
Best way to check if one is infected with a virus?

  • 26-09-2014 9:59am
    #1
    Registered Users Posts: 631 ✭✭✭


    Lately, I had some unusual glitches on my home server (Ubuntu) that I could not pinpoint. I ended up reinstalling.

    With the latest openssh and bash shenanigans I wonder if I might be infected.
    Has anyone any tips on checking if you are infected?

    What tools do you normally use to be sure you are safe?


Comments

  • Registered Users Posts: 87 ✭✭minion35


    You could check if you are infected by installing ClamAV, this is the main Linux based anti-virus solution that I would recommend. Although I doubt you have been infected by a virus. Another method is to run the "top" command in order to see what processes are running on the system and check if any suspicious processes are running.

    When you say glitches what exactly do you mean?


  • Registered Users Posts: 23,212 ✭✭✭✭Tom Dunne


    I would say it is extremely unlikely that you are infected with a virus.

    As minion said, use the top command and the log files in /var/log to see what's going on.


  • Registered Users Posts: 631 ✭✭✭Wcool


    It looked like the permissions on certain log files in /var/log had changed.

    I can see from auth.log that at least 20 people try to connect to my box over ssh. That is quite normal and I installed fail2ban to ban IP addresses, but what I noticed is that a block of certain IP addresses is trying again and again every day. Almost as if a bot had access to my box and now tries to re-establish a connection. Before there were many login attempts too, but more from a random range of IP addresses.

    And last week someone used my credit card number somewhere abroad (probably not related, I don't think I have that info on my server).

    Maybe I am just paranoid, but I had installed so many 'try-out' programs over the years - all potential leaks - that I decided to do a fresh install, only took me an hour, keeping the original config files.

    Is ClamAV running all the time? Personally I am not much of a believer in scanning your whole server every day again. It's just not fine-grained enough and can be rigged before the next iteration.

    The problem with the top command is that some processes have names of which I do not know if they are standard Linux. If a trojan maker would run a process, it wouldn't be difficult to name it 'kdisk' or something like it and I would not have a clue if it is legit.

    Does anyone use 'rootkit' to find root kits? Or run wireshark to spot weird connections? I just don't know what is typical or convenient?

    Also, I installed ntop to track network use but I find it has a large overhead and because I run a torrent server, it is still difficult to spot an iffy connection because there are so many.

    Another question: I have an entry for root in /etc/passwd:
    root:x:0:0:root:/root:/bin/bash

    is this normal on a box where you normally only sudo in?
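Two of the checks asked about above, written as an added example for this thread (not code from any poster): pick out the source addresses in auth.log that keep coming back on different days, and list every UID 0 account in /etc/passwd. The log lines and passwd entries are constructed samples in Ubuntu's format.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not real data); the line format is Ubuntu's sshd logging.
AUTH_LOG = """\
Sep 24 02:11:05 home sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 24 02:11:09 home sshd[1203]: Failed password for root from 203.0.113.7 port 51031 ssh2
Sep 24 09:40:12 home sshd[1350]: Failed password for invalid user test from 198.51.100.23 port 40012 ssh2
Sep 25 02:12:44 home sshd[2201]: Failed password for root from 203.0.113.7 port 52210 ssh2
Sep 25 14:03:01 home sshd[2304]: Accepted publickey for wcool from 192.0.2.10 port 55100 ssh2
Sep 26 02:10:58 home sshd[3102]: Failed password for root from 203.0.113.7 port 53004 ssh2
"""

FAILED = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def failed_logins_by_ip(log_text):
    """Map each source IP to the set of (month, day) on which it produced failed SSH logins."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            days[m.group("ip")].add((m.group("month"), int(m.group("day"))))
    return days

def repeat_offenders(log_text, min_days=2):
    """IPs seen failing on at least min_days distinct days: the 'same block every day'
    pattern described in the post, as opposed to one-off scanner noise."""
    return sorted(ip for ip, d in failed_logins_by_ip(log_text).items() if len(d) >= min_days)

# Constructed /etc/passwd sample; a second UID 0 entry besides root is a classic backdoor sign.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
wcool:x:1000:1000:Wcool:/home/wcool:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

def uid_zero_accounts(passwd_text):
    """Names of all accounts with UID 0 (third field); only 'root' is expected."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0":
            names.append(fields[0])
    return names
```

On a live box the same functions can be fed `open("/var/log/auth.log").read()` and `open("/etc/passwd").read()`; the root line quoted in the question yields just `["root"]`, which is the normal result.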


  • Registered Users Posts: 631 ✭✭✭Wcool


    Is really nobody putting any special effort in securing their home server? The fact that it is Linux doesn't mean it can't be hacked :D
    I'd say Linux becomes a bigger target every day!


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    You could run rkhunter too to check for root kits.

    Did you check your auth log before the reinstall? It could be the same amount of auth attempts were taking place then and now. I know on my servers there's a lot of activity like that, it's normal enough.

    You could, if you're not already:
    1. Make sure you're using key authentication and disable password auth
    2. Better still, install two factor ssh authentication
    3. Move ssh to a different port to avoid common port scans/scripts
    4. Install csf (if you're not happy with f2b)

    I wouldn't bother with AV personally. It's very unlikely you're infected.
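Points 1 and 2 of the list above as sshd_config settings, with a small audit function that reports which of them a config is missing. This is an added example for the thread, not code from any poster; the two config fragments are constructed, and the 2FA line assumes a PAM one-time-password module is installed, since that is what keyboard-interactive hands off to.

```python
# Constructed fragment in the shape of a stock permissive sshd_config.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed hardened fragment: keys only, no root login, key plus PAM one-time password.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive is the method a PAM-based OTP module plugs into
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

def parse_sshd_config(text):
    """Effective settings as {lowercased keyword: value}. Comments and blank lines are
    skipped; sshd honours the first occurrence of a keyword, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Findings for the weak settings; a keyword that is absent is treated as its permissive value."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes -> set to no and use keys")
    if cfg.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin %s -> set to no" % cfg.get("permitrootlogin", "yes"))
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication no -> set to yes")
    if "keyboard-interactive" not in cfg.get("authenticationmethods", ""):
        findings.append("no second factor -> AuthenticationMethods publickey,keyboard-interactive")
    return findings
```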


  • Registered Users Posts: 631 ✭✭✭Wcool


    Ok thanks, I will have a look at hardening the SSH. Unfortunately I can't change the port as I would not be able to log in from work.


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    Wcool wrote:
    Ok thanks, I will have a look at hardening the SSH. Unfortunately I can't change the port as I would not be able to log in from work.

    Try sslh for ssh over port 443, it may still work from work for you.


  • Registered Users Posts: 87 ✭✭minion35


    I run my home server on my home network in a DMZ, which is controlled by an external router and firewall. I know this is overkill as the only things that I use this server for are application testing and media file storage.

    As for the multiple SSH connections, this can be put down to bot applications randomly trying ssh to servers on the net. This happens a good bit but as most of them are using bruteforce attacks it shouldn't be anything to be that worried about.

