The officially official Devuan Forum!

You are not logged in.

#1 2024-06-11 16:06:32

devur
Member
From: Denmark
Registered: 2017-05-29
Posts: 73  

the right procedure ?

the right procedure?
I have once again failed to protect my desktop from viruses and trojans.  I have scanned with clamkt and on one of the two user account I find 25 viruses and Trojans in the .Mozilla folder.  the situation is that I have two users, one created during installation and who has sudo and is the account I use for administration, through this account firewall, fail2ban, firejail are installed.  the other account is a default adduser account.  it is here on the other account that I find viruses, I use the account as an internet account, firejail Firefox and without any Login, I am trying to learn some 'html' programming via 3wschool.  I have deleted the viruses found, so the question is what do I do now, should I reinstall Firefox and delete account number two, and then create a new use two
and what can I do in the future to avoid these viruses.


Laptop lenovo
Desktop XFCE
Os Devuan GNU/Linux

Offline

#2 2024-06-11 18:24:57

delgado
Member
Registered: 2022-07-14
Posts: 211  

Re: the right procedure ?

Not allowing java script by default can help.
I usually have the extensions "ublock origin" and "umatrix" running with firefox.

Offline

#3 2024-06-12 07:29:47

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 189  

Re: the right procedure ?

check these out for web browsers:
https everywhere
minerblock
noscript
privacybadger
snowflake
ublockorigin
uboscope
umatrix
--

check these out for hosts file blocking:

blocklists sources:
ttps://someonewhocares.org
ttps://www.spamhaus.org
ttps://filterlists.com
ttps://github.com/hagezi/dns-blocklists
ttps://github.com/badmojr/1Hosts

also one website/list not being frequently updated(last 20210306):
ttps://winhelp2002.mvps.org/hosts.txt
(still good for reference)


Be Excellent to each other and Party On!
https://www.youtube.com/watch?v=rph_1DODXDU
https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!

Offline

#4 2024-06-12 09:16:00

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: the right procedure ?

Are you sure they are viruses? What were the names of the viruses and can you share what web sites you think might have given you viruses or are these websites NSFW?

In any case, as a matter of privacy and security i use the arkenfox user.js and fiddle with a user-overrides.js config.

https://github.com/arkenfox/user.js/

as stargate mentions, use ublock-origin and tick as many filter lists boxes that apply and also use filter lists from filterlists.com.

The filter lists from anti-corp (no-google in filterlists.com) are great if you want to try to completely block google, just saying.

https://github.com/nickspaargaren/no-google

Last edited by soren (2024-06-12 09:18:33)

Offline

#5 2024-06-12 10:27:16

devur
Member
From: Denmark
Registered: 2017-05-29
Posts: 73  

Re: the right procedure ?

Yes you can see the virus List.
And the only action on these pc w3

ClamTk, v6.07
Tue Jun 11 17:04:30 2024
ClamAV Signatures: 8710280
Directories Scanned:

Found 0 possible threats (4 files scanned).

No threats found.
---------------------------------------------

ClamTk, v6.07
Tue Jun 11 17:20:05 2024
ClamAV Signatures: 8710280
Directories Scanned:
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries

Found 25 possible threats (58531 files scanned).

/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/1231DD2EA9FCAEAD544000B2C42978033720B3F3      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/BDCC87EE344E20D465A1A939BB259ED33DCB37FA      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/B925469B00E39A393DA96976DC2BCCC47341C595      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/BA08D5E9D857B7AC9C99FEB3B2B4BFD983CFC754      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/DF42EAB2E87062092AAD4C969EAEEA511E0CA610      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/3EDB8FF08D388E71BABA2694A8FE95E537EFFEF9      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/B67A87B9957498FF0DECE6550E9852A338E2D96D      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/A0DF9F80C099D12857FBB5F80A97BEBB97EFEDA1      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/28200FEE743D8A88FC050ACB35C95AA9B000037C      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/A922BEDD3229F0BFF5652A7FF975D68EE52D133E      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/1C4038F316498439FBB4808F7D7CD82EE32B68FD      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/3EEE453E76E2CE763DFB313F5CE2D067E036B95E      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/C825FDD50D1349BBAE185BA58FB6639213962633      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/D86D41F5976E38E5DED9FEF99AE4B7D7A29B78EB      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/D6FAE84D27C79C66291F17E9FF4F20E228950157      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/E89BF141CDE9063624EE6D5BE6F90AE378303E28      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/C6437DF9DCFAE9833749D321E621EC079A11DA1D      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/00A2EEB79D840DEA619FFAB8AEE00AE4DFA782C9      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/F6B8F755EFE9F6903824ED6888C029BB8C0B0876      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/8FF38A09CDDB798688671E5C8A473A201D78F066      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/963B4624DDF84378163EB0FFFA408FE6F5FECEA7      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/F769C5DCDD6D0ED9009B2DB63111C83E4F67E8B8      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/5E7F2843EBB750CDA86FC638453B893B24DDBBB5      PUA.Win.Trojan.Xored-1              
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/48ADD0A5F5D9453FC7537A6956C9F57DC9604F25      PUA.Win.Exploit.CVE_2012_1461-1     
/home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/80E3C62564962F770C8A3CE1B855CEE812903949      PUA.Win.Exploit.CVE_2012_1461-1     
--------------------------------------------------------------------------------------------------------------------------------------------------------------

