Are they false?
#1
[Image: 1screenshot.png]
[Image: 2screenshot.png]
[Image: 3screenshot.png]
[Image: 4screenshot.png]
[Image: 5screenshot.png]
[Image: 6screenshot.png]
[Image: 7screenshot.png]

On the forum a keylogger was used at me, so I began to look in the distro; these are the results. I wonder if it is related to this, if these are false results from both software used, or if it is another problem/attack altogether?
#2
You can try a quick check

Code:
users
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
#3
Thank you for the reply and help.
It is only my username.

edit -
They make a thing of the hard drive; I don't understand that stuff. It's gone with the couriers now.
#4
bitsnpcs
Do not understand where the info/readouts you posted came from. Was that a readout from your router, or from your pc?

I installed SOPHOS on my pcs as an extra precaution. It slows responses etc. down a bit, but I am concerned that incoming/outgoing are screened in real time so that I lessen the chances of passing on something bad to work colleagues etc.
https://www.sophos.com/en-us/products/fr...linux.aspx
https://www.sophos.com/medialibrary/PDFs..._sgeng.pdf

A bit tedious to set up, but I persevered and have found it reassuring.

Hope this helps.
2006 - HP DC7700p ultraslim Desktop Intel 6300 cpu  4GB Ram LL3.8 64bit.
2007 - Fujitsu Siemens V3405 Laptop  2 GB Ram LL3.6 32bit. Now 32bit Debian 9 + nonfree.
2006 - Fujitsu Siemens Si1520 Laptop Intel T720 cpu 3GB Ram   LL5.6 64 Bit
2014 - Fujitsu Siemens Lifebook E754 Intel i7 4712MQ 16GB Ram LL6.6
2003 - RETIRED Toshiba Satellite Pro A10 1 GB RAM LL2.8 32bit
#5
Here.

https://www.welivesecurity.com/2014/03/1...-campaign/

https://www.welivesecurity.com/2017/10/3...-update-2/

TC
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
#6
[member=149]newtusmaximus[/member] The info came from my Linux Lite computer's hard drive.
It is the only OS installed on it.
It is not networked.
No USB stick or disc that ever goes on another computer is attached to it.
The only website I visit using that LL computer is this forum.
The only update method I use is Install Updates (part of LL).
The LL that is installed was downloaded from the main LL website, and MD5 checked before install.
Nobody uses the computer but me; some sit with me sometimes.

That computer has no wifi, it is physically unplugged from ethernet since the results.

The results are from chkrootkit, and also from rkhunter (root kit hunter) command line tools as recommended in the security section of the Linux Bible 9th Edition (current edition), followed exactly to the letter.

[member=5916]trinidad[/member] thank you for the info and link.

Can some members run chkrootkit and rkhunter (they are in Install/Remove Software, aka Synaptic) and reply back so I know if this is an overall security issue, such as the hosting company servers used by Linux Lite having been infected and distributing it to the community, or if it is one directly targeted at me only on LL.
#7
Thanks trinidad. Way above my head.
So how vulnerable are we then?

bitsnpcs - will do
#8
chkrootkit - No warning reported.

rkhunter --check

Code:
System checks summary
=====================

File properties checks...
    Files checked: 150
    Suspect files: 1

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 56 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

    /usr/bin/whoami                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/lwp-request                                     [ Warning ]
    /usr/bin/s-nail                                          [ OK ]
    /usr/bin/x86_64-linux-gnu-size                           [ OK ]
    /usr/bin/x86_64-linux-gnu-strings                        [ OK ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]

Folder for chkrootkit was blank
#9
If you got the same result with both rootkit checkers it is usually not a false positive however...

https://bugs.launchpad.net/ubuntu/+sourc...ug/1508248

Also have you received a notification from your ISP? Also this particularly involves ssh and other open port usages. To verify what's up on your system, read the documentation, and check for the presence of the malicious files manually. There are many discussions of this on the WWW. If you have the infection best to zero the drive and reinstall, though it can be repaired manually, that is considerably more time consuming and technical. Newer versions of this seem to be leaking out again. The shared memory SHM references in your rkhunter scan are indicative of the newer version of this infection, however the ones you show are for pulse audio so they are most likely a false positive. The operation Windigo entry is a long time bug in chkrootkit.

TC
#10
Highlights from my rkhunter log scan of just now:

Code:
[15:50:21] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[15:50:28] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[15:50:40] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[15:50:40]  /bin/fgrep                                      [ OK ]
[15:50:41] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.
[15:50:44] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.
[15:51:55] Info: Found the 'unhide-tcp' command: /usr/sbin/unhide-tcp
[15:51:58] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:52:01]  Checking /dev for suspicious file types        [ Warning ]
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01]          /dev/shm/pulse-shm-331478974: data
[15:52:01]          /dev/shm/pulse-shm-3524711130: data
[15:52:01]          /dev/shm/pulse-shm-1543249499: data
[15:52:01]          /dev/shm/pulse-shm-1019003171: data
[15:52:01]          /dev/shm/pulse-shm-3173629532: data
[15:52:01]          /dev/shm/pulse-shm-3776217293: data
[15:52:01]          /dev/shm/pulse-shm-1763800836: data
[15:52:01]  Checking for hidden files and directories      [ Warning ]
[15:52:01] Warning: Hidden directory found: /etc/.java

[15:52:07] System checks summary
[15:52:07] =====================
[15:52:07]
[15:52:07] File properties checks...
[15:52:07] Files checked: 150
[15:52:07] Suspect files: 1
[15:52:07]
[15:52:07] Rootkit checks...
[15:52:07] Rootkits checked : 365
[15:52:07] Possible rootkits: 0
[15:52:07]
[15:52:07] Applications checks...
[15:52:07] All checks skipped
[15:52:07]
[15:52:07] The system checks took: 1 minute and 56 seconds
[15:52:07]
[15:52:07] Info: End date is Sat Nov 11 15:52:07 GMT 2017

No idea what the significance of the above is. Help please in layperson's terms.
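One way to triage a log like the one above, as an added example that is not code from the thread, from rkhunter or from Linux Lite: a small Python script that separates the warnings the thread already explains (lwp-request being a Perl script, PulseAudio's /dev/shm segments, the /etc/.java preferences directory) from anything else, which is left for manual inspection. The sample log lines and the benign baseline list are my own constructions and assumptions, not an rkhunter rule set.

```python
import re

# Constructed sample in rkhunter's log format (modelled on the thread's log, not copied from it), plus two made-up entries that a triage must not explain away.
SAMPLE_LOG = """\
[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01]          /dev/shm/pulse-shm-331478974: data
[15:52:01]          /dev/shm/.x-cache: data
[15:52:01] Warning: Hidden directory found: /etc/.java
[15:52:01] Warning: Hidden file found: /usr/lib/.hidden-example.so
"""

WARNING_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] Warning: (.*)$")
DEV_ITEM_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(/dev/\S+): \S")

# Assumed baseline of warnings that are benign on a stock desktop; this is my list, not an
# rkhunter rule set, so adjust it to the packages actually installed on the machine checked.
KNOWN_BENIGN = [
    (re.compile(r"^The command '/usr/bin/lwp-request' has been replaced by a script: .*perl"),
     "lwp-request is a Perl script shipped by libwww-perl"),
    (re.compile(r"^Hidden directory found: /etc/\.java$"),
     "/etc/.java holds Java system preferences"),
]
DEV_BENIGN = [(re.compile(r"^/dev/shm/pulse-shm-\d+$"), "PulseAudio shared-memory segment")]

def explain(text, rules):
    for pattern, reason in rules:
        if pattern.search(text):
            return "benign", reason
    return "review", "no known benign explanation; inspect the file by hand"

def triage(log_text):
    """Return [(finding, verdict, reason)] for every warning in the log text. The /dev
    warning is only a header: each path listed beneath it is judged on its own."""
    findings, in_dev_list = [], False
    for line in log_text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            body = m.group(1)
            in_dev_list = body.startswith("Suspicious file types found in /dev")
            if not in_dev_list:
                findings.append((body,) + explain(body, KNOWN_BENIGN))
            continue
        item = DEV_ITEM_RE.match(line) if in_dev_list else None
        if item:
            findings.append((item.group(1),) + explain(item.group(1), DEV_BENIGN))
        else:
            in_dev_list = False
    return findings
```

Run `triage(open("/var/log/rkhunter.log").read())` on a real log; only the "review" entries need a look, and a benign verdict here still assumes the matching package is actually installed.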