11-09-2017, 03:30 PM
![[Image: 1screenshot.png]](https://preview.ibb.co/kERhXb/1screenshot.png)
![[Image: 2screenshot.png]](https://preview.ibb.co/kqVWQw/2screenshot.png)
![[Image: 3screenshot.png]](https://preview.ibb.co/dS6udG/3screenshot.png)
![[Image: 4screenshot.png]](https://preview.ibb.co/g3ykkw/4screenshot.png)
![[Image: 5screenshot.png]](https://preview.ibb.co/goJ7yG/5screenshot.png)
![[Image: 6screenshot.png]](https://preview.ibb.co/bK1hXb/6screenshot.png)
![[Image: 7screenshot.png]](https://preview.ibb.co/mEv9Cb/7screenshot.png)
On the forum it is a keylogger used at me, so I begin to look in distro, this is results, I wonder if it is related to this, is false results from both software used, or is another problem /attack altogether ?
On the forum it is a keylogger used at me, so I begin to look in distro, this is results, I wonder if it is related to this, is false results from both software used, or is another problem /attack altogether ?
11-09-2017, 05:46 PM
You can try a quick check
Code:
users11-09-2017, 08:08 PM
Thank You for reply and help.
It is only my username.
edit -
they make thing of hard drive, I dont understand that stuff, it's gone with the couriers now.
It is only my username.
edit -
they make thing of hard drive, I dont understand that stuff, it's gone with the couriers now.
11-11-2017, 02:09 PM
bitsnpcs
Do not understand where the info/readouts you posted came from. Was that a readout from your router, or from your pc?
I installed SOPHOS on my pcs as an extra precaution. Slows responses etc. down a bit but concerned that incoming/outgoing are screened realtime so that I lessen the chances of passing on something bad to work colleagues etc.
https://www.sophos.com/en-us/products/fr...linux.aspx
https://www.sophos.com/medialibrary/PDFs..._sgeng.pdf
A bit tedious to set up, but I persevered and have found it reassuring.
Hope this helps.
Do not understand where the info/readouts you posted came from. Was that a readout from your router, or from your pc?
I installed SOPHOS on my pcs as an extra precaution. Slows responses etc. down a bit but concerned that incoming/outgoing are screened realtime so that I lessen the chances of passing on something bad to work colleagues etc.
https://www.sophos.com/en-us/products/fr...linux.aspx
https://www.sophos.com/medialibrary/PDFs..._sgeng.pdf
A bit tedious to set up, but I persevered and have found it reassuring.
Hope this helps.
11-11-2017, 02:17 PM
11-11-2017, 03:19 PM
[member=149]newtusmaximus[/member] the info came from my Linux Lite computer hard drive.
it is the only OS installed on it
it is not networked
no usb stick/ or disc that ever goes on another computer is attached to it.
The only website I visit using that LL computer is this forum
The only update method I use is Install Updates (part of LL).
LL that is installed was download from the main LL website, and MD5 checked before install.
Nobody uses the computer only me, some sit with me some times.
That computer has no wifi, it is physically unplugged from ethernet since the results.
The results are from chkrootkit, and also from rkhunter (root kit hunter) command line tools as recommended in the security section of the Linux Bible 9th Edition (current edition), followed exactly to the letter.
[member=5916]trinidad[/member] thank you for the info and link.
Can some members run chkrootkit and rkhunter , (they are in Install/Remove Software, aka Synaptic) and reply back so I know if this is a overall security issue, such as the hosting company servers used by Linux Lite have been infected and are distributing it to the community, or it is one directly targeted at me only on LL.
it is the only OS installed on it
it is not networked
no usb stick/ or disc that ever goes on another computer is attached to it.
The only website I visit using that LL computer is this forum
The only update method I use is Install Updates (part of LL).
LL that is installed was download from the main LL website, and MD5 checked before install.
Nobody uses the computer only me, some sit with me some times.
That computer has no wifi, it is physically unplugged from ethernet since the results.
The results are from chkrootkit, and also from rkhunter (root kit hunter) command line tools as recommended in the security section of the Linux Bible 9th Edition (current edition), followed exactly to the letter.
[member=5916]trinidad[/member] thank you for the info and link.
Can some members run chkrootkit and rkhunter , (they are in Install/Remove Software, aka Synaptic) and reply back so I know if this is a overall security issue, such as the hosting company servers used by Linux Lite have been infected and are distributing it to the community, or it is one directly targeted at me only on LL.
11-11-2017, 03:29 PM
Thanks trinidad. Way above my head.
So how vulnerable are we then?
Btsnpscs - will do
So how vulnerable are we then?
Btsnpscs - will do
11-11-2017, 03:54 PM
chkrootkit - No warning reported.
rkhunter --check
"System checks summary
=====================
File properties checks...
Files checked: 150
Suspect files: 1
Rootkit checks...
Rootkits checked : 365
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 56 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/lwp-request [ Warning ]
/usr/bin/s-nail [ OK ]
/usr/bin/x86_64-linux-gnu-size [ OK ]
/usr/bin/x86_64-linux-gnu-strings [ OK ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
Folder for chkrootkit was blank
rkhunter --check
"System checks summary
=====================
File properties checks...
