
Thread: Strange behaviour makes me think of a virus.

  1. #1
    Join Date
    Jun 2020
    Beans
    15

    Strange behaviour makes me think of a virus.

    Okay so I think I have contracted a virus... in my network as well... I have tried to install clamav to see if it picks up something. However it's still going on. Just now Software Center just disappeared, and in general Ubuntu is either really slow... or being weird at log in and shut down. And now the disappearance of Software Center. It was still there a couple of minutes ago and now searching activities it doesn't find anything.

    Furthermore, for a longer time already all my devices have weird window flashes as if something briefly passes by and I got increasingly worried about all of that. Also, sometimes Ubuntu takes a really long time to shut down.

    When it was being really weird it reported problems as well and sent the error reports. So it should at least get logged for the developers.

    However that's no fix. I did mess with wine for a while before all of this started, because I wanted to be able to read an ebook in Linux however that failed. I don't know if it's related but it said somewhere that that could be a real culprit. Also did some SSH with github but shouldn't have been a problem.

    I'm just looking for advice on what I can do if there is a virus present in my network/system. This is because some of the problems have switched to my old laptop with Ubuntu as well. So it did go across to other PCs.

    On my main PC it is set up as Dual Boot. But Windows is doing fine as far as I can tell. I've got professional virus software on Windows as well so if it turned up there I would have a place to turn to. However it's not available for Linux and I don't know what to do if it's related to that.

    Any suggestions?

  2. #2
    Join Date
    Sep 2014
    Location
    United States
    Beans
    362
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Strange behaviour makes me think of a virus.

    Without a virus scan, it's hard to say. There isn't a lot of known malware, but that doesn't mean there isn't any malware.

    eBooks have a reputation for carrying malware. I recommend reinstalling your operating system, as that would likely take care of any configurations changed and give you a fresh new operating system.

  3. #3
    Join Date
    Jun 2020
    Beans
    15

    Re: Strange behaviour makes me think of a virus.

    I reinstalled my operating system on my laptop already, and the first thing I did with it was install clamav and run it. It appeared as if there was a problem with updating ClamAV though, through the GUI clamtk, because the buttons messed up and overlapped each other. But then I did a "freshclam" and it should have been updated. It didn't find anything.

    There was one other thing, on my Windows PC a "cd" was found, even if I don't have a cd drive installed in the hardware at all. I tried some stuff on it, scanning, "destroy it" (an option of Avast), didn't work. Then I just ejected it, and it didn't pop up anymore. But I don't know what it does if Ubuntu sees a cd pop up.

    I'm giving you all the details in the hope that there might be a lead in it.

    However I don't know what more I can do than reinstalling OS and scanning it with clam. And it seems as if it's still present. Or could this disappearance of Software Center just be a bug? Maybe a simple fix?

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Strange behaviour makes me think of a virus.

    I'd assume a hardware failure first. A failing disk or disk controller can cause the behavior you've described. Check that first. Look in the logs (/var/log/*) and use smartctl or Gnome-Disks to check the SMART data for badness.

    As for the video issues - a loose cable or failing PSU or failing GPU can cause that. So can improper GPU drivers. Stay with the drivers provided through Canonical's ubuntu-drivers program.

    Assuming zero HW issues, which I'm unconvinced about still ...

    When you look at your versioned backups, do you see any new files or changes to existing file owners, groups or permissions that don't make sense?

    Doubt you have a virus. Sounds more like a rootkit. There are scanners for rootkits, but for those to be effective, run them from a flash "try ubuntu" boot device. ClamAV searches for Windows viruses, not Linux. WINE is good enough for some Windows viruses to get in. If you remove WINE or just don't run any WINE programs, that should end any Windows viruses. I'd just move the WINE-PREFIX to a different location while testing that hypothesis.

    Jumping to other systems could just be coincidence. Over the last 3 weeks, I've had 3 HDDs failing. They were completely disconnected events, but if I were superstitious, I'd think some relation existed. Yesterday, got a warning about another HDD having SMART errors. Is that connected? Nope. It is just a 6 yr old HDD nearing end of life.

    I'm not saying there aren't Linux viruses, but usually those don't happen. A worm or rootkit is much more likely. Linux systems are most useful as C&C (command and control) for huge botnets.
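
The SMART check suggested in post #4, as an added example that is not part of the original thread: it triages the JSON that `sudo smartctl --json -H -A /dev/sdX` prints. It assumes smartmontools 7.0 or later (older releases have no JSON output) and an ATA disk; the function name, the watched-attribute list and the sample report are constructed for illustration.

```python
import json

# Attributes whose non-zero raw value commonly points at a degrading disk
# (this selection is an assumption of the example, not a vendor rule).
WATCHED_IDS = {5, 187, 197, 198}


def triage_smart(report):
    """Return human-readable findings from a parsed smartctl JSON report."""
    findings = []
    if report.get("smart_status", {}).get("passed") is False:
        findings.append("overall health self-assessment FAILED")
    for attr in report.get("ata_smart_attributes", {}).get("table", []):
        raw = attr.get("raw", {}).get("value", 0)
        if attr.get("id") in WATCHED_IDS and raw > 0:
            findings.append(f"{attr['name']} raw value {raw}")
        # when_failed is an empty string unless the normalised value
        # has crossed the vendor threshold now or in the past.
        if attr.get("when_failed"):
            findings.append(f"{attr['name']} threshold failed: {attr['when_failed']}")
    return findings


# Constructed sample: health still reports "passed" while sectors are pending.
SAMPLE = json.loads("""
{
  "smart_status": {"passed": true},
  "ata_smart_attributes": {"table": [
    {"id": 5,   "name": "Reallocated_Sector_Ct",  "when_failed": "", "raw": {"value": 0}},
    {"id": 9,   "name": "Power_On_Hours",         "when_failed": "", "raw": {"value": 52000}},
    {"id": 197, "name": "Current_Pending_Sector", "when_failed": "", "raw": {"value": 8}},
    {"id": 198, "name": "Offline_Uncorrectable",  "when_failed": "", "raw": {"value": 8}}
  ]}
}
""")

if __name__ == "__main__":
    for finding in triage_smart(SAMPLE) or ["no SMART findings"]:
        print(finding)
```
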

  5. #5
    Join Date
    Jun 2020
    Beans
    15

    Re: Strange behaviour makes me think of a virus.

    Okay, I found that a program chkrootkit can check for those. However it appears it's not as simple as "try Ubuntu" and then sudo apt install chkrootkit. Cause it can't find it. Do I have to somehow include it on the USB I'm booting from?

    It continues doing all kinds of weird stuff by the way. Now also before logging into Windows.
    Last edited by snorretik; June 20th, 2020 at 05:18 PM.

  6. #6
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    13,611
    Distro
    Ubuntu

    Re: Strange behaviour makes me think of a virus.

    Most likely need to enable the universe repository.
    Steps would be
    Code:
    sudo add-apt-repository universe
    sudo apt update
    sudo apt install chkrootkit
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  7. #7
    Join Date
    Jun 2020
    Beans
    15

    Re: Strange behaviour makes me think of a virus.

    Okay thanks, I was able to run both chkrootkit and rkhunter. Now it gave me some results:
    - Chkrootkit seems like it hasn't found that much. Two suspicious files/directories, I wrote them down. And at some point it says "Warning: Possible LKM Trojan installed". And nothing deleted it says. However I don't really know what to look for. But it didn't have obvious "infected" flags.
    - Rkhunter was also run. It has a system checks summary. It says it checked 142 files. Found 1 suspect file. Then Rootkit checks, checked: 477, possible rootkits: 6.

    I copied the whole terminal window. I was told to run cat as well and that displayed the log file I believe. Copied that with it. So I've got the whole record I guess. But I don't know what to look for or how to fix the issues. There's a lot of documentation on it but that's going to take a really long time. If anybody can explain to me clearly what to do with this info or how to actually fix this I would really appreciate it. And prevent this from happening again.

    Edit:
    @TheFu, I wasn't keeping versioned backups as far as I know. I had some important files backed up and that was it. When this is over I'll consider doing something like that.
    Last edited by snorretik; June 20th, 2020 at 07:46 PM.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Strange behaviour makes me think of a virus.

    Try Ubuntu booting uses an overlay file system. This is handy in that the iso cannot be compromised assuming it came from a reputable source and the signature has been cryptographically validated. In 20.04 that happens automatically.

    But the environment won't remember anything installed after a reboot. So you'll need to enable a repo, install some root-kit scanners, run those and clean up whatever they find. When you reboot, those installs and repo changes are lost.

    I still think there is a HW problem. Did you look at the logs? Did you look at the HDD SMART data?

    All the root-kit scanners are known for false positives. The fix is to wipe the disk and restore from backups prior to the issues happening. Daily, automatic, versioned, backups, "pulled" by another system, are the #1 security technique for all Unix-based OSes. Don't use network storage that the client machine can access, since then the infected client can destroy all the backups too. The backup server needs to "pull" the backups and not allow any clients direct access in.

    Backups have all sorts of uses. This morning a 20.04 weekly patch went very wrong here and left me without any kernels. After 30 minutes trying to fix it, I gave up and wiped the machine, did a fresh install and restored my backups from last night into it. Took 30 min.

    Nobody can tell you how to prevent stuff from happening without knowing what you did. I haven't used AV on any desktop systems since about 2012 when my last contract that mandated professional liability insurance ended.

    Update: I don't do high risk behaviors like allowing javascript to run from most websites or allowing any flash or java. Don't use social networks at all. My Windows systems are never used online except to do non-email and non-browser things. Not everyone can make these choices.
    Last edited by TheFu; June 20th, 2020 at 10:12 PM. Reason: s/later/after a reboot/ and grammar
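
The versioned-backup comparison raised in posts #4 and #8 (new files, or owner, group and permission changes that don't make sense), as an added example that is not part of the original thread. It assumes two snapshot directories that preserve ownership and modes; the function names and the sample manifests are hypothetical.

```python
import os
import stat


def manifest(root):
    """Map each path under root to (uid, gid, mode), not following symlinks."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries[os.path.relpath(full, root)] = (st.st_uid, st.st_gid, st.st_mode)
    return entries


def compare_snapshots(old, new):
    """Return (kind, path, detail) tuples for metadata differences."""
    findings = []
    for path in sorted(new):
        uid, gid, mode = new[path]
        if path not in old:
            findings.append(("new", path, f"{uid}:{gid} {stat.filemode(mode)}"))
            continue
        o_uid, o_gid, o_mode = old[path]
        if (o_uid, o_gid) != (uid, gid):
            findings.append(("owner", path, f"{o_uid}:{o_gid} -> {uid}:{gid}"))
        if o_mode != mode:
            # A newly set setuid/setgid bit deserves a louder label
            # than an ordinary permission change.
            gained = (mode & ~o_mode) & (stat.S_ISUID | stat.S_ISGID)
            kind = "setid-added" if gained else "mode"
            findings.append((kind, path, f"{stat.filemode(o_mode)} -> {stat.filemode(mode)}"))
    findings += [("removed", path, "") for path in sorted(set(old) - set(new))]
    return findings


if __name__ == "__main__":
    # Constructed manifests; on real snapshots use manifest("/path/to/snapshot").
    older = {"usr/bin/tool": (0, 0, 0o100755)}
    newer = {"usr/bin/tool": (1000, 0, 0o104755), "tmp/.cache": (1000, 1000, 0o100700)}
    for kind, path, detail in compare_snapshots(older, newer):
        print(f"{kind:12} {path}  {detail}")
```

Run it as root against the two snapshot roots so every file can be read; differences still need to be checked against package updates made between the two backups.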

  9. #9
    Join Date
    Jun 2020
    Beans
    15

    Re: Strange behaviour makes me think of a virus.

    Lol I tried typing it down but I think it became too much information. The first reaction I had is that because I have a relatively new PC I didn't mind reinstalling the OS etc. I had a couple of files that I wanted. And then I did a full factory reinstall.

    So actually if I could wipe in the same way you did I would be glad to. Makes it a lot less complicated. But I have heard that there is possible malware that hides on your network. Then I wouldn't know what to do anymore. But as you said it could be a coincidence.

    Edit: I didn't check for hardware yet. So I'll do that now.

    Edit 2:
    There is something going on though. Which I wanted to try and solve with a factory reset. It's a few partitions I can't seem to delete or do anything at all with. And I do remember having tinkered with some online guide in the partitioning when trying to install Ubuntu. Afterwards it was no longer necessary because it recognized the Windows OS and could install next to it. But at first it didn't detect it yet. Yeah there's all kinds of stuff that could've gone wrong now that I think of it... there's other stuff too. Like it freezing my pc until I changed some BIOS settings to legacy.

    Anyway, when I go to var log there's crosses there on 3 directories and 3 files. I don't know if that's good. Also when I boot Ubuntu from my USB it does disk checks and it says it finds 1 problem and that "it could result in errors".
    Last edited by snorretik; June 20th, 2020 at 09:12 PM.

  10. #10
    Join Date
    Jul 2005
    Location
    I think I'm here! Maybe?
    Beans
    Hidden!
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: Strange behaviour makes me think of a virus.

    The problem found when booting your USB means there is a problem in that USB live system, not necessarily in your installed system, and may have nothing to do with your installed OS, unless, of course, it is the same USB medium you used to install your OS.
