Checking system integrity after clicking scam email link on Linux

Question

Earlier today, my mother opened an email thinking it was from my sister-inlaw, then clicked on the shortened link.

The link loaded a page of fairly nonsensical text. The source of the page had no explicit javascript code, but the text was formatted with a non-standard identifier. NoScript told me there were scripts on the page (but they weren't trusted, so should have been blocked).

The system is Fedora 32, upgraded to this release a few days ago. The browser is Firefox with NoScript installed.

What should I do to confirm the integrity of the system? I'm concerned about the integrity of the Linux system, of course, but I'd also be concerned about any possible transfer of viruses or malware to Windows users my mother emails.

I've done this once before after a similar incident. I'm planning to create a live USB to scan the system for problems (which I did before) using one of the forensic Linux distros designed for this, but I'm pretty sure I did something else last time and can't remember what.

What is necessary to ensure the system's integrity?

I've read Clicked link in faked email and https://security.stackexchange.com/a/17854. https://security.stackexchange.com/a/73660 is fairly scary, though I'm somewhat sceptical of its claims.

I also read various online guides, but had difficulty finding anything specific to Linux and reasonably current. (I think I must be searching the wrong terms because I seem to remember finding this kind of information fairly easily before.)

Answer 1

Most of the standard security in Linux distributions prevent the worse incidents. I assume your mother does not browse as root. And if your distro has the latest patches applied, most of the time, you'r OK.

There are some integrity checks, like chkrootkit; you must stay of course up-to-date and it will not detect everything.

Further, more extreme measures would be to create a Trusted Computing Base, like they had (have?) on AIX. Store a checksum of every file and from time-to-time check if they are still correct. Be sure to update your signatures after each package upgrade.

You could also create a reference system and compare it with that. That is overkill for a single PC, ofcourse.

And you could look into mounting partitions as read-only. I've seen /usr on a read-only, and that kind of works. Keeping up-to-date with the system is horror though.

Answer 2

If you have really been hacked there's no way to make sure you're not running malware and the only way to resolve this is a complete wipe of your system. No, chkrootkit, rkhunter and alike are pretty useless because they are barely maintained, they detect only some well known strains of malware and they don't go beyond that.

This affects not only Linux in Windows though Windows in some ways could be more difficult to hack because not only the boot loader and the NT kernel are signed, pretty much all Windows binaries are signed and you can at least make sure you're running Microsoft binaries (however malware may install itself well outside of everything using the registry, printer spool files, task scheduler tasks, etc. etc. etc. - every day hackers find new way to mask malware such a way it becomes invisible).

In Linux however only the bootloader and the kernel are signed while userspace is not. The kernel will happily run anything you throw at it. There's AIDE which you can install and use but it's useless after the fact and I don't believe it's thorough enough to protect e.g. against rootkits.