There are commands that I have not entered in .zhistory

I installed Manjaro GNOME on my laptop a few months ago; it worked fine until today, when I booted it and NetworkManager wasn’t running. I opened the terminal and there was a message about creating a .zshrc file with 3 options: q, 0 and 1. I chose 0 to create a blank .zshrc. I checked: there was no bash history file and no .zshrc. I entered the command
systemctl status NetworkManager
and it returned an error: NetworkManager.service not found. I checked .zhistory and noticed the following commands that I had not entered:
sudo bash
pacman -U firefox
sudo pacman -U firefox
sudo pacman -U
-h
clr
sudo pacman -U firefox-78.8.0esr.tar.bz2
sudo pacman -U /root/Downloads/firefox.tar.gz
sudo pacman -U /root/Downloads/firefox-78.8.0esr.tar.bz2
sudo pacman -U firefox-78.8.0esr.tar.bz2
sudo apt update
sudo update
sudo -h
sudo pacman -Syyn
sudo pacman -Syyu
sudo pacman -R networkmanager
sudo pacman -Ss networkmanager
ipconfig
clr
clear
sudo ipconfig
-h
sudo -h
sudo pacman -h
-D
pacman -h --remove
sudo pacman -R barrier
clear
history -c
history -C
history -h
sudo -h
rm ~/.zshrc
history -p

LET ME REPEAT I DIDN’T RUN ANY OF THE ABOVE COMMANDS BUT THEY WERE IN .zhistory

Now, since the bash history file was removed, there might be a lot more commands run that I didn’t know about. The .zhistory and .bash_history files in the /root/ folder are empty. The .zshrc in /root/ is also intact.

While my brother was using it a few minutes ago to view some of the files he had stored offline, the terminal flashed very quickly, the only word he could read was firefox.

What should I do now? I could just reinstall Manjaro, but I’m afraid it will infect my other laptop too through the Live USB. I know a Live USB doesn’t store any data, but I don’t know enough about it to be sure. Also, how did the virus get into my laptop? My brother installed “Barrier” using pamac yesterday; could this be connected? And is it possible for me to read what other commands were executed?

I tried to search YouTube for what to do when your Linux system is infected but couldn’t find anything. Most of the videos were too focused on “how to hack” instead of “what to do when hacked”. Is there any good resource where I can find help?

I’m just passing by … Your Manjaro installation is not infected with any virus. GNOME defaulted to zsh a long time ago, hence there is no bash_history unless you switch to it (to bash) and create those files yourself.

But also someone removed it

Also the networkmanager was removed

That was the issue for not having it running anymore. Also, since someone ran

it is clear that your user no longer had a working zsh … Nobody from outside your house hacked into your system.
Restore the files for zsh from /etc/skel as your user:
cp /etc/skel/* ~/

Provisionally start dhcpcd and try to connect to the internet through your LAN cable, then reinstall networkmanager:
systemctl start dhcpcd
Wait for a moment after connecting the cable then run:
sudo pacman -Syyu networkmanager

2 Likes

hey, I know GNOME uses zsh. The thing is, all of the commands I mentioned above were not written by me or my brother, and one of those commands was sudo bash. Also, he installed Barrier using pamac, the package manager, not the command line, so why does the .zhistory file have the command to remove it? And just now Settings wasn’t closing, and then I opened the terminal, the screen was locked, I entered the password and unlocked it again, and then as soon as I pressed any key, it locked again. This happened about 5-6 times. I am sure there is something wrong with my computer. Commands aren’t supposed to run by themselves. And then there’s the sudo apt update. My brother doesn’t know anything about the command line and doesn’t use it. I know apt manages packages in Debian based OSs and pacman is for Arch based. I didn’t enter it, my brother didn’t enter it, so I think most possibly a payload was executed.

Looks to me like someone tried and failed to install firefox-esr, removed networkmanager and barrier and cleaned up after themselves.

Maybe someone got SSH access to your box?
They at least knew they were on an Arch based system, since the first package manager command they used was pacman. No idea why they tried apt update. :wink:

In doubt, change your users + root passwords.

2 Likes

yeah, maybe they wrote apt update because they were in the habit of using it. Also, is using a live USB to reinstall Manjaro safe? I checked the pacman logs. sudo bash and pacman -U firefox were executed on the 6th and the rest were on the 8th. pacman.log also showed a pacman -U networkmanager after pacman -R networkmanager. And when the screen lock was behaving strangely today, I was offline. So maybe they installed something other than firefox too. So I’m just going to reinstall Manjaro; is it safe to use a live USB? If not, then should I use DBAN? Also, thanks @bogdancovaciu, I got my zshrc back; @Strit, your idea about SSH gave me the idea to check the logs.
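The pacman.log check mentioned above, as an added example that is not part of the thread: a small POSIX shell helper that lists every pacman command run and every package installed, removed or upgraded from a given date onward, so the "what else was changed" question can be answered from /var/log/pacman.log. It assumes the ISO timestamp line format of recent pacman releases; the log below is constructed, with made-up timestamps and versions, from the events the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pacman.log lines look like:
#   [2021-03-08T10:12:05+0530] [PACMAN] Running 'pacman -R networkmanager'
#   [2021-03-08T10:12:06+0530] [ALPM] removed networkmanager (1.30.0-1)

# pacman_ops LOGFILE SINCE: print "DATE CMD <command>" for every pacman
# invocation and "DATE INSTALLED|REMOVED|UPGRADED <pkg>" for every package
# change on or after SINCE (YYYY-MM-DD). Lines in another format are skipped.
pacman_ops() {
    awk -v since="$2" '
        /^\[[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ {
            day = substr($1, 2, 10)            # YYYY-MM-DD part of the timestamp
            if (day < since) next              # ISO dates compare correctly as strings
            if ($2 == "[PACMAN]" && $3 == "Running")
                print day, "CMD", substr($0, index($0, "Running") + 8)
            else if ($2 == "[ALPM]" && ($3 == "installed" || $3 == "removed" || $3 == "upgraded"))
                print day, toupper($3), $4
        }' "$1"
}

# removed_pkgs LOGFILE SINCE: just the package names removed since SINCE,
# i.e. the list you would hand back to pacman -S to restore them.
removed_pkgs() {
    pacman_ops "$1" "$2" | awk '$2 == "REMOVED" { print $3 }'
}

# Constructed sample log (dates follow the thread: the 6th and the 8th).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[2021-03-06T19:02:41+0530] [PACMAN] Running 'pacman -U firefox'
[2021-03-08T10:11:02+0530] [PACMAN] Running 'pacman -Syyu'
[2021-03-08T10:11:40+0530] [ALPM] upgraded linux (5.10.18-1 -> 5.10.19-1)
[2021-03-08T10:12:05+0530] [PACMAN] Running 'pacman -R networkmanager'
[2021-03-08T10:12:06+0530] [ALPM] removed networkmanager (1.30.0-1)
[2021-03-08T10:12:30+0530] [PACMAN] Running 'pacman -U networkmanager'
[2021-03-08T10:13:30+0530] [PACMAN] Running 'pacman -R barrier'
[2021-03-08T10:13:31+0530] [ALPM] removed barrier (2.3.3-1)
EOF

# On a real system: pacman_ops /var/log/pacman.log 2021-03-06
pacman_ops "$SAMPLE_LOG" 2021-03-06
echo "--- packages to reinstall:"
removed_pkgs "$SAMPLE_LOG" 2021-03-06
```

A failed install (the `pacman -U networkmanager` line) shows up as a CMD entry with no following ALPM line, which is exactly the gap between "what was typed" and "what actually changed" that .zhistory alone cannot show.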

Thanks. Although, now I’m thinking of reinstalling Manjaro…

  1. To install anything it is required to know the password of the user.
  2. If you have installed your system without password - bad habit.
  3. To let 3rd party install anything it requires remote access - check your router config - reset if necessary.
  4. While it is possible to gain unauthorized access to a system - it usually requires physical access - check your locks.
  5. With physical access it is possible to boot a system using USB - then chroot into the existing system - and it is possible to fiddle with the system - check who has physical access to your system - and has enough computer knowledge to deliberately boot your hardware from USB and knowledge of Linux systems to be able chroot into the system.
4 Likes

Interesting. Using no password sudo, eh?

Sorry, I don’t believe this-the ones who profess this are the ones that sit at a terminal, and type out what they concurrently read on their tablet/phone in their lap…making them even more dangerous than usual. This, coupled with the apparent no password sudo/running as straight root, my gut tells me that this is a case where the perfect storm (or comedy) of errors/mistakes in your use/configuration has bitten you.

2 Likes

Bruh. The password for sudo is the same as the one used for login (but mind you, it’s a strong one); is that a bad practice/error? Also, my brother is not some stupid 10 year old; I can bet you anything that he didn’t enter those commands. And I hate that I have to say this again and again, but I (AND MY BROTHER) DIDN’T WRITE THOSE COMMANDS! Is that too hard for you to understand? Are you too high on your own hubris to even conceive the possibility that others know what they are talking about?
I have 3 questions

  1. About Live USBs: is it possible that any virus or malware can get transferred from one computer to another if I plug a live USB into both of them? Because I’ve got some important data on my college computer.
  2. Do you know of any good resource where I can learn more about “what to do when you get malware on your computer”? (In general also; this must be called something, is it a subset of cybersecurity? I tried to google it but couldn’t find anything useful.)
  3. Given that me and my brother didn’t write those commands and it wasn’t physically accessed by anyone else, can you give any possible explanation of how this happened?

if you can help me, I’ll thank you and if you can’t please don’t ask me to repeat myself again!

  1. I have not installed my system without a password, but I set the sudo password to be the same as the login password; is that a bad practice too?
  2. I’ll check my router for remote access config tho
  3. I’m sure no one else physically accessed my computer

What practice is bad practice is based on what result you expect.

So in terms of computer security what is your expectation?

If you required high security - this implies good habits - especially when you interact with other networks.

You interact with other networks when you connect to the internet - and if you require high security you should imply high standards for the networks you visit using your browser.

If you manage to get a Linux system infected with malware then you have been following very bad practices, and if commands have been executed without your immediate knowledge then you have been careless somehow.

If you take a look at /etc/skel/ - including hidden files - you will find no .zhistory file, and therefore the history file in your home is created by you when executing commands in a shell, or by a user knowing your login credentials.

Whether you like it or not - there is no other answer.

No need to continue this topic - further discussion will present no answers.