Recently I left my computer on (by accident) and when I came back I found at least a dozen torrents downloading on qbittorrent. I also see suspicious sites popping up out of nowhere in my IceWeasel (I got it from the parabola repository and downloaded it on arch using pacman -U) when I check about:networking. The websites "r3.o.lencr.org" and "ocsp.digicert.com" appear in my about:networking page all the time and two quick searches have revealed that they're both malware.
Running lynis audit system has revealed several vulnerabilities within my system.
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ ENABLED ]
- Checking Secure Boot [ DISABLED ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ NONE ]
- Check running services (systemctl) [ DONE ]
Result: found 13 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 7 enabled services
- Check startup files (permissions) [ OK ]
egrep: warning: egrep is obsolescent; using grep -E
- Running 'systemd-analyze security'
- NetworkManager.service: [ EXPOSED ]
- alsa-state.service: [ UNSAFE ]
- archlinux-keyring-wkd-sync.service: [ PROTECTED ]
- auditd.service: [ EXPOSED ]
- clamav-daemon.service: [ UNSAFE ]
- dbus.service: [ UNSAFE ]
- dm-event.service: [ UNSAFE ]
- emergency.service: [ UNSAFE ]
- fangfrisch.service: [ UNSAFE ]
- getty@tty1.service: [ UNSAFE ]
- lvm2-lvmpolld.service: [ UNSAFE ]
- polkit.service: [ UNSAFE ]
- rescue.service: [ UNSAFE ]
- sddm.service: [ UNSAFE ]
- shadow.service: [ PROTECTED ]
- systemd-ask-password-console.service: [ UNSAFE ]
- systemd-ask-password-wall.service: [ UNSAFE ]
- systemd-hostnamed.service: [ PROTECTED ]
- systemd-journald.service: [ PROTECTED ]
- systemd-logind.service: [ PROTECTED ]
- systemd-oomd.service: [ PROTECTED ]
- systemd-rfkill.service: [ UNSAFE ]
- systemd-timesyncd.service: [ PROTECTED ]
- systemd-udevd.service: [ MEDIUM ]
- udisks2.service: [ UNSAFE ]
- upower.service: [ PROTECTED ]
- user@1000.service: [ UNSAFE ]
Any suggestions/advice or possible fixes would be appreciated.
Last edited by nearing_migration (2023-05-13 10:14:26)
At least those two domain names are not malware, if you copied them into your post and they are not IDN homograph attacks (which to my knowledge should be impossible to register for .com and .org domains).
lencr.org belongs to letsencrypt: https://letsencrypt.org/docs/lencr.org/
and digicert.com is a well-known certificate authority, the ocsp subdomain is used for OCSP:
https://en.wikipedia.org/wiki/Online_Ce … s_Protocol
https://knowledge.digicert.com/alerts/n … esses.html
Last edited by progandy (2023-05-13 06:45:49)
https://bbs.archlinux.org/viewtopic.php?id=266432 - the "lynis audit" is meaningless BS.
> two quick searches have revealed that they're both malware
Is that so?
ocsp.digicert.com locally resolves to an IP that was registered w/ https://en.wikipedia.org/wiki/Edgecast
r3.o.lencr.org resolves to akamai
Both are CDNs - in doubt you visited some porn websites.
What are those "suspicious sites" that "pop up"?
A malicious website could open various links via javascript and, depending on the MIME handling, torrent links could automatically be opened by the browser in qbittorrent.
Also
> Recently I left my computer on (by accident) and when I came back
So you left the system unprotected and exposed to others (co-workers, your brother, …)?
> Any suggestions/advice or possible fixes would be appreciated.
Reboot the system, don't open porn websites, (make sure you open the browser w/ an empty session) and see whether the suspicious patterns re-emerge.
> https://bbs.archlinux.org/viewtopic.php?id=266432 - the "lynis audit" is meaningless BS.
> Both are CDNs - in doubt you visited some porn websites.
> What are those "suspicious sites" that "pop up"?
> A malicious website could open various links via javascript and, depending on the MIME handling, torrent links could automatically be opened by the browser in qbittorrent.
> Also
> > Recently I left my computer on (by accident) and when I came back
> So you left the system unprotected and exposed to others (co-workers, your brother, …)?
> > Any suggestions/advice or possible fixes would be appreciated.
> Reboot the system, don't open porn websites, (make sure you open the browser w/ an empty session) and see whether the suspicious patterns re-emerge.
I don't open porn sites and I've rebooted and upgraded my system several times since this happened. I keep purging cookies/history/site data and they keep re-emerging. I even removed IceWeasel completely, downloaded Firefox, then I checked about:networking in Firefox and they were there also.
Haven't seen any other suspicious activity, but it's interesting that those two show up on their own even when I don't open anything.
Last edited by nearing_migration (2023-05-13 07:31:33)
As progandy pointed out, the certificate domains aren't suspicious.
What about the "suspicious sites" "popping up" and the torrents?
You've not addressed what those suspicious sites are - and do they and the torrents re-appear?
What about the "I left the system unattended" situation? Did somebody else have access to it?
Also let's be frank, a lot of torrent stuff is of questionable legality and most sources for torrent links are shady.
Do you frequent those? Why is a torrent client running? It's not like warez are less prone than porn to use some popup bombs to spam you with as much affiliate links as possible.
The suspicious sites popping up in my about:networking page are the ones I mentioned. The strange torrents (most of which were infomercials, scam software, and video guides) downloading themselves happened once.
I don't think anyone accessed my computer because when I came back everything was the way I left it (except for the flood of new torrents that I never opened). I use qbittorrent often and I usually leave it running even when I'm not downloading anything. The torrent site I always use is rutracker.
This could all very well be a nothingburger. But what steps can I take to secure my system in case it's not?
Last edited by nearing_migration (2023-05-13 07:52:07)
You cannot secure a compromised system.
You wipe it and rebuild it.
That includes your $HOME - every file you restore has to be vetted.
Did you inspect the browser history whether maybe somebody has opened an actually shady url?
Is the browser set up to open torrent links (in qbittorrent)?
> Did you inspect the browser history whether maybe somebody has opened an actually shady url?
> Is the browser set up to open torrent links (in qbittorrent)?
I didn't inspect the browser history. However, while vetting my files, I found all the .torrent files (the names were all the same) that were opened that day. A video I downloaded included a folder that had the user's other torrents (likely for advertisement or as shareware). While I was downloading the video, qbittorrent may have opened them somehow.
My system may not be compromised, but I'd still like to scan it to that end before dismissing the possibility. What's the best way to do that?
1. Offline (live distro)
2. ClamAV/rkhunter
3. They'll yield a stunning amount of false positives
4. You cannot "scan" for tailor-fit malware
5. It's somewhat too late for intrusion detection systems
6. Check all executables owned by your user, user services/timers and cronjobs (assuming there was no chance to reboot the system and later on log in as your user while you were afk)
If somebody wants to attack *your* system and had physical access to the system, that's effectively game over.
I hibernate the system, reboot into a live distro, store etc/shadow, clean it for the next resume, do whatever I want, reboot, log in as your user, open a rootshell, restore the shadow, fix all timestamps and the journal - iff still necessary and disappear.
The only protection against that is an encrypted drive (and me not knowing the password to that)
Last edited by seth (2023-05-13 08:46:30)
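One way to carry out step 6 of the list above from a live distro, as an added example that is not from the thread: the functions enumerate user-owned executables, user systemd units/timers and the user's cron spool under paths you pass in (so they work against a mounted copy of the disk), and single out files modified after the time the machine was left unattended. Function names, the parameter layout and the inputs in the test are my own assumptions.

```shell
#!/usr/bin/env bash
# Added triage helper (not from the thread): walk the surfaces seth lists,
# user-owned executables, user systemd units/timers and the user's crontab.
# Paths are parameters so it can run from a live system against a mounted
# copy, e.g. triage_home /mnt/home/me 1000 /mnt/var/spool/cron/me '2023-05-12 22:00:00'.
# Caveat from the thread itself: an attacker with physical access can reset
# timestamps, so the "modified since" view narrows the search, it does not clear it.

# Regular files with any execute bit set, owned by UID, under ROOT (same filesystem only).
user_owned_executables() {
    local root="$1" uid="$2"
    find "$root" -xdev -type f -uid "$uid" -perm /111 \
         -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# The same set restricted to files modified after SINCE ("YYYY-MM-DD HH:MM:SS"),
# i.e. the window in which the system sat unattended.
executables_modified_since() {
    local root="$1" uid="$2" since="$3"
    find "$root" -xdev -type f -uid "$uid" -perm /111 -newermt "$since" 2>/dev/null | sort
}

# User-level systemd services and timers below HOME, with the lines that decide
# what runs, when it runs, and whether it is pulled in at login.
user_systemd_units() {
    local home="$1" f
    for f in "$home"/.config/systemd/user/*.service "$home"/.config/systemd/user/*.timer; do
        [ -f "$f" ] || continue
        printf '%s\n' "$f"
        grep -E '^(ExecStart|ExecStartPre|OnCalendar|OnBootSec|OnUnitActiveSec|WantedBy)=' "$f" \
            | sed 's/^/    /'
    done
}

# Active (non-comment, non-empty) lines of a cron spool file such as /var/spool/cron/<user>.
user_cron_entries() {
    local spool="$1"
    [ -f "$spool" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$spool" || true
}

# Full report for one user: triage_home <home> <uid> <cron_spool> <since>
triage_home() {
    echo "== executables owned by uid $2 under $1"; user_owned_executables "$1" "$2"
    echo "== of those, modified since $4";          executables_modified_since "$1" "$2" "$4"
    echo "== user systemd services/timers";          user_systemd_units "$1"
    echo "== crontab entries";                       user_cron_entries "$3"
}
```

Anything the report lists that you did not install yourself is what needs vetting before it is restored to the rebuilt system.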
> 1. Offline (live distro)
> 2. ClamAV/rkhunter
> 3. They'll yield a stunning amount of false positives
> 4. You cannot "scan" for tailor-fit malware
> 5. It's somewhat too late for intrusion detection systems
> 6. Check all executables owned by your user, user services/timers and cronjobs (assuming there was no chance to reboot the system and later on log in as your user while you were afk)
> If somebody wants to attack *your* system and had physical access to the system, that's effectively game over.
> I save the session, reboot into a root shell, store etc/shadow, clean it for the next reboot, do whatever I want, reboot, log in as your user, open a rootshell, restore the shadow, fix all timestamps and the journal and disappear.
> The only protection against that is an encrypted drive (and me not knowing the password to that)
Well thanks for dispelling the myths. I'll probably wipe and build my system from scratch when it's convenient. For the time being I don't see any clear danger here.
Does anyone have some final advice before I mark the thread as solved?
Somebody who runs an individual attack is not gonna be caught by silly torrent downloads.
If that's indeed the only symptom, you downloaded a shady magnet link or so and that's all.
> A video I downloaded included a folder that had the user's other torrents (likely for advertisement or as shareware). While I was downloading the video, qbittorrent may have opened them somehow.
Make sure you do not have "Automatically add torrents from" set to download to the same location from which it automatically opens torrent files.