Linux malware removal

bruce_moore · 21 August 2020 23:52

I’ve been hacked by the drovorub malware from my firewall, how can I remove or scan for it.

hvacguy · 22 August 2020 00:03

Not shure that is possible
Cant add Kernel module to ipfire. with out replacing Whole Kernel.
And we are on a newer Kernel.
Someone else whom is more knowledgeable than me can certainly chime in here.

pmueller · 22 August 2020 07:06

Hi,

your question does not make sense to me: If you know your system is infected by this malware, how can you possibly lack knowledge to scan for it (i.e. do detect it)?!

Regarding removals, the best way to do so is to re-install the affected system(s) from scratch, after you found out how your network was compromised in first place.

Anyway: Are you even running IPFire? If not: This forum does not cover Linux security issues in general, please go ask elsewhere.

EDIT: In case anyone needs context:

Thanks, and best regards,
Peter Müller

bruce_moore · 22 August 2020 22:47

I don’t think the firewall is affected, I just wanted to let the community know about this.
It was my Debian Buster build and Opensuse 15.2 that was attacked and somehow got thru my firewall.
Is there any rootkit scanner that can scan the green network for malware?

pmueller · 23 August 2020 11:48

Hi,

I don’t think the firewall is affected, I just wanted to let the community know about this.

I still did not understand how do you know which malware your network is infected with exactly.

[…] and somehow got thr[ough] my firewall.

Depending on your firewall ruleset and network configuration, this can be quite easy. Please provide more details regarding both so we at least have a chance to understand what was going on in your case.

Is there any rootkit scanner that can scan the green network for malware?

Again, this is a generic question regarding network security. Since you did not provide details regarding your network, we cannot give you suitable advice at this point.

Network-based rootkit scanners might give poor results depending on how stealthy a rootkit is. Opened ports where you do not expect them might indicate a more simple rootkit, tools like nmap should be sufficient.

Thanks, and best regards,
Peter Müller

pmueller · 25 August 2020 17:34

Hi,

I just stumbled across this article, and since it seems to fit into this topic, I thought you might be interested.

Please excuse the noise if you are not.

Thanks, and best regards,
Peter Müller