From: Philip Lykke Carlsen
Reply-To: plcplc@gmail.com
To: freebsd-hackers@freebsd.org
Date: Mon, 12 Jun 2006 18:49:43 +0200
Message-Id: <200606121849.45538.plcplc@gmail.com>
Subject: Strange keyboard (viral?) behaviour
List-Id: Technical Discussions relating to FreeBSD

Hello all.

I don't want to cry wolf, but I think this calls for some sort of attention :-/

Around yesterday my computer suddenly started acting really strange :s It started typing on its own, and it seemed to be typing things that I had been typing over GAIM a week or so ago, complete with typos being corrected the same way that I had made them originally. At first I thought that it might be some attacker from outside, but after unplugging the network, the typing persisted. I also noted that it was bound to "pressing" the actual buttons on the keyboard, rather than the resulting strings, as it was total nonsense at first (given that I had been using another keyboard layout the day of writing the text, that it was now printing on the screen), but when I changed the layout back I recognised the text as the chat messages that I had been writing a week before in the past.

Then I ran ps -ax as root, thinking it most probable to be a virus, but I couldn't find anything suspicious. And even more alarming, the typing persisted when I rebooted the machine in single-user mode, totally disrupting the terminal. But this at least singles out the location of the virus to be on / and not on /usr, since it wasn't mounted at the time because of a filesystem inconsistency.

Then I installed both f-prot and clamav, but they have yet to discover anything. f-prot however seems to hang when it scans /libexec/ld-elf.so.1.old, whose origin is unknown to me, though it may have been created when I last recompiled the base system and kernel to upgrade to 6.1. I don't know if this is of any importance, however. It's probably just a bug in f-prot.

I tried searching for it on Google, but no one seems to have experienced anything quite like this. Personally, it's my first ever virus infection on FreeBSD, so naturally I wasn't prepared for it at all. As the virus only seems to be outputting old chat messages, it's not actually dangerous but just damn irritating, until it starts outputting shell commands, which it has yet to do.

It appears to me that I may have gotten the virus from Gaim, but this is rather unlikely, as I'm the only one on my contact list running FreeBSD, let alone Gaim in the first place.

Any help or input would be greatly appreciated. :-/

-PLC