<Solved>Suspected RAT on Mint Laptop
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
<Solved>Suspected RAT on Mint Laptop
Hi, how could I remove a Remote Access Trojan from Linux Mint 18.2 Cinnamon 64 bit? My laptop is Dell Inspiron E6410.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: RAT on Mint Laptop
whois1230 wrote: Hi, how could I remove a Remote Access Trojan from Linux Mint 18.2 Cinnamon 64 bit?

Hm. The exact steps depend on which remote access trojan has been installed on your system.
Any idea which trojan is present on your system?
Any idea how it may have got there?
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
Re: RAT on Mint Laptop
And how do you know you have a trojan on your computer? What malware scanner did you use?
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
Re: RAT on Mint Laptop
If you suspect a RAT it's certainly not from the repo so run
cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
If the only thing returned is removed '/tmp/listin' then there is no process running that didn't originate from one of the repos.
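A more careful version of the check above, written as a function (an added example, not code from the thread): it also flags executables that were deleted after launch and accounts for merged-/usr paths. The function name `unowned_exes` and its two optional arguments (proc directory, dpkg info directory) are assumptions introduced so it can be pointed at test data.

```sh
#!/bin/sh
# Added example, not from the thread. unowned_exes and its two optional
# arguments are assumed names; the defaults point at the live system.
# Prints "PID<TAB>PATH<TAB>REASON" for each running executable that no
# installed package lists.
unowned_exes() {
    _proc=${1:-/proc}
    _info=${2:-/var/lib/dpkg/info}
    _owned=$(mktemp) || return 1
    # Every path shipped by an installed package, one per line.
    cat "$_info"/*.list 2>/dev/null | sort -u > "$_owned"
    for _dir in "$_proc"/[0-9]*/; do
        _pid=${_dir%/}
        _pid=${_pid##*/}
        # Kernel threads have no exe target; other users' processes are
        # unreadable without root. Both are skipped.
        _exe=$(readlink "${_dir}exe" 2>/dev/null) || continue
        case $_exe in
            *' (deleted)')
                # File unlinked after launch: normal after an upgrade, but
                # it also means there is no file left on disk to inspect.
                printf '%s\t%s\tdeleted\n' "$_pid" "${_exe% (deleted)}"
                continue ;;
        esac
        # On merged-/usr systems the process runs /usr/bin/x while the
        # package list may say /bin/x, so try both spellings.
        if grep -qxF -e "$_exe" "$_owned" ||
           grep -qxF -e "${_exe#/usr}" "$_owned"; then
            continue
        fi
        printf '%s\t%s\tunowned\n' "$_pid" "$_exe"
    done
    rm -f "$_owned"
}

# Scan the live system; run with sudo to cover every user's processes.
unowned_exes "$@"
```

A process running a script shows up as its interpreter (for example a packaged shell or Python binary), so a clean result only covers the binaries themselves. Files that a package owns but that were modified on disk are also outside what this check sees.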
Re: RAT on Mint Laptop
WharfRat wrote:If you suspect a RAT it's certainly not from the repo so run
cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
If the only thing returned is removed '/tmp/listin' then there is no process running that didn't originate from one of the repos.
user@user ~ $ cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
/usr/bin/xflux
Re: RAT on Mint Laptop
whois1230 wrote:
WharfRat wrote: If you suspect a RAT it's certainly not from the repo so run
cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
If the only thing returned is removed '/tmp/listin' then there is no process running that didn't originate from one of the repos.
user@user ~ $ cat /var/lib/dpkg/info/*.list > /tmp/listin ; ls -F /proc/*/exe|sed s'/@//1' |xargs -l readlink | grep -vxFf /tmp/listin; rm /tmp/listin
This is what was returned.
/usr/bin/xflux

xflux changes monitor color temperature adaptively to ease eye strain.
According to arch wiki: https://wiki.archlinux.org/index.php/Backlight#Xflux
Xflux:
Xflux is the f.lux port for the X-Windows system. It fluctuates your screen between blue during the day and yellow or orange at night. This helps you adapt to the time of day and stop staying up late because of your bright computer screen.
Re: RAT on Mint Laptop
The xflux program could be a legitimate application, only not originated from a repo.
If you're sure of the legitimacy of that app then it's probably OK.
The one-liner I provided would have identified any other non-repo process running.
Re: RAT on Mint Laptop
WharfRat wrote: The xflux program could be a legitimate application, only not originated from a repo.
If you're sure of the legitimacy of that app then it's probably OK.
The one-liner I provided would have identified any other non-repo process running.

Could a RAT originate from the BIOS, with Linux Mint as my only operating system? I updated the BIOS to the newest version and then wiped my HDD and installed Mint. My laptop is Dell Latitude E6410.
Re: RAT on Mint Laptop
whois1230 wrote: Could a RAT originate from the BIOS, with Linux Mint as my only operating system? I updated the BIOS to the newest version and then wiped my HDD and installed Mint. My laptop is Dell Latitude E6410.

I really doubt it and you still haven't answered jimallyn's question how do you know or suspect that you have a trojan on your computer?
Re: RAT on Mint Laptop
WharfRat wrote:
whois1230 wrote: Could a RAT originate from the BIOS, with Linux Mint as my only operating system? I updated the BIOS to the newest version and then wiped my HDD and installed Mint. My laptop is Dell Latitude E6410.
I really doubt it and you still haven't answered jimallyn's question how do you know or suspect that you have a trojan on your computer?

I suspect I have a Remote Access Trojan installed because sometimes my mouse cursor scrolls a bit downwards. I have disabled my touchpad and my mouse is relatively new. It's a 'Loki' gaming mouse.
- Fred Barclay
Re: RAT on Mint Laptop
With the info given, I suspect it's much more likely a slight incompatibility between your mouse and the Linux kernel you have installed.
Re: RAT on Mint Laptop
WharfRat wrote: What does
nmap your_ip_address
return

user@user ~ $ nmap xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-03 22:14 CET
Host is up (0.016s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
443/tcp open https
6699/tcp open napster
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Last edited by Anonymous on Sun Dec 03, 2017 6:04 pm, edited 2 times in total.
Reason: Removed second public IP display
Re: RAT on Mint Laptop
whois1230 wrote: I suspect I have a Remote Access Trojan installed because sometimes my mouse cursor scrolls a bit downwards. I have disabled my touchpad and my mouse is relatively new. It's a 'Loki' gaming mouse.

Some mice "are running" nervously if the surface is smooth and clear.
Re: RAT on Mint Laptop
I removed your public IP from the post. I meant for you to enter your LAN address.
In any event there's nothing nefarious there.
Are you using a router?
Re: RAT on Mint Laptop
whois1230 wrote: I suspect I have a Remote Access Trojan installed because sometimes my mouse cursor scrolls a bit downwards. I have disabled my touchpad and my mouse is relatively new. It's a 'Loki' gaming mouse.

I had a similar problem about two months ago with a new install of Linux Mint 18.2 Cinnamon on a brand new desktop (AMD 4000, 8Gb), using a brand new usb wireless keyboard and mouse (Business Series - W1 Multimedia Wireless Keyboard & Mouse).
After fighting with it for a while, I swapped the mouse for a wired model (about 4 years old), which worked perfectly.
I suggest you see if the same thing happens with an older mouse and if not, try installing a later kernel.
Re: RAT on Mint Laptop
WharfRat wrote: I removed your public IP from the post. I meant for you to enter your LAN address.
In any event there's nothing nefarious there.
Are you using a router

Thanks, yes, I'm using a router.
- Amii_Leigh
Re: Suspected RAT on Mint Laptop
I had something similar happen when I switched from a heavy maxicrap laser mouse to my present Logitech mouse. That is, I have my keyboard and mouse resting on a tilted table that I can adjust the height on. Until I made a cable holder to keep the mouse cable from pulling the mouse down, I kept seeing my mouse move across the screen, just as soon as I'd let go of it. I did make a holder for that cable, and that behaviour has stopped for the most part.
Just saying, sometimes it's the simple things...
नमस्ते = Namaste
I honor the place in you in which the entire universe dwells.
I honor the place in you in which is of love, of truth, of light, and of peace.
When you are in that place in you, and I am in that place in me, we are one.
Re: Suspected RAT on Mint Laptop
If it's one of those laser mice with the red laser ... those are notorious for misbehaving, on a variety of surfaces. I've yet to find (or make) something these will work reliably on without squiggling all over the screen when left unattended. I've also had ball mice (PS/2) where the pointer would start moving across the screen ... not a RAT though.
Dell Inspiron 1525 - LM17.3 CE 64-------------------Lenovo T440 - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE------------------------Acer Aspire One D255E - LM21.3 Xfce
Acer Aspire E11 ES1-111M - LM18.2 KDE 64 ----… Two ROMS don't make a WRITE …
Re: RAT on Mint Laptop
WharfRat wrote: I removed your public IP from the post. I meant for you to enter your LAN address.
In any event there's nothing nefarious there.
Are you using a router

So, is there any chance this could be a RAT or is it most likely to be a mouse problem?