Page 1 of 3 123 LastLast
Results 1 to 10 of 24

Thread: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

  1. #1
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    --
    Edit July 18 13h50 Thanks to everyone for their help and suggestions. The problem is "not solved" per say, but through the suggestions I received, I have enough stuff to read and to try. Thanks to the community!
    --

    Hello to all, hope everyone is having a good week up to now. Starting with the latest kernel updates, 2 weird things happen to me. The first one was last week, I was just watching a video on Instagram when suddenly a window appears and ask my password to perform an operation(see the attached file). I stopped everything and used Clonezilla to return to a backup of the week before . I did not go on my PC before yesterday, so when I connect I do all the security updates(including kernel updates), everything seems fine but later in the evening I was listening to music, my screen closes to save energy, when I come back I move the mouse for the screen to re-appear and there is a window telling me "tls certificate error", I did not have time to take a screenshot and I did not know what to look for in the process list.

    Like I said, last week I used Clonezilla to restore my Ubuntu disk and did the same with Windows disk and just to be sure I re-flashed my bios because after the first incident, each time I was booting and it came to grub, my cpu fan was running abnormally fast like if there was an intense cpu workload.

    I do not want to be paranoid but 2 weird things happening like that after kernel updates is starting to remind me of the "YZ" backdoor problem we had in April. I am not saying that it's that(XZ), but I am wondering if someone did something similar to the kernels.

    Did something like that happen to anyone else in the last 2-3 weeks?

    Should I be posting this in the security section?

    Cheers
    Attached Images Attached Images
    Last edited by jeantasse; July 18th, 2024 at 11:50 PM.

  2. #2
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Nothing like that has happened here.

    Just to help with your fear on the XZ, ....only if you used during the 24.04 noble *proposed* xz package at that time.

    But now all is patched.
    My Old eyes can't make out what your screenshot shows...

  3. #3
    Join Date
    Jun 2016
    Beans
    2,930
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by 1fallen View Post
    My Old eyes can't make out what your screenshot shows...
    1fallen, it shows what looks like a GNOME PolicyKit type password authentication prompt, which says "Authentication is required to perform file operations".

    I was able to produce this (or at least very very similar looking) by navigating to admin:/// in Thunar and then authorizing starting gvfs-admin.

    Never seen this before, certainly hasn't happened spontaneously here.
    Last edited by halogen2; July 17th, 2024 at 06:48 PM.
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  4. #4
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello 1fallen thank you for taking time to look into this, I think I messed up with the attached file, but for the "XZ" I did not use any old Ubuntu 24.04 beta or proposed package for the XZ. I was simply saying that I am worried that something similar to this could have infiltrated the kernel, but I am not a security expert.
    sudo.jpg
    Last edited by jeantasse; July 17th, 2024 at 07:35 PM.

  5. #5
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by halogen2 View Post

    Never seen this before, certainly hasn't happened spontaneously here.
    Yep I would expect that:
    Code:
    thunar  admin:///
    Thanks halogen2

    I do wonder though if "last" shows anything useful
    Code:
    last
    me       tty7         :0               Wed Jul 17 12:10    gone - no logout
    reboot   system boot  6.8.0-31-generic Wed Jul 17 12:09   still running
    me       tty7         :0               Wed Jul 17 10:04 - 12:08  (02:04)
    reboot   system boot  6.8.0-31-generic Wed Jul 17 10:03 - 12:09  (02:05)
    me       tty7         :0               Tue Jul 16 18:33 - 18:46  (00:12)
    reboot   system boot  6.8.0-31-generic Tue Jul 16 18:33 - 18:46  (00:12)
    me       tty7         :0               Tue Jul 16 18:22 - 18:32  (00:10)
    reboot   system boot  6.8.0-31-generic Tue Jul 16 18:03 - 18:32  (00:29)
    
    wtmp begins Tue Jul 16 18:03:38 2024
    However anything from a browser wanting those permissions is just a plain "NO" here.
    Unless logging in to a trusted site period.

  6. #6
    Join Date
    Jun 2009
    Location
    SW Forida
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Do you have automatic updates on?
    Some updates are considered as new files & require password.

    I only manually update with script that runs updates & housecleaning, so can see exactly what file is asking for password & that is is part of an update. If file is not part of update then it may be an issue.

    Did you click on some phishing email? Most only run Windows .exe files that do not work in Linux both as Windows exe and as missing password to run.
    UEFI boot install & repair info - Regularly Updated :
    https://ubuntuforums.org/showthread.php?t=2147295
    Please use Thread Tools above first post to change to [Solved] when/if answered completely.

  7. #7
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello halogen2, thank you for taking time to look at my case. I never experience something similar in the past with Ubuntu distros or more precisely Ubuntu 22.04, that is why I find it strange and I am a bit worried.
    Here is the screenshot, hopefully I did not messed up this time:
    sudo.jpg

  8. #8
    #&thj^% is offline I Ubuntu, Therefore, I Am
    Join Date
    Aug 2016
    Beans
    Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by jeantasse View Post
    Hello 1fallen thank you for taking time to look into this, I think I messed up with the attached file, but for the "XZ" I did not use any old Ubuntu 24.04 beta or proposed package for the XZ. I was simply saying that I am worried that something similar to this could infiltrated the kernel, but I am not a security expert.
    sudo.jpg
    Not here....at times I have to go to the dark web to have a peek, and I've never or would never allow any permissions or unknown logins.

    I suggest you run some system audits, search and you find many ways to scan your system.

    What about the "last" command, anything strange there?

  9. #9
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    It was a legitimate website, I went there before on Linux with the same browser and it never happened, it just happened that "I was doing that" while it happened and of course I said no. But something on my system wanted permission to act on a "super user" level, that is the thing I do not understand. For last week prompt it's too late, but I will try to check that today for yesterday "tls security error", thanks again
    Last edited by jeantasse; July 17th, 2024 at 07:30 PM.

  10. #10
    Join Date
    Jan 2006
    Location
    Montreal, Quebec, Canada
    Beans
    46
    Distro
    Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello oldfred, thank you for your time. Ubuntu Pro is enable but I chose when to install the updates, which is everyday right after I login, same with snap.
    The only thing a bit out of the ordinary that I do is that I update packages like for example "file roller" that is fileroller-versionXXX to fileroller-versionXXX-ubuntu-1 that are mention/proposed via "apt" that comes from Ubuntu official repo, that I install in synaptic package manager.

    I do not have the "developer" proposed updates enable since it's my working environment and I want it to stay stable. I do not have flatpak enable, I install only via snap or apt/synaptic.

    As for clicking on a "unknow" email link, I never do that. One thing different that I do is that I have a folder with Firefox inside that cannot be opened unless I unlock a specific container, separate from the official Firefox via snap, that I use only for my emails, Instagram or Facebook, never anything else, and no clicking external links or surfing outside of these specific websites.
    Last edited by jeantasse; July 22nd, 2024 at 09:33 PM.

Page 1 of 3 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •