On Fri, 20 Oct 2023 12:00:02 +0100 main-request@lists.alug.org.uk wrote:
Adam,
Thanks for replying!
> Have you ever saved or copied a browser cache onto this stick?
No, this is the puzzling thing. I only seem to recall having used it on Debian. I've only used it to put some files on it which I then accessed from my laptop, which is also Debian. So I cannot think where these can have come from. I am wondering if possibly they were on the stick itself when I bought it.
They are not going to be able to do anything in Linux, are they?
I have also checked online and found a couple of similar trojans which MS AV says it detects, so they sound like Windows trojans.
I am thinking now of having clamav run all night on my total Debian hard drive, in recursive mode. That ought to detect them, do you think, if they are on it? Is there anything else you would do?
My laptop is dual boot, Windows and Debian, so I will boot to Windows and then run the MS AV in Windows. I suppose run ClamAV in Debian after that.
What a pain. But in Windows it would probably be a lot more than just a pain.
Peter
This gets even more puzzling. Running clamav now for about two days non-stop (lots of timeouts) and I am getting many reports like this:
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: http://www.globalkap.com
LibClamAV info: Display URL: https://secure.skype.com
But I can't tell where it's finding those links, and don't recall ever visiting them anyway. I am now going through and checking some of them, and often not finding anything odd about them except that the name of the URL is different from where the link ends up. And often the Real URL seems to be in the name of a real entity, but one that does not own the domain linked to!
For instance, another reported suspicious link, new.egg.com, takes me to Yorkshire Building Society, and seems like the real site of YBS. This is apparently due to YBS having taken over Egg. This really was different, though legit. But globalkap, the Real URL, doesn't go anywhere; the Display goes to Skype login, as you would expect. And globalkap seems to be a variety of real entities, a pool vendor in Aix en Provence, or a salesforce automation outfit somewhere!
Another one is equally weird:
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: http://smitherfamilykitchen.com
LibClamAV info: Display URL: http://www.lloydstsb.com
But actually the display URL doesn't go to what clamav thinks is the real one, but goes to Lloyds TSB as it should. Not that I ever recall having visited them! Then when I try to go to smitherfamilykitchen.com (either just http:// or http://www.) it's showing Server Not Found. But SmitherFamilyKitchen seems to be a real place selling hot sauces, based in Texas! Though it apparently (oddly) does not have that domain, and I don't recall having ever heard of it before this. But why is it claiming that the display URL is different from the real one? It does not seem to be.
The most unhelpful thing about clamav, at least run like this, is that it reports suspicion, but gives you no idea what to do about it, and if I wanted to delete these suspicious URLs I have no idea where to find them! Are they in bookmarks someplace? Or history? Who knows?
Anyone have any ideas what to do? Is there any more useful AV to try?
Peter
On Fri, 20 Oct 2023 14:57:34 +0100 Peter Berrie peter.northerly@gmail.com wrote:
> On Fri, 20 Oct 2023 12:00:02 +0100 main-request@lists.alug.org.uk wrote:
> Adam,
> Thanks for replying!
> > Have you ever saved or copied a browser cache onto this stick?
> No, this is the puzzling thing. I only seem to recall having used it on Debian. I've only used it to put some files on it which I then accessed from my laptop, which is also Debian. So I cannot think where these can have come from. I am wondering if possibly they were on the stick itself when I bought it.
> They are not going to be able to do anything in Linux, are they?
> I have also checked online and found a couple of similar trojans which MS AV says it detects, so they sound like Windows trojans.
> I am thinking now of having clamav run all night on my total Debian hard drive, in recursive mode. That ought to detect them, do you think, if they are on it? Is there anything else you would do?
> My laptop is dual boot, Windows and Debian, so I will boot to Windows and then run the MS AV in Windows. I suppose run ClamAV in Debian after that.
> What a pain. But in Windows it would probably be a lot more than just a pain.
> Peter
On Fri, 27 Oct 2023 at 13:51, Peter peter.northerly@gmail.com wrote:
> This gets even more puzzling. Running clamav now for about two days non-stop (lots of timeouts) and I am getting many reports like this:
> LibClamAV info: Suspicious link found!
> LibClamAV info: Real URL: http://www.globalkap.com
> LibClamAV info: Display URL: https://secure.skype.com
Would something like this (untested) help at all? Use grep to look through all files, doing a search within the files for this piece of text that's in one of the URLs that Clam reports.
grep -rn --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev "smitherfamilykitchen" /
It will take a long time to finish, but would look for that in each file on your computer.
Regards, Srdjan
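As an added example (not part of the thread, and not ClamAV's own code): a Python script that reproduces the Display URL versus Real URL mismatch ClamAV is reporting, so that a hit can be pinned to a specific file and anchor rather than just a domain name. It uses only the standard library; the sample HTML is constructed from the domains quoted above.

```python
# Added example, not from the thread: the same mismatch check that produces
# ClamAV's "Suspicious link found" report, applied to one HTML/text file.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a URL or bare hostname (leading www. ignored).
HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registrable(host):
    """Crude registrable domain: the last two labels (assumption: no public-suffix
    list, so a host such as bank.co.uk would collapse to co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self._href, self._text, self.links = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (real_url, display_url) pairs, in ClamAV's terms, where the visible
    text looks like a URL but its domain differs from the domain of the href."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown, real_host = HOST_RE.match(text), urlsplit(href).hostname
        if shown and real_host and registrable(real_host) != registrable(shown.group(1)):
            found.append((href, text))
    return found

# Constructed sample using the thread's domains; the last two anchors are not reported.
SAMPLE_HTML = """
<p><a href="http://www.globalkap.com/login">https://secure.skype.com</a></p>
<p><a href="http://smitherfamilykitchen.com">http://www.lloydstsb.com</a></p>
<p><a href="https://login.example.org/a">www.example.org</a></p>
<p><a href="https://www.example.com/">Click here</a></p>
"""
```

Run suspicious_links over the files that Srdjan's grep turns up (saved pages, mail, browser cache) to see which anchor ClamAV objected to. A legitimate redirect such as the Egg to YBS one is reported exactly the same way, so the output is a list to check, not a list to delete.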