Really strange and disturbing things in my /boot/grub/grubenv file... Malware / Adware?

-1

Since the last Ubuntu update (16.04) a few days ago, I have had problems with GRUB. The grub-pc update did not go well... Now, at boot, it says: "Error: invalid environment block. Press any key to continue..." Not a huge problem, since it boots normally after that. But... While looking for how to fix this, I found this: link

Before applying the solution above (and because I am curious), I had a look at /boot/grub/grubenv (a binary file), and this is what I found (obtained with more /boot/grub/grubenv):

\E2\DA\DEh
# GRUB Environment Block

default=0
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
#############################
\BB\DA\DEfile:patterns.inieO\F0i{"content":["# Adblock Plus preferences","version=4","","[Subscription]","url=https://easylist-downloads.a Z0plus.org/exce<\E8rules.txt","title=Allow non-intrusive advertising","fixedTi-8true","homepageac'Pableads.com/","lastDo 4=1490883696","\A9PStatus=synchronize_ok :Success69SCheck8942208","expire,10564esoftEation 171790=_1703301411","requiredV-~2.-\AECount=6":\C0 filters]","! Text-based search ads on netzwelt.d!F$@@||google%2uds/$)\E50,subdocument, main=rEcse?$\A6>! !ic image\A7t3n\A2uru!\D5(de/api/view\A7d ^0u/b/$ZB*)%q0Sedo parking Us",>!adsense/ !\F0D/caf.js$sitekey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQJ\AF(fs/gen_204?-\FE\AB\FE\AB6\ABstaticE|)SaA)\B0\FE\AA\FE\AA2\AAimg.sedoM"\B2^q*\FE\AF\FE\AFJ\AF:\AB/u5\FE[\FE[=[ $elemhide\FE\FE.\||g.doubleclick.net/appsM\A5A/2\E3\FEQ\FEQ5Q\B5Ntext/EA\E24by InfluAds (h\ED\B6a:\A3forum\[email protected]?t=9518)D\00iD\A1Bco:","#@##!_W**

I do actually have AdBlock Plus installed in my Chrome browser, but it seems to me that it has nothing to do with this, or does it? There are also references to apparently non-existent sites such as Pableads.com and Z0plus.org, which worry me... Am I the only one who has this in my grubenv file?

EDIT: After applying the solution given in the link, my PC boots normally. The problem is solved and my grubenv file now looks like this:

Regards, Stéphane

by S_Bersier 03.05.2017 / 09:52
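As an added example (not part of the question or of GRUB itself), the following shell script checks whether a grubenv file has the shape GRUB expects: exactly 1024 bytes, the header line, key=value entries, and '#' padding. The sample files it builds are constructed for the demonstration; one of them mimics the dump above by appending a second copy of the block and some foreign data.

```shell
#!/bin/sh
# Added example, not part of the question above: check whether a GRUB
# environment block is well-formed. grub-editenv writes exactly 1024 bytes:
# the header line "# GRUB Environment Block", zero or more key=value lines,
# then '#' characters padding the file to 1024 bytes. A file of any other
# size, or one with extra data glued onto the end like the dump above,
# makes GRUB print "error: invalid environment block" at boot.

GRUBENV_SIZE=1024
GRUBENV_HEADER='# GRUB Environment Block'

# check_grubenv FILE
# Returns 0 if FILE looks like a valid environment block, 1 on wrong size,
# 2 on a missing header, 3 if the body holds anything but key=value lines.
check_grubenv() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne "$GRUBENV_SIZE" ]; then
        echo "$f: size is $size bytes, expected $GRUBENV_SIZE"
        return 1
    fi
    if [ "$(head -n 1 "$f")" != "$GRUBENV_HEADER" ]; then
        echo "$f: first line is not '$GRUBENV_HEADER'"
        return 2
    fi
    # Skip the 25-byte header line, drop the '#' padding, and count any
    # remaining non-empty line that is not NAME=value.
    junk=$(tail -c +26 "$f" | tr -d '#' \
        | grep -a -v -E '^[A-Za-z_][A-Za-z0-9_]*=' | grep -a -c . || true)
    if [ "$junk" -ne 0 ]; then
        echo "$f: $junk unexpected line(s) inside the block"
        return 3
    fi
    echo "$f: OK"
    return 0
}

# make_grubenv FILE [KEY=VALUE ...]: build a block the way grub-editenv does
make_grubenv() {
    out=$1; shift
    {
        printf '%s\n' "$GRUBENV_HEADER"
        for kv in "$@"; do printf '%s\n' "$kv"; done
    } > "$out"
    pad=$(( GRUBENV_SIZE - $(wc -c < "$out") ))
    dd if=/dev/zero bs=1 count="$pad" 2>/dev/null | tr '\0' '#' >> "$out"
}

# Constructed sample files (not taken from any real system).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/grubenv.good"
BAD="$WORK/grubenv.appended"
INSIDE="$WORK/grubenv.junk-inside"

make_grubenv "$GOOD" 'default=0'

# Shape of the dump in the question: a second copy of the block plus
# foreign data past the 1024-byte boundary.
cp "$GOOD" "$BAD"
cat "$GOOD" >> "$BAD"
printf 'file:patterns.ini{"content":["# Adblock Plus preferences"]}' >> "$BAD"

# Right size and header, but a non key=value line smuggled into the body.
make_grubenv "$INSIDE" 'default=0' 'file:patterns.ini'

check_grubenv "$GOOD"
check_grubenv "$BAD" || echo "-> this is what makes GRUB report an invalid environment block"
check_grubenv "$INSIDE" || echo "-> size is fine, content is not"
```

On a real machine, run `check_grubenv /boot/grub/grubenv`. The supported way to read the block is `grub-editenv /boot/grub/grubenv list`, and `grub-editenv /boot/grub/grubenv create` writes a fresh, empty 1024-byte block; keep a copy of the damaged file first if you intend to investigate where the extra bytes came from.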

1 answer

0

But the problem / question is still about the possible malware?

I cannot say how that junk ended up in your /boot/grub/grubenv, but root access is required to edit this file!

You can investigate to check the system for foreign modifications:

  • examine your command-line history; maybe a command caused this
  • search the /var/log/* folder, especially kern.log and auth.log, for suspicious entries
  • use rkhunter
    • Another rootkit detection tool. Install the rkhunter package from the Universe repository.
  • use chkrootkit
    • chkrootkit can be used to help determine if a machine has been compromised. While not what you should use for the 'final word' on whether you have been compromised, it runs a lot of useful checks and can direct suspicions towards finding a solution. To install chkrootkit, install the chkrootkit package.
  • Check files and packages against the package manager:
    • sudo debsums -a | grep -v OK
by 2IRN 03.05.2017 / 18:10
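Two of the checks the answer suggests, as an added example that is not part of the answer: a debsums-style comparison of files against a package's md5sums manifest, and a scan of auth.log for sudo commands that touched /boot/grub. The manifest, the files and the log lines are all constructed for the demonstration so it runs offline. One caveat the answer leaves out: debsums only verifies files shipped inside a .deb, and /boot/grub/grubenv is generated by grub-install / grub-editenv rather than shipped, so debsums will never report it no matter how mangled it is.

```shell
#!/bin/sh
# Added example, not part of the answer above. It runs two of the suggested
# checks against constructed sample data so that it works offline:
#   1. a debsums-style comparison of installed files with a package's
#      md5sums manifest (the format of /var/lib/dpkg/info/<pkg>.md5sums);
#   2. a scan of auth.log for sudo commands that touched /boot/grub.
# Caveat: debsums only knows files shipped in a .deb. /boot/grub/grubenv is
# generated by grub-install / grub-editenv, so it is absent from every
# manifest and debsums will never report it, however mangled it is.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root"                    # stands in for / on the real system
MANIFEST="$WORK/grub-pc.md5sums"     # constructed, not the real package's list
AUTHLOG="$WORK/auth.log"             # constructed excerpt, not a real log

# Constructed "package-owned" files and the manifest recorded at install time.
mkdir -p "$ROOT/etc/default" "$ROOT/usr/sbin" "$ROOT/boot/grub"
printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT=10\n' > "$ROOT/etc/default/grub"
printf '#!/bin/sh\nexec grub-mkconfig -o /boot/grub/grub.cfg\n' > "$ROOT/usr/sbin/update-grub"
(cd "$ROOT" && md5sum etc/default/grub usr/sbin/update-grub) > "$MANIFEST"

# Later modifications: one tracked file changed, plus a grubenv that no
# manifest covers.
printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT=0\n' > "$ROOT/etc/default/grub"
printf '# GRUB Environment Block\ndefault=0\n' > "$ROOT/boot/grub/grubenv"

# Constructed auth.log excerpt in the usual sudo / pam_unix line format.
cat > "$AUTHLOG" <<'EOF'
May  1 09:41:02 host sudo:  stephane : TTY=pts/0 ; PWD=/home/stephane ; USER=root ; COMMAND=/usr/bin/apt-get dist-upgrade
May  1 09:52:10 host sudo: pam_unix(sudo:session): session opened for user root by stephane(uid=0)
May  1 09:52:30 host sudo:  stephane : TTY=pts/0 ; PWD=/home/stephane ; USER=root ; COMMAND=/usr/bin/grub-editenv /boot/grub/grubenv create
May  2 23:17:45 host sudo:  stephane : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cp /tmp/grubenv /boot/grub/grubenv
May  3 08:02:11 host sshd[1432]: Accepted publickey for stephane from 192.0.2.10 port 50122 ssh2
EOF

# verify_manifest ROOT MANIFEST
# Prints OK/FAILED/MISSING per listed file, like debsums; returns the
# number of files that failed or are missing.
verify_manifest() {
    root=$1; manifest=$2; failures=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING /$path"; failures=$((failures + 1)); continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK     /$path"
        else
            echo "FAILED /$path"; failures=$((failures + 1))
        fi
    done < "$manifest"
    return "$failures"
}

# manifest_covers MANIFEST PATH (no leading slash): 0 if the manifest lists it
manifest_covers() {
    grep -q -E "[[:space:]]$2\$" "$1"
}

# grub_sudo_commands AUTHLOG: sudo COMMAND= entries that mention /boot/grub
grub_sudo_commands() {
    grep -a -E 'sudo:.*COMMAND=.*/boot/grub' "$1"
}

echo "== debsums-style check against $MANIFEST =="
verify_manifest "$ROOT" "$MANIFEST" || echo "-> $? file(s) differ from the package manifest"
for p in etc/default/grub boot/grub/grubenv; do
    if manifest_covers "$MANIFEST" "$p"; then
        echo "/$p is covered by the manifest"
    else
        echo "/$p is NOT in any manifest: debsums cannot vouch for it"
    fi
done

echo "== sudo commands touching /boot/grub =="
grub_sudo_commands "$AUTHLOG"
```

The point of the second scan is the timeline: `grub-editenv ... create` during the upgrade window is expected, while a copy into /boot/grub from /tmp at night from a different TTY is the kind of entry worth explaining before trusting the machine. On a real system the equivalent checks are `sudo debsums -a | grep -v OK` for packaged files and `grep COMMAND /var/log/auth.log*` for sudo history, remembering that neither covers grubenv itself.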