Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello, my laptop is misbehaving and I suspect that I am dealing with a Remote Access Trojan. For example I am browsing in Google Chrome and the browser closes itself without me clicking anything. A symbol appears, which shows my touchpad is disabled, without me clicking anything. I was deleting some files on my USB flash drive and all of a sudden my mouse cursor slows down and starts moving randomly. I have Ubuntu 18.04 Desktop. I installed ClamAV, updated to the latest version and scanned and it found nothing. I changed my router's password, as well as the Wi-Fi network's password. I am using KeePassX as a password manager, where I store all of my passwords. I would appreciate some help with this issue, as I have no experience in removing malware from Linux.
So what makes you think you've got some 'trojan' program, as opposed to (what sounds like) a flaky touchpad?
Beyond that, you claim to have little knowledge of systems and Linux...yet have a system booting FOUR operating systems, one of which being Kali, from just a month ago? https://www.linuxquestions.org/quest...ut-4175690541/
We'll be happy to try to help you, but based on what you posted what do you think we can tell you? You provide no logs, messages, and tell us anti-virus came back clean. ClamAV is probably the 'standard' solution...and if you want to scan for rootkits, rkhunter is available in your software repository, and has ample documentation.
suspected C2?
this happens only when connected to internet? does the random weird stuff stop when you down the iface that uses internet?
does tcpdump show odd traffic?
why do you say 'trojan'? did you install something shady/questionable? how would a trojan get onto your system?
It happened when I was connected to the internet and shortly after I disconnected, the cursor was still moving randomly. I use an external mouse and keyboard, so I find this behaviour strange. I'm not using the laptop's own keyboard and touchpad. I had only installed Proton VPN recently. I believe it's reputable.
Code:
user@Lenovo-ideapad-110-17IKB:~$ sudo tcpdump -i any -c5 -nn
[sudo] password for user:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
20:27:46.287518 IP6 fe80::7254:25ff:fe74:740e > ff02::1: ICMP6, router advertisement, length 104
20:27:46.299575 IP6 fe80::dc21:c6db:9ebc:a59c > ff02::16: HBH ICMP6, multicast listener report v2, 5 group record(s), length 108
20:27:46.403876 ARP, Request who-has 192.168.0.1 tell 192.168.0.5, length 28
20:27:46.407571 ARP, Reply 192.168.0.1 is-at 70:54:25:74:74:0e, length 28
20:27:46.486757 IP6 fe80::7254:25ff:fe74:740e > 2a02:908:1a5:e9a0::da55: ICMP6, neighbor solicitation, who has 2a02:908:1a5:e9a0::da55, length 32
5 packets captured
6 packets received by filter
0 packets dropped by kernel
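The five packets above are all ordinary LAN housekeeping: an IPv6 router advertisement and neighbor solicitation from the router (fe80::7254:25ff:fe74:740e, the same box as 70:54:25:74:74:0e in the ARP reply), an MLDv2 listener report from the laptop, and an ARP exchange with the gateway. A five-packet capture also says very little on its own; a remote-access tool that checks in every few minutes would simply not be in the window. The script below is an added example, not part of the thread, of how a practitioner would read a longer `tcpdump -i any -nn` capture: it drops the housekeeping, keeps unicast flows, and flags anything whose destination is off the LAN. The first five sample lines are the poster's capture; the last two are constructed for this example (203.0.113.10 is a TEST-NET-3 address standing in for an arbitrary Internet host). Treating RFC 1918, link-local, loopback and ULA ranges as "the LAN" is an assumption of this heuristic, and `classify`, `triage` and `split_endpoint` are names chosen here.

```python
"""Triage `tcpdump -nn` output: separate LAN housekeeping from flows worth a look."""
import ipaddress
import re
import sys
from collections import Counter

# First five lines: the capture posted in the thread. Last two: constructed for
# this example to show a DNS lookup and an outbound TCP SYN in the same format.
SAMPLE = """\
20:27:46.287518 IP6 fe80::7254:25ff:fe74:740e > ff02::1: ICMP6, router advertisement, length 104
20:27:46.299575 IP6 fe80::dc21:c6db:9ebc:a59c > ff02::16: HBH ICMP6, multicast listener report v2, 5 group record(s), length 108
20:27:46.403876 ARP, Request who-has 192.168.0.1 tell 192.168.0.5, length 28
20:27:46.407571 ARP, Reply 192.168.0.1 is-at 70:54:25:74:74:0e, length 28
20:27:46.486757 IP6 fe80::7254:25ff:fe74:740e > 2a02:908:1a5:e9a0::da55: ICMP6, neighbor solicitation, who has 2a02:908:1a5:e9a0::da55, length 32
20:27:47.102233 IP 192.168.0.5.41022 > 192.168.0.1.53: 51234+ A? example.invalid. (33)
20:27:47.205511 IP 192.168.0.5.52314 > 203.0.113.10.443: Flags [S], seq 1887654321, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
""".splitlines()

LINE_RE = re.compile(r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?|ARP)(?P<rest>.*)$')
ENDPOINT_RE = re.compile(r'^\s*(?P<src>\S+) > (?P<dst>\S+?): ')

# Link-layer and IPv6 neighbour-discovery chatter that every LAN produces.
HOUSEKEEPING = ('router advertisement', 'router solicitation', 'neighbor solicitation',
                'neighbor advertisement', 'multicast listener report')

# Assumption: "on the LAN" means RFC 1918, link-local, loopback or ULA space.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16',
    '127.0.0.0/8', 'fe80::/10', 'fc00::/7', '::1/128')]


def split_endpoint(ep):
    """Split tcpdump's host.port notation into (host, port-or-None)."""
    if ':' in ep:                          # IPv6; a trailing .port may follow
        if '.' in ep:
            host, port = ep.rsplit('.', 1)
            return host, int(port)
        return ep, None
    parts = ep.split('.')
    if len(parts) == 5:                    # IPv4 with port
        return '.'.join(parts[:4]), int(parts[4])
    return ep, None


def classify(line):
    """Return a record whose category is housekeeping, lan, external or unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, rest = m.group('proto'), m.group('rest')
    rec = {'ts': m.group('ts'), 'src': None, 'dst': None, 'port': None,
           'detail': rest.strip(' ,')}
    if proto == 'ARP' or any(k in rest for k in HOUSEKEEPING):
        rec['category'] = 'housekeeping'
        return rec
    e = ENDPOINT_RE.match(rest)
    if not e:
        rec['category'] = 'unparsed'
        return rec
    rec['src'], _ = split_endpoint(e.group('src'))
    rec['dst'], rec['port'] = split_endpoint(e.group('dst'))
    rec['detail'] = rest[e.end():]
    try:
        dst = ipaddress.ip_address(rec['dst'])
    except ValueError:
        rec['category'] = 'unparsed'
        return rec
    if dst.is_multicast:
        rec['category'] = 'housekeeping'
    elif any(dst in n for n in LAN_NETS):
        rec['category'] = 'lan'
    else:
        rec['category'] = 'external'
    return rec


def triage(lines):
    """Count packets per category and return the off-LAN flows to inspect."""
    recs = [r for r in map(classify, lines) if r]
    counts = Counter(r['category'] for r in recs)
    external = [r for r in recs if r['category'] == 'external']
    return counts, external


def main(stream=None):
    lines = stream.read().splitlines() if stream else SAMPLE
    counts, external = triage(lines)
    for cat, n in sorted(counts.items()):
        print(f'{cat:13s} {n}')
    for r in external:
        print(f"LOOK: {r['ts']} {r['src']} -> {r['dst']}:{r['port']} {r['detail']}")


if __name__ == '__main__':
    main(None if sys.stdin.isatty() else sys.stdin)
```

Run it on a real capture with `sudo tcpdump -i any -nn -c 500 | python3 triage.py`, ideally while the cursor is misbehaving, and for every flagged destination find the owning process with `sudo ss -tunap`. An unknown process holding a connection to an unfamiliar host is the kind of evidence the thread keeps asking for; a capture that is all housekeeping and browser traffic is not.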
Again: the only 'symptom' points to a flaky touchpad. Whether you're using it or not doesn't mean it's not ACTIVE and doing something....if you pressed a key on your laptop keyboard, letters will come up on the screen right?? Same with the touchpad.
Sorry, nothing you're describing or providing will let anyone offer anything. You still haven't addressed the messages for rkhunter. The only thing that I'd disable is the zeitgeist system in Ubuntu, but even that won't do what you're claiming.
Please go back and read/think about what you posted. You're trying to edit a file...the editor is telling you there's already a .swp file. Typically meaning the editor was closed badly last time. And you also don't show us what you're typing in to get that error. Instead of posting screen-shots, copy and paste the text.
And AGAIN, as myself and linux_kidd asked...what makes you think it's a trojan, rather than a flaky touchpad, which seems much more likely??
and I pressed "/" like in the guide above. Then I searched for UPDATE_MIRRORS and the value is set to 1, as the guide said it should be. After that I searched for MIRRORS_MODE in order to set the value to 0 and I got this:
Code:
-- INSERT -- W10: Warning: Changing a readonly file
E325: ATTENTION
Found a swap file by the name "/etc/.rkhunter.conf.swp"
owned by: root dated: Mon Mar 8 12:53:50 2021
file name: /etc/rkhunter.conf
modified: YES
user name: root host name: Lenovo-ideapad-110-17IKB
process ID: 30094
While opening file "/etc/rkhunter.conf"
dated: Mon Mar 8 12:48:04 2021
(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r /etc/rkhunter.conf"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file "/etc/.rkhunter.conf.swp"
to avoid this message.
E325: ATTENTION
Found a swap file by the name "/var/tmp/rkhunter.conf.swp"
-- More --
AGAIN: this is because you either closed the file incorrectly the first time, or don't have permissions to edit it. Did you read/understand the message??? There is ABSOLUTELY NOTHING nefarious with what you posted, at all. Unless you edit the file with root/sudo rights, you can't....unless you save the file correctly, the .swp file for vim will be there...and it even TELLS YOU how to fix that message...did you read/understand those lines??
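The two facts in the notice are what decide the next step: "W10: Warning: Changing a readonly file" means the editor was not running as root, so nothing could have been saved, and "process ID: 30094" names the vim that created the swap file. If that PID is still running, another editor has the file open; if it is gone, the swap file is left over from a session that crashed or was killed and can be removed (after `vim -r /etc/rkhunter.conf` if there is anything to recover). The script below is an added example, not from the thread, that sidesteps the interactive edit entirely: it sets the two options the poster was changing and classifies an E325 notice. It has to be run with sudo because /etc/rkhunter.conf is root-owned; `set_option`, `write_atomically` and `swap_status` are names chosen here, and the config excerpt is constructed, not the real file.

```python
"""Set rkhunter.conf options without an interactive editor, and decide whether
a vim E325 swap-file notice points at a live editor or a stale swap file."""
import os
import re
import sys
import tempfile

# Constructed excerpt in the KEY=value style of /etc/rkhunter.conf; only the
# two options discussed in the thread, with the values the poster found.
SAMPLE_CONF = """\
# rkhunter configuration (constructed excerpt for this example)
UPDATE_MIRRORS=1
MIRRORS_MODE=1
"""

# The E325 notice pasted in the thread, abbreviated to the lines that matter.
SAMPLE_E325 = """\
E325: ATTENTION
Found a swap file by the name "/etc/.rkhunter.conf.swp"
          owned by: root   dated: Mon Mar  8 12:53:50 2021
         file name: /etc/rkhunter.conf
          modified: YES
        process ID: 30094
"""


def get_option(text, key):
    """Value of the last uncommented KEY=value line, or None if unset."""
    hits = re.findall(rf'^\s*{re.escape(key)}\s*=\s*(.*?)\s*$', text, re.M)
    return hits[-1] if hits else None


def set_option(text, key, value):
    """Rewrite KEY=value in place (first active line kept, duplicates dropped)
    or append it when absent. Commented-out '#KEY=' examples are left alone."""
    active = re.compile(rf'^\s*{re.escape(key)}\s*=')
    out, done = [], False
    for line in text.splitlines():
        if active.match(line):
            if not done:
                out.append(f'{key}={value}')
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f'{key}={value}')
    return '\n'.join(out) + '\n'


def write_atomically(path, text):
    """Write to a temp file beside the target and rename over it, keeping the
    target's mode, so an interrupted write never leaves a truncated config."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or '.',
                               prefix='.rkhunter.conf.tmp')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(text)
        if os.path.exists(path):
            os.chmod(tmp, os.stat(path).st_mode & 0o7777)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


E325_RE = re.compile(r'Found a swap file by the name "(?P<swap>[^"]+)"'
                     r'.*?process ID: (?P<pid>\d+)', re.S)


def parse_e325(notice):
    """(swap path, editor PID) from a vim E325 notice, or None."""
    m = E325_RE.search(notice)
    return (m.group('swap'), int(m.group('pid'))) if m else None


def pid_alive(pid):
    """True if a process with this PID exists, even one we may not signal."""
    try:
        os.kill(pid, 0)        # signal 0: existence check only
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def swap_status(notice):
    """'live' if the editor named in the notice still runs (another vim has the
    file open), 'stale' if it is gone (crashed or killed session), else None."""
    parsed = parse_e325(notice)
    if not parsed:
        return None
    _swap, pid = parsed
    return 'live' if pid_alive(pid) else 'stale'


if __name__ == '__main__':
    conf = sys.argv[1] if len(sys.argv) > 1 else '/etc/rkhunter.conf'
    with open(conf) as f:
        text = f.read()
    text = set_option(text, 'UPDATE_MIRRORS', '1')
    text = set_option(text, 'MIRRORS_MODE', '0')
    write_atomically(conf, text)
    print(f"{conf}: UPDATE_MIRRORS={get_option(text, 'UPDATE_MIRRORS')} "
          f"MIRRORS_MODE={get_option(text, 'MIRRORS_MODE')}")
```

Run it as `sudo python3 set_rkhunter_opts.py`, then validate with `sudo rkhunter -C` (config check) before `sudo rkhunter --update` and `sudo rkhunter --check`. Only delete `/etc/.rkhunter.conf.swp` once `swap_status` reports it stale; a 'live' result means a root vim is still sitting on the file, which is the "another program may be editing the same file" case the notice itself describes.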
Probably have a stuck key either on laptop or your ext stuff. Is the ext stuff wireless or wired?
Boot it with a Slax liveCD, does the random crap still happen (w/ and w/o your ext stuff)? <-- there you will have your answer as to where to look next.