
Thread: Do I have malware?

  1. #1
    Join Date
    Oct 2010
    Beans
    99

    Do I have malware?

    How do I know if I have malware on my computer? I'm using Ubuntu 12.10. My HDD light is blinking a lot today. Usually it's quiet with a random blink. Today it's acting like my Windows load used to always do. Below is what my system log is showing ...

    Code:
    02/13/13 10:51:18 AM	ice-5	dhclient	DHCPREQUEST of 192.168.1.35 on eth0 to 192.168.1.1 port 67
    02/13/13 10:51:19 AM	ice-5	dhclient	DHCPACK of 192.168.1.35 from 192.168.1.1
    02/13/13 10:51:19 AM	ice-5	dhclient	bound to 192.168.1.35 -- renewal in 123 seconds.
    02/13/13 10:51:19 AM	ice-5	NetworkManager[957]	<info> (eth0): DHCPv4 state changed renew -> renew
    02/13/13 10:51:19 AM	ice-5	NetworkManager[957]	<info>   address 192.168.1.35
    02/13/13 10:51:19 AM	ice-5	NetworkManager[957]	<info>   prefix 24 (255.255.255.0)
    02/13/13 10:51:19 AM	ice-5	NetworkManager[957]	<info>   gateway 192.168.1.1
    02/13/13 10:51:19 AM	ice-5	NetworkManager[957]	<info>   nameserver '203.144.206.49'
    02/13/13 10:51:19 AM	ice-5	NetworkManager[957]	<info>   nameserver '203.144.206.29'
    02/13/13 10:51:19 AM	ice-5	dbus[909]	[system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
    02/13/13 10:51:19 AM	ice-5	dbus[909]	[system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    02/13/13 10:51:20 AM	ice-5	AptDaemon	INFO: Quitting due to inactivity
    02/13/13 10:51:20 AM	ice-5	AptDaemon	INFO: Quitting was requested
    02/13/13 10:51:25 AM	ice-5	anacron[1112]	Job `cron.daily' terminated
    02/13/13 10:51:25 AM	ice-5	anacron[1112]	Job `cron.weekly' started
    02/13/13 10:51:25 AM	ice-5	anacron[4910]	Updated timestamp for job `cron.weekly' to 2013-02-13
    02/13/13 10:51:39 AM	ice-5	anacron[1112]	Job `cron.weekly' terminated
    02/13/13 10:51:39 AM	ice-5	anacron[1112]	Normal exit (2 jobs run)
    02/13/13 10:52:00 AM	ice-5	kernel	[ 2010.867008] forcedeth 0000:00:07.0: eth0: link down
    02/13/13 10:52:00 AM	ice-5	NetworkManager[957]	<info> (eth0): carrier now OFF (device state 100, deferring action for 4 seconds)
    02/13/13 10:52:05 AM	ice-5	NetworkManager[957]	<info> (eth0): device state change: activated -> unavailable (reason 'carrier-changed') [100 20 40]
    02/13/13 10:52:05 AM	ice-5	NetworkManager[957]	<info> (eth0): deactivating device (reason 'carrier-changed') [40]
    02/13/13 10:52:05 AM	ice-5	NetworkManager[957]	<info> (eth0): canceled DHCP transaction, DHCP client pid 1072
    02/13/13 10:52:05 AM	ice-5	kernel	[ 2015.333346] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
    02/13/13 10:52:05 AM	ice-5	dnsmasq[1512]	setting upstream servers from DBus
    02/13/13 10:52:05 AM	ice-5	NetworkManager[957]	<warn> DNS: plugin dnsmasq update failed
    02/13/13 10:52:05 AM	ice-5	NetworkManager[957]	<info> ((null)): removing resolv.conf from /sbin/resolvconf
    02/13/13 10:52:05 AM	ice-5	avahi-daemon[4979]	Found user 'avahi' (UID 111) and group 'avahi' (GID 120).
    02/13/13 10:52:05 AM	ice-5	avahi-daemon[4979]	Successfully dropped root privileges.
    02/13/13 10:52:05 AM	ice-5	avahi-daemon[4979]	avahi-daemon 0.6.31 starting up.
    02/13/13 10:52:05 AM	ice-5	dbus[909]	[system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
    02/13/13 10:52:05 AM	ice-5	avahi-daemon[4979]	Successfully called chroot().
    02/13/13 10:52:05 AM	ice-5	avahi-daemon[4979]	Successfully dropped remaining capabilities.
    02/13/13 10:52:06 AM	ice-5	avahi-daemon[4979]	Loading service file /services/udisks.service.
    02/13/13 10:52:06 AM	ice-5	avahi-daemon[4979]	Network interface enumeration completed.
    02/13/13 10:52:06 AM	ice-5	avahi-daemon[4979]	Registering HINFO record with values 'I686'/'LINUX'.
    02/13/13 10:52:06 AM	ice-5	avahi-daemon[4979]	Server startup complete. Host name is ice-5.local. Local service cookie is 3079423200.
    02/13/13 10:52:06 AM	ice-5	avahi-daemon[4979]	Service "ice-5" (/services/udisks.service) successfully established.
    02/13/13 10:52:06 AM	ice-5	dbus[909]	[system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> (eth0): carrier now ON (device state 20)
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> (eth0): device state change: unavailable -> disconnected (reason 'carrier-changed') [20 30 40]
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Auto-activating connection 'Wired connection 1'.
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Activation (eth0) starting connection 'Wired connection 1'
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> (eth0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Activation (eth0) Stage 1 of 5 (Device Prepare) scheduled...
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Activation (eth0) Stage 1 of 5 (Device Prepare) started...
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Activation (eth0) Stage 2 of 5 (Device Configure) scheduled...
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Activation (eth0) Stage 1 of 5 (Device Prepare) complete.
    02/13/13 10:53:23 AM	ice-5	NetworkManager[957]	<info> Activation (eth0) Stage 2 of 5 (Device Configure) starting...
    Last edited by CharlesA; February 13th, 2013 at 07:45 AM. Reason: code tags

  2. #2
    Join Date
    Oct 2007
    Beans
    76
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: Do I have malware?

    To me the log seems normal. It could be that you are running out of RAM; if that is so, the system will start to swap, in other words write to the disk. You can see what is writing to the disk with the utility iotop. To install iotop, issue the command:
    Code:
    sudo apt-get install iotop
    in a terminal. The program requires sudo rights to run.

    Hope this helps you,
    -lordievader.
    Last edited by lordievader; February 13th, 2013 at 08:38 AM.
    “There is no point in using the word 'impossible' to describe something that has clearly happened.” -Douglas Adams.

  3. #3
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Do I have malware?

    Looks fine to me too.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #4
    Join Date
    May 2006
    Location
    Boston
    Beans
    1,909
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Do I have malware?

    Are you downloading any files or using a torrent client? Log looks fine to me.

    blog
    Donations BTC : 12FwoB7uAM5FnweykpR1AEEDVFaTLTYFkS
    DOUBLEPLUSGOOD!!

  5. #5
    Join Date
    Dec 2012
    Location
    In my head.. I think?
    Beans
    113

    Re: Do I have malware?

    I too see nothing wrong with this. Perhaps if your computer is running slow, you may want to remove old programs. Just a thought. Please correct me if I'm wrong.

  6. #6
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    1,273
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Do I have malware?

    Please enclose output in "code" marks before posting. It makes massive outputs far easier to parse. This can be done by highlighting the output and using the hash (#) button at the top of the posting box.

    Re: output

    I don't see anything alarming in your syslog. Syslog is only one of the logs you should be parsing routinely, but learning to read them is something of a black art. There's no easy way to learn because they record your system's low-level functions, which are inevitably technical and arcane. It doesn't help that Linux developers often use alarming-sounding labels and phrases to denote normal and innocuous processes. I've found that the best way to learn about the logs is to learn about Linux itself. For example, a daemon is simply a process like an app, but it runs unobtrusively in the background doing work that requires no user input or waiting for a specific event. The program that creates syslog itself is a daemon called syslogd. Avahi-daemon is another of your examples. This is a process that publishes and listens for services added to your network, like printers, network attached storage, etc. so that you don't have to specifically invoke a discovery process before seeing them. Some would consider it unnecessary bloat, but it is a part of most modern distros and not malign.

    If you would like to understand more about Linux security, this is a wonderful primer. Please be aware that the first natural reaction to security when starting out tends to be paranoia and false positives. This is not necessarily a bad reaction so long as you step back and remind yourself every now and again that you are probably overreacting. However, we cannot fend off malware unless we stay vigilant. Better your type of reaction than the attitude I see so frequently from Windows migrants whose first question is all too often, "How do I turn off system password requests?"

    That said, if you want to know what is creating all that disk I/O, do:

    Code:
    sudo apt-get install iotop
    and then run iotop to see exactly what processes are hitting your HDD so hard.

    <edit>
    forum admin to the rescue on code tags. Thanks @CharlesA
    </edit>
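
The check suggested in posts #2 and #6, as an added example that is not part of any post in this thread: it samples `/proc/<pid>/io` twice to rank processes by bytes written to disk, and reads `/proc/meminfo` to see whether swap is in use. The function names, the 5-second interval and the sample data are assumptions made for illustration; run it with sudo to see processes owned by other users.

```python
import os
import time

# Constructed sample in the /proc/<pid>/io format (not taken from the thread).
SAMPLE_IO = "rchar: 1000\nwchar: 2000\nread_bytes: 0\nwrite_bytes: 4096\n"

def parse_proc_io(text):
    """Turn the 'key: value' lines of /proc/<pid>/io into a dict of ints."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): int(value) for key, value in pairs}

def swap_used_kb(meminfo_text):
    """Return SwapTotal - SwapFree (kB) from the text of /proc/meminfo."""
    fields = {}
    for line in meminfo_text.splitlines():
        key, _, rest = line.partition(":")
        parts = rest.split()
        if parts:
            fields[key] = int(parts[0])
    return fields.get("SwapTotal", 0) - fields.get("SwapFree", 0)

def top_writers(before, after, limit=5):
    """Rank PIDs by growth in write_bytes between two snapshots.
    Snapshots map pid -> (name, io_dict); PIDs missing from 'before' are skipped."""
    deltas = []
    for pid, (name, io_after) in after.items():
        if pid in before:
            delta = io_after["write_bytes"] - before[pid][1]["write_bytes"]
            if delta > 0:
                deltas.append((delta, pid, name))
    return sorted(deltas, reverse=True)[:limit]

def snapshot():
    """Read name and I/O counters for every process we are allowed to inspect."""
    snap = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/io") as f:
                io = parse_proc_io(f.read())
            with open(f"/proc/{pid}/comm") as f:
                snap[int(pid)] = (f.read().strip(), io)
        except OSError:  # process exited, or not ours and we are not root
            continue
    return snap

if __name__ == "__main__":
    first = snapshot()
    time.sleep(5)  # assumed sampling interval
    with open("/proc/meminfo") as f:
        print("swap in use (kB):", swap_used_kb(f.read()))
    for delta, pid, name in top_writers(first, snapshot()):
        print(f"{delta:>12} bytes written  pid={pid}  {name}")
```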

  7. #7
    Join Date
    May 2006
    Location
    Bangladesh
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Do I have malware?

    All OK, nothing to worry about.

  8. #8
    Join Date
    Oct 2010
    Beans
    99

    Re: Do I have malware?

    Thanks so much for all the comments. I know just enough to be dangerous! But I also clearly understand that there are bad people trying to screw you. We must be vigilant. I used to spend hundreds of dollars on security software using Windows. What a relief to not have that problem any more! I will try to learn more about reading and understanding the log entries. But I'm old enough now that about 50% goes into my memory but never seems to stay. I will install iotop. And yes, I was downloading torrents, so this may have increased the activity, although I don't remember that causing this reaction in the past.
