
Thread: Malware Check on Fresh Lubuntu Install

  1. #1 (Join Date: Oct 2008; Beans: 250)

    Malware Check on Fresh Lubuntu Install

    A while ago I had an old laptop running Ubuntu on which I had a ransomware scare as well as an update issue stopping the computer booting at the same time (see original thread here). Long story short: Chromium stopped me going to a page due to it being "misleading", and before shutting the tab I saw words including "ransomware"; upon rebooting I got an error about "Spectre V2 Mitigation", which convinced me I'd been infected by the Spectre ransomware, but I think it was all a coincidence.

    The laptop ran poorly on Ubuntu anyway, so all these things prompted me to install Lubuntu to try and resurrect it today. I'm assuming that by installing the new Lubuntu partition over the old Ubuntu partition any malicious software would have been destroyed? This wasn't a complete formatting of the drive, as the swap partitions were reused, so would this leave room for malicious software to remain on the HDD?

    I'm probably being paranoid, but I don't want to risk anything (especially ransomware) spreading onto my main desktop. Are there any free programs you would recommend running to double check before linking the laptop to my network? Am I just being silly and paranoid over nothing?

  2. #2 (Join Date: Mar 2010; Location: Squidbilly-Land; Beans: Hidden!; Distro: Ubuntu)

    Re: Malware Check on Fresh Lubuntu Install

    Quote Originally Posted by random turnip View Post
    A while ago I had an old laptop running Ubuntu on which I had a ransomware scare as well as an update issue stopping the computer booting at the same time (see original thread here). Long story short: Chromium stopped me going to a page due to it being "misleading", and before shutting the tab I saw words including "ransomware"; upon rebooting I got an error about "Spectre V2 Mitigation", which convinced me I'd been infected by the Spectre ransomware, but I think it was all a coincidence.
    Sounds like a coincidence.

    Quote Originally Posted by random turnip View Post
    The laptop ran poorly on Ubuntu anyway, so all these things prompted me to install Lubuntu to try and resurrect it today. I'm assuming that by installing the new Lubuntu partition over the old Ubuntu partition any malicious software would have been destroyed? This wasn't a complete formatting of the drive, as the swap partitions were reused, so would this leave room for malicious software to remain on the HDD?
    If you didn't format the entire disk after recreating a fresh partition table, bad code could be hiding. Reusing swap shouldn't matter, but just overwriting files on /boot or / won't remove old files that aren't updated. This is a "feature."

    Quote Originally Posted by random turnip View Post
    I'm probably being paranoid, but I don't want to risk anything (especially ransomware) spreading onto my main desktop. Are there any free programs you would recommend running to double check before linking the laptop to my network? Am I just being silly and paranoid over nothing?
    The protection for ransomware is to have daily, automatic, versioned backups that are "pulled" by another machine that isn't connected to the internet and runs on a different network. If the desktop/laptop has any access to the backup storage, then it is at risk.

    Well, that and
    * not making mistakes when using any internet connected programs,
    * staying patched
    * avoiding high-risk activities
    * not allowing javascript, flash, or other "objects" to be run inside a non-sandboxed browser
    * using an ad-blocker
    * not clicking on shortened links
    * not downloading software outside the Canonical package management systems
    * run high risk programs inside a mini-container - use firejail or some other outside-the-browser solution. Canonical's snaps have a sandbox built-in. If that isn't too much hassle and doesn't break your workflows, it should be an aid for security. That's the hope.

    If anything funny seems to be happening, you have the backup versions which can be used to compare files from day to day. If you didn't download much and see the daily backups are larger than expected, time to check the backup versions. Efficient backups will let you see what changed on a day to day basis. If you only patch on Saturday and a program changed on Tuesday and you don't remember installing it - malware. Paying attention to a little detail like that.

    Use tools like logwatch to get a daily summary of newly installed packages, hack attempts, errors in the log files and other issues. Takes 30 sec a day to review, if that.

    Nobody is perfect. We miss things. We click on things accidentally, but hopefully not all the time.

    Being a little paranoid isn't bad, but relax until there is really a reason to be paranoid.

  3. #3 (Join Date: Oct 2008; Beans: 250)

    Re: Malware Check on Fresh Lubuntu Install

    Quote Originally Posted by TheFu View Post
    If you didn't format the entire disk after recreating a fresh partition table, bad code could be hiding. Reusing swap shouldn't matter, but just overwriting files on /boot or / won't remove old files that aren't updated. This is a "feature."
    Thanks for all of that, some useful insight.

    Question on formatting; when installing Lubuntu using the standard partition tool, if I selected the old Ubuntu partition to be overwritten by the new Lubuntu one, this isn't as effective at formatting? If not, is there a way to format the hdd in that machine using only that machine? For example, can I use the disk manager and select the whole C drive to be formatted (maybe this is possible using a live dvd)?

    In the meantime I need to make sure I'm backing up more often, I guess.
    Last edited by random turnip; November 25th, 2019 at 11:02 AM.

  4. #4 (Join Date: Mar 2010; Location: Squidbilly-Land; Beans: Hidden!; Distro: Ubuntu)

    Re: Malware Check on Fresh Lubuntu Install

    The protection for ransomware is to have daily, automatic, versioned, backups that are "pulled" by another machine that isn't connected to the internet and runs on a different network. If the desktop/laptop has any access to the backup storage, then it is at risk.
    If you aren't doing that, then I think you are ill prepared for malware. Good backup tools will finish the daily backups in 1-20 minutes. It isn't a big deal, nor should it take 10 hrs if you do them efficiently. There are lots and lots of different techniques discussed in these forums. I like the LVM-snapshot + rdiff-backup method.

    If you don't format a partition, then it won't be wiped of data without actually, manually, wiping the data. Deleting a running OS will leave things behind, since ... you will be deleting the running OS. Boot from alternate media if you want to wipe a partition that is in use. If you want to format a disk during install, then either the "Use Whole Disk" or "Do something Else" option is needed.

  5. #5 (Join Date: Nov 2008; Location: Boston MetroWest; Beans: 16,326)

    Re: Malware Check on Fresh Lubuntu Install

    If your /home is mounted from a separate partition from the root filesystem ("/"), then some squirrely things might be hiding there.

  6. #6 (Join Date: Oct 2008; Beans: 250)

    Re: Malware Check on Fresh Lubuntu Install

    Quote Originally Posted by TheFu View Post
    If you aren't doing that, then I think you are ill prepared for malware. Good backup tools will finish the daily backups in 1-20 minutes. It isn't a big deal, nor should it take 10 hrs if you do them efficiently. There are lots and lots of different techniques discussed in these forums. I like the LVM-snapshot + rdiff-backup method.

    If you don't format a partition, then it won't be wiped of data without actually, manually, wiping the data. Deleting a running OS will leave things behind, since ... you will be deleting the running OS. Boot from alternate media if you want to wipe a partition that is in use. If you want to format a disk during install, then either the "Use Whole Disk" or "Do something Else" option is needed.
    I see; I wrongly assumed this would effectively format that partition. I think I'll go on the safe side and format the HDD and re-install to ease my mind.
    Quote Originally Posted by SeijiSensei View Post
    If your /home is mounted from a separate partition from the root filesystem ("/"), then some squirrely things might be hiding there.
    Where is the root file system stored by default, and how do I check?
    As mentioned, I think I'm going to format the whole drive to be 100% that there's nothing wrong, just because I know I'll be paranoid if I don't.


    Thank you both for the help so far.

  7. #7 (Join Date: Mar 2010; Location: Squidbilly-Land; Beans: Hidden!; Distro: Ubuntu)

    Re: Malware Check on Fresh Lubuntu Install

    Quote Originally Posted by random turnip View Post
    Where is the root file system stored by default and how to I check?
    As mentioned, I think I'm going to format the whole drive to be 100% that there's nothing wrong, just because I know I'll be paranoid if I don't.
    / == the root file system
    /root == root account HOME directory
    /home == normal file system for non-root users' HOMEs. Not mandatory that it be /home/.

    Where is it? It is just a partition on storage, SATA, HDD, or NVMe, somewhere. On the running system, df -Th will show which partition is mounted to which directory.
    You can also use lsblk or parted or fdisk to see the partitions or decipher the /etc/fstab config file entries.

    / is the only file system which must exist. All other file systems on any Unix machine will be mounted somewhere below /. It is like the root of a pine tree. All the branches have to connect to that.
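    A small script, added here and not part of TheFu's reply, that turns the df/lsblk/fstab advice into a check for the case SeijiSensei raised: it reports which device backs / and /home, says whether /home is a separate filesystem, and lists active swap devices (the zram ones asked about later included). The device names and listings are constructed samples in /proc/mounts and /proc/swaps format; pass "" instead to read the live system.

```shell
#!/bin/sh
# Added example, not TheFu's own code: answer "where is / and is /home a
# separate partition?" from the same sources the post names. The functions
# take a /proc/mounts or /proc/swaps style listing as their argument so the
# samples below run anywhere; pass "" to read the live system instead.

# Print "<mountpoint> <device> <fstype>" for / and, if present, /home.
mount_layout() {
    mounts=${1:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk '$2 == "/" || $2 == "/home" { print $2, $1, $3 }'
}

# "yes" when /home is its own filesystem (the case SeijiSensei's post warns
# about: a reinstall that only formats / leaves it untouched), else "no".
separate_home() {
    mount_layout "$1" | awk 'BEGIN { r = "no" } $1 == "/home" { r = "yes" } END { print r }'
}

# Print the active swap devices; zram* entries are compressed RAM, not disk,
# so they hold nothing across a reboot.
swap_devices() {
    swaps=${1:-$(cat /proc/swaps)}
    printf '%s\n' "$swaps" | awk 'NR > 1 { print $1 }'
}

# Constructed sample: / and /home on separate partitions of one disk.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda6 /home ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Constructed sample: everything on a single partition.
SAMPLE_SINGLE='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'

# Constructed sample in /proc/swaps format: zram plus a disk swap partition.
SAMPLE_SWAPS='Filename        Type        Size    Used    Priority
/dev/zram0      partition   524284  0       100
/dev/sda5       partition   2097148 0       -2'

mount_layout "$SAMPLE_MOUNTS"
echo "separate /home: $(separate_home "$SAMPLE_MOUNTS")"
swap_devices "$SAMPLE_SWAPS"
```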

  8. #8 (Join Date: Oct 2008; Beans: 250)

    Re: Malware Check on Fresh Lubuntu Install

    Quote Originally Posted by TheFu View Post
    / == the root file system
    /root == root account HOME directory
    /home == normal file system for non-root users' HOMEs. Not mandatory that it be /home/.

    Where is it? It is just a partition on storage, SATA, HDD, or NVMe, somewhere. On the running system, df -Th will show which partition is mounted to which directory.
    You can also use lsblk or parted or fdisk to see the partitions or decipher the /etc/fstab config file entries.

    / is the only file system which must exist. All other file systems on any Unix machine will be mounted somewhere below /. It is like the root of a pine tree. All the branches have to connect to that.
    I see.
    It's all just on a single internal HDD.

    I'm currently in the KDE partition manager. I can delete the main partition of the drive, but there are 2 more called "extended" and "linuxswap" that it won't let me do anything with for some reason. There are also 2 unknown devices that I don't understand, which also seem to have just Linux swap partitions on?

    Here's a screenshot...
    https://www.reddit.com/r/Ubuntu/comm...m_source=share

    Edit
    I ran
    Code:
    sudo swapoff -a
    However, I'm still not entirely sure whether I should also format the zram0 and zram1 drives. I want to be thorough and nuke the whole drive, so I feel like I should, but some forum posts suggest this might not be a good idea. I can't understand why it could do any damage when my whole aim is to destroy all data on the system.
    Last edited by random turnip; November 27th, 2019 at 09:47 PM.

  9. #9 (Join Date: Mar 2010; Location: Squidbilly-Land; Beans: Hidden!; Distro: Ubuntu)

    Re: Malware Check on Fresh Lubuntu Install

    Deleting a partition just modifies the partition table and the backup copy of it. It doesn't delete any data.
    If you want to actually wipe an entire storage device, then you must boot from other media, like a Try Ubuntu flash drive, then overwrite the entire internal disk using something like /dev/null or /dev/urandom as the source of the data to be written.

    If I'm keeping the disk, I wouldn't bother with all that. I'd just let the installer use the entire disk, use LVM + encrypt the entire drive. That would overwrite everything with junk/encryption and format everything.

    If I'm selling an old HDD ... well, I don't do that. I drill (6) 3/4 inch holes through all disks and drop them in the recycle bin.
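    An added example, not TheFu's code, for the whole-device overwrite described in this post and in #4 (boot from other media, then overwrite the internal disk): a wipe function with the refusals a careful operator wants before destroying a disk, which are that the target is named explicitly and exists, is not mounted, and is not active swap. It fills from /dev/zero by default or /dev/urandom if asked, assumes util-linux's blockdev is available for real block devices, and its self-check runs against a temporary file rather than a disk.

```shell
#!/bin/sh
# Added example, not TheFu's own code. Overwrites an entire storage device
# from a live session (never the disk the running system is on), after the
# refusals a careful operator wants: an explicit, existing target that is
# not mounted and not active swap. Fill from /dev/zero by default; pass
# /dev/urandom as the second argument for a random fill.

# Exit 0 if any entry in file $2 (/proc/mounts or /proc/swaps format) names
# device $1 or a partition on it, e.g. /dev/sda also matches /dev/sda1.
device_in_use() {
    [ -r "$2" ] && awk -v d="$1" 'index($1, d) == 1 { f = 1 } END { exit !f }' "$2"
}

# Size in bytes: util-linux blockdev for a block device (assumed installed),
# wc -c for a regular file (what the self-check uses instead of a disk).
device_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# wipe_device DEVICE [SOURCE]: returns 2 on bad arguments, 1 when refused,
# otherwise dd's status. From a live session: sudo sh -c '. ./wipe.sh; wipe_device /dev/sdX'
wipe_device() {
    dev=$1; src=${2:-/dev/zero}
    [ -n "$dev" ] || { echo "usage: wipe_device DEVICE [SOURCE]" >&2; return 2; }
    [ -e "$dev" ] || { echo "no such device: $dev" >&2; return 2; }
    if device_in_use "$dev" /proc/mounts; then
        echo "$dev is mounted; boot from other media first" >&2; return 1
    fi
    if device_in_use "$dev" /proc/swaps; then
        echo "$dev is active swap; run 'sudo swapoff -a' first" >&2; return 1
    fi
    size=$(device_size "$dev") || return 1
    # Write exactly $size bytes so the partition table and every partition
    # (including any merely "deleted" earlier) are overwritten, and dd stops
    # cleanly at the end of the medium instead of erroring out.
    head -c "$size" "$src" | dd of="$dev" bs=1048576 conv=fsync 2>/dev/null
}
```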
