
Earlier today, my mother opened an email thinking it was from my sister-in-law, then clicked on the shortened link.

The link loaded a page of fairly nonsensical text. The source of the page had no explicit javascript code, but the text was formatted with a non-standard identifier. NoScript told me there were scripts on the page (but they weren't trusted, so should have been blocked).

The system is Fedora 32, upgraded to this release a few days ago. The browser is Firefox with NoScript installed.

What should I do to confirm the integrity of the system? I'm concerned about the integrity of the Linux system, of course, but I'd also be concerned about any possible transfer of viruses or malware to Windows users my mother emails.

I've done this once before after a similar incident. I'm planning to create a live USB to scan the system for problems (which I did before) using one of the forensic Linux distros designed for this, but I'm pretty sure I did something else last time and can't remember what.

What is necessary to ensure the system's integrity?

I've read Clicked link in faked email and https://security.stackexchange.com/a/17854. https://security.stackexchange.com/a/73660 is fairly scary, though I'm somewhat sceptical of its claims.

I also read various online guides, but had difficulty finding anything specific to Linux and reasonably current. (I think I must be searching the wrong terms because I seem to remember finding this kind of information fairly easily before.)

cfr
    Like that "scary" link says, there's not much you should worry about if everything is up to date. – multithr3at3d Jun 17 '20 at 22:56
  • Unless you went out of your way to disable it, Fedora 32 by default uses **SElinux** security measures. Between that and updated Firefox, the chances of click-thru malware are nearly non-existent. Finding such would be *Malware Gold!* *NoScript* further gilds the already high security. Your referenced links are very dated. As the song says, **"Don't worry, be happy"** – user10216038 Nov 15 '20 at 16:03

2 Answers


Most of the standard security in Linux distributions prevents the worst incidents. I assume your mother does not browse as root. And if your distro has the latest patches applied, most of the time you're OK.

There are some integrity checks, like chkrootkit; you must of course stay up to date, and it will not detect everything.

Further, more extreme measures would be to create a Trusted Computing Base, like they had (have?) on AIX. Store a checksum of every file and from time-to-time check if they are still correct. Be sure to update your signatures after each package upgrade.

You could also create a reference system and compare it with that. That is overkill for a single PC, of course.

And you could look into mounting partitions as read-only. I've seen /usr on a read-only, and that kind of works. Keeping up-to-date with the system is horror though.

Ljm Dullaart
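The "store a checksum of every file and re-check it later" approach from this answer (and the AIDE-style check mentioned in the next one), as an added example that is not code from the thread or from any of those tools. It builds a baseline of hash, mode and owner for every regular file under a directory, then diffs a fresh scan against it; the sample tree, file names and contents are constructed inside a temporary directory.

```python
import hashlib
import os
import pathlib
import stat
import tempfile

def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root to its hash plus permission and ownership bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": file_digest(full),
                             "mode": stat.S_IMODE(st.st_mode),
                             "uid": st.st_uid, "gid": st.st_gid}
    return baseline

def compare(old, new):
    """Return (added, removed, changed) paths; a chmod or chown alone counts as changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed

def run_demo():
    """Constructed scenario: baseline a fake tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        top = pathlib.Path(root)
        (top / "bin").mkdir()
        for rel, data in {"bin/ls": b"ELF-ls", "bin/ps": b"ELF-ps", "etc.conf": b"k=v"}.items():
            (top / rel).write_bytes(data)
        baseline = build_baseline(root)
        # Simulate a trojaned binary, a dropped hidden file and a deleted config between scans.
        (top / "bin/ls").write_bytes(b"ELF-ls-backdoored")
        (top / "bin/.hidden").write_bytes(b"dropper")
        (top / "etc.conf").unlink()
        return compare(baseline, build_baseline(root))
```

As the answer notes, the baseline must be rebuilt (or the package upgrade verified) after every update, or every patched binary shows up as "changed"; on Fedora, `rpm -Va` performs a comparable check of packaged files against the RPM database.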

If you have really been hacked there's no way to make sure you're not running malware, and the only way to resolve this is a complete wipe of your system. No, chkrootkit, rkhunter and the like are pretty useless because they are barely maintained; they detect only some well-known strains of malware and they don't go beyond that.

This affects not only Linux but Windows too, though Windows in some ways could be more difficult to hack because not only are the boot loader and the NT kernel signed, pretty much all Windows binaries are signed, and you can at least make sure you're running Microsoft binaries (however malware may install itself well outside of everything using the registry, printer spool files, task scheduler tasks, etc. etc. etc. - every day hackers find new ways to mask malware in such a way that it becomes invisible).

In Linux however only the bootloader and the kernel are signed while userspace is not. The kernel will happily run anything you throw at it. There's AIDE which you can install and use but it's useless after the fact and I don't believe it's thorough enough to protect e.g. against rootkits.

Artem S. Tashkinov