[SOLVED] ClamAV found an infected file... should I use Darik's Boot and Nuke?
ClamAV found an infected file... should I use Darik's Boot and Nuke
Should I post the report I got or is it sensitive information?
Clam Antivirus found an infected file in Firefox folder. I was told by a computer savvy friend that I should use a trusted antivirus to remove any infected files.
Oh and the file seemed to have moved. Also I deleted the standard user account the file was in. I'm using Ubuntu 16.04 LTS. I think I want to just wipe my hard drive with Darik's Boot and Nuke and install Windows 10 and Debian or just Debian. What do you think?
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Quote:
Originally Posted by derezion
ClamAV found an infected file... should I use Darik's Boot and Nuke
Should I post the report I got or is it sensitive information?
Clam Antivirus found an infected file in Firefox folder. I was told by a computer savvy friend that I should use a trusted antivirus to remove any infected files.
Oh and the file seemed to have moved. Also I deleted the standard user account the file was in. I'm using Ubuntu 16.04 LTS. I think I want to just wipe my hard drive with Darik's Boot and Nuke and install Windows 10 and Debian or just Debian. What do you think?
Without the report from ClamAV, it's hard to say what you mean by "infected". It should display the names of the files "infected", which I would not think would be "sensitive information".
Linux isn't Windows; it's much harder for viruses to propagate under a Linux system because of the user privilege system implemented in Linux/UNIX.
It should be safe to just remove the "infected" file(s), but it would depend on the extent of the "infection".
/home/USERNAME/.cache/mozilla/firefox/icgb9k87.default/cache2/entries/1987E989971C6F72EE5D081641773F7D68471C38: Html.Exploit.CVE_2017_11901-6393372-0 FOUND
The problem is I looked in that folder and found nothing.
I've since deleted that standard user account.
Does that solve my problem?
Quote:
Originally Posted by derezion
Here's the report:
Code:
/home/USERNAME/.cache/mozilla/firefox/icgb9k87.default/cache2/entries/1987E989971C6F72EE5D081641773F7D68471C38: Html.Exploit.CVE_2017_11901-6393372-0 FOUND
The problem is I looked in that folder and found nothing.
I've since deleted that standard user account.
Does that solve my problem?
Yes, if that also deleted your user profile folder (it normally does).
Quote:
Originally Posted by derezion
The file disappeared before I deleted the user account. Is using Darik's Boot and Nuke a good solution and installing a new OS a good solution?
Have you run another virus scan?
While yes you could do what you're suggesting, it seems pretty heavy-handed to me. I think given that the detection was in Firefox's browser cache, just clearing the browser cache would have deleted it. Deleting your user account would have almost certainly cleared it, therefore I don't think there's any need for such a heavy-handed approach. It's up to you, but I think what you're suggesting is once again just overkill.
I haven't run another scan. I think I'll try that. Thanks!
I wouldn't mind a heavy-handed approach because I don't have anything important on this PC.
Thanks again.
The problem is I looked in that folder and found nothing.
I've since deleted that standard user account.
Does that solve my problem?
No, it does not. What is the problem? Finding nothing, or deleting "nothings"?
Next infection that is found, here's what I'd do.
If it is below /home/$USER/.cache/, close the browser(s), nuke /home/$USER/.cache/ and scan again.
Do not enable Potentially Unwanted Programs (PUPs) in clam-tk.
No need to scan anything outside of /home/$USER/.
Don't need heavy-handed anything.
"Nothing on it" is not a reason to go nuclear by deleting "user".
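As an added example (not code from the thread or from ClamAV), a small POSIX shell triage of clamscan output that applies Habitual's rule: a hit under ~/.cache is handled by closing the app and clearing the cache, anything elsewhere gets a closer look. Only the first report line is the one quoted in the thread; the other sample lines, the `/usr/local/bin/helper` path and the category names are constructed for the demo.

```shell
#!/bin/sh
# Constructed clamscan-style output. Line 1 is the hit quoted in this thread;
# the rest are made up to exercise the other categories.
SAMPLE_REPORT='/home/USERNAME/.cache/mozilla/firefox/icgb9k87.default/cache2/entries/1987E989971C6F72EE5D081641773F7D68471C38: Html.Exploit.CVE_2017_11901-6393372-0 FOUND
/home/USERNAME/Documents/notes.txt: OK
/home/USERNAME/.cache/thumbnails/normal/example.png: Eicar-Test-Signature FOUND
/usr/local/bin/helper: Eicar-Test-Signature FOUND'

# Where a hit sits decides how much it matters: Firefox cache2 entries are
# disposable copies of web content; a file outside /home deserves a real look.
classify_hit() {
  case "$1" in
    /home/*/.cache/mozilla/firefox/*/cache2/*) echo browser-cache ;;
    /home/*/.cache/*)                          echo user-cache ;;
    /home/*)                                   echo home-other ;;
    *)                                         echo system ;;
  esac
}

# Response per category: the cache handling Habitual describes, and the
# rkhunter follow-up suggested later in the thread for anything outside /home.
action_for() {
  case "$1" in
    browser-cache) echo "close Firefox, clear its cache, scan again" ;;
    user-cache)    echo "close the owning app, remove ~/.cache, scan again" ;;
    home-other)    echo "inspect the file: it was saved deliberately, not cached" ;;
    *)             echo "outside /home: run rkhunter and check package ownership" ;;
  esac
}

# Keep only "path: Signature FOUND" lines; print category, signature, path.
triage_report() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in *" FOUND") ;; *) continue ;; esac
    path=${line%%: *}                 # everything before the first ": "
    sig=${line#*: }; sig=${sig% FOUND}
    printf '%s\t%s\t%s\n' "$(classify_hit "$path")" "$sig" "$path"
  done
}

count_hits() { triage_report "$1" | grep -c . ; }

# Demo run over the constructed report.
triage_report "$SAMPLE_REPORT" | while IFS=$(printf '\t') read -r cat sig path; do
  printf '%-13s %s\n  -> %s\n' "$cat" "$path" "$(action_for "$cat")"
done
```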
Quote:
Originally Posted by derezion
Just delete everything in
/home/$USER/.cache/
I think Habitual is just saying that deleting everything in the /home/$USER/.cache/ folder also deletes whatever apps cache that use that folder for their "cache", rather than using the app concerned (like Firefox) to clear that app's cache. Which is quite correct.
Quote:
And clear the trash bin?
No, if your "trash bin" does not use that folder. On my machine the "trash bin" is actually stored in the /home/james/.local/share/Trash/ folder, which is a different folder again. Therefore in my case deleting the /home/$USER/.cache folder would have no effect on the "trash bin" and would not delete its contents.
Quote:
How is that different than deleting the account?
Because your "home" folder is only one part of your overall "user profile", your "user account" itself allows you to login and a "user account" could use a different folder to the /home/$USER folder. Also, your "user account" is defined in the /etc/passwd and /etc/shadow files, not in the /home/$USER folder. That's simply a folder dedicated to your "user account", where it can call "home".
/home/USERNAME/.cache/mozilla/firefox/icgb9k87.default/cache2/entries/1987E989971C6F72EE5D081641773F7D68471C38: Html.Exploit.CVE_2017_11901-6393372-0 FOUND
The problem is I looked in that folder and found nothing.
to explain:
something was in your browser's cache.
it disappeared by itself - that could have several harmless reasons. probably because your browser is set up to remove cached files after closing.
what was it then?
thankfully clamav has identified it for you. searching yields one result.
if you, too, visited yahoo finance, that would explain it, but there is no reason that that particular baddie can't be found elsewhere.
did it do any harm to your computer? (i have no answer to that)
what to do?
browsing with an unconfigured browser is like sex with a stranger, without a condom.
you need to be careful which sites you visit, and especially where you allow javascript to be executed (99% of all mal/spy/etc.ware can't get onto your machine if javascript is disabled). i use the noscript addon.
Sorry, I don't mean to waste anyone's time.
Here's the steps I've taken since starting this thread.
1. I've cleared cookies, site data and cached web content using Firefox preferences
2. I've scanned again with ClamAV twice and got a clean report.
3. I Googled "rm -fr ~/.cache/ ; exit", which habitual recommended, but I didn't understand what it does (although it's supposed to start with "rm -rf"). I got this link https://askubuntu.com/questions/3683...-from-terminal
I didn't really understand the other codes either.
I didn't visit the result ondoho was talking about because I don't know if clamxav.com is safe.
My friend said to make sure the problem wasn't a rootkit.
He advised reading the manpages for rkhunter if I didn't understand the program.
Wondering what my next steps should be.