Potentially Infected (java driveby) - Printable Version

Potentially Infected (java driveby) - gurhush - 08-09-2012

So, I'm potentially infected by a java driveby. I accessed a webpage in iceweasel containing the malicious code without running noscript. To the best of my knowledge, if the skid who owned the website configured it to target GNU/Linux, it could very effectively, but he only had it configured to target Windows.

How can I check to make sure I am secure and not infected? I purged sun-java6-jre and installed NoScript in case I was lucky, but how can I be sure? What areas of my system should I be concerned about? For what it's worth, I was running ghostery and betterprivacy when the page in question was accessed.

RE: Potentially Infected (java driveby) - gurhush - 08-09-2012


I don't think it needs to be run as root to compromise your system. It has to do with vulnerable versions of java.

RE: Potentially Infected (java driveby) - FreeBSD - 08-09-2012

Yes, but if it wasn't run as root then whatever was in the drive-by (RAT/keylogger etc.) will not have permissions to do anything fatal.

RE: Potentially Infected (java driveby) - gurhush - 08-09-2012

I'm pretty sure the security hole in older versions of java (Debian ftw!) allows the malicious code to circumvent that.

Basically, I just want a list of everything I'd need to monitor to see if a careless skid was up to something and perhaps the names of some packages which do that. That's it. I want to check for myself.

RE: Potentially Infected (java driveby) - D9u - 09-09-2012

I agree with NeoTerra. Nuke and pave.

RE: Potentially Infected (java driveby) - Robby - 09-09-2012

I once tried to access the popular matrix private RuneScape server when I used Debian, and it erased my home directory. This was via the web browser, and on Windows it ran perfectly. I have no idea why this happened, but it was the official server and not some java drive-by. I should really report it but I can't be bothered.

RE: Potentially Infected (java driveby) - simon - 20-09-2012

Check ss and netstat.
I don't know much about virusish

RE: Potentially Infected (java driveby) - jolia - 21-09-2012

Yup Simon!

Or as Neo told you, reinstall.

It's always the best choice :)

RE: Potentially Infected (java driveby) - Red - 13-12-2012

Install firestarter and have a look at the events, and use the terminal to find out what application is causing it and if there is one you never authorized. Then you know.
Javadriveby does not need root privileges to harm your system. If java is old then, well, it will run. Normally you know by how much resources your browser is using. If the windows starts dimming down and web pages slow down then chances are it's done something to you. Wireshark is ideal for spotting exactly what is going in and out of your computer, so maybe look into that if it happens again.

RE: Potentially Infected (java driveby) - CrossFold - 14-12-2012

htop to see if there are any weird processes. Also do netstat when all the connections you initiated are closed so you know what exactly is going in and out. ss also is a great utility. What's more, get a firewall up and running. I would prefer a GUI if it was for me since it's annoying to handle the CLI at such times, but up to you. And keep track of what services are added to the startup. Just a few common steps towards confirmation.
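
The ss/netstat check suggested in the posts above (seeing what is going out and which application owns it), as an added example that is not part of any post in this thread: a filter that reduces `ss -H -tunp` output to the connections whose owning process is not on a list you expect. The function names, the allowlist argument and the sample lines are assumptions made for the example; the sample is constructed and uses documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread): reduce `ss -H -tunp` output to
# "process pid peer" for every non-loopback connection whose owning
# process is not in a comma-separated allowlist supplied by the reviewer.

# Constructed sample in `ss -H -tunp` layout; replace with live output.
sample_ss() {
cat <<'EOF'
tcp ESTAB 0 0 192.0.2.10:51514 198.51.100.7:443 users:(("iceweasel",pid=2211,fd=87))
tcp ESTAB 0 0 127.0.0.1:40022 127.0.0.1:631 users:(("cupsd",pid=801,fd=9))
tcp ESTAB 0 0 192.0.2.10:43810 203.0.113.50:8080 users:(("java",pid=4410,fd=12))
udp ESTAB 0 0 192.0.2.10:55012 203.0.113.9:123
EOF
}

# unexpected_peers ALLOWLIST   (reads ss lines on stdin)
unexpected_peers() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        peer = $6
        if (peer ~ /^127\./ || peer ~ /^\[::1\]/) next   # skip loopback peers
        # ss names the owner only for sockets it is allowed to inspect;
        # anything else is reported as "unknown" so it is not silently dropped.
        name = "unknown"; pid = "-"
        if (match($0, /users:\(\("[^"]+"/))
            name = substr($0, RSTART + 9, RLENGTH - 10)
        if (match($0, /pid=[0-9]+/))
            pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (!(name in ok)) print name, pid, peer
    }'
}

# Demo on the constructed sample. On a live system:
#   ss -H -tunp | unexpected_peers "iceweasel,ssh"
sample_ss | unexpected_peers "iceweasel"
```

Rows reported as `unknown` are sockets whose owner ss did not show; running ss as root fills in processes belonging to other users.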

RE: Potentially Infected (java driveby) - gurhush - 14-12-2012

(14-12-2012, 03:11 PM)NeoTerra Wrote: I would just nuke and pave, no point in getting all worried/paranoid.

This is a really old post; Red went gravedigging.