Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1 vote, 1 answer, 255 views
How can I check if my laptop’s docking station is compromised or contains malware in Linux?
If I suspect that my docking station (USB-C/Thunderbolt) might be infected with malware or used as an attack vector, how can I check for the following in Linux?
1. Could the docking station emulate a keyboard/mouse or inject malicious data?
2. How can I monitor for suspicious activity?
3. What commands help detect anomalies?
What kind of security tools or commands are useful for this?
Roberto Dvilla
(306 rep)
Jun 30, 2025, 09:10 AM
• Last activity: Jun 30, 2025, 01:07 PM
0 votes, 0 answers, 58 views
What countermeasures are required for alert /var/lib/clamav/rfxn.yara: Php.Exploit.C99-27 FOUND?
Running ClamAV on my Linux Mint laptop gives
```
/var/lib/clamav/rfxn.yara: Php.Exploit.C99-27 FOUND
```
What does it mean on a laptop (not a server as such)?
Is the system infected?
Mark Watney
(101 rep)
Jun 25, 2025, 05:15 AM
• Last activity: Jun 25, 2025, 02:11 PM
1 vote, 0 answers, 59 views
Weird entry in ~/.zsh_history
I started using k8s Lens recently.
Today I opened my ~/.zsh_history and I see multiple entries like this:
```
'/Applications/Lens.app/Contents/MacOS/Lens -p "722ad0f7f7e84e2395138633991ed4ed" + JSON.stringify(process.env) + "722ad0f7f7e84e2395138633991ed4ed"
```
I don't see a reason for `process.env` being concatenated with some random string and passed to the Lens app (Electron).
Do you think something is maliciously exploiting Lens on my Mac, or could this be normal behavior?
Philip St
(11 rep)
May 23, 2025, 05:05 AM
• Last activity: May 23, 2025, 01:11 PM
5 votes, 2 answers, 2370 views
Tons of unknown connections in nethogs
I am seeing hundreds of different connections to the same ip and port scrolling by when running nethogs. Occasionally the foreign IP and port will change (not always 80, but sometimes). I've noticed that my router CPU usage jumps to 100% when these huge bursts of connections happen, so I'm fairly certain that this massive spike keeps overloading the router and essentially making my network useless for up to a full 60 seconds.
Things I've tried:
- `sudo netstat -tulpn | grep $whateverip`: nothing
- `sudo netstat --inet -ap | grep $whateverip`: nothing
- `sudo lsof -i | grep $whateverport`: by the time this finishes, the port and IP have changed again
This may just be paranoia, but I swear it seems like every time I try to dig into more info on the connection, the port and IP change, so my command gives me nothing.
Am I dealing with something evil living inside my server? Or is there some more benign explanation that I'm missing in my limited networking knowledge?
Also note that this is an Ubuntu server with no UI, so it's not me chasing around someone just browsing reddit.
pettazz
(151 rep)
Oct 4, 2014, 04:05 PM
• Last activity: May 6, 2025, 12:07 AM
4 votes, 2 answers, 2787 views
API Monitoring and Hooking
I am currently reading the "Malware Analyst's Cookbook and DVD". There is a chapter "Dynamic Analysis" and there are also some recipes about hooking and monitoring API calls of a process, but it is for Windows.
I want to do the same thing as recipe 9-10 explains, but for Linux. 9-10 is called "Capturing Process, Thread, and Image Load Events".
In this recipe it is shown "how to implement a driver that alerts you when any events occur on the system while your malware sample executes". It uses the API functions of the Windows Driver Kit (WDK) to call a user-defined callback function. It uses the callback functions:
- Process creation callback function called PsSetCreateProcessNotifyRoutine(...)
- Thread creation callback function called PsSetCreateThreadNotifyRoutine(...)
- Image load callback function called PsSetLoadImageNotifyRoutine(...).
And when any events occur it will display them as a debug message which can then be viewed in e.g. DebugView.
