Seem to have malware on my sister's Kubuntu

Discussion in 'all things UNIX' started by boredog, Jul 18, 2016.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    A few years ago I installed Kubuntu on my sister's computer since XP took a dump. Today she came knocking on my door with an issue. When I looked at it, the first thing I noticed was a popup saying her computer was infected, something about a script. It had 15.04 but along the way was updated to 16.04.
    I really know nothing about Kubuntu but am redownloading 16.04 now. I install it from a USB stick to the hard drive. My question is: should I reformat and reload Kubuntu, or is there a good free AV I could use to clean it?

    Thanks
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    Update:

    Tried to do new security updates and it just hung. Did a hard shutdown; now neither the mouse nor the keyboard works.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,957
    Location:
    Brasil
    Most AVs primarily detect Windows viruses, and the ones that do detect Linux viruses at a good rate are always paid. So yeah, the easiest and cheapest way is to "reload".

    However, you could first try one thing: open a Terminal and type "sudo dolphin". This will open the file manager as root.
    Now, go to her /home folder, press the combination "Alt + ." (this will reveal hidden files/folders) and post a screenshot of that here, if possible (if it doesn't interfere with her privacy).
    Usually the user doesn't have access to anything besides his/her home folder, so it's unlikely that any infection would cause damage to the system itself, and so deleting everything but keeping a few folders should do the trick.

    Deleting every hidden folder/file SHOULD do no harm. She will obviously lose her Firefox/Chrome/Chromium profiles and pretty much every configuration she made, but you can keep the things you're sure aren't part of the problem.
     
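An added example of the triage described in the post above (not a command from the thread): the same view of the hidden files in her home, from a terminal or a LiveCD, narrowed to what changed recently, plus the desktop autostart entries that would run at her next login. The function names and the 30-day default window are assumptions; run it as her user, or point it at the mounted home directory when booted from the USB stick.

```shell
#!/bin/sh
# Added example, not a command posted in the thread.
# Triage a home directory before deleting its hidden files: list the
# dotfiles/dotdirs that changed recently and show what each desktop
# autostart entry would execute. Function names and the 30-day default
# window are assumptions for this example.

# Hidden entries directly under $1 modified in the last $2 days (default 30),
# newest first. GNU find (as shipped on Kubuntu) is assumed for -printf.
recent_hidden() {
    home=$1
    days=${2:-30}
    # -maxdepth 1 : only the top level, the same view Alt+. gives in Dolphin
    # -name '.*'  : hidden files and folders
    # -mtime -N   : modified less than N*24 hours ago
    find "$home" -mindepth 1 -maxdepth 1 -name '.*' -mtime "-$days" \
        -printf '%TY-%Tm-%Td %TH:%TM  %p\n' | sort -r
}

# The Exec= line of every .desktop file in the XDG autostart folder under $1.
# Anything that wants to come back after a reboot without root access
# usually lands here (or in a shell rc file, which recent_hidden also lists).
autostart_execs() {
    home=$1
    for entry in "$home"/.config/autostart/*.desktop; do
        [ -f "$entry" ] || continue
        exec_line=$(grep -m 1 '^Exec=' "$entry" || true)
        printf '%s: %s\n' "$entry" "${exec_line:-(no Exec line)}"
    done
}

# Usage: sh triage.sh /home/sister [days]
# (or /mnt/home/sister after mounting the disk from the LiveCD)
if [ -n "$1" ] && [ -d "$1" ]; then
    recent_hidden "$1" "${2:-30}"
    autostart_execs "$1"
fi
```

Read the list before deleting anything: a browser profile folder (~/.mozilla, ~/.config/chromium) that changed today is expected, while a fresh entry under ~/.config/autostart or a just-modified ~/.bashrc is what deserves a look.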
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    Well, in all the years I have used Windows and did security, I am pretty sure this is a Facebook malware just for Linux.
    Going to redo...

    Sorry, can't do as you say because I cannot use the mouse or keyboard.
    The popup before it all failed was "your banking info might be compromised", and everything hung.
    I am guessing I messed things up when I tried to do the latest security updates; that hung, so I did a hard reboot and lost the mouse and keyboard.
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,957
    Location:
    Brasil
    Ummm, interesting. I guess we'll just have to wait and see if such malware actually is out there, because if there's one thing the media loves doing, it's making a Linux malware go viral, literally :D

    No mouse and keyboard after a hard reset that was done while updating? Sounds like corrupt files. You could install the older versions of the files, or just boot the LiveCD and remove the hidden files/folders to see if that helps with the configuration, but I guess the easiest thing is just to re-install.

    IMO this is just a browser-hijacker, not a virus or ransomware. Your lack of mouse/keyboard could be due to the hard reset while updating.
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    When I made the USB stick I had the options to boot and run Kubuntu from USB or install it to the hard drive. I chose to install because my 67-year-old sister never really got the hang of Windows, let alone Linux. Since I installed her Kubuntu I have reused the USB for many other things. And so right now I still have the old version 15.04, but had issues with no sound till I updated along the way. Now I am going to try the latest release of 16.04 in the morning. After all, I mowed her whole yard today and don't feel like dealing with it today lol

    I think you are right about the browser hijack from Facebook. In any event the update failed, so going to redo. She really only goes to Hotmail and Facebook.
    And so there is something out there that is messing with Firefox on Kubuntu, and for the old-timer using Facebook with Firefox it is all downhill from there.
     
  7. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Check her browser extensions; it's probably one of them causing this. Remove it, reset the browser and cache. Unless she has sudo rights, installing malware is virtually impossible in Linux.
     
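An added example for the extension check suggested above (example code, not the poster's): an inventory of a Chromium profile's extensions read straight from disk, so a hijacking extension can be spotted and its folder removed even when the browser will not start or keeps reopening the scare page. The Kubuntu Chromium profile path is the default and the function names are assumptions; Chrome uses ~/.config/google-chrome/Default, and Firefox keeps its list in ~/.mozilla/firefox/<profile>/extensions.json instead.

```shell
#!/bin/sh
# Added example, not from the thread: inventory a Chromium profile's
# extensions from disk. Assumed profile path: ~/.config/chromium/Default.

# Print "<id> <version> <name>" for every extension under the profile in $1.
list_chromium_extensions() {
    profile=${1:-$HOME/.config/chromium/Default}
    for manifest in "$profile"/Extensions/*/*/manifest.json; do
        [ -f "$manifest" ] || continue
        # Layout: Extensions/<32-letter id>/<version>/manifest.json
        version=$(basename "$(dirname "$manifest")")
        id=$(basename "$(dirname "$(dirname "$manifest")")")
        # First "name" value in the manifest. A value like __MSG_appName__ is a
        # localisation key; the real text is in _locales/*/messages.json.
        name=$(sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest" | head -n 1)
        printf '%s %s %s\n' "$id" "$version" "${name:-(unnamed)}"
    done
}

# Manifests that request access to every site: these are the extensions able
# to inject an overlay into any page, Facebook included.
broad_host_extensions() {
    profile=${1:-$HOME/.config/chromium/Default}
    grep -lE '"(<all_urls>|\*://\*/\*|https?://\*/\*)"' \
        "$profile"/Extensions/*/*/manifest.json 2>/dev/null
}

# Usage: sh extensions.sh ~/.config/chromium/Default
if [ -n "$1" ]; then
    list_chromium_extensions "$1"
    echo "--- manifests requesting access to all sites:"
    broad_host_extensions "$1"
fi
```

An ad blocker legitimately asks for all-site access too, so the second list is a shortlist to read, not a verdict; an entry there whose name nobody installed on purpose is the one to delete (remove its folder with the browser closed, then start Chromium and confirm it is gone from chrome://extensions).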
  8. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    149
    The malware could maybe be because Wine is installed along with some Windows programs like the IE browser.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    "Check her browser extensions, its probably one of them causing this, remove it, reset browser and cache. Unless she has sudo right, installing malware is virtually impossible in Linux."

    If I had done that at first I would have been OK, but I clicked to install updates, the updates hung, and so I did a hard reset. After that I lost the mouse and keyboard. Early this morning I reinstalled 15.04 from scratch and she is back in business ;)
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    Update:
    Sister was informed to use Chromium. Yesterday she got hit with the fake encryption page that locked up her computer. She used Firefox, so I deleted it and told her to use Chromium; she instead used Vivaldi and got the fake alert again. So hopefully she will now only use Chromium. She was on Facebook every time.
    And so even the new Vivaldi is not immune to the web page hacks.

    Funny thing is, this time it was a fake Windows warning and she is using Kubuntu.
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,437
    Install adblock plus in your browser.

    Keeps scumware off when surfing the web.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    "Install adblock plus in your browser."

    I think that is what I had as an add-on for FF.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Even more effective than Adblock Plus: install uBlockO and set it to enhanced easy mode.
     
  14. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    836
    Location:
    Québec, Canada
    Thanks for the tip!
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    "Even more effective than adblock plus, install ublockO and set to enhanced easy mode. "

    Would I need this with Chromium?
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Need or nice to have... either way it wouldn't hurt.

    You're welcome.
     
  17. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,957
    Location:
    Brasil
    She got hit again? I'd (confidently) say she's not being cautious enough or just is terrible at web browsing :argh:
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591

    Time to install a sandbox (firejail??) or move workspace to a VM. Firejail would be perfect because the session activity always goes away when she is finished. Would that work for her?
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    "She got hit again? I'd (confidently) say she's not being cautious enough or just is terrible at web browsing :argh:"

    Yup, she was gone visiting her kids for a week and when she came back she, for some reason (old-timer's disease), forgot not to use FF. So I deleted it and left her with Chromium. Then she got hit again. I had to force a shutdown to get control back. She only goes to Facebook and has been informed NOT to click on any other links. The point I was trying to make is she was using Chromium when last hit. The other times it was the fake encryption page; this time it was the fake Windows lock page, which is strange since she is using Linux. ;)

    BTW she just turned 67.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    @boredog,

    Any chance you can PM a link?
     
  21. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,957
    Location:
    Brasil
    Not always, though. The user must specify the "--private" switch. If he/she just runs "firejail firefox" then the changes are not deleted. However, the browser has access only to its own folder and the "~/Downloads" folder, so damage is minimal (not to mention that all the caps are disabled).

    I think she could use "firejail --private=/home/Documents/Others/Firefox". This folder would be created and all changes remain in it.

    But to be completely honest, I think the solution is far more complicated than a sandbox, because if she keeps getting hit with ransomware then there's something very wrong, either in her browsing habits or the network/HD/MBR, whatever.
    I would definitely consider that the modem/router could have been compromised and is redirecting the traffic to malware domains.
     
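An added example of the persistent --private setup described in the post above (example code, not the poster's command): a small wrapper script that launches Firefox under firejail with a dedicated directory as its home, so bookmarks, add-ons and downloads survive between sessions while the real home stays out of the browser's reach. The script name firefox-jailed and the directory under ~/.local/share are assumptions.

```shell
#!/bin/sh
# Added example, not a command from the thread: launch Firefox in a firejail
# sandbox whose home is a dedicated directory. Assumed: this file is
# installed as "firefox-jailed" and the private home lives under
# ~/.local/share (override with FIREJAIL_FIREFOX_HOME).

PRIVATE_HOME=${FIREJAIL_FIREFOX_HOME:-$HOME/.local/share/firejail-firefox}

# Assemble the firejail command line for the private home in $1 and either
# print it one argument per line ("show") or replace this shell with it ("run").
launch_jailed() {
    private_home=$1
    mode=${2:-run}
    set -- firejail \
        "--private=$private_home" \
        --private-dev \
        --noroot \
        --caps.drop=all \
        --seccomp \
        firefox
    # --private=DIR   : DIR is mounted as the sandbox's home; the real ~ is invisible
    # --private-dev   : minimal /dev (no raw disks, no other sessions' devices)
    # --noroot        : no root user inside the sandbox, even via setuid helpers
    # --caps.drop=all : no Linux capabilities at all
    # --seccomp       : firejail's default syscall filter
    if [ "$mode" = show ]; then
        printf '%s\n' "$@"
    else
        exec "$@"
    fi
}

main() {
    # Create the private home with owner-only permissions on first use.
    mkdir -p "$PRIVATE_HOME"
    chmod 700 "$PRIVATE_HOME"
    launch_jailed "$PRIVATE_HOME" run
}

# Only launch when invoked as the wrapper itself, not when sourced or tested.
case "${0##*/}" in
    firefox-jailed) main ;;
esac
```

firejail already applies its shipped firefox profile when it recognises the program name, so the explicit flags mostly restate what that profile does; the part that matters here is --private=DIR, which keeps the profile between sessions instead of discarding it. Two caveats: downloads land in DIR/Downloads rather than ~/Downloads, and DIR is exactly what a page inside the sandbox can write to, so nothing precious belongs there.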
  22. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,510
    Location:
    USA - Back in a real State in time for a real Pres
    I think it's one specific site. Free online gaming or free something.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    And here I respectfully disagree and feel it's likely a very easy solution, with or similar to the uBlockO suggestion in my post #13. Of course I can't be sure, which is why I was hoping for a link to test.

    Let's not forget the sandboxing of Chromium in Linux is a robust one in itself. Firejail will, of course, provide another sandbox layer, although more of a "nice to have" one, rather than out of necessity.

    That could very well be it.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,164
    "I would definitely consider that the modem/router could have been compromised and is redirecting the traffic to malware domains."

    I can look at the traffic in my router and see if I notice anything not right. My router only shows the current day, though, and cannot go back. Might have to install another firewall. For the past 4 years I've been using only the Windows FW. Does Kubuntu have a form of firewall logging?

    It seems the last few days, when forcing her to use Chromium, she has been OK, but it would be nice to view some FW logs for whichever day she gets hit.
     
    Last edited: Sep 10, 2016
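An added example for the firewall-logging question in the post above (not from the thread): Kubuntu ships ufw as the front end to the kernel's netfilter firewall, and once logging is on, each logged packet becomes one line in /var/log/ufw.log (and kern.log). The script summarises those lines per day; the function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Turn ufw logging on with:
#   sudo ufw enable
#   sudo ufw logging medium   # low = blocked packets only; medium also logs new connections
# The lines in sample_log are constructed for this example, not real captures.

# Summarise ufw log lines on stdin: one row per (action, SRC -> DST:DPT/PROTO)
# with a count, most frequent first.
ufw_summary() {
    awk '
        /\[UFW / {
            action = ""; src = ""; dst = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[UFW$/)      action = $(i + 1)   # "BLOCK]", "ALLOW]", ...
                else if ($i ~ /^SRC=/)   src = substr($i, 5)
                else if ($i ~ /^DST=/)   dst = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            sub(/\]$/, "", action)
            count[action " " src " -> " dst ":" dpt "/" proto]++
        }
        END { for (k in count) printf "%6d  %s\n", count[k], k }
    ' | sort -rn
}

# The same summary restricted to one day (e.g. "Sep 10") of the log file in $2.
ufw_day() {
    grep "^$1 " "$2" | ufw_summary
}

# Constructed sample: three SSH probes from one outside host, one blocked
# mDNS packet from a LAN neighbour, and one outbound HTTPS connection from
# the laptop (192.168.1.20) that the firewall allowed.
sample_log() {
    cat <<'EOF'
Sep 10 21:14:02 kubuntu kernel: [ 1234.567890] [UFW BLOCK] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 21:14:03 kubuntu kernel: [ 1235.567890] [UFW BLOCK] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 21:14:05 kubuntu kernel: [ 1237.567890] [UFW BLOCK] IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 10 21:15:10 kubuntu kernel: [ 1302.111111] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=192.168.1.9 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Sep 10 21:16:00 kubuntu kernel: [ 1352.222222] [UFW ALLOW] IN= OUT=wlan0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Usage against the real log: sh ufwsum.sh "Sep 10" /var/log/ufw.log
# With no arguments, summarise the constructed sample instead.
if [ -n "$1" ]; then
    ufw_day "$1" "${2:-/var/log/ufw.log}"
else
    sample_log | ufw_summary
fi
```

Two things to keep in mind before relying on this for "the day she gets hit". At level low ufw logs only what it blocks, and with the default allow-outgoing policy that says almost nothing about her browsing; medium adds new outbound connections, rate-limited. Even then the log carries addresses and ports, not URLs: the record of which page she was on is Firefox's places.sqlite under ~/.mozilla/firefox/<profile>/ or Chromium's History database under ~/.config/chromium/Default/, and the router's DNS or client log, if it keeps one, is the next best thing.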
  25. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,957
    Location:
    Brasil
    I too respectfully disagree :) because she'd be limiting the damage with Firejail but would not be preventing it completely. Either the router, the HD, the DVD/CD install, her browsing habits... something is wrong, and using a sandbox in this case is like trying to stop the sun with a strainer :)
     
    Last edited: Sep 10, 2016