Ex has accessed my computer, changed passwords including to my laptop

Status
Not open for further replies.
Goodness gracious, and ditto from me.

Keep your eyes open for a Conversation from me. I'll pen it up and post it once I go for (drum roll) ... more coffee ;)

Chris Turner
wizardfromoz
 


I didn't note where you said what OS/release you're using. As I use Ubuntu, an enquiry will show what package version(s) exist for `clamav` for different releases:

Code:
guiverc@d7050-next:~/uwn/issues/777$   rmadison clamav
 clamav | 0.98.1+dfsg-4ubuntu1          | trusty           | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 clamav | 0.99+dfsg-1ubuntu1            | xenial           | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 clamav | 0.99.4+addedllvm-0ubuntu1     | bionic           | source, amd64, arm64, armhf, i386, ppc64el, s390x
 clamav | 0.100.3+dfsg-0ubuntu0.14.04.1 | trusty-security  | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 clamav | 0.100.3+dfsg-0ubuntu0.14.04.1 | trusty-updates   | source, amd64, arm64, armhf, i386, powerpc, ppc64el
 clamav | 0.102.2+dfsg-2ubuntu1         | focal            | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.2+dfsg-0ubuntu0.16.04.1 | xenial-security  | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 clamav | 0.103.2+dfsg-0ubuntu0.16.04.1 | xenial-updates   | source, amd64, arm64, armhf, i386, powerpc, ppc64el, s390x
 clamav | 0.103.5+dfsg-1                | jammy            | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.6+dfsg-1ubuntu1         | kinetic          | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.18.04.1 | bionic-security  | source, amd64, arm64, armhf, i386, ppc64el, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.18.04.1 | bionic-updates   | source, amd64, arm64, armhf, i386, ppc64el, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.20.04.1 | focal-security   | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.20.04.1 | focal-updates    | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.22.04.1 | jammy-security   | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.22.04.1 | jammy-updates    | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.22.10.1 | kinetic-security | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu0.22.10.1 | kinetic-updates  | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 clamav | 0.103.8+dfsg-0ubuntu1         | lunar            | source, amd64, arm64, armhf, ppc64el, riscv64, s390x

(If I wasn't sure of the package name, I'd use `apt-cache` & other commands to find it. If, however, I was using an openSUSE, Fedora etc. box, the commands would differ.)

If it was me, and I was exploring a machine that I no longer trusted, I'd not install it on the local machine anyway; but instead boot a live system and run it from there, using the local drive of the installed system as a data drive only.

I'd not expect clamav to find much; whilst yes, it'll detect 90%+ of the many types of malware a system can be infected with, making it one of the best, I'd expect someone with local access to do other things than just install malware.

I'd likely expect to find more via `apt` logs (or the equivalent for your unstated OS), but I'd also check the file metadata of those logs to see if I detected someone who tried to cover their tracks by removing their installed packages from those logs. Again I'd use live systems to do the explore; i.e. you're using your hardware but a system that should not have been compromised. I'd also check for any added `alias`, changes to your $PATH value, changes in those directories etc... How far I looked would depend on how 'tech savvy' the 'perpetrator' is.

My 2c.
 
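As an added example (not the poster's own commands), a bash triage script that performs the checks described above against constructed sample files: the apt install history, whether the log's metadata suggests it was edited after the last apt run, and aliases or PATH changes in a shell rc file. The file contents and the mounted-root paths in the comments are assumptions.

```shell
# Offline demo: the apt history log and shell rc file are CONSTRUCTED samples
# written to a temp dir. On a real machine, run this from a live system and
# point the paths at the mounted install, e.g. /mnt/root/var/log/apt/history.log
# and /mnt/root/home/<user>/.bashrc (hypothetical paths).
set -u
WORK=$(mktemp -d)
HISTORY="$WORK/history.log"
RC="$WORK/bashrc"
cat >"$HISTORY" <<'EOF'
Start-Date: 2023-05-01  09:12:03
Commandline: apt install vlc
Install: vlc:amd64 (3.0.16-1build7)
End-Date: 2023-05-01  09:12:40

Start-Date: 2023-05-03  23:58:11
Commandline: apt install openssh-server
Install: openssh-server:amd64 (1:8.9p1-3ubuntu0.1)
End-Date: 2023-05-03  23:58:30
EOF
# A log that apt alone has written has an mtime matching its last End-Date.
touch -d '2023-05-03 23:58:30' "$HISTORY"
cat >"$RC" <<'EOF'
alias ls='ls --color=auto'
export PATH="$HOME/.local/bin:$PATH"
alias sudo='/tmp/.cache/sudo'
PATH=/tmp/.x:$PATH
EOF
# Every package apt recorded as installed, prefixed with the date of the run.
installed_packages() {
  awk '/^Start-Date:/ {d=$2}
       /^Install:/ {sub(/^Install: /, ""); n=split($0, a, ", ")
                    for (i=1;i<=n;i++) {split(a[i], p, " "); print d, p[1]}}' "$1"
}
# If the log was written to well after its last End-Date, something other than
# apt touched it: a hint that entries may have been trimmed to cover tracks.
log_modified_after_last_run() {
  last=$(awk '/^End-Date:/ {print $2 " " $3}' "$1" | tail -n1)
  [ "$(stat -c %Y "$1")" -gt $(( $(date -d "$last" +%s) + 300 )) ] && echo yes || echo no
}
# Aliases and PATH edits that point into world-writable dirs deserve a look.
suspicious_rc_lines() {
  grep -nE '^(alias|export PATH|PATH)' "$1" | grep -E '/tmp|/dev/shm|/var/tmp' || true
}
installed_packages "$HISTORY"
echo "history.log edited after last apt run: $(log_modified_after_last_run "$HISTORY")"
suspicious_rc_lines "$RC"
```

Compare the install list against packages you remember adding yourself; the mtime check only flags edits made outside apt, so an attacker who re-ran apt afterwards would not trip it.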
Another thought...

As stated, I don't recall what OS/release you're using, so I'll talk about Ubuntu products which I know best.

You realize you can re-install Ubuntu Desktop systems non-destructively.

(I'd not use the lunar desktop alternate ISO currently though; I had 2x failures with that yesterday with this type of install, so assume I'm talking about released products! I've had two successful installs of this type with the primary desktop ISO (new desktop installer) with lunar in the last few days though.)

This will cause your base system to be re-installed from the ISO you download, and your manually installed packages to be re-downloaded & installed. As system directories are wiped during this install, all globally made configurations are lost, which will include any infections/malicious changes done to your system; however, if the changes were made to your directory only, those will survive, so you'll still have to hunt for those.

Before doing this, I'd evaluate your sources & remove any that you can't recall adding yourself (check the file metadata before saving/implementing changes for clues).

I have systems here I don't actually perform upgrades on (LTS systems where daily images are still created) & just perform these non-destructive re-installs periodically, as my install accomplishes two tasks: my packages are upgraded via re-install (using the daily) AND I confirm the ISO installer is still working (i.e. a Quality Assurance or QA test). On reboot I start my non-standard music player & continue my playlist as I confirm the install went perfectly; i.e. the music makes me happy but also quickly confirms my chosen non-default player got re-installed & data files still exist, given the local playlist was found & music played (my terminal checks will confirm the player actually got re-installed & that no install was skipped, so I wasn't using untouched software).

In your case, any changes made to binary packages will be overwritten by new images from the ISO, or, if they were manually installed (i.e. added post-install by you, like my example music player), they'll be downloaded & re-installed AFTER the system directories are wiped (prior to install).

Maybe worth considering.

(ps: my value of input will still remain 2c worth only!)
 
If you do not have anything of much importance on your machine, you could just reformat the drive and reload the Operating System. You won't have to figure out what the Ex did or did not do that way; it will be clean.
 
I like Lord Boltar's approach.

Quick, simple and to the point.

Our Download page is here

Linux Mint remains the most popular, with a huge amount of support.
 
Valued Helpers - just dial back a little on the suggestions for now - I've had a conversation with the OP we'll see where it leads to.

That being said, I commend the suggestions offered by Lord Boltar and Chris Guiver most recently, as well as the other input.

It is always uplifting to see the help that rallies around here when someone is in trouble, you are good people.

Cheers

Chris
 
It's worth noting that the OP has already mentioned that she does have significant material on her computer she is concerned to save, and also that post #4 through to post #10 were about re-installing to resolve the issues. Some later posts appeared to miss the context. I hope you can help her to her satisfaction and provide some guidance to protect her IT in the future.
 
Do we have a full and clear understanding of the issues and causes here? I do not.

Without knowing more about what is going on, I would not assume that installing ClamAV is the solution that will find and fix your problems. Provided that it is installed from a trusted source, ClamAV is not likely to cause harm, but it may not find or fix what you are looking for, either.

How to react depends on what is going on, and I am not sure we know enough about the situation to be advising @Coreopsis well. Rather than focus on the solution (ClamAV), we need a better, more complete understanding of the problem first.
  • Who has physical access to the computer?
    • Do you trust them all?
  • Does anyone have remote access or remote control of the computer?
    • Do you suspect that your Ex has remote control of it?
  • Who has access to @Coreopsis' external accounts?
    • That includes email, banking accounts and/or payment cards, healthcare, medical insurance, retail (grocery, Amazon, etc.), messaging, social media, utilities, vehicle registrations and insurance, cell phone accounts, etc.?
If the Ex or someone acting on their behalf has access to the computer, either physically or by installing a hidden remote administration tool (RAT) that lets them see what you type on your keyboard or record your activities, then you do not have privacy and control of your system or your accounts and data.

Before we start jumping to conclusions and solutions, we should have a good assessment of the situation first. If the landlord is your Ex and he is giving a neighbor the key to your apartment to act as an agent on his behalf, then it may be criminal behavior that should be reported to the police. I would also consider changing the lock on my apartment door immediately. Repeating: I do not have a clear picture of what is going on, so I am reluctant to give advice. Your physical safety and security come first.
 
Locking this thread for now - the OP has my contact if she needs it reopened.

Cheers

Wizard
 