It seems well documented for Windows and it is easy to find information for this, but I have a bit of a problem finding information for Linux.
I've found some general introductions to drivers and one for hooking, but I still haven't found any that are not so general or at least are a bit more focused on malware analysis.
I would be happy for tips on further reading or recommended tutorials on this topic.
Greeneco
(401 rep)
Sep 8, 2014, 07:08 PM
• Last activity: Apr 17, 2025, 05:08 PM
0 votes, 1 answer, 48 views
Where can I find details of malware found by ClamScan based on the ClamScan malware name?
ClamScan found a Trojan program called Win.Trojan.Rider_4000_B-1. Where can I find more information about how this malware works?
Jeff
(283 rep)
Mar 25, 2025, 01:49 AM
• Last activity: Mar 25, 2025, 05:35 AM
1 vote, 1 answer, 718 views
A process called "Opera" (the browser is not installed) constantly uses 100% of my CPU. Does anyone know what this is?
I have a server box I use to host various web applications and game servers for friends. I recently connected to it to check how it was running, and discovered a program "Opera" trying to use over 3000% of my CPU according to `top`.
I tried to kill it with `pkill Opera` and `pkill` then used `killall` to do the same, which worked initially, but the Opera program came back within a minute or so. I checked through all of my system services and cron jobs and can't find any mention of "Opera" anywhere, and trying to run the command manually ("Opera", not "opera" like the browser) just prompts me to install the opera browser from snap. `top` only informed me that opera was somehow located at `./Opera`. I eventually tracked down the executable by following the symlink in `/proc/` and found it in `/var/tmp` inside a "Documents" folder with some other odd files (a config.json, and several hidden files with strange names and no extensions); the picture I've included does not have the Opera file, as I deleted it.
[image: /var/tmp/Documents folder without the Opera executable]
Deleting the executable seems to have fixed the problem, but I still have no idea what it was caused by or what the Opera executable is, what it was doing, and why it was executing from the `/var/tmp` folder. I mainly want to know if this is a known virus or trojan, and whether I should purge the user it's executing from.
Editing this because I forgot to add my system info.
My operating system is Ubuntu 22.04.4 LTS and I use bash as my kernel. My kernel version is Linux 5.15.0-116-generic.
Any help is appreciated, thanks!
Isaakfire
(13 rep)
Jul 25, 2024, 10:00 PM
• Last activity: Jan 26, 2025, 04:00 PM
4 votes, 3 answers, 1354 views
Is there a reason why I can't use find to scan modified files for viruses and malware?
I need to scan Linux systems for viruses/malware, on the entire file system. There are a few options to consider.
- One is normally what users do: use antivirus to scan the system once a day.
- The second option is to find files modified in the last day and give that list to the antivirus program.
I tested the following bash command, `find`, on a directory with 5 million empty files, and it's extremely efficient:
```
date;find /test/ -type f -ctime -1 1>./find_ctime.out 2>./find.errors;date
```
It takes only about 5 seconds.
I am using the `-ctime` option just to overcome some program changing the modification time using a utility such as `touch`.
When most admins talk about a system scan, they talk about having the antivirus do the complete scan.
Is there a reason why `find` should not be used to get a list of modified files and scan them?
