Potentially Infected (java driveby) - GNU/Linux

Users browsing this thread: 5 Guest(s)
gurhush
Long time nixers
So, I'm potentially infected by a java driveby. I accessed a webpage in iceweasel containing the malicious code without running noscript. To the best of my knowledge, if the skid who owned the website configured it to target GNU/Linux, it could very effectively, but he only had it configured to target Windows.

How can I check to make sure I am secure and not infected? I purged sun-java6-jre and installed NoScript in case I was lucky, but how can I be sure? What areas of my system should I be concerned about? For what it's worth, I was running ghostery and betterprivacy when page in question was accessed.
gurhush
Long time nixers
No.

I don't think it needs to be run as root to compromise your system. It has to do with vulnerable versions of java.
FreeBSD
Long time nixers
Yes but if it wasn't run as root then whatever was in the drive by (rat/keylogger etc) will not have permissions to do anything fatal
I do Byte
gurhush
Long time nixers
I'm pretty sure the security hole in older versions of java (Debian ftw!) allows the malicious code to circumvent that.

Basically, I just want a list of everything I'd need to monitor to see if a careless skid was up to something and perhaps the names of some packages which do that. That's it. I want to check for myself.
D9u
Long time nixers
I agree with NeoTerra. Nuke and pave.
BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC.
Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.
Robby
Long time nixers
I once tried to access the popular matrix private runescape server when I used debian, it erased my home directory. This was via the web browser and on windows it ran perfectly. I have no idea why this happened but it was the official server and not some java drive by, I should really report it but I can't be bothered.
simon
Long time nixers
check ss and netstat.
I dont know much about virusish
jolia
Long time nixers
Yup Simon!

Or as Neo told you, reinstall.

It's always the best choice :)
Red
Long time nixers
Install firestarter and have a look at the events and use the terminal to find out what application is causing it and if there is one you never authorize. Then you know.
Javadriveby does not need root privileges to harm your system. If java is old then well it will run. Normally you know by how much resources your browser is using. If the windows starts dimming down and web pages slow down then chances are its done something to you. Wireshark is ideal for spotting exactly what is going in and out of your computer so maybe look in to that if it happens again.
CrossFold
Long time nixers
htop to see if there are any weird processes.Also do netstat when all the connections you initiated are closed so you know what exactly is going in and out. ss also is a great utility. what more, get a firewall up and running. I would prefer a gui if it was for me since its annoying to handle the cli at such times. but up to you. And keep a track of what services are added to the startup. Just a few common steps towards confirmation
gurhush
Long time nixers
(14-12-2012, 03:11 PM)NeoTerra Wrote: I would just nuke and pave, no point in getting all worried/paranoid.

This is a really old post; Red went gravedigging.