Linux - Newbie: This Linux forum is for members that are new to Linux.
If I connect an external hdd (previously connected to a linux os comp where all the current files on the exthdd originated from) to a RAT infected linux os – comp (different computer), and the exthdd “auto-mounted” thus allowing for ‘writing’ privileges, could those files (some or all) be corrupted before opening them, or would I need to click on the files in a “read-write” mode first? Seems fair to say that they could all have become infected with the RAT once I connected the exthdd to the infected comp.
In other words, if I only open them in the future in a ro,noexec mode at all times, are they still safe from becoming corrupted, or not necessarily – the damage may have been done already and likely was, at least for some files in which the RAT infected "AND" corrupted the files before I ever got to them?
Trying to open the files in "read-only" would show if they are in fact corrupted, yes, but there are too many files (1.5 TB) to do that, among other reasons. And how do I know the comp is infected with a RAT? People have gotten on my comp in the past after opening emails or facebook, etc. Trust me, it is infected and likely with Rakshasa as I have no hdd connected to the comp, rather, a liveusb.
Please don't make the focus of this question whether or not there is a RAT on the comp and why I think so, etc.
No idea, since you don't tell us what operating system this external HDD came from, what kind of data is on it, filesystem type, or what "linux os" you're talking about. Windows programs don't work on Linux, so any viruses/trojans are probably just not going to work on Linux at all. Same if it was Mac OS files.
If you're worried, perform a Linux install to a USB stick, install clamav on it, and connect your HDD and scan it to see what happens. Since you don't provide many real details (including why you think you got a RAT program that's over five years old and well known), there isn't much we can offer in the way of advice. https://security.stackexchange.com/q...rding-rakshasa
Thanks. I really didn't think it mattered what os the exthdd came from and what kind of os the RAT was on, since they are both linux.
In any case, the exthdd files were coming from another exthdd whereby most of the files there were created in Windows, and most of the files (90%) are Microsoft "docs" or OpenOffice docs. There are photos and some videos. The exthdd that received the files, which is the hdd I am concerned about, was connected to the infected computer running Ubuntu 17.10 on the receiving end and Ubuntu on the sending end (likely Ubuntu 16) from what I can see. This desktop was custom made whereby the OS where the file manager and graphical interface / monitor is Debian 9, but the firewall where Tor is has Ubuntu. I don't have enough knowledge to explain that.
Regarding the 5 year old Rakshasa, I've been told that once it infects your firmware, it infects your bios, and even if you clean your hdd of it, it will always be on your computer for life, unless you cold-flash the bios and all firmware at the same time. That info comes from a very knowledgeable source. please feel free to disagree.
question: "If you're worried, perform a Linux install to a USB stick, install clamav on it, and connect your HDD and scan it to see what happens" Can I mount the exthdd as read-only?
question: are you saying that if all of the files on the exthdd that i connected to the infected computer are windows docs/ files, and if there is a Rakshasa RAT on the ubuntu os (infected comp) there, that the RAT coming from a linux os would be useless on files/docs created in windows? Or am I just hoping...? Everything on the exthdd was created in windows.
What other info did I not specify?
thx.
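Added example, not code posted by anyone in this thread: a POSIX shell script that does the three things discussed here and in the later clamav posts: mount the external drive read-only with noexec so the host cannot write to it and nothing on it can run, scan it recursively with clamscan, and record a SHA-256 manifest so the 1.5 TB of files can be checked for modification without opening each one. The device path /dev/sdb1, the mount point /mnt/ext and the file names are placeholders. mount_readonly and scan_tree need root and clamav installed; make_manifest and check_manifest run anywhere with GNU coreutils.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Assumptions (placeholders): the external drive is /dev/sdb1, mounted at /mnt/ext.

# Mount the drive so the host cannot write to it and nothing on it can run:
#   ro                   - no writes, so the host's state cannot alter the files
#   noexec,nosuid,nodev  - binaries, setuid files and device nodes on it are inert
mount_readonly() {
    dev="$1"
    mnt="$2"
    mkdir -p "$mnt" || return 1
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Recursive ClamAV scan that reports only infected files and logs to a file.
# clamscan exits 0 when clean, 1 when something was detected, 2 on error.
scan_tree() {
    tree="$1"
    logfile="$2"
    clamscan -r --infected --log="$logfile" "$tree"
}

# Write one "<sha256>  ./path" line per regular file, sorted so the manifest is
# reproducible. Keep the manifest somewhere other than the drive it describes.
make_manifest() {
    tree="$1"
    out="$2"
    (cd "$tree" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum) > "$out"
}

# Recompute every hash and compare with the manifest. Changed or missing files
# are printed as FAILED; the return value is non-zero if any differ.
check_manifest() {
    tree="$1"
    # sha256sum runs inside the tree, so make a relative manifest path absolute.
    case "$2" in
        /*) manifest="$2" ;;
        *)  manifest="$PWD/$2" ;;
    esac
    (cd "$tree" && sha256sum -c --quiet "$manifest")
}

# Typical use, as root, with the drive attached (placeholders as above):
#   mount_readonly /dev/sdb1 /mnt/ext
#   scan_tree /mnt/ext "$HOME/clamscan-ext.log"
#   make_manifest /mnt/ext "$HOME/ext-manifest.sha256"      # baseline
#   ... later, after the drive has been plugged into another machine ...
#   check_manifest /mnt/ext "$HOME/ext-manifest.sha256"
```

A manifest only detects changes relative to when it was taken: a baseline made after the drive has already been attached to the suspect machine will catch future modifications but says nothing about what happened before it. That is the reason to hash the drive before exposing it, and why the manifest and the clamscan log should live off the drive.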
Thanks. I really didn't think it mattered what os the exthdd came from and what kind of os the RAT was on, since they are both linux.
...which we have no way of knowing, until you TELL US that they're both Linux. For all we knew, this external hard drive was from an old iMac, or Windows Vista. We don't know unless you say.
Quote:
In any case, the exthdd files were coming from another exthdd whereby most of the files there were created in Windows, and most of the files (90%) are Microsoft "docs" or OpenOffice docs. There are photos and some videos. The exthdd that received the files, which is the hdd I am concerned about, was connected to the infected computer running Ubuntu 17.10 on the receiving end and Ubuntu on the sending end (likely Ubuntu 16) from what I can see. This desktop was custom made whereby the OS where the file manager and graphical interface / monitor is Debian 9, but the firewall where Tor is has Ubuntu. I don't have enough knowledge to explain that.
So you have office docs, photos and videos. Again Windows programs do not run on Linux. So scan the external hard drive from a Live USB distro to see what's on it.
Quote:
Regarding the 5 year old Rakshasa, I've been told that once it infects your firmware, it infects your bios, and even if you clean your hdd of it, it will always be on your computer for life, unless you cold-flash the bios and all firmware at the same time. That info comes from a very knowledgeable source. please feel free to disagree. What other info did I not specify?
thx.
Please don't use text speak. And if you have this 'knowledgeable source' to assist you, it's odd you're posting here. This is an external hard drive...what 'firmware' is it going to infect? Your files were created on Windows, so if there are any viruses, they're Windows based. And since this particular trojan was based in BIOS...how, exactly, does that BIOS get copied to the files? Then re-flashed up to BIOS on a new machine, with ZERO user intervention? Sorry, no. And even the five year old RAT you're talking about was proof-of-concept only, and involved getting a machine infected via local access FIRST. Did you not read the article I posted before?
If you're concerned, as said, scan the external hard drive as said.
..."what firmware is it going to infect" is in regards to the infected computer that I connected the exthdd to.
... "Your files were created on Windows, so if there are any viruses, they're Windows based."
---------I'm not referring to viruses that the files may have picked up in windows; I'm referring to any viruses that the files may have picked up when the exthdd was connected to the presumably infected laptop.
From what I understand, Rakshasa doesn't infect files or deal with the hdd at all. So, if that's what you have, you don't need to worry about infected files. But you could just scan the drive with clamav.
In the past the malware they sent me infected a lot of files - like every usb I owned to the point that it even caused the computer to shut down after ejecting it correctly. I used to get the message about there being something wrong with the flashdrives - all the time.
When I transferred the files from the usb's to a different exthdd, the exthdd said the same thing. It asked me if I wanted to 'fix the problem' so I didn't lose data in the future. I clicked yes, and it deleted 50GB of data from my other exthdd!!! Not good... But I am going to see if I can recover it - lacie exthdd.
thx.
1... is there malware besides Rakshasa that can infect the firmware/ bios?
3... when the exthdd "auto-mounted", which it never does on my Linux desktop computer, the Ubuntu OS I attached it to was running from a live USB. Wondering if I had installed Ubuntu onto the hdd whether the exthdd would still have auto-mounted.
thx.
...seems like clamav checks "desktop - documents, etc" but what about the guts of the computer vs documents? Is it going to tell me if the bios or firmware are infected?
correction: checking a lot more now.
HOW RELIABLE IS CLAMAV?
..."what firmware is it going to infect" is in regards to the infected computer that I connected the exthdd to.
You miss the point entirely. The virus cannot infect the exthdd, because IT HAS NO FIRMWARE TO INFECT. There is no BIOS on it. So the rat stops there...so no matter what you plug it into later, won't matter.
Quote:
... "Your files were created on Windows, so if there are any viruses, they're Windows based."
---------I'm not referring to viruses that the files may have picked up in windows; I'm referring to any viruses that the files may have picked up when the exthdd was connected to the presumably infected laptop.
Again, 'presumably', with a five year old program that was only ever proof-of-concept, which won't get transferred to an external hard drive, which means it won't get passed on, because THERE IS NOTHING TO PASS ON.
Quote:
article: a bit much clamav: working on it..
If you don't want to read an article and learn, there's little point in asking a question; you should then rely on your 'knowledgeable source' for guidance.
Good thing you thanked AwesomeMachine for the exact same advice I gave you earlier, too.
Quote:
Originally Posted by jettjett
1... is there malware besides Rakshasa that can infect the firmware/ bios?
3... when the exthdd "auto-mounted", which it never does on my linux desktop computer, ubuntu os I attached it to was from a liveusb. wondering if I had installed ubuntu onto the hdd if the exthdd would still have auto-mounted.
thx.
...and...
Quote:
...All my windows "docs" and pics open up on my debian9 os. I open them in read-only mode...seems like clamav checks "desktop - documents, etc" but what about the guts of the computer vs documents? Is it going to tell me if the bios or firmware are infected? correction: checking a lot more now. HOW RELIABLE IS CLAMAV?
It is very reliable, and if you want to know about other proof-of-concept security holes, please look them up. No idea what you're saying about the "auto-mounted" stuff above, but it seems like this is an exercise in paranoia. Especially when you start with "don't focus on how I know I'm infected", which seems like a logical starting point.
...when I switched to TAILS, the person could not get on my computer for about a week, but when she learned that I was using TAILS, she sent something to my computer, somewhere on the computer, that gave her access. I thought it was possible that it was Rakshasa. If not, then a linux RAT. But she definitely got on. The hdd was not in the computer. I don't use TAILS anymore.
"You miss the point entirely. The virus cannot infect the exthdd, because IT HAS NO FIRMWARE TO INFECT. There is no BIOS on it. So the rat stops there...so no matter what you plug it into later, won't matter."
-----------
#1) IT'S A HARD DRIVE!! THE HDD ITSELF CAN BE INFECTED LIKE ANY OTHER HDD. YOU missed the point entirely. Your comment says that hdd's can not become infected - beyond ridiculous.
#2) Just like an sd card, it doesn't have to have a bios or firmware - it just needs to have files. What you said is like saying that "the documents" on an sd-card can not get infected. Very wrong. SD-card has no bios, no firmware; the sd-card will not get infected, but the documents on it will.
#3) You need to look-up auto-mounted; if you want to post here, you should be familiar with that term.
#4) You seem less knowledgeable about Rakshasa than myself. "just a proof of concept" - not according to my knowledgeable source.
Get your facts straight before you decide to act the way you did here...not professional.