EDIT: I have posted following question which _may_ have an answer to why no antivirus seems to use "find" based incremental approach: https://unix.stackexchange.com/questions/787940/is-there-a-way-to-use-linux-find-and-filter-if-specific-process-was-the-only-o
user1578026
(161 rep)
Dec 9, 2024, 04:27 AM
• Last activity: Dec 13, 2024, 07:21 PM
0 votes, 0 answers, 43 views
My server is DOSing itself
I seem to have some kind of self-inflicted DOS attack going on. I have some [self-written blog software](https://github.com/Pamblam/fuckit) that I have hosted on a Digital Ocean droplet running Ubuntu 20. Everything worked fine for a long time but recently the server is taking a long time to respond, so I checked the Apache access logs and found that it is requesting this one image from itself several times per second:
Snippet from the access log:
```
134.209.212.156 - - [04/Oct/2024:15:32:55 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3976 "-" "-"
127.0.0.1 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1350 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:56 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3976 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:58 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:58 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:55 +0000] "GET / HTTP/1.1" 200 3975 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:55 +0000] "GET / HTTP/1.1" 200 3976 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:57 +0000] "GET / HTTP/1.1" 200 3977 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3728 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:54 +0000] "GET / HTTP/1.1" 200 3729 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:32:58 +0000] "GET / HTTP/1.1" 200 3975 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
134.209.212.156 - - [04/Oct/2024:15:33:00 +0000] "GET / HTTP/1.1" 200 1362 "-" "-"
```
134.209.212.156 is my server's public IP, which my domain, robert-parham.com, points to.
The website runs fine on my own computer, there are no cron jobs under the root account or the non-root account that I set up.
Could this be some kind of malware? What steps can I take or tools can I use to find out what program or piece of code is making these requests?
--
Edit 1:
Here's a snippet of the output from `sudo tcpdump -vv -s0 tcp port 80 and src host 134.209.212.156`:
```
17:05:18.015144 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0x575a), seq 2203077905, ack 1, win 64240, options [mss 1460], length 0
17:05:31.839148 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.http > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0x2b82), seq 2445306852, ack 1, win 64240, options [mss 1460], length 0
17:05:34.400019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0x575a), seq 2203077905, ack 1, win 64240, options [mss 1460], length 0
17:05:49.535001 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.http > 185.224.128.82.41528: Flags [S.], cksum 0x95bf (incorrect -> 0x0637), seq 899153806, ack 2088086825, win 64240, options [mss 1460], length 0
17:06:55.622040 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:06:56.639166 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:06:58.687124 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:02.453575 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:04.527413 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:08.543172 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:16.799356 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
17:07:33.183150 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    robert-parham.com.https > vmi1563824.contaboserver.net.http: Flags [S.], cksum 0x737c (incorrect -> 0xdebe), seq 3967376515, ack 1, win 64240, options [mss 1460], length 0
```
According to www.abuseipdb.com, both vmi1563824.contaboserver.net and 185.224.128.82 have high-confidence ratings for abuse, so I'm pretty confident it's some kind of malware at this point.
I wrestled a bear once.
(189 rep)
Oct 4, 2024, 03:56 PM
• Last activity: Oct 4, 2024, 05:13 PM
0 votes, 0 answers, 23 views
The suspicious process is using a lot of CPU time linux
I have a Linux server with my projects, docker and postgresql. A few days ago I saw that the server's CPU is overloaded. Using htop I saw this: [htop screenshot](https://i.sstatic.net/KSruWmGy.png)
The process run by the command /proc/216916/fd/7 is using 97% of my CPU. After killing that process by PID, it runs again with another PID. The directory /proc/{PID} does not exist.
Are there any solutions other than reinstalling the OS?
Paradise Public
(1 rep)
Sep 21, 2024, 09:10 AM
24 votes, 2 answers, 5817 views
High CPU usage by process with obfuscated name on Linux server – Potential attack?
We have been experiencing high load issues on our Linux server recently. Upon checking with the `top` command, we noticed an unknown process with a garbled command name (as shown in the following images; notice that the command name would change after rebooting). This process is consuming a significant amount of CPU resources.
[image: 89cdb92b, run by root, as taking 25,369% CPU with 23.0g virtual memory at uptime 4399:12]
[image: ac1e4262, run by root, as taking 22,528% CPU with 23.0g virtual memory at uptime 958:07]
We attempted to locate the executable path of this suspicious process, and the server returned the result shown below. The path indicates that the executable file has been deleted:
```
/proc/4747/exe -> '/ac1e4262 (deleted)'
```
From what I understand, this could mean that the process is still running even though its executable file has been removed. This situation might be indicative of a trojan or other malicious activity.
