LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-22-2011, 01:32 PM   #1
Stavrowsky
Member
 
Registered: Dec 2010
Posts: 34

Rep: Reputation: 1
Viruses


I am running Debian 5 (Lenny) 64, and have symptoms occurring that I would definitely classify as a malware infection if it were in Windows. I am operating this system not as a server, but as a workstation only. This is a single OS system, not dual boot. I really only use it to surf the web and access email. The installation is just six weeks or so old. All recommended updates have been installed successfully. I ask, because everything I read says Linux is essentially impervious to viruses except possibly when being used as a server with Windows clients.

Symptoms:
1.) Boot times have increased 5 fold, with an increasing amount of unreadable sectors being reported in my /var and /home directories each boot up.
2.) System locks up, or is EXTREMELY slow.
3.) Icons are randomly disappearing from my desktop, or changing location on the desktop - and may or may not be back next boot up.
4.) About half the time I boot, I get a pop up that tells me: "system is operating with root permissions, though no root password has been entered. This message is not to report an error, but merely to let you know that the condition exists."

I don't know enough about Linux to know if it is possible for these circumstances to occur if my hard disk is going bad (it shouldn't be... it's less than 6 months old), or if some malware is causing the phenomena.

Any ideas?

Last edited by Stavrowsky; 03-22-2011 at 01:33 PM.
 
Old 03-22-2011, 01:34 PM   #2
corp769
Guru
 
Registered: Apr 2005
Posts: 5,814

Rep: Reputation: 1001
As far as symptom number four, how are you logging in on your system?
 
Old 03-22-2011, 01:35 PM   #3
pljvaldez
Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092

Rep: Reputation: 269
The unreadable sectors make me think it's a hard disk failure. Age doesn't mean anything for hard drive failures. I would first run fsck on the hard disk (or download the Ultimate Boot CD and run the appropriate hard disk checker for your drive).
 
1 members found this post helpful.
Old 03-22-2011, 01:36 PM   #4
AwesomeMachine
Senior Member
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian jessie/sid; OpenSuSE; Fedora
Posts: 1,593

Rep: Reputation: 162
It could be a failing drive. Go to the drive mfg website and get their drive repair utility. Run it. Run a clamav scan. Install rkhunter and run it. You might be infected by a rootkit.
 
1 members found this post helpful.
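Both pljvaldez and AwesomeMachine point at the disk first, and the cheapest way to settle that is the drive's own SMART counters. The script below is an added example, not code from the thread: it parses a `smartctl -A` attribute table (smartmontools package) and flags the counters that mean the platter is losing sectors, which on its own accounts for unreadable sectors and five-fold boot times. The device name /dev/sda and the sample table values are assumptions; the table is constructed to look like a failing drive.

```shell
#!/bin/sh
# Added example, not code from the thread: read a drive's SMART attribute
# table and flag the counters that mean "the platter is losing sectors".
#
# On the real machine (smartmontools package; /dev/sda is an assumed name):
#     smartctl -A /dev/sda > sda.smart
#     bad_sector_attrs < sda.smart
# A non-destructive read of the whole surface, for the same purpose:
#     badblocks -sv /dev/sda
# Both can be run with the old disk attached to another machine.

# Constructed sample of `smartctl -A` output (values invented to show a
# failing drive). Real output has banner lines above the table; the
# parser ignores them because it keys on the attribute name in column 2.
SAMPLE_SMART='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       37
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1204
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       12
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0'

# Read a smartctl -A table on stdin; print "<attribute> <raw value>" for
# each sector-health counter whose raw value (column 10) is non-zero.
# 197/198 are sectors the drive cannot read right now; 5/196 are sectors
# it has already given up on and remapped to spares.
bad_sector_attrs() {
    awk '$2 ~ /^(Reallocated_Sector_Ct|Reallocated_Event_Count|Current_Pending_Sector|Offline_Uncorrectable)$/ &&
         ($10 + 0) > 0 { print $2, $10 }'
}

# Interface errors (199) are a different diagnosis: a bad cable or
# controller rather than bad media. Print the raw count if non-zero.
crc_errors() {
    awk '$2 == "UDMA_CRC_Error_Count" && ($10 + 0) > 0 { print $10 }'
}

# Exit 0 when the sector counters are clean, 1 when the drive is remapping
# or cannot read sectors (image it to another disk first, then replace it).
disk_is_healthy() {
    n=$(bad_sector_attrs | wc -l)
    [ "$((n + 0))" -eq 0 ]
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SMART" | bad_sector_attrs
if printf '%s\n' "$SAMPLE_SMART" | disk_is_healthy; then
    echo "sector counters clean"
else
    echo "drive is losing sectors: replace it"
fi
```

A rising Current_Pending_Sector count between boots is exactly the "increasing amount of unreadable sectors" symptom; a long self-test (`smartctl -t long`, results later via `smartctl -l selftest`) will usually confirm it. Whatever the verdict, do the malware analysis on an image or on the old disk mounted read-only, since every read of a dying drive can lose more data.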
Old 03-22-2011, 02:43 PM   #5
Stavrowsky
Member
 
Registered: Dec 2010
Posts: 34

Original Poster
Rep: Reputation: 1
@Corp769
System is set up to automatically log in and boot to the GUI. I am the only user of the system, so it was convenient to set it up that way.
 
Old 03-22-2011, 05:22 PM   #6
wpeckham
Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix
Posts: 805

Rep: Reputation: 174
virii

1). I would take all of the advice above.
You say there are few virii for Linux, and that is true. There are, however, some VERY NASTY players among the few examples of malware that WILL hit Linux. Rootkits are among the worst, they give someone else full control over your machine and attempt to make themselves untraceable and irremovable. When my client's Web server was hit, I opted to reload and recreate instead of trying to clean it.
(Luckily the worm (term for smart monkey with no ethics) got lost in the - seriously non-standard - system and only damaged things easy to replace.)

2). If you have been running without protection, you are likely to have been subject to attacks for some time. Although the attacks aimed at Windows and MAC probably all bounced, more than one may have succeeded. The safest recovery may be to save off your data, totally reload, restore your data, then ADD THE PROTECTION! RKHunter is a favorite of mine, but I recommend using more than one tool. With luck, anything that gets past the first will get caught by the second. I would also schedule daily automated scans using clamav.

3). If the problem is all or part hardware, none of this will nail it. Hardware problems can be MANAGED with software to some extent, but are only RESOLVED when you repair or replace the bad hardware.

4). Good luck! Please let us know what you find, and what happens.
 
1 members found this post helpful.
Old 03-22-2011, 06:48 PM   #7
Stavrowsky
Member
 
Registered: Dec 2010
Posts: 34

Original Poster
Rep: Reputation: 1
@wpeckham

Thanks. I can see this is going to be a recurring problem unless I take certain steps. I think I am going to go a whole different route from what I have been doing. 1.) Lenny is coming out. I'm going to install a completely different hard disk (just in case it IS a hardware problem), take the old disk to a different system, clean it up, and run a full set of diagnostics on it. In the meantime I'll install Squeeze on the replacement drive. Lenny is coming to the end of its service life in another year anyway, so I might as well jump into Squeeze now. I'll install RKHunter and ClamAV (or perhaps a more comprehensive AV program) on Squeeze.

2.) I'm setting the system up as a dual boot system, with Windows Vista on a completely separate drive. I prefer using Linux for my day to day BS (and will set that as the default boot), but I understand the Windows system much better than I understand Linux, and have software that really will keep it pretty safe (even if it operates slower than the Linux and uses more resources). I can install imaging software on the windows system that will allow me to put complete images of both the Squeeze and Vista O/Ss on a third drive, and be able to restore either to their respective drives in a version I am satisfied is not infected and is set up the way I want it in about 15 minutes. Then, if the AV program fails, resetting the whole thing will take minutes, and thereafter will just be a matter of updating from the Debian Libraries.

Last edited by Stavrowsky; 03-22-2011 at 06:49 PM.
 
Old 03-22-2011, 07:33 PM   #8
pljvaldez
Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092

Rep: Reputation: 269
You might want to download a Squeeze netinstall with the non-free firmware already added. Lots of people are having problems installing Squeeze because they didn't read about Debian splitting out the non-free firmware blobs.
 
Old 03-23-2011, 01:25 AM   #9
Stavrowsky
Member
 
Registered: Dec 2010
Posts: 34

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by pljvaldez View Post
You might want to download a Squeeze netinstall with the non-free firmware already added. Lots of people are having problems installing Squeeze because they didn't read about Debian splitting out the non-free firmware blobs.
Thanks for the advice. I'll be installing from a 6 DVD purchased installation set. If that doesn't seem to set up easily, I'll come back and do it off the Internet per your suggested link.
 
Old 03-23-2011, 01:33 AM   #10
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,998
Blog Entries: 11

Rep: Reputation: 880
Moved: This thread is more suitable in <LQ - Sec> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
1 members found this post helpful.
Old 03-23-2011, 06:07 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,915

Rep: Reputation: 777
Quote:
Originally Posted by Stavrowsky View Post
...
4.) About half the time I boot, I get a pop up that tells me: "system is operating with root permissions, though no root password has been entered. This message is not to report an error, but merely to let you know that the condition exists."
...and...

Quote:
System is set up to automatically log in and boot to the GUI.
If you are doing your day-to-day work as root (not clear), stop it immediately! That does make it more likely that an exploit attempt can get the permissions that it needs to do its evil work.

Quote:
...install a completely different hard disk (just in case it IS a hardware problem)
It does seem plausible that you have a failing disk. I wouldn't say that this is proven, or necessarily the only bad thing going on here (it would explain slowness and unreadable sectors), but it would certainly be useful to get that possibility out of the way.
 
1 members found this post helpful.
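salasi's point is the one that matters most for the "operating with root permissions" pop-up: find out which account the session actually runs as, which account the display manager logs in automatically, and whether that account sits in a root-equivalent group. The script below is an added example, not code from the thread. It assumes a gdm-style config (the AutomaticLoginEnable / AutomaticLogin keys are gdm's; /etc/gdm/gdm.conf on Lenny and /etc/gdm3/daemon.conf on Squeeze are the assumed locations for the poster's setup), and the user name alice and the group lists are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: three checks for "am I actually
# working as root, and whom does the display manager log in automatically?"
#
# On the live system, first:
#     id -un; id -u          # the session user; 0 means the session IS root
# then point autologin_user at the display manager's config: for gdm on
# Lenny /etc/gdm/gdm.conf, for gdm3 on Squeeze /etc/gdm3/daemon.conf
# (paths assumed for the poster's setup; the key names are gdm's), and
# feed that user's groups (id -Gn USER) to risky_groups.

# Constructed sample of a gdm [daemon] section (user name invented).
SAMPLE_GDM_CONF='[daemon]
# Turned on when "log in automatically" was ticked at install time
AutomaticLoginEnable = true
AutomaticLogin = alice
TimedLoginEnable=false
'

# Print the account gdm logs in without a password, or return 1 when
# automatic login is off. Tolerates "Key=value" and "Key = value".
autologin_user() {
    conf=$1
    enabled=$(sed -n 's/^[[:space:]]*AutomaticLoginEnable[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case "$enabled" in
        [Tt]rue*|1*)
            sed -n 's/^[[:space:]]*AutomaticLogin[[:space:]]*=[[:space:]]*//p' "$conf" \
                | tail -n 1 | sed 's/[[:space:]]*$//' ;;
        *) return 1 ;;
    esac
}

# Given a space-separated group list (what `id -Gn USER` prints), print the
# groups that are root-equivalent on Debian: root itself, sudo, disk (raw
# read/write on /dev/sd*, so any file on the system) and shadow (password
# hashes). An auto-logged-in account in any of these makes the whole
# desktop session root in effect, password prompt or not.
risky_groups() {
    for g in $1; do
        case "$g" in root|sudo|disk|shadow) printf '%s\n' "$g" ;; esac
    done
}

# Stand-alone demo on the constructed config and a constructed group list.
conf=$(mktemp)
printf '%s' "$SAMPLE_GDM_CONF" > "$conf"
u=$(autologin_user "$conf") && echo "autologin user: $u"
echo "root-equivalent groups in a constructed list:"
risky_groups "alice cdrom floppy audio disk plugdev"
rm -f "$conf"
```

If `id -u` prints 0 in the graphical session, or the auto-login account turns up in disk or sudo, the pop-up is describing the configuration rather than an intrusion; if neither is true and the message persists, that is the point at which the malware hypothesis deserves the offline analysis discussed later in the thread.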
Old 03-24-2011, 08:16 AM   #12
Stavrowsky
Member
 
Registered: Dec 2010
Posts: 34

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by salasi View Post
...and...
If you are doing your day-to-day work as root (not clear), stop it immediately! That does make it more likely that an exploit attempt can get the permissions that it needs to do its evil work.
What alarmed me (made me think malware was at work) about the message that the system was operating with root permissions though no root password had been entered, is that I definitely am NOT operating as root for my daily ops. The system had apparently decided to grant access to all sorts of operations (which would include the ability to manage partitions, and to delete or add files) without my ever having given it permission to do so.

What I don't know is if this was by someone's design (malware), or if a failing hard disk just left me short of some bit of code necessary for controlling access to the root system. What seems obvious to me is that if a failing hard disk could have that effect, the same effect could be generated intentionally if there was a way of gaining access to the root system at all. That, of course, occurs any time I unpack a program or file using a root terminal (as, for example, when I unpacked the RKHunter tarball for installation).

The Debian packages are no doubt safe, but though they have thousands of programs available, I seem to actually need programs they don't offer (and have to go elsewhere to find) more often than need what they have.
 
Old 03-24-2011, 08:50 AM   #13
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Have you verified that your ID is the one that is configured to perform automatic login and have you verified the permissions associated with that user?

I find it hard to believe that a failing hard drive would cause it to alter the permissions such that you were operating with root privilege. The permissions are on a per-file basis and a failing hard drive would have some amount of randomness to it, making the probability of missing just those bits statistically negligible.

I think the previous advice is spot on: replace the HD with a new one and perform a clean install. Then put the old HD in a different system, preferably mounted as read only, and perform a detailed analysis of it, comparing your binary files against the known ones in the repository and look for any files owned by root with the SETUID/SETGID set. If it comes up clean, consider sending it back to the manufacturer to verify whether or not it has failed. I would even mention that you would like it analyzed to eliminate it as a cause of problems in the hopes of getting them to really look at it instead of just putting it in a pile and sending you a form letter. If you find that there is no problem with it, you definitely need to evaluate your situation and reconsider where you downloaded programs from.
 
1 members found this post helpful.
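The offline analysis Noway2 describes, as an added example that is not code from the thread: mount the old disk read-only on the clean machine, list every setuid/setgid file on it, and compare its binaries against a dpkg md5sums manifest. The device /dev/sdb1, the mount point /mnt/old and the package name in the usage comment are assumptions, and the fixture the script builds under mktemp is constructed so the two checks can be run without real hardware.

```shell
#!/bin/sh
# Added example, not code from the thread: the offline inspection Noway2
# describes, done from a clean machine with the old disk mounted read-only.
#
# Real usage (device and mount point are assumptions):
#     mkdir -p /mnt/old
#     mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/old
#     find_setuid /mnt/old
#     verify_manifest /mnt/old /var/lib/dpkg/info/coreutils.md5sums
# The .md5sums manifest comes from the CLEAN host (or a freshly downloaded
# .deb), never from the suspect disk, whose own dpkg database a rootkit
# could have rewritten. find, md5sum and grep also run from the clean
# host; nothing on the mounted tree is executed.

# 1) Every setuid/setgid regular file on the mounted tree, printed as
#    "<owner> <mode> <path>". -xdev stops find from crossing into other
#    mounted filesystems. Diff this against the same listing from a clean
#    install; a root-owned setuid file under tmp/, var/ or a home
#    directory is a classic dropped backdoor.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%u %m %p\n' | sort
}

# 2) Check files under ROOT against a dpkg-style manifest
#    ("<md5>  <path relative to />", the format of /var/lib/dpkg/info/*.md5sums).
#    Prints one "<path>: FAILED" line per modified or missing file and
#    nothing when everything matches. MANIFEST must be an absolute path.
verify_manifest() {
    root=$1 manifest=$2
    ( cd "$root" && md5sum -c ) < "$manifest" 2>/dev/null | grep ': FAILED' || true
}

# Constructed fixture standing in for the mounted disk: a manifest taken
# while the files were good, then one binary replaced and a setuid file
# dropped in tmp/. Prints the fixture directory; the manifest sits beside
# it as <dir>.md5sums so it is outside the "suspect" tree.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/bin" "$fx/tmp"
    printf 'genuine ls\n'  > "$fx/bin/ls"
    printf 'genuine cat\n' > "$fx/bin/cat"
    ( cd "$fx" && md5sum bin/ls bin/cat ) > "$fx.md5sums"   # the clean manifest
    printf 'trojaned ls\n' > "$fx/bin/ls"                    # attacker swaps ls
    printf '#!/bin/sh\nexec /bin/sh\n' > "$fx/tmp/.x"        # dropped setuid shell
    chmod 4755 "$fx/tmp/.x"
    printf '%s\n' "$fx"
}

# Stand-alone demo on the fixture.
fx=$(make_fixture)
echo "setuid/setgid files:";  find_setuid "$fx"
echo "manifest mismatches:";  verify_manifest "$fx" "$fx.md5sums"
rm -rf "$fx" "$fx.md5sums"
```

The debsums package automates the manifest comparison for every installed package; the same caveat applies about where the manifests come from. A manifest check also says nothing about files no package owns (cron entries, init scripts, ~/.bashrc, extra kernel modules), so list those separately and read them by hand.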
  


Tags: malware, viruses