Mysterious installation of ClamAv on my popos system
from Artemis_Mystique@lemmy.ml to linux@lemmy.ml on 19 Mar 16:40
https://lemmy.ml/post/27407407

I don’t remember installing it; everything about it seems “legitimate”. Grepping through the logs, the installation date seems to be 21st January. There was always some slowdown when I initially started Firefox, and today I had htop open just to see what was happening, and the ClamAV and ClamAV freshclam processes were there. How do I check if it is compromised, or which user, if any, installed it?

SSH is disabled.

#linux

iii@mander.xyz on 19 Mar 18:29

As a start, you can use opensnitch to see what connections it makes.

TorJansen@sh.itjust.works on 20 Mar 16:15

Or Wireshark

savvywolf@pawb.social on 19 Mar 18:41

Was anything else installed on the 21st? Might have been pulled down as a dependency of something.

signalsayge@lemm.ee on 19 Mar 20:35

Or as a way for someone putting malware on the system to keep other malware away…

cypherpunks@lemmy.ml on 20 Mar 17:16

To answer this question: if you’re on a dpkg-based system, check /var/log/dpkg.log (or /var/log/dpkg.log.2.gz to get logs from January, if your system rotates them once a month).
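Added example (not from the thread) of the dpkg.log check described above: it finds the date a package was first installed and lists everything else installed on that date, reading plain and gzip-rotated logs. The sample log lines and the package versions in them are constructed; pass real rotated files oldest first (dpkg.log.2.gz before dpkg.log.1 before dpkg.log).

```shell
#!/bin/sh
# Constructed sample in dpkg.log format (not a real log). dpkg writes one
# "install" action line per newly installed package, plus status lines.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2025-01-21 09:58:11 startup packages configure
2025-01-21 09:58:12 install libclamav11:amd64 <none> 1.0.0-example
2025-01-21 09:58:12 status half-installed libclamav11:amd64 1.0.0-example
2025-01-21 09:58:13 status installed libclamav11:amd64 1.0.0-example
2025-01-21 09:58:14 install clamav-freshclam:amd64 <none> 1.0.0-example
2025-01-21 09:58:15 status installed clamav-freshclam:amd64 1.0.0-example
2025-01-21 09:58:16 install clamav:amd64 <none> 1.0.0-example
2025-01-21 09:58:17 status installed clamav:amd64 1.0.0-example
2025-01-22 07:00:01 upgrade firefox:amd64 134.0-example 135.0-example
EOF

# Concatenate the given log files in order, decompressing rotated .gz ones.
cat_dpkg_logs() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print the first date on which PKG appeared in an "install" action line
# (the architecture suffix such as ":amd64" is stripped before comparing).
install_date() {
    pkg="$1"; shift
    cat_dpkg_logs "$@" | awk -v p="$pkg" \
        '$3 == "install" { n = $4; sub(/:.*/, "", n); if (n == p) { print $1; exit } }'
}

# Print every package newly installed on DATE (YYYY-MM-DD), so you can see
# whether clamav arrived alone or alongside something that pulled it in.
installs_on_date() {
    date="$1"; shift
    cat_dpkg_logs "$@" | awk -v d="$date" \
        '$1 == d && $3 == "install" { sub(/:.*/, "", $4); print $4 }'
}

# Usage on the constructed sample: find when clamav arrived, then list
# what else was installed that day.
when=$(install_date clamav "$SAMPLE_LOG")
echo "clamav first installed on: $when"
installs_on_date "$when" "$SAMPLE_LOG"
```

On a real system, replace the sample path with /var/log/dpkg.log and its rotated siblings; the output is what `apt` or `dpkg` recorded, not a tamper-proof audit trail.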

Veraxis@lemmy.world on 19 Mar 22:46

ClamAV

But on a serious note, no, I have no idea why that would happen.