LinuxQuestions.org
Old 09-28-2019, 04:08 AM   #1
The_Dark_Passenger
Member
 
Registered: Apr 2018
Distribution: Slackware64 14.2 & -Current
Posts: 89

Rep: Reputation: Disabled
Chance of getting malware?


Hello,

I'm curious about my use case, and the chance of getting malware that would actually affect my system. I work for a web hosting company, and run Slackware64 -current on my workstation. Pretty stock full install with KDE4 and a few add-on programs.

Sometimes our clients send us png, jpg, pdf, docx, and eml files regarding issues. I scan these with clamav and virustotal and they come back clean. However, what chance could there be of malware that would actually affect my install? Is there really any active Linux malware targeting desktop systems? Everything I've opened so far has either been in less, Thunderbird, LibreOffice, or Gwenview. Everything is kept up to date. Are there any active in-the-wild exploits for these applications on Linux?

Additionally, clamav and chkrootkit scans have come back clean. I am now opening files in a VM to be extra safe. I'm just wondering how much of a risk there has been till now. I also never run any scripts and nothing has been opened as root.

Any thoughts and discussions appreciated.
 
Old 09-28-2019, 06:28 AM   #2
greencedar
Senior Member
 
Registered: Sep 2018
Distribution: Linux Mint 19.1 Tessa & 19.3 Tricia
Posts: 1,318
Blog Entries: 1

Rep: Reputation: 125
With all of the precautions that you have taken, especially opening files in a VM, it sounds like your system is secure and has possibly prevented a malware attack.

The major problem I would perceive is from an individual who would specifically target your system for financial gain, or a disgruntled employee.

Some hackers specifically target systems for financial gain. And one disgruntled employee can raise havoc on a system out of spite or revenge. If a disgruntled employee from any of your clients knows that you have previously taken concrete steps to prevent a hacker's intervention, and you keep good records, then that disgruntled employee will probably leave your system alone out of fear of getting caught and legal action being taken.

So, I think that there has been a possible risk before your numerous malware-prevention steps (due to numerous clients), and it is wise to continue taking them.
 
Old 09-28-2019, 06:38 AM   #3
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth, unfortunately...
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,827

Rep: Reputation: 2020
Most Linux based malware targets Linux servers and embedded Linux. It's unlikely that you'll have much to worry about with desktop Linux. If you've also got Windows machines on the same network, then Linux could still become a "distribution point" even if it's not directly affected itself. That would likely be the biggest concern as far as desktop Linux machines are concerned.

ClamAV for one is more designed for things like Linux mail servers rather than desktop Linux, although you can obviously still use ClamAV with desktop Linux. I prefer Sophos AV myself, but that said, it's never found any malware on my desktop system before (I only have Linux installed on it).
 
Old 09-28-2019, 08:29 AM   #4
hitest
Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, Debian, MX, OpenBSD, VMs: Arch, Void
Posts: 6,580

Rep: Reputation: 2794
I've used the following utilities to check for rootkits and trojans.

http://slackbuilds.org/repository/14...earch=rkhunter

http://slackbuilds.org/repository/14...em/chkrootkit/
 
Old 09-28-2019, 10:59 AM   #5
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Debian
Posts: 1,888

Rep: Reputation: 1137
You seem to be exercising good precautions.

Being a tad cautious is healthy. There are malicious people out there who don't care who they hurt.

I would venture that more than 95% of all malware can be avoided by exercising basic computer hygiene and common sense.

Avoid docx macro viruses by using LibreOffice. Avoid PDF viruses by using a document viewer that does not support JavaSh_t. Open eml files with a text editor. Open image files in an image viewer rather than directly in the email.

Quote:
Are there any active in-the-wild exploits for these applications on Linux?
There are always zero-day exploits being found. The pace of regular security patches means developers are finding potential exploits too. While Windows remains the popular target, I follow some related security RSS feeds and Linux based systems are targets.

A big cause of compromise is failing to keep systems patched. Another is social engineering tricks. A popular recent focus is sending people emails spoofed from the company CEO, CIO, etc.

Much of the malware these days is designed for financial gain rather than destruction.

A significant modern threat is ransomware. Linux based systems do not escape that effort. Most ransomware is designed to be dormant for hours, days, or weeks before triggering. Delayed execution obfuscates when the ransomware was installed in order to confuse users when to restore files from backups. Ransomware is designed to target network connections.

One possible tool is for the owners at your job to subscribe to a spam blocking service. We do that at work and we seldom see problematic emails.

For myself, I use Thunderbird. I do not use the view pane. When I receive a suspect email, I never open the mail directly. I open the file source using Ctrl+U. After confirming my suspicions I hard-delete the mail with Shift+Delete.

I configure Thunderbird to not automatically connect to any embedded external links. When I receive an email with an embedded link, I always hover the mouse pointer over the link to verify the actual link matches the text string.

I configure Thunderbird to view all mails in plain text and only toggle HTML view when I know the sender.

I use DNS based blocking. Originally I started this practice to avoid ads, but DNS blocking avoids problematic URLs system-wide. I have been doing this for many years with dnsmasq. Through the years my block list has accumulated to 274,048 URLs. Some of the URLS likely are old and no longer valid, but dnsmasq is efficient and fast so I don't bother pruning. I update the list weekly from a cron job and shell script.
 
Old 09-28-2019, 12:24 PM   #6
philanc
Member
 
Registered: Jan 2011
Posts: 269

Rep: Reputation: 237
Quote:
Originally Posted by upnort View Post

(...) I use DNS based blocking. Originally I started this practice to avoid ads, but DNS blocking avoids problematic URLs system-wide. I have been doing this for many years with dnsmasq. Through the years my block list has accumulated to 274,048 URLs. Some of the URLS likely are old and no longer valid, but dnsmasq is efficient and fast so I don't bother pruning. I update the list weekly from a cron job and shell script.
Do you run it on a distinct or dedicated box, or on your main desktop/laptop?

What source(s) do you use for the weekly updated blocklist?

TIA

Phil
 
Old 09-28-2019, 01:55 PM   #7
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys
Posts: 3,496

Rep: Reputation: 3391
You seem fine, Dark Passenger, but if you still worry you could look into building something like a Raspberry Pi encrypted DNS device that serves your machines.
 
Old 09-28-2019, 02:03 PM   #8
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Rep: Reputation: 925
@The_Dark_Passenger

Your VM setup is the modern solution I'd also adopt, given you keep a copy of your clean VM files, dump the "dirty/used" VM files, substitute them with the clean ones and always start/restart your VM clean.
Long (very long - decades) time ago, before VMs, I used tripwire and I believe it was shipped with Slackware by default (can't really remember).
Should you consider such an integrity check system, tripwire is apparently not available on SlackBuilds, but you can build it on your own.
However, you have AIDE:
http://slackbuilds.org/repository/14.2/system/aide/
https://en.wikipedia.org/wiki/Advanc...on_Environment
Comparison:
https://www.upguard.com/articles/tripwire-vs-aide
 
Old 09-28-2019, 06:10 PM   #9
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Debian
Posts: 1,888

Rep: Reputation: 1137
Quote:
Do you run it on a distinct or dedicated box? or on your main desktop/laptop?
What source(s) do you use for the weekly updated blocklist?
I run the process on the office desktop, which is a pseudo server for the house network. Once upon a time I had a dedicated server, but after a while I saw no need to burn the additional electricity. I have been using dnsmasq this way for many years, long before pi-hole was developed or became popular.

I use several block lists:

/etc/hosts-blocked (the big list)
/etc/hosts-cryptomining
/etc/hosts-do-not-block (blocking exceptions)
/etc/hosts-fb (farcebook)
/etc/hosts-mozilla (Mozilla phone-home "telemetry" nonsense)
/etc/hosts-ms (Microsoft)

The respective snippets in /etc/dnsmasq.conf:

# A huge generic block file.
addn-hosts=/etc/hosts-blocked
# Block known Facebook URLs.
addn-hosts=/etc/hosts-fb
# Block known Microsoft URLs associated with telemetry and phoning home.
addn-hosts=/etc/hosts-ms
# Block cryptomining web sites.
addn-hosts=/etc/hosts-cryptomining
# Block Mozilla telemetry and phoning home.
addn-hosts=/etc/hosts-mozilla

I use several sources:

http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts;showintro=0
http://winhelp2002.mvps.org/hosts.txt
https://raw.githubusercontent.com/ho...ster/hosts.txt
https://raw.githubusercontent.com/jm...s/facebook/all

I use my own shell script. The script was one of the first I wrote, some 16-17 years ago. Not one of my better scripts, but the script does the job and I am too lazy to write a new script from scratch.

I update weekly.

Way, way back in the early days, I ran the blocking on my WRT54GL router. Eventually the list got too big for the device's limited memory. When I get around to building a dedicated network gateway/router, I plan to move the blocking to that system.
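An added example of the weekly rebuild upnort describes, written for this thread and not upnort's own script: it merges hosts-format lists into one addn-hosts file, applies a do-not-block exception list, and HUPs dnsmasq. The file names follow the post; curl, GNU grep/awk and a pkill-able dnsmasq are assumptions.

```shell
#!/bin/sh
# Added example, not upnort's own script: merge several hosts-format block
# lists into one dnsmasq addn-hosts file, honouring an exception list, and
# make dnsmasq reload it. File names follow the post; curl is assumed.

# Read hosts-format lists on stdin, print unique lowercase hostnames.
# Drops comments, CRLF endings and the loopback names every hosts file has.
normalize_hosts() {
    tr -d '\r' | sed 's/#.*//' \
    | awk 'NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
               for (i = 2; i <= NF; i++) print tolower($i) }' \
    | grep -Evx 'localhost|localhost\.localdomain|local|broadcasthost|ip6-.*' \
    | sort -u
}

# build_blocklist OUT EXCEPTIONS LIST...
# Merge LIST files, drop names found in EXCEPTIONS (one name per line, like
# /etc/hosts-do-not-block), write OUT as "0.0.0.0 name" lines, print the count.
build_blocklist() {
    out=$1; exc=$2; shift 2
    tmp=$(mktemp) || return 1
    cat "$@" | normalize_hosts > "$tmp"
    if [ -s "$exc" ]; then
        tr -d '\r' < "$exc" | sed 's/#.*//' | awk 'NF { print tolower($1) }' \
            | grep -vxF -f - "$tmp" > "$tmp.keep" || true   # grep exits 1 if all dropped
    else
        cp "$tmp" "$tmp.keep"
    fi
    sed 's/^/0.0.0.0 /' "$tmp.keep" > "$out"
    rm -f "$tmp" "$tmp.keep"
    wc -l < "$out" | tr -d ' '
}

# Weekly cron job (assumed layout): fetch a source named in the post, rebuild,
# then SIGHUP dnsmasq, which re-reads its addn-hosts files without a restart.
weekly_update() {
    curl -fsSL 'http://winhelp2002.mvps.org/hosts.txt' > /var/tmp/mvps.hosts
    build_blocklist /etc/hosts-blocked /etc/hosts-do-not-block /var/tmp/*.hosts
    pkill -HUP dnsmasq
}

# Self-test on constructed sample lists standing in for downloaded files.
demo() {
    d=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\r\n0.0.0.0 ads.example.test # ad\n0.0.0.0 Tracker.example.test\n' > "$d/a.hosts"
    printf '0.0.0.0 tracker.example.test\n0.0.0.0 cdn.example.test mining.example.test\n' > "$d/b.hosts"
    printf '# needed for work\ncdn.example.test\n' > "$d/do-not-block"
    build_blocklist "$d/hosts-blocked" "$d/do-not-block" "$d/a.hosts" "$d/b.hosts"
    rm -rf "$d"
}
```

Running `demo` prints 3: four unique names from the two sample lists, minus the one exception.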
 
Old 09-28-2019, 06:15 PM   #10
philanc
Member
 
Registered: Jan 2011
Posts: 269

Rep: Reputation: 237
Quote:
Originally Posted by upnort View Post
I run the process on the office desktop, which is a pseudo server for the house network. Once upon a time I had a dedicated server, but after a while I saw no need to burn the additional electricity. I have been using dnsmasq this way for many years, long before pi-hole was developed or became popular.

I use several block lists:

(...)
Thanks for all the info

Phil
 
Old 09-28-2019, 10:44 PM   #11
The_Dark_Passenger
Member
 
Registered: Apr 2018
Distribution: Slackware64 14.2 & -Current
Posts: 89

Original Poster
Rep: Reputation: Disabled
Thanks everyone for the answers. I'll look into AIDE and setting up something like a Pi-hole with security lists. With AIDE, would it be possible to set up the DB on a fresh, known-clean Slackware64 -current install, updated as fully as my system is? Then have AIDE check against my workstation's system files for changes? The actual system files should be the same, correct? And the only differences would be additional software I installed?
 
Old 09-29-2019, 05:26 AM   #12
igadoter
Senior Member
 
Registered: Sep 2006
Location: wroclaw, poland
Distribution: many, primary Slackware
Posts: 1,960
Blog Entries: 1

Rep: Reputation: Disabled
Don't go paranoid. This will cause you to look for more and more complex solutions which in fact only decrease your system's reliability. Keep important data in files with less vulnerable formats: text files. E.g. you can always convert pdf -> text. You can always reinstall the system as a monthly routine. You can isolate the user by requiring user-only binaries; directories will go under a user mirror of /usr. There are many applications which don't have to be installed system-wide. Some pictures can be viewed in the framebuffer with links. Use the file utility to detect the file format. Print files on a printer attached only to your computer. Malware also aims at other hardware than computers only. Last but not least, try to learn about security in general. 100% security is granted if you are using a computer at all. It is just too complex a device to be made secure by some simple set of rules. I would add: buy a new computer every three months.
 
Old 09-29-2019, 01:11 PM   #13
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Rep: Reputation: 925
Quote:
Originally Posted by The_Dark_Passenger View Post
Thanks everyone for the answers. I'll look into AIDE and setting up like a PI-Hole with security lists. With AIDE, would it be possible to setup the DB on a fresh known clean Slackware64 -current install, and updated fully as my system is? Then, have AIDE check against my workstations system files for changes? The actual system files should be the same, correct? And, the only differences would be additional software I installed?
I don't have experience with AIDE and I couldn't find proper documentation on their official page, only some HowTos on Red Hat and openSUSE:
https://access.redhat.com/documentat...sec-using-aide
https://doc.opensuse.org/documentati.../cha.aide.html

AIDE looks to work pretty much like tripwire, that is, creating integrity hashes for the files contained in the targeted/configured folders, saving them in a compressed database and giving the user the ability to check whether those files were tampered with or not.
You should keep the signatures/hashes database together with the binary utilities for checking on an external drive (USB flash/external FTP) and use them to verify your live system. You'll need to perform updates, and on those occasions you'll have to perform an integrity check first, do the updates, regenerate the hashes database after the updates and store it again on the external storage.
This will take some work & time on your side, and this is one reason I was in favor of your actual VM setup; it's easier to maintain.

The only VM system I'm more experienced with is VMware, and with VMware the image storage is dynamic: the VM image files' size corresponds approximately to the actual storage used by the OS running in the VM. I have a Slackware 14.2 image that is less than 10GB big and I keep a safe (& clean) copy of it in a backup folder. Before a VM start I delete the "used/dirty" VM Slackware image files and put the clean ones in place - it takes a minute or so to copy them. When I perform an update, again I start with the clean image files, update the system, exit the VM and save the new image as the clean one. It's easier & safer. The only downside of this approach is maybe putting more stress on the storage (hard drive) and shortening its lifespan, but then hard drives are pretty resilient and you need to change them anyway every few years.

@igadoter
It looks attributed to John Lennon - "Paranoia is just a heightened sense of awareness."
 
Old 09-29-2019, 02:06 PM   #14
mralk3
Senior Member
 
Registered: May 2015
Distribution: Slackware, OpenBSD
Posts: 1,547

Rep: Reputation: 869
You can install AppArmor MAC. It's fairly easy to configure on Slackware. You do not need to have an application profile for everything. I generally make a profile for dhcpd/dhclient, avahi, sshd, any other system daemons configured to listen on the network, and common system utilities (netstat, ping, traceroute, ftp/lftp, nmap, less, more, to name a few). The only con is that you will have to rebuild your kernel to support AppArmor on Slackware.

As previously mentioned, AIDE is great, but on -current it's a hassle to continually update the database. If you are running Slackware stable, it definitely makes sense to run aide. Be sure to store your aide database on external media (USB stick) and only mount it, read-only, in the event you suspect intrusion.

It may benefit you to also run Suricata as an intrusion protection system. Snort is another option.

apparmor - https://slackbuilds.org/repository/1...stem/apparmor/
suricata - https://slackbuilds.org/repository/1...work/suricata/

If you are REALLY paranoid, you can add psad: https://slackbuilds.org/repository/14.2/network/psad/
 
Old 09-29-2019, 10:45 PM   #15
The_Dark_Passenger
Member
 
Registered: Apr 2018
Distribution: Slackware64 14.2 & -Current
Posts: 89

Original Poster
Rep: Reputation: Disabled
Thanks for the replies. I don't really have any services listening on the network, not even sshd. And I drop all input short of established connections from my system in iptables.

We do get some eml files from time to time. Has there been any Linux malware spread through these files? Does Thunderbird currently have exploits exploitable by these files? I usually open eml in less; however, one time I did open one in Thunderbird. It appeared blank, but opening it in less I saw a block of base64 encoded code. Manually decoding it, it appeared to just be the plain text headers of the email we requested from the customer. As the eml file only contained the base64 code block, and didn't say what it was, could Thunderbird have even read it? Again, Thunderbird displayed it as blank, and no attachments.

Would it have had to show an attachment, then download that before anything malicious could happen? My Thunderbird is set to not automatically download external elements.

Also, I do full system updates at least weekly, sometimes more.

Last edited by The_Dark_Passenger; 09-29-2019 at 10:47 PM.
 