My questions:
1. Is this high CPU usage by an unknown process with a garbled command name likely caused by a trojan or some other form of malware?
2. What steps should I take to investigate and resolve this issue to ensure the security and stability of our server?
yamato
(349 rep)
Aug 25, 2024, 12:56 PM
• Last activity: Aug 28, 2024, 01:34 PM
-1 votes, 1 answer, 98 views
Can ClamAV detect malicious files on a MySQL/MariaDB server?
Can ClamAV help detect malicious files (i.e. malware, rootkits, etc.) on a MySQL/MariaDB server, specifically the /var/lib/mysql data folder?
The database server is a single role and locked down both by firewall and MariaDB user host restriction.
SkipTripAhead
(1 rep)
Aug 9, 2024, 07:59 AM
• Last activity: Aug 9, 2024, 08:29 AM
-1 votes, 2 answers, 614 views
Possible Malware: Unable to track starting point
For the past couple of days I have been observing weird processes on one of our servers. Most of the time I see multiple instances of the executable `10` and sometimes `4`, and they take a lot of cpu resources. When I examined this I have been seeing the process is started by cron right after starting a process with executable `cpu_hu`, which is apparently foreign to my system and a simple search did not resolve to anything.
Then I examined the `cpu_hu` process, examined the exe location then removed it accordingly (the location in the image points to a venv for a small project our team is working on)
[image: even though I removed the binary, after reboot it appeared in a different location]
and the executables `10`, `4` started from memory (no physical executable location).
I deleted the `cpu_hu` binary from all the locations on the system, stopped the process and rebooted, but after some time the `cpu_hu` binary appears elsewhere. For now I have stopped crond and killed the respective processes, which seemed to have stopped the process from starting again.
At this point I am pretty sure it's malicious. How can I get rid of this, or rather find the starting point of this malware to prevent it from starting?
Nazmul Ahasan
(1 rep)
May 6, 2024, 07:10 AM
• Last activity: Aug 5, 2024, 02:58 PM
-1 votes, 1 answer, 258 views
Does Kali Linux OS actually have malware?
I downloaded the Kali Linux 64 bit from TechSpot, and I know that it has a 100% safe download. But I ran it through Windows Security and it found 77 threats. Most of them I know are just part of Linux because they're classified as Hack Tool. But there are several Trojan Horses and ransomware. I just want to be sure it's safe to use before I remove Windows and install it as the OS on my second laptop.
Jake
(9 rep)
Jul 23, 2024, 12:40 AM
• Last activity: Jul 23, 2024, 08:10 AM
2 votes, 1 answer, 2963 views
How to scan for malware on Linux
So a few days ago, I noticed a new pattern in the PC fan speeds on my Fedora workstation. Every now and then some of the fans will start spinning slightly faster than usual and will continue to do so for about 30 seconds to one minute. This happens in very light PC usage scenarios such as web browsing, pdf reading... I noticed because I had never been able to actually hear the fans in my PC in such light usage scenarios before.
Anyway, this could be caused by a myriad of things, but as a basic sanity check I wanted to rule out malware. So I did the following:
- check lmsensors and there are indeed small spikes (~100-150rpm) in both CPU and GPU fans
- run clamscan
- check process tree for suspicious entries with ps and top
- check open tcp/udp ports for suspicious entries with netstat
- check cron/anacron files
and nothing suspicious came out.
What are some other basic things I can check to rule out malware? Should I maybe use some other applications for open port or running process listing?
Again this is basic sanity check more than anything. I don't think there is a high chance of my PC actually being infected - I haven't installed anything that is not in official repositories (apart from some GoG games), I always check web pages with Virustotal before visiting them for the first time, I always browse in private mode so caches are cleared on shutdown and I use uBlock Origin with all included filters on.
vrsio
(21 rep)
Mar 22, 2021, 09:41 PM
• Last activity: Apr 23, 2024, 04:09 AM
0 votes, 0 answers, 60 views
How to recover data from my flash drive that appears to be wiped out and which may potentially be infected with a Windows virus?
