This morning I logged onto my desktop. Unusually, I was prompted to enter my password. I did so; upon opening Chrome, the browser said my privacy was not secure. I immediately shut down the machine. I was forced to carry out my lessons in Windows 10.
I just rebooted and found my username has been changed and includes ‘desmond’ at the end of it. I have two-factor verification set up everywhere.
I can access grub and command line, not too keen to log in again.
Unless you initiated something that would require root rights, don’t type in your password for random popups.
If you didn’t rename your user, I would suggest you boot a live ISO, back up your stuff and re-install.
Using live media on your PC might give you more info on what happened. Maybe disconnect that machine from the internet. Chroot into your installed system and check which logs might give you some clues. Using journalctl might also give you some information.
Try to remember which web sites you had visited, what applications you had installed and which sources you got them from. Linux is normally more secure than Windows. Getting root access is needed to change system wide things. 2FA is good, but do you use that also for logging into your Linux sessions?
Thanks for all the good advice; unfortunately it’s the end of the month, so I’m quite busy. Will download the latest ISO shortly and reinstall later.
Question: my desktop contents were stored on a separate drive, so if I reinstall and reconnect to that drive, does it mean the hacker will be able to take control again? If so, is there some software I can install to prevent this? Earlier I was not able to access pamac to check updates or look for extra software.
I would check with Have I Been Pwned whether one of your accounts has been in a data breach.
It also depends what you do with that PC. Was it random, or do you have some important stuff on your PC? I see you’re a teacher of some sort. Maybe exams? Also, true hackers don’t change names so a normal user would see it. Only if you should see it …
Yes, I am a self-employed teacher - I was logged into Opera yesterday - but I think the built-in VPN was disabled at the time - I searched for idioms for a student to prepare for classes. Yesterday I saw a pop-up open in the background to a site I clicked, and closed it and didn’t think much of it - I was searching for an old episode of a comedy for research and was sent to a torrent site the day before but didn’t finish that research. That may have brought up the pop-up, and so that was why I didn’t think more of it. But if anything, that site may have been where my system was compromised - or not. It’s hard to say if the hackers have been spying on me for a while, but only this morning was it apparent that I had been made a user with no admin rights to my system drive. The odd thing I had noticed last night before turning off my machine was that the mouse was misbehaving - moving slowly by itself.
Have checked my accounts on the Pwned website - they had previously been breached in years gone by - but with 2FA in place they are safe. One Hotmail account is constantly attacked, apparently several times yesterday (from all over the world), but again 2FA prevents the hacker from going any further - will no doubt have to use 2FA for my Linux sessions now too.
My desktop contents (and all other data) were stored on a separate drive so if I reinstall and reconnect to those drives does it mean the hacker will be able to take control again?
If so, is there some software I can install to prevent this?
I’m not familiar with what I should be looking for on any drive - what does a typical Linux virus look like?
Thanks - did that - 2FA has been in place for a few years - since they were initially breached - unfortunately the site still reports old breaches, or a culmination of old breaches - the last breach was November last year - which in fact was not true - the data reflected a much older breach from before I had installed 2FA.
But thanks, and it’s a site I do use to check in any case.
Agreed - but sometimes when Manjaro does an update - I see the login screen - though very rarely.
It is set to auto login. I don’t remember doing any updates recently but have noticed that MS Teams changed its interface recently even though I don’t recall updating it.
Have downloaded the latest ISO (signature checked) - but will not run it with the Linux system drive connected - I would like to know if there are tell-tale signs that I can find on my other data drives that might indicate where the ‘virus’ is or what it looks like. I’ve got myself set up for a long night ahead of me as I need to send some things to my clients.
I also am not a fan of Windows but will, if I need to, use the antivirus tool from Eset to scan the drives as a last resort - how will that affect my new Linux system once installed?
Looks like a clean wipe is in order, starting with resetting the router to manufacturer’s settings. My Hotmail account has been unsuccessfully signed into, according to recent activity logs, multiple times a day every day this month and for the last few months; I have no idea why, I’m just a poor teacher trying to survive. Have a feeling the hackers are reading the forums, so I’m afraid to post further updates. Will have to switch to my other Linux machines for a while.
Well I don’t know why you should be a target, but OK. Having 2FA is always good. Maybe add a fingerprint reader or something to your PC if you want to enhance your security. However, if someone gets root access he can change anything on your PC.
It really depends what valid and important data you have on your PC. Most hackers are about to get information about credit cards and online banking. However, those are 2FA these days also.
Also it depends if the attack happened from outside/internet or locally via USB stick or something else. Regarding your external/second drive: sure, some app can be saved there to regain access to your machine. It also depends what files you store there.
Using a live-session from USB stick with Manjaro won’t risk changing data on your drives. You can even install needed additional software into RAM. So if you’re really certain that you’re hacked, you may think of a new hard drive, or at least sweep it securely.
So it really depends what happened to your machine. Having a new user added that you didn’t create is odd and more or less a pointer that something happened to your machine.
Linux in general is secure, but if someone with knowledge gains direct access to your machine, normally you don’t detect the entry in the early days. So if the user is given, more or less the hacker wanted to let you know that something is wrong with your PC.
So try to remember what happened the past days/weeks and what can be the entry point for the attack.
Opera is normally good. Vivaldi might be better as browser, but yes. A browser is more or less a second OS and an Anti Virus for Windows can only detect common Viruses or Trojans for Windows on regular files. For Linux you need some other tools.
Manjaro itself is not designed for Security, more for daily usage with latest upstream software. There are other Linux distributions out there, which have a focus on Security:
So thx again for using Manjaro since 2018. Hope you can check your files and find a solution for your problem.
I don’t want to spook you, but it also can go one level higher …
Thanks Philm for all the great tips you provided. Very helpful for many of us.
It’s really hard to understand what happened without proper deep dive.
The very first thing you’ll need to go through are your logs:
Assuming this is not an overly sophisticated attack, most likely there would be evident entries showing at least a few indicators, e.g.: When was usermod issued? Does sshd show suspicious activity? Any repeated failed sudo? If you have public-facing services, what do they show in their logs?
(Do note that “publicly facing” doesn’t mean “internet facing”: You can have nginx running on your rig, and if you’re connecting to a public wifi (or any wifi in that regard) that doesn’t employ client-isolation, that is effectively “public facing” and can get you hosed. Just go to any highschool with wifi and “introduction lessons to wordpress” and you’ll see what I mean).
I fail to see how having or not having compromised online accounts (gmail/hotmail/etc) would directly and easily translate to a local system compromise.
As for drive-by compromises, while very much a thing, if you have your system always up-to-date, the chances of getting a drive by are pretty low (though certainly not impossible).
Notice that by what you’re describing, you’re stating two things:
- Attacker was able to run code.
- Attacker managed to get root (AFAIK, changing username is done through usermod, which requires root (assuming usermod -l). Any other method I’m aware of that doesn’t go through usermod most certainly requires root).
Most desktop linux I’ve interfaced are pretty secure from the get go (a mix of up-to-date software, sane patch management and very sane defaults).
But, it’s easy to get yourself in a less-secure state, either by not patching/updating or by not understanding default configuration of certain software (e.g docker daemon).
You didn’t mention other activities you may be doing with your rig: e.g. are you developing? Running docker? Checking student code on your machine?
Each of these may get you compromised under some circumstances (and there are certainly many, many other ways).
I would advise the following:
- Image your disk. This is critical, you should never do any digital forensics on a live system, never ever.
- Mount the image in a container/vm (disconnected from any network!) and start working your way through the logs.
- Look in for temp files (/tmp /var/tmp) and in your home dir for scripts.
- Check the obvious: Did you download and run anything? Did you root-pipe something you found on a random site on the internet? etc.
We’ll be happy to hear anything interesting you’ll encounter in the logs.
Moving forward, there are many tools and guides that can assist in hardening your system, e.g. Lynis, which is an awesome tool and can get you into a pretty locked-down state in a guided and manageable way.
Another tool is traitor (though, be very aware what it does before doing anything with it!).
Both are in the AUR.
There are plenty of tools, guides and general knowledge that can assist you in hardening your rig (no tool, btw, will ever replace common sense, so there’s that too).
Once you’re comfortable and understand what needs to be done on a new system, it’s quite easy to automate the process.
Make it a habit to self-audit your system every once in a while.
Another tip, if you’re doing “risky” things on a daily basis:
I’m using containers (lxc) with ability to run X applications. That enables me to ssh into a container, run FF, do whatever I need to do, and blow away the container.
Pro tip 1: You can snapshot the container and revert once you’re done.
Important: Remember that this method only protects your local machine. Without any modification, your local network will be reachable by the container, if this is or isn’t a problem depends on what you’ve set to do.
And last thing:
Physical access to your machine can and will lead to a breach. Not that it’s easy, but it’s certainly easier to compromise a system if you have physical access to it.
You mentioned (IIUC) auto-login; I personally would refrain from using this feature.
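The image-and-inspect workflow from the post above, as an added example that is not code from the thread: a small POSIX shell triage script run against a read-only mounted disk image that pulls out the indicators the post lists (usermod/useradd entries, repeated sudo failures, sshd failures, scripts dropped in /tmp, /var/tmp and home). It assumes the image root is passed as the mount point; the user name, host, IP address and log lines in the built-in sample are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): offline triage of a mounted image of
# the suspect disk. Image the disk first, mount the image read-only
# (assumption: e.g. mount -o ro,noload /dev/loopXp2 /mnt/img), then pass the
# mount point as $1. Auth logs are expected as plain text under var/log; a copied
# systemd journal, if present, is expected under var/log/journal.

# Lines recording account changes, whether logged by the tool itself or via
# the sudo command line that invoked it.
account_changes() {
    cat "$1/var/log/auth.log" "$1/var/log/secure" 2>/dev/null |
        grep -E 'usermod|useradd|userdel|gpasswd|chage|passwd\[' || true
}

# Number of failed sudo authentications (repeated failures suggest guessing).
count_failed_sudo() {
    cat "$1/var/log/auth.log" "$1/var/log/secure" 2>/dev/null |
        grep -c 'sudo:.*authentication failure' || true
}

# Number of failed SSH password attempts.
count_failed_ssh() {
    cat "$1/var/log/auth.log" "$1/var/log/secure" 2>/dev/null |
        grep -c 'sshd\[[0-9]*\]: Failed password' || true
}

# Executable files or *.sh scripts left in temp dirs or home directories.
recent_scripts() {
    find "$1/tmp" "$1/var/tmp" "$1/home" -type f \
        \( -name '*.sh' -o -perm -100 \) 2>/dev/null || true
}

# usermod entries from a copied systemd journal, if journalctl is available.
journal_usermod() {
    if [ -d "$1/var/log/journal" ] && command -v journalctl >/dev/null 2>&1; then
        journalctl -q -D "$1/var/log/journal" _COMM=usermod || true
    fi
}

triage_image() {
    echo "== account changes ==";    account_changes "$1"
    echo "== usermod (journal) ==";  journal_usermod "$1"
    echo "failed sudo: $(count_failed_sudo "$1")"
    echo "failed ssh:  $(count_failed_ssh "$1")"
    echo "== scripts in tmp/home =="; recent_scripts "$1"
}

# Constructed sample image tree (not real data) so the script runs offline.
make_sample_image() {
    root=$(mktemp -d)
    mkdir -p "$root/var/log" "$root/tmp/.cache" "$root/home/alice"
    cat > "$root/var/log/auth.log" <<'EOF'
Oct 10 07:02:11 desk sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Oct 10 07:02:15 desk sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Oct 10 07:02:20 desk sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/usermod -l alicedesmond alice
Oct 10 07:02:20 desk usermod[2210]: change user name 'alice' to 'alicedesmond'
Oct 10 07:03:01 desk sshd[2301]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct 10 07:03:04 desk sshd[2301]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct 10 07:03:09 desk sshd[2301]: Accepted password for alice from 192.0.2.10 port 40130 ssh2
EOF
    printf '#!/bin/sh\necho constructed-sample-script\n' > "$root/tmp/.cache/update.sh"
    chmod 700 "$root/tmp/.cache/update.sh"
    echo "lesson plan" > "$root/home/alice/notes.txt"
    echo "$root"
}

# Run against a real mount point if given, otherwise against the constructed sample.
if [ -n "$1" ]; then
    triage_image "$1"
else
    sample=$(make_sample_image); triage_image "$sample"; rm -rf "$sample"
fi
```

Run it as `sh triage.sh /mnt/img` on the mounted image; without an argument it walks the constructed sample so the output format can be seen first.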
That is certainly spooky and considering what I have been through in the past 24-48 hours, not exactly light reading.
Well here’s an in-depth look at what happened to me - you’ll have to excuse the length. Unfortunately a lot of the info you need is unavailable to me:
I am an English teacher and scour the internet for resources to use while teaching - usually I do this inside a VirtualBox VM - but over the weekend, unfortunately, I did not. My usual torrent application ‘Deluge’ was not working and I used something called qBittorrent, I think, with its default settings in place. I only use the package manager from Manjaro to install apps. The things I download are pictures or videos which I cut, edit and paste into presentations - I delete what I don’t need later. Now I also do this in Windows, as MS Teams in Windows allows me to share audio more easily than its Linux equivalent, so I have a shared download folder on a separate drive.
Both operating systems are on physically separate drives and are never in use at the same time – to be clear, on the top of my desktop case is a drive port – I don’t use dual boot. I usually have Manjaro plugged in as I truly trust this OS compared to any others that I have used throughout my life.
Each OS drive has only got the applications installed that are relevant or needed for that OS. I refer to them as my system drives. So if something goes wrong with a system drive then I’m confident that I have not lost any essential data (most weekends I back up that data to my cloud storage – sometimes I do this straight away – depends on how busy I am).
My Data is located on several hard disks, for example my mail will be on a separate drive to my desktop folder drive, or my download drive, or my teaching resources drive, etc., though I do have some drives partitioned usually for steam games or older backups, and other non-essential items.
Whenever I boot into Windows I don’t allow it access to those other drives, except for the download drive and thus the shared drive that Manjaro accesses too.
I know MS Windows 10 leaves a fingerprint or something on my other drives, as once it had left me in read-only mode when I tried to access them from Manjaro (further reading revealed that was something to do with fastboot – consequently disabled). However, my Windows installation used the default antivirus software and was prevented – by me – from scanning the other drives.
Throughout the pandemic I have been forced to switch back to Windows to use MS Teams to share audio only for classes that needed this; otherwise I was able to use MS Teams in Manjaro for almost 90% of my classes. It’s almost impossible to set up the audio for MS Teams in Manjaro – the sound quality from my end using simultaneous audio is just incoherent for my students to hear – I have read multiple threads on this but not enough information on how to fix this. Have tried and failed – but will continue looking for a solution.
I am usually very careful with passwords and do pay attention each time an update appears. My email passwords are complex and unique – but the one I had decided to use for Manjaro was a simple 4 digit pin I made up just for Manjaro as I often run updates.
As I said before, the night before the incident the last thing I noticed before I went to shut down my machine was that the mouse moved slowly off certain things while I was reading a guide to a game on a website – in this case it was an online Plarium game which had been loaded up as a web app through Chromium (we all need downtime, and so playing games online is just a good way to unwind). I also did a lot of reading from a variety of websites – my Chromium browser is set to load a number of grouped tabs in the background, some personal social media, others for learning whatever aspect of whatever it is I am learning – usually IT stuff – all trusted sites.
Prior to that I believe a video that I had downloaded from a torrent site was the culprit that had left a number of exe files in my download folder on my download drive. But that was on Saturday evening, and later on Saturday evening I had booted into Windows 10 – which may have triggered the virus to spread to other drives. I booted into Manjaro on Sunday to do my end-of-the-month accounts for my clients with the intention of sending out my invoices on Monday. On Sunday afternoon I also checked for updates from Manjaro, as nearly every Monday morning (for as long as I can remember) I have issues logging into MS Teams, usually sound issues where my students can’t hear me or I can’t hear them. So that’s all the activity I can recall – at this very moment I am exhausted, as since Monday I have had very little sleep.
So on Monday morning, being prompted to enter my password seemed unusual as there had been no updates on Sunday. The screen was my default password login screen with my username displayed; it was 7.15am and I had a class at 7.55am. On Sunday I had prepared some scans from a book to use and was just about to send them to my client, and at this point I was logging into my personal account through Chromium, and this is when I noticed that the browser said that my internet connection was not secure – if I had not noticed that I would have logged into my business email. Luckily I noticed and just instantly shut down my computer, removed the Manjaro drive and booted into MS Windows 10, logged in and went straight to MS Teams. While I was logged in I realized my other drives were still plugged into the computer (I should say the side of my case is usually exposed, and so pulling cables in an emergency is doable, but not when I am running an OS).
During breaks I initially reported the issue on the forum and proceeded to download the latest ISO to prep for a fresh install of Manjaro (KDE); I checked the signature using another app I downloaded from the internet (the first I could find) – the signature checked out fine. Later, I turned off my computer and unplugged all the drives, went into my old Manjaro – with no physical internet connection – and could see that I was no longer admin and that I could not run a terminal window or access the file manager. Pretty much nothing I could do – I was reading the forum advice from my phone (thanks by the way – really appreciated).
Had to log back into MS Windows 10 to continue teaching; after that class finished I installed something called Eset antivirus for Windows 10, and after rebooting it couldn’t find anything wrong with my Windows installation. Then I downloaded the Eset sysdisk rescue tool with the intent to boot off it and scan my other drives. I downloaded it but was not able to burn it onto a USB key – this was odd; no matter what spare USB key, Windows would bleep but not show it as attached. There was a setting in Eset for devices that had not been check-marked; when I checked it I was instructed to reboot. So I rebooted Windows 10 only to find that I no longer had access to my keyboard or mouse! I tried various ports but with no luck – read forums too. So at the moment I have no Windows 10 OS disk (well, I haven’t fixed it yet). I will leave that for tomorrow.
Monday evening I eventually booted into the latest ISO for Manjaro (KDE) – mentioned before (signature checked) – remember I did this in a potentially infected Windows10 installation or so I believe.
I managed to download the Eset tool and burn it onto a USB key. At this time there were no drives connected. After that I rebooted into the Eset tool with only the infected Manjaro drive installed. The tool allowed me the opportunity to examine the drive to some degree – I could see that most directories existed but their contents were not visible. I could see the grub and examine its contents, but not knowing what to look for, i.e. changes, it was a hopeless task. It seemed too that most files were encrypted and that the owner was definitely not me. I ran the Eset tool to scan it – not an easy tool at all to use – and it failed to identify anything seriously wrong, except that many files were inaccessible – permission denied or corrupt – it found 4 Windows viruses and deleted them. I then rebooted (without the infected Manjaro disk in place), reconnected my other drives and let the Eset tool scan them in depth – it took over 4.5 hours to do this but found 55 viruses scattered over my disks. I looked at the files and most of them had a number like 3248.exe or something, and they resided in my shared download drive.
I also used the Eset tool to extract some data that I needed and copied it safely to a USB key (after scanning it twice).
While Eset was doing its thing on Monday night I decided that my router (Compal) needed to be reset to its manufacturer’s settings. I connected this physically to another Linux distro – the name of which I can never recall – it seems that the netbook that it runs on can handle it, as it is a really old device – still 64-bit but running a dual-core Atom processor. Connecting to my router was however problematic. Was not able to reset it following the manufacturer’s advice. And even after it was reset it still accepted my old password – which led me to believe the instructions I was given are either incorrect or something else – I knew I was tired and agitated already – so I reset it online and gave it a new password and then had no luck for ages trying to disable its wi-fi connectivity. (Another thing I found too late was that I had left a USB wi-fi – tiny thing – stuck in the back of my desktop, buried under some cables, which would explain why the Eset tool said updates were available and flashed up at some point to connect to the internet – but I ignored that and so I believe I was not connected. The router was not physically connected earlier but may still have had wi-fi access.) Eventually I turned off the router around 3.30am and went to bed.
During the course of the day my phone also updated (Huawei) it usually updates with Android patches every month or every second month – I let it install even though I was hesitant at first as I knew I had a KDE app on my phone that I once played with to communicate with my desktop. Needless to say, I uninstalled the KDE app.
I had used my phone throughout the day – mostly the authenticator app from Microsoft, as I need this to verify myself when logging into Skype or sometimes MS Teams. I logged into my Microsoft account and disconnected/deleted all my virtual machines that I knew or believed might have been accessible from my Manjaro installation – all the essential work was on OneDrive or backed up in my other cloud storage accounts. A lot of my work is also on a physically separate device. With the authenticator app I can review activity related to my Microsoft account, and it seems that the account is constantly being logged into unsuccessfully every few hours from around the world. I don’t think changing my account would make any difference and have accepted that as the norm today: no matter what account you have, hackers will keep trying to get to you – so 2FA (with some other methods) is the best way to protect yourself. Even logging into this forum I use 2FA – now how do I do that with my Linux login – that I want to know!
Tuesday morning I woke up at 7am and started the router – reset it, as this time it wanted the initial PIN password. Again set up some complex passwords (written down in a little black book), not stored anywhere digitally.
Had to use MS Teams through Android for my morning classes. Later managed to install Manjaro KDE again and set up a completely new username and complex password. Managed to get some normal work done. Installed the MS Teams snap – it wasn’t that way before. Have tweaked the interface to my liking, but still have doubts about this set-up – like, is it normal to have ~ after my username? As that’s how it appears in the terminal at the moment. The other drives are not connected at the moment, nor will they be for quite some time. Besides, I need to save up some cash to buy some new drives. Last night I finally got some sleep – but I have a day ahead of me to fix my Windows 10 installation. And I might also shred my current drive and try out another flavour of Manjaro – KDE has been fun and is so pleasant to just look at! I might just stick with it for a while.
I’m not a Windows fan but I need it for 10% of my classes where MSTeams allows me to share audio without issue.
I really wish I could share more here – and I hope others will read this and spot my mistakes – all I can say is don’t download anything you don’t entirely trust unless you are in a virtual environment that has no shared access to your current set-up. Doing so, absentmindedly, might lead you down the same rabbit hole I have only just crawled out of.
I still have questions concerning my current installation – but will scour the internet and forums here to resolve them if I can.
My logs were unfortunately inaccessible. I read through your post yesterday and, believe it or not, I normally am very careful - just this once, for some unknown reason, I slipped up - perhaps it’s age. I was used to using QubesOS for a long time until my hardware was no longer compatible.
I only wish I could have found the tools necessary to dissect the disk further and come back with some more positive or helpful information that would lead to a better understanding of how another user was able to remove my admin rights and eventually take control of my entire computer. The answer may lie in one of my drives - but at this moment - or until I have some time and have restored my energy (as I am utterly physically tired) - I will not reconnect these drives, as my essential data is stored in the cloud. My Windows installation is also playing up - but I have left a more detailed response above (or below) in this forum.
Thank you very much for your advice - One question I have at the moment is whether there should be a ‘~’ character at the end of my current username in my terminal window?
I’m suspicious about the English teacher part
I’m not here for grammar nuances and games on internet forums - if you like making fun - please continue - I am too tired to respond
At least I read your wall of text which I’m sure not many would do.
From my understanding there is not much we can get from all of this. My random guess would be that the vector of attack, if there was one, was maybe your Wi-Fi connection(s): maybe a neighbor connected to your network and from there could get into your computer by guessing or brute-forcing your password, but without a deep dive into your logs we can speculate all we want; we’ll never know what happened to you.
I know it can be very stressful to experience something like this. The data can usually be found in the last backup. But in a case like this you also want to know where and how the break-in happened.
If you cannot clear that up, an uneasy feeling remains (as if your own flat had been broken into) and you may not feel safe.
Against brute force, only a long password (it doesn’t have to be complex, but it must not be from the dictionary) or 2FA helps. 4 characters as a PIN (0-9) are definitely very few (= 10000 attempts with a script). You should only do that if the attacker is locked out after 3 attempts.
Sometimes it is also a good idea to include /var/log in the automatic backup.
Forbidding access to drives is no real obstacle for an attacker with system rights. It is harder for him if the file systems do not match. Windows = NTFS, Linux = ext4 or btrfs, shared partitions = fat32.