Thread: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

  1. #11
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    The funniest thing is that I was about to install Chkrootkit because of last week's incident lol. I will do that now, but if I was infected by something, I will delete my old Clonezilla backups and start fresh. For the "last" command, I only learned about it like a week ago and I did not think about it. I was away from Linux for a couple of years and before that I never had to review command lines, do an inspection of processes or anything alike. I had ClamAV and Chkrootkit installed and everything was always ok.

  2. #12
    Join Date
    Jul 2005
    Location
    I think I'm here! Maybe?
    Beans
    Hidden!
    Distro
    Xubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Why do you believe that you need ClamAV and Chkrootkit installed, and presumably run occasionally?
    I suspect you will find few if any users of a normal desktop version of any of the 'buntu family of OSs would recommend either of them as being necessary, though this may be different if you run a mail server supporting users of Windows machines, when ClamAV might be considered.

    I have never in my 19 years of using Ubuntu or any of the other 'buntu OSs used ClamAV or Chkrootkit, but I admit to never running a WAN server of any kind, though I do run a LAN media server to my own smartTV but never over the open network.

  3. #13
    #&thj^%
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by ajgreeny View Post
    Why do you believe that you need ClamAV and Chkrootkit installed, and presumably run occasionally?
    I suspect you will find few if any users of a normal desktop version of any of the 'buntu family of OSs would recommend either of them as being necessary though this may be different if you run a mail server supporting users of Windows machines.

    I have never in my 19 years of using Ubuntu or any of the other 'buntu OSs used ClamAv or Chkrootkit but I admit to never running a WAN server of any kind though I do run a LAN media server to my own smartTV but never over the open network.
    +100. That's not really an audit I would need to run. Nicely put, ajgreeny.

    Here are a few of the many many tools:
    Code:
    Suggested packages:
      apt-listbugs  debsums   samhain  fail2ban   gksu             | ktsuss
      debsecan      tripwire  aide     menu-l10n  | kde-cli-tools lynis
    Code:
    apt policy lynis
    lynis:
      Installed: 3.1.1-1
      Candidate: 3.1.1-1
      Version table:
     *** 3.1.1-1 500
            500 http://us.archive.ubuntu.com/ubuntu oracular/universe amd64 Packages
            100 /var/lib/dpkg/status
    Code:
    apt show lynis
    Package: lynis
    Version: 3.1.1-1
    Priority: optional
    Section: universe/utils
    Origin: Ubuntu
    Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
    Original-Maintainer: Marc Dequènes (Duck) <Duck@DuckCorp.org>
    Bugs: https://bugs.launchpad.net/ubuntu/+filebug
    Installed-Size: 1,675 kB
    Depends: e2fsprogs
    Recommends: menu
    Suggests: dnsutils, apt-listbugs, debsecan, debsums, tripwire, samhain, aide, fail2ban
    Homepage: https://cisofy.com/lynis/
    Download-Size: 227 kB
    APT-Manual-Installed: yes
    APT-Sources: http://us.archive.ubuntu.com/ubuntu oracular/universe amd64 Packages
    Description: security auditing tool for Unix based systems
     Lynis is an auditing tool for hardening GNU/Linux and Unix based systems.
     It scans the system configuration and creates an overview of system information
     and security issues usable by professional auditors.
     It can assist in automated audits.
     .
     Lynis can be used in addition to other software, like security
     scanners, system benchmarking and fine-tuning tools.

  4. #14
    currentshaft Guest

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by jeantasse View Post
    Hello to all, hope everyone is having a good week up to now. Starting with the latest kernel updates, 2 weird things have happened to me. The first one was last week: I was just watching a video on Instagram when suddenly a window appeared and asked for my password to perform an operation (see the attached file). I stopped everything and used Clonezilla to return to a backup of the week before. I did not go on my PC before yesterday, so when I connected I did all the security updates (including kernel updates); everything seemed fine, but later in the evening I was listening to music, my screen closed to save energy, and when I came back I moved the mouse for the screen to re-appear and there was a window telling me "tls certificate error". I did not have time to take a screenshot and I did not know what to look for in the process list.

    Like I said, last week I used Clonezilla to restore my Ubuntu disk and did the same with the Windows disk, and just to be sure I re-flashed my BIOS, because after the first incident, each time I was booting and it came to grub, my CPU fan was running abnormally fast, as if there was an intense CPU workload.

