LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-29-2016, 02:56 AM   #1
galien8
I have 4 to 5 viruses every day under UBUNTU / FIREFOX says ClamTK


NO FIREFOX TABS OPEN
TIME VIRUS CLEAN 2016-07-18 19:56

LATER ONLY TABS OPEN:
Google
Facebook
Gmail

TIME VIRUS CHECK 2016-07-19 2:28
VIRUSES (ClamTK Home Directory 10,095 Files scanned):
PUA.Doc.Tool.LibreOfficeMacro-1

Seems to not come from the sites, but through the ports, like that famous worm in the early 00's

This is new for me: not in the Mozilla subdirectories but in the LibreOffice subdirectory; I usually have 4 to 5 viruses per day in the Mozilla subdirectories.
 
Old 07-29-2016, 06:12 AM   #2
Michael Uplawski
Quote:
Originally Posted by galien8
PUA.Doc.Tool.LibreOfficeMacro-1
I've heard about Basic on Linux. Probably kind of a technological progress or something... It's this or the candlestick.
 
Old 07-29-2016, 06:32 AM   #3
galien8
Original Poster
Quote:
Originally Posted by Michael Uplawski
I've heard about Basic on Linux. Probably kind of a technological progress or something... It's this or the candlestick.
Yes, it could be a Visual Basic macro.

Can't find anything useful with "candlestick hack" or "candlestick virus" with google, what do you mean?

CLAMTK sometimes scans more files than other times; it could be that this time it scanned the most, and the alleged virus is a false positive.

former scan 9,000 files
last scan 10,000 files

I don't know CLAMTK very well, but now the same installation also sometimes scans only 4,000, 5,000 or 6,000 files in the home directory. I scan several times a day, so I noticed this in the reports.

Last edited by galien8; 07-29-2016 at 07:28 AM.
 
Old 07-29-2016, 08:16 AM   #4
Habitual
PUA is not enabled by default. Don't, or
Code:
clamscan -ir $HOME
 
Old 07-29-2016, 08:41 AM   #5
galien8
Original Poster
Quote:
Originally Posted by Habitual
PUA is not enabled by default. Don't, or
Code:
clamscan -ir $HOME
OK

I do CLAMTK GUI most of the time

if there are viruses found by CLAMTK also: clamscan --remove -r /

Also funny: the first scan only does the SSD, but any consecutive scan with the same command suddenly does the whole computer (SSD, photo camera USB stick, hard disk) and takes forever (> 4 hours), 1 TB.
 
Old 07-29-2016, 10:24 AM   #6
Habitual
You don't need to scan /
Warning: And I certainly cannot advise any arbitrary "--remove" action.

clamav doesn't clean anything. Have you noticed?
Remove and quarantine. You really want to trash your system for a false positive
because clam-tk with PUA enabled, scanning / gave you the --remove "option"?
Do you think there's a reason to consider what I'm saying?

Worry about your stuff is my advice and you have that command.
Don't waste your time scanning anything that is not "your stuff". Linux can take care of itself.

IF PUA.Doc.Tool.LibreOfficeMacro-1 showed up in "your stuff", upload the suspect file to virustotal.com
Clear your browser's cache once in a while.

Code:
clamscan -ir $HOME
man clamscan shows -i is for "infected" and -r is for "report".
Nice and tidy short list of how many, and what/where infection of "your stuff".

clam-tk is just lipstick on the pig.
Don't trust your system to a lipstick wearing pig.
 
Old 07-29-2016, 11:05 AM   #7
galien8
Original Poster
Quote:
Originally Posted by Habitual
You don't need to scan /

Code:
clamscan -ir $HOME
man clamscan shows -i is for "infected" and -r is for "report".
Then I would do:
Code:
clamscan --remove -ir -r $HOME
I want a recursive scan and to get rid of the viruses. In CLAMTK I delete, never quarantine; however, if I can help the anti-virus movement and must therefore quarantine in order to be able to send them by email to virustotal.com or upload them or whatever, I would do that.

Do you mean I get a list of viruses and locations, with

Code:
clamscan -ir $HOME
I must then upload them to virustotal.com and manually delete the files? A bit laborious, but I'm willing to help.

Last edited by galien8; 07-29-2016 at 11:13 AM.
 
Old 07-29-2016, 12:55 PM   #8
Habitual
What is "laborious" is scanning / unnecessarily.
Uploading to virustotal.com of a suspect file is just good Linux Admin 101.

Any monkey can delete stuph without investigating. Don't trash your system.
  1. don't scan /
  2. Don't scan with PUA
  3. Verify backup of your $HOME ("your stuff")
  4. clamscan -ir $HOME --remove

Do what you want.

Last edited by unSpawn; 07-30-2016 at 03:52 AM. Reason: //mind the others plz
 
Old 07-29-2016, 01:46 PM   #9
galien8
Original Poster
Quote:
Originally Posted by Habitual
What is "laborious" is scanning / unnecessarily.
Uploading to virustotal.com of a suspect file is just good Linux Admin 101.

Any monkey can delete stuph without investigating. Don't trash your system.
  1. don't scan /
  2. Don't scan with PUA
  3. Verify backup of your $HOME ("your stuff")
  4. clamscan -ir $HOME --remove

Do what you want.
OK Thanks

How do I upload to virustotal.com? From the quarantine directory or so? It would be nice if I first quarantined and uploaded from there; then I am already rid of the viruses. Moreover, I then have an archive of the infections.

Last edited by unSpawn; 07-30-2016 at 03:52 AM. Reason: //quote fix
 
Old 07-29-2016, 03:46 PM   #10
Habitual
Quote:
Originally Posted by galien8
OK Thanks

How do I upload to virustotal.com? From the quarantine directory or so? It would be nice if I first quarantined and uploaded from there; then I am already rid of the viruses. Moreover, I then have an archive of the infections.
Uh, the "Choose File" button at virustotal.com?
Forget virustotal.
Trash your system, I don't care.

All I intended to say is
don't scan /
don't scan with PUA
delete if you want after independent verification at virustotal.com

Am I not making it clear?
Quarantine? You're using the --remove option.
Stop using the gui, it's useless to you.

Code:
sudo apt-get remove --purge clamtk
Good Luck.

Last edited by Habitual; 07-29-2016 at 03:49 PM.
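The workflow Habitual lays out in post #8 (scan only $HOME, skip PUA, verify at virustotal.com before deleting) and galien8's quarantine question in post #9, as an added example that is not from the thread: a POSIX shell script that triages a `clamscan -ir "$HOME"` report (-i lists only infected files, -r recurses), counts PUA hits separately from other hits, and moves hits to a quarantine directory instead of deleting them. The sample report, its paths and the .odt hit are constructed; clamscan's own `--move=DIR` option is the built-in equivalent of the quarantine step.

```shell
#!/bin/sh
# Added example, not from the thread: triage a report produced by
#   clamscan -ir "$HOME"     (-i: list only infected files, -r: recurse)
# Hit lines look like "<path>: <signature> FOUND". Signatures beginning
# with "PUA." are "potentially unwanted applications": only reported when
# PUA detection is enabled and often benign, so they are counted apart
# from other hits. Nothing is deleted. Hits are moved to a quarantine
# directory (clamscan's own --move=DIR does the same) so each file can be
# checked at virustotal.com first and restored if it was a false positive.

# Constructed sample report. Paths and the .odt hit are made up; the three
# signature names are the ones quoted in the thread.
SAMPLE_REPORT='/home/user/Documents/budget.odt: PUA.Doc.Tool.LibreOfficeMacro-1 FOUND
/home/user/.mozilla/firefox/x.default/cache2/entries/0F3A: html.exploit.cve_2015_1692-1 FOUND
/home/user/Downloads/setup.exe: win.trojan.xored-1 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 10095
Infected files: 3'

# Print "path: signature" for every FOUND line; summary lines are dropped.
found_lines() { printf '%s\n' "$1" | sed -n 's/ FOUND$//p'; }

# Number of PUA hits (signature starts with "pua.", case-insensitive).
count_pua() {
    found_lines "$1" | awk -F': ' 'tolower($NF) ~ /^pua\./ {n++} END {print n+0}'
}

# Number of non-PUA hits; these are the ones to investigate promptly.
count_non_pua() {
    found_lines "$1" | awk -F': ' 'tolower($NF) !~ /^pua\./ {n++} END {print n+0}'
}

# Move every reported file that exists into quarantine directory $2,
# flattening its path into the new name so the origin stays recoverable.
# Prints the number of files moved.
quarantine_hits() {
    mkdir -p "$2"
    found_lines "$1" | awk -F': ' '{print $1}' | while IFS= read -r f; do
        [ -f "$f" ] || continue
        mv -- "$f" "$2/$(printf '%s' "$f" | tr '/' '_')" && printf '%s\n' "$f"
    done | wc -l | tr -d ' '
}

# Stand-alone run on the constructed report.
printf 'PUA hits: %s\nOther hits: %s\n' \
    "$(count_pua "$SAMPLE_REPORT")" "$(count_non_pua "$SAMPLE_REPORT")"
```

Feed it a real report with `quarantine_hits "$(clamscan -ir "$HOME")" "$HOME/quarantine"` only after the non-PUA hits have been checked at virustotal.com; a PUA hit on a document you wrote yourself is the false positive 273 describes below.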
 
Old 07-29-2016, 04:37 PM   #11
galien8
Original Poster
Quote:
Originally Posted by Habitual

don't scan with PUA
CLAMTK up to now has only found PUAs. With PUA viruses the system slows down to the point where the screen goes grayscale and freezes: no LINUX UBUNTU menu anymore, only mouse movement, no functionality.

Reboot, clamtk scan, delete 4 to 5 PUAs, system behaves normally for a couple of hours, then the next day the whole cycle starts over again.

PUA's like:
html.trojan.agent.37075
html.exploit.cve_2015_1692-1
win.trojan.xored-1

Are these harmless HABITUAL?

Last edited by galien8; 07-29-2016 at 04:45 PM.
 
Old 07-30-2016, 01:27 AM   #12
273
I think you're falling into the trap of thinking that Linux is Windows and that ClamAV is picking up Linux viruses. What you are seeing are false positives because you're using a virus scanner mainly meant to pick up Windows viruses on a Linux server to prevent it serving those to Windows machines which may become infected.
Take a step back and explain what it is you are trying to do here. I think it's highly unlikely (though not impossible) that you'll have a virus slowing down your Linux system.
 
Old 07-30-2016, 01:57 AM   #13
galien8
Original Poster
Quote:
Originally Posted by 273
I think you're falling into the trap of thinking that Linux is Windows and that ClamAV is picking up Linux viruses. What you are seeing are false positives because you're using a virus scanner mainly meant to pick up Windows viruses on a Linux server to prevent it serving those to Windows machines which may become infected.
Take a step back and explain what it is you are trying to do here. I think it's highly unlikely (though not impossible) that you'll have a virus slowing down your Linux system.
From my experience it helps to remove these PUA viruses; the system becomes responsive for a couple of hours again. Maybe you're right; all I know is that something or someone is messing with my UBUNTU system. It could coincidentally correlate with the amount of "Windows" viruses, and it could be intended too, to make me think that the cause is these PUA viruses: the fog of war.
 
Old 07-30-2016, 02:10 AM   #14
273
They're not viruses though.
It's typical when Windows runs slow to think "Oh, no, I must have a virus!" and do a virus scan because that can often be the case in Windows (sometimes it's not the case there either) but under Linux viruses are extremely rare. I could go on about a virus that slows down a system is pointless as it won't make money and a load of other things but the bottom line is that a slow system does not automatically mean that you have a virus (even under Windows).
Take a step back and look at what's happening when your system becomes unresponsive and in what way it is unresponsive. I suspect something like badly-scripted web pages full of rubbish are filling RAM and taking far too many processor cycles.
 
Old 07-30-2016, 03:03 AM   #15
galien8
Original Poster
Quote:
Originally Posted by 273
They're not viruses though.
It's typical when Windows runs slow to think "Oh, no, I must have a virus!" and do a virus scan because that can often be the case in Windows (sometimes it's not the case there either) but under Linux viruses are extremely rare. I could go on about a virus that slows down a system is pointless as it won't make money and a load of other things but the bottom line is that a slow system does not automatically mean that you have a virus (even under Windows).
Take a step back and look at what's happening when your system becomes unresponsive and in what way it is unresponsive. I suspect something like badly-scripted web pages full of rubbish are filling RAM and taking far too many processor cycles.
What is the "candlestick" Uplawski is talking about?
 