Thread: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

  1. #1
    Join Date: Jan 2006 | Location: Montreal, Quebec, Canada | Beans: 46 | Distro: Ubuntu 24.04 Noble Numbat

    2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    --
    Edit July 18 13h50: Thanks to everyone for their help and suggestions. The problem is "not solved" per se, but through the suggestions I received I have enough stuff to read and to try. Thanks to the community!
    --

    Hello to all, hope everyone is having a good week up to now. Starting with the latest kernel updates, 2 weird things have happened to me. The first one was last week: I was just watching a video on Instagram when suddenly a window appeared and asked for my password to perform an operation (see the attached file). I stopped everything and used Clonezilla to return to a backup from the week before. I did not go on my PC again before yesterday, so when I connected I did all the security updates (including kernel updates). Everything seemed fine, but later in the evening I was listening to music, my screen turned off to save energy, and when I came back and moved the mouse to make the screen reappear there was a window telling me "tls certificate error". I did not have time to take a screenshot and I did not know what to look for in the process list.

    Like I said, last week I used Clonezilla to restore my Ubuntu disk and did the same with the Windows disk, and just to be sure I re-flashed my BIOS, because after the first incident, each time I booted and it came to GRUB, my CPU fan was running abnormally fast, as if there were an intense CPU workload.

    I do not want to be paranoid, but 2 weird things happening like that after kernel updates is starting to remind me of the "XZ" backdoor problem we had in April. I am not saying that it's that (XZ), but I am wondering if someone did something similar to the kernels.

    Did something like that happen to anyone else in the last 2-3 weeks?

    Should I be posting this in the security section?

    Cheers
    Attached Images
    Last edited by jeantasse; July 18th, 2024 at 11:50 PM.

  2. #2
    #&thj^% (I Ubuntu, Therefore, I Am)
    Join Date: Aug 2016 | Beans: Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Nothing like that has happened here.

    Just to help with your fear about XZ: ... only if you used the 24.04 noble *proposed* xz package at that time.

    But now all is patched.
    My Old eyes can't make out what your screenshot shows...

  3. #3
    Join Date: Jun 2016 | Beans: Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by 1fallen View Post
    My Old eyes can't make out what your screenshot shows...
    1fallen, it shows what looks like a GNOME PolicyKit type password authentication prompt, which says "Authentication is required to perform file operations".

    I was able to produce this (or at least very very similar looking) by navigating to admin:/// in Thunar and then authorizing starting gvfs-admin.

    Never seen this before, certainly hasn't happened spontaneously here.
    Last edited by &KyT$0P#; July 17th, 2024 at 06:48 PM.
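    A prompt like the one halogen2 reproduced is raised by the PolicyKit authentication agent on behalf of some other process that asked for an authorization. To find out which process that was, polkitd writes one journal message per successful authentication that names the action id and the requesting process. The filter below is an added example, not something posted in this thread; the journal lines it runs on are constructed to mimic polkitd's "Operator of ... successfully authenticated" messages (the PIDs, session ids and command lines are invented), and the action id org.gtk.vfs.file-operations is assumed to be the one gvfs's admin backend uses, based on the prompt text identified above.

```shell
#!/bin/sh
# Added example, not from the thread: find out which process obtained a
# polkit authorization. polkitd writes one journal message per successful
# authentication naming the action id and the requesting process.
# On the affected machine:
#   journalctl _COMM=polkitd --since "2024-07-16" | polkit_grants

# Print "user action pid=PID cmdline" for every successful authentication.
polkit_grants() {
    sed -n 's/.*authenticated as unix-user:\([^ ]*\) to gain [A-Z-]* authorization for action \([^ ]*\) for unix-process:\([0-9]*\):[0-9]* \[\([^]]*\)].*/\1 \2 pid=\3 \4/p'
}

# Constructed sample journal lines (assumption: modeled on polkitd's message
# format; the host, PIDs, session id and command lines are invented).
SAMPLE_JOURNAL='Jul 17 12:10:05 box polkitd[812]: Registered Authentication Agent for unix-session:2 (system bus name :1.42, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
Jul 17 19:02:41 box polkitd[812]: Operator of unix-session:2 successfully authenticated as unix-user:me to gain ONE-SHOT authorization for action org.gtk.vfs.file-operations for unix-process:4242:1000 [/usr/libexec/gvfsd-admin] (owned by unix-user:me)
Jul 17 19:30:10 box polkitd[812]: Operator of unix-session:2 successfully authenticated as unix-user:me to gain TEMPORARY authorization for action org.freedesktop.packagekit.system-update for unix-process:5150:1000 [/usr/bin/gnome-software --gapplication-service] (owned by unix-user:me)'

# Run the filter over the constructed sample; only the two grants survive.
demo_polkit_grants() {
    printf '%s\n' "$SAMPLE_JOURNAL" | polkit_grants
}

demo_polkit_grants
```

    Two caveats for reading the result on a real machine: a prompt that was cancelled (as the original poster did) leaves no "successfully authenticated" line, so the absence of a match for that moment is expected, and the process named is the one that asked polkit, which for a file-manager operation is gvfs's admin backend rather than the file manager or browser that triggered it. Scope the query with `--since`/`--until` around the time of the prompt rather than reading the whole journal.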

  4. #4
    #&thj^% (I Ubuntu, Therefore, I Am)
    Join Date: Aug 2016 | Beans: Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by halogen2 View Post

    Never seen this before, certainly hasn't happened spontaneously here.
    Yep I would expect that:
    Code:
    thunar  admin:///
    Thanks halogen2

    I do wonder though if "last" shows anything useful
    Code:
    last
    me       tty7         :0               Wed Jul 17 12:10    gone - no logout
    reboot   system boot  6.8.0-31-generic Wed Jul 17 12:09   still running
    me       tty7         :0               Wed Jul 17 10:04 - 12:08  (02:04)
    reboot   system boot  6.8.0-31-generic Wed Jul 17 10:03 - 12:09  (02:05)
    me       tty7         :0               Tue Jul 16 18:33 - 18:46  (00:12)
    reboot   system boot  6.8.0-31-generic Tue Jul 16 18:33 - 18:46  (00:12)
    me       tty7         :0               Tue Jul 16 18:22 - 18:32  (00:10)
    reboot   system boot  6.8.0-31-generic Tue Jul 16 18:03 - 18:32  (00:29)
    
    wtmp begins Tue Jul 16 18:03:38 2024
    However, anything from a browser wanting those permissions is just a plain "NO" here.
    Unless logging in to a trusted site, period.
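    What matters in that `last` listing is the host column: a local graphical session shows the display (":0"), a local text console shows nothing, and anything else is a session that came in over the network. The filter below is an added example, not part of the post above; its input is a constructed sample modeled on the output shown, with one invented remote SSH session (an address from the 203.0.113.0/24 documentation range) added so there is something to catch.

```shell
#!/bin/sh
# Added example, not from the thread: flag entries in `last` output whose
# session did not come from the local display or console.
# On the affected machine:   last -F | flag_remote_sessions
# (and `sudo lastb` for failed login attempts, which live in btmp).

flag_remote_sessions() {
    awk '
        # skip boot/shutdown records, the trailer and blank lines
        /^(reboot|shutdown) / || /^wtmp begins/ || /^$/ { next }
        # local X/Wayland session: host column is a display like ":0"
        $3 ~ /^:[0-9]/ { next }
        # local text console: no host column, so field 3 is already the weekday
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        # anything else carries a remote host name or address
        { print }
    '
}

# Constructed sample, modeled on the `last` output posted above, with one
# invented remote session (pts/1 from 203.0.113.7) added.
SAMPLE_LAST='me       tty7         :0               Wed Jul 17 12:10    gone - no logout
reboot   system boot  6.8.0-31-generic Wed Jul 17 12:09   still running
me       pts/1        203.0.113.7      Wed Jul 17 03:14 - 03:20  (00:06)
me       tty1                          Tue Jul 16 18:22 - 18:32  (00:10)
shutdown system down  6.8.0-31-generic Tue Jul 16 18:32 - 18:33  (00:01)

wtmp begins Tue Jul 16 18:03:38 2024'

# Run the filter over the constructed sample; only the pts/1 line survives.
demo_flag_remote_sessions() {
    printf '%s\n' "$SAMPLE_LAST" | flag_remote_sessions
}

demo_flag_remote_sessions
```

    Keep in mind what wtmp can and cannot tell you: it records login sessions, so a process asking for polkit authorization inside your own desktop session never appears there, and the "wtmp begins" line shows the file was rotated, so older sessions are in /var/log/wtmp.1 (`last -f /var/log/wtmp.1`). An attacker who already has root can also edit wtmp, so a clean listing is evidence, not proof.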

  5. #5
    Join Date: Jan 2006 | Location: Montreal, Quebec, Canada | Beans: 46 | Distro: Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    It was a legitimate website; I went there before on Linux with the same browser and it never happened. It just happened that "I was doing that" while it happened, and of course I said no. But something on my system wanted permission to act at a "super user" level, that is the thing I do not understand. For last week's prompt it's too late, but I will try to check that today for yesterday's "tls security error". Thanks again.
    Last edited by jeantasse; July 17th, 2024 at 07:30 PM.

  6. #6
    Join Date: Jan 2006 | Location: Montreal, Quebec, Canada | Beans: 46 | Distro: Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Sorry for the wait. For the last command, my output is similar to yours: it's either me, reboot or shutdown all the way from the month of May. Thanks for the suggestion.

  7. #7
    Join Date: Jan 2006 | Location: Montreal, Quebec, Canada | Beans: 46 | Distro: Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello halogen2, thank you for taking the time to look at my case. I never experienced something similar in the past with Ubuntu distros, or more precisely Ubuntu 22.04; that is why I find it strange and I am a bit worried.
    Here is the screenshot, hopefully I did not mess up this time:
    sudo.jpg

  8. #8
    Join Date: Jan 2006 | Location: Montreal, Quebec, Canada | Beans: 46 | Distro: Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Hello 1fallen, thank you for taking the time to look into this. I think I messed up with the attached file, but for "XZ" I did not use any old Ubuntu 24.04 beta or proposed package for XZ. I was simply saying that I am worried that something similar to this could have infiltrated the kernel, but I am not a security expert.
    sudo.jpg
    Last edited by jeantasse; July 17th, 2024 at 07:35 PM.

  9. #9
    #&thj^% (I Ubuntu, Therefore, I Am)
    Join Date: Aug 2016 | Beans: Hidden!

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    Quote Originally Posted by jeantasse View Post
    Hello 1fallen, thank you for taking the time to look into this. I think I messed up with the attached file, but for "XZ" I did not use any old Ubuntu 24.04 beta or proposed package for XZ. I was simply saying that I am worried that something similar to this could have infiltrated the kernel, but I am not a security expert.
    sudo.jpg
    Not here.... at times I have to go to the dark web to have a peek, and I have never allowed and would never allow any permissions or unknown logins.

    I suggest you run some system audits; search and you will find many ways to scan your system.

    What about the "last" command, anything strange there?

  10. #10
    Join Date: Jan 2006 | Location: Montreal, Quebec, Canada | Beans: 46 | Distro: Ubuntu 24.04 Noble Numbat

    Re: 2 times possible intrusion/infection after latest kernel updates? - Ubuntu 24.04

    The funniest thing is that I was about to install Chkrootkit because of last week's incident lol. I will do that now, but if I was infected by something, I will delete my old Clonezilla backups and start fresh. For the "last" command, I only learned about it a week ago and I did not think about it. I was away from Linux for a couple of years and before that I never had to review command lines, do an inspection of processes or anything alike. I had ClamAV and Chkrootkit installed and everything was always OK.
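    Chkrootkit and ClamAV look for known signatures, which is not the check that the original worry (a tampered kernel package) calls for. What dpkg can answer is narrower but directly relevant: whether the files currently on disk still match the digests recorded when each package was installed. The triage below is an added example, not posted in this thread; it runs on a constructed sample of `dpkg --verify` output (the paths were chosen for the example, none of them is a finding from the poster's machine) and separates edited conffiles, which an administrator changes routinely, from modified or missing package files, which deserve a closer look.

```shell
#!/bin/sh
# Added example, not from the thread: sort `dpkg --verify` findings into
# changed conffiles (normally edited by the admin) and changed or missing
# package files (binaries, libraries, kernel images), which deserve a look.
# On the affected machine:
#   sudo dpkg --verify linux-image-$(uname -r) 2>/dev/null | triage_dpkg_verify
#   sudo dpkg --verify 2>/dev/null | triage_dpkg_verify     # every package

triage_dpkg_verify() {
    awk '
        # dpkg -V prints a 9-character flag field, an optional "c" marking a
        # conffile, then the path. A "5" in position 3 of the flags means the
        # MD5 digest differs from the one recorded when the package was installed.
        $1 == "missing"                    { miss++; print "MISSING:", $NF; next }
        substr($1,3,1) == "5" && $2 == "c" { conf++; print "conffile modified:", $3; next }
        substr($1,3,1) == "5"              { bin++;  print "NON-CONFFILE MODIFIED:", $2; next }
        END {
            printf "summary: %d conffile(s), %d other file(s) modified, %d missing\n", conf, bin, miss
            exit (bin + miss > 0)   # non-zero when something beyond conffiles changed
        }
    '
}

# Constructed sample of dpkg -V output (paths chosen for the example only).
SAMPLE_DPKG_V='??5?????? c /etc/default/grub
??5??????   /boot/vmlinuz-6.8.0-31-generic
missing     /usr/share/doc/linux-image-6.8.0-31-generic/changelog.Debian.gz'

# Run the triage over the constructed sample; returns 1 because a
# non-conffile was modified and a file is missing.
demo_triage_dpkg_verify() {
    printf '%s\n' "$SAMPLE_DPKG_V" | triage_dpkg_verify
}

if demo_triage_dpkg_verify; then
    echo "only conffiles differ from the installed packages"
else
    echo "investigate the files marked above"
fi
```

    Two limits to state plainly: the digests dpkg compares against live under /var/lib/dpkg/info and can be rewritten by anyone who already has root, so a clean run is evidence rather than proof, and this check says nothing about whether the package itself was trustworthy when it was installed. For that second question, apt already verifies the archive's signature on download, so the XZ-style scenario the poster has in mind would mean a compromise of the source or build, which no on-host comparison detects; re-downloading the same .deb with `apt-get download` and comparing its contents is the most an offline check can do.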
