[Users] Hi, need advice on possible linux virus in an email

zentara zzmiloschxx at gmail.com
Sat Mar 6 12:41:14 CET 2021


On Fri, 05 Mar 2021 21:34:39 -0800
lists <lists at lazygranch.com> wrote:

Hello, thanks to all who responded.
Let me try to answer many of the various points
made in this one email.

First the kernel issue and INTEL processor
backdoors. 
I use an AMD processor with the various patches 
provided by the kernel developers applied as
provided by a plain vanilla download of the
5.8 kernel.

Second, the issue of an X lockup probably
is not as crucial as the fact that upon killing
X, a pid with the name /usr/local/bin/claws-mail
is left with root privileges and flags Rs shown in
a ps listing.
A clue which did flash by my screen, which
I cannot replicate, is some message about
"socket not closed".

I'm not going to sweat this too much, but I will
be checking my ps output a lot more often, and
will be closing claws-mail when not actually
using it.
My only hope now is that this defunct process
did not alter a system library before I could kill it.

Thanks to all, and if anything, maybe it will
keep users more vigilant about attacks thru email.

Thank you all,
Joe


>I'm not touching what you attached. ;-)
>
>Send it to virustotal.com.
>
>
>Original Message
>
>From: zzmiloschxx at gmail.com
>Sent: March 5, 2021 8:40 PM
>To: users at lists.claws-mail.org
>Subject: [Users] Hi, need advice on possible linux virus in an email
>
>
>Hi,
>I have been a longtime user of claws-mail and
>this is the first time I've encountered a bug or virus
>like this. Especially worrisome on linux.
>
>I'm not sure what is going on, so I ask here for
>guidance and pointers.
>
>This is what happened.
>
>I send a friend an email, he replies, when I try
>to reply back, my keyboard locks up when focus
>is in the claws reply message box.
>
>When I try to close up the claws program, I get a corrupted
>screen, and a complete X-server lockup.
>
>What is even more worrisome is after the X-server is killed
>with a Ctrl-Alt-Backspace, I get 2 pids in ps auxww, showing
>claws-mail is now still in memory with 2 pids, and I cannot
>as user kill them. Only root can kill them with a kill -9 "pid",
>ps says they are Rs flagged
>
>Otherwise, my mail runs fine. I have repeated this with the
>attached email many times.
>
>I can provide a short video of my screen to show what
>is happening, if needed.
>
>My system is a recent Slackware current, modified by me with a newer
>kernel.
>
>Kernel:  5.8.10
>X-Server:  X.Org X Server 1.20.8 X Protocol Version 11, Revision 0
>Claws-mail: 3.17.8  self-compiled
>Window Manager: ICEWM
> 
>Please be warned that I experienced a lockup with this email and
>it leaves some sort of resident zombie-like pid owned by root.
>
>I would appreciate it if anyone could stick this email in
>their Mail Trash folder and either verify what I'm saying
>or suggest a possible simple explanation.
>
>Thank You,
>Joe Milosch 
>
>_______________________________________________
>Users mailing list
>Users at lists.claws-mail.org
>https://lists.claws-mail.org/cgi-bin/mailman/listinfo/users
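Joe says he will be "checking my ps output a lot more often" for claws-mail processes left behind as root. As an added example (not from this thread and not part of Claws Mail), the script below does that check automatically: it parses `ps -eo user,pid,ppid,stat,command` output and flags any claws-mail process that is owned by a user other than the one who launched the mail session, or that has been reparented to PID 1, which is what a process orphaned by a killed X session looks like. The sample ps listing, the user name `joe` and the PIDs are constructed for the example; the function names are the author's own.

```python
"""Flag claws-mail processes that look wrong in a ps listing.

Two conditions are checked, both taken from the symptoms described in the
thread: a claws-mail process running as a user other than the expected
desktop user, and a claws-mail process whose parent is PID 1 (its session
leader, e.g. the X session, is gone).
"""
import os
from dataclasses import dataclass

# Constructed sample of `ps -eo user,pid,ppid,stat,command` output.
# PIDs 1300/1301 mimic the root-owned, Rs-flagged leftovers from the thread.
SAMPLE_PS = """\
USER       PID  PPID STAT COMMAND
root         1     0 Ss   init
joe       1200     1 Ss   xinit
joe       1234  1200 Sl   /usr/local/bin/claws-mail
root      1300     1 Rs   /usr/local/bin/claws-mail
root      1301     1 Rs   /usr/local/bin/claws-mail
joe       1400  1200 S    bash
"""


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    stat: str
    command: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo user,pid,ppid,stat,command` output into Proc records."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)  # COMMAND may itself contain spaces
        if len(parts) < 5:
            continue
        user, pid, ppid, stat, command = parts
        procs.append(Proc(user, int(pid), int(ppid), stat, command))
    return procs


def find_suspicious(procs: list[Proc], expected_user: str,
                    binary: str = "claws-mail") -> list[tuple[Proc, list[str]]]:
    """Return (process, reasons) pairs for claws-mail processes that
    are owned by the wrong user or have been reparented to PID 1."""
    findings = []
    for p in procs:
        # Match on the executable's basename so the install path does not matter.
        if os.path.basename(p.command.split()[0]) != binary:
            continue
        reasons = []
        if p.user != expected_user:
            reasons.append(f"owned by {p.user}, expected {expected_user}")
        if p.ppid == 1:
            reasons.append("reparented to PID 1 (its session is gone)")
        if reasons:
            findings.append((p, reasons))
    return findings


def report(findings: list[tuple[Proc, list[str]]]) -> list[str]:
    """One human-readable line per finding, e.g. for a cron or login hook."""
    return [f"pid {p.pid} [{p.stat}] {p.command}: {'; '.join(r)}"
            for p, r in findings]


if __name__ == "__main__":
    # Offline demo on the constructed listing; on a live box you would feed in
    # subprocess.run(["ps", "-eo", "user,pid,ppid,stat,command"], ...).stdout.
    for line in report(find_suspicious(parse_ps(SAMPLE_PS), expected_user="joe")):
        print(line)
```

Run as the desktop user, it reports only the two root-owned orphans and stays quiet about the normal claws-mail instance under the user's X session, so it can sit in a periodic job without generating noise.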

