Potential malware encounter after accidentally visiting typosquatting page

Yesterday I mistyped a URL in Firefox and ended up redirected to an obviously spam site (unfortunately I don’t have a record of the URL). I killed the tab and thought no more of it. Shortly after, I started getting popups telling me I have ‘Trojan virus activated’ and need to update my anti-virus software. The popups multiply to cover the screen, then fade away. This recurs each time I restart Firefox. I’m running Snort on my server, and last night for the first time it reported ‘WEB-MISC http directory traversal’ and ‘WEB-ATTACKS id command attempt’ to and from my laptop. The snort.org site tells me both those rules have been deleted, with no other explanation.

I have always run Linux and so have no experience at all of dealing with viruses. I guess (and hope!) this is something internal to firefox, javascript based, and will go away if I can fix firefox, but am nervous it may have managed to exfiltrate passwords from firefox or other files from outside .mozilla. For now I have just disconnected the laptop from the internet (very possibly too late) but have no idea where to go from here. It seems odd no-one else is reporting the same problem.


Moderator edit: Topic title edited to reflect what actually happened. There’s no such thing as a “Firefox based virus”

annoying behaviour - but that is probably all
close firefox
move the .mozilla folder as mozilla.bak
start firefox fresh


I also think so. I think the website is designed/built to make you think you have a virus when you don’t, really.

I suggest the same as @linux-aarhus, with 1 addition:

Change your passwords.

Or even better, don’t save 'em with your browser…

1 Like

As suggested, I have a new instance of Firefox running and haven’t seen a recurrence of the problem since. I’ll see what Snort reports tomorrow.

But for me, something running on my computer to make me think I have a virus IS a virus - there is some code I didn’t install running somewhere which was doing this. If it can generate a popup, what else has it done? I don’t know. So I wouldn’t say it is just ‘annoying behaviour’. Especially as there seem to be signs it has tried to communicate with other hosts. I would really prefer to find this code and see what it is; I guess the code is now somewhere in .mozilla.bak, but unsurprisingly there’s nothing obvious.

@Mirdarthos Re passwords: I don’t keep passwords for anything directly financial in Firefox, but virtually every trivial website now needs a login for access, and I do store those. The alternative is going through a password reset/text message each time. Or do you use a big paper file? I don’t have any reason to think that a password manager app is any more secure than the Firefox internal one.

Paper is so last decade! :roll_eyes:


I use KeepassXC. It’s free and open-source, which is cool. There is also a plugin for Firefox (and I imagine Chrome as well) to interface directly with it.

It saves the password in a database file locally, so it’s not somewhere in the “cloud,” meaning you can easily keep it backed up, synchronised and whatever else you do with a normal file. I use Syncthing to keep it in sync with my tablet for use with KeepassDX.


Oh yeah! It’s one of the only .AppImages I use. And I use it only because of portability. The other is Obsidian. For the same reason.

1 Like

I used to use KeepassX years ago, but they changed formats at one point that meant I could no longer read the historic passwords I’d saved in it from my old computers. After that experience I went back to using 19th century paper files for anything important: burglars might steal them but not hackers, and there’s no risk of format obsolescence :slight_smile:

I might try KeepassXC for less important stuff - do you think it is safer than Firefox’s own password manager? I export the Firefox csv password file, then encrypt that for backup or syncing manually with other machines.

I remember that. You could convert the old .kdb file to the new .kdbx format, which is exactly what I did way back when I was still a Windows slave.

Now, it’s KeePassXC, which is a fork of KeepassX, and it opens the .kdbx file flawlessly.


About that, I have no real idea. If it connects and stores your password(s) in the “cloud”, then yes, because it’s only kept locally. Otherwise I don’t know.

Edit #2:

Another reason for me choosing the .AppImage is because it’s self-contained. So even if something happens to my and KeepassXC is removed from the repositories, it’s still working for me. Also on any other Linux distro that I’d care to use.

If the OP uses Firefox Sync and has it configured to sync ‘Login and Passwords’ along with everything else, that’s another potentially exposed vector that Firefox has and KeepassXC does not, being that it’s stored locally.

If Firefox Sync isn’t used at all, then the security of passwords stored in Firefox simply diminishes to how well does one trust Firefox?!

1 Like

maybe this can prevent it next time:

it’s a bit annoying but worth it.


I actually use Firefox to both generate random high-quality passwords and save them. I quite often log in to my Firefox user on other computers, and having access to a password that is “adalnkq2309u2q3¤”#¤RHBGDFG" is pretty nice, but I do realize the extra risk it poses. But I put my trust in Firefox for this.

When it comes to email, github etc I use an authenticator app so even if they found my passwords they also have to break into my phone and break the f2a app. Possible yes, but highly unlikely.
My passwords notes and f2a onetime codes etc. are placed in a vault that is ALWAYS encrypted with a very strong password.

If it is some kind of code introduced to your old Firefox instance, as stated by others above, Firefox runs as your user, no? At least your system should be safe unless you let your user change root stuff without using a password.

You could run a clamdscan on your computer to see if it finds anything.
Use clamav in the manjaro repositories.

If you want to find out the website, do you not have access to your browsing history? Maybe you clear everything out after closing?
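The two loose ends in this thread, finding the site in the browsing history and seeing what the moved-aside profile actually contains, can both be checked offline from the backup. The script below is an added example written for this thread; it is not from the thread, not Mozilla's code, and works directly on the SQLite files in a profile directory (for example `~/.mozilla.bak/firefox/<profile>`). It assumes the current Firefox schemas: `permissions.sqlite` holds a `moz_perms` table whose `desktop-notification` rows with `permission = 1` are sites allowed to show notifications (one common way that recurring “virus detected” popups survive a browser restart), and `places.sqlite` holds `moz_places` plus `moz_historyvisits` with microsecond `visit_date` values. All origins, titles and timestamps in `build_sample_profile` are constructed, not real indicators.

```python
"""Added example (not from the thread, not Mozilla's code): offline triage of a
moved-aside Firefox profile. Schema assumptions: moz_perms(origin, type,
permission, modificationTime in ms) in permissions.sqlite; moz_places(id, url,
title) and moz_historyvisits(place_id, visit_date in microseconds) in places.sqlite.
"""
import os
import sqlite3
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

NOTIFY_TYPE = "desktop-notification"
PERM_ALLOW = 1  # 1 = allow, 2 = deny in moz_perms.permission (assumption)


def _open_ro(db_path):
    # Read-only URI so triage never modifies the evidence copy.
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)


def find_notification_grants(profile_dir):
    """Return [(origin, granted_at)] for every site allowed to push notifications."""
    db = os.path.join(profile_dir, "permissions.sqlite")
    if not os.path.exists(db):
        return []
    con = _open_ro(db)
    try:
        rows = con.execute("SELECT origin, modificationTime FROM moz_perms "
                           "WHERE type = ? AND permission = ?", (NOTIFY_TYPE, PERM_ALLOW)).fetchall()
    finally:
        con.close()
    return [(o, datetime.fromtimestamp(ms / 1000, tz=timezone.utc)) for o, ms in rows]


def visits_between(profile_dir, start, end):
    """Return [(visited_at, url, title)] for history visits inside [start, end], oldest first."""
    db = os.path.join(profile_dir, "places.sqlite")
    if not os.path.exists(db):
        return []
    con = _open_ro(db)
    try:
        rows = con.execute(
            "SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
            "JOIN moz_places p ON p.id = v.place_id "
            "WHERE v.visit_date BETWEEN ? AND ? ORDER BY v.visit_date",
            (int(start.timestamp() * 1_000_000), int(end.timestamp() * 1_000_000))).fetchall()
    finally:
        con.close()
    return [(datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc), u, t) for us, u, t in rows]


def triage(profile_dir, start, end):
    """Correlate notification grants made in the window with the sites visited in it."""
    grants = [(o, t) for o, t in find_notification_grants(profile_dir) if start <= t <= end]
    return {"new_notification_grants": grants, "visits": visits_between(profile_dir, start, end)}


def build_sample_profile(profile_dir):
    """Write a CONSTRUCTED sample profile (fake origins, fake timestamps) for offline runs."""
    now = datetime(2024, 1, 15, 21, 0, tzinfo=timezone.utc)
    ms = lambda d: int(d.timestamp() * 1000)       # permissions use milliseconds
    us = lambda d: int(d.timestamp() * 1_000_000)  # history uses microseconds
    con = sqlite3.connect(os.path.join(profile_dir, "permissions.sqlite"))
    con.execute("CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, type TEXT, "
                "permission INTEGER, expireType INTEGER, expireTime INTEGER, modificationTime INTEGER)")
    con.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, expireTime, modificationTime) "
        "VALUES (?, ?, ?, 0, 0, ?)",
        [("https://forum.example", NOTIFY_TYPE, PERM_ALLOW, ms(now - timedelta(days=30))),  # old grant
         ("https://scareware-typo.example", NOTIFY_TYPE, PERM_ALLOW, ms(now)),              # tonight
         ("https://news.example", NOTIFY_TYPE, 2, ms(now))])                                # denied
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(profile_dir, "places.sqlite"))
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    con.execute("CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER, "
                "place_id INTEGER, visit_date INTEGER, visit_type INTEGER)")
    con.executemany("INSERT INTO moz_places (id, url, title) VALUES (?, ?, ?)",
                    [(1, "https://wikipedai.example/", "Redirecting..."),
                     (2, "https://scareware-typo.example/alert", "Trojan virus activated"),
                     (3, "https://forum.example/", "Forum")])
    con.executemany("INSERT INTO moz_historyvisits (from_visit, place_id, visit_date, visit_type) "
                    "VALUES (?, ?, ?, 1)",
                    [(0, 3, us(now - timedelta(hours=5))),    # outside the window
                     (0, 1, us(now - timedelta(minutes=2))),  # the mistyped URL
                     (1, 2, us(now - timedelta(minutes=1)))])  # where it redirected to
    con.commit()
    con.close()
    return now


def run_sample():
    """Build the constructed profile in a temp dir and triage the hour before its 'now'."""
    with tempfile.TemporaryDirectory() as d:
        now = build_sample_profile(d)
        return triage(d, now - timedelta(hours=1), now)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python triage_profile.py ~/.mozilla.bak/firefox/<profile>
        end = datetime.now(tz=timezone.utc)
        result = triage(sys.argv[1], end - timedelta(days=2), end)
    else:
        result = run_sample()
    for origin, when in result["new_notification_grants"]:
        print(f"notification permission granted {when:%Y-%m-%d %H:%M} UTC  {origin}")
    for when, url, title in result["visits"]:
        print(f"visited {when:%Y-%m-%d %H:%M} UTC  {url}  ({title})")
```

Run it with no arguments to see the constructed case, or with the path of the backed-up profile and it lists, for the last two days, every site that was granted notification permission and every visit, so the typo-squatted URL and the origin behind the popups line up by timestamp. Because the profile was moved aside rather than deleted, this works on the copy without ever starting Firefox against it; revoking the grant (or simply starting with the fresh profile, as already done) is what stops the popups.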

In that case, here’s something that should interest you; Steve Gibson’s Perfect Passwords. You could easily lose yourself for a few hours in his site. :wink: And also Shields Up to test your security.


My passwords typically have this kind of rating:


I use NoScript and uBlock Origin… both protect you from popups, Java and malware.

Also use Firefox Private Sessions and never save passwords/logins in Firefox…

What is not saved… can’t be stolen… only when your PC is infected already.


Have you ever looked into pass?

Can integrate into FF (also qutebrowser, which I use) pretty seamlessly.

Just make sure the plugins run in private sessions, they are set to disabled in that environment as default in firefox.
I don’t really see a reason to use private, all it does is not save the site data when closing, I clear that out when closing firefox anyway.

This is my big hurdle. I clear out all “cookies and site data” when I close firefox. After a while I get lazy and put some websites in the exceptions so the login is automatic (manjaro forum among them).
I KNOW this is a big baddie to do, but I still do it. :frowning:
My laziness is my biggest enemy here.

I use the Bitwarden browser extension, but there are others that are just as good.

The fact that your computer (or router) doesn’t respond to Universal Plug’nPlay requests (probes) is actually a good thing. Gamers often choose their convenience over security, and leave their computer exposed to several potential attack vectors; UPnP being one of them.

My current system usually gets a true stealth result from Gibson’s Shields Up (common ports scan). One thing that amuses me when testing from Manjaro is the final message ‘Congratulations! Windows is unusually secure’ (or, something similar).


Just ONE paper to remind you of one or two gatekeeper passwords is the most I ever needed…

Password managers and authentication do the rest.

For TRIVIAL websites, then just go with a duckduckgo password@duck.com (forwards to your regular email account).

I think some of them are working per default in Private session. But you’re right, there are a few that won’t run in this mode without activation.

Tracking/Privacy but that also can lead to stolen other information…

It always amuses me that this is the most general thing and that they can’t really see that anyone would not be using something different. And, to be totally honest, when a website/place/person doesn’t “support” Linux, or is biased like that, it ruffles my feathers and I think “you obviously have no idea what you’re talking about. I’m not going to listen any further.” (Luckily my hearing problems make that much easier now.)