasterfox, NoScript, and Ubufox extensions (I think it's version 2.0.0.3, but I'm not sure, and I don't dare open it to check the version, as it will probably mean shutting down the box for ANOTHER hard boot). I have recently had a very occasional BIOS beep code for "video ram or video card problem", but it's an older box, and I've been living with it. I don't think this is related to the current problem.

Problem:

I was tired, chasing down info about HTML, and allowed NoScript temporary permission to run a script on a site that seemed harmless enough, and wasn't loading the content promised. Got an immediate freeze on the page, had to push the big button on the box-front. Cursing ensued. Since then, standard Ubuntu programs I try to use gradually grind to a halt, with the error message that the "(program) is not responding". Waiting doesn't help. I have to "force quit". Firefox is the hardest hit, but I can't even get a Gnome terminal. I have to hit alt-F2, and type in "xterm" to get any terminal at all. At boot, the login system sound repeats, and the screen flashes twice, as though it were loading an extra desktop. Overall performance would also suggest this. The Firefox logo on the application bar above the desktop comes and goes, sometimes replaced by the Opera logo, which is not the default browser. At the last boot attempt, the desktop did not load either of the taskbars. Opera is able (-so far!) to stay up and function normally. Bless Norway.
Also, I haven't backed up the last few days work coding web pages off-site, or even off the computer.

What I've done so far:

Typing in terminal, "ps -AT", and "top", I learned that there was a zombie process running. Found a zombie-hunting code string on the web, posted by someone gobs more knowledgeable than me, and used it. Found a process ID, and typed "kill -9 (process#)". This does not seem to have fixed the problem AT ALL.

I've been all day trying to fix this. I'm not much good at the command line. My web searches just turned up gobs of Windows apps, Windows articles with some passing reference to Linux, and two-year-old happy talk about how Linux is bomb-proof, and you'll never have to worry about malware. The few articles I found that seemed like they might touch on the problem swiftly descended into opaque (-to me!) technical jargon.

This may not be about malware. I'm barely ignorance-deficient enough to realize that I may be reading this entirely wrong. However... It sure as Hel reminds me of when my old Windows partitions would pick up something nasty, before I learned about Spybot S&D, Avast, etc. The behavior of this box is very similar, if you'll pardon the anthropomorphizing. It's not the slowness that I notice so much as the unpredictability. That, and the fact that Opera continues to run fine, leads me to think of malware, targeting the ever-more-popular Firefox.

What I'm really after is some sort of comprehensive approach to detecting and cleaning up whatever the problem is. I've already spent much of the day cursing myself for getting sloppy with NoScript, but if anyone really feels the need to give me more grief on that score, be happy.

Most of my box is backed up, and could be re-loaded. The main thing I want to salvage are the web pages I've been working on for the last week, and my bookmarks. If I could do that, I'd be fine if the fix involves burning down the HDD, re-installing, and then listening to stern admonishments to "Never, EVER do that again!" Any help on this would be greatly appreciated. In particular, if anybody could recommend good Linux malware-killing tools?

One thing just occurred to me. In Ubuntu, is the default password / user setup essentially like "running as root" under Windows? If so, I may have to fix that somehow. Anyway, thanks in advance! Later.

-drachenchen
 
Old 06-11-2008, 08:16 PM   #2
yancek
Senior Member
 
Registered: Apr 2008
Distribution: PCLinux, Ubuntu, Slackware
Posts: 4,553

Rep: Reputation: 711
If you use 'sudo', enter a command, and enter your user password, you are running as root in Ubuntu. Was that your last question?

Here's a link to System Rescue which might be able to help you save some files: http://www.sysresccd.org/Main_Page

Linux can get viruses, but the difference is that Linux was designed from the beginning as multiuser, and if a person does not run as root except when absolutely necessary the likelihood is seriously diminished. Also, one user getting some malware won't affect another user on the same machine unless permissions allow anyone access.

I have no specific ideas about your problem, but if it is affecting Firefox primarily, maybe try removing and re-installing it. I'd wait a while; someone may come along who is more familiar with this sort of problem.
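yancek's point above bounds the search: a script that Firefox ran had only the logged-in user's privileges, not root's (unless a sudo password was typed into something along the way), so anything it left behind that survives a reboot has to sit in that user's home directory or the user's crontab. The same fact is why trying a fresh user account, suggested later in this thread, is a meaningful test. The script below is an added example, not code from the thread or from Ubuntu: it lists the per-user startup and browser-profile locations whose files changed after a reference time. The location list (a 2008-era GNOME desktop) and the existence of a file whose timestamp predates the incident are both assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. A script that Firefox executed ran as
# the logged-in user, so anything it left behind that survives a reboot must sit
# in that user's home directory (or the user's crontab); system directories need
# root. This lists the per-user startup and profile locations changed after a
# reference time. Both the location list (a 2008-era GNOME desktop) and the
# existence of a reference file older than the incident are assumptions.
set -u

# Per-user places that run code at login or browser start, relative to the home
# directory under inspection. Assumed list; extend it for other desktops/shells.
PERSISTENCE_PATHS=".bashrc .bash_profile .profile .xsession .xinitrc .gnomerc
.config/autostart .gnome2/session-manual .mozilla/firefox"

# Print, one per line, files under home $1 in those locations whose mtime is newer
# than reference file $2 (e.g. a photo or backup you know predates the incident).
changed_since() {
    home=$1; ref=$2
    for rel in $PERSISTENCE_PATHS; do
        p="$home/$rel"
        [ -e "$p" ] || continue
        find "$p" -type f -newer "$ref"
    done | LC_ALL=C sort
}

# Number of such files. Non-zero is a lead to read by hand, not a verdict: a
# normal browsing session also rewrites files under .mozilla.
changed_since_count() {
    changed_since "$1" "$2" | wc -l
}
```

Run it as `changed_since /home/drachenchen /home/drachenchen/some-old-file` (names assumed) from the live CD or from a second account, so the suspect account's own shell startup files are not being executed while you look at them. The user crontab lives outside the home directory, so check it separately with `crontab -l` as that user. Timestamps can be rewritten by anything with write access to the file, so an empty result is weaker evidence than a non-empty one; rewriting them, though, needs the same user-level access, which is exactly the boundary yancek describes.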
 
Old 06-11-2008, 08:46 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,019
Blog Entries: 54

Rep: Reputation: 2766
Thanks for the story. First things first. How about you boot your distro's installer CD in rescue mode (or use a Live CD like KNOPPIX or equivalent), find /home, copy it to external media like USB stick or drive or burn to CD/DVD(-RW)?
 
Old 06-11-2008, 11:42 PM   #4
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Linux is a little more hands-on than Mac or Microsoft.
Coming from Windows to Linux explains the Malware theory.

Malware payloads come in the form of javascript and 99% of
the time target Windows to add to the botnet campaign for
spamming. So there is some monetary gain involved.

The new GPcode variant explains this theory.

The last well reported malware for Apple was the DNS trojan changer.
For Linux it is < 0 to see this and would be considered something
"in the wild" or a targeted attack.

So from this it would be a good idea to think there is an error
with the OS or the app while using Linux.

Then create a troubleshooting process with malware at the bottom
of the list for possible causes.

Try reinstalling Firefox from scratch.
 
Old 06-12-2008, 05:12 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
I've merged the posts from the duplicate into this thread.
 
Old 06-12-2008, 06:12 AM   #6
GazL
Senior Member
 
Registered: May 2008
Posts: 3,330

Rep: Reputation: 884
First, you need a good slapping for still running Firefox 2.0.0.3. There's really no excuse for not keeping up with updates, especially for something like a browser. .14 is the latest, so you're way behind.

Having said that, though you shouldn't rule out malware, I wouldn't assume that is the problem. I've had the Ubuntu desktop setup go a bit funky on me in the past for no apparent reason.

I think Ubuntu has some sort of 'failsafe' gnome environment available on the login screen. It might be worth trying that and seeing if you can fix the issue from there. Maybe create a new user and see if the problems are specific to your current user.

Ubuntu is not my preferred distribution so I'm not in much of a position to add much else here, though if your hardware is bleeping at you, that's never a good sign.
 
Old 06-12-2008, 06:53 AM   #7
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Open Synaptic, uninstall firefox, copy /home to external media, give yourself a new user with sudo permissions (run visudo in terminal). Reinstall firefox, and let us know how you go. Please don't copy old files from old home to new home!

Let us know if that helps.
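unSpawn's post #3 (boot a rescue or live CD and copy /home to external media) and irishbitte's post #7 (new user, reinstall Firefox, don't copy the old files across) are two halves of one procedure. The script below is an added example, not code from the thread or from any Ubuntu tool, that does both halves and adds the check a practitioner would want in between: it verifies the copy by checksum before anything on the disk is wiped, and it restores only data plus bookmarks into the fresh account, leaving the old dotfile configuration behind. Device names, mount points, the user name and the Firefox profile layout (bookmarks.html under ~/.mozilla/firefox/<profile>/, as Firefox 2 kept it) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Salvage a home directory from a rescue
# or live CD, prove the copy is intact, then bring only data (not dotfile config)
# into a fresh account. Device names, mount points and the user name are assumed.
#
# From the live CD, mount the sick root read-only so nothing on it can change:
#   mount -o ro /dev/sda1 /mnt/sick       # assumed: root partition of the sick box
#   mount /dev/sdb1 /media/usb            # assumed: the USB stick
#   backup_home /mnt/sick/home/drachenchen /media/usb/home-backup
set -u

# Copy home directory $1 to $2, dotfiles included, and verify every file by checksum.
backup_home() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    # -a keeps modes, owners and mtimes; the trailing "/." makes cp take dotfiles too.
    cp -a "$src/." "$dst/" || return 1
    # Manifest computed from the SOURCE, checked against the COPY: a flaky disk or
    # controller (the OP saw bad md5sums on downloads) must not hand us a bad backup.
    (cd "$src" && find . -type f -print0 | xargs -0 -r sha256sum) > "$dst/.backup.sha256" || return 1
    verify_backup "$dst"
}

# Re-check a backup against the manifest stored inside it. Non-zero means some
# file no longer matches what was read from the source.
verify_backup() {
    (cd "$1" && sha256sum -c --quiet .backup.sha256)
}

# Copy only non-hidden entries from backup $1 into new home $2, plus Firefox
# bookmarks. ~/.mozilla, ~/.gnome2 and the rest stay behind on purpose: a damaged
# profile is one of the things a fresh account is meant to leave behind.
restore_data_only() {
    from=$1; to=$2
    mkdir -p "$to/bookmarks-from-old-profile" || return 1
    for entry in "$from"/*; do
        [ -e "$entry" ] || continue        # no match: the glob stayed literal
        cp -a "$entry" "$to/" || return 1
    done
    # Firefox 2 keeps bookmarks as HTML inside each profile directory (assumed
    # layout); take each bookmarks.html, tagged with its profile name, and nothing else.
    find "$from/.mozilla/firefox" -name bookmarks.html 2>/dev/null | while read -r bm; do
        prof=$(basename "$(dirname "$bm")")
        cp "$bm" "$to/bookmarks-from-old-profile/$prof.html" || exit 1
    done
}
```

The manifest `.backup.sha256` stays inside the backup, so `verify_backup /media/usb/home-backup` can be rerun any time later, including after the old install is gone; keep the backup read-only between runs. Bookmarks land in a subdirectory of the new home rather than in the new profile, so the reinstalled Firefox starts clean and the old bookmarks are imported by hand once the browser is known to behave.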
 
Old 06-15-2008, 02:52 PM   #8
drachenchen
Member
 
Registered: Feb 2006
Location: Kalamazoo, Michigan, in what used to be the USA
Distribution: (Ex-Ubuntu due to Unity), Debian Squeeze, Bodhi w/ E-17 "Stable", MacPup525, Legacy (TeenPup) Live
Posts: 39

Original Poster
Rep: Reputation: 34
Howdy, everyone, and thanks for all the advice.

Sorry I've been so slow getting back to everyone, but my job burned up all my time until now. First, thanks to unSpawn and internetSurfer for giving me the "Don't Panic!" in big, friendly letters. I have had time to re-think this mess, and tried moving malware to the bottom of the list of likely causes. Also, to GazL, I finally got Firefox to stay open long enough to check, and the version number was actually 2.0.0.14, so you can stop slapping me. I have to cut this short right now, as I just heard thunder, and I need to get off and unplug the computer, but I'll be back on after it passes. Later, and thanks!

-drachenchen
 
Old 06-18-2008, 12:01 PM   #9
drachenchen
Member
 
Registered: Feb 2006
Location: Kalamazoo, Michigan, in what used to be the USA
Distribution: (Ex-Ubuntu due to Unity), Debian Squeeze, Bodhi w/ E-17 "Stable", MacPup525, Legacy (TeenPup) Live
Posts: 39

Original Poster
Rep: Reputation: 34
OK, it's three days later, and I finally have my files backed up. In the interim, I've tried to make ClamAV for Linux work, and failed, and I've used f-prot on everything related to Firefox, and it came back negative.

Also, I said I was running Feisty, when in fact I'm running Gutsy. Oops.

I got a few times when the process "trackerd" was going nuts and eating 98-99.5% of the processor, so of course, I started thinking malware again, until I read up on it, and found out that it's supposed to occasionally do that, and shut down upon other demands to the CPU. Also found mention of that problem with trackerd when there were a whole lot of files in the home directory. Spent a lot of time cleaning out my home directory, and the problem seems to have lessened slightly. Sometimes.

I finally fired up Synaptic, removed Firefox, and re-installed it, as per irishbitte's suggestion. During the install I got this message:
"Warning! Something created compreg.dat! Your system was affected by this bug: https://launchpad.net/bugs/30791
compreg.dat has now been removed again, which should fix the problem."

I got exactly one good, fast start of Firefox before more hangs happened. Read up on the bug, checked out the file in question, found out that two copies of compreg.dat were there in two separate folders within /.mozilla-firefox, and commented out the "idn" line on both of them. So, compreg.dat was not removed during the install, and commenting out the part related to the mentioned bug didn't change the hang-fires.

Also, I tried to follow unSpawn's advice, and boot from the live CD. I tried to start up in safe graphics mode, and got as far as "Running local boot scripts". Then the display tried to start, and winked back off, six times in a row. I then got this message:

"The display server has been shut down about 6 times in the last 90 seconds. It is likely that something bad is going on. Waiting for two minutes before trying again on display: 0"

I clicked OK. In two minutes, it tried again, same results.

Then I tried loading the fail-safe gnome desktop from the boot screen. It came up blank, just the background colors, no icons, taskbars, or mouse cursor.

Later, I tried checking the driver under Admin: Screens & Graphics Preferences. The driver should be the right one, fglrx. Pressing the "test" button gave me a gray x-windows screen. On "keep current config?", pressing "keep" button returned me to the desktop. Timing out gives me: "Configuration test failed. Please verify the selected devices and config."

Another thing: I occasionally get the taskbar CPU display reading "100% in use", when I'm doing precious little or nothing. Typing "top" in terminal gives me a list of processes, where the tally of all their CPU percentages isn't even close to 100%. It's as though something is eating CPU in secret, sometimes.

Opera continues to run, mostly, and I can still get a terminal through alt-F2, but I get freezes of the desktop, sometimes without toolbars, sometimes with toolbars but no icons, sometimes with no background image.

I'm still not positively convinced that this couldn't be malware. A few of those error messages mentioned above sure kick me in the paranoia. Still, I'm now fairly convinced that the problem is probably related to either the video card, or the x-server. I've remembered that I changed my screen resolution in Preferences a fairly short time before the problem arose. I stumbled onto a thread in a Slackware forum where they mentioned problems they'd had with Debian-based distros needing some tweaking at the x-server level in order to change resolution without causing problems.

There was also the matter of the occasional odd BIOS beep codes, indicating video card or RAM problems. I reseated the AGP card, and haven't had the beep codes since then, but conversely, I still have SOME kind of problem. Also, two recent attempts to download files came back with incorrect md5sums.

So many choices. Malware? Hardware problems? X-server issues? Firefox, still? Gnome-related?

So, do I need to take this to another forum? I still wonder about the malware issue, because this first happened when I allowed a script to run on Firefox, and the "double-desktop" behavior on startup and all, but there are so many symptoms pulling me in different directions. As much as I try to read up on the symptoms, I still don't have a good clue of where to go next.

Anyway, thank you all for your help up to now. Any ideas for my next move? Upgrading to Hardy occurred to me, but if it's a hardware problem, that may just complicate things. Big sigh. I'm going to go for a bike ride, and when I return, the computer will have magically fixed itself, and I won't have to beat my head against a wall, or stay up late, or nothin'! Cheers! Later.
 
Old 06-18-2008, 12:34 PM   #10
tredegar
Guru
 
Registered: May 2003
Location: London, UK
Distribution: Ubuntu 10.04, mostly
Posts: 6,007

Rep: Reputation: 367
My quick 2 cents:

Why are you using 7.04? (k)ubuntu is up to 8.04 now, but I am still happily using 6.06 (the one with LTS, Long Term Support - it's supported for another 2 years or so, and is very stable in my experience - I maintain six installations for family & friends with absolutely no calls for OS-related support at all in the last two years).

I tried 7.04 once, and dropped it almost immediately. I prefer stability, security and functionality over eye-candy.

If you decide to install 8.04 (it's pretty, and OpenOffice 2.4 is much better, but some things are stupid (IMHO), or broken in 8.04) then please start by saving your personal files and then make a fresh install, too many people have run into trouble following the "upgrade" path.

I think your concerns about "malware" are probably unjustified, but it is sensible to be a bit paranoid!

As for searching for linux-related problems (your post #1) I find that the URL http://www.google.co.uk/linux tends to avoid the stuff I have no desire to hear about.

Good luck with whichever choice you make.
 
Old 06-18-2008, 03:02 PM   #11
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114
Just for fun, I one time had someone I know send me a payload via IM. She warned me it would crash my machine very badly, and I denied the possibility since I am running linux.

The payload she sent did indeed crash X...which actually surprised me...and took down the mouse and keyboard, forcing me to SSH into the machine from another machine to kill and restart X as well as the hotplug service. After doing that, I also had to fsck my root filesystem. It actually had me offline for about 15 minutes, and she was very apologetic (but laughing) when I came back online.

So, the payload actually did some fairly serious damage all things considered, and it is entirely possible that I would have been in worse shape had I hit the big button on the front of the box, rather than repairing the damage with the machine up and running. If nothing else, hitting the big button can leave the filesystem inconsistent and, though journaling fixes that most of the time it doesn't fix it every time.

I suspect that your installation is damaged, or at a minimum your user profile is damaged. If you wipe out the contents of the .kde directory in your /home directory, that will reset your user profile and very well might cause your problems to vanish. Be aware, though, that if you are using Kontact this will also wipe out all your contacts and depending on how your kmail is configured could eliminate it as well.

If you are using gnome, then the .gnome_private and .gnome-desktop directories are the ones to look at. I don't use gnome so I am not sure of all the implications of deleting these; someone else could tell you.

Problems with X suggest a problem with xorg.conf which is in /etc/X11.

You need to do your repairs from a console and not from any graphical environment. Your distro install disk should give you a repair mode that lets you work from a console. You could use a graphical environment if you use a live CD; this way you are not using the system you are trying to repair.

edit: you also need to fsck your filesystems, particularly the root filesystem. You have to do this from a repair installation since you can't have the filesystem mounted when you attempt to repair it. You should force fsck to run (fsck -f) because errors won't always be detected unless you do this.

Last edited by jiml8; 06-18-2008 at 03:06 PM.
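jiml8's two rules for the filesystem check are that the filesystem must not be mounted while fsck repairs it (hence the live CD or the installer's repair console) and that `fsck -f` is needed to force a full check. As an added example, not code from the thread, the shell functions below make the first rule mechanical: `is_mounted` reads the mount table (parameterised so it can be run against a constructed one), and `safe_fsck` refuses to touch a mounted device. `DRY_RUN` is a convenience for this example and the device names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. jiml8's rule, made mechanical: never run
# a repairing fsck on a mounted filesystem. Booted from the sick disk, / is always
# mounted and the check refuses; from a live CD the disk's partitions are not
# mounted (unless you mounted them to back up /home: umount first) and it proceeds.
set -u

# Is device $1 mounted according to mount table $2 (default /proc/mounts)?
# Returns 0 (true) when it is. Symlinked device names are resolved so that
# /dev/disk/by-uuid/... and /dev/sda1 compare equal.
is_mounted() {
    dev=$1; table=${2:-/proc/mounts}
    real=$(readlink -f "$dev" 2>/dev/null || printf '%s' "$dev")
    awk -v d="$dev" -v r="$real" '$1 == d || $1 == r { found = 1 } END { exit !found }' "$table"
}

# Force-check device $1 (fsck -f) only when it is not mounted. With DRY_RUN=1
# (assumed convenience variable for this example) print the command instead.
safe_fsck() {
    dev=$1; table=${2:-/proc/mounts}
    if is_mounted "$dev" "$table"; then
        echo "refusing: $dev is mounted; boot a live CD and run this from there" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "fsck -f $dev"
        return 0
    fi
    fsck -f "$dev"
}
```

From the live CD: `safe_fsck /dev/sda1` (device name assumed; `fdisk -l` shows the real one). Running fsck on a mounted, writable filesystem is what turns a repairable inconsistency into real damage, which is why the guard, not the fsck invocation itself, is the interesting line.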
 
Old 06-18-2008, 08:09 PM   #12
drachenchen
Member
 
Registered: Feb 2006
Location: Kalamazoo, Michigan, in what used to be the USA
Distribution: (Ex-Ubuntu due to Unity), Debian Squeeze, Bodhi w/ E-17 "Stable", MacPup525, Legacy (TeenPup) Live
Posts: 39

Original Poster
Rep: Reputation: 34
Howdy.

Thanks to tredegar and jiml8 for chiming in on this. Tredegar, I corrected myself earlier. I'm not running 7.04, I'm running 7.10 with gnome desktop. I've bookmarked the uk/linux link you sent, too.

jiml8, I've been suspecting that burning down the install might be the best course. I'm sure I would have been all panic and bad decisions if I had received that little "gift" your friend sent you. Reading between the lines, I'm sure you have far more experience with CLI than I do. I'm learning, but still not comfortable enough with it to just start changing things. I'll read up on commands like fsck, and how to re-start various servers, and I may give that a go.

However, I got back from my bike ride, and tried fishing out an old copy of Knoppix 3.1, and it booted where the Ubuntu disk, and Zenwalk, apparently couldn't. Pulled up a terminal, typed "dmesg | more", and there it was down at the bottom, two copies of my video card with different specs. I think I may have actually found the problem, or at least a hot lead to follow. Both are marked "unknown device", although they are correctly identified as ATI cards. The first is "01:00.0 VGA compatible controller", the second listing is "01:00.1 display controller", using different memory locations than the first, but which are marked "memory disabled".

Maybe my video card has gone schizo, and is too busy arguing with itself to display programs and whatnot. I wonder if this has anything to do with either my resolution change, or with the script I let Firefox run.

So, unSpawn, or Win32sux, if you're out there, would it be time to move this problem to another forum? At this point, even a paranoid like me is willing to say OK, not malware. Probably.

I'll let you all know how my next steps turn out. Again, thank you all for your input. Later!

Last edited by drachenchen; 06-18-2008 at 08:12 PM.
 
Old 06-18-2008, 08:44 PM   #13
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by drachenchen
So, unSpawn, or Win32sux, if you're out there, would it be time to move this problem to another forum? At this point, even a paranoid like me is willing to say OK, not malware. Probably.
unSpawn might have a different opinion, but I believe that in this case the best way forward is to leave this here in Security. I say this because even though your security concerns seem to have been quelled, the suspicion which originally made you post makes this well suited in the Security forum. I would instead suggest that you start a new thread for your non-security issue (with your newfound knowledge about the possible video card anomaly, etc.) in the Linux - General forum, and post a link to it here.

Last edited by win32sux; 06-18-2008 at 08:48 PM.
 
Old 06-19-2008, 12:46 AM   #14
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114
"Burning down the installation" might be the quickest way to solve the problem, but on another level it is the wrong way.

One of the primary advantages of Linux is that it is open and can be configured and repaired. It is NEVER necessary to blow off an installation and start from scratch, unless the installation has been successfully root kitted; in this case starting fresh is the only way to be sure the compromise is removed.

The effort to repair is also a good learning experience. When you have become sufficiently familiar with Linux, you can usually make the repairs fairly quickly, which saves a LOT of effort, compared to starting over.

On Windows, you often have to start over because Windows hides so much stuff. Linux hides nothing; everything you need is there - you just have to find it.
 
Old 06-19-2008, 07:11 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,019
Blog Entries: 54

Rep: Reputation: 2766
Quote:
Originally Posted by win32sux
I would instead suggest that you start a new thread for your non-security issue (with your newfound knowledge about the possible video card anomaly, etc.) in the Linux - General forum, and post a link to it here.
I agree that would be the most efficient solution.


Quote:
Originally Posted by jiml8
"Burning down the installation" might be the quickest way to solve the problem, but on another level it is the wrong way.
Exactly! The essence is to not fight perceived symptoms but find the cause.
 