System possibly hijacked by malware (downloadable .rar file)

Hi all,

I’ve recently had a malware experience I need some help with - firstly in terms of dealing with the ‘cleanup’ but also in terms of possible wider security concerns, as I’m quite alarmed at what it was able to exploit without any superuser privilege.

Background:

Recently, in an attempt to get an uncooperative printer running in our home Linux environments, I admittedly took a bit of a risk and purchased some firmware. This was provided as a link to what appeared to be a file hosting service, and what appeared to be a downloadable .rar file (I can provide this link, if appropriate).

Upon attempting to extract it with PeaZip, it asked for a password, but the one provided by the seller was rejected as incorrect. I subsequently reported the sale as fraudulent and had my money refunded.

Symptoms:

When booting this machine 3 days later, it was observed to hang mid-boot, shortly after showing GDM service. When I pressed the power button for less than 2 seconds, it shut down, but seemed to output different progress messages than usual - it had a different font compared to normal.

I subsequently tried rebooting with the router off, and it booted up as normal, allowing me to immediately back up and delete anything I considered important.

I then reconnected the wifi, at which point I noticed a 13.7MB/s outgoing data transfer. Even more alarming, upon opening Terminal I was greeted with an admittedly inventive rendition (in the Terminal window itself) of “Never gonna give you up” culminating in a purple love heart <3. I disconnected it from wifi again - clearly aware now the machine had been compromised - and when I opened Terminal it was normal again (only with no wifi).

Response:

It’s a given, obviously, that this .rar was malware, and in hindsight it’s a risk I should have been more cautious with - although having exhausted every other trick I knew to get this printer working, and spent my $60, the sunk cost made it seem worth being optimistic…

But, in an effort to turn this into at least a learning experience - not to mention damage control - I’m trying to figure out exactly what’s happened here, specifically:

  • Is there any way to figure out just what this attack was, how it worked, and what data has been compromised or uploaded to the attacker?

  • Should I be concerned about the backups of personal data I copied off? Could other seemingly innocuous files (e.g. PDFs) now be edited to contain malicious code? Is there any way to check?

  • Has it possibly propagated through the rest of my home network? How would I check/mitigate if other PCs or potentially even routers/IoT devices have had malware served to them?

  • How did a supposed .rar file even make such wide changes through the system as to change even the boot process? This particularly is quite alarming, that one malicious file can seemingly have such free rein if it tricks the user into opening it. I don’t remember having to enter my own user password at any point, so I wouldn’t think any executable would even have permissions to make such changes to the boot process.

I haven’t formatted and reinstalled the operating system onto the laptop as yet, because I’m curious to work out what went wrong, but I wonder if this is possibly a wider vulnerability that needs investigation.

Thanks

Screenshot from 2024-10-09 18-28-14
Screenshot from 2024-10-09 18-31-56


The terminal event was this: GitHub - keroserene/rickrollrc: Rick Astley invades your terminal.

I’m no expert on malware, but as a general note as you investigate - don’t underestimate the power of what can be done with just your basic user access.

The issue booting up that one time might very well have been coincidental, and if it was, then what you’re describing could have been done without prompting for your password to elevate privileges, because it would just require your existing user account’s privileges - e.g. you can edit your own bashrc, so a malicious script could as well. You could upload a file that you have read access to somewhere, so could the script, etc.

To that point, until you can positively identify what actually happened, it’d be safest to act as if any actions that could be taken by you as a user on your home network might have been performed maliciously (e.g. if you can ssh copy files to another device on your network, then you’ll likely need to check those devices too).

I’d guess that early on, you’d want to figure out if “what appeared to be a file hosting service” could have been a malicious site itself, serving some sort of drive-by browser exploit, and then whether the file you downloaded was maliciously crafted in some way to activate upon an attempt to unzip.


Since you have a known malware event the only secure way (and sometimes not even 100% successful) to recover is to do a full wipe of the drive and a new clean install.

There is some malware that is able to modify the BIOS and remain hidden that way.

What printer was involved (make & model) and what site was the ‘driver’ purchased from?

AFAIK there are no manufacturers that would charge for drivers to set up their printers so that should have been seen as a red flag right there.

Yes, if the files were offloaded after the attack occurred then they may be compromised.

Your image there seems to show the IP address of the system (and is not a normal prompt display). As such it may have modified your PS1 unless you did that deliberately. If that change was not your action then whatever was done by the .rar file certainly has corrupted at least some of the data in your home directory.


It wouldn’t be good if the malware could modify the BIOS.

The printer is a Toshiba e-studio2505AC
The firmware got wiped accidentally when formatting the hard drive.
Toshiba want $104.50 AUD to provide the firmware, so I chose to buy it from Aliexpress - big mistake.
I’ve never heard of selling firmware - they give drivers for free, but not firmware it seems. (service plan ran out as well).

I didn’t notice it was showing the IP address in terminal, good spotting, that would explain why it was only playing up when it had wifi internet.
I didn’t modify the PS1.

Thanks for your thoughts

I guess the question is now, should I keep the laptop in the state it is, to try to diagnose what has happened?
Or
Should I wipe it and not worry about working it out?

Is there a way to diagnose and see how serious the malware attack was?

That is a known weakness for UEFI BIOS. In fact the mokutil app does access the BIOS, and there are known malware attacks that can corrupt your BIOS. I do not remember the names but they exist.

One related thread.
https://www.reddit.com/r/antivirus/comments/189illw/how_common_are_bios_malware/

As far as your laptop goes:
I would not take the time to diagnose and attempt a repair.

There are some tools to identify certain known attacks, but not all, and repairs almost always require a full wipe and reinstall. chkrootkit is one that I use occasionally, but the main risk of getting malware is, as you already experienced, downloading anything from unknown and untrusted 3rd party sites.


From Ask Fedora to The Water Cooler


As long as you cannot say exactly what is happening, you should not make wrong accusations that the Fedora boot chain got compromised.

That is why I changed the title and moved it to the off topic section.

Such investigations as you propose are best done when you hire someone who has the tools and the knowledge to do it at your home, if really needed.

Why on earth would you do something so deliberately obstructive?

I’ve just spent half an hour trying to type a reply to the OP, only to lose the lot because you decided to arbitrarily move the thread. Apparently because of your personal objection to the phrasing of their self-directed troubleshooting efforts?

Why would you suppress someone in genuine need, because you feel the need to gatekeep the troubleshooting language? Moreover, the boot chain arguably has been affected based on the description provided re. failing to load the DM. Frankly, characterising this as a ‘wrong accusation’ and moving the thread out of the main discussion comes across as dismissive and petty at best, and outright retaliatory gaslighting at worst. Not helpful, and certainly not very community-minded.

To the OP:

This is a shortened version of what I originally wrote, but you may want to upload the .rar files to something like VirusTotal and see if it’s identified as already known.

Fedora and Linux in general have quite poor sandboxing and security posture, and it’s quite easy to ‘trick’ your way into granting elevated privileges. You cannot assume “viruses don’t work on Linux” as many still do.

If you need to get your computer going, but want to investigate further later, consider making a disc image of the system partition with dd, then a full wipe and format. That way you can mount it later to look at logs and dig at your leisure.

I wouldn’t think you have a BIOS exploit - normally you would see quite an extended flashing routine occur during reboot. BUT - if you’re saying it did hang after that first reboot…it’s possible. It smells like this is ‘script kiddie’ stuff but hard to say without looking.

It may be safest and easiest to simply get a new PC, if this worries you and you’re not confident re-flashing the BIOS yourself.


I haven’t read the whole thread (pretty much stopped at the above quote). But if you think you are about to do something “risky”, I find taking a snapshot of the filesystem(s) is a good practice. I use ZFS, but Fedora Linux’s default Btrfs also supports snapshots and rollbacks. Another neat feature that ZFS has is the ability to “diff” two filesystem snapshots. I don’t know if Btrfs has that feature, but something like that might help to clue you in to exactly what files were changed and how.
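As an added example (not from the thread, and not using the ZFS or Btrfs tooling itself), the POSIX shell functions below produce the kind of file-level diff described above from any two mounted trees, such as a read-only Btrfs snapshot of /home and the live /home; the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Btrfs/ZFS: list the files
# added, removed or changed between two directory trees, e.g. a read-only
# Btrfs snapshot of /home taken before the download and the live /home
# mounted from a rescue medium. Paths are assumptions for illustration.
# .cache and __pycache__ are skipped because they swamp the diff with noise.

# manifest DIR -> one "relative/path<TAB>sha256" line per regular file
manifest() {
    ( cd "$1" && find . -type f ! -path './.cache/*' ! -path '*/__pycache__/*' \
          -exec sha256sum {} + ) \
    | awk '{ h = $1; sub(/^[0-9a-f]+  \.\//, ""); print $0 "\t" h }'
}

# snapshot_diff BEFORE AFTER -> lines "added<TAB>path", "removed<TAB>path",
# "changed<TAB>path"; unchanged files are not listed
snapshot_diff() {
    tab=$(printf '\t')
    before=$(mktemp) && after=$(mktemp)
    manifest "$1" | LC_ALL=C sort > "$before"
    manifest "$2" | LC_ALL=C sort > "$after"
    # full outer join on path; -e fills the hash for a side that lacks the file
    LC_ALL=C join -t "$tab" -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$before" "$after" \
    | awk -F '\t' '
        $2 == "MISSING" { print "added\t"   $1; next }
        $3 == "MISSING" { print "removed\t" $1; next }
        $2 != $3        { print "changed\t" $1 }'
    rm -f "$before" "$after"
}

# usage (assumed paths): snapshot_diff /.snapshots/home-before /mnt/sysroot/home
```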


I am sorry about the time you lost. Next time please have a look in Profile > Drafts, if you can find the lost text you wrote. Normally, by default Discourse is saving them there.

This topic has been open for 3 days now, several users answered. And the title has been written as “click bait”. Panic making.

The OP made a series of silly steps which caused these difficulties.
And also, the topic is not Fedora specific. This could have happened on any distribution with all these silly mistakes.

Unfortunately we do already have some panic-making users who just show up when they have this kind of issues and security preoccupations. So I was taking this topic out of the way, and did put it there where it belongs, in the off topic section.

And it is also not really nice for a first topic, from your side @soaring-kettlecorn, attacking others while they also spend a lot of time to read here and try to keep a bit of order.

Unbelievable. Who do you think you are, to hand out labels like ‘silly’ and ‘click bait’? Frankly you’re just doubling down on your own personal prejudices here, and your assumptions (particularly of their gender as “he”) are very telling in their own right…

I wouldn’t call anything the OP wrote as panic-making, click bait, or any such emotive terms, nor did anyone else - it’s a polite, well-explained summary with logical questions, and the original title seems appropriate given the observed changes to boot progress. Labelling them as “some panic making users” makes entirely unjustified and unfair assumptions about their intent. If anything, you’re the one trying to insert agitative language here.

Moreover, they recognise in hindsight what their possible mistakes were, so what is gained from belittling and marginalising them for this? Don’t tell yourself you’re ‘keeping order’ - the discussion was just fine up until you interfered to satisfy yourself.

Everyone is new at some point, and makes mistakes. The sort of condescending attitude you display is what gives the Linux community a reputation as elitist and judgemental. If you can see this has been up for 3 days without much progress, why not try and be helpful?

And this isn’t my first topic - for some reason my account was reset, I think in the transition from the old Ask Fedora website maybe. But that’s honestly irrelevant, and trying to pick on me for my low post count is just another instance of petty behaviour on your part.

Be better.


Yes such a diff would be really interesting. Will be full of cache and random stuff, but also the important files.

@ilikelinux I agree that this should stay in Ask, but the current title is better

There are no signs that the boot chain is compromised. As soon as you run any command with sudo, it can be likely that that script has placed an alias that catches the sudo password. Then it could infiltrate something like the boot files, but why?

The home contains everything you need. You can run code from there, all your files are there, …

We leave it in the Water Cooler, alias off topic, as long as we do not get log files and cannot clearly say that it is Fedora specific.

The release of F41 is close. Let's focus on that. The discussion can also be held where it is.

I don't think dealing with malware has anything to do with a release.

You changed the name, now it is just an issue with malware. We don't put things in the Water Cooler because of missing info.

But yes, logs, files, diffs are needed. But you cannot just boot into a malicious system and get logs, you should turn that off immediately.

@etm19

It is correct that you should

  1. Not boot into that OS
  2. Use dd or clonezilla to clone that system to a separate SSD, then wipe it, then reinstall Fedora
  3. Check your Firmware, is it supported by fwupd? Then good luck, you may have persistent malware. If not, then maybe not.

Clone the system, wipe it, reinstall fedora.

You could also use a Fedora Live medium like the one you use for installation, remove all devices and only log in using that.

Using a USB SSD adapter you could also relay the SSD to a virtual machine easily like I explained a while ago in a howto

The VM can be using GNOME Boxes or virt-manager, and doesn't need any permissions; in virt-manager you can use the QEMU user session.

Please give us

  • ~/.bashrc
  • the .run file
  • exact boot errors

@glb As Fedora Workstation uses BTRFS but doesn't do anything with it, we likely cannot get a diff like that. This is a huge issue, but unfortunately that is the state currently.


We should really make a wiki entry on how to deal with malware! There is tons of knowledge randomly thrown around here! Like the dangers of mokutil, UEFI, ZFS diffs etc.

For files:

  • you could use dangerzone to clean them
  • best would be to have a backup and compare the files
  • PDFs, office documents, SVGs can all contain malware but this would require processing all the files, opening them up and adding stuff

I can imagine that this is just a joke on the Linux users. Malware exists. There are no indications that the system is really hijacked, but it may be.
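The replies above ask for ~/.bashrc and warn about a sudo alias or a rewritten PS1 placed there. As an added example (not code from the thread or from Fedora), the following POSIX shell functions scan the start-up files of a home directory taken from a cloned or offline-mounted disk and report the lines an investigator should read first; the file list and patterns are assumptions and a heuristic, not a complete detector.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: audit the shell
# start-up files in a home directory (mount the disk or clone offline first,
# as the replies above advise) for the changes discussed in this thread:
# aliases/functions shadowing sudo or ssh, a rewritten PS1, a home-first PATH,
# sourcing of files from $HOME or temp dirs, and fetch-and-run or background
# commands. Output is one line per finding: FILE:LINE: LABEL: text

# scan FILE LABEL ERE_PATTERN -> prints each matching line with its number
scan() {
    grep -nE -- "$3" "$1" 2>/dev/null \
        | sed "s|^\([0-9][0-9]*\):|$1:\1: $2: |"
}

# Files to audit: the usual bash/zsh/fish start-up files plus Fedora's
# ~/.bashrc.d/ drop-in directory, which the default .bashrc sources.
startup_files() {
    for f in "$1"/.bashrc "$1"/.bash_profile "$1"/.bash_login "$1"/.profile \
             "$1"/.bash_aliases "$1"/.bash_logout "$1"/.zshrc "$1"/.zprofile \
             "$1"/.zshenv "$1"/.config/fish/config.fish "$1"/.bashrc.d/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# audit_startup_files HOME_DIR (e.g. /mnt/evidence/home/alice, an assumed path)
audit_startup_files() {
    startup_files "$1" | while IFS= read -r f; do
        scan "$f" 'shadowed privilege/remote command' \
          '^[[:space:]]*(alias[[:space:]]+(sudo|su|ssh|doas|passwd)=|(function[[:space:]]+)?(sudo|su|ssh|doas|passwd)[[:space:]]*\(\))'
        # Fedora's default ~/.bashrc does not set PS1, so any assignment is of interest
        scan "$f" 'prompt rewritten' '^[[:space:]]*(export[[:space:]]+)?PS1='
        scan "$f" 'home-first PATH' \
          '^[[:space:]]*(export[[:space:]]+)?PATH=["'\'']?(~|\$HOME|/tmp|/dev/shm|\.[/:])'
        scan "$f" 'sources file from home or temp dir' \
          '^[[:space:]]*(\.|source)[[:space:]]+["'\'']?(~|\$HOME|/tmp|/dev/shm|/var/tmp)'
        scan "$f" 'fetch-and-run or background job' \
          '(curl|wget)[^|]*[|][[:space:]]*(ba|z|da)?sh|base64[[:space:]]+(-d|--decode)|^[[:space:]]*(nohup|setsid)[[:space:]]|&[[:space:]]*$'
    done
    return 0
}
```

Run it from a live medium against the mounted copy, never from a shell started on the suspect system, since that shell has already sourced the files being checked.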


From The Water Cooler to Ask Fedora


The OP mentions that the system will “hang mid-boot, shortly after showing GDM service” - presumably this means it’s not loading to the DE, which suggests some aspect of the normal boot process is compromised. Whether this is anything from kernel level or just some local user config issue is hard to say.

I think really the critical question here is whether the edits obviously made to bash to get the rickroll going have also been used to pull off some sort of privilege escalation (see here for further detail on how this is done: linux - Do sudo and .profile/.bashrc enable trivial privilege escalation? - Information Security Stack Exchange)

@etm19 Since downloading this file, have you at ANY point for ANY other task used sudo or otherwise authenticated for privileged actions (this would include entering the current user password in a dialogue box, for example)?


@ilikelinux & @soaring-kettlecorn may I remind both of you about the best practices to achieve constructive discussions & value for everybody (… and on the code of our Discourse).

Constructive discussions seldom begin with “unbelievable” and “silly”, and blame is not helpful either.

It is correct that the topic title is not optimal, but the user maybe has no experience with the related fields, and it can be stressful to be in a situation in which it is not clear if one's own system was compromised. The best thing we can do is to help the user to understand the situation and to evaluate a solution.

Any TL4 & mod who has read through the issue is free to help in adjusting the topic title if that may support the solving of the topic.
