Jump to content

Urgent help wanted by anyone conversant with computers and rootkits and how to sort virus problem


cliveshep

Recommended Posts

22 minutes ago, ozimoron said:

There is a major reason that linux distros aren't affected by viruses in the real world and that is the user doesn't automatically have root permissions unlike in windows and therefore viruses and malware can't install themselves.

You don't need root permissions to steal user data such as online banking login credentials, et cetera.

The majority of Linux malware works perfectly well under user permissions.

 

google:// "LD_PRELOAD malware"

Edited by fdsa
Link to comment
Share on other sites

23 minutes ago, fdsa said:

You don't need root permissions to steal user data such as online banking login credentials, et cetera.

The majority of Linux malware works perfectly well under user permissions.

 

google:// "LD_PRELOAD malware"

rubbish, if it can't install it can't run. this would require login access anyway and there are no accounts of this having ever happened.

Edited by ozimoron
Link to comment
Share on other sites

8 minutes ago, fdsa said:

your knowledge is lacking, preserve on your quest.

Full time linux sysop for the past 8 years here. People who like to pain linux as vulnerable like point to these theoretical vulnerabilities as proof but the simple reality is that such viruses aren't in general circulation. Linux is really only hacked when attackers target particular servers and even then not too often. Windows is far more vulnerable to users installing viruses and malware.

 

So far, there’s no evidence of infections in the wild, only malware samples found online. It’s unlikely this malware is widely active at the moment

 

https://arstechnica.com/information-technology/2022/06/novel-techniques-in-never-before-seen-linux-backdoor-make-it-ultra-stealthy/

Edited by ozimoron
  • Like 2
Link to comment
Share on other sites

“When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,” he explained. ” If the password provided is a match, the hooked function returns a success response.”

https://threatpost.com/linux-malware-impossible-detect/179944/

 

I know of no linux servers which permit PAM authentication. Only a fool would allow it. Most servers use encrypted keys without root or password access. Most servers are also protected with Gateway or VPN on LAN subnets as well.

 

 

Edited by ozimoron
Link to comment
Share on other sites

8 hours ago, ozimoron said:

Full time linux sysop for the past 8 years here.

...

theoretical vulnerabilities

...

such viruses aren't in general circulation

...

there’s no evidence of infections in the wild

lol, classic. If you don't know something it doesn't mean it does not exists ???? 

 

5 hours ago, RedBackman said:

*insults intelligence

*mistakes the word preserve for persevere

I'm insulting his level of knowledge, not intelligence.

However with such an approach "I have never met *something* so it does not exist" the intelligence seems insult-able too.

 

> preserve

it was a quote from a nice old Japanese game poorly translated to English, "your experience is lacking, preserve on your quest" ©

Link to comment
Share on other sites

I see the thread has wandered off course, wondering what comes next in it's digressions - someone spills mango rice on their keyboard leading to a discussion of sticky rice versus normal and what type of mango is best?

 

Currently bored, awaiting last of saved files being copied before formatting you lot into oblivion!

  • Like 2
Link to comment
Share on other sites

  

8 hours ago, ozimoron said:

I know of no linux servers which permit PAM authentication

as I said - lack of experience/knowledge ???? (also likely confusing "PAM" with "password authentication").

 

the PAM system is actually useful, for example you could setup TOTP two-factor auth with special PAM module.

 

  • Like 1
Link to comment
Share on other sites

8 hours ago, ozimoron said:
Quote

“Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.”

OMGWTF. That's extremely bad practice, no wonder it was detected by the researchers. Preloading into all running processes will inevitably lead to bugs and server crashes.

The LD_PRELOAD is usable only for userland malware.

  • Like 1
Link to comment
Share on other sites

19 hours ago, fdsa said:

> preserve

it was a quote from a nice old Japanese game poorly translated to English, "your experience is lacking, preserve on your quest" ©

Is that just a personal anecdote or are you perhaps misquoting some more popular mistranslated game reference? Search engines are only bringing me back to one result that mistook the words and another time you used it this same way.

Link to comment
Share on other sites

6 hours ago, RedBackman said:

Is that just a personal anecdote or are you perhaps misquoting some more popular mistranslated game reference? Search engines are only bringing me back to one result that mistook the words and another time you used it this same way.

