<Solved>Suspected RAT on Mint Laptop

[whois1230]

Hi, how could I remove a Remote Access Trojan from Linux Mint 18.2 Cinnamon 64 bit? My laptop is Dell Inspiron E6410.

[karlchen]

Hi, how could I remove a Remote Access Trojan from Linux Mint 18.2 Cinnamon 64 bit?

Hm. The exact steps depend on which remote access trojan has been installed on your system.
Any idea which trojan is present on your system?
Any idea how it may have got there?

[jimallyn]

And how do you know you have a trojan on your computer? What malware scanner did you use?

[WharfRat]

If you suspect a RAT it's certainly not from the repo so run

cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin

If the only thing returned is removed '/tmp/listin' then there is no process running that didn't originate from one of the repos.

[whois1230]

If you suspect a RAT it's certainly not from the repo so run

cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin

If the only thing returned is removed '/tmp/listin' then there is no process running that didn't originate from one of the repos.

Code: Select all

user@user ~ $ cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin

Code: Select all

/usr/bin/xflux

This is what was returned.

[dark]

If you suspect a RAT it's certainly not from the repo so run

cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin

If the only thing returned is removed '/tmp/listin' then there is no process running that didn't originate from one of the repos.

Code: Select all

user@user ~ $ cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin

Code: Select all

/usr/bin/xflux

This is what was returned.

xflux changes monitor color temperature adaptively to ease eye strain .

According to arch wiki: https://wiki.archlinux.org/index.php/Backlight#Xflux
Xflux:
Xflux is the f.lux port for the X-Windows system. It fluctuates your screen between blue during the day and yellow or orange at night. This helps you adapt to the time of day and stop staying up late because of your bright computer screen.

[WharfRat]

The xflux program could be a legitimate application, only not originated from a repo.

If you're sure of the legitimacy of that app then it's probably OK.

The one-liner I provided would have identified any other non-repo process running.

[whois1230]

The xflux program could be a legitimate application, only not originated from a repo.

If you're sure of the legitimacy of that app then it's probably OK.

The one-liner I provided would have identified any other non-repo process running.

Could a RAT originate from the BIOS, with Linux Mint as my only operating system? I updated the BIOS to the newest version and then wiped my HDD and installed Mint. My laptop is Dell Latitude E6410.

[WharfRat]

Could a RAT originate from the BIOS, with Linux Mint as my only operating system? I updated the BIOS to the newest version and then wiped my HDD and installed Mint. My laptop is Dell Latitude E6410.

I really doubt it and you still haven't answered jimallyn's question how do you know or suspect that you have a trojan on your computer?

[whois1230]

Could a RAT originate from the BIOS, with Linux Mint as my only operating system? I updated the BIOS to the newest version and then wiped my HDD and installed Mint. My laptop is Dell Latitude E6410.

I really doubt it and you still haven't answered jimallyn's question how do you know or suspect that you have a trojan on your computer?

I suspect I have a Remote Access Trojan installed because sometimes my mouse cursor scrolls a bit downwards. I have disabled my touchpad and my mouse is relatively new. It's a 'Loki' gaming mouse.

[Fred Barclay]

With the info given, I suspect it's much more likely a slight incompatibility between your mouse and the Linux kernel you have installed.

[WharfRat]

What does nmap your_ip_address return

[whois1230]

What does nmap your_ip_address return

user@user ~ $ nmap xxx.xxx.xxx.xxx

Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-03 22:14 CET
Host is up (0.016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
443/tcp open https
6699/tcp open napster

Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds

[kukamuumuka]

I suspect I have a Remote Access Trojan installed because sometimes my mouse cursor scrolls a bit downwards. I have disabled my touchpad and my mouse is relatively new. It's a 'Loki' gaming mouse.

Some mouses "are running" nervously if the surface is smooth and clear.

[WharfRat]

I removed your public IP from the post. I meant for you to enter your LAN address.

In any event there's nothing nefarious there.

Are you using a router

[NChewie]

I suspect I have a Remote Access Trojan installed because sometimes my mouse cursor scrolls a bit downwards. I have disabled my touchpad and my mouse is relatively new. It's a 'Loki' gaming mouse.

I had a similar problem about two months ago with a new install of Linux Mint 18.2 Cinnamon on a brand new desktop (AMD 4000, 8Gb), using a brand new usb wireless keyboard and mouse (Business Series - W1 Multimedia Wireless Keyboard & Mouse).
After fighting with it for a while, I swapped the mouse for a wired model (about 4 years old), which worked perfectly.

I suggest you see if the same thing happens with an older mouse and if not, try installing a later kernel.

[whois1230]

I removed your public IP from the post. I meant for you to enter your LAN address.

In any event there's nothing nefarious there.

Are you using a router

Thanks, yes, I'm using a router.

[Amii_Leigh]

I had something similar happen when I switched from a heavy maxicrap laser mouse to my present Logitech mouse. That is, I have my keyboard and mouse resting on a tilted table that I can adjust the height on. Until I made a cable holder to keep the mouse cable from pulling the mouse down, I kept seeing my mouse move across the screen, just as soon as I'd let go of it. I did make a holder for that cable, and that behaviour has stopped for the most part.
Just saying, sometimes it's the simple things...

[BG405]

If it's one of those laser mice with the red laser ... those are notorious for misbehaving, on a variety of surfaces. I've yet to find (or make) something these will work reliably on without squiggling all over the screen when left unattended. I've also had ball mice (PS/2) where the pointer would start moving across the screen ... not a RAT though.

[whois1230]

I removed your public IP from the post. I meant for you to enter your LAN address.

In any event there's nothing nefarious there.

Are you using a router

So, is there any chance this could be a RAT or is it most like to be a mouse problem?