LinuxQuestions.org

SaintDanBert 08-03-2014 11:40 PM

unexplained pop-up on KDE desktop
 
1 Attachment(s)
I've started getting a pop-up on my KDE desktop. I've attached a screen grab of the display. I have no idea where this comes from and have been unable to resolve the issue described.

I've run the update utility and learn that all packages are up-to-date.
I have tried all sorts of searching to discover anything that might suggest the source of this display. Again, no success.

Can anyone explain: what this is and what to do about it?

Stumped,
~~~ 0;-/ Dan

xode 08-04-2014 02:42 AM

The red flag that would come to my mind if that were my system is: is my computer infected with malware? Without actually going to any website, it would be good to find out where that "Later" link in the lower right corner of the popup leads to. You might want to do a full backup of your computer and then boot into a known clean configuration (e.g. live CD/DVD) and do a scan for malware.

descendant_command 08-04-2014 03:14 AM

Apper is a KDE thing no?

Open a terminal and see if it is running when the popup appears.

Kill it and see if the popup goes away.

salasi 08-04-2014 02:12 PM

Quote:

Originally Posted by SaintDanBert (Post 5214450)
Can anyone explain: what this is and what to do about it?

Well, you could try telling us a bit more about what is going on. I don't know whether that will help, and nor will you, unless you try.

Most importantly, what distro are you using? is it Mint? version? and is KDE the only user interface you have installed, and, if you use several, does the message come up in all or just kde? and what kde version?

(This pop up doesn't look anything like the apper that I have seen, but that could be just config or version differences).

The two possibilities mentioned above - malware and multiple updater apps - seem the ones most obvious for investigation. If you have multiple updaters (apper mentioned), it can be the case that secondary updater isn't configured correctly for all the repos, depending on how good a job your distro has done (apper is a bit generic, and someone has to do the nitty-gritty bits of getting it to work with whatever packaging system your distro uses and I have seen it miss second or third level dependencies, in earlier versions and, if you have added non-standard repos yourself, that could be a factor).

Have you tried finding out what is running at the time that the pop up comes up with, eg, system monitor or top or something (a command line util like top, etc, would probably be best, because you can send the output to a temporary file and compare the results when this pop up happens with the results when it doesn't; that might help)?

SaintDanBert 08-05-2014 11:29 AM

Quote:

Originally Posted by salasi (Post 5214852)
...
Most importantly, what distro are you using? is it Mint? version? and is KDE the only user interface you have installed, and, if you use several, does the message come up in all or just kde? and what kde version?

I'm running Linux Mint 16 KDE. It is the only installed desktop.

Quote:

Originally Posted by salasi (Post 5214852)
(This pop up doesn't look anything like the apper that I have seen, but that could be just config or version differences).

This dialog does not look like anything I've ever seen, and it is not part of the standard KDE notification displays. It appears on screen in the top center. While it has a Later link, it does not have any link or embedded launcher that causes an update to begin.

Quote:

Originally Posted by salasi (Post 5214852)
The two possibilities mentioned above - malware and multiple updater apps - seem the ones most obvious for investigation. If you have multiple updaters (apper mentioned), it can be the case that secondary updater isn't configured correctly for all the repos, depending on how good a job your distro has done (apper is a bit generic, and someone has to do the nitty-gritty bits of getting it to work with whatever packaging system your distro uses and I have seen it miss second or third level dependencies, in earlier versions and, if you have added non-standard repos yourself, that could be a factor).

I don't see a second "update manager". Mint has traditionally done a very effective job of deployment without a lot of end-user tinker.

Quote:

Originally Posted by salasi (Post 5214852)
Have you tried finding out what is running at the time that the pop up comes up with, eg, system monitor or top or something (a command line util like top, etc, would probably be best, because you can send the output to a temporary file and compare the results when this pop up happens with the results when it doesn't; that might help)?

Sadly, there is so much running as shown by htop or ps that I don't see anything exceptional.

Since I'm running Mint, I've tried mintUpdater and also synaptic looking for available updates. I did not find anything pending.

I've also scanned log files for any indication of what is going on.
Again, no joy.

xode 08-05-2014 12:12 PM

Quote:

Originally Posted by SaintDanBert (Post 5215595)
I'm running Linux Mint 16 KDE. It is the only installed desktop.

This dialog does not look like anything I've ever seen, and it is not part of the standard KDE notification displays. It appears on screen in the top center. While it has a Later link, it does not have any link or embedded launcher that causes an update to begin.

I don't see a second "update manager". Mint has traditionally done a very effective job of deployment without a lot of end-user tinker.

Sadly, there is so much running as shown by htop or ps that I don't see anything exceptional.

Since I'm running Mint, I've tried mintUpdater and also synaptic looking for available updates. I did not find anything pending.

I've also scanned log files for any indication of what is going on.
Again, no joy.

The above would make me want to scan my system immediately for malware and the way I would do it, is by taking the hard drive out and hooking it up as a slave to a known clean system.

Quote:

Originally Posted by descendant_command (Post 5214502)
Apper is a KDE thing no?

Open a terminal and see if it is running when the popup appears.

Kill it and see if the popup goes away.

You might want to try this test and if it fails, I would suspect that you almost certainly have malware.

SaintDanBert 08-06-2014 05:50 PM

I'll do the things you mentioned and report back.

I've been running some form of Linux since the middle 90's without any scumware or malware troubles -- touch wood. This will be a first if it is in fact malware.

~~~ 0;-{ Dan

xode 08-07-2014 01:16 PM

Quote:

Originally Posted by SaintDanBert (Post 5216521)
I'll do the things you mentioned and report back.

I've been running some form of Linux since the middle 90's without any scumware or malware troubles -- touch wood. This will be a first if it is in fact malware.

~~~ 0;-{ Dan

Ever since I became aware of the do_brk exploit that affected linux kernels 2.4.23 and earlier, and the manner in which that exploit was created and distributed (i.e. by a very technically inclined Paul (IhaQueR) Starzetz who spent about 10 days creating the exploit and then putting the exploit's C source code file, but not a fix, out on the open web for any tom, fool and script kiddie hacker to run with), I realized that no modern day operating system, no matter how up to date or well constructed it was, would ever be truly safe from malware, as there would always be creeps ready to maliciously find and distribute whatever exploits they could.

I still keep things up to date but also always remain vigilant against the possibility of malware being present. I'm careful where on the web I go and, if the website is not one I regularly visit, I check it against an online malware scanner such as http://sitecheck.sucuri.net/scanner/ before I go there. Further, the least little unexpected "mind of its own" behavior in my system will want me to check for malware immediately.

SaintDanBert 08-07-2014 03:59 PM

Quote:

Originally Posted by xode (Post 5217034)
...
I still keep things up to date but also always remain vigilant against the possibility of malware being present. I'm careful where on the web I go and, if the website is not one I regularly visit, I check it against an online malware scanner such as http://sitecheck.sucuri.net/scanner/ before I go there. Further, the least little unexpected "mind of its own" behavior in my system will want me to check for malware immediately.

Other than the scanner link you mentioned, what other "scans" and defensive measures or similar do you perform?

xode 08-07-2014 05:08 PM

  1. Windows VM under VMWare running under linux as a regular user (i.e. not root), with full up to date antivirus running in the windows VM. It's VMWare for the virtual machine software since they have one of the best track records as being resistant to exploits and also have one of the best track records when it comes to patching against exploits. It also turns out that the VMWare barrier between VM and host becomes much stronger if the host is linux and the guest is windows, due to the differences in structure between the two OSes.
  2. Do not use samba to network the VM with the linux host. Twice now, I have seen in samba a trivial to use exploit that would result in total compromise of the linux host, where samba would give the windows client the ability to choose the size of a buffer and also how much data to put into that buffer. The first of those exploits affected samba 2.2.8 and earlier and is known as "trans2root." The second one affected samba 3.2.X and earlier and its existence means that the samba team didn't learn anything from "trans2root."
  3. Slow internet connection (e.g. dial up) which tends to put a crimp on malware. If the internet connection is broadband, VMWare has an option to limit the speed of a virtual network adapter and thus create a slow internet connection there as well.
  4. http://www.grc.com "Shields Up" is a good test to make sure that your firewall to the internet is working properly.
  5. A good ISP will wipe out any viruses in any email that is sent to you through that ISP.

In general, you want to do anything you can to make it hard (and preferably impossible) for a hacker to attack your computer, and also keep looking for new tools that can make your defense that much better.

Smokey_justme 08-07-2014 05:16 PM

Do you use Chrome or Chromium? If yes, could you check and kill every instance of it and see if the popup disappears?

astrogeek 08-07-2014 05:22 PM

Assuming you are running X11, when it appears open a terminal and...

Code:

xprop |grep PID

(Click on the popup to select it)

...to get the process ID that owns the popup.

Then use ps to see what the process is, the parent(s), etc.

There are other X utils and commands that will provide additional info but I have not used them in so long a time the memory fades... look through the man pages for X maybe?
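
The xprop-then-ps procedure from the post above, as an added example that is not part of the original thread: it pulls the PID out of xprop output and walks the parent chain through /proc, printing the binary behind each step. The function names and the `pick` argument are hypothetical, and a Linux /proc is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): find which process owns an X11 window
# and list its ancestors, so an unexpected popup can be traced to a binary.

# Read xprop output on stdin and print the PID from a line such as
#   _NET_WM_PID(CARDINAL) = 2345
# The property is set by the client itself, so it can be absent or wrong;
# treat the result as a lead to verify, not as proof.
pid_from_xprop() {
    sed -n 's/^_NET_WM_PID(CARDINAL) = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Print "PID PPID NAME EXE" for the given process and each ancestor,
# stopping after PID 1 or when a process can no longer be read.
proc_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status")
        ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status")
        # The exe link is unreadable for other users' processes unless root.
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "$pid" "$ppid" "$name" "$exe"
        pid=$ppid
    done
}

# Usage: sh popup-owner.sh pick    (then click the popup with the cross-hair)
if [ "${1:-}" = "pick" ]; then
    pid=$(xprop | pid_from_xprop)
    if [ -z "$pid" ]; then
        echo "window does not advertise _NET_WM_PID" >&2
        exit 1
    fi
    proc_ancestry "$pid"
fi
```

The EXE column can then be checked against the package database (for example `dpkg -S` on a Debian-based system such as Mint) to see whether the binary belongs to an installed package.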

SaintDanBert 08-09-2014 02:22 PM

Quote:

Originally Posted by astrogeek (Post 5217180)
'Tis liberty alone that gives the flower
Of fleeting life its lustre and perfume,
And we are weeds without it. All constraint,
Except what wisdom lays on evil men,
Is evil; - William Cowper (1731-1800)
The Task: from Book V: The Winter Morning Walk

It really is all about FREEDOM.

{off topic}
I love the quote you use as your signature, and offer the following potential clarification.

I believe that "freedom" and "liberty" are different concepts that are often confused.

Absent chains, I'm "free" to swing my arms, but a civilized person does not have "liberty" to do so when another's nose is in the way.

While in the military, I learned "secrets." Since I was not gagged, I was "free" to tell what I knew. However, on my oath and sacred honor, I was not at "liberty" to disclose, confirm or deny what I knew.

Our Founders specifically used the words, "... life, LIBERTY, and pursuit of happiness ..."
Our "liberty" has been and is being stolen. I am not at liberty to hire my neighbor because of the costs associated with all of the regulatory compliance for an enterprise with employees. I am not at liberty to teach what I know because of the mountain of regulations, permits and licenses involved. Of course I am free to pay my neighbor and share my knowledge, but I am at constant risk of prosecution.

Respectfully,
~~~ 0;-Dan
{/off topic}

SaintDanBert 08-09-2014 02:30 PM

Quote:

Originally Posted by astrogeek (Post 5217180)
Assuming you are running X11, when it appears open a terminal and...
Code:

prompt$ xprop |grep PID  # cross-hair cursor appears

(Click on the popup to select it)

...to get the process ID that owns the popup.

Then use ps to see what the process is, the parent(s), etc.

There are other X utils and commands that will provide additional info but I have not used them in so long a time the memory fades... look through the man pages for X maybe?

Bingo!! Bongo!!!
... at last a practical diagnostic suitable for a novice or apprentice.

Thanks,
~~~ 0;-Dan

SaintDanBert 08-13-2014 10:07 AM

Quote:

Originally Posted by astrogeek (Post 5217180)
Assuming you are running X11, when it appears open a terminal and...

Code:

xprop |grep PID

(Click on the popup to select it)

...to get the process ID that owns the popup.

Then use ps to see what the process is, the parent(s), etc.
...

I did what was suggested and discovered that the pop-up in question belongs to /usr/bin/knotify4.
It gets launched by init (process 1). Based on this, I believe it is legitimate and not malware.
It is so persistent, that I want to get to the bottom.

I searched my log files for any record of notifications. No joy.
A review of the man-page reveals that one does not feed details to knotify on the command line.
A test run reveals that it reads D-bus for information.
I'm running Mint-16 so Apper is not running. mintUpdate.py is running.

When system updates are available, I don't object to a notifier. I'm baffled by the fact that it is an on-screen pop-up and the details are not reflected in the system-tray notifier information.