Laptop lenovo
Desktop XFCE
Os Devuan GNU/Linux

Offline

#6 2024-06-12 10:38:59

aluma
Member
Registered: 2022-10-26
Posts: 646  

Re: the right procedure ?

If there is enough RAM (4 GB or more), the browser cache can be located in it.
Add a line to /etc/fstab like this

tmpfs     /home/usre2/.cache/mozilla/firefox  tmpfs  nosuid,nodev,noatime,user,uid=1000  0  0

"uid=1000" - specify your user specifically.

Last edited by aluma (2024-06-12 10:55:28)

Offline

#7 2024-06-12 16:06:40

chris2be8
Member
Registered: 2018-08-11
Posts: 306  

Re: the right procedure ?

From the description those look like malware aimed at Windows systems that your browser cached. So probably not a threat to a Linux system.

Put CVE_2012_1461 into your favourite search engine for more details. Or the full name of the vulnerabilities.

You could also look at what's in /home/usre2/.cache/mozilla/firefox/r6a038wc.default-esr/cache2/entries/ (how big are the files, what does file say they are, etc).

Offline

#8 2024-06-12 16:58:00

fanderal
Member
Registered: 2017-01-14
Posts: 80  

Re: the right procedure ?

A quick search for PUA.Win.Trojan.Xored-1 in quotes finds this, posted years ago: https://askubuntu.com/questions/1006237 … ns#1006252

UA.Win.Exploit.CVE_2012_1461-1

* PUA means "potential unwanted application".  PUA are not virusses, those are claims by clamav that there is an application they consider "unwanted" because that file or extension have been proven to be abused in Windows
* Win as 2nd part means it is a Windows related notice.
* clamav has an option to not scan for PUA's.
(snipped for length)

Clamav identifies them as Win exploits and trojans. As @chris2be8 noted, it means they need a Win filesystem to run, and are incompatible with any Linux filesystem.

@aluma's suggestion is one way to deal with it. Another is a small script to delete stored data inside the directories in ~/.cache/mozilla/firefox/xxxxxx.default-esr/ or wherever they're stored.

Offline

#9 2024-06-12 17:10:21

devur
Member
From: Denmark
Registered: 2017-05-29
Posts: 73  

Re: the right procedure ?

I have added extension to Firefox, and added tmpfs to /etc/fstmp and it has gone well.  but there is no longer any archive 'r6a038wc.default-esr/cache2/' it does not exist.


Laptop lenovo
Desktop XFCE
Os Devuan GNU/Linux

Offline

#10 2024-06-12 17:15:10

devur
Member
From: Denmark
Registered: 2017-05-29
Posts: 73  

Re: the right procedure ?

and for fanderal there is something in what you point to, I am however unsure whether I want that type of files on my system.


Laptop lenovo
Desktop XFCE
Os Devuan GNU/Linux

Offline

#11 2024-06-12 21:28:42

fanderal
Member
Registered: 2017-01-14
Posts: 80  

Re: the right procedure ?

devur wrote:

unsure whether I want that type of files on my system.

Like all browsers, Firefox is not 100% secure. Vulnerabilities are found and exploited. Clamav is also for Windows so it finds PUAs. PAUs require an NTFS/NTFS+ filesystem as well as the Win OS to run. They cannot run on Linux filesystems or work with a Linux OS. They're useless and take up HD space.

Suggestion: In Firefox > Settings > Privacy and Security > History, is 'Clear history when Firefox closes' checked? In History > Settings, are all of them checked? If the PUAs still get through, find where they're stored and write a script you can click on on the desktop to delete them.

Another way is an icon on the desktop to start Firefox, with a <script> to delete the PUAs executed when Firefox processes end.

#!/bin/bash
firefox && <script>

Offline

#12 2024-06-13 05:02:59

aluma
Member
Registered: 2022-10-26
Posts: 646  

Re: the right procedure ?

@devur

но архива 'r6a038wc.default-esr/cache2/' больше не существует.

Just look at its contents after launch Firefox.
In RAM, the cache will be created when Firefox is launched in a new session and, naturally, will disappear when the computer is turned off. In addition, it improves browser performanceь and reduces the number of rewrites of SSD drives..

Last edited by aluma (2024-06-13 05:23:47)

Offline

Board footer