Should I reinstall or check for malware (and how)? -urgent -thanks!
Hi!
Yesterday I did a stupid thing.
I received a fake email message, allegedly from the registrar I use, saying one of my domains had expired and I had to renew it. I saw it and thought "Oh, that's phishing! Let's see how they did the login webpage of my registrar" and -stupid me- clicked the link provided in the email body.
I saw no login webpage but a redirection to a blank page and quickly realized I should not have clicked on that link (because the attack probably was not about stealing the registrar credentials but about executing some code). I closed everything and shut down my computer. Got so stressed I did not think that the first step was to go offline. Maybe around 25 seconds passed from opening the link to having my Trisquel 11 shut down.
That email message did not look like general phishing; it had some details about me, which perhaps could mean it was a targeted attack. I am not sure about it, but it got me paranoid.
I found some online tools that told me that the link of that email message was clean, others told me it might contain malware and others told me it was extremely dangerous (at 97% - don't know what that percentage really could mean...)
I had my Abrowser configured with the "Strict" option but sadly I had Javascript enabled. And Abrowser was not running on Firejail, a separate VM or container, but in the same computer where I have everything, including my password manager (which was running at that moment, but locked).
That Trisquel computer has not been online since the incident.
Unfortunately I also saw that my Timeshift snapshots have not been working for the last 4 months.
Right now formatting and reinstalling everything from scratch is the only satisfying plan I have (and anyway I will change some passwords, like Abrowser's master password, the one of the password manager, and the one of the gnulinux user).
Although I have a backup of important data and can access everything offline if needed, it's still a lot of work for me to reinstall everything I have in there and tune it as it is now. That's why I am here asking if perhaps someone more skilled would do something else that could bring them peace of mind without reinstalling everything?
What would you do?
I thought of looking for modifications that happened around that time, but I think there are many and I am not able to look for suspicious ones or distinguish between normal and dangerous ones. Don't know if that would be a trustworthy solution, or if there are others, or if they are worth it.
Thank you
Hi Lola,
First off, take a deep breath. You've already taken some smart steps by assessing the situation. It's easy to spiral into worst-case scenarios, but let's focus on what actually happened. Before reinstalling everything, consider checking for suspicious activity. If nothing concrete shows up, a full reinstall might not be necessary. Rational decisions trump fear-driven ones, so take your time to evaluate. You've got this!
Thank you. Your words feel good.
I managed to get this. It's not very accurate in terms of time. I mean some events might have happened before or afterwards and be related to other things I did. But I think the incident took place around this period:
root@mybelovedtrisquel:~# find / -type f -newermt "2025-01-03 23:00" ! -newermt "2025-01-04 01:00" -exec stat --format='%y %n' {} \;
2025-01-03 23:15:25.023424954 +0100 /root/.config/falkon/profiles/default/version
2025-01-03 23:15:10.335425182 +0100 /root/.dbus/session-bus/ca21aa6c97ec457db0c129148f4967bf-0
2025-01-03 23:29:47.228016304 +0100 /var/log/timeshift/2025-01-03_23-29-46_gui.log
2025-01-03 23:15:48.247424595 +0100 /var/log/timeshift/2025-01-03_23-15-01_gui.log
2025-01-04 00:00:02.023999764 +0100 /var/log/timeshift/2025-01-04_00-00-01_backup.log
2025-01-03 23:28:29.512017012 +0100 /var/log/dmesg.1.gz
2025-01-03 23:28:48.804016837 +0100 /var/log/cups/access_log.2.gz
2025-01-03 23:28:27.256017033 +0100 /var/log/cups/error_log.2.gz
2025-01-03 23:22:16.467215700 +0100 /var/log/dmesg.2.gz
2025-01-03 23:12:48.683427377 +0100 /var/log/dmesg.3.gz
2025-01-04 00:00:00.083999782 +0100 /var/log/boot.log.2
2025-01-03 23:13:52.567426387 +0100 /var/lib/sddm/.cache/qtshadercache-x86_64-little_endian-lp64/f52891ec97393376257d3023a0361f1ffb68a9bb
2025-01-03 23:13:52.555426387 +0100 /var/lib/sddm/.cache/mesa_shader_cache/0b/8b4db58b1d301a19855c71500f8273132c3e38
2025-01-03 23:13:52.567426387 +0100 /var/lib/sddm/.cache/mesa_shader_cache/f4/b6c98a47208554e512d7ea074cbec3f95d2043
2025-01-03 23:13:52.567426387 +0100 /var/lib/sddm/.cache/mesa_shader_cache/11/be659aa071dd8cb51f7a91f194ae82a68140b7
2025-01-03 23:13:52.583426387 +0100 /var/lib/sddm/.cache/mesa_shader_cache/9f/019db304d44dbbb0925a34f96455f2fe67fe33
2025-01-04 00:00:00.119999782 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/cache/cups/job.cache.O
2025-01-03 23:13:52.567426387 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/sddm/.cache/qtshadercache-x86_64-little_endian-lp64/f52891ec97393376257d3023a0361f1ffb68a9bb
2025-01-03 23:13:52.583426387 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/sddm/.cache/mesa_shader_cache/9f/019db304d44dbbb0925a34f96455f2fe67fe33
2025-01-03 23:13:52.555426387 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/sddm/.cache/mesa_shader_cache/0b/8b4db58b1d301a19855c71500f8273132c3e38
2025-01-03 23:13:52.567426387 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/sddm/.cache/mesa_shader_cache/11/be659aa071dd8cb51f7a91f194ae82a68140b7
2025-01-03 23:13:52.567426387 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/sddm/.cache/mesa_shader_cache/f4/b6c98a47208554e512d7ea074cbec3f95d2043
2025-01-04 00:00:00.023051000 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/systemd/timers/stamp-logrotate.timer
2025-01-04 00:00:00.171999781 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/lib/logrotate/status
2025-01-03 23:28:29.512017012 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/log/dmesg.0
2025-01-03 23:12:48.683427377 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/log/dmesg.2.gz
2025-01-03 23:28:48.804016837 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/log/cups/access_log.1
2025-01-03 23:28:27.256017033 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/log/cups/error_log.1
2025-01-04 00:00:00.083999782 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/log/boot.log.1
2025-01-03 23:22:16.467215700 +0100 /mnt/openWD500/timeshift/snapshots/2025-01-04_22-00-02/localhost/var/log/dmesg.1.gz
find: ‘/proc/2427/task/2427/fdinfo/6’: No such file or directory
find: ‘/proc/2427/fdinfo/5’: No such file or directory
find: ‘/run/user/1000/doc’: Permission denied
2025-01-03 23:29:36.844016399 +0100 /home/lola/.config/session/dolphin_dolphin_dolphin
2025-01-03 23:28:47.708016847 +0100 /home/lola/.config/kactivitymanagerd-switcher
2025-01-04 00:34:14.051981062 +0100 /home/lola/.config/pulse/ca21aa6c97ec457db0c129148f4967bf-stream-volumes.tdb
2025-01-03 23:42:17.484009466 +0100 /home/lola/.config/libaccounts-glib/accounts.db-wal
2025-01-04 00:34:14.423981059 +0100 /home/lola/.config/plasmanotifyrc
2025-01-03 23:25:00.695213505 +0100 /home/lola/.config/Nextcloud/cookies0.db
2025-01-03 23:14:43.611425596 +0100 /home/lola/.cache/thumbnails/normal/cad4573c5330cb6dc6258ee8339ffeca.png
2025-01-03 23:49:41.448005420 +0100 /home/lola/.cache/icedove/epy09bzu.default-release/cache2/entries/F95ED702891864C03A18CD38DB7B9384FD769141
2025-01-04 00:48:45.667998080 +0100 /home/lola/.cache/keepassxc/keepassxc.ini
2025-01-04 00:45:42.923999746 +0100 /home/lola/.cache/mozilla/abrowser/bfbdcpqe.default-release/cache2/index
2025-01-04 00:45:49.939999682 +0100 /home/lola/.cache/mozilla/abrowser/bfbdcpqe.default-release/cache2/entries/EE0D0FA80927650B677DA26EBDBF883C352728EB
2025-01-04 00:45:56.727999620 +0100 /home/lola/.cache/mozilla/abrowser/bfbdcpqe.default-release/startupCache/scriptCache-child-current.bin
2025-01-04 00:45:56.531999622 +0100 /home/lola/.cache/mozilla/abrowser/bfbdcpqe.default-release/startupCache/urlCache-current.bin
2025-01-04 00:45:56.723999620 +0100 /home/lola/.cache/mozilla/abrowser/bfbdcpqe.default-release/startupCache/scriptCache-current.bin
2025-01-03 23:49:39.772005435 +0100 /home/lola/.icedove/epy09bzu.default-release/extensions.json
2025-01-03 23:50:38.368004901 +0100 /home/lola/.icedove/epy09bzu.default-release/folderCache.json
2025-01-03 23:49:35.140005478 +0100 /home/lola/.icedove/epy09bzu.default-release/sessionCheckpoints.json
2025-01-03 23:52:51.568003687 +0100 /home/lola/.icedove/epy09bzu.default-release/places.sqlite-wal
2025-01-03 23:49:38.492005447 +0100 /home/lola/.icedove/epy09bzu.default-release/abook.sqlite-wal
2025-01-03 23:49:38.496005447 +0100 /home/lola/.icedove/epy09bzu.default-release/history.sqlite-wal
2025-01-03 23:52:51.560003688 +0100 /home/lola/.icedove/epy09bzu.default-release/storage.sqlite
2025-01-03 23:49:38.488005447 +0100 /home/lola/.icedove/epy09bzu.default-release/abook-2.sqlite-wal
2025-01-03 23:49:38.880005444 +0100 /home/lola/.icedove/epy09bzu.default-release/favicons.sqlite-wal
2025-01-03 23:49:38.492005447 +0100 /home/lola/.icedove/epy09bzu.default-release/abook-1.sqlite-wal
2025-01-03 23:54:39.956002700 +0100 /home/lola/.icedove/epy09bzu.default-release/session.json
2025-01-03 23:49:33.828005490 +0100 /home/lola/.icedove/epy09bzu.default-release/.parentlock
2025-01-03 23:49:35.252005477 +0100 /home/lola/.icedove/epy09bzu.default-release/cookies.sqlite-wal
2025-01-03 23:49:41.224005422 +0100 /home/lola/.icedove/epy09bzu.default-release/addonStartup.json.lz4
2025-01-03 23:29:12.112016624 +0100 /home/lola/Nextcloud3/.sync_9cb25bf998d5.db-wal
2025-01-04 00:46:14.955999454 +0100 /home/lola/.mozilla/abrowser/bfbdcpqe.default-release/sessionstore-backups/recovery.baklz4
2025-01-04 00:46:06.487999531 +0100 /home/lola/.mozilla/abrowser/bfbdcpqe.default-release/storage/default/https+++my.ionos.es/.metadata-v2
2025-01-04 00:45:46.051999717 +0100 /home/lola/.mozilla/abrowser/bfbdcpqe.default-release/protections.sqlite
2025-01-04 00:45:46.455999713 +0100 /home/lola/.mozilla/abrowser/bfbdcpqe.default-release/search.json.mozlz4
2025-01-03 23:25:01.091213500 +0100 /home/lola/.local/share/kactivitymanagerd/resources/database
2025-01-03 23:29:36.852016399 +0100 /home/lola/.local/share/dolphin/dolphinstaterc
2025-01-04 00:45:19.759999957 +0100 /home/lola/.local/share/kscreen/83e6c5441d1b490e4d82b730a91acc56
2025-01-04 00:45:19.759999957 +0100 /home/lola/.local/share/kscreen/outputs/f980932aea9a2e73091c649d63db8b74
root@mybelovedtrisquel:~#
It all says nothing to me.
Don't know if anyone could tell me whether there might be anything suspicious on any of those file modifications. Then I could check the file contents.
I see two "No such file or directory" and a "Permission denied" I don't understand.
Don't know how to monitor my computer for suspicious activity (unless I see an intensive use of resources). I guess I could install a Host IDS (Intrusion Detection System). Don't know if there is any Free Software HIDS for gnulinux I could install and if anyone would recommend one. Don't know how helpful they could be for a targeted attack, or how they work. I have never used one.
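One way to thin a listing like the one above down to the entries worth opening, as an added example that is not part of this thread: paths that caches, browser and mail profiles, log rotation and Timeshift rewrite during normal use are dropped as noise, and paths where a persistence mechanism would have to land are tagged CHECK so their contents get read first. The two pattern lists and the sample lines are my assumptions, a starting point to tune per system.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a "find ... -exec stat --format='%y %n'"
# listing: drop NOISE paths, tag INTEREST paths CHECK, everything else OTHER.
# Both lists are assumptions (starting points), and NOISE is applied first.
NOISE='/\.cache/|\.sqlite-wal$|\.db-wal$|^/var/log/|/var/lib/logrotate/|/timeshift/snapshots/|/\.config/session/|/\.config/pulse/|/sddm/\.cache/|/sessionstore-backups/|/startupCache/|^/proc/'
INTEREST='/\.config/autostart/|/\.bashrc$|/\.profile$|/\.bash_profile$|/\.xprofile$|/\.ssh/|/\.config/systemd/user/|^/etc/|/cron|^/tmp/|^/var/tmp/|^/dev/shm/|^/usr/local/bin/|^/opt/|/\.local/bin/'

triage_mtimes() {
    # stdin: lines of "<date> <time> <tz> <path>" as printed by stat --format='%y %n'
    # stdout: "CHECK <path>" or "OTHER <path>"; noise and find's own error lines are dropped
    while IFS= read -r line; do
        case $line in 'find: '*) continue ;; esac   # e.g. /proc entries that vanished mid-run
        path=${line#* * * }                          # strip the three timestamp fields
        if printf '%s\n' "$path" | grep -Eq "$NOISE"; then
            continue
        elif printf '%s\n' "$path" | grep -Eq "$INTEREST"; then
            printf 'CHECK %s\n' "$path"
        else
            printf 'OTHER %s\n' "$path"
        fi
    done
}

# Constructed sample in the same shape as the thread's output: a few benign-looking
# lines plus two that should surface. Not the poster's actual listing.
SAMPLE='2025-01-03 23:15:25.023424954 +0100 /root/.config/falkon/profiles/default/version
2025-01-04 00:45:42.923999746 +0100 /home/lola/.cache/mozilla/abrowser/bfbdcpqe.default-release/cache2/index
2025-01-03 23:52:51.568003687 +0100 /home/lola/.icedove/epy09bzu.default-release/places.sqlite-wal
2025-01-04 00:00:00.171999781 +0100 /var/lib/logrotate/status
find: ‘/proc/2427/fdinfo/5’: No such file or directory
2025-01-03 23:40:00.000000000 +0100 /home/lola/.config/autostart/updater.desktop
2025-01-03 23:41:00.000000000 +0100 /home/lola/.bashrc'

# On the real machine, feed the same find the thread used instead of the sample.
# -xdev keeps it on the root filesystem (no /proc noise, no backup mount), and
# -newerct/%z use ctime, which a file's writer cannot back-date the way it can mtime:
#   find / -xdev -type f -newerct "2025-01-03 23:00" ! -newerct "2025-01-04 01:00" \
#        -exec stat --format='%z %n' {} + | triage_mtimes
printf '%s\n' "$SAMPLE" | triage_mtimes
```

Expected output on the sample: one OTHER line (the falkon version file) and two CHECK lines (the autostart entry and .bashrc); the cache, WAL, logrotate and find error lines are dropped.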
It all seems unlikely to me. This isn't Windows, where random programs can easily wreak havoc. GNU/Linux has robust security: root access, file permissions, and other safeguards all stand in the way. Unless there's concrete evidence of compromise, the system’s defenses likely held strong.
Was Ionos your registrar? I found this, https://postmaster-contact.ionos.com/help/email/validate
I did some searching for 'expired domain scams'
https://www.phishingbox.com/news/post/phishing-alert-the-domain-name-renewal-scam, for example, says, "The goal of this scam is to trick people into involuntarily switching domain registration companies and/or to steal sensitive payment information from consumers." Since you didn't even come close to giving up information, I would believe you're probably safe. I don't imagine you received any malware. Victims have to fill out information to be harmed.
This site gives a lot of details re one such scam.
https://blogs.quickheal.com/phishing-scam-alert-domain-name-expiration-notices-stealing-data-through-phishing-site/
A report to https://reportfraud.ftc.gov/#/assistant?orgcode=SCAMDET might be recommended.
There is clamav to scan for virus signatures. I have used clamtk. Also keeping your hosts file up to date is helpful - https://github.com/StevenBlack/hosts
Cheers Trisquel Belover :)
Yes! Thank you both very much for your quick support. I was panicking :) Your helpful interaction and valuable information made me achieve peace of mind!