Yesterday I mistyped a URL in Firefox and ended up redirected to an obviously spam site (unfortunately I don’t have a record of the URL). I killed the tab and thought no more of it. Shortly after, I started getting popups telling me I have ‘Trojan virus activated’ and need to update my anti-virus software. The popups multiply to cover the screen, then fade away. This recurs each time I restart Firefox. I’m running snort on my server, and last night for the first time this reported ‘WEB-MISC http directory traversal’ and ‘WEB-ATTACKS id command attempt’ to 142.250.178.10 and 142.250.179.234 from my laptop. The snort.org site tells me both those rules have been deleted, with no other explanation.
I have always run Linux and so have no experience at all of dealing with viruses. I guess (and hope!) this is something internal to firefox, javascript based, and will go away if I can fix firefox, but am nervous it may have managed to exfiltrate passwords from firefox or other files from outside .mozilla. For now I have just disconnected the laptop from the internet (very possibly too late) but have no idea where to go from here. It seems odd no-one else is reporting the same problem.
Graham
Moderator edit: Topic title edited to reflect what actually happened. There’s no such thing as a “Firefox based virus”
As suggested, I have a new instance of Firefox running and haven’t seen a recurrence of the problem since. I’ll see what snort reports tomorrow
But for me, something running on my computer to make me think I have a virus IS a virus - there is some code I didn’t install running somewhere which was doing this. If it can generate a popup, what else has it done? I don’t know. So I wouldn’t say it is just ‘annoying behaviour’. Especially as there seem to be signs it has tried to communicate with other hosts. I would really prefer to find this code and see what it is; I guess the code is now somewhere in .mozilla.bak, but unsurprisingly there’s nothing obvious.
@Mirdarthos Re passwords: I don’t keep passwords for anything directly financial in Firefox, but virtually every trivial website now needs a login for access, and I do store those. The alternative is going through a password reset/text message each time. Or do you use a big paper file? I don’t have any reason to think that a password manager app is any more secure than the Firefox internal one.
I use KeepassXC. It’s free and open-source, which is cool. There is also a plugin for Firefox (and I imagine Chrome as well) to interface directly with it.
It saves the password in a database file locally, so it’s not somewhere in the “cloud,” meaning you can easily keep it backed up, synchronised and whatever else you do with a normal file. I use Syncthing to keep it in sync with my tablet for use with KeepassDX.
Edit:
Oh yeah! It’s one of the only .AppImages I use. And I use it only because of portability. The other is Obsidian. For the same reason.
I used to use KeepassX years ago, but they changed formats at one point, which meant I could no longer read the historic passwords I’d saved in it from my old computers. After that experience I went back to using 19th century paper files for anything important: burglars might steal them but not hackers, and there’s no risk of format obsolescence.
I might try KeepassXC for less important stuff - do you think it is safer than Firefox’s own password manager? I export the Firefox csv password file, then encrypt that for backup or syncing manually with other machines.
I remember that. You could convert the old .kdb file to the new .kdbx format, which is exactly what I did way back when I was still a Windows slave.
Now it’s KeePassXC, which is a fork of KeepassX, and it opens the .kdbx file flawlessly.
Edit:
About that, I have no real idea. If it connects and stores your password(s) in the “cloud”, then yes, because it’s only kept locally. Otherwise I don’t know.
Edit #2:
Another reason for me choosing the .AppImage is because it’s self-contained. So even if something happens and KeepassXC is removed from the repositories, it’s still working for me. Also on any other Linux distro that I’d care to use.
If the OP uses Firefox Sync and has it configured to sync ‘Logins and Passwords’ along with everything else, that’s another potentially exposed vector that Firefox has, and KeepassXC does not, being that it’s stored locally.
If Firefox Sync isn’t used at all, then the security of passwords stored in Firefox simply diminishes to how well does one trust Firefox?!
I actually use Firefox to both generate random high quality passwords and save them. I quite often log in to my Firefox user on other computers, and having access to a password that is “adalnkq2309u2q3¤”#¤RHBGDFG" is pretty nice, but I do realize the extra risk it poses. But I put my trust in Firefox for this.
When it comes to email, GitHub etc. I use an authenticator app, so even if they found my passwords they also have to break into my phone and break the 2FA app. Possible, yes, but highly unlikely.
My passwords, notes and 2FA one-time codes etc. are placed in a vault that is ALWAYS encrypted with a very strong password.
If it is some kind of code introduced to your old Firefox instance, as stated by others above, Firefox runs as your user, no? At least your system should be safe unless you let your user change root stuff without using a password.
You could run a clamdscan on your computer to see if it finds anything.
Use clamav in the manjaro repositories.
If you want to find out the website, do you not have access to your browsing history? Maybe you clear everything out after closing?
In that case, here’s something that should interest you; Steve Gibson’s Perfect Passwords. You could easily lose yourself for a few hours in his site. And also Shields Up to test your security.
Just make sure the plugins run in private sessions; they are set to disabled in that environment by default in Firefox.
I don’t really see a reason to use private; all it does is not save the site data when closing, and I clear that out when closing Firefox anyway.
This is my big hurdle. I clear out all “cookies and site data” when I close firefox. After a while I get lazy and put some websites in the exceptions so the login is automatic (manjaro forum among them).
I KNOW this is a big baddie to do, but I still do it.
My laziness is my biggest enemy here.
The fact that your computer (or router) doesn’t respond to Universal Plug’n’Play requests (probes) is actually a good thing. Gamers often choose their convenience over security, and leave their computer exposed to several potential attack vectors, UPnP being one of them.
My current system usually gets a true stealth result from Gibson’s Shields Up (common ports scan). One thing that amuses me when testing from Manjaro is the final message ‘Congratulations! Windows is unusually secure’ (or, something similar).
It always amuses me that this is the most general thing and that they can’t really see that anyone would be using something different. And, to be totally honest, when a website/place/person doesn’t “support” Linux, or is biased like that, it ruffles my feathers and I think “you obviously have no idea what you’re talking about. I’m not going to listen any further.” (Luckily my hearing problems make that much easier now.)