I have a flash drive of 256GB with two partitions containing some important data.
Today I had to connect my flash drive to my university's Windows computer to copy some files... but after connecting, all my data on both partitions were gone, and there are two files named **version.dll** and **USB driver.exe**... and also an **unnamed folder**... in each partition.
I'm using Fedora 38. How can I now recover my data?
Erpo
(1 rep)
Jan 14, 2024, 12:44 PM
• Last activity: Jan 18, 2024, 11:27 PM
-3 votes, 4 answers, 161 views
Strong passwords vs ransomware for Linux login
Let's assume I have connected a Linux computer to my local network. There is one login to this computer with a strong password that only I know.
1) Can ransomware that has infiltrated my network (via another computer) gain access to the data on the Linux computer?
2) Can the ransomware change data on the Linux computer?
I read that ransomware is good at stealing credentials.
fkarger
(5 rep)
Nov 13, 2023, 10:00 AM
• Last activity: Nov 14, 2023, 01:14 PM
0 votes, 0 answers, 442 views
How was my postgres docker container hacked / infected
My VPS has been infected by the [kdevtmpfsi malware](https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu), twice. That's the problem, because I've taken every possible precaution after being infected for the first time, and I have no idea how I'm being infected again this time.
Both cases are because of the postgres docker container. After being infected the first time,
- I'm using a 20-char strongest `POSTGRES_PASSWORD` to start the official `postgres` docker image,
- and I've removed the port mapping from the docker container to the host.
The postgres can only be accessed by another docker container (not even by the host), using a docker network I created myself. That docker container was started from `cosmtrek/air`, a Go based live building environment, and my Go web application is super simple, which doesn't even serve the `/` root.
The Go `air` docker container is the only one having its port mapping from docker container to the host, thus exposed to the world.
Yet, the postgres docker container was infected again, under conditions that I deemed impossible.
Any hints please. thx.
PS. I'm going to start the official `postgres` docker image again as before, but no Go web this time, to prove the infection has nothing to do with my Go app. Let's see...
xpt
(1858 rep)
Sep 21, 2023, 03:51 AM
0 votes, 0 answers, 44 views
SSH login: password works not until 3rd attempt (same password)
When trying to log into my vserver the password **only** works at the 3rd attempt! (Using the **same** & **correct** password from clipboard)
**Is the system breached?!**
Interestingly when using my password manager which types the pw char by char in a matter of ~0.5sec it works right away..
**Q:** How can I find out what's going on here?
---
Sidenotes
- CentOS 8
- Not using root
- Login using a private key
- SSH root login disabled
- sudo commands inside a session aren't working either (except if using a password manager)
xcy7e
(159 rep)
Sep 20, 2023, 09:29 AM
4 votes, 1 answer, 3467 views
How to check an AUR package for malicious code?
Malicious code has been found and later deleted from 3 AUR packages `acroread`, `blaz` and `minergate` (e.g. acroread PKGBUILD detail). It was found in a commit released by a malicious user by changing the owner of the orphaned AUR package and including a malicious `curl` command.
The `curl` command will download the main bash script `x` then the second script `u` (`u.sh`) in order to create a systemd service, using a function to collect some system data (non-sensitive data), but the scripts can be modified by the attacker to be uploaded sequentially.
In practice not all users have the ability to check the PKGBUILD before building any package on their systems for some reasons (it requires some knowledge, takes more time etc...). To understand how it works I have downloaded and uploaded the 2 bash scripts on this pastebin page.
What is the easiest way to check an AUR package for malicious code?
naked security : Another Linux community with malware woes
Malicious Software Packages Found On Arch Linux User Repository
GAD3R
(69486 rep)
Jul 15, 2018, 12:00 PM
• Last activity: Sep 7, 2023, 02:47 PM