LinuxQuestions.org
Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-12-2017, 05:43 PM   #1
otto#2
LQ Newbie
 
Registered: Nov 2014
Posts: 17

Rep: Reputation: Disabled
Infected or not


Hi, I have been told that Linux was safe from viruses and malware. I have been using Ubuntu 16.04 64-bit for a couple of years with no problems. A couple of weeks ago I went to a site to register the warranty for my luggage (ifly.com) and got a pop-up saying not to close this page and to contact Windows 7 for a maintenance fix. I said Hahahaha, not using Windows, this isn't a problem, I use Linux. Then my mail client, Claws, started having a problem with the certificate. Then Facebook started saying "did you log on 2 minutes ago from Texas?" I live in New Mexico, "NO", you are locked out until you reset your password. Since then, I have had to reset my password sometimes as much as twice a day. I am using a 20-digit password with caps, lower-case and special characters. My browser is Firefox ver 56.0 64-bit.

My question is: Did I get infected? Looking at what is available for Linux, there isn't much out there because "they" don't target Linux. I get my downloads from the Ubuntu Software repository. I changed the certificate setting in Claws to accept all certificates and so far I haven't had a pop-up in Claws saying "invalid certificate". Any ideas?
 
Old 11-12-2017, 09:06 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6141
Although Linux is fairly safe from viruses (as far as I know, there are no Linux viruses currently in the wild and have not been for years), it is not immune. It is also not safe from other vectors of malware, such as phishing, spoofing, dodgy links in websites and emails, and the like, as well as random port scans. The very fact that you got that stupid Windows pop-up indicates that you visited a website that was either compromised or inherently dodgy.

Here are some questions:

Did you change the default password in your router? The bad guys know the default passwords of most makes of routers--certainly the major ones--and can attack a network through the router.

Did you configure and are you running a firewall?

Have you cleared your browser's cache and history?

Have you installed fail2ban? It's in the repos.

Here's Ubuntu's article on how to check for viruses: https://help.ubuntu.com/community/Antivirus If you choose to install an AV (and I would recommend you do at this point), take the computer off the network--pull the plug or turn off the wireless--to run a scan once the AV is installed and updated.

Last edited by frankbell; 11-12-2017 at 09:07 PM.
 
2 members found this post helpful.
Old 11-14-2017, 09:53 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3940
It would appear that someone has misappropriated your login credentials in some way. If you changed the password and you still get notification of successful attempts to use the account, then there's a chance that someone has installed a key-logger.

I would promptly contact the management of the web-site(s) in question, to let them tell you what they're seeing on their end. You might also wish to change the user-id itself, as well as the password, which they can do even if you can't. They might be reporting an unsuccessful attempt to access your account.

You should, as a matter of routine, always use "ad blockers" when you visit any website, because "internet advertisements" are actually software.

No operating system is "immune" from malware – but I do not use "biological terms" such as "immune" or "infect," since these terms do not reflect what is actually going on: someone is attempting to run (or is running ...) a piece of computer software without your knowledge or consent. All operating systems, specifically including Microsoft Windows, contain strong(!) security features which can be used to prevent unauthorized execution of things. (N.B. Windows' "policy-based" scheme is actually quite strong, and offers very fine-grained controls, provided that it is actually used!)

"Security is a process, not a product."
 
Old 11-14-2017, 11:47 AM   #4
otto#2
LQ Newbie
 
Registered: Nov 2014
Posts: 17

Original Poster
Rep: Reputation: Disabled
Here is an update. I checked a box in Claws Mail to accept all certificates and I don't get the pop-up saying their certificate is out of date. OK, for Facebook, I put in a 20-digit password with upper- and lower-case letters and special characters. I switched from my Linux desktop to my Linux laptop and so far I have never had another security warning. I have run the laptop for 2 days without any unauthorized attempted log-on (it has Ubuntu 14.04 LTS installed). I am thinking my next step is to go back on the Linux desktop and see if I get a security error from Facebook. I have the firewall that ships with Ubuntu turned on but am at a loss as to what to use to inspect my system for malware, or what ad blocker to use. I am running Ubuntu 16.04, 64-bit. Does anyone have a suggestion for anti-malware software or an ad blocker? Bear in mind, I am not a software engineer. Even with the firewall in Ubuntu, I went with the default values. My history and cookies were deleted; that was the first thing I did. I was thinking of upgrading my OS to Ubuntu 17.04. Would that clean out any bugs that got into my system, or maybe I should just reinstall 16.04.3? Any ideas??

Thanks for the info, I appreciate it!
 
Old 11-15-2017, 11:30 AM   #5
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Rep: Reputation: 22
I think the most likely explanation is you're allowing JavaScript everywhere (not running NoScript), and an ad from somewhere you visited had malware. It didn't want you to close the page because that would have killed it. It could have lived on even after you left Facebook.

Also browser plugins can be appropriated, for example if you use a password manager all your passwords could be lifted.

I run two sets of browsers: Tor Browser, and regular Firefox, the first being preferred and the second only used when I must have all functionality like jobhunting.
 
Old 11-15-2017, 03:42 PM   #6
otto#2
LQ Newbie
 
Registered: Nov 2014
Posts: 17

Original Poster
Rep: Reputation: Disabled
Thanks for the info. I got ClamAV working and killed all the reported malware. Then I re-scanned and it shows virus free. Ran Facebook and within a few minutes I got the warning saying my account was locked and asking if it was me that logged in; well, it wasn't me....again. I had added NoScript and Privacy Badger to Firefox. I downloaded and installed Chromium, uninstalled Firefox and reinstalled Firefox. Made Chromium my browser. Waiting for the next attack. Is Tor better than Chromium? I have used Firefox for years. Maybe I should try Tor.
 
Old 11-15-2017, 04:21 PM   #7
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Rep: Reputation: 22
Do you have Clam set for on-access scanning? It isn't really for web browsing; G**gle's supposed to help you with that in Firefox settings, although that's just one of their data mining efforts and I don't trust them. Like that "One More Step" garbage where you have to train G**gle's artificial intelligence to recognize vehicles, road signs, store fronts, etc., before you can get to certain CloudFront websites.

There is some setup in NoScript, as by default it does nothing. I've attached my NoScript preferences file which you can remove .txt from (required by this forum) and import into NoScript's settings. This will get it working like it should.

The principle is, when you visit a site that's new to NoScript it will block all JavaScript, and JavaScript is the main vector for transmitting most browser malware. It also happens to be how most websites work, so you'd normally whitelist the main site by hitting NoScript|Allow site.com. Over time you whitelist all the sites you go to, and most things work. Some sites call lots of other sites, mainly for tracking, stats, CDN, and other useless functions, but sometimes another site is integral so you have to whitelist that too.

I always add the EFF's HTTPS Everywhere addon and enable its Observatory.

Tor Browser is inconvenient at first, as you train NoScript, RefControl, etc. on what's acceptable. It's a slight bit slower, but I do enterprise infosec and security matters to me.
Attached Files
File Type: txt FF-NoScriptPrefs.txt (33.0 KB, 643 views)

Last edited by Quantumstate; 11-15-2017 at 04:27 PM.
 
2 members found this post helpful.
Old 11-15-2017, 04:50 PM   #8
otto#2
LQ Newbie
 
Registered: Nov 2014
Posts: 17

Original Poster
Rep: Reputation: Disabled
Thanks for the txt file. I will start working on that. I was going to try HTTPS Everywhere, one step at a time. Thanks again.
 
Old 11-15-2017, 08:08 PM   #9
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6141
Have you changed your Facebook and possibly other passwords that may have been compromised?
 
Old 11-15-2017, 11:58 PM   #10
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote: Originally Posted by otto#2
Is Tor better than Chromium? I have used Firefox for years. Maybe I should try Tor.
Tor is not a browser.
Asking if it's better than Chromium doesn't make sense.
The Tor Browser is Firefox, with some settings hardwired.
As to what Tor itself is, better look here.
 
Old 11-16-2017, 12:35 AM   #11
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,840

Rep: Reputation: 7308
Quote: Originally Posted by otto#2
Thanks for the info. I got ClamAV working and killed all the reported malware. Then I re-scanned and it shows virus free. Ran Facebook and within a few minutes I got the warning saying my account was locked and asking if it was me that logged in; well, it wasn't me....again. I had added NoScript and Privacy Badger to Firefox. I downloaded and installed Chromium, uninstalled Firefox and reinstalled Firefox. Made Chromium my browser. Waiting for the next attack. Is Tor better than Chromium? I have used Firefox for years. Maybe I should try Tor.
Uninstalling Firefox was probably not enough; you need to remove all the directories used by Firefox, like cache, download area, user preferences and ....
 
1 members found this post helpful.
Old 11-16-2017, 08:28 AM   #12
otto#2
LQ Newbie
 
Registered: Nov 2014
Posts: 17

Original Poster
Rep: Reputation: Disabled
Thanks pan64. Yes, I noticed that; when I removed Firefox and reinstalled it I was thinking it would remove ALL of Firefox, but it did not do that. I am trying to do this one step or piece at a time so I can figure out what the problem is. I know there were a lot of phishing files that came up during the ClamAV scan. I really don't like Google products; I had a Google phone once, and everything revolves around Google. I guess I need to find where Firefox stores its files and start from scratch. Thanks for your input. Thanks to the rest of the guys that commented.
 
Old 11-16-2017, 11:01 AM   #13
Quantumstate
Member
 
Registered: Jun 2005
Location: Seattle, Ecotopia
Distribution: CentOS 7.4 with KDE
Posts: 262

Rep: Reputation: 22
Otto, just delete ~/.mozilla . If you want to preserve your bookmarks, first export them to a backup file.

If your OS has a 'purge' function (Debian) use that to deinstall.

FWIW I do this on the first of every month with my ~/.mozilla and ~/.mozilla-tor, just because. I also set aside the following, to preserve my configurations without any tracking or malware, then copy them into the fresh new ~/.mozilla. (Be sure to set permissions.)

dirs: bookmarkbackups, sessions, sessionstore-backups
files: formhistory.sqlite, key3.db, key4.db, == logins.json ==, sessionstore.*, and signons.sqlite

This procedure eliminates all kinds of nasties that we don't have control over, like 'evercookies', 'browser staining', and in fact all cookies.

When you get set up again, go into Preferences|Privacy|History and set Custom. Accept third-party cookies: From visited -- this is so some unrelated site cannot set cookies when you're visiting the intended site.

(this place is taking too much of my time)

Last edited by Quantumstate; 11-16-2017 at 11:11 AM.
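The profile reset described in the post above, written out as a shell script. This is an added example, not Quantumstate's own script or anything from the Firefox project: it reads the profile list from profiles.ini, stashes only the directories and files the post names (bookmarks, sessions, saved logins, form history, the key databases), wipes the rest of the profile (cookies, cache, site storage), then recreates the profile with owner-only permissions and copies the keepers back. The base directory is a parameter so it can be pointed at ~/.mozilla, ~/.mozilla-tor, or a test copy.

```shell
#!/bin/sh
# Reset a Firefox profile while keeping bookmarks, sessions and logins.
# Added example; the keep-lists below are the ones named in the post.
# Assumption: profile directories are relative to "$MOZ_BASE/firefox",
# as written in the Path= lines of profiles.ini.

KEEP_DIRS="bookmarkbackups sessions sessionstore-backups"
KEEP_FILES="formhistory.sqlite key3.db key4.db logins.json signons.sqlite"

# list_profiles BASE  -> prints the Path= entries of BASE/firefox/profiles.ini
list_profiles() {
    ini="$1/firefox/profiles.ini"
    [ -f "$ini" ] || { echo "no profiles.ini under $1" >&2; return 1; }
    sed -n 's/^Path=//p' "$ini"
}

# reset_profile DIR  -> wipe DIR, keeping only the whitelisted items
reset_profile() {
    profile="$1"
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    stash=$(mktemp -d)

    # 1. Stash the things worth keeping (directories, then files).
    for d in $KEEP_DIRS; do
        [ -d "$profile/$d" ] && cp -R "$profile/$d" "$stash/"
    done
    for f in $KEEP_FILES; do
        [ -f "$profile/$f" ] && cp "$profile/$f" "$stash/"
    done
    # sessionstore.* (e.g. sessionstore.jsonlz4); the glob stays literal if unmatched
    for f in "$profile"/sessionstore.*; do
        [ -f "$f" ] && cp "$f" "$stash/"
    done

    # 2. Remove the whole profile: cookies, cache2, storage/, extensions,
    #    prefs.js and anything an ad or page may have left behind.
    rm -rf "$profile"

    # 3. Recreate it owner-only and copy the stash back with the same restriction.
    mkdir -m 700 "$profile"
    cp -R "$stash"/. "$profile"/
    chmod -R go-rwx "$profile"
    rm -rf "$stash"
}

# reset_all BASE  -> reset every profile listed in BASE/firefox/profiles.ini
reset_all() {
    base="$1"
    for p in $(list_profiles "$base"); do
        reset_profile "$base/firefox/$p"
    done
}

# Usage (Firefox must be closed first):
#   sh reset-profile.sh ~/.mozilla
if [ "${1:-}" != "" ] && [ "$(basename "$0")" = "reset-profile.sh" ]; then
    reset_all "$1"
fi
```

Export bookmarks first, as the post says, and run it only with Firefox closed; a running Firefox holds the SQLite files open and will rewrite cookies.sqlite on exit.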
 
Old 11-19-2017, 12:55 AM   #14
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
It's really a very bad idea to run Tor Browser if you do not understand what it is. It's also pointless to run Tor from home. Over time your browsing habits will eventually identify you to the Tor network servers, and to the sites you visit. You shouldn't log into personally identifying web sites (Facebook, Twitter, all social media sites, online banking, email, etc.) if you are running Tor. Doing so severely defeats the purpose of Tor. Anyway, Tor won't prevent a compromise. It just obfuscates your browsing habits. Tor is a tool that doesn't solve your problem in this case.

As suggested:
  • If you want to secure your web browser from man-in-the-middle attacks, use the HTTPS Everywhere extension.
  • To prevent JavaScript cross-site scripting attacks, NoScript is great.
  • To prevent malicious code running from compromised web advertisements, AdBlock Plus.
  • Privacy Badger is great to prevent web sites from tracking you.

Are you certain you are running the latest security-patched version of Ubuntu? Update your system if not. No matter what add-ons or web browser you use, if you do not practice safe browsing habits, you will be compromised. Plain. Simple.

P.S. If you find it necessary to delete your ~/.mozilla directory in your home folder, you are doing it wrong.

Last edited by mralk3; 11-19-2017 at 12:56 AM.
 
Tags
malware, virus
All times are GMT -5. The time now is 04:51 AM.