Page 3 of 3 (results 21 to 24 of 24)

Thread: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

  1. #21
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    If you are compromised, running tools on the same system using the same installed OS is never a way to know. Boot from an ISO, install any rootkit detector if you feel strongly about this, and have it scan the connected storage. I doubt anything will be found. Most of the rootkit search tools have many false positives, so plan to look up each report and see what the false positives for it look like.

    My #1 security tool is versioned backups. If I thought a system were compromised recently, I'd compare all the files on the current system with all the files from a prior "known clean" backup. Any files that are different are suspect. Most of the time, I'll recognize any files that have changed recently, especially programs. I don't allow patching daily, so any updates that happened since the most recent patch day, including snaps, would be highly suspect. I only allow snap updates to happen on early Saturday mornings. The logs show snap updates happening a few minutes after midnight on Saturday mornings. Anyway, with versioned backups, comparisons are possible.

    Of course, before doing the comparisons, boot from a new ISO. Wouldn't want to connect to the backup storage for the comparisons on a system with active malware/cryptoware or just a nasty virus.

    So, ensure you have a flash drive to boot from available and ready, always.

    The last time I had a virus was over 20 yrs ago and my versioned backups made determining what they'd tried to accomplish and where they'd dropped their temporary files pretty easy. My laptop was hacked at a security conference a few years ago. I'd wiped the system completely and did a fresh install, applied all patches the day before leaving. However, I didn't disable bluetooth and during the king of the hill contest, one of the other teams was hacking all their competition. They got into my laptop. I don't use BT and hadn't in a few years prior to then, but the default Ubuntu desktop install enabled it. I forgot to disable it. Sigh.
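The comparison TheFu describes, as an added example that is not part of the thread: a small POSIX shell script to run from a live ISO session, with the known-clean backup and the suspect root both mounted read-only. It hashes every regular file in each tree, reports what was added, removed or changed, and separately lists files modified after a given timestamp (the "since the last patch day" triage). The mount points and the timestamp are placeholders; `sha256sum`, `find -newermt` and `xargs -r` are the GNU versions Ubuntu ships.

```shell
#!/bin/sh
# Added example (not from the thread): compare a suspect root filesystem against a
# known-clean backup. Run from a live ISO with the backup at $1 and the suspect root
# at $2, never from the suspect OS itself. Mount points below are assumptions.

# hash_tree ROOT: emit "relative-path<TAB>sha256" for every regular file under ROOT,
# sorted by path. -xdev stays on one filesystem; /proc, /sys, /dev, /run and /tmp are
# pruned because they are pseudo-filesystems or scratch space and never worth hashing.
hash_tree() (
    cd "$1" || return 1
    find . -xdev \( -path ./proc -o -path ./sys -o -path ./dev -o -path ./run -o -path ./tmp \) -prune \
         -o -type f -print0 \
        | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum -- \
        | awk '{ h = $1; sub(/^[0-9a-f]+  /, ""); print $0 "\t" h }'
)

# tree_diff CLEAN SUSPECT: one line per path, prefixed ADDED, REMOVED or CHANGED.
# Anything listed is suspect; expected package updates have to be recognised by hand
# (or cross-checked against dpkg's own file lists), exactly as the post says.
tree_diff() {
    clean_list=$(mktemp) || return 1
    susp_list=$(mktemp) || return 1
    hash_tree "$1" > "$clean_list"
    hash_tree "$2" > "$susp_list"
    awk -F'\t' '
        FILENAME == ARGV[1] { clean[$1] = $2; next }   # first file: the known-clean tree
        {
            if (!($1 in clean))        print "ADDED\t" $1
            else if (clean[$1] != $2)  print "CHANGED\t" $1
            seen[$1] = 1
        }
        END { for (p in clean) if (!(p in seen)) print "REMOVED\t" p }
    ' "$clean_list" "$susp_list" | LC_ALL=C sort
    rm -f "$clean_list" "$susp_list"
}

# changed_since ROOT "YYYY-MM-DD HH:MM": regular files under ROOT modified after that
# time (GNU find -newermt). mtimes can be forged by an attacker, so this is a triage
# list to read alongside tree_diff output, not proof of anything on its own.
changed_since() (
    cd "$1" || return 1
    find . -xdev \( -path ./proc -o -path ./sys -o -path ./dev -o -path ./run -o -path ./tmp \) -prune \
         -o -type f -newermt "$2" -print | LC_ALL=C sort
)

# Typical use from the live session (paths are placeholders):
#   tree_diff /mnt/backup-2024-06-01 /mnt/suspect-root
#   changed_since /mnt/suspect-root "2024-06-01 00:00"
if [ "$#" -eq 2 ]; then
    tree_diff "$1" "$2"
fi
```

`sha256sum` escapes file names containing backslashes or newlines with a leading `\`; such paths still compare correctly but print in that escaped form.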

  2. #22
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Thank you very much TheFu for taking the time to give me good advice. I wanted to boot with my Ubuntu 24.04 USB key but since my USB key is not "read only", I did not know (in case my system was really infected) if there was a chance that it could get infected and decided to just try what the community recommended to me. Before, I was only on Linux but as a simple user and never experienced anything similar to that. Also, Ubuntu 24.04 is new and could still have some bugs like any new distro. I am back to Linux because of Windows 11 and since the present "threats" to Linux are different from past ones, I purchased some books about Linux security and system hardening (got them from Humble Bundle). I know what to do and what not to do on a Windows PC, but not on a Linux one. This way I will have a better understanding of a modern Linux system and be ready for when I'll need to check on some stuff.

    Again, thank you very much TheFu 👍

  3. #23
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    If you boot off the USB, then it is extremely unlikely that any infection will move into that OS or storage. That isn't how viruses work. If the code used for booting isn't infected, then you won't have any security issues. Of course, if you create the flash drive using the suspect computer, that isn't good, but I've never heard of any attack going after the ISO "burn" process for any Linux ISO being placed onto a flash drive. Perhaps someone else has and can enlighten us. Plus, ISO files are read-only, so when they are placed onto the flash storage, they remain read-only unless you do something extra. I usually use the cp command to put the ISO file onto a flash drive. Much easier for me than trying to use some complex tool just for 1 purpose. To each their own.

    Foundational books for Unix/Linux are great. They teach ideas, but not specifics that are current. Keep that in mind. By the time most computer books are printed, they are nearly out of date. If the edition of the book was printed 2 yrs ago, use the ideas, but don't expect specific commands to work, unless they are 20+ yr old Unix commands. Of course, sometimes we get lucky.
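The "cp the ISO onto the flash drive" procedure from the post above, as an added example that is not part of the thread: verify the downloaded image against the published SHA256SUMS entry before writing it, refuse to write to a device that has anything mounted, and read the stick back afterwards to confirm it carries the image byte for byte. File names and `/dev/sdX` are placeholders; the SHA256SUMS file is assumed to be the one published beside the ISO and, ideally, to have had its GPG signature checked first. None of this addresses the other concern in the post (a stick created on an already-compromised machine), which only a clean machine solves.

```shell
#!/bin/sh
# Added example (not from the thread): write an ISO to a flash drive with plain cp
# and verify both the download and the written media. Paths are placeholders.

# verify_iso ISO SHA256SUMS: does the local file's hash match the published entry?
# The entry is looked up by file name (Ubuntu's lines look like "<hash> *<name>").
verify_iso() {
    expected=$(grep -F -- "$(basename -- "$1")" "$2" | awk '{ print $1 }' | head -n 1)
    actual=$(sha256sum -- "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# write_iso ISO DEVICE: refuse if DEVICE or any partition on it is mounted (writing the
# wrong /dev/sdX is the classic way to lose a data disk), then copy the image to the
# whole device, never a partition, and flush it to the medium.
write_iso() {
    if [ -b "$2" ] && grep -qs "^$2" /proc/mounts; then
        echo "write_iso: $2 has mounted partitions, refusing" >&2
        return 1
    fi
    cp -- "$1" "$2" && sync
}

# verify_written ISO DEVICE: compare the first size(ISO) bytes of the device with the
# image; the stick is normally larger than the image, so only that prefix matters.
# Right after cp the read may be served from the page cache; unplug and replug the
# drive (or drop caches) first if you want a read from the medium itself.
verify_written() {
    size=$(stat -c %s -- "$1") || return 1
    cmp -n "$size" -- "$1" "$2"
}

# Typical sequence on the machine building the rescue stick:
#   verify_iso ubuntu-24.04-desktop-amd64.iso SHA256SUMS && \
#   write_iso ubuntu-24.04-desktop-amd64.iso /dev/sdX && \
#   verify_written ubuntu-24.04-desktop-amd64.iso /dev/sdX
```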

  4. #24
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello currentshaft, sorry for the time it took to try those commands. All looks good from what I can see. I will not go any further in this post, I already flagged it as "Solved" but I still wanted to thank you for your help. I will most likely see this as a "new distro" bug since that is the case for Ubuntu 24.04 and just downgrade to Ubuntu 22.04 for a couple of months. Have a good week.