I have downloaded that game and found out that there is a phrase "persevere in", however I'm sure that it was "preserve on" last time I've played it (20-something years ago?).

I think that this mistake was made by the translators of the pirated/cracked version of the game, because I also remember that in the game titles there also were phrases "thankings go to (some ppl in hacker/demo scene)" and "fuсkings go to LSD" which are absent in the version I've found now.

 

Screenshot_20220618_120655.png.68ed101136e79da0345b0ce61f930374.png

Edited by fdsa
  • Like 1
Link to comment
Share on other sites

8 hours ago, fdsa said:

I have downloaded that game and found out that there is a phrase "persevere in", however I'm sure that it was "preserve on" last time I've played it (20-something years ago?).

I think that this mistake was made by the translators of the pirated/cracked version of the game, because I also remember that in the game titles there also were phrases "thankings go to (some ppl in hacker/demo scene)" and "fuсkings go to LSD" which are absent in the version I've found now.

 

Screenshot_20220618_120655.png.68ed101136e79da0345b0ce61f930374.png

I've played my fair share of roms with unofficial translations, I'm sure it's out there somewhere. Just it's probably best not to make a joke that references something this obscure because everyone will think you're the one making mistakes. Now I'm off to play some Zeliard.

Link to comment
Share on other sites

On 6/16/2022 at 10:35 PM, cliveshep said:

Right - update. Loaded Avast and let it do a full scan, it ran tghe whole night and was still chugging away this morning. When it finished it announced it had found a rootkit and would quarantine it and I must restart computer.

Great I thought, told it to restart whereupon it started a full pre-boot scan. After another tedious hour it seemed to have frozen so I cancelled it and let the beast boot.

Had to open Avast again and behold - no quarantine with the rootkit. Ran various including full scans during the day, in between I managed to transfer money via Wise (3 seconds!) from the UK, on the basis that this rootkit is unable to escape to the outside world as Avast continously blocks it very noisily so it cannot corrupt my bank. 

During the day it constantly tries to connect and Avast blocks it instantly with a full-volume gonging noise!

Also I have piggy-backed a spare HDD via a caddy and a slow 2.0 USB connection to my laptop and am transferring across my pictures, home videos, folders etc and fresh app downloads. 

Once everything is solidly backed up I will format the machine and as suggested do a complete clean install.

As also suggested it will get rid of all the junk and clutter, the only downside is having to run in circles to get all my banking details reinstalled.

Don't forget to scan the backups after you reformatted the system, or you'll reinfect yourself again. Scan with multiple engines so you don't miss something.

  • Like 1
Link to comment
Share on other sites

On 6/17/2022 at 1:34 AM, ozimoron said:

“When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,” he explained. ” If the password provided is a match, the hooked function returns a success response.”

https://threatpost.com/linux-malware-impossible-detect/179944/

 

I know of no linux servers which permit PAM authentication. Only a fool would allow it. Most servers use encrypted keys without root or password access. Most servers are also protected with Gateway or VPN on LAN subnets as well.

 

 

PAM is the core of all sorts authentication on practically every Linux distribution, plus Solaris and others. The most widely used corporate 2FA (RSA securid) uses stacked PAM modules to do its job.

Link to comment
Share on other sites

OP - glad you made the (correct) decision to re-format, it was definitely too far gone.


Have you considered mobile banking going forward? It's pretty convenient and once set up you probably won't need to remember passwords etc., you can use fingerprint or PIN authentication. Also, I would suggest using a password manager to help remember banking details etc. Bitwarden is a decent free one.

Link to comment
Share on other sites

On 6/17/2022 at 4:08 AM, cliveshep said:

I see the thread has wandered off course, wondering what comes next in it's digressions - someone spills mango rice on their keyboard leading to a discussion of sticky rice versus normal and what type of mango is best?

 

Currently bored, awaiting last of saved files being copied before formatting you lot into oblivion!

Delete all partitions before you format.

