May my computer be infected?

Yesterday, when I closed the lid of my laptop and went to bed, it soon became really hot and unresponsive out of the blue. The cooling fans were spinning like crazy. I had to hard shut it down with the power button.

Today I noticed network usage going up to 4 MB/sec download speed, and the available space on my SSD shrank in seconds. It went from 700 MB to just 195 MB available really fast. To my knowledge, nothing was downloading.

When the data was downloading, I ran tcpdump. Here are some logs. Many connections to the mentioned domain, uploading data to it and downloading from it.

13:12:25.974901 IP ████████.48366 > server-3-164-230-108.arn53.r.cloudfront.net.https: Flags [.], ack 64037232, win 13361, options [nop,nop,TS val 2716116908 ecr 364845516,nop,nop,sack 3 {64055796:64317120}{64047228:64054368}{64042944:64045800}], length 0
13:12:25.974908 IP ████████.48366 > server-3-164-230-108.arn53.r.cloudfront.net.https: Flags [.], ack 64037232, win 13361, options [nop,nop,TS val 2716116908 ecr 364845516,nop,nop,sack 3 {64055796:64318548}{64047228:64054368}{64042944:64045800}], length 0
13:12:25.975198 IP server-3-164-230-108.arn53.r.cloudfront.net.https > ████████.48366: Flags [P.], seq 64318548:64319976, ack 421, win 133, options [nop,nop,TS val 364845517 ecr 2716116832], length 1428

A few days ago a dishonest and stalkerish person had direct access to my computer when I wasn’t present. She had an opportunity to upload a virus she may have downloaded from the Internet: in her mind a spyware, in reality also a miner.

I would use tools like

  • ps (for example ps aux --sort=-%mem | head)
  • pstree -p
  • top or htop
  • sudo lsof -i (for root owned processes: sudo lsof -u root | less)
  • sudo ausearch -ua 0
  • sudo find / -user root -perm -4000 -exec ls -ld {} \;

to check on the suspicious processes that are consuming CPU time and memory…

network connections: sudo netstat -tulnp or sudo ss -tulnp

1 Like

I’d start with sudo ss -tapn (avoid netstat; it’s deprecated and very slow).

I would firstly do what augenauf said.

But I would also do the following on top of that:

  • Check the ~/.ssh/authorized_keys for all the users with a home.
  • Run sudo ausearch -m USER_AUTH and look for strange logins, and other things like that.
  • I would run sudo getcap -r / to check for binaries with interesting capabilities.
  • Check /etc/passwd for odd accounts, other super users, service accounts with shells, and also /etc/shadow for any accounts with passwords.
  • Check /etc/profile.d, /etc/profile, /etc/bashrc, etc., basically any shell rc files, including my own ~/.bashrc or equivalent, for anything strange.
  • Check the system-wide crontab /etc/crontab, along with all the users’ (including system users’) crontabs.
  • Probably check for strange systemd services with sudo systemctl.
  • And finally I’d use some tool like chkrootkit to look for rootkits.

And if after all of this I still wasn’t sure, or felt unsafe with the idea, I would just reinstall after backing up only the most important data.

3 Likes
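The file checks in the post above (authorized_keys under every home, /etc/passwd and /etc/shadow, crontabs) as a small POSIX shell triage script, added here as an example; it is not code from the thread, and the live-system paths at the bottom are assumed Linux defaults. Each function takes file paths, so it can also be pointed at copied files or a mounted image of the disk.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the file checks in the
# post above. Each takes file paths, so it works on a mounted image or on
# copied files as well as the live system; live paths below are assumptions.

# Extra uid 0 accounts, and service accounts (uid 1-999) with a real shell.
suspicious_passwd_entries() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
            print "service-with-shell:" $1 }
    ' "$1"
}

# Shadow entries carrying a real hash ($...) rather than a locked (!, *) field.
accounts_with_passwords() {
    awk -F: 'substr($2, 1, 1) == "$" { print $1 }' "$1"
}

# Every ~/.ssh/authorized_keys reachable from the home dirs in a passwd file.
list_authorized_keys() {
    awk -F: '$6 != "" { print $6 }' "$1" | while read -r home; do
        if [ -f "$home/.ssh/authorized_keys" ]; then
            echo "$home/.ssh/authorized_keys"
        fi
    done
}

# Active (non-blank, non-comment) lines of every crontab file under the given
# files or directories, prefixed with the file name; unreadable ones are skipped.
active_cron_lines() {
    find "$@" -type f 2>/dev/null | while read -r f; do
        if [ -r "$f" ]; then
            awk -v f="$f" '/^[[:space:]]*[^#[:space:]]/ { print f ": " $0 }' "$f"
        fi
    done
}

# Live run against the usual Linux locations (assumed paths).
if [ -r /etc/passwd ]; then
    suspicious_passwd_entries /etc/passwd
    list_authorized_keys /etc/passwd
fi
if [ -r /etc/shadow ]; then
    accounts_with_passwords /etc/shadow
fi
active_cron_lines /etc/crontab /etc/cron.d /var/spool/cron
```

Anything it prints still needs a human to decide whether it is expected for that machine; an empty result only means these particular locations are clean.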

If you’ve set up btrfs snapshots, you could back up anything you’ve done since then and revert to a snapshot point from before.