Mysterious installation of ClamAv on my popos system
-
I don't remember installing it, everything about it seems "legitimate"
grepping through the logs the installation date seems to be 21st January.
There was always some slow down when I initially started firefox and today I had HTOP open just to see what was happening and Clamav and ClamAV freshclam process was there. How do I check if it is compromised or which user if any installed it?SSH is disabled.
-
System shared this topic on
-
I don't remember installing it, everything about it seems "legitimate"
grepping through the logs the installation date seems to be 21st January.
There was always some slow down when I initially started firefox and today I had HTOP open just to see what was happening and Clamav and ClamAV freshclam process was there. How do I check if it is compromised or which user if any installed it?SSH is disabled.
As a start, you can use opensnitch to see what internet connections it makes.
-
I don't remember installing it, everything about it seems "legitimate"
grepping through the logs the installation date seems to be 21st January.
There was always some slow down when I initially started firefox and today I had HTOP open just to see what was happening and Clamav and ClamAV freshclam process was there. How do I check if it is compromised or which user if any installed it?SSH is disabled.
Was anything else installed on the 21st? Might have been pulled down as a dependency of something.
-
Was anything else installed on the 21st? Might have been pulled down as a dependency of something.
Or as a way for someone putting malware on the system to keep other malware away...
-
I don't remember installing it, everything about it seems "legitimate"
grepping through the logs the installation date seems to be 21st January.
There was always some slow down when I initially started firefox and today I had HTOP open just to see what was happening and Clamav and ClamAV freshclam process was there. How do I check if it is compromised or which user if any installed it?SSH is disabled.
ClamAV
But on a serious note, no, I have no idea why that would happen.
-
As a start, you can use opensnitch to see what internet connections it makes.
-
Was anything else installed on the 21st? Might have been pulled down as a dependency of something.
to answer this question: if you're on a dpkg-based system, check
/var/log/dpkg.log(or/var/log/dpkg.log.2.gzto get logs from January, if your system rotates them once a month). -
System shared this topic on
