Discussion:
Did I have a real Linux Virus or extreme Wayland issues?
azigni
2025-01-18 21:54:04 UTC
Graphics Platform: X11
Processors: 20 × 12th Gen Intel® Core™ i7-12700F
Memory: 31.1 GiB of RAM
Graphics Processor: NVIDIA GeForce GTX 1660 SUPER/PCIe/SSE2
Manufacturer: HP
Product Name: HP ENVY TE01-3xxx
SSD hard drive

Did I have a Linux virus...or serious compatibility issues? I have an
Nvidia card, and I know Wayland and Nvidia are not friends. I don't know
if this was Wayland and Nvidia fighting. I do not know how I could have
picked up an extremely rare Linux virus either, fwiw.

I do not wander the Internet going to exotic sites. I visit the same
common sites I have for years, pretty standard places: Yahoo,
Distrowatch, Alltop, etc. I do not trade files with anyone, and no one
uses this computer but me.

I first noticed a problem when I downloaded a .png file using the Pan
newsreader. I stopped Pan from downloading as it was taking much too long.
I had 1,747 copies of an unusable *.png in my /home directory, and not
where I told Pan to download to. Next I started having screen freezes,
followed by dropped connections to the network. These issues started
happening several times every few hours.

I went to do a /home backup, using a script I wrote last year. The script
copied where it was supposed to, then created a new directory and started
making multiple copies of /home under it. The script also [allegedly]
copied /home to a new folder in my / directory and locked me out of it.
It said it belonged to root; obviously some other root, as I could not open
the directory as root.

I had been playing around with Fedora KDE on a separate drive for a week
or so when all this started happening. The KDE ISO passed the checksum
check, so I know it was good. At first I blamed all this on Wayland. I
deleted Fedora KDE, and the problems continued. I reinstalled Mint, and
the problems continued.

I changed out SSDs at this time....

On the third re-install attempt, something really strange happened. I was
using a USB stick with Ventoy, which had a few recovery distros and my
latest ISO copy on it. When I was 'Live' and about to start the install, a
message popped up, "What is the root password...I need do a few things". I
shut down my computer.

I installed clamav and RkHunter, along with a third rootkit finder. They
all found something different they said was not right (a warning), but the
few references I found said it was a false positive. I did not believe the
articles.

Using 'clean' USB sticks and a live distro, I did an ISO download,
verified the checksum and installed it on a new USB stick. I shut down my
computer, waited a few minutes, rebooted, ran checks on the system (RAM,
network, etc.), and everything was good. I booted the clean ISO, zeroed out
the hard drive, turned off the zram swap, and re-installed.

It has been three days now, and everything is working as it should, afaik.
For the near future Wayland is out; no more playing around with it on my
PC. The question is compatibility between Wayland and my Nvidia card, but
I did not find any articles describing my issues, and this was a little
extreme. Have you experienced anything like this?
Mike Easter
2025-01-18 22:08:08 UTC
Post by azigni
I had 1,747 copies of an unusable *.png in my /home directory,
If you have a copy of the .png, why don't you upload it to VT VirusTotal.

https://www.virustotal.com/gui/home/upload

Or any other unexpected files associated w/ the experience.
--
Mike Easter
Paul
2025-01-19 04:13:21 UTC
Post by Mike Easter
Post by azigni
I had 1,747 copies of an unusable *.png in my /home directory,
If you have a copy of the .png, why don't you upload it to VT VirusTotal.
https://www.virustotal.com/gui/home/upload
Or any other unexpected files associated w/ the experience.
Do NOT use any file viewer software on those PNG files.

To feed VirusTotal, you can run

sha256sum *.png

on the PNG collection and see if they all have the same checksum.
This will reduce the scan time and effort: as long as
they are all the same PNG, you can use the "search" function
and just enter the sha256sum value to see if someone else has already
uploaded it for a scan.

I'm not a malware analysis guy, but there were two FOSS libraries in
the past with unsanitized data handling. Some big companies reused
the libraries without doing code review or analysis for quality.
The end result of the incident is that the code quality was improved
in the libraries in question.

You would think that something like "pnglib" would also be
subject to analysis and cleanup, but perhaps there was an incident
with pnglib as well. The person who crafted the malformed PNG
attachment could be searching for that old version of the library
to exploit, as there are some strange people running out-of-support
libraries and having no patch clues at all, and they would be
the most vulnerable.

As a general comment, if you see an attachment in a USENET post
for "tits and ass.jpg", just move on to the next post :-) Nobody
wants a steady diet of old JPG exploits for the OS to consume.

The same can go for movies, and Firefox has process isolation as
well as stack smashing detection, right in Firefox itself. If
the movie process dies, Firefox forks another one. Firefox should
NEVER be elevated. Don't run it as root. Don't run your machine
as the root user (some people do stuff like that), and then casually
run Firefox, because if there is an exploit that punches through
Firefox defenses, then the elevation would mean just about
anything could happen to the machine.

There are some exploits for UEFI that are hard or impossible to
remove. The machine is an accident waiting to happen, and as
users, we have to be on our best behavior regarding every exploit
mechanism we know of on computers. For example, all the AMD machines
here have received their BIOS update, but on one of my cheesy motherboards
the last needed CVE was not released as a patch, so that (older)
motherboard remains vulnerable. In the past, I would never bother
flashing the BIOS unless "the CPU did not work". But now, in
this new era, unfortunately the machines have a volatile component
called UEFI that requires maintenance. All a clever scheme to have
us upgrade computers every few years, like they were thousand-dollar
smart phones.

Paul
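Paul's triage above, as an added example that is not part of the thread: a small POSIX shell script that groups a directory of downloaded *.png files by SHA-256 (so one hash covers every identical copy when searching VirusTotal) and checks the PNG magic bytes with od, so no image decoder or viewer ever touches the files. The directory path is a parameter; the function names are mine.

```shell
#!/bin/sh
# Triage a folder of suspicious PNG downloads without opening any of them.
# Only sha256sum, od and text tools read the files; nothing decodes an image.

# Print "<count> <sha256>" for each distinct file content under $1,
# most common first. One line of output means every copy is identical
# and a single VirusTotal hash search covers the whole collection.
png_hash_groups() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -name '*.png' -exec sha256sum {} + \
        | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Number of distinct hashes found under $1 (printed as a bare integer).
png_distinct_count() {
    png_hash_groups "$1" | wc -l | tr -d ' '
}

# Return 0 if $1 starts with the PNG signature 89 50 4E 47 0D 0A 1A 0A.
# The 8 bytes are read raw with od; a file that fails this check is not
# a PNG at all, whatever its extension says.
is_real_png() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    [ "$sig" = "89504e470d0a1a0a" ]
}

# Label every *.png in $1 as "png-signature" or "not-a-png" by magic bytes.
png_signature_report() {
    for f in "$1"/*.png; do
        [ -f "$f" ] || continue
        if is_real_png "$f"; then
            echo "png-signature $f"
        else
            echo "not-a-png $f"
        fi
    done
}
```

Run `png_hash_groups ~/` first; if it prints a single line, search VirusTotal for that one hash instead of uploading 1,747 files.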
azigni
2025-01-19 04:33:40 UTC
After I posted and spent more time thinking about the situation, there is
one possibility. I have a language student and I give him homework on a
USB stick, which he copies the homework off of to his laptop.

I suppose it is possible he was on a website(s) from his homeland and
somehow infected his laptop? I will have to follow up on this, and
perhaps change my USB stick to 'read only' before he plugs it in to his
laptop. I don't know if that makes any difference in the larger scheme of
things....
azigni
2025-01-19 04:56:03 UTC
FWIW, I followed up by installing and running RkHunter and CHKRootkit, no
findings. Glad that is behind me.
Edmund
2025-01-19 08:18:57 UTC
Post by azigni
Graphics Platform: X11
Processors: 20 × 12th Gen Intel® Core™ i7-12700F
Memory: 31.1 GiB of RAM
Graphics Processor: NVIDIA GeForce GTX 1660 SUPER/PCIe/SSE2
Manufacturer: HP
Product Name: HP ENVY TE01-3xxx
SSD hard drive
Did I have a Linux virus...or serious compatibility issues? I have an
Nvidia card, and I know Wayland and Nvidia are not friends. I don't know
if this was Wayland and Nvidia fighting. I do not know how I could have
picked up an extremely rare Linux virus either, fwiw.
I do not wander the Internet going to exotic sites. I visit the same
common sites I have for years, pretty standard places: Yahoo,
Distrowatch, Alltop, etc. I do not trade files with anyone, and no one
uses this computer but me.
I first noticed a problem when I downloaded a .png file using the Pan
newsreader. I stopped Pan from downloading as it was taking much too long.
I had 1,747 copies of an unusable *.png in my /home directory, and not
where I told Pan to download to. Next I started having screen freezes,
followed by dropped connections to the network. These issues started
happening several times every few hours.
I went to do a /home backup, using a script I wrote last year. The script
copied where it was supposed to, then created a new directory and started
making multiple copies of /home under it. The script also [allegedly]
copied /home to a new folder in my / directory and locked me out of it.
It said it belonged to root; obviously some other root, as I could not open
the directory as root.
Until here: you are reporting X11, not Wayland!
Post by azigni
I had been playing around with Fedora KDE on a separate drive for a week
or so when all this started happening. The KDE ISO passed the checksum
check, so I know it was good. At first I blamed all this on Wayland. I
deleted Fedora KDE, and the problems continued. I reinstalled Mint, and
the problems continued.
I changed out SSDs at this time....
On the third re-install attempt, something really strange happened. I was
using a USB stick with Ventoy, which had a few recovery distros and my
latest ISO copy on it. When I was 'Live' and about to start the install, a
message popped up, "What is the root password...I need do a few things". I
shut down my computer.
I installed clamav and RkHunter, along with a third rootkit finder. They
all found something different they said was not right (a warning), but the
few references I found said it was a false positive. I did not believe the
articles.
Using 'clean' USB sticks and a live distro, I did an ISO download,
verified the checksum and installed it on a new USB stick. I shut down my
computer, waited a few minutes, rebooted, ran checks on the system (RAM,
network, etc.), and everything was good. I booted the clean ISO, zeroed out
the hard drive, turned off the zram swap, and re-installed.
It has been three days now, and everything is working as it should, afaik.
For the near future Wayland is out; no more playing around with it on my
PC. The question is compatibility between Wayland and my Nvidia card, but
I did not find any articles describing my issues, and this was a little
extreme. Have you experienced anything like this?
--
-------------

Godspeed for Assange
Amnesty for Snowden
Rehabilitation for heroes

Edmund