[SOLVED] Viruses?
Good afternoon.
A few days ago FreeOffice froze while opening a .doc file, and then it started happening more often. After that VirtualBox began to freeze too. It feels as if the computer is on its last legs (even though it is far from weak). Switching kernels made no difference. Installing the non-free video drivers did not help either.
I checked the system with RkHunter; below is its log, only the Warning lines plus 4 more. It seems to have found 2 rootkits, 4 files that are somehow not right, and a firefox process that turned out to be some kind of trojan.
Knowledgeable people, please tell me, based on the log, what exactly is wrong and how to fix it, if there really are problems.
Log:
[22:45:30] /usr/bin/egrep [ Warning ]
[22:45:30] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[22:45:30] /usr/bin/env [ OK ]
[22:45:30] /usr/bin/fgrep [ Warning ]
[22:45:30] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[22:45:30] /usr/bin/file [ OK ]
[22:45:30] /usr/bin/find [ OK ]
[22:45:30] /usr/bin/fsck [ OK ]
[22:45:31] /usr/bin/fuser [ OK ]
[22:45:34] /usr/bin/ldd [ Warning ]
[22:45:34] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[22:45:34] /usr/bin/less [ OK ]
[22:45:34] /usr/bin/logger [ OK ]
[22:45:34] /usr/bin/login [ OK ]
[22:45:35] /usr/bin/ls [ OK ]
[22:45:56] /usr/bin/vendor_perl/GET [ Warning ]
[22:45:56] Warning: The command '/usr/bin/vendor_perl/GET' has been replaced by a script: /usr/bin/vendor_perl/GET: Perl script text executable
[22:46:08] /usr/lib/systemd/systemd [ OK ]
[22:46:08] /etc/rkhunter.conf [ OK ]
[22:46:18]
[22:46:18] Info: Starting test name 'rootkits'
[22:47:34] Checking for suspicious (large) shared memory segments [ Warning ]
[22:47:34] Warning: The following suspicious (large) shared memory segments have been found:
[22:47:34] Process: /usr/lib/firefox/firefox PID: 11846 Owner: noname Size: 8,0MB (configured size allowed: 1,0MB)
[22:47:34] Process: /usr/lib/firefox/firefox PID: 11846 Owner: noname Size: 8,0MB (configured size allowed: 1,0MB)
[22:47:34]
[22:47:34] Info: Starting test name 'trojans'
[22:47:46] Checking for passwd file changes [ Warning ]
[22:47:47] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[22:47:47]
[22:47:47] Info: Starting test name 'group_changes'
[22:47:47] Checking for group file changes [ Warning ]
[22:47:47] Warning: Unable to check for group file differences: no copy of the group file exists.
[22:47:47] Checking root account shell history files [ None found ]
[22:47:47]
[22:47:47] Info: Starting test name 'system_configs'
[22:47:47] Performing system configuration file checks
[22:47:47] Checking if SSH root access is allowed [ Warning ]
[22:47:47] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[22:47:47] Checking if SSH protocol v1 is allowed [ Warning ]
[22:47:47] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[22:47:47] Checking for other suspicious configuration settings [ None found ]
[22:47:47]
[22:47:47] Info: Starting test name 'system_configs_syslog'
[22:47:52] Checking for hidden files and directories [ Warning ]
[22:47:52] Warning: Hidden file found: /etc/.updated: ASCII text
[22:47:52] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, max compression, from Unix, truncated
[22:47:52] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, max compression, from Unix, truncated
[22:47:52] Checking for missing log files [ Skipped ]
[22:47:52] Info: No missing log file names configured.
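As an added example (not part of the post, and not rkhunter's own code): a small Python parser that turns warning lines in the format posted above into a per-test list, tagging each warning with its class and the standard rkhunter follow-up (SCRIPTWHITELIST, --propupd, sshd_config). The `parse_rkhunter` function, the rule table and the follow-up wording are assumptions of this example; the sample excerpt is constructed, with its values copied from the posted log.

```python
import re

# Constructed rkhunter log excerpt in the format of the log posted above
# (values copied from it, one representative line per warning class).
SAMPLE_LOG = """\
[22:45:30] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[22:46:18] Info: Starting test name 'rootkits'
[22:47:34] Warning: The following suspicious (large) shared memory segments have been found:
[22:47:34] Process: /usr/lib/firefox/firefox PID: 11846 Owner: noname Size: 8,0MB (configured size allowed: 1,0MB)
[22:47:34] Info: Starting test name 'trojans'
[22:47:47] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[22:47:47] Info: Starting test name 'system_configs'
[22:47:47] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
[22:47:52] Warning: Hidden file found: /etc/.updated: ASCII text
"""

# Warning class -> (pattern, follow-up). Follow-ups are the usual rkhunter
# remediations, not a verdict on whether the finding is malicious.
RULES = [
    ("script_replacement", r"replaced by a script: (\S+):",
     "confirm the file is package-owned and unmodified, then add it to SCRIPTWHITELIST"),
    ("large_shm", r"suspicious \(large\) shared memory segments",
     "identify the owning process; raise ALLOW_SHM_SIZE only once it is confirmed"),
    ("missing_baseline", r"no copy of the (passwd|group) file exists",
     "no baseline stored yet: run 'rkhunter --propupd' on a known-good system"),
    ("ssh_config", r"SSH configuration option '(\w+)' has not been set",
     "set the option explicitly in sshd_config (e.g. PermitRootLogin no)"),
    ("hidden_file", r"Hidden file found: (\S+):",
     "check which package owns the path before treating it as suspicious"),
]
TEST_RE = re.compile(r"Starting test name '(\w+)'")
PROC_RE = re.compile(r"Process: (\S+) PID: (\d+)")


def parse_rkhunter(text):
    """One dict per warning: test section, class, detail and follow-up action."""
    findings, test = [], "file_properties"  # rkhunter's first test group
    for raw in text.splitlines():
        body = raw.partition("] ")[2]  # strip the "[HH:MM:SS] " prefix
        if t := TEST_RE.search(body):
            test = t.group(1)
        elif (p := PROC_RE.search(body)) and findings and findings[-1]["kind"] == "large_shm":
            findings[-1]["detail"] = f"{p.group(1)} pid {p.group(2)}"  # attach process line
        elif body.startswith("Warning:"):
            for kind, pattern, action in RULES:
                if w := re.search(pattern, body):
                    findings.append({"test": test, "kind": kind, "action": action,
                                     "detail": w.group(1) if w.groups() else ""})
                    break
    return findings
```

Run it over a full rkhunter.log to get the warnings grouped by test section with the check to perform for each; a class whose entries are all package-owned files (like the egrep/fgrep/ldd wrappers above) can then be whitelisted in one go.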
6 comments
Run:
$ sudo -E hw-probe -all -upload
(hw-probe has to be installed)
Then follow the link linux-hardware.org/?probe=ХХХХХХХХХ to see the summary of your hardware.
ХХХХХХХХХ is what you will get after running the command.
Perhaps this will give some food for thought.