linux
artemk1ter, 2021-05-19 22:00:14

Are there really viruses on Arch?

Actually, because of my wild paranoia I'm afraid to leave my computer near my stepfather (you never know what he'll do on it), and once I left it for literally a minute (forgot to lock the screen, but closed the lid) and immediately ran to look for a virus with rkhunter. Here is the log with the warnings:

[[email protected] ~]$ sudo cat /var/log/rkhunter.log | grep -A5 "\[ Warning \]"
[sudo] password for phoenix: 
[21:23:59]   /usr/bin/egrep                                  [ Warning ]
[21:23:59] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[21:23:59]   /usr/bin/env                                    [ OK ]
[21:24:00]   /usr/bin/fgrep                                  [ Warning ]
[21:24:00] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[21:24:01]   /usr/bin/file                                   [ OK ]
[21:24:01]   /usr/bin/find                                   [ OK ]
[21:24:02]   /usr/bin/fsck                                   [ OK ]
[21:24:02]   /usr/bin/fuser                                  [ OK ]
--
[21:24:12]   /usr/bin/ldd                                    [ Warning ]
[21:24:12] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[21:24:13]   /usr/bin/less                                   [ OK ]
[21:24:13]   /usr/bin/logger                                 [ OK ]
[21:24:14]   /usr/bin/login                                  [ OK ]
[21:24:14]   /usr/bin/ls                                     [ OK ]
--
[21:25:18]   /usr/bin/vendor_perl/GET                        [ Warning ]
[21:25:18] Warning: The command '/usr/bin/vendor_perl/GET' has been replaced by a script: /usr/bin/vendor_perl/GET: Perl script text executable
[21:25:53]   /usr/lib/systemd/systemd                        [ OK ]
[21:25:53]   /etc/rkhunter.conf                              [ OK ]
[21:27:50]
[21:27:50] Info: Starting test name 'rootkits'
--
[21:33:11]   Checking for suspicious (large) shared memory segments [ Warning ]
[21:33:11] Warning: The following suspicious (large) shared memory segments have been found:
[21:33:11]          Process: /usr/lib/libreoffice/program/soffice.bin    PID: 2389    Owner: phoenix    Size: 16MB (configured size allowed: 1,0MB)
[21:33:11]          Process: /opt/sublime_text/sublime_text    PID: 1772    Owner: phoenix    Size: 64MB (configured size allowed: 1,0MB)
[21:33:12]
[21:33:12] Info: Starting test name 'trojans'
--
[21:35:14]   Checking for passwd file changes                [ Warning ]
[21:35:14] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[21:35:14]
[21:35:14] Info: Starting test name 'group_changes'
[21:35:14]   Checking for group file changes                 [ Warning ]
[21:35:14] Warning: Unable to check for group file differences: no copy of the group file exists.
[21:35:14]   Checking root account shell history files       [ OK ]
[21:35:15]
[21:35:15] Info: Starting test name 'system_configs'
[21:35:15] Performing system configuration file checks
--
[21:35:15]   Checking if SSH root access is allowed          [ Warning ]
[21:35:16] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
           The default value may be 'yes', to allow root access.
[21:35:16]   Checking if SSH protocol v1 is allowed          [ Warning ]
[21:35:16] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[21:35:16]   Checking for other suspicious configuration settings [ None found ]
[21:35:16]
[21:35:16] Info: Starting test name 'system_configs_syslog'
--
[21:35:36]   Checking for hidden files and directories       [ Warning ]
[21:35:36] Warning: Hidden file found: /etc/.#gshadowdU1eh2: ASCII text
[21:35:36] Warning: Hidden file found: /etc/.updated: ASCII text
[21:35:36] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, max compression, from Unix, truncated
[21:35:37] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, max compression, from Unix, truncated
[21:35:37]   Checking for missing log files                  [ Skipped ]


False positive or go for a reinstall?

(Arch Linux + i3wm)

Satisfied IT, 2021-05-19
@artemk1ter

Put the same system on a virtual machine and try to deliberately infect that machine with a virus yourself; spend a couple of hours on it on purpose, and after nothing succeeds, calm down and stop tormenting the system.

ky0, 2021-05-19
@ky0

I envy your stepfather's skill, if he pulled off such a business in a couple of minutes :)

Sergei Nazarenko, 2021-05-19
@nazares

Paranoia needs to be treated, otherwise it won't be long before you end up in the psychiatric hospital.

CityCat4, 2021-05-20
@CityCat4

"Here it is, here it is, here it is spring
Like paranoia!" (c) Nikolai Noskov

Besides, egrep and fgrep are simple scripts; to make sure they are not viruses, just look at them, damn it:

#!/bin/sh
# fgrep wrapper: hands all of its arguments straight to grep -F
exec /bin/grep -F "$@"

Star virus :)
To do something in a minute, you need to be more than just prepared. You need to understand precisely and clearly what to do and how, and to train hard for it.
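
Added example, not part of this thread: a small triage script for the warnings quoted in the question (the "replaced by a script" and "Hidden file found" lines) and for the point CityCat4 makes that egrep/fgrep are plain wrappers. It assumes an Arch system with pacman (`pacman -Qoq` to find the owning package, `pacman -Qkk` to verify the file's recorded properties); off Arch those steps are skipped and it still runs. The rkhunter lines and the two fixture scripts are constructed here to mirror the post, not taken from the poster's machine.

```shell
#!/bin/sh
# Triage of rkhunter file warnings on Arch: pull the flagged paths out of the
# log, ask pacman who owns each one and whether it still matches the package,
# and flag wrapper scripts that do anything beyond handing off to grep.
# Added example for this thread; sample log and fixtures are constructed.

# Constructed sample of the three kinds of lines rkhunter wrote in the post.
SAMPLE_LOG=$(cat <<'EOF'
[21:23:59]   /usr/bin/egrep                                  [ Warning ]
[21:23:59] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[21:23:59]   /usr/bin/env                                    [ OK ]
[21:24:12] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[21:35:36] Warning: Hidden file found: /etc/.updated: ASCII text
[21:35:36] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, max compression, from Unix, truncated
EOF
)

# Print every path rkhunter reported as "replaced by a script" or
# "Hidden file found", one per line, in log order.
flagged_paths() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*The command '\([^']*\)' has been replaced by a script.*/\1/p" \
        -e 's/.*Hidden file found: \([^:]*\):.*/\1/p'
}

# On Arch, ask the package manager about one path: which package owns it and
# whether pacman -Qkk still considers that file intact. Without pacman this
# prints "no-pacman" so the rest of the script keeps working.
pacman_verify() {
    command -v pacman >/dev/null 2>&1 || { echo "no-pacman"; return 0; }
    pkg=$(pacman -Qoq "$1" 2>/dev/null) || { echo "unowned"; return 0; }
    # -Qkk lists only mismatching files, so our path showing up means modified.
    if pacman -Qkk "$pkg" 2>&1 | grep -q -- "$1"; then
        echo "modified:$pkg"
    else
        echo "intact:$pkg"
    fi
}

# Classify a script that replaced a binary: "wrapper" when, comments and blank
# lines aside, the body is exactly one 'exec grep ...' line (the shape of the
# egrep/fgrep scripts shipped by Arch's grep package); anything else is
# "inspect". "inspect" is also the honest answer for ldd, which really is a
# long bash script and has to be judged by its package checksum instead.
classify_wrapper() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    body=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true)
    case $body in
        'exec grep '*|'exec /bin/grep '*|'exec /usr/bin/grep '*)
            if [ "$(printf '%s\n' "$body" | wc -l | tr -d ' ')" -eq 1 ]; then
                echo "wrapper"
            else
                echo "inspect"
            fi ;;
        *) echo "inspect" ;;
    esac
}

# Constructed fixtures: a wrapper like the one CityCat4 quotes, and one that
# also logs every argument to a hidden file before running grep.
setup_fixtures() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nexec /bin/grep -F "$@"\n' > "$dir/fgrep"
    printf '#!/bin/sh\necho "$*" >> /tmp/.grep-args\nexec /bin/grep -F "$@"\n' > "$dir/fgrep.bad"
    echo "$dir"
}

main() {
    dir=$(setup_fixtures)
    echo "paths rkhunter flagged:"
    flagged_paths "$SAMPLE_LOG" | while IFS= read -r p; do
        printf '  %-40s owner/integrity: %s\n' "$p" "$(pacman_verify "$p")"
    done
    echo "script classification:"
    for s in "$dir/fgrep" "$dir/fgrep.bad"; do
        printf '  %s -> %s\n' "$s" "$(classify_wrapper "$s")"
    done
    rm -rf "$dir"
}
main "$@"
```

Run it as root on the Arch box and the interesting answers are "unowned" (no package claims the file) and "modified:<pkg>" (the file differs from what the package installed); "intact" plus "wrapper" is the false-positive case this thread is about. Two further points for this log: the "no copy of the passwd file exists" and "group file" warnings only mean rkhunter has never stored a baseline, which `rkhunter --propupd` creates, and known-good scripts such as egrep/fgrep can be listed in `SCRIPTWHITELIST` in rkhunter.conf so they stop appearing.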

Valdemar Smorman, 2021-05-19
@smorman

Kill it and forget it!
And don't drive yourself crazy over non-existent problems!

mkone112, 2021-05-20
@mkone112

Malicious software can run on any system. But paranoia needs to be treated.
