Recommendations for full malware check please!

Piers66
Level 3
Posts: 134
Joined: Fri Dec 25, 2015 2:17 pm
Location: London, UK

Recommendations for full malware check please!

Post by Piers66 »

Hello,

I've been using Linux Mint for years, and never worried much about malware / viruses / etc. because, well, it's Linux, and I'm not in the habit of installing stuff outside the official repositories.

I've been getting masses of spam emails recently, and amongst them are the usual "You've been watching <violates forum rules> and we've recorded you on the webcam, send us all your bitcoin" ones. No problem, I don't even have a webcam!

Today I got one of these that said "One of your passwords is xxxxxxxxxxx, and we've installed a keylogger". The password they quoted is in fact one of mine, it's the basic one I use for non-critical forums like this one!

I'm 99% sure they got it by hacking some other site, but I'd like to do a check of my machine for malware (especially keyloggers). Can anyone recommend the best way to do this?

Thanks,

Piers.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Main: Dell E6410 - 8GB RAM / 500GB HDD - Dual Boot Mint 21.2 Cinnamon 64-bit / Win 10
Backup: iMac 5.1 - 3GB RAM / 240GB HDD - Dual Boot Mint 19.1 Cinnamon 64-bit / OSX 10.5.8
it-place
Level 3
Posts: 187
Joined: Thu Jul 05, 2018 4:42 am

Re: Recommendations for full malware check please!

Post by it-place »

Hi Piers66,

I've installed rkhunter on several Ubuntu servers and it's running quite well. I've seen the package is also available in the Mint repo so you can give it a try.

At work we have to use Sophos Antivirus on our systems. Perhaps it's not the best one but I've installed the free version of Sophos on many Linux Mint systems without any trouble. I've configured the on-access scan just to take care of my /home dir and the dirs where media will be mounted on, e.g. /cdrom, /media, ...

Regards - Olli
Moem
Level 22
Posts: 16193
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Recommendations for full malware check please!

Post by Moem »

I would take a different approach and put the email address that you use for forums like this one into https://haveibeenpwned.com . You may very well see some sites pop up... unfortunately including this one.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
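The same site behind the email lookup Moem suggests also publishes a leaked-password corpus, and it can be queried without ever sending the password itself. This added example (not part of the thread, and not Have I Been Pwned's own code) shows the k-anonymity mechanism: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every hash suffix sharing that prefix, and the match is made locally. The range response and its counts below are constructed so the demo runs offline; the live fetch uses the real range endpoint and the documented Add-Padding header.

```python
"""Offline demo of the Have I Been Pwned "Pwned Passwords" range check.

Constructed example: the DEMO_RANGE_BODY and the breach count in it are made
up for illustration; only fetch_range_live talks to the real service.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 when the suffix is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> response text; the password never leaves here."""
    prefix, suffix = split_sha1(password)
    return match_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str, timeout: float = 10.0) -> str:
    """Real lookup. Add-Padding makes every response a similar size so the
    prefix cannot be inferred from the response length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response, so the demo runs offline.
_, _LEAKED_SUFFIX = split_sha1("password")
DEMO_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed entry
    f"{_LEAKED_SUFFIX}:3861493",              # constructed count for "password"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",  # padding-style entry (count 0)
])


def demo_fetch_range(prefix: str) -> str:
    """Offline substitute for fetch_range_live; ignores the prefix."""
    return DEMO_RANGE_BODY


if __name__ == "__main__":
    for pw in ("password", "a different constructed passphrase"):
        hits = check_password(pw, demo_fetch_range)
        print(f"{pw!r}: {'seen ' + str(hits) + ' times' if hits else 'not in demo corpus'}")
```

Swap `demo_fetch_range` for `fetch_range_live` to query the real service; the only thing that goes over the wire is the five-character prefix.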
newlyminted7
Level 5
Posts: 563
Joined: Sat Jan 02, 2021 4:44 pm

Re: Recommendations for full malware check please!

Post by newlyminted7 »

First of all: Update to the latest LM. Any reason you're still on LM19? LM updates do include security updates, so I would do that.

Consider using a different web browser like Ungoogled Chromium with the uBlock Origin extension and configure it to block third party resources (see this post to set it up this way: viewtopic.php?p=2020789#p2020789 - I highly advise you to read the uBlock Extension User Guide link in that post to set up third-party script blocking and learn how to use it) Also reconsider what websites you visit...

Change all your passwords everywhere. Yes, a hassle, but probably essential for you at this point. Use something like a paper notebook or KeePassXC (in the Software Manager) to record your passwords. Use strong passwords.

Also consider changing your email address to another provider entirely (a more "privacy-friendly" one, if you can, I'd advise). Sounds like you've had it for a while.

I would also seriously consider wiping your hard drive, re-installing Mint and keeping it up to date from then on out. Hand-pick your personal files when you move them onto your new installation and be as sure as possible they are clean. Have a backup system.

You could even go so far as running some anti-virus software (Clam AV? Others might have other, better suggestions for Linux AV software) and even root kit checkers (Chkrootkit in the Software Manager, etc, there's also rkhunter but not on the Software Manager I don't think). Root kits are like nasty viruses/malware on steroids that can be extremely difficult to find.

Be more careful about what files and software you download and run, especially if you're using Wine, etc. (stop using it if you can, go find Linux alternatives to those applications).

This is just a basic set of things to consider doing, and is just a start. It may not be as bad as you think, heck, it could just be that you got spam email with a password that they got from a hacked forum you were on (be more choosy of which forums you participate in), but it could be much worse. As a famous movie character once said, "Do you feel lucky?"
gittiest personITW
Level 12
Posts: 4287
Joined: Tue May 28, 2019 4:27 pm

Re: Recommendations for full malware check please!

Post by gittiest personITW »

Why would they tell you they've installed a keylogger?
If they had, by the time they told you, your bank account would have been emptied and you wouldn't have access to any of your emails or Netflix account.
Piers66
Level 3
Posts: 134
Joined: Fri Dec 25, 2015 2:17 pm
Location: London, UK

Re: Recommendations for full malware check please!

Post by Piers66 »

Moem wrote: Wed Jun 16, 2021 3:54 pm I would take a different approach and put the email address that you use for forums like this one into https://haveibeenpwned.com . You may very well see some sites pop up... unfortunately including this one.
Thanks for the suggestion. I still want to check the computer, but in the mean time I ran my email address and it found "Pwned in 8 data breaches and found 1 paste", including Linux Mint!

Piers.
Piers66
Level 3
Posts: 134
Joined: Fri Dec 25, 2015 2:17 pm
Location: London, UK

Re: Recommendations for full malware check please!

Post by Piers66 »

gittiest personITW wrote: Wed Jun 16, 2021 4:02 pm Why would they tell you they've installed a keylogger?
If they had, by the time they told you, your bank account would have been emptied and you wouldn't have access to any of your emails or Netflix account.
As I said, 99% sure it's from a data breach, not a keylogger, but want to do the belt & braces thing.
sleeper12
Level 21
Posts: 14317
Joined: Thu May 25, 2017 3:22 pm

Re: Recommendations for full malware check please!

Post by sleeper12 »

newlyminted7 wrote: Wed Jun 16, 2021 3:57 pm First of all: Update to the latest LM. Any reason you're still on LM19?...
Nothing wrong with LM 19, it's supported until April 2023.
Piers66
Level 3
Posts: 134
Joined: Fri Dec 25, 2015 2:17 pm
Location: London, UK

Re: Recommendations for full malware check please!

Post by Piers66 »

newlyminted7 wrote: Wed Jun 16, 2021 3:57 pm First of all: Update to the latest LM. Any reason you're still on LM19? LM updates do include security updates, so I would do that.

Consider using a different web browser like Ungoogled Chromium with the uBlock Origin extension and configure it to block third party resources (see this post to set it up this way: viewtopic.php?p=2020789#p2020789 - I highly advise you to read the uBlock Extension User Guide link in that post to set up third-party script blocking and learn how to use it) Also reconsider what websites you visit...

Change all your passwords everywhere. Yes, a hassle, but probably essential for you at this point. Use something like a paper notebook or KeePassXC (in the Software Manager) to record your passwords. Use strong passwords.

Also consider changing your email address to another provider entirely (a more "privacy-friendly" one, if you can, I'd advise). Sounds like you've had it for awhile.

I would also seriously consider wiping your hard drive, re-installing Mint and keeping it up to date from then on out. Hand-pick your personal files when you move them onto your new installation and be as sure as possible they are clean. Have a backup system.

You could even go so far as running some anti-virus software (Clam AV? Others might have other, better suggestions for Linux AV software) and even root kit checkers (Chkrootkit in the Software Manager, etc, there's also rkhunter but not on the Software Manager I don't think). Root kits are like nasty viruses/malware on steroids that can be extremely difficult to find.

Be more careful about what files and software you download and run, especially if you're using Wine, etc. (stop using it if you can, go find Linux alternatives to those applications).

This is just a basic set of things to consider doing, and is just a start. It may not be as bad as you think, heck, it could just be that you got spam email with a password that they got from a hacked forum you were on (be more choosy of which forums you participate in), but it could be much worse. As a famous movie character once said, "Do you feel lucky?"
Thanks for the comprehensive reply.

I'm on LM19 because I have an older, somewhat underpowered laptop, and assume that later versions will be more processor hungry, but I have been considering upgrading. Is the security significantly better with an up to date version?

At the moment I use Firefox, with uBlock origin. Most of the Firefox security settings are on the stricter side. I'll investigate uBlock in a bit more depth.

Yes, time to change all passwords, some of which haven't changed in years... :-( I keep a file with all my passwords in but (don't panic!) in a form that will remind me what ones I've used rather than listing them explicitly (the 'key' is in my head).

The email address is, I'm sorry to admit, a gmail one. But, it's been in use for a decade and changing it would be very painful (I helped my mother change hers a while back, and well over a year later her friends are still complaining that the old one doesn't work!).

If I upgrade Mint I will do a clean install anyway. As for being sure that personal files are clean, that's the reason to ask about checking for malware. I'll check out the a-v ones you've suggested.

I don't use Wine, and, I think, probably have less installed software than many. The vast majority of what I do involves the basic software that comes with every Mint install. Can't actually think of anything that wasn't installed via the Software Manager.

Piers.
revmacian
Level 5
Posts: 554
Joined: Wed May 27, 2020 1:50 pm
Location: United States

Re: Recommendations for full malware check please!

Post by revmacian »

Piers66 wrote: Wed Jun 16, 2021 4:03 pm
gittiest personITW wrote: Wed Jun 16, 2021 4:02 pm Why would they tell you they've installed a keylogger?
If they had, by the time they told you, your bank account would have been emptied and you wouldn't have access to any of your emails or Netflix account.
As I said, 99% sure it's from a data breach, not a keylogger, but want to do the belt & braces thing.
It's called "scare tactics", I'm pretty sure they didn't install a keylogger. Telling me "we installed a keylogger" would immediately prompt a full clean install of the system... only an idiot would say they installed a keylogger. Perhaps they assume you're as stupid as they are.
Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime.
US Navy, NEC HM8404
Moem
Level 22
Posts: 16193
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Recommendations for full malware check please!

Post by Moem »

newlyminted7 wrote: Wed Jun 16, 2021 3:57 pm heck, it could just be that you got spam email with a password that they got from a hacked forum you were on
That seems utterly likely to me. Especially since that same email address and password were used on breached sites.

I would at the very, very least stop reusing passwords! That's really the worst thing you can do. Even if you have to write them down on paper, that is safer than using the same one on several sites... the paper would only be accessible to someone who can physically get to it.
Piers66
Level 3
Posts: 134
Joined: Fri Dec 25, 2015 2:17 pm
Location: London, UK

Re: Recommendations for full malware check please!

Post by Piers66 »

Moem wrote: Wed Jun 16, 2021 4:33 pm
newlyminted7 wrote: Wed Jun 16, 2021 3:57 pm heck, it could just be that you got spam email with a password that they got from a hacked forum you were on
That seems utterly likely to me. Especially since that same email address and password were used on breached sites.

I would at the very, very least stop reusing passwords! That's really the worst thing you can do. Even if you have to write them down on paper, that is safer than using the same one on several sites... the paper would only be accessible to someone who can physically get to it.
First one changed (this forum), 120 to go!

Using a new PW creation scheme that will make them all different but relatively easy for me to remember... (he says, confidently! :D )
gittiest personITW
Level 12
Posts: 4287
Joined: Tue May 28, 2019 4:27 pm

Re: Recommendations for full malware check please!

Post by gittiest personITW »

I recommend, as would lots of others, not to use a scheme.
If it is easy for you to remember then it is not much harder for someone who is that way inclined to figure out the pattern.

Try KeepassXC or something similar. It has a neat little password generator on it that you can configure very easily.

For instance, in the old days passwords were something like (for example)
111111

Then, we were told to add a letter
a111111 or 111111a

Then, we were told to add a minimum of 1 upper case letter
A111111 or 111111A

Then, we were told that we need to start getting serious about our passwords and it is time to add punctuation
A111111. or 111111A. or .A111111 or .111111A (you get the picture).

I can just see many " :oops: "
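To put numbers on the progression in that post: once an attacker knows the pattern, only the parts that vary count, so each "add a letter, add a capital, add a dot" step buys a few bits at most, while a generator draws every character at random. This added example (not from the thread, and not KeePassXC's code; it uses Python's `secrets` module as a stand-in for a generator) estimates the entropy of each scheme step and of a 20-character generated password. The alphabet sizes (10 digits, 26 letters, 32 punctuation marks) and the 1e10 guesses/second rate are assumptions chosen for illustration.

```python
"""Entropy of a memorable scheme versus a generated password (added example)."""
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 symbols (assumed alphabet)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def scheme_entropy_bits(variable_parts, placements=1):
    """Bits of uncertainty left once the scheme itself is known.

    variable_parts: (alphabet_size, count) pairs for the characters that vary.
    placements: how many positions the add-on characters could occupy
    (front/back = 2, the four layouts in the post = 4).
    """
    bits = sum(count * math.log2(size) for size, count in variable_parts)
    return bits + math.log2(placements)


# The progression quoted in the post, modelled as an attacker would see it.
SCHEME_STEPS = {
    "111111":   ([(10, 6)], 1),                        # six digits
    "a111111":  ([(10, 6), (26, 1)], 2),               # plus a letter, front or back
    "A111111":  ([(10, 6), (26, 1)], 2),               # same size, just upper case
    "A111111.": ([(10, 6), (26, 1), (32, 1)], 4),      # plus punctuation, 4 layouts
}


def generated_entropy_bits(length, alphabet=ALPHABET):
    """Every position independent and uniform over the alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=20, alphabet=ALPHABET):
    """CSPRNG-backed generator; secrets.choice is safe for this use."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try the whole space at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second


def report():
    """Entropy table for the scheme steps and a 20-char generated password."""
    rows = {name: scheme_entropy_bits(*spec) for name, spec in SCHEME_STEPS.items()}
    rows["generated(20)"] = generated_entropy_bits(20)
    return rows


if __name__ == "__main__":
    for name, bits in report().items():
        secs = seconds_to_exhaust(bits)
        print(f"{name:14s} {bits:6.1f} bits   whole space in ~{secs:.3g} s at 1e10 guesses/s")
    print("generated sample:", generate_password())
```

The digits-only base is about 20 bits; the final "A111111." form reaches roughly 32 bits, which is under a second of guessing at the assumed rate, whereas the generated 20-character password is about 131 bits. The lesson matches the post: the generator, not the scheme, is what makes the difference.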
MartyMint
Level 7
Posts: 1732
Joined: Thu Dec 27, 2012 10:50 pm

Re: Recommendations for full malware check please!

Post by MartyMint »

I keep all my passwords in a text file, that is then encrypted with a robust master password. The individual passwords can be as complicated as I'd like.
It is easier to move that encrypted file around to any device I need. Much easier than juggling Post-It notes.
emmalfal
Level 2
Posts: 70
Joined: Fri Jan 03, 2020 3:27 pm

Re: Recommendations for full malware check please!

Post by emmalfal »

Have you considered a password manager? I came to Bitwarden from Lastpass and man, I love it. Makes it real easy to use complicated passwords and keep track of everything. Easy to use, too.
newlyminted7
Level 5
Posts: 563
Joined: Sat Jan 02, 2021 4:44 pm

Re: Recommendations for full malware check please!

Post by newlyminted7 »

Piers66 wrote: Wed Jun 16, 2021 4:27 pm Thanks for the comprehensive reply.

I'm on LM19 because I have an older, somewhat underpowered laptop, and assume that later versions will be more processor hungry, but I have been considering upgrading. Is the security significantly better with an up to date version?

At the moment I use Firefox, with uBlock origin. Most of the Firefox security settings are on the stricter side. I'll investigate uBlock in a bit more depth.

Yes, time to change all passwords, some of which haven't changed in years... :-( I keep a file with all my passwords in but (don't panic!) in a form that will remind me what ones I've used rather than listing them explicitly (the 'key' is in my head).

The email address is, I'm sorry to admit, a gmail one. But, it's been in use for a decade and changing it would be very painful (I helped my mother change hers a while back, and well over a year later her friends are still complaining that the old one doesn't work!).

If I upgrade Mint I will do a clean install anyway. As for being sure that personal files are clean, that's the reason to ask about checking for malware. I'll check out the a-v ones you've suggested.

I don't use Wine, and, I think, probably have less installed software than many. The vast majority of what I do involves the basic software that comes with every Mint install. Can't actually think of anything that wasn't installed via the Software Manager.

Piers.
You're welcome. It sounds like you have a level head about this, I'm sure you'll be fine. I agree with you that it's most likely just a hacked forum where they got your email and password. As others have pointed out, it's unlikely that competent hackers would tell you they installed a keylogger until it was far too late. But, unfortunately, they may have gotten your email and password somewhere else and your machine might be compromised. Frustrating, I know, and I'm sorry it happened to you.

Internet forums are unfortunately only as secure as the people who administer them and the forum software they use, a lot of which isn't perfect, either. I'd wager that many forums are insecure and should be avoided altogether. Many people think modern technology and the internet are "magic", secure, trustworthy, and darn well should be trusted. Unfortunately, it is very distinctly the other way around. It is actually quite insane. People just assume all this tech can be trusted. A lot of it simply can't be trusted, and as we're finding out, many businesses can't, either (even the ones we assumed were trustworthy, like your current email provider *cough*cough*).

Successful hacks are the ones we don't hear about and don't show up on sites like "https://haveibeenpwned.com". Some forums don't even encrypt or hash passwords when stored, and, worse yet, others are honeypots that intentionally don't encrypt/hash their passwords in order to sell them or share them with bad guys, or are directly run by bad guys.

In my personal opinion it takes around ten years of average use before an email address needs to be replaced due to reasons similar to what you've experienced. If you don't already, consider using email aliases and ditch them when you need to. Only share your main email address with friends and family and create an alias for every other activity you do online (without any elements of your personal name in the alias, either). I'm in the same situation where I'm trying to get off of a "popular" email provider and migrate to a more (supposedly) privacy-friendly one, but I keep putting it off, as well, so I can't really blame you. It's a hassle.

As for Mint's performance on your older hardware, I'd suggest looking into a different window manager than Cinnamon (Xfce or Mate versions of Linux Mint), since it isn't the version of the software that is going to slow you down, but the graphically intensive elements of the UI. If I were you I would upgrade to 20.1 (to get all the bugfixes and security patches) and use Mate or Xfce for better performance. Xfce is the fastest / most lightweight.

Another thing you might want to do is install OpenSnitch (https://github.com/evilsocket/opensnitch). It will alert you if and when any applications try to phone home (including Linux Mint things like unscrupulous panel applets, etc - I'm looking at you, Redshift!). For me it is more just for peace of mind and understanding what certain applications are up to on your computer, but it is pretty handy to spot if malware is trying to phone home, as well.
ricardogroetaers
Level 6
Posts: 1368
Joined: Sat Oct 27, 2018 3:06 am
Location: Rio de Janeiro, Brasil

Re: Recommendations for full malware check please!

Post by ricardogroetaers »

Piers66 wrote: Wed Jun 16, 2021 3:31 pm Today I got one of these that said "One of your passwords is xxxxxxxxxxx, and we've installed a keylogger". The password they quoted is in fact one of mine, it's the basic one I use for non-critical forums like this one! .....
Sorry for the pragmatism.
Email passes to everyone and someone passes their email to someone else, who passes it to someone else, that ......

Who guarantees that non-critical places (websites, forums, internet stores, others) don't know your password and don't share it with others?

Save passwords to Google (or similar)? Tie dog with sausage, which has the same effect.

As for a "scan" on the computer, no exaggeration and occasionally I use "Comodo antivirus".
It's not just Linux we use and our removable storage devices (and others' devices) are inserted into many computers, including our computer.
Piers66
Level 3
Posts: 134
Joined: Fri Dec 25, 2015 2:17 pm
Location: London, UK

Re: Recommendations for full malware check please!

Post by Piers66 »

Hello,

OK, so I installed rkhunter and ran it. The only warnings it produced were one file property error, a bunch of overly large memory segments and one hidden directory:


[11:50:13]   /usr/bin/lwp-request                            [ Warning ]
[11:50:13] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

[11:57:27]   Checking for suspicious (large) shared memory segments [ Warning ]
[11:57:27] Warning: The following suspicious (large) shared memory segments have been found:
[11:57:27]          Process: /usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-background    PID: 1599    Owner: piers    Size: 64MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/nemo-desktop    PID: 2007    Owner: piers    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1    PID: 1756    Owner: piers    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/cinnamon    PID: 1713    Owner: piers    Size: 2.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/lib/firefox/firefox    PID: 26586    Owner: piers    Size: 4.7MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/lib/gnome-terminal/gnome-terminal-server    PID: 26540    Owner: piers    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/lib/firefox/firefox    PID: 26586    Owner: piers    Size: 4.7MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/nemo    PID: 27004    Owner: piers    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/nemo    PID: 27004    Owner: piers    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/xed    PID: 27022    Owner: piers    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/nemo    PID: 32286    Owner: root    Size: 4.0MB (configured size allowed: 1.0MB)

[11:57:39]   Checking for hidden files and directories       [ Warning ]
[11:57:39] Warning: Hidden directory found: /etc/.java
From doing a bit of searching online and finding other people who have had the same warnings, I think I can ignore all of the above as false positives.

At this point is it safe to go with my first assumption (my PC is fine, it was an external data breach)?

Piers.
it-place
Level 3
Posts: 187
Joined: Thu Jul 05, 2018 4:42 am

Re: Recommendations for full malware check please!

Post by it-place »

Hi Piers66,
in rkhunter you have to do some fine tuning:
  1. rkhunter needs to know what package manager you are using. Edit /etc/rkhunter.conf add the following line:
    PKGMGR=DPKG
    This way, rkhunter will know to expect those executables to be scripts, and not flag the false positive.
  2. I think it's better to run rkhunter without running too many other programs, e.g. firefox, nemo... (warning "shared memory segments").
  3. You also can exclude the hidden dir /etc/.java in /etc/rkhunter.conf to suppress this warning.
Regards - Oliver
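Putting Piers's rkhunter output and Oliver's tuning advice together: the warnings fall into three classes, and two of them map directly onto rkhunter.conf entries. This added example (not rkhunter's code and not from the thread) parses constructed log lines modelled on the quoted output, classifies each warning, and produces the config lines Oliver describes (PKGMGR=DPKG, plus SCRIPTWHITELIST for the replaced command and ALLOWHIDDENDIR for /etc/.java, both standard rkhunter.conf keys). The shared-memory entries are emitted commented out under the ALLOWIPCPROC key, because a large segment owned by a desktop process is expected but each one should still be looked at (unfamiliar binary, odd owner, path under /tmp) before it is whitelisted. The `merge_conf` helper is my own and only appends lines that are not already active in the file.

```python
"""Triage rkhunter warnings and derive rkhunter.conf whitelist lines.

Added example; SAMPLE_LOG is constructed to mirror the output quoted in the
thread. ALLOWIPCPROC lines are deliberately commented out for manual review.
"""
import re

SAMPLE_LOG = """\
[11:50:13]   /usr/bin/lwp-request                            [ Warning ]
[11:50:13] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
[11:57:27]   Checking for suspicious (large) shared memory segments [ Warning ]
[11:57:27] Warning: The following suspicious (large) shared memory segments have been found:
[11:57:27]          Process: /usr/bin/cinnamon    PID: 1713    Owner: piers    Size: 2.0MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/lib/firefox/firefox    PID: 26586    Owner: piers    Size: 4.7MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/lib/firefox/firefox    PID: 26586    Owner: piers    Size: 4.7MB (configured size allowed: 1.0MB)
[11:57:27]          Process: /usr/bin/nemo    PID: 32286    Owner: root    Size: 4.0MB (configured size allowed: 1.0MB)
[11:57:39]   Checking for hidden files and directories       [ Warning ]
[11:57:39] Warning: Hidden directory found: /etc/.java
"""

SCRIPT_RE = re.compile(r"Warning: The command '(?P<path>\S+)' has been replaced by a script")
SHM_RE = re.compile(r"Process: (?P<proc>\S+)\s+PID: (?P<pid>\d+)\s+Owner: (?P<owner>\S+)\s+Size: (?P<size>\S+)")
HIDDEN_RE = re.compile(r"Warning: Hidden directory found: (?P<path>\S+)")


def parse_rkhunter_log(text):
    """Return (kind, details) tuples, one per warning line that we recognise."""
    findings = []
    for line in text.splitlines():
        if m := SCRIPT_RE.search(line):
            findings.append(("script_replaced", {"path": m["path"]}))
        elif m := SHM_RE.search(line):
            findings.append(("shm_segment", {k: m[k] for k in ("proc", "pid", "owner", "size")}))
        elif m := HIDDEN_RE.search(line):
            findings.append(("hidden_dir", {"path": m["path"]}))
    return findings


def suggest_conf_lines(findings):
    """Map findings to rkhunter.conf lines.

    Script and hidden-directory warnings get active whitelist entries; shared
    memory entries are commented out so a human decides per process.
    """
    lines = []
    if any(kind == "script_replaced" for kind, _ in findings):
        lines.append("PKGMGR=DPKG")  # trust dpkg's file database for these checks
    seen_procs = set()
    for kind, d in findings:
        if kind == "script_replaced":
            lines.append(f"SCRIPTWHITELIST={d['path']}")
        elif kind == "hidden_dir":
            lines.append(f"ALLOWHIDDENDIR={d['path']}")
        elif kind == "shm_segment" and d["proc"] not in seen_procs:
            seen_procs.add(d["proc"])
            lines.append(f"#ALLOWIPCPROC={d['proc']}   # owner {d['owner']}, review before enabling")
    return lines


def merge_conf(existing, new_lines):
    """Append each suggested line unless the same active setting is already present."""
    active = {l.strip() for l in existing.splitlines()
              if l.strip() and not l.lstrip().startswith("#")}
    out = existing.rstrip("\n").splitlines()
    for line in new_lines:
        if line.split("#", 1)[0].strip() not in active:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_rkhunter_log(SAMPLE_LOG)
    for kind, details in found:
        print(f"{kind:16s} {details}")
    print("\nsuggested rkhunter.conf additions:")
    print(merge_conf("PKGMGR=DPKG\n", suggest_conf_lines(found)), end="")
```

Run it against `/var/log/rkhunter.log` instead of the sample to get the same triage for a real scan; the output is meant to be read and then pasted into /etc/rkhunter.conf by hand, after which `rkhunter -C` validates the configuration.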
revmacian
Level 5
Posts: 554
Joined: Wed May 27, 2020 1:50 pm
Location: United States

Re: Recommendations for full malware check please!

Post by revmacian »

Piers66 wrote: Wed Jun 16, 2021 3:31 pm Hello,

I've been using Linux Mint for years, and never worried much about malware / viruses / etc. because, well, it's Linux, and I'm not in the habit of installing stuff outside the official repositories.

I've been getting masses of spam emails recently, and amongst them are the usual "You've been watching **** and we've recorded you on the webcam, send us all your bitcoin" ones. No problem, I don't even have a webcam!

Today I got one of these that said "One of your passwords is xxxxxxxxxxx, and we've installed a keylogger". The password they quoted is in fact one of mine, it's the basic one I use for non-critical forums like this one!

I'm 99% sure they got it by hacking some other site, but I'd like to do a check of my machine for malware (especially keyloggers). Can anyone recommend the best way to do this?

Thanks,

Piers.
I'd like to comment on that keylogger they say they've installed. When you download an executable file in Linux the executable flag is stripped. If the user wants to execute that file, they must go into the terminal and restore that executable flag. Then, the user must manually execute that file. Anyone who has been learning while using Linux knows that you can download every virus known to man... but none of them will ever run without user intervention. This is just one of the many reasons I choose *nix over other operating systems - it's also why almost no one wastes their time writing viruses for Linux. So, exactly how did they install a keylogger? They didn't; making such a grandiose statement is nothing more than a testament to their own ignorance.