From: Philip Lykke Carlsen <plcplc@gmail.com>
To: freebsd-hackers@freebsd.org
Date: Mon, 12 Jun 2006 20:41:54 +0200
Subject: Re: Strange keyboard (viral?) behaviour
Message-Id: <200606122042.00928.plcplc@gmail.com>
In-Reply-To: <200606121849.45538.plcplc@gmail.com>
List-Id: Technical Discussions relating to FreeBSD

Hm. A little more research seems to have narrowed it down a bit.

Apparently the text comes from my sister's Windows PC and is transmitted in real time to my FreeBSD machine, peculiar as it may sound. But at least now I have the means to look at the problem more carefully.

But I am still at a loss as to how to explain how it continued typing even after I unplugged the network card (it's a laptop...), and how it was able to continue even in single-user mode before the network had been properly set up (let alone plugged in at all).

On Monday 12 June 2006 18:49, Philip Lykke Carlsen wrote:
> Hello all.
>
> I don't want to cry wolf, but I think this calls for some sort of
> attention :-/
>
> Around yesterday my computer suddenly started acting really strange :s
> It started typing on its own.
> And it seemed to be typing things that I had been typing over GAIM a week
> or so ago, complete with typos being corrected the same way that I had
> made them originally.
>
> At first I thought that it might be some attacker from outside, but after
> unplugging the network, the typing persisted.
>
> I also noted that it was bound to "pressing" the actual buttons on the
> keyboard, rather than the resulting strings, as it was total nonsense at
> first (given that I had been using another keyboard layout the day of
> writing the text that it was now printing on the screen), but when I
> changed the layout back I recognised the text as the chat messages that I
> had been writing a week before in the past.
>
> Then I ran ps -ax as root, thinking it most probable to be a virus, but I
> couldn't find anything suspicious.
>
> And even more alarming, the typing persisted when I rebooted the machine in
> single-user mode, totally disrupting the terminal.
>
> But this at least singles out the location of the virus to be on / and not
> on /usr, since it wasn't mounted at the time because of a filesystem
> inconsistency.
>
> Then I installed both f-prot and clamav, but they have yet to discover
> anything. f-prot however seems to hang when it
> scans /libexec/ld-elf.so.1.old, whose origin is unknown to me, though it
> may have been created when I last recompiled the base system and kernel to
> upgrade to 6.1. I don't know if this is of any importance however... it's
> probably just a bug in f-prot.
>
> I tried searching for it on Google, but no one seems to have experienced
> anything quite like this.
> Personally it's my first ever virus infection on FreeBSD, so naturally I
> wasn't prepared for it at all.
>
> As the virus only seems to be outputting old chat messages, it's not
> actually dangerous but just damn irritating. Until it starts outputting
> shell commands, which it has yet to do.
>
> It appears to me that I may have gotten the virus from Gaim, but this is
> rather unlikely, as I'm the only one on my contact list running FreeBSD,
> let alone Gaim in the first place.
>
> Any help or input would be greatly appreciated. :-/
>
> -PLC