Link to comment
Share on other sites

All working good now after a reload, then delete Windows old file, then another reload and delete. It's only time not cost and along the struggle to download missing minor software I picked up a ransomware virus but nothing was lost and I simply reloaded letting Windows isolate everything for me to delete later - which I have. A bit drastic but everything is now working perfectly again. Plus I threw away all my old software and purchased a new copy of Office Pro Plus 21 to go with a new copy of Windows 10. 

 

So it's "yarbles" (yah balls!) to Mr Vladimir Putin's ransom-ware hackers and sundry rootkit providers, may your camels be infertile and your wife strangle you in your sleep!

 

But seriously, thanks for all the advice, in the end the only thing that guaranteed a clean machine was a double reload.

 

If anyone has a USB boot and format utility they can email me to create my own bootable USB format tool for future use which would have saved so much heartbreak I'd be so blessed to receive it. PM me for an email address. Thanks again everyone for all your help.

Link to comment
Share on other sites

5 hours ago, cliveshep said:

So it's "yarbles" (yah balls!) to Mr Vladimir Putin's ransom-ware hackers and sundry rootkit providers, may your camels be infertile and your wife strangle you in your sleep!

mr Vladimir Putin's ransomware hackers are targeted at big corporations and critical industries such as energy or healthcare, not random Joes' personal computers.

Edited by fdsa
Link to comment
Share on other sites

5 hours ago, cliveshep said:

All working good now after a reload, then delete Windows old file, then another reload and delete. It's only time not cost and along the struggle to download missing minor software I picked up a ransomware virus but nothing was lost and I simply reloaded letting Windows isolate everything for me to delete later - which I have. A bit drastic but everything is now working perfectly again. Plus I threw away all my old software and purchased a new copy of Office Pro Plus 21 to go with a new copy of Windows 10. 

 

So it's "yarbles" (yah balls!) to Mr Vladimir Putin's ransom-ware hackers and sundry rootkit providers, may your camels be infertile and your wife strangle you in your sleep!

 

But seriously, thanks for all the advice, in the end the only thing that guaranteed a clean machine was a double reload.

 

If anyone has a USB boot and format utility they can email me to create my own bootable USB format tool for future use which would have saved so much heartbreak I'd be so blessed to receive it. PM me for an email address. Thanks again everyone for all your help.

I think you should rethink where you get/download your software from. There are good sources out there with virus free software. And if you are not sure then obviously you should check the installer files before you install anything. And a USB boot and format utility is also easy to find online. It's not a good idea to just rely on others to send you a link. There are some malicious people out there. And they are successful because too many people believe: click here and all will be fine... 

Link to comment
Share on other sites

5 hours ago, OneMoreFarang said:

I think you should rethink where you get/download your software from. There are good sources out there with virus free software. And if you are not sure then obviously you should check the installer files before you install anything. And a USB boot and format utility is also easy to find online. It's not a good idea to just rely on others to send you a link. There are some malicious people out there. And they are successful because too many people believe: click here and all will be fine... 

lol yes, that's exactly how you get into one of these situations. Trusting one random internet stranger to send you software through email...what could go wrong?

  • Like 2
Link to comment
Share on other sites

14 hours ago, blackshadow said:

HAVE YOU tried norton to solve your problems...

otherwise take to a good computer repair shop

 

 

where are you by the way???

Khlong Sam Wa Tawan Ok

Link to comment
Share on other sites

20 hours ago, fdsa said:

mr Vladimir Putin's ransomware hackers are targeted at big corporations and critical industries such as energy or healthcare, not random Joes' personal computers.

I'm NOT a random Joe, I'm a random Clive and as far as I know Putin's computer death squads stick their poisonous worms on other peoples web-sites to insinuate themselves into who ever visits, not just specific targets but all and sundry. This is the 2nd time, first time was Wanna Cry, but backing up saves the day except this time the back-up hdd failed disastrously.

 

Link to comment
Share on other sites

On 7/1/2022 at 11:50 AM, blackshadow said:

OK GOOD FOR YOU

You don't understand, it is not "ok?" it is Ok as part of the name - Tawan Ok. Not being rude or abrupt at all, you asked for my location, Khlong Sam Wa Tawan Ok is the location, find it on Google maps.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...