Humble question: how do you find out if your system has been affected by malware?
I know that for the AUR there was a specific list of affected packages (which I checked, and I haven't installed any of them), but I'm more interested in a general way. It could be from the AUR, npm, or many other sources. Some malware could break and lock the system immediately, but other malware could stay there silently for months, so how do you find out if there is any?
I haven't run an antivirus since I last used Windows 20 years ago.
In theory, you'd mostly care about exfiltration of data, so watching/actively managing exactly what network connections your computer/network can make would give you upfront notification when it happens, but of course not earlier. And if your root/hardware is somehow infected, your monitoring/management tools might be affected too, so then you're basically out of luck except with external network gear outside of your computer. But then those could be infected too, and so on.
Ultimately I'd say it depends on your risk profile, but using something to actively approve/deny network connections on your local machine is a great start that'd defeat most of these simpler "exfiltrate information ASAP" malware that seem popular at the moment.
> you'd mostly care about exfiltration of data, so watching/actively managing exactly what network connections your computer/network can make would give you upfront notification when it happens
If you have a list of good CLI utilities, you could run them in a bash script (e.g., network-monitor.sh) that runs in the background and redirects the output to another file (e.g., network-monitor.txt). The key concept here is "baseline" -- you need to know what normal baseline network activity looks like, so that you can identify anomalous behavior. The way to establish a baseline is to gather a lot of data from the system.
The following are a few useful command line utilities for a host intrusion detection system (HIDS) built around a simple network monitoring bash script. However, I am not sure exactly how to tweak the options. I also need to find a way to check for data exfiltration:
- list open ports and the processes that own them: netstat -lnp
- show open network ports: lsof -i; netstat -an | grep -i listen; netstat -nap
Then it would be relatively easy to write a Python script with regex tools to parse the network-monitor.txt file, establish a baseline, analyze the data for patterns and search for anomalous behavior.
Besides network monitoring, there are other command line utilities you can use to check the system for possible intrusion, which you could run in a separate bash script as part of your Host Intrusion Detection System (e.g., hids-users.sh):
- show members of the root group: cat /etc/group | grep root
- show users logged in: w  # if you are the only user, you should not see more than one account logged in
- search for all accounts with a UID of 0: grep :0: /etc/passwd  # ideally there should be only one UID of 0 on the system, but an attacker can create more
- check that daemons that never log in have * or ! (meaning no password): cat /etc/shadow
- look for orphaned files, a possible sign of a deleted attacker temp account: find / -nouser -print
- search for new user accounts that are not part of the regular build: sort -nk3 -t: /etc/passwd  # sort numerically on the third column (UID), colon delimited (-t:)
EDITS: several small changes for clarity and also in response to the comment below
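A concrete version of the baseline-and-diff idea above, as an added example that is not code from the thread: it parses the output of the netstat -lnp command listed above with a regex, keeps a baseline set of listening sockets, reports listeners that appear or disappear in a later snapshot, and separately lists every /etc/passwd account with UID 0. The two netstat snapshots and the passwd lines are constructed sample data; the snapshot_live() helper is the only part that touches a real host, and it assumes net-tools is installed.

```python
#!/usr/bin/env python3
"""Baseline the listening sockets reported by `netstat -lnp` and flag drift.

Added example, not code from the thread. Assumes the classic net-tools
`netstat -lnp` column layout. All sample output and passwd lines below are
constructed for the demo; `snapshot_live()` is the only thing that touches
the real host.
"""
import re
import subprocess

# One TCP/UDP listener per line of the "Active Internet connections" table.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"     # proto, Recv-Q, Send-Q
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"        # local addr:port, foreign addr
    r"(?:LISTEN\s+)?(?P<owner>\S+)\s*$"            # state (TCP only), PID/Program
)

def listeners(netstat_text):
    """Return the set of (proto, addr, port, program) sockets in the output."""
    found = set()
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue  # headers and the UNIX-socket table are skipped
        # "812/sshd" -> "sshd"; netstat prints "-" when run without root
        program = m.group("owner").split("/", 1)[-1]
        found.add((m.group("proto"), m.group("addr"),
                   int(m.group("port")), program))
    return found

def diff_listeners(baseline, current):
    """(new sockets not in the baseline, baseline sockets that disappeared)."""
    return sorted(current - baseline), sorted(baseline - current)

def snapshot_live():
    """Run the command from the thread and parse it (needs net-tools)."""
    out = subprocess.run(["netstat", "-lnp"], capture_output=True,
                         text=True, check=False).stdout
    return listeners(out)

# Third colon-separated field of /etc/passwd is the numeric UID.
UID0_RE = re.compile(r"^([^:]+):[^:]*:0:")

def uid_zero_accounts(passwd_text):
    """Every account whose UID is exactly 0; only root should be listed."""
    return [m.group(1) for line in passwd_text.splitlines()
            if (m := UID0_RE.match(line))]

# ---- constructed sample data -------------------------------------------
BASELINE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhcpcd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/systemd            /run/systemd/private
"""

# Same host later: cupsd stopped, and an unexpected listener appeared.
LATER_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      2311/helper
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhcpcd
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    new, gone = diff_listeners(listeners(BASELINE_NETSTAT),
                               listeners(LATER_NETSTAT))
    for sock in new:
        print("NEW listener not in baseline:", sock)
    for sock in gone:
        print("baseline listener missing:", sock)
    extra = [u for u in uid_zero_accounts(SAMPLE_PASSWD) if u != "root"]
    if extra:
        print("extra UID 0 accounts:", extra)
```

To use it against a real host, build the baseline from several snapshot_live() calls taken while the machine is known-good and pickle or JSON-dump the resulting set; each later run then only has to report the diff. The UID check matches on the third field only, so unlike grep :0: it does not also flag accounts whose primary group happens to be 0.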
> tail your network-monitor.txt file to watch for anomalies in the network connections and check for any strange outflows of data
Don't do that; you can't rely on "watch for anomalies" with your human eyes.
Either you set up something that notifies you after the fact, or you outright block all incoming/outgoing connections until you approve them. As mentioned elsewhere in the thread, I think OpenSnitch, Little Snitch and Pi-hole can help you with all of these things.
But don't assume you can "watch for anomalies", automation and/or gated access is probably the way to go.
Indeed OpenSnitch helps; Pi-hole I'm not so sure about (maybe if the C2 servers are in a blocklist...):
https://www.reddit.com/r/linux_gaming/comments/1u34pe3/comme...
I thought Pi-hole could act as a "whitelist-only" DNS server, but maybe I'm wrong; that could be an additional layer.
> you can't rely on "watch for anomalies" with your human eyes
Yes, I agree, that's a good call. I would not try to check for anomalies manually with meatware. I would parse the data with python regex tools to establish a baseline and search for anomalous patterns.
I edited my post to reflect the change you suggested.
> Some malware could break and lock the system immediately, but other malware could stay there silently for months, so how do you find out if there is any?
>
> I haven't run an antivirus since I last used Windows 20 years ago.
That'd be the role of an IDS (Intrusion Detection System). Things like file signatures of your entire system being saved to another machine (for example an offline/airgapped one) beforehand (for example by plugging your main machine's SSD in as a secondary drive on the airgapped one).
If you suspect shenanigans, you take your machine offline, you remove its SSD (your BIOS/UEFI is also a concern), and you plug it into your airgapped machine with the IDS: it compares the checksums of all the files (binaries, config files, etc.) with the past ones.
It's a bit of a lost art, but it could make a comeback given what we're facing, now nearly on a weekly basis.
Some distros have a way to check file integrity as part of the package manager, but you can't trust the info coming from the machine itself if it's been compromised.
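The checksum comparison described in the comment above, written out as an added example that is not code from the thread: it hashes every file under a mount point, stores the manifest as JSON, and classifies a later hash run into added, removed and modified paths. The "disk" it hashes here is a constructed temporary directory standing in for the suspect SSD mounted on the airgapped box; in real use build_manifest() would be pointed at that mount and the manifest file would stay on the airgapped machine, which is what keeps the comparison trustworthy when the suspect host's own package manager is not.

```python
#!/usr/bin/env python3
"""Offline file-integrity check: hash a mounted tree, keep the manifest
elsewhere, and diff a fresh hash run against it later.

Added example, not code from the thread. The tree it hashes is a constructed
temporary directory standing in for the suspect SSD mounted on the airgapped
box; in real use `build_manifest()` would be pointed at that mount and the
manifest file would stay on the airgapped machine.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (POSIX relative path) to its SHA-256.

    Symlinks are recorded by their target string instead of being followed,
    so a link redirected to a different binary shows up as a modification
    rather than silently hashing whatever it now points at.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = sha256_file(p)
    return manifest

def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def compare(baseline, current):
    """Classify drift between two manifests as added/removed/modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny 'disk', tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = Path(tmp) / "disk"            # stands in for the mounted SSD
        (disk / "usr/bin").mkdir(parents=True)
        (disk / "etc").mkdir()
        (disk / "usr/bin/ls").write_bytes(b"\x7fELF original binary")
        (disk / "etc/motd").write_text("welcome\n")
        (disk / "etc/hostname").write_text("box\n")

        store = Path(tmp) / "baseline.json"  # would live on the airgapped box
        save_manifest(build_manifest(disk), store)

        # Simulated changes between the two hash runs.
        (disk / "usr/bin/ls").write_bytes(b"\x7fELF replaced binary")
        (disk / "usr/bin/extra").write_bytes(b"not in the baseline")
        (disk / "etc/motd").unlink()

        return compare(load_manifest(store), build_manifest(disk))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:>8}: {p}")
```

Hashes alone say nothing about ownership or mode bits, so a fuller manifest would also record those from os.lstat(); the comparison logic stays the same, only the value stored per path changes.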
You might start with ClamAV and something like Little Snitch.
Would love to know the rebuttal / why you were downvoted.