Recently I had an experience that made me re-evaluate my approach to security on Linux. I had updated my desktop computer to the latest openSUSE Leap (15.2) version. I also installed the proprietary Nvidia drivers. At random points during the day I experienced a freeze of my KDE desktop: I could not move my mouse or type on my keyboard. It probably involves Firefox, because I always have Firefox open during these moments. So for a couple of days, I tried to see in my logs what was going on. In /var/log/messages (there is a very nice YaST module for that) you can see the latest messages.
Suddenly I saw messages that I could not explain. Below, I have copied some sample log lines that give you an impression of what was happening. I have excluded the lines with personal information. But to give you an impression: I could read, line by line, the names, surnames, addresses and e-mail addresses of all my family members in the /var/log/messages file. I thought I was being hacked!
2020-09-04T11:01:48.001457+02:00 linux-910h kdeinit5: calligra.lib.store: Opening for reading "Thumbnails/thumbnail.png"
2020-09-04T11:01:48.002502+02:00 linux-910h kdeinit5: calligra.lib.store: Closing
....
2020-09-04T11:01:50.884670+02:00 linux-910h kdeinit5: calligra.lib.main: virtual bool KoDocument::openUrl(const QUrl&) url= "file:///home/username/Documents/Address list of my family.xls"
....
2020-09-04T11:01:52.571006+02:00 linux-910h kdeinit5: calligra.filter.msooxml: File "/xl/workbook.xml" loaded and parsed.
2020-09-04T11:01:52.571056+02:00 linux-910h kdeinit5: calligra.lib.store: opening for writing "content.xml"
2020-09-04T11:01:52.571080+02:00 linux-910h kdeinit5: calligra.lib.store: Closing
2020-09-04T11:01:52.571105+02:00 linux-910h kdeinit5: calligra.lib.store: Wrote file "content.xml" into ZIP archive. size 72466
I took immediate action, to prevent my PC from sharing more information over the internet:
- I unplugged the internet.
- I changed my root password and my user password.
- I blocked all external access via YaST Firewall.
- I de-installed the Calligra suite.
- I informed my family (via my laptop) that I might have been hacked.
- I informed my work (via my laptop) that I might have been hacked.
I needed to find out what was happening. I needed to know if a trojan or malware was trying to steal my personal information. So I tried searching for the ZIP archive which was referenced. This might still be stored somewhere on my PC. I used KFind to look up all files which were created in the last 8 hours. And then I found a lot of thumbnail files which were created by… Gwenview. Stored in a temp folder.
I started to realize that it might not be a hack, but something that was rendering previews, just like in Gwenview. I checked Dolphin and detected that I had the preview function enabled. I checked the log files again. Indeed, whenever I had opened a folder with Dolphin, all Word and Excel files in that folder were ‘processed’. I browsed several folders after deleting Calligra and there were no more log lines added. I re-installed the Calligra suite and noticed the calligra-extras-dolphin package. I browsed the same folders and indeed, the log lines started appearing all over again. I had found the culprit. It wasn’t a hack.
The Dolphin plugin ‘calligra-extras-dolphin’ generates previews for Microsoft Office files. And only for Microsoft Office files. I wasn’t aware that this was happening. In Dolphin I had the preview function enabled. However, I didn’t see the previews in Dolphin, because I used the ‘Details view mode’. So while I browsed my Downloads and Documents folders, this plugin started rendering previews for my Word and Excel files. The only Word and Excel files that I have on my PC are sent by my family and my friends, because I save everything in ODF. Two of these files contained the addresses of my family members. Possibly these operations also happen for all ODF preview files. But they are not logged in /var/log/messages. The Calligra plugin does log everything in there.
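An added example, not part of the original post: a small Python script that does the correlation described above automatically. It parses /var/log/messages-style lines, pulls out the Calligra logging category, and reports which program and category wrote home-directory document paths into the log. The sample log lines are constructed and modelled on the entries shown earlier; hostnames and paths are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the /var/log/messages entries above.
# Hostname, paths and sizes are made up for illustration.
SAMPLE_LOG = """\
2020-09-04T11:01:48.001457+02:00 linux-910h kdeinit5: calligra.lib.store: Opening for reading "Thumbnails/thumbnail.png"
2020-09-04T11:01:50.884670+02:00 linux-910h kdeinit5: calligra.lib.main: virtual bool KoDocument::openUrl(const QUrl&) url= "file:///home/username/Documents/Address list of my family.xls"
2020-09-04T11:01:52.571006+02:00 linux-910h kdeinit5: calligra.filter.msooxml: File "/xl/workbook.xml" loaded and parsed.
2020-09-04T11:01:52.571105+02:00 linux-910h kdeinit5: calligra.lib.store: Wrote file "content.xml" into ZIP archive. size 72466
2020-09-04T11:02:03.100000+02:00 linux-910h kdeinit5: calligra.lib.main: virtual bool KoDocument::openUrl(const QUrl&) url= "file:///home/username/Downloads/whitepaper.docx"
2020-09-04T11:02:05.000000+02:00 linux-910h systemd[1]: Started Daily Cleanup of Temporary Directories.
"""

# Syslog-style line: timestamp, host, program[pid]?: message
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$')
# Calligra prefixes each message with its logging category (calligra.lib.store, ...).
CATEGORY_RE = re.compile(r'^(?P<cat>calligra\.[\w.]+):\s+(?P<rest>.*)$')
# A quoted file:// URL or absolute path under /home counts as a user document reference.
HOME_PATH_RE = re.compile(r'"(?:file://)?(/home/[^"]+)"')

def parse_line(line):
    """Return (program, category or None, message) for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    c = CATEGORY_RE.match(msg)
    if c:
        return m.group('prog'), c.group('cat'), c.group('rest')
    return m.group('prog'), None, msg

def find_document_leaks(log_text):
    """Map (program, category) -> list of home-directory paths that component wrote into the log."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prog, cat, msg = parsed
        for path in HOME_PATH_RE.findall(msg):
            leaks[(prog, cat)].append(path)
    return dict(leaks)

if __name__ == '__main__':
    for (prog, cat), paths in find_document_leaks(SAMPLE_LOG).items():
        print(f"{prog} ({cat}) logged {len(paths)} document path(s):")
        for p in paths:
            print("   ", p)
```

Run it against a real file with `find_document_leaks(open('/var/log/messages').read())`; an empty result after removing a suspect package, and a non-empty one after re-installing it, is the same before/after check done by hand above.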
Rethinking Security on Linux
This incident forced me to rethink my security. I didn’t have a virus scanner installed. I knew that not many viruses were aimed at Linux. And the ones that are aimed at Linux systems mostly target WordPress (or other popular server software). I don’t download files from unknown sources.
This was true for my personal use. But because of Covid-19, I am forced to work from home. And as an IT architect, I evaluate a lot of software. To learn more about commercial software offerings, I request a lot of whitepapers. So in the last 6 months I actually did download a lot of PDF files from unknown sources. Also on my Linux system.
I was already on the verge of using a password manager. However, the thought of needing to change over 100 passwords caused me to wait for ‘the right time’. And wait I did, because I had been contemplating the use of a password manager for over 2 years. Now was the time to change. I decided to look for solutions that were native to Linux.
Searching for a Linux antivirus solution
I have used ClamAV in the past. I remembered that I didn’t like the user interface. However that was years ago. Maybe now it looks better. I opened YaST and installed ClamAV and the ClamTK GUI. I opened the application and… this still wasn’t for me. The software might be amazing, don’t get me wrong. But I didn’t like the look and feel.
Which led me to look for commercial alternatives. When searching on Google, it seems that there are quite a few virus scanners that work natively on Linux.
- ESET NOD32 Antivirus 4 Linux
- Comodo Antivirus for Linux
- F-Prot (End-of-Life 31-July-2021)
- AVG for Linux (discontinued)
- Sophos Antivirus for Linux
- Bitdefender GravityZone Ultra Security for Linux and Mac
- F-Secure Linux Security
- Kaspersky Endpoint Security for Linux
When you start to look into it in more detail, most of that information is very dated. Comodo is still selling Linux Antivirus, but hasn’t updated their solution in years. They only support older distributions and it doesn’t look like they will support newer Linux distributions in the future. F-Prot has stopped selling Antivirus for Linux and will end their support in 2021. AVG has stopped their Linux support already.
Sophos, Bitdefender, F-Secure and Kaspersky are still offering solutions for Linux, but not aimed at home users. They are targeted at businesses, running Linux on the server.
So the only option for home users is ESET NOD32 Antivirus 4 Linux. This serves both as antivirus and as anti-malware software. It has good documentation. The GUI is very user friendly. I like that there are various predefined scans that you can execute directly. I purchased a license for my Desktop and Laptop for 3 years for 60 euros, which I feel is a very reasonable price.
Choosing a password manager
I already used Mozilla Firefox to save/prefill my passwords. I have secured my browser with a Master password. This solution changed into Mozilla Lockwise, which also added the Android app. Because I also use Firefox on my Android phone, the Mozilla Lockwise solution was sufficient to sync all my passwords across my devices. However, it falls short compared with the features of a true password manager. I first needed to know what I would be looking for. My personal criteria:
- Cloud hosted (centralized storage of passwords)
- Offers a Web interface
- Offers a Linux client
- Offers a Firefox plugin
- Offers an Android app
- User friendly interface
- Secure / trusted by the community
- Has Multi Factor Authentication
- Is preferably open source
- Easy to import Firefox/Chrome saved passwords
I have looked at the following alternatives:
LastPass is a very good password manager that has been around for a while. It has a command-line client for Linux, which is very cool. Of course they offer a web interface. Furthermore they offer GUI clients for Windows, MacOS, Android and iOS. Unfortunately there is no GUI for Linux. They offer plugins for Firefox, Chrome, Opera, Safari and Edge. They have a free tier that is good for personal use across your devices. And if you go premium, you pay $2,90 / month. The only negative that I can think of is that it is not open source software.
1Password is the biggest competitor to LastPass. They also have a command-line client for Linux, which is a big plus. They also offer a web interface. They have GUI clients for Windows, MacOS, Android and iOS. And (like LastPass) unfortunately no Linux GUI client. They have plugins for Firefox, Chrome, Brave, Safari and Edge. And they are (also) not open source. The pricing is less appealing than LastPass, since there is no free tier. You start paying $3 / month after 30 days of free trial. Therefore I would choose LastPass over 1Password.
Dashlane is a competitor to LastPass and 1Password. They don’t have a Linux client. Of course they offer a web interface. And they have clients for Windows, MacOS, Android and iOS. They offer plugins for Firefox, Chrome, Edge and Safari. They are not open source. And I don’t like their pricing structure. The free tier is limited to 1 device, which is a big NO for me. You can only save 50 free passwords. That means that if you go with Dashlane, you might avoid storing certain passwords in your password manager in order not to pay for their premium service. Which is exactly the opposite of what a password manager is trying to accomplish. I would avoid this one.
Passbolt is interesting. It’s an open source password manager that offers a self-hosted option. Which is very cool, making it centrally / cloud hosted. However, they do not offer local clients at all. Everything is browser based. They do have Firefox and Chrome plugins. This password manager is very interesting for development teams or webmaster teams. You can put all your passwords in a central place in a trusted application. You can host it yourself on AWS or Azure or on a VPS provider of choice. They are located in Luxembourg, which is good because it’s in the EU. Passbolt is very much aimed at businesses. I don’t think it is great as a personal password manager.
KeePassXC is a local password manager. The application is available on Linux, Windows and MacOS. Or you can use the Android client Keepass2Android. There are plugins for Firefox and Chrome. You need to do some work if you want to use your passwords across multiple devices. You can save your database to Google Drive or Dropbox. Or you can use an application like Syncthing to sync your database. The architecture of this password manager is decentralized by default. If you want maximum privacy, go for this option. This one is not for me. I like to have a centrally managed cloud solution.
If someone would combine the strengths of Passbolt and KeePassXC, I feel this combination would gain a lot of traction in the Linux and Open Source world. But that is a pipe dream for now. The solution that I have chosen might be just as appealing to the open source community.
Bitwarden is the password manager that I have decided to use. It meets all my criteria. It provides me with the ease of use of a centrally managed solution. But it’s still an open source solution. Best of all, they offer a Linux GUI client. Furthermore they have GUI clients for Windows, MacOS, Android and iOS. They offer plenty of browser plugins: for Firefox, Chrome, Opera, Vivaldi, Brave, Tor Browser, Edge and Safari. They have command line applications for Linux, Windows, MacOS and even offer an NPM package. I love their pricing structure. Their free tier is probably all that you need. You can sync across all your devices and there is no limit on the number of passwords that you can store. However, they also offer a premium tier for just $10 / year. I decided to go for the paid option, to keep them in business.
Linux is a very secure operating system. But security is always a moving target. You can make your Linux system more secure by limiting user permissions, by configuring the firewall, by configuring AppArmor, by sandboxing applications and by making lower level changes (YaST Security Center).
The solutions mentioned in this article do something different: they improve your online security, by preventing viruses and malware from running on your system, and by making sure that your passwords are always random, strong and unique for each site. The mentioned solutions are simple ways for everyone to up their security game. I hope my evaluation of these solutions helps other Linux users to become safer online.
Published on: 18 September 2020