Files checked: 150
Suspect files: 1
Rootkit checks...
Rootkits checked : 365
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 1 minute and 56 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/lwp-request [ Warning ]
/usr/bin/s-nail [ OK ]
/usr/bin/x86_64-linux-gnu-size [ OK ]
/usr/bin/x86_64-linux-gnu-strings [ OK ]
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
Folder for chkrootkit was blank
11-11-2017, 04:14 PM
If you got the same result with both rootkit checkers it is usually not a false positive however...
https://bugs.launchpad.net/ubuntu/+sourc...ug/1508248
Also have you received a notification from your ISP? Also this particularly involves ssh and other open port usages. To verify what's up on your system, read the documentation, and check for the presence of the malicious files manually. There are many discussions of this on the WWW. If you have the infection best to zero the drive and reinstall, though it can be repaired manually, that is considerably more time consuming and technical. Newer versions of this seem to be leaking out again. The shared memory SHM references in your rkhunter scan are indicative of the newer version of this infection, however the ones you show are for pulse audio so they are most likely a false postive. The operation Windigo entry is a long time bug in chkrootkit.
TC
https://bugs.launchpad.net/ubuntu/+sourc...ug/1508248
Also have you received a notification from your ISP? Also this particularly involves ssh and other open port usages. To verify what's up on your system, read the documentation, and check for the presence of the malicious files manually. There are many discussions of this on the WWW. If you have the infection best to zero the drive and reinstall, though it can be repaired manually, that is considerably more time consuming and technical. Newer versions of this seem to be leaking out again. The shared memory SHM references in your rkhunter scan are indicative of the newer version of this infection, however the ones you show are for pulse audio so they are most likely a false postive. The operation Windigo entry is a long time bug in chkrootkit.
TC
11-11-2017, 04:35 PM
[Highlights from my rkhunter log scan of just now
15:50:21] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[15:50:28] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[15:50:40] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[15:50:40] /bin/fgrep [ OK ]
[15:50:41] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[15:50:44] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.
[15:51:55] Info: Found the 'unhide-tcp' command: /usr/sbin/unhide-tcp
[15:51:58] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:52:01] Checking /dev for suspicious file types [ Warning ]
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01] /dev/shm/pulse-shm-331478974: data
[15:52:01] /dev/shm/pulse-shm-3524711130: data
[15:52:01] /dev/shm/pulse-shm-1543249499: data
[15:52:01] /dev/shm/pulse-shm-1019003171: data
[15:52:01] /dev/shm/pulse-shm-3173629532: data
[15:52:01] /dev/shm/pulse-shm-3776217293: data
[15:52:01] /dev/shm/pulse-shm-1763800836: data
[15:52:01] Checking for hidden files and directories [ Warning ]
[15:52:01] Warning: Hidden directory found: /etc/.java
[15:52:07] System checks summary
[15:52:07] =====================
[15:52:07]
[15:52:07] File properties checks...
[15:52:07] Files checked: 150
[15:52:07] Suspect files: 1
[15:52:07]
[15:52:07] Rootkit checks...
[15:52:07] Rootkits checked : 365
[15:52:07] Possible rootkits: 0
[15:52:07]
[15:52:07] Applications checks...
[15:52:07] All checks skipped
[15:52:07]
[15:52:07] The system checks took: 1 minute and 56 seconds
[15:52:07]
[15:52:07] Info: End date is Sat Nov 11 15:52:07 GMT 2017
No idea what the significance of the above is. help please in laypersons terms .
15:50:21] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[15:50:28] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[15:50:40] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[15:50:40] /bin/fgrep [ OK ]
[15:50:41] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[15:50:44] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.
[15:51:55] Info: Found the 'unhide-tcp' command: /usr/sbin/unhide-tcp
[15:51:58] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:52:01] Checking /dev for suspicious file types [ Warning ]
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01] /dev/shm/pulse-shm-331478974: data
[15:52:01] /dev/shm/pulse-shm-3524711130: data
[15:52:01] /dev/shm/pulse-shm-1543249499: data
[15:52:01] /dev/shm/pulse-shm-1019003171: data
[15:52:01] /dev/shm/pulse-shm-3173629532: data
[15:52:01] /dev/shm/pulse-shm-3776217293: data
[15:52:01] /dev/shm/pulse-shm-1763800836: data
[15:52:01] Checking for hidden files and directories [ Warning ]
[15:52:01] Warning: Hidden directory found: /etc/.java
[15:52:07] System checks summary
[15:52:07] =====================
[15:52:07]
[15:52:07] File properties checks...
[15:52:07] Files checked: 150
[15:52:07] Suspect files: 1
[15:52:07]
[15:52:07] Rootkit checks...
[15:52:07] Rootkits checked : 365
[15:52:07] Possible rootkits: 0
[15:52:07]
[15:52:07] Applications checks...
[15:52:07] All checks skipped
[15:52:07]
[15:52:07] The system checks took: 1 minute and 56 seconds
[15:52:07]
[15:52:07] Info: End date is Sat Nov 11 15:52:07 GMT 2017
No idea what the significance of the above is. help please in laypersons terms .