Ubuntu Security :: Using Ubuntu To Remove Trojan From Windows 7
May 31, 2011
I stupidly clicked on a spam link on my roommate's computer (I must have forgotten that I wasn't using Ubuntu and had to be much more careful) and the computer is now infected by a nasty Trojan. (I unfortunately cannot remember the name right now, but it is a Trojan.) Now, her computer will barely start up under the normal Windows 7 without a blue screen of death appearing, with the IRQL_NOT_LESS_OR_EQUAL error message. I stumbled upon this: http://maketecheasier.com/remove-win...ux/2010/02/02/ and I thought I would give it a shot. I don't have a flash drive, and I'm rather tight on cash at the moment, so instead of creating a USB stick with the OS they recommended, I used my live CD of Ubuntu 10.4. I installed Clam and ran the update as it says, and it seemed to work alright. When I started the scan, however (excluding .doc files), the first message that came up was that the software was out of date, but the scan proceeded, and so I figured all was alright. The scan took about an hour 45, and when it was done, it reported that 0 files were infected and that there were 4 errors. I crossed my fingers and hoped that these errors were the problem and Clam fixed it, but alas, this was not the case. The computer is still just as screwed up.
Does anyone have any suggestions? Maybe the updates couldn't be saved because I was using a live CD instead of a USB? Hopefully this isn't the case, because I really don't want to have to go and buy a flash drive, but I will if I must. Can a portion of an external hard drive be used as a boot drive?
After compressing one of my sites and downloading it to my Windows PC, my antivirus picked up a trojan horse called "PHP/Rst.AK Trojan". I'm still very new to all this and was wondering how I go about removing malware etc. from my Fedora 8 server. Is there a free virus scanning software I should be using?
I used my printer without any problems using ubuntu os. As the day went surfing got slower. I lost ability to print. Went into windows os, which I haven't used for a few day, and scanned with superantispyware. A Trojan virus was found. Went back to ubuntu os and found that all printer programs had been removed.
After some time I always see a trojan virus in my Ubuntu machine's shared folder. It is an exe detected by ClamAV as Trojan.Autokit-77. I thought I was getting it from some Windows machine on the network, but that isn't the case. I deleted the virus and removed my computer from the network, and still the virus comes back. My computer, however, is still connected to the internet through an independent mobile broadband USB stick.
So where is the virus coming from, and why is it going to my shared folder? I thought Ubuntu would not allow the virus to do something like this without me giving it permission. I am running 10.4.
I want to log the user name and password passed through the default telnet client on a Fedora (7 to 11) system. I have thought of something like this: (download Telnet client src) -> (modify src) -> (compile and install), but I am not sure...
Like Jackp27, I am reacting to a transient warning from rkhunter, indicating a possible LKM trojan, which may or may not be a false positive. Running chkrootkit and rkhunter repeatedly, including older versions running under live CDs like INSERT, indicated nothing wrong, but two runs of rkhunter running under the possibly compromised system itself did seem to suggest rkhunter thought it might have found elements of trojan code in RAM.
Like Jackp27, I can't give details right now because I do not currently have access to my logs, but I did find one webpage (can't give link because I do not currently have access to my detailed notes) suggesting that rkhunter may have thought it found a signature of the adore trojan in RAM by looking at /proc/kallsyms, which is not a file I ordinarily look at. I did look at it very closely yesterday, repeatedly, and it seems to be mostly empty, but occasionally seems to contain what might be a sequence of calls to various kernel modules --- right now I only recall that some had the form ??_guest_? and that x_tables might be involved.
Can anyone give me a rough indication of what /proc/kallsyms is supposed to do, whether it should normally be empty, and when it is not, what kind of lines are supposed to show up in that "file" when I cat it? I also saw something about ?_logdrop? which may have had something to do with rotating logs (I rebooted several times) rather than a trojan keylogger. But maybe some trojans rotate logs to try to hide their presence?
I know I am not giving enough information--- I hope to come back later with more details after I have managed to access my logs and notes, so feel free to say what kind of details would be most helpful in helping me decide whether or not this was a false positive.
I just pulled the MS Removal Tool executable off a Windows 7 machine. Is there a way I can view the code on my Ubuntu machine? I am curious how they block the "real" av software from running. I did get rid of it, pretty simple.
If I leave the computer running for a few minutes without doing anything on it, this screen appears demanding that I enter my password, otherwise I can't get back to Fedora. I understand the necessity for this security feature in a work environment, but I'm just a home user and this security screen is just a nagging problem I don't know how to get rid of.
PartedMagic live Linux can load to memory and run clamav on a Windows drive to check for and remove viruses. However, I need to also find and remove trojans and worms on a Windows drive which clamav cannot find. Are there any worm and trojan removers for Linux, or do you need to install WINE and run the Windows trojan and worm removers?
Can a virus survive a reformat, running bootrec /fixmbr (both from the install CD), and then installing Ubuntu? Reformat meaning from the windows disk recovery console, using the format command for all partitions. Likewise, would a virus be capable of surviving just the first two steps alone without installing Ubuntu, just re-installing windows?
If one were to have an MBR virus on Windows or Linux, how would you find or remove it without doing an entire disk wipe? And before someone goes "Linux is immune", take into consideration vulnerabilities on the user end.
I have a dual-boot with windows and linux. Sometimes if I reboot from windows into linux, I notice that when X is starting up before the login screen comes up it will flash a screenshot from Windows. Has anyone ever noticed this?
I have an Ubuntu file server with a mix of 30+ users (mix of Windows and Linux). All are members of the same group. All need read/write/create access. I want to prevent deletion of certain key folders. How can I achieve this? sudo chmod -R nnnn ??
I found LKL on my computer. I need to remove it. It isn't showing up in Synaptic and I can't figure out how to remove it. sudo apt-get remove lkl tells me this: E: Couldn't find package lkl. I can't find it with the search or with Google.
When I installed, I selected the option to encrypt my home folder. I believe this is causing constant crashes now, since error message is user id/password related. Is there a way to remove the encryption?
I've installed Ubuntu via UNetbootin from USB on my child's computer. It comes by default with the sudo command which I find really annoying to work with. I'd rather have my su command.
Now, while googling for a removal instruction, I've read that the sudo command is tied to system functions on some Ubuntu live systems and can't be removed easily. Does anyone know if this applies to the 10.04 live version used by UNetbootin and how to work around this problem?
If not, is it simply enough to remove 'sudo' via the software center? I find many tutorials on how to switch from su to sudo but not much about the other way around.
I've got a samba share on a linux server, connecting to it with a windows 2k3 server via tools > map network drive. The goal is to be able to use windows to change the security of the samba share. The good news is it works! The bad news is it's not QUITE perfect:
The share is called /company. I started with the following to give everyone access to everything, set the owner of the share to administrator (my domain admin on the Windows domain), and set the group owner to domain users (group that everyone on the domain is part of):
I then mapped the drive as a regular user, and of course, can access/modify/delete/rename/create anything I want. Then I picked a folder to lock down. Let's call it /company/myFolder. I did this on the Windows server by mapping the drive as administrator (the owner), right click > properties > security tab > advanced > highlight "domain users" and "everyone" and click edit > clear all (i.e. remove all access). Go back to Linux and
[Code]..
The only issue that remains is that I am able to rename/delete "myFolder" as a regular user. I thought this was coming from the "acl map full control = true" parameter in smb.conf, but I changed it to false and verified the change and it still happens. If I remove group and world write access to /company, I am no longer allowed to rename/delete myFolder, but then I can't create a new folder. If I add group write access back in I can create files but can also rename/delete folders within /company that have --- specified for group access. Any ideas what I need to tweak to make this right?
I installed Ubuntu 9.10 netbook remix on my Acer Aspire One D250 computer. The broadcom wireless NIC succeeds in connecting to the network but only if I remove the WPA-PSK security in the Netgear router settings. What do I need to change in order to be able to secure my network?
I've been reading a lot of articles on the Xorg X Window System having the ability to allow 6600/tcp for remote screen connections, and I've been trying to find a way to remove the functionality without having to just dump X Window and settle for CLI on my server. I heard it was disabled by default, but I just want to get rid of that ability completely by cutting it out of its code, and yes, I'm feeling very, very paranoid.
Due to the last thread I posted getting way off topic due to my bad doing, I will post it again to get the thread back on topic. I'll try it one last time; hopefully these myths will be cleared up and this thread will stay on topic and not derail like the last one. The myths going around on the internet:
1. Less than 1% use Linux and 10% use Mac OS X. It is not that they are so much better, but market share. The malware makers are going to Windows, where the market share is.
2. Windows has more security, but most people don't use it.
3. Mac OS X security is not that good; Windows is better.
4. Windows has more gradual permission levels than an ON and OFF like Linux or Mac OS X.
As Linux gains in popularity, (as I believe it will), do you think that Linux will ever become the target of as many virus and worm threats as Windows has faced? If so, do you think that the threats will have much success?
I have a dual boot system with Win XP and Ubuntu 9.10. My problem is that I am not able to start Ubuntu anymore; it fails to boot. Actually I don't intend to repair it; instead I would like to remove it and free up the space used by the Ubuntu partition on my hard drive. I want to save some of my files kept in the Linux filesystem, but I can live without them if that is not possible.
I've searched the forum, but nothing answers my question. We know the security risk posed by suid and sgid. I'm looking to remove the suid bits from all programs that do not absolutely need it.
This command: find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; gave the list below.
For which of these programs can I safely remove the suid bit? I don't want to break my system by modifying a program that the system needs.
-r-sr-xr-x 1 bin 502172 Jan 10 12:36 /usr/local/bin/dccproc
-r-sr-xr-x 1 bin 186683 Jan 10 12:36 /usr/local/bin/cdcc
-r-s--x--x 1 root 23980 Nov 17 00:27 /usr/lib/virtualbox/VBoxNetDHCP
-r-s--x--x 1 root 9896 Nov 17 00:27 /usr/lib/virtualbox/VBoxNetAdpCtl
-r-s--x--x 1 root 23976 Nov 17 00:27 /usr/lib/virtualbox/VBoxSDL
I say remove access to MOST of these SUID binaries? Do they all need this power? What I want to do is minimize access just in case one of them gets an exploit (as I've already done for Apache suEXEC).
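The setuid/setgid audit the poster above describes can be turned into a small, repeatable script. The following is an added example, not code from the original thread: it enumerates setuid and setgid files under a chosen root (staying on one filesystem), reports them for review, and strips the bits only from an explicit list of paths the reviewer has decided do not need them. The directory argument, the function names and the review workflow are assumptions for illustration; which binaries can safely lose their bit is a per-system decision that the script deliberately does not make on its own.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid files
# and remove the bits only from paths that were explicitly reviewed.

# List setuid (4000) or setgid (2000) regular files below the given root.
# -xdev keeps the search on one filesystem so /proc, /sys and network
# mounts are skipped; errors for unreadable paths are suppressed.
list_suid_sgid() {
    root="${1:-/}"   # assumption: scan root, defaults to /
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null
}

# Count the entries found, as a single number for before/after comparison.
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# Remove setuid and setgid from each path given as an argument.
# Only paths a human has reviewed should be passed here; the script never
# strips bits from the whole scan result, because that would break
# programs such as passwd or sudo that genuinely need them.
remove_suid_sgid() {
    for path in "$@"; do
        [ -f "$path" ] || continue
        chmod u-s,g-s "$path"
    done
}

# Stand-alone usage: print the report for the root given on the command line.
if [ "${1:-}" != "" ]; then
    list_suid_sgid "$1"
fi
```

Run it as `sh audit_suid.sh /` to get the same kind of listing as the poster's find command; after deciding which entries are unnecessary, call `remove_suid_sgid /path/one /path/two` from the same shell and rerun the count to confirm the change.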