Linux virus protection

SteveEnthusiast

Thanks Rob,
I have recently installed Ubuntu 16 and am finding it a brilliant system, so much superior to MS windows. However, the protection from viruses / malware etc. is now uncertain, as Ad-Aware which I have used for years is only operational on windows systems. What is the usual equivalent in Linux?
Since running the system, I have had my web browser Firefox hijacked by some annoying thing called searchisemail. Short of re-installing Ubuntu, is there an effective way of getting rid of this nuisance and ensuring it cannot re-infect? I have no idea how it entered the system, as I have been using only my ordinary email.
Rgds,
SteveEnthusiast
 


Hi Steve, a couple of questions first up -

  1. Which DE (Desktop Environment) of Ubuntu 16.04 are you using? Is it Unity (launcher on left side and Dash at top), MATE, or GNOME?
  2. Since installing, have you enabled your firewall? It is not enabled by default.
If No to the latter, you can go to Terminal (press Ctrl-Alt-t, or start to type Terminal at the Dash). Once in Terminal type in and enter

Code:
sudo ufw enable

It will ask for your password. Enter it (there will be no movement at the insertion point, for security reasons) and press Enter.

You will be rewarded with a message saying that the Uncomplicated Firewall has been activated, and it has generated a small script that will enable it at every reboot or startup.

Let us know your progress and we can proceed from there.

Cheers and

avagudweegend

Wizard
 
I've done some searches for searchisemail, but I can't find any references to anybody on Linux being affected by it. I've only seen accounts of Windows users affected by it.

And from the bit of research I've done, it looks like it only seems to affect browsers and their settings. So perhaps you've visited a malicious web-page or clicked a malicious link and it's set your browser up to redirect you to dodgy websites and search engines.

Bearing that in mind I think the first thing to try is completely removing firefox, all of its settings and any cached data from your home directory, and then re-installing it.
e.g.
Code:
sudo apt remove --purge firefox
rm ~/.mozilla/ ~/.cache/mozilla/ -rf
sudo apt install firefox

From what I've seen that should get rid of searchisemail and firefox should hopefully work normally.

If you manage to successfully restore firefox to a working state - you might want to consider installing a few add-ons like ABP (and/or ublock), privacy badger, https everywhere, noscript etc. Alongside Wiz's suggestion of enabling your firewall - that might help to prevent this from happening again.

However, in the unlikely event that firefox is still infected after all of the above - it almost certainly means that some kind of malware was also dropped elsewhere on your PC - not something I've ever seen or heard of happening on Linux before.

In which case, you might want to consider re-installing Ubuntu, or you could try installing and running clamav and chkrootkit to see if they find anything.
 
Thanks for all that good feedback. Sorry I have not responded before this - I have been busy with stuff other than Internet. I shall try the suggestions.
Thanks,
SteveEnthusiast
 
Hi Wizard,
Version of Ubuntu is 16.04 LTS (as listed in System Settings - Details). Icons to access programs are located on the LHS, and presumably "Dash" is at the top (File, Edit, View, History, Bookmarks, Tools, Help) on the LHS and (Wifi, bluetooth, battery, volume, time/calendar and shutdown etc.) on the RHS. I have enabled the firewall as suggested - fine.
The hijacking thing is still present, so I will attempt purging Firefox and re-installing as suggested.
Thanks,
Steve Enthusiast
 
Thanks KinJasasis.
I have re-installed Firefox using the code above. However, I entered the code line by line - not sure if that was the intention or to copy it in one block. The 2nd code line
rm ~/.mozilla/ ~/.cache/mozilla/ -rf
produced a warning message about the dangers of recursive commands. I did not understand what that was about, so removed it and succeeded in reinstalling firefox using the 3rd line of code. That is fully successful, the hijacking thing having gone and all the bookmarks are back again. So a good solution. Thank you.
SteveEnthusiast
 
Excellent. I'm glad that worked for you Steve!

I'm also glad the infection only affected the browser and not the rest of your system!

As for the warning about the recursive command, it was because I used the rm command with the -rf switches, which can be extremely dangerous and should always be used with EXTREME CARE. If used improperly, using rm with -rf can hose your entire system.

I assure you that the line I posted containing the 'rm' command WAS completely safe. It would only have removed two hidden directories containing cached data from Firefox that were stored in your home folder. Removing those caches would ensure that all of the various settings and data cached by the malware were removed. It would also have got rid of all other data and settings that Firefox had cached. So all of your bookmarks and extensions would also be gone!

When recommending the use of the 'rm' command in forum posts (and when using it in the terminal on my own machine) - I always list paths to the files to delete immediately after the 'rm' command. Then I visually verify that the paths to all files are 100% correct before adding the '-rf' switches at the end of the line and pressing Enter, or posting!

If you copy/pasted that command it was definitely completely safe. I would NEVER intentionally post a command that would cause damage to another person's system and always go to great pains to ensure that there are no mistakes in any posted code.

However, your caution was well advised. You should ALWAYS be careful when copying/pasting code/commands from the internet. Especially if they contain the 'rm' command - and even more so if they have the '-rf' switches specified. Some people out there are not as conscientious and will post malicious commands that WILL hose your machine!

But once again - I assure you that the rm command I posted was completely safe:
Code:
rm ~/.mozilla/ ~/.cache/mozilla/ -rf

However, if I had accidentally (or maliciously) inserted a space between '~/' and one of the directory names, the command would do something completely different:
e.g. DO NOT RUN THIS - THIS IS A BAD USE OF rm:
Code:
rm ~/.mozilla ~/ .cache/mozilla -rf
Because of the space between '~/' and '.cache/mozilla' - the above would cause rm to recursively remove the hidden ~/.mozilla directory, then your entire home dir (~/) and then the .cache/mozilla dir - which wouldn't exist any more at that point because it would have already been removed when your home dir was recursively removed. o_O :: Eeek! :: :/

As seen above - a simple typo can have disastrous consequences when using 'rm' with '-rf' and is the reason that I am so careful when using or recommending it!

It's also the kind of "mistake" that is deliberately hidden in code posted by malicious posters/trolls on some forums and is definitely something to look out for when copy/pasting terminal commands from the internet.

If I'm ever unsure of commands copied from the internet - I will post them into a plain text file (so they cannot be executed) and will visually check through them for any accidental/deliberate mistakes. And if I'm ever unsure - I simply won't run them!

Finally - the following recursive rm command is basically suicide: NEVER RUN THIS - This is like armageddon for your Linux PC!!!!
Code:
sudo rm -rf --no-preserve-root /

That would recursively delete every single thing on the file-system, including on the file-systems of all mounted devices. Also, if you have a system which uses UEFI instead of BIOS - it is also possible that it will delete data on the EPROM containing the UEFI settings and completely brick your motherboard/PC - because this is typically mounted too.

Perhaps I should have mentioned some of this in my original post! :/

Either way - I'm glad your problem is sorted!
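The pre-flight habit described in the post above (paste the command into a plain text file and check every path before running it), as an added example that is not from the thread: a small POSIX sh function, `rm_preflight` (a hypothetical name), is given the arguments that would follow `rm` and refuses the line when any of them resolves to `/`, the home directory, `.` or `..`, or carries `--no-preserve-root`. It expands a literal `~/` the way the shell would, so it works on a line copied into a text file as well as on already-expanded arguments.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check for a pasted "rm" line.
# Inspects the arguments that would follow "rm" and refuses any that name a
# protected location (filesystem root, the home directory, "." or "..") or the
# --no-preserve-root switch. Returns 0 when every target looks like an ordinary
# path and 1 otherwise. The function name is an assumption for this example.
rm_preflight() {
    status=0
    opts_done=0
    for arg in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case "$arg" in
                --) opts_done=1; continue ;;
                --no-preserve-root)
                    echo "BLOCK: $arg removes rm's last safety net" >&2
                    status=1
                    continue ;;
                -*) continue ;;   # -r, -f, -rf and friends are fine by themselves
            esac
        fi
        # Expand a literal "~/" the way the shell would. A real paste into a
        # terminal has already had this done; a copy in a text file has not.
        case "$arg" in
            "~")   target="$HOME" ;;
            "~/"*) target="$HOME/${arg#??}" ;;   # strip the two chars "~/"
            *)     target="$arg" ;;
        esac
        # Drop trailing slashes so "~/" and "$HOME/" compare equal to "$HOME".
        while [ "$target" != "/" ] && [ "${target%/}" != "$target" ]; do
            target="${target%/}"
        done
        case "$target" in
            ""|/|"$HOME"|.|..)
                echo "BLOCK: '$arg' resolves to protected location '$target'" >&2
                status=1 ;;
            *)
                echo "ok:    $arg" ;;
        esac
    done
    return "$status"
}
```

Run on the two lines from the post, the safe one passes and the one with the stray space after `~/` is blocked on its second argument; the `--no-preserve-root /` line is blocked twice.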
 
Glad you got squared away Steve! Told you these guys would get you back in shape! :)

Rob
 