    I do not want to be paranoid, but 2 weird things happening like that after kernel updates is starting to remind me of the "YZ" backdoor problem we had in April. I am not saying that it's that (XZ), but I am wondering if someone did something similar to the kernels.

    Did something like that happen to anyone else in the last 2-3 weeks?

    Should I be posting this in the security section?

    Cheers
    You are being overly cautious. None of the behaviors you described indicate any compromise. Run "sudo lsof -Pni" to check for network listeners, "ps -ef" to see running processes, and check /var/log/ for privileged user actions if you want some basic peace of mind, though.

  5. #15
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Sorry for the wait. For the last command, my output is similar to yours: it's either me, reboot or shutdown all the way from the month of May. Thanks for the suggestion.

  6. #16
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello currentshaft, thank you for taking time to look at this. I will take note of your suggested command lines and take a look at the results. Yesterday I installed and ran Chkrootkit; the results are in the 2 images that I have attached. But one thing I do not understand is why suddenly my password is asked for to perform a task while I am simply watching a video, and why I have a tls error window popping out of nowhere. I have used Linux for many years (as a user, not a professional) and I have never experienced things like that in the 3 different distros I have used.

    Again thanks, I will take a look at that.
    Last edited by jeantasse; July 18th, 2024 at 06:42 PM.

  7. #17
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello ajgreeny, thank you for taking time to answer. I did this years ago because I was coming from Windows like a lot of us. I was doing this as prevention, to avoid transferring Windows virus-infected files that I was receiving and transferring to friends/family or work-related. For chkrootkit, again, I did not understand everything Linux-wise years ago. Since with Windows you have an antivirus and some kind of protection for rootkits, I wanted to keep an eye on that. I was not going to use Chkrootkit anymore, but because of those weird things happening, I installed it, ran some tests, and this came out. I know that some of those files are false positives, it happened to me in the past, but still, I wanted to check.

  8. #18
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Thank you for all of those suggestions, I will look into it. And for Chkrootkit and ClamAV, I did this years ago because I was coming from Windows like a lot of us. I was doing this as prevention, to avoid transferring Windows virus-infected files that I was receiving and transferring to friends/family or work-related. For chkrootkit, again, I did not understand everything Linux-wise years ago. Since with Windows you have an antivirus and some kind of protection for rootkits, I wanted to keep an eye on that. I was not going to use Chkrootkit anymore, but because of those weird things happening, I installed it, ran some tests, and this came out. I know that some of those files are false positives, it happened to me in the past, but still, I wanted to check.

  9. #19
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Thanks to everyone for the help. Yesterday I installed and ran Chkrootkit; the results are in the 2 images that I have attached. I do not want to be paranoid, but one thing I do not understand is why suddenly my password is asked for to perform a task while I was just watching a video, and why I have a tls error window popping out of nowhere. I have used Linux for many years (as a user, not a professional) and I have never experienced things like that in the 3 different distros I have used. I am aware that in those results there is a possibility of false positives, but still, here they are.

    So again, thanks to everyone, I have a lot of things to read and a lot of things to try. If things do not seem to be clear enough for me, I will just re-install from scratch to be able to go on with my work.

    Thanks to the community!
    Last edited by jeantasse; July 18th, 2024 at 06:50 PM.

  10. #20
    currentshaft Guest

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by jeantasse View Post
    Thanks to everyone for the help. Yesterday I installed and ran Chkrootkit; the results are in the 2 images that I have attached.
    There's no indication of compromise in them.

    Quote Originally Posted by jeantasse View Post
    I do not want to be paranoid, but one thing I do not understand is why suddenly my password is asked to perform a task while I was just watching a video
    Could be for a variety of reasons, for example apport trying to submit a diagnostic report about a background service that crashed. Check journalctl output next time you see it. Again, I would not worry about it.

    Quote Originally Posted by jeantasse View Post
    and why I have a tls error window popping out of nowhere.
    Probably due to system time being incorrect. No one knows unless you provide more specific details.

    Quote Originally Posted by jeantasse View Post
    I have used Linux for many years (as a user, not a professional) and I have never experienced things like that in the 3 different distros I have used. I am aware that in those results there is a possibility of false positives, but still, here they are.
    If you're worried about system security, there are better uses of your time and resources.
