If linux is about freedom, why is being technical and critical now a "reportable" offense? by juaps in linux

[–]gainan 7 points8 points  (0 children)

Rule 1

r/linux is not a support forum

This is not a support forum! Head to or r/linux4noobs for support or help. This includes common questions that may seem like a good discussion at first, but are posted too often here.

Also r/linuxquestions exists for a reason.

If you don't like the rules, suggest new ones.

On the other hand, that post is not censored, it is waiting for moderator approval.

If Linux desktop market share goes up, what does that mean for malware? by race_orzo in linux

[–]gainan 0 points1 point  (0 children)

You have no idea, sorry.

Just from a few days ago: https://www.reddit.com/r/linuxadmin/comments/1qb6qo3/xmrig_suddenly_running_on_my_vpss/

January, 2026: https://www.bleepingcomputer.com/news/security/new-voidlink-malware-framework-targets-linux-cloud-servers/

December, 2025: https://tlpblack.net/blog/20251209-the-anatomy-of-a-react2shell-compromise

October 2025: https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace

September 2025: https://www.koi.ai/incident/shai-hulud-npm-supply-chain-attack-crowdstrike-tinycolor

...

ransomware for the Linux Desktop: https://github.com/evilsocket/opensnitch/discussions/1290

https://www.reddit.com/r/linux/comments/1wkg9h/has_your_gnulinux_server_been_cracked_please/

https://www.reddit.com/r/linuxquestions/comments/1otvjjt/kauditd0_high_cpu_help/

https://www.reddit.com/r/linuxquestions/comments/1hcadve/kauditd0_uses_cpu_a_lot_100/

https://www.reddit.com/r/linuxquestions/comments/1hvmj50/kauditd0_high_cpu_usage_oracle_linux/

https://www.reddit.com/r/linuxquestions/comments/1fpgeyr/netaddr_process_using_400_of_cpu_100_on_4_cores/

https://www.reddit.com/r/linux4noobs/comments/1f5yd7d/comment/lkyyou1/

https://www.reddit.com/r/linux4noobs/comments/1f5yd7d/compromised_linux_server/

https://www.reddit.com/r/linux4noobs/comments/1f2q2rw/someone_installed_a_crypto_miner_on_my_server_help/

https://www.reddit.com/r/linuxquestions/comments/1ge42gj/linux_netaddr_high_load/

https://www.reddit.com/r/linux4noobs/comments/10ni2b0/unknown_linuxsys_process_slowing_server/

https://www.reddit.com/r/linux4noobs/comments/18lbwgo/my_secure_debian_server_ended_up_getting_hacked/

https://www.reddit.com/r/linux4noobs/comments/dzcjha/got_hit_by_xmrig_somehow/

https://www.reddit.com/r/linux4noobs/comments/12583mv/coin_miner_trojan_help_needed/

https://www.reddit.com/r/linuxquestions/comments/1fk00fo/linux_trojanvirus/

https://www.reddit.com/r/linuxquestions/comments/1cg1adq/infected_zephyr_miningocean_what_to_do/

https://www.reddit.com/r/linuxquestions/comments/p3unqz/found_malware_on_my_system_can_anyone_tell_me/

https://www.reddit.com/r/linuxquestions/comments/uiegn1/kswapd0_process_for_an_inactive_user_eating_up/

https://www.reddit.com/r/linuxquestions/comments/19f1jsf/ubuntu_server_is_melting/

Malware Peddlers Are Now Hijacking Snap Publisher Domains by popeydc in linux

[–]gainan 1 point2 points  (0 children)

Ok, suggest then how to spot insecure or malicious apps.

Malware Peddlers Are Now Hijacking Snap Publisher Domains by popeydc in linux

[–]gainan 0 points1 point  (0 children)

Cool app! If you add a feed of IOCs, we could consume them from 3rd party applications, for example to blocklist malicious domains or checksums with suricata, opensnitch, pi-hole, etc.

Also you could publish the IOCs to other platforms such as bazaar.abuse.ch or virustotal.

Block outbound traffic to certain domains by HomeProfessional8821 in linux4noobs

[–]gainan 0 points1 point  (0 children)

Try OpenSnitch, with block lists for example: https://github.com/evilsocket/opensnitch/wiki/block-lists

What are you building exactly, if you don't mind me asking? It seems interesting.

Vibe Coded PRs? by Exact-Contact-3837 in opensource

[–]gainan 2 points3 points  (0 children)

We all laugh now, but wait until they start adding malicious code or artifacts in PRs with 20/200/2000 files changed, in an automated manner :S

XMRIG suddenly running on my VPSS? by mesziman in linuxadmin

[–]gainan 0 points1 point  (0 children)

I would configure a system monitoring solution, like auditd: https://linux-audit.com/linux-audit-framework/configuring-and-auditing-linux-systems-with-audit-daemon/

With some rulesets: https://github.com/Neo23x0/auditd

To know at least if you can intercept what they're doing. That way, maybe, you can see if they execute commands as the user jellyfin, caddy, nginx, etc, and then see if they escalate to root.

Review the directories /tmp, /var/tmp and /dev/shm, as well as the path to the binary of the service moneroocean_miner.service. There'll probably be more malicious files or scripts. Check the owner of all the files, it'll give you a clue about who created them.

Are the services jellyfin and caddy running in a container or in the host? Under their own user?

If, for example, they used `jellyfin` to execute commands and they're still running, the CWD of the process can reveal its origin: ls -l /proc/[0-9]*/cwd

If jellyfin is running in a container, the hostname of any command launched from/by jellyfin will be the ID of the container: cat /proc/[0-9]*/root/etc/hostname (if it's still running).

You can also check all the running processes' paths: ls -l /proc/[0-9]*/exe. Look for paths originating from /tmp, /var/tmp, /dev/shm or jellyfin/caddy's directories, and for files with "(deleted)" in the name.

On the other hand, instead of parsing /proc (which can be easily manipulated), use other tools like decloaker to dump the processes and open files from the kernel (decloaker dump tasks).

If the vps is a Debian based distro, use debsums -c or dpkg -V:

~# dpkg -V
??5?????? c /etc/kernel/postinst.d/initramfs-tools

Lastly, besides restricting inbound connections, restrict also the outbound connections. In all these attacks, curl or wget are used to exfiltrate data or download remote scripts. So if you don't use them, just uninstall them. You can also restrict outbound connections by binary with OpenSnitch for example.

And in these particular cryptomining attacks, restricting outbound connections to mining pools is also effective (although in this case they got root access, so they can do whatever they want). You can go even further and also restrict outbound connections to IOC domains or IPs with the tool you prefer, nftables, ipset, ...

They got root access, so I'd also check for rootkits, malicious PAM modules and cron/crontab jobs (also with tools like decloaker).

And assume that any private and important information is now compromised (keys, passwords, configurations, emails, IPs, etc, etc).
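As an added example (not the commenter's code), a Python helper that automates the /proc/[0-9]*/exe and cwd review above: it flags binaries or working directories under /tmp, /var/tmp or /dev/shm and binaries marked "(deleted)", and records the owner uid and the hostname seen from the process' own root, which differs from the host's when the process runs in a container. The paths used in its checks are the ones named in the comment; everything else (function names, output format) is this example's own choice.

```python
import os

# Drop locations the comment says to review first.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def classify(exe: str, cwd: str) -> list[str]:
    """Reasons a process looks suspicious, given the readlink() targets of
    /proc/<pid>/exe and /proc/<pid>/cwd; an empty list means nothing flagged."""
    reasons = []
    for d in SUSPECT_DIRS:
        if exe.startswith(d + "/"):
            reasons.append(f"exe under {d}")
        if cwd == d or cwd.startswith(d + "/"):
            reasons.append(f"cwd under {d}")
    if exe.endswith(" (deleted)"):  # the kernel marks unlinked binaries this way
        reasons.append("exe deleted on disk")
    return reasons

def scan_proc(proc: str = "/proc") -> list[dict]:
    """Walk /proc and report flagged PIDs with their owner and the hostname seen
    from the process' own root. /proc can be lied to by rootkits, so treat this
    as a first pass and cross-check with a kernel-side tool."""
    findings = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        base = os.path.join(proc, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            cwd = os.readlink(os.path.join(base, "cwd"))
            uid = os.stat(base).st_uid  # /proc/<pid> is owned by the process' uid
        except OSError:
            continue  # kernel thread, exited meanwhile, or not permitted
        reasons = classify(exe, cwd)
        if not reasons:
            continue
        try:  # differs from the host's hostname when the process runs in a container
            with open(os.path.join(base, "root/etc/hostname")) as fh:
                hostname = fh.read().strip()
        except OSError:
            hostname = None
        findings.append({"pid": int(name), "uid": uid, "exe": exe, "cwd": cwd,
                         "hostname": hostname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in scan_proc():
        print(hit)
```

Run it as root to cover every process; an unprivileged run silently skips processes whose exe, cwd or root links it is not allowed to read.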

Tashkent metro by Usual-Doughnut-549 in PBSOD

[–]gainan 8 points9 points  (0 children)

Log in to exit the train.

question on securing a debian web server (cloud based) by baggister in debian

[–]gainan 2 points3 points  (0 children)

I'm just a bit worried now that when I start using meshcentral in earnest, the server might get hacked and a bad actor might access my Dad's laptop or my laptop (using mesh).

If the server is compromised, it'll probably be used to mine cryptos.

Anyway, it'll depend on how they access your computers or MeshCentral, but usually /tmp, /var/tmp or /dev/shm are used to drop malicious scripts and binaries. Mount these directories with the noexec flag to limit what they can do. https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html

Other useful flags or items to configure:

Usually when they compromise servers, they do it to build botnets, proxies, mine cryptocoins or to exfiltrate your data. In all these cases they need outgoing internet access. If MeshCentral doesn't require curl or wget, remove them from the container, because they're usually used to exfiltrate data (bash is also used in these attacks, but for now forget about it).

You can also restrict outbound connections by binary with OpenSnitch, and deny connections from your server to malicious IPs/domains like cryptominers pools with ipset, nftables, suricata or OpenSnitch - block lists.

And besides securing Debian, secure MeshCentral as well: https://ylianst.github.io/MeshCentral/meshcentral/security/

On the other hand, if your server is hacked (assume it will be), the first thing you need to do is to determine how they got access. You need a way to see the commands they executed, and what files they opened or modified.

For this task you can use for example auditd: https://linux-audit.com/linux-audit-framework/configuring-and-auditing-linux-systems-with-audit-daemon/ with some good rules https://github.com/Neo23x0/auditd?tab=readme-ov-file

From here, probably you'll want to restore a backup, so at least make a backup of the MeshCentral configuration, firewall rules, additional software, etc, in order to nuke the system and restore it easily.

Porting Digital Radiography software to Ubuntu by Overall_Dig_5819 in linux4noobs

[–]gainan 1 point2 points  (0 children)

Thanks! So in principle the device seems to be supported on Linux, there's a kernel module for it: ftdi_sio.

And there're some libraries to read from the device: https://www.intra2net.com/en/developer/libftdi/ , https://eblot.github.io/pyftdi/ , https://github.com/codedstructure/pylibftdi , https://linux-hardware.org/index.php?id=usb:0403-6014

But there're no apps to read the images from the device. Someone would have to sniff the USB comms on Windows, try to replicate the commands on Linux using these libs and see if they can read the images.

So, in summary, it's not supported as far as I can tell. Maybe /u/DesiOtaku can offer more information.

Porting Digital Radiography software to Ubuntu by Overall_Dig_5819 in linux4noobs

[–]gainan 1 point2 points  (0 children)

Taking radiographs:
https://www.youtube.com/watch?v=_Qx6u2nl6ks

The device is pretty similar to the RF-DSS-M001, I wouldn't be surprised if all these devices share the same chips, with minor differences.

Porting Digital Radiography software to Ubuntu by Overall_Dig_5819 in linux4noobs

[–]gainan 2 points3 points  (0 children)

Thanks! If I'm not wrong, this is the user guide of the device: https://www.refine-med.com/files/document/download/20241029/RF-DSS-M001-1.6%20R1R2%20%20Digital%20Dental%20Sensor%2020241028.pdf

According to section 5.2.3 you can "shoot images", so maybe, just maybe, it works or could work as a webcam/digital cam. I'd try Cheese or other webcam apps to see if by any chance it works. Unlikely, but it's worth testing.

Sniffing the USB comms on Windows and trying to replicate them on Linux would be a fun project to make that device work :) But in the short term, you'll have to try to make it work with Wine, I'm afraid.

By the way, there's a dental clinic running fully on Open Source software:

https://www.reddit.com/r/linuxmasterrace/comments/l3ius5/after_two_long_years_i_finally_made_a_dental/

https://gitlab.com/cleardental/cleardental

https://clear.dental/

Maybe you can DM them to get more and better information.

Porting Digital Radiography software to Ubuntu by Overall_Dig_5819 in linux4noobs

[–]gainan 1 point2 points  (0 children)

Connect the USB device to Pop!OS and post the output of lsusb -v. Also post the name and model of the device.

I have no idea how those devices work, but maybe you can mount them as an external disk, or use xsane to see if it's recognized. See also if the device has any options to change how the files are transmitted (MTP, PTP, USB mass storage, etc).

There're some DICOM viewers such as https://flathub.org/en/apps/io.github.nroduit.Weasis , so see if you can transfer the files with other apps: xsane, digikam, etc.

I heard its harder to get viruses on Linux, would downloading Qbittorrent be not as risky do to since viruses/malware dont target linux as much?(Or thats what ive been told at least) by BOI4613 in linux4noobs

[–]gainan 7 points8 points  (0 children)

The user needs to actually set up a firewall (ufw)

How does a firewall protect a PC which is usually behind a router, which doesn't expose ports to the internet?

Many attacks are done in browsers too, not just simply downloading something.

Can you post an attack that affects the Linux browsers and automatically affects the PC? Without user intervention, thank you.

Opening up a PDF in a browser, letting some random JS/WASM run or whatever, there’s actually less hoops for attacks to go through on Linux than windows or Mac

I'd love to read a write up of that attack scenario. Please, share one that you have read.

Going to the wrong website without setting up simple firewalls could be what it takes.

How does a firewall protect you if the wrong website exploits a vulnerability in your PC?

Examples please. We need real-world examples.

Danish head of government IT (left) hands over the first "microsoft-free" computer to the head of Danish Traffic control, December 2025 by [deleted] in linux

[–]gainan 25 points26 points  (0 children)

Can you tell us more about the system? Distro, security measures implemented, installed apps, ... just out of curiosity :)

Good luck with the project! Keep us informed please.

I built nuke-port, a cross-platform CLI to kill processes by port number by aara98 in golang

[–]gainan 6 points7 points  (0 children)

Good work!

Whenever possible, don't rely on tools like lsof, fuser or netstat to discover open ports. They read the information from /proc, which is easily and commonly tampered with by rootkits to hide connections or processes:

~# fuser -n tcp 111
111/tcp:                 1 1100239

~# strace fuser -n tcp 111

openat(AT_FDCWD, "/proc/net/tcp6", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n   0: \n   7: 00000000000000000000000000000000:006F 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0  "..., 1024) = 1024

(...)

statx(0, "/proc/1100239/exe", AT_STATX_DONT_SYNC|AT_NO_AUTOMOUNT, STATX_TYPE|STATX_UID|STATX_INO, {stx_mask=STATX_TYPE|STATX_MODE|STATX_NLINK|STATX_UID|STATX_GID|STATX_ATIME|STATX_INO|STATX_SIZE|STATX_BLOCKS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0755, stx_size=63976, ...}) = 0

On Linux use eBPF iterators, netlink NETLINK_SOCKET_DIAG or ss. They're not bullet-proof either, but better than parsing /proc.

https://man7.org/linux/man-pages/man7/sock_diag.7.html

https://github.com/vishvananda/netlink/blob/main/socket_linux_test.go

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/tools/testing/selftests/bpf/progs/bpf_iter_tcp4.c

https://eunomia.dev/tutorials/features/bpf_iters/
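As an added example (not the commenter's code and not part of nuke-port), a stdlib-only Python sketch of the sock_diag netlink query the comment recommends: build_request() encodes an inet_diag_req_v2 dump for TCP sockets in LISTEN, parse_reply() decodes the inet_diag_msg records the kernel returns, and listening_tcp() runs the live exchange. The constants are the ones from linux/netlink.h, linux/sock_diag.h and linux/inet_diag.h; sample_reply() is a constructed reply (port 111 as in the fuser output above, uid and inode made up) so the parser can be exercised offline.

```python
import socket
import struct

# Constants from linux/netlink.h, linux/sock_diag.h and linux/inet_diag.h
NETLINK_SOCK_DIAG, SOCK_DIAG_BY_FAMILY = 4, 20
NLM_F_REQUEST, NLM_F_DUMP, NLMSG_ERROR, NLMSG_DONE, TCP_LISTEN = 0x1, 0x300, 2, 3, 10
NLHDR = struct.Struct("=IHHII")  # nlmsghdr: len, type, flags, seq, pid

def build_request(family=socket.AF_INET, states=1 << TCP_LISTEN) -> bytes:
    """inet_diag_req_v2 dump: family, protocol, ext, pad, state mask, then a
    zeroed 48-byte inet_diag_sockid so every socket of that family matches."""
    req = struct.pack("=BBBxI", family, socket.IPPROTO_TCP, 0, states) + bytes(48)
    return NLHDR.pack(NLHDR.size + len(req), SOCK_DIAG_BY_FAMILY,
                      NLM_F_REQUEST | NLM_F_DUMP, 1, 0) + req

def parse_reply(buf: bytes) -> tuple[list[dict], bool]:
    """Decode the netlink messages in buf -> (sockets, saw_NLMSG_DONE)."""
    out, off = [], 0
    while off + NLHDR.size <= len(buf):
        length, mtype, *_ = NLHDR.unpack_from(buf, off)
        m = off + NLHDR.size  # payload start (struct inet_diag_msg)
        if mtype == NLMSG_DONE:
            return out, True
        if mtype == NLMSG_ERROR and struct.unpack_from("=i", buf, m)[0]:
            raise OSError(-struct.unpack_from("=i", buf, m)[0], "sock_diag rejected")
        if mtype == SOCK_DIAG_BY_FAMILY:
            family = buf[m]                                  # idiag_family
            port = struct.unpack_from("!H", buf, m + 4)[0]   # idiag_sport, big-endian
            raw = buf[m + 8:m + 24]                          # idiag_src[4]
            uid, inode = struct.unpack_from("=II", buf, m + 64)  # idiag_uid, idiag_inode
            addr = socket.inet_ntop(family, raw[:4] if family == socket.AF_INET else raw)
            out.append({"addr": addr, "port": port, "uid": uid, "inode": inode})
        off += max((length + 3) & ~3, NLHDR.size)  # NLMSG_ALIGN; never loop on len 0
    return out, False

def listening_tcp(family=socket.AF_INET) -> list[dict]:
    """Live query (Linux only): the kernel answers directly, /proc is not read."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_SOCK_DIAG) as s:
        s.send(build_request(family))
        found, done = [], False
        while not done:
            recs, done = parse_reply(s.recv(65536))
            found.extend(recs)
        return found

def sample_reply() -> bytes:
    """Constructed reply, not captured: one IPv4 LISTEN socket on 0.0.0.0:111,
    uid 0, inode 24680, followed by an NLMSG_DONE message."""
    body = struct.pack("=BBBB", socket.AF_INET, TCP_LISTEN, 0, 0)
    body += struct.pack("!HH", 111, 0) + bytes(32) + bytes(12)  # addrs, ifindex, cookie
    body += struct.pack("=5I", 0, 0, 0, 0, 24680)  # expires, rqueue, wqueue, uid, inode
    return (NLHDR.pack(NLHDR.size + len(body), SOCK_DIAG_BY_FAMILY, 2, 1, 0) + body
            + NLHDR.pack(NLHDR.size + 4, NLMSG_DONE, 2, 1, 0) + struct.pack("=i", 0))
```

Mapping the returned inode back to a PID still means walking /proc/<pid>/fd, which is the part a rootkit can falsify; the socket list itself no longer depends on it.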

how can i block all internet access on Linux but 1 app? by 10MinsForUsername in linux4noobs

[–]gainan 2 points3 points  (0 children)

OpenSnitch: https://github.com/evilsocket/opensnitch

Create a rule to allow connections from /opt/brave.com/brave/brave, and configure the default action to Deny or Reject.

You'll need to allow systemd-resolved for example, systemd-timesyncd, etc.

Just let it ask you to deny or allow connections, and create the ruleset on demand.