Urgent help wanted by anyone conversant with computers and rootkits and how to sort virus problem


cliveshep

Recommended Posts

22 minutes ago, ozimoron said:

There is a major reason that linux distros aren't affected by viruses in the real world and that is the user doesn't automatically have root permissions unlike in windows and therefore viruses and malware can't install themselves.

You don't need root permissions to steal user data such as online banking login credentials, et cetera.

The majority of Linux malware works perfectly well under user permissions.

 

google:// "LD_PRELOAD malware"

Edited by fdsa

23 minutes ago, fdsa said:

You don't need root permissions to steal user data such as online banking login credentials, et cetera.

The majority of Linux malware works perfectly well under user permissions.

 

google:// "LD_PRELOAD malware"

rubbish, if it can't install it can't run. this would require login access anyway and there are no accounts of this having ever happened.

Edited by ozimoron

8 minutes ago, fdsa said:

your knowledge is lacking, preserve on your quest.

Full time linux sysop for the past 8 years here. People who like to paint linux as vulnerable like to point to these theoretical vulnerabilities as proof, but the simple reality is that such viruses aren't in general circulation. Linux is really only hacked when attackers target particular servers, and even then not too often. Windows is far more vulnerable to users installing viruses and malware.

 

So far, there’s no evidence of infections in the wild, only malware samples found online. It’s unlikely this malware is widely active at the moment

 

https://arstechnica.com/information-technology/2022/06/novel-techniques-in-never-before-seen-linux-backdoor-make-it-ultra-stealthy/

Edited by ozimoron

“When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,” he explained. ” If the password provided is a match, the hooked function returns a success response.”

https://threatpost.com/linux-malware-impossible-detect/179944/

 

I know of no linux servers which permit PAM authentication. Only a fool would allow it. Most servers use encrypted keys without root or password access. Most servers are also protected with Gateway or VPN on LAN subnets as well.

 

 

Edited by ozimoron

8 hours ago, ozimoron said:

Full time linux sysop for the past 8 years here.

...

theoretical vulnerabilities

...

such viruses aren't in general circulation

...

there’s no evidence of infections in the wild

lol, classic. If you don't know something, it doesn't mean it does not exist.

 

5 hours ago, RedBackman said:

*insults intelligence

*mistakes the word preserve for persevere

I'm insulting his level of knowledge, not intelligence.

However with such an approach "I have never met *something* so it does not exist" the intelligence seems insult-able too.

 

> preserve

it was a quote from a nice old Japanese game poorly translated to English, "your experience is lacking, preserve on your quest" ©


I see the thread has wandered off course, wondering what comes next in its digressions - someone spills mango rice on their keyboard leading to a discussion of sticky rice versus normal and what type of mango is best?

 

Currently bored, awaiting last of saved files being copied before formatting you lot into oblivion!


  

8 hours ago, ozimoron said:

I know of no linux servers which permit PAM authentication

as I said - lack of experience/knowledge (also likely confusing "PAM" with "password authentication").

 

the PAM system is actually useful, for example you could set up TOTP two-factor auth with a special PAM module.

 


8 hours ago, ozimoron said:
Quote

“Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine.”

OMGWTF. That's extremely bad practice, no wonder it was detected by the researchers. Preloading into all running processes will inevitably lead to bugs and server crashes.

The LD_PRELOAD is usable only for userland malware.

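Since the posts above argue about whether LD_PRELOAD-based userland malware is detectable, here is an added example (not code from the thread or from any of the articles linked) that checks the two places such a hook has to register itself on a Linux host: the `/etc/ld.so.preload` file and the `LD_PRELOAD` variable in each process's environment. The sample environ data is constructed; `scan_live()` reads the real `/proc` and `/etc` entries.

```python
"""Added example: find LD_PRELOAD-style library injection on a Linux host."""
import glob


def parse_environ(blob: bytes) -> dict:
    """Parse a NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_findings(environs: dict, ld_so_preload: str) -> list:
    """environs maps pid -> raw environ bytes; ld_so_preload is the file text.
    Returns (source, library) pairs for every preloaded library found."""
    findings = []
    for line in ld_so_preload.splitlines():
        line = line.split("#", 1)[0].strip()   # the loader ignores comments
        if line:
            findings.append(("/etc/ld.so.preload", line))
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD", "")
        for lib in value.replace(":", " ").split():   # ':' or space separated
            findings.append((f"pid {pid}", lib))
    return findings


def scan_live() -> list:
    """Collect real data; reading another user's environ needs root."""
    environs = {}
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as f:
                environs[path.split("/")[2]] = f.read()
        except OSError:
            continue   # process exited or permission denied
    try:
        with open("/etc/ld.so.preload") as f:
            text = f.read()
    except OSError:
        text = ""   # absent on a clean system
    return preload_findings(environs, text)


# Constructed sample: one process carrying two injected libraries.
SAMPLE_ENVIRONS = {"123": b"PATH=/usr/bin\0LD_PRELOAD=/tmp/x.so:/tmp/y.so\0HOME=/root\0",
                   "456": b"PATH=/usr/bin\0"}

if __name__ == "__main__":
    for source, lib in preload_findings(SAMPLE_ENVIRONS, "# demo\n/lib/fake.so\n"):
        print(f"{source}: preloaded {lib}")
```

A preload that hooks `read()` or `readdir()` can filter its own entries out of these files, so a check like this is only trustworthy when run from a clean boot medium against the mounted disk, which is the property that made the backdoor in the linked article hard to see from the inside.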

19 hours ago, fdsa said:

> preserve

it was a quote from a nice old Japanese game poorly translated to English, "your experience is lacking, preserve on your quest" ©

Is that just a personal anecdote or are you perhaps misquoting some more popular mistranslated game reference? Search engines are only bringing me back to one result that mistook the words and another time you used it this same way.


6 hours ago, RedBackman said:

Is that just a personal anecdote or are you perhaps misquoting some more popular mistranslated game reference? Search engines are only bringing me back to one result that mistook the words and another time you used it this same way.

I have downloaded that game and found out that there is a phrase "persevere in", however I'm sure that it was "preserve on" last time I've played it (20-something years ago?).

I think that this mistake was made by the translators of the pirated/cracked version of the game, because I also remember that in the game titles there also were phrases "thankings go to (some ppl in hacker/demo scene)" and "fuсkings go to LSD" which are absent in the version I've found now.

Edited by fdsa

8 hours ago, fdsa said:

I have downloaded that game and found out that there is a phrase "persevere in", however I'm sure that it was "preserve on" last time I've played it (20-something years ago?).

I think that this mistake was made by the translators of the pirated/cracked version of the game, because I also remember that in the game titles there also were phrases "thankings go to (some ppl in hacker/demo scene)" and "fuсkings go to LSD" which are absent in the version I've found now.


I've played my fair share of roms with unofficial translations, I'm sure it's out there somewhere. Just it's probably best not to make a joke that references something this obscure because everyone will think you're the one making mistakes. Now I'm off to play some Zeliard.


On 6/16/2022 at 10:35 PM, cliveshep said:

Right - update. Loaded Avast and let it do a full scan, it ran the whole night and was still chugging away this morning. When it finished it announced it had found a rootkit and would quarantine it and I must restart the computer.

Great I thought, told it to restart whereupon it started a full pre-boot scan. After another tedious hour it seemed to have frozen so I cancelled it and let the beast boot.

Had to open Avast again and behold - no quarantine with the rootkit. Ran various including full scans during the day, in between I managed to transfer money via Wise (3 seconds!) from the UK, on the basis that this rootkit is unable to escape to the outside world as Avast continuously blocks it very noisily so it cannot corrupt my bank.

During the day it constantly tries to connect and Avast blocks it instantly with a full-volume gonging noise!

Also I have piggy-backed a spare HDD via a caddy and a slow 2.0 USB connection to my laptop and am transferring across my pictures, home videos, folders etc and fresh app downloads. 

Once everything is solidly backed up I will format the machine and as suggested do a complete clean install.

As also suggested it will get rid of all the junk and clutter, the only downside is having to run in circles to get all my banking details reinstalled.

Don't forget to scan the backups after you reformatted the system, or you'll reinfect yourself again. Scan with multiple engines so you don't miss something.


On 6/17/2022 at 1:34 AM, ozimoron said:

“When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password,” he explained. ” If the password provided is a match, the hooked function returns a success response.”

https://threatpost.com/linux-malware-impossible-detect/179944/

 

I know of no linux servers which permit PAM authentication. Only a fool would allow it. Most servers use encrypted keys without root or password access. Most servers are also protected with Gateway or VPN on LAN subnets as well.

 

 

PAM is the core of all sorts of authentication on practically every Linux distribution, plus Solaris and others. The most widely used corporate 2FA (RSA SecurID) uses stacked PAM modules to do its job.


OP - glad you made the (correct) decision to re-format, it was definitely too far gone.


Have you considered mobile banking going forward? It's pretty convenient and once set up you probably won't need to remember passwords etc., you can use fingerprint or PIN authentication. Also, I would suggest using a password manager to help remember banking details etc. Bitwarden is a decent free one.


On 6/17/2022 at 4:08 AM, cliveshep said:

I see the thread has wandered off course, wondering what comes next in its digressions - someone spills mango rice on their keyboard leading to a discussion of sticky rice versus normal and what type of mango is best?

 

Currently bored, awaiting last of saved files being copied before formatting you lot into oblivion!

Delete all partitions before you format.


All working good now after a reload, then deleting the Windows.old folder, then another reload and delete. It's only time, not cost, and along the struggle to download missing minor software I picked up a ransomware virus, but nothing was lost and I simply reloaded, letting Windows isolate everything for me to delete later - which I have. A bit drastic but everything is now working perfectly again. Plus I threw away all my old software and purchased a new copy of Office Pro Plus 21 to go with a new copy of Windows 10.

 

So it's "yarbles" (yah balls!) to Mr Vladimir Putin's ransom-ware hackers and sundry rootkit providers, may your camels be infertile and your wife strangle you in your sleep!

 

But seriously, thanks for all the advice, in the end the only thing that guaranteed a clean machine was a double reload.

 

If anyone has a USB boot and format utility they can email me to create my own bootable USB format tool for future use which would have saved so much heartbreak I'd be so blessed to receive it. PM me for an email address. Thanks again everyone for all your help.


5 hours ago, cliveshep said:

So it's "yarbles" (yah balls!) to Mr Vladimir Putin's ransom-ware hackers and sundry rootkit providers, may your camels be infertile and your wife strangle you in your sleep!

Mr Vladimir Putin's ransomware hackers are targeted at big corporations and critical industries such as energy or healthcare, not random Joes' personal computers.

Edited by fdsa

5 hours ago, cliveshep said:

All working good now after a reload, then deleting the Windows.old folder, then another reload and delete. It's only time, not cost, and along the struggle to download missing minor software I picked up a ransomware virus, but nothing was lost and I simply reloaded, letting Windows isolate everything for me to delete later - which I have. A bit drastic but everything is now working perfectly again. Plus I threw away all my old software and purchased a new copy of Office Pro Plus 21 to go with a new copy of Windows 10.

 

So it's "yarbles" (yah balls!) to Mr Vladimir Putin's ransom-ware hackers and sundry rootkit providers, may your camels be infertile and your wife strangle you in your sleep!

 

But seriously, thanks for all the advice, in the end the only thing that guaranteed a clean machine was a double reload.

 

If anyone has a USB boot and format utility they can email me to create my own bootable USB format tool for future use which would have saved so much heartbreak I'd be so blessed to receive it. PM me for an email address. Thanks again everyone for all your help.

I think you should rethink where you get/download your software from. There are good sources out there with virus free software. And if you are not sure then obviously you should check the installer files before you install anything. And a USB boot and format utility is also easy to find online. It's not a good idea to just rely on others to send you a link. There are some malicious people out there. And they are successful because too many people believe: click here and all will be fine... 


5 hours ago, OneMoreFarang said:

I think you should rethink where you get/download your software from. There are good sources out there with virus free software. And if you are not sure then obviously you should check the installer files before you install anything. And a USB boot and format utility is also easy to find online. It's not a good idea to just rely on others to send you a link. There are some malicious people out there. And they are successful because too many people believe: click here and all will be fine... 

lol yes, that's exactly how you get into one of these situations. Trusting one random internet stranger to send you software through email...what could go wrong?


14 hours ago, blackshadow said:

HAVE YOU tried norton to solve your problems...

otherwise take to a good computer repair shop

 

 

where are you by the way???

Khlong Sam Wa Tawan Ok


20 hours ago, fdsa said:

Mr Vladimir Putin's ransomware hackers are targeted at big corporations and critical industries such as energy or healthcare, not random Joes' personal computers.

I'm NOT a random Joe, I'm a random Clive, and as far as I know Putin's computer death squads stick their poisonous worms on other people's web-sites to insinuate themselves into whoever visits, not just specific targets but all and sundry. This is the 2nd time, first time was WannaCry, but backing up saves the day except this time the back-up HDD failed disastrously.

 


On 7/1/2022 at 11:50 AM, blackshadow said:

OK GOOD FOR YOU

You don't understand, it is not "ok?" it is Ok as part of the name - Tawan Ok. Not being rude or abrupt at all, you asked for my location, Khlong Sam Wa Tawan Ok is the location, find it on Google maps.
