
Transfer files from (potentially) infected Linux computer


  • This topic is locked
26 replies to this topic

#1 Enzix

Enzix

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 09 September 2016 - 03:11 PM

This topic might be for the "Am I infected?" section but I think it's better to nuke it and start fresh.

If I made a mistake by posting in the wrong section feel free to transfer it.

I apologize

 

TL;DR

 

I suspect that my computer might be infected with malware and I was wondering what might be the safest way to transfer files to a clean computer?

 

I was thinking about transferring all my documents to Dropbox or Google Drive (docs and PDF files), creating a bootable USB with Linux (possibly with Gparted or Linux Mint), booting it and transferring larger files (GoPro videos, pics etc) to an external hard drive. Later I would delete the partitions completely with Gparted and start over.

 

With a new, clean Linux Mint up and running I was planning to install Windows 10 in a Virtual box, transfer the files there, scan them with AVG and Malwarebytes before storing them on Linux again.
Or since I have dual boot with Win10 and Linux Mint 18 Cinnamon I can scan the files on Win10 but I would like to keep it clean.

 

Long version

 

I'm a curious guy... If I want to know how something works I try it myself, follow various guides and learn online. Recently, I was curious about malware and ransomware. How does it work and what happens "behind the scene"? So I did some research, found various documentation about it but that wasn't enough. Let's take a look at the deepweb, shall we? Bingo! Found a gold mine with PDFs. I was a fool not to install TorBrowser on a VM and browse/download. 

 

There I also found that various documents can contain viruses and malware. Before, I thought only .exe files can be dangerous. Oh boy, was I wrong... Then my Linux started acting weird.

One night, while just browsing a news portal, my screen flashed. After reading about how an attacker can take a screenshot of a victim's computer with just one command I got paranoid.

 

Fired up Wireshark to check for any suspicious traffic and I found out that my computer was sending traffic to computers/servers located in Russia, Slovakia and Republic of Korea. Got a bit more paranoid but I realized that Transmission was running and seeding. I was downloading Antergos by the way (wanted to see how it works).

 

Transmission closed, everything looked OK. But you can never be too careful. 

I ran chkrootkit and lynis - everything clear (I can post the results if you like)

 

Maybe it was nothing, I am just too paranoid, do not want to risk it and it's better to start fresh.

 

I'm open to suggestions




 


#2 Al1000

Al1000

  • Global Moderator
  • 8,033 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:01:24 AM

Posted 09 September 2016 - 03:38 PM

Hi Enzix,

We can't help with Windows malware in the Linux forum, but can certainly deal with using Linux to transfer files.

It sounds as if you already have that part covered; using Linux to move your files to another drive/location, then moving them back again when you have reinstalled Windows.

Apart from the screen "flashing," is there anything else that makes you suspect Linux might be infected? Can you describe what happened when Linux "started acting weird"?

#3 Enzix

Enzix
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 09 September 2016 - 04:04 PM

Hello Al1000,

 

Thank you for your reply.

I might not have expressed myself correctly.

 

My setup:

Dual Boot - Win10 and Linux Mint 18

 

Win10 is clean, used only for gaming (Steam only) and Adobe CS6 for some video editing.

Adobe is licenced and downloaded from Adobe.com directly.

Scanned Win10 a few times with AVG Ultimate and Malwarebytes (Trial) to make sure it was clean.

 

One evening on Linux I was browsing normally (Serbian news portal b92.net) and the screen flashed like I took a screenshot by pressing the Print Screen button.

In the morning, the internet was cut off so I had to restart the network interface.

 

It is probably nothing, the screen flashing is probably because I am using an ATI card (ATI Radeon 7950).

I had problems before with this card, after every kernel update I could not boot, but that is a different story.

 

Just to be on the safe side, I am planning to transfer the files, delete Linux completely and start over.

My only concern is to transfer the files safely to the external hard drive.

 

Edit: The safest way that I could come up with is to create a bootable USB with Linux, and through it transfer the files from Linux mint (that I have installed on my computer), delete everything with Gparted and start over.

 

If you guys know any safer way please let me know.


Edited by Enzix, 09 September 2016 - 04:13 PM.


#4 Al1000

Al1000

  • Global Moderator
  • 8,033 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:01:24 AM

Posted 09 September 2016 - 04:19 PM

Thanks for the clarification.

A bootable USB should be as safe a method as any to transfer the files.

#5 Viper_Security

Viper_Security

  • Members
  • 826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:06:24 PM

Posted 09 September 2016 - 04:46 PM

Thanks for the clarification.

A bootable USB should be as safe a method as any to transfer the files.

agreed, that would be the safest method.

 

and have you tried running chkrootkit -x ? the -x is for an extensive scan basically.

also do you have adblock installed on your browser? If not, that could help with roughly 70% of infections just by having adblock.

And are you using the "microcode processing" in the "Additional Drivers" menu? It is proprietary.

Same with your video driver, are you using the XORG config or using the proprietary driver?

 

my laptop would freeze until I switched video drivers and enabled microcode, no freezes since!


    IT Auditor & Security Professional



#6 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:24 AM

Posted 09 September 2016 - 06:50 PM

If you are truly worried about an infection (and on a Linux machine it's highly unlikely that you are actually infected), you should only transfer data file types (pics, videos, tunes, text files, etc), and not transfer any executable file types, which could potentially execute malicious code on the machine you transfer them to.  Remember macro file types can also execute code, so are also a potential risk if you transfer them.
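The live-USB transfer the opening posts describe, combined with Gary R's point about moving only data file types, as an added shell example that is not from any poster in this thread. It assumes the suspect Linux partition is already mounted (ideally read-only) at the path given as the first argument and the external drive at the second; the extension allowlist and denylist are constructed for illustration and should be adjusted to what you actually keep, and an extension is only a hint about a file's content, not proof of it. Files that match the denylist (executables, scripts, macro-enabled Office formats) or no list at all are left behind and recorded in a log, copied files lose their execute bit, and a SHA-256 manifest is written so the copy can be verified later.

```shell
#!/bin/sh
# Added example: copy only data files from a mounted suspect partition to a
# clean destination, leaving executables and macro-capable documents behind.
# The extension lists below are a constructed starting point, not a standard.

DATA_EXTS=" jpg jpeg png gif heic mp4 mov avi mkv mp3 flac wav txt md csv pdf odt ods odp docx xlsx pptx "
RISKY_EXTS=" exe dll scr com msi bat cmd ps1 vbs js jar sh py pl docm xlsm pptm dotm xlam "

# Print the lower-cased extension of a path, or nothing if it has none.
# A leading dot alone (".bashrc") does not count as an extension.
ext_of() {
    name=$(basename -- "$1")
    case "$name" in
        ?*.*) printf '%s' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *)    : ;;
    esac
}

# classify PATH: prints "allow" (data), "deny" (code or macro-capable)
# or "skip" (unknown extension, so not copied either).
classify() {
    e=$(ext_of "$1")
    [ -n "$e" ] || { echo skip; return 0; }
    case "$RISKY_EXTS" in *" $e "*) echo deny;  return 0 ;; esac
    case "$DATA_EXTS"  in *" $e "*) echo allow; return 0 ;; esac
    echo skip
}

# safe_copy SRC DST: copy allowed files under SRC into DST, keeping the
# directory layout, dropping execute bits, and writing a SHA-256 manifest
# plus a log of everything that was refused or skipped.
safe_copy() {
    src=${1%/}; dst=${2%/}
    mkdir -p "$dst" || return 1
    : > "$dst/MANIFEST.sha256"
    : > "$dst/NOT_COPIED.log"
    # One path per line: fine for ordinary names (not for names with newlines).
    find "$src" -type f -print | while IFS= read -r f; do
        rel=${f#"$src"/}
        verdict=$(classify "$f")
        if [ "$verdict" = allow ]; then
            mkdir -p "$dst/$(dirname -- "$rel")"
            cp -p -- "$f" "$dst/$rel" && chmod a-x "$dst/$rel"
            # Verify later from inside DST with: sha256sum -c MANIFEST.sha256
            (cd "$dst" && sha256sum -- "$rel") >> "$dst/MANIFEST.sha256"
        else
            printf '%s\t%s\n' "$verdict" "$rel" >> "$dst/NOT_COPIED.log"
        fi
    done
}

# Number of files recorded in the manifest under DST.
copied_count() { wc -l < "$1/MANIFEST.sha256" | tr -d ' '; }

# Run directly as: sh safe_copy.sh /mnt/suspect/home/user /media/external/backup
if [ "$#" -eq 2 ]; then
    safe_copy "$1" "$2"
    echo "copied $(copied_count "$2") files; see $2/NOT_COPIED.log for the rest"
fi
```

From the live USB, mount the old partition with `mount -o ro` before running this so nothing on it can be altered, and review `NOT_COPIED.log` afterwards to decide case by case whether anything there is worth fetching by hand. Keeping the manifest on the external drive means `sha256sum -c MANIFEST.sha256` can confirm the copy is intact once the machine has been reinstalled.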



#7 Enzix

Enzix
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 09 September 2016 - 07:23 PM

Thanks for the info

 

I have adblock installed, can't live without it :)

 

chkrootkit -x     #not infected

 

About the graphics card, I am using Microcode, "intel-microcode" version 3.20151106.1 and XORG config.

Tried the drivers from ATI website but I can't boot when I install these drivers.

 

Everything works fine with open source drivers and a freshly installed OS.

But as soon there is a kernel update (eg. 4.4.0-21-generic to 4.4.0-31-generic) disaster strikes.

 

I'll try again with Microcode and proprietary drivers when I transfer the files and re-install the OS.

 

Once again, thank you for the info and fast response :)



#8 SuperSapien64

SuperSapien64

  • Members
  • 1,020 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 PM

Posted 09 September 2016 - 10:13 PM

You should also use Firejail; it's an application sandbox and it can help prevent infections, that and enabling the firewall and surfing the web only from a non-admin account.



#9 Enzix

Enzix
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 10 September 2016 - 08:06 AM

I'll look into Firejail, thanks :)



#10 Trikein

Trikein

  • Members
  • 1,321 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rhode Island, US
  • Local time:08:24 PM

Posted 10 September 2016 - 09:07 AM

I'm impressed you even found malware that can infect Mint. Any idea what it is?



#11 Enzix

Enzix
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:03:24 AM

Posted 10 September 2016 - 09:27 AM

Honestly, everything looks clean but I am just suspecting it's infected.

 

It's probably nothing but I want to be on the safe side.

At the moment I am backing up my files but I can post a scan report (or any additional info).

 

Just tell me what you need.



#12 SuperSapien64

SuperSapien64

  • Members
  • 1,020 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 PM

Posted 12 September 2016 - 12:13 AM

To sandbox Firefox with Firejail enter the command firejail firefox or for Chromium firejail chromium-browser.



#13 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,018 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:24 PM

Posted 14 September 2016 - 02:14 PM

To sandbox Firefox with Firejail enter the command firejail firefox or for Chromium firejail chromium-browser.

 

That's all one has to do to sandbox these browsers? Does 'sudo' need to precede these commands?

 

Sounds like a great way to protect one's self with ease. :)

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#14 SuperSapien64

SuperSapien64

  • Members
  • 1,020 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:24 PM

Posted 14 September 2016 - 05:44 PM

 

To sandbox Firefox with Firejail enter the command firejail firefox or for Chromium firejail chromium-browser.

 

That's all one has to do to sandbox these browsers? Does 'sudo' need to precede these commands?

 


Cat

 

No. But if you're installing it on a Debian/Ubuntu distro I recommend using the terminal: sudo dpkg -i firejail_X.Y_1_amd64.deb for example,

sudo dpkg -i firejail_0.9.42_1_amd64.deb for the current version of Firejail. Link: https://firejail.wordpress.com/download-2/

And if you want extra security try the Private Home feature: firejail --private-home=.mozilla firefox. Nothing is saved in PH so it's kind of like Sandboxie. :)
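The launch commands given in posts #8, #12 and #14, wrapped in a small shell script as an added example (not from any poster in this thread, and not part of Firejail itself). It builds the same `firejail firefox` and `firejail --private-home=.mozilla firefox` invocations, answers the sudo question from the previous post by refusing to start as root, checks that firejail is installed before trying, and validates a `--private-home` list so that a mistyped entry is caught before the browser starts with a profile that does not contain what you expected. The `FIREJAIL_BROWSER` default and the helper names are this script's own assumptions.

```shell
#!/bin/sh
# Added example: a cautious wrapper for launching a browser under Firejail.

# Build the command line for a sandboxed launch.
# Usage: jail_argv BROWSER [PRIVATE_HOME_LIST]
jail_argv() {
    browser=$1; ph=$2
    if [ -n "$ph" ]; then
        printf 'firejail --private-home=%s %s' "$ph" "$browser"
    else
        printf 'firejail %s' "$browser"
    fi
}

# Firejail needs no sudo. A browser started as root inside a sandbox is still
# a root browser, so refuse rather than "just in case" it.
not_root() { [ "$(id -u)" -ne 0 ]; }

have_firejail() { command -v firejail >/dev/null 2>&1; }

# --private-home takes a comma-separated list of files or directories
# relative to $HOME that get copied into a fresh temporary home. Check each
# entry exists and stays inside HOME, so a typo is noticed before launch.
private_home_ok() {
    list=$1
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case "$entry" in
            ''|/*|..|../*|*/../*|*/..)
                IFS=$old_ifs
                echo "rejecting '$entry': must be a path relative to HOME" >&2
                return 1 ;;
        esac
        if [ ! -e "$HOME/$entry" ]; then
            IFS=$old_ifs
            echo "missing: $HOME/$entry" >&2
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# run_jailed BROWSER [PRIVATE_HOME_LIST]: perform the checks, then launch.
run_jailed() {
    not_root       || { echo "refusing to run as root; no sudo is needed" >&2; return 1; }
    have_firejail  || { echo "firejail is not installed" >&2; return 1; }
    if [ -n "$2" ]; then
        private_home_ok "$2" || return 1
    fi
    cmd=$(jail_argv "$1" "$2")
    echo "launching: $cmd"
    exec $cmd
}

# Run directly as:  sh jailed-browser.sh            (plain sandbox, default browser)
#                   sh jailed-browser.sh .mozilla   (private home seeded from ~/.mozilla)
if [ -n "$JAILED_BROWSER_MAIN" ]; then
    run_jailed "${FIREJAIL_BROWSER:-firefox}" "$1"
fi
```

Set `JAILED_BROWSER_MAIN=1` in the environment to let the script launch when invoked directly; the guard keeps the functions importable for testing. After launch, `firejail --list` from another terminal shows the running sandbox, which is the quickest way to confirm the browser really started inside the jail.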



#15 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,018 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:24 PM

Posted 17 September 2016 - 04:49 AM

SuperSapien, thanks for this advice, will bookmark the page for future reference. :)

 

Because there's no such thing as 'too much security' with a browser. Arguably, many seem to feel that Linux doesn't need security as far as the OS goes, yet your suggestion would most certainly apply to a browser. While it likely wouldn't matter if only one were on the network alone, if there are one or more Windows users on there at the same time, this practice may very well protect those users from malicious code while sharing the same connection. :thumbup2:

 

Or with cable based ISP's, possibly one's immediate neighbors also. I base this upon the Windows 10 agreement for updates, which can fetch updates from anyone in the area (within reach) if not turned off for best protection. Not a smart thing in allowing updates to be fed through possibly sick computers to ours (what amounts to a massive Microsoft botnet), which is why I have this disabled. I want my updates to come straight from Windows servers, and if needed, will obtain monitoring software to trace the connection. This may also be the reason why some upgrades ruin an otherwise prior near perfect install, fetching updates from computers that may be dual booting with XP.

 

Speaking of the browser, this is where they went wrong 10 years back, because back then, it could be sandboxed for best protection. Now it can't, because updates aren't delivered through IE. As far as Linux goes, updates have never come from the browser for as long as I can recall, nor are they shared with other computers to update as many as possible 'en masse'. Whereas we can see our update status in real time if performed via Terminal on Linux, the connection to one's preferred server & back, we don't see this with Windows, because there's no widely published or known option to update via cmd. If there were, I'd use it instead & so would many others.

 

Again, thanks for sharing this valuable tip that can protect many, not simply the Linux user alone. :)

 

Cat






