ChromeOS · Recovery Guide

    How to Spot Compromise Inside Your Chromebook Linux (Crostini) Container

    Learn to identify the signs of a compromised Linux (Crostini) container on your Chromebook, helping you to detect potential security breaches early.

    Recognising Unusual Behaviour

    A compromised Linux container might behave unexpectedly. Keeping an eye out for these changes can be the first step in identifying a problem.

    • Your Chromebook's fan spins up frequently even when you're not doing anything demanding, indicating high CPU usage within the container.
    • The Linux terminal opens by itself or displays unfamiliar messages without your interaction.
    • Applications within your Linux container crash more often than usual or refuse to launch.
    • You notice new, unfamiliar files or directories appearing in your Linux file system, especially in unexpected locations like your home directory (/home/your_username).
    • Your Chromebook's battery drains significantly faster when your Linux container is running, suggesting abnormal resource consumption.

    Pay attention to subtle changes; early detection is key to minimising potential damage.

    Checking for Rogue Processes

    Malicious software often runs in the background as a process. You can use command-line tools to identify any suspicious activity.

    1. Open your Linux terminal. You can usually find this by searching for 'Terminal' in your Chromebook's app launcher.
    2. Type top and press Enter to see a live view of running processes, ordered by CPU usage. Look for processes with unfamiliar names or unusually high resource consumption.
    3. Alternatively, use ps aux to see a snapshot of all running processes. Scroll through the output and look for any processes that you don't recognise, especially those running as root or with unusual command lines.
    4. To check network connections, which could indicate data being sent elsewhere, use netstat -tuln. Look for unexpected outgoing connections, especially to unfamiliar IP addresses or ports.
    5. If you spot anything suspicious, make a note of the process ID (PID) and the command being run, but do not terminate it yet, as this might alert an attacker.
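    Steps 2 to 5 above are easy to automate. The script below is an added example, not part of this guide: it reads a ps aux snapshot, flags processes that run from scratch or hidden directories or that use a lot of CPU, and appends the PID and command to a notes file rather than terminating anything. The sample ps output, the PIDs, the user 'alice' and the paths are all constructed for illustration, and the CPU threshold and path heuristics are assumptions to tune for your own container. One caveat on step 4: the -l flag of netstat -tuln restricts the output to listening sockets, so established outgoing connections only appear if you drop that flag or use the ss command from the network section of this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: triage a `ps aux` snapshot
# from inside the Crostini container. Read-only by design: nothing is killed
# and nothing leaves the machine, matching step 5 of the guide.

# Constructed sample of `ps aux` output so the script runs offline.
# The PIDs, users and paths are made up for illustration.
SAMPLE_PS='USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1  21000  9000 ?        Ss   09:00   0:00 /sbin/init
root         210  0.0  0.0  15000  2000 ?        Ss   09:00   0:00 /usr/sbin/cron -f
alice        402  0.3  0.5  90000 30000 pts/0    Ss   09:01   0:01 -bash
root         511 97.0  0.2  80000 12000 ?        R    09:03   4:12 /tmp/.x/kworkerd
alice        530 45.0  0.1   5000  1800 ?        S    09:05   1:30 /home/alice/.local/share/.cache/sync -d
alice        612  0.0  0.0  12000  3000 pts/0    R+   09:10   0:00 ps aux'

# Read `ps aux` text on stdin and print one tab-separated line per process
# that trips a heuristic (all thresholds and paths are assumptions):
#   - the command runs from a scratch directory (/tmp, /var/tmp, /dev/shm)
#   - the command runs from a hidden directory (a "/." path segment)
#   - CPU usage above CPU_THRESHOLD percent (the "fan spins up" symptom)
# Columns: PID, user, %CPU, reason, command.
flag_processes() {
    awk -v cpu_threshold="${CPU_THRESHOLD:-50}" 'NR > 1 {
        cpu = $3 + 0
        cmd = ""
        for (i = 11; i <= NF; i++) cmd = cmd (i > 11 ? " " : "") $i
        reason = ""
        if (cmd ~ "^(/tmp/|/var/tmp/|/dev/shm/)") reason = "runs from scratch directory"
        else if (cmd ~ "/\\.[^/ ]+/") reason = "runs from hidden directory"
        if (cpu > cpu_threshold) reason = (reason == "" ? "" : reason "; ") "high CPU"
        if (reason != "") printf "%s\t%s\t%.1f\t%s\t%s\n", $2, $1, cpu, reason, cmd
    }'
}

# Number of flagged processes in the snapshot on stdin.
count_flagged() {
    flag_processes | wc -l | tr -d ' '
}

# Append the flagged entries, with a timestamp, to a notes file so that a
# later snapshot can be compared against this one.
record_findings() {
    notes="$1"
    {
        echo "# $(date -u +%Y-%m-%dT%H:%M:%SZ) flagged processes"
        flag_processes
    } >> "$notes"
}

# Offline run against the sample. Live use inside the container:
#   ps aux | flag_processes
#   ps aux | record_findings "$HOME/triage-notes.txt"
printf '%s\n' "$SAMPLE_PS" | flag_processes
```

    Treat the output as a list of things to look up, not a verdict: a legitimate tool installed under ~/.local will trip the hidden-directory rule, which is why the script records findings instead of killing anything.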

    Be cautious when interpreting process lists; many legitimate system processes can appear unfamiliar at first glance.

    Investigating File System Integrity

    Attackers often modify or add files to maintain persistence or to exfiltrate data. Inspecting critical system directories can reveal these changes.

    • Use the command ls -la /tmp to list the contents of the temporary directory. Look for any unexpected executable files or scripts.
    • Examine cron jobs, which are scheduled tasks, by typing crontab -l. Malicious entries could allow an attacker to run commands periodically.
    • Check the /etc directory for recently modified or unfamiliar configuration files using ls -lat /etc. Pay close attention to files ending in .conf or .sh.
    • Review logs for suspicious activity. Common log locations include /var/log/syslog and /var/log/auth.log (for authentication attempts). Use grep to search for keywords like 'error', 'failed', or unfamiliar usernames.
    • Look for unusual executables or scripts in typical user directories like /home/your_username/.local/bin or /usr/local/bin.
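    The checks in this list can be scripted so that each one stays read-only. The following is an added example and not code from this guide: it lists executables in scratch directories, recently changed files under a directory such as /etc, cron entries with comments stripped, and scans an auth.log excerpt for repeated failed logins and cron jobs that run from /tmp. The log excerpt, the hostname 'penguin', the user names and the addresses (203.0.113.0/24 is a documentation range) are constructed, and the scratch-directory list and the seven-day window are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: read-only file-system and
# log checks for a Crostini container. Every function only lists or reads;
# nothing is modified, so the evidence stays as it was.

# Executable regular files under the given scratch directories.
# Usage: list_scratch_executables /tmp /var/tmp /dev/shm
list_scratch_executables() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            find "$d" -xdev -type f -perm -100 2>/dev/null
        fi
    done
}

# Files under a directory (e.g. /etc) modified within the last N days.
# Usage: list_recent_changes /etc 7
list_recent_changes() {
    find "$1" -xdev -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# Scheduled tasks: the current user's crontab plus the system-wide cron
# files, with comments and blank lines dropped.
list_cron_entries() {
    crontab -l 2>/dev/null | grep -v '^[[:space:]]*#' || true
    for f in /etc/crontab /etc/cron.d/*; do
        if [ -f "$f" ]; then
            grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|$f: |" || true
        fi
    done
}

# Constructed auth.log excerpt so the log scan runs offline; the hostname,
# user names and addresses are made up (203.0.113.0/24 is a documentation range).
SAMPLE_AUTH_LOG='Mar 10 09:01:12 penguin sshd[812]: Accepted publickey for alice from 100.115.92.1 port 50122 ssh2
Mar 10 09:04:40 penguin sshd[901]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar 10 09:04:43 penguin sshd[901]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar 10 09:05:01 penguin CRON[955]: (root) CMD (/tmp/.x/update.sh)
Mar 10 09:06:17 penguin sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 09:07:02 penguin sshd[990]: Failed password for bob from 203.0.113.5 port 41100 ssh2'

# Read log text on stdin; report failed logins per source address and any
# cron job whose command lives in a scratch directory.
scan_auth_log() {
    awk '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /CRON\[/ && $0 ~ "CMD \\(/(tmp|var/tmp|dev/shm)/" { cron[NR] = $0 }
        END {
            for (ip in fails) printf "failed-logins\t%s\t%d\n", ip, fails[ip]
            for (n in cron) printf "cron-from-scratch\t%s\n", cron[n]
        }'
}

# Total number of failed password attempts in the log text on stdin.
count_failed_logins() {
    awk '/Failed password/ { n++ } END { print n + 0 }'
}

# Offline run against the sample. Live use inside the container:
#   list_scratch_executables /tmp /var/tmp /dev/shm
#   list_recent_changes /etc 7
#   list_cron_entries
#   scan_auth_log < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | scan_auth_log
```

    The functions take their paths as arguments so you can point them at a copied log or a mounted snapshot just as easily as at the live container; three failed passwords from one address in as many minutes is the kind of pattern worth noting, and a root cron job that runs a script out of /tmp is worth noting on its own.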

    Always view log files and directory contents as read-only to avoid making accidental changes that could alter evidence.

    Analysing Network Activity

    A compromised container might be communicating with external servers, either sending out your data or receiving commands. Monitoring network connections can help pinpoint this activity.

    1. Open your Linux terminal.
    2. To see all active network connections, use the command ss -tulnpa. This provides a comprehensive list of TCP and UDP connections.
    3. Look for connections to unfamiliar IP addresses or unusual port numbers. Research any suspicious IP addresses using online tools to determine their origin.
    4. Pay attention to processes listed as 'LISTEN' that you don't recognise, as these could indicate a backdoor allowing remote access.
    5. If you suspect data exfiltration, observe the 'Send-Q' and 'Recv-Q' columns in ss output for unusually high numbers on unfamiliar connections, which might suggest large amounts of data being transferred.
    6. You can also use ping a_suspicious_ip_address to test connectivity to an unknown address without revealing too much information to a potential attacker.
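    The following script is an added example, not part of this guide, that applies steps 3 to 5 to an ss -tunap snapshot (the -a flag makes ss include established connections as well as listeners). It flags listening sockets on non-loopback addresses that belong to processes you have not listed as expected, and established connections to addresses outside the private and Crostini ranges, noting a large Send-Q. It is entirely passive: unlike the ping in step 6 it sends nothing to the remote address. The sample ss output, process names, ports and addresses are constructed; the expected-listener list, the Send-Q threshold of 64 KiB and the set of 'local' ranges are assumptions to adjust for your own container.

```shell
#!/bin/sh
# Added example, not part of the original guide: triage an `ss -tunap`
# snapshot from the Crostini container. Purely passive: it reads socket
# state already on the machine and sends nothing to any peer.

# Constructed `ss -tunap` output so the script runs offline. Addresses,
# ports and process names are made up; 203.0.113.0/24 is a documentation
# range and 100.115.92.0/24 is the range Crostini uses between host and container.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port      Peer Address:Port  Process
tcp   LISTEN 0      128    0.0.0.0:22              0.0.0.0:*          users:(("sshd",pid=812,fd=3))
tcp   ESTAB  0      0      100.115.92.203:22       100.115.92.1:50122 users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      10     0.0.0.0:5555            0.0.0.0:*          users:(("kworkerd",pid=511,fd=5))
tcp   ESTAB  0      183264 100.115.92.203:49210    203.0.113.5:443    users:(("sync",pid=530,fd=3))
tcp   ESTAB  0      0      100.115.92.203:51002    203.0.113.9:443    users:(("curl",pid=640,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*          users:(("systemd-resolve",pid=300,fd=12))'

# Listeners you expect in your container (an assumption; edit to match yours).
EXPECTED_LISTENERS="sshd systemd-resolve"

# Read `ss -tunap` text on stdin and print one tab-separated line per socket
# worth a second look:
#   - a LISTEN socket on a non-loopback address owned by a process not in
#     EXPECTED_LISTENERS (a possible backdoor, step 4 of the guide)
#   - an established connection to an address outside the local/private
#     ranges (step 3), with a note when Send-Q exceeds SENDQ_THRESHOLD
#     bytes (step 5)
# Columns: state, process, local, peer, Send-Q, reason. IPv4-oriented.
flag_sockets() {
    awk -v expected="$EXPECTED_LISTENERS" -v qthresh="${SENDQ_THRESHOLD:-65536}" '
        # Strip an interface suffix (%lo) and the :port to get the bare address.
        function ip_of(addr) { sub(/%[^:]*/, "", addr); sub(/:[^:]*$/, "", addr); return addr }
        function is_loopback(ip) { return ip ~ /^\[?(127\.|::1)/ }
        function is_local(ip) {
            return is_loopback(ip) || ip == "0.0.0.0" || ip == "*" ||
                   ip ~ /^(10\.|192\.168\.|100\.115\.92\.|172\.(1[6-9]|2[0-9]|3[01])\.)/
        }
        # Process name from users:(("name",pid=N,fd=M)); "?" when ss shows none.
        function proc_of(field) {
            if (match(field, /\("[^"]+"/)) return substr(field, RSTART + 2, RLENGTH - 3)
            return "?"
        }
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        NR > 1 {
            state = $2; sendq = $4 + 0; lcl = $5; peer = $6; proc = proc_of($7)
            reason = ""
            if (state == "LISTEN" && !is_loopback(ip_of(lcl)) && !(proc in ok))
                reason = "unexpected listener on non-loopback address"
            else if (state == "ESTAB" && !is_local(ip_of(peer))) {
                reason = "peer outside local ranges"
                if (sendq > qthresh) reason = reason "; large Send-Q"
            }
            if (reason != "") printf "%s\t%s\t%s\t%s\t%d\t%s\n", state, proc, lcl, peer, sendq, reason
        }'
}

# Number of flagged sockets in the snapshot on stdin.
count_flagged_sockets() {
    flag_sockets | wc -l | tr -d ' '
}

# Offline run against the sample. Live use inside the container
# (run with sudo so that -p can name other users' processes):
#   sudo ss -tunap | flag_sockets
printf '%s\n' "$SAMPLE_SS" | flag_sockets
```

    An external peer is not proof of anything by itself: the curl connection in the sample is exactly what a package download or web fetch looks like. The value is in the combination of an unfamiliar process, an address you cannot account for, and a send queue that never drains.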

    Interpreting network activity requires some technical understanding; consult reputable online resources if you are unsure about specific connections.
