Linux · Recovery Guide

    How to Tell If You Installed a Malicious Linux Package, PPA, or AppImage

    Unsure if a Linux package, PPA, or AppImage is harmful? Learn to identify the warning signs and confirm potential threats without altering your system.

    Recognising Unusual System Behaviour

    Malicious software often makes itself known through unexpected changes in your computer's performance or behaviour. Keep an eye out for these tell-tale signs.

    • Your computer is running significantly slower than usual, even when not performing resource-intensive tasks.
    • Applications are crashing frequently or behaving erratically.
    • You notice a sudden increase in disk or network activity while the machine is idle and no download, backup or update is running.
    • New, unfamiliar processes are running in your system monitor (e.g., htop, gnome-system-monitor).
    • Your fan is spinning loudly and constantly, indicating high CPU usage.
    • Pop-up windows or advertisements are appearing unexpectedly, even when your web browser is closed.

    Regularly observe your system's normal behaviour so you can quickly spot anomalies.

    Investigating Suspicious Files and Directories

    Malicious installations may create unusual files or modify existing directories to hide their presence or ensure persistence. Knowing where to look can help you uncover these.

    • Check for new, unknown directories in common install paths such as /opt/ and /usr/local/bin/, and in the hidden directories of your home (e.g., ~/.local/share/, ~/.local/bin/).
    • Look for recently modified files in critical system directories (e.g., /etc/, /boot/) that you didn't edit yourself, and compare their timestamps with the date of the suspect installation.
    • Examine your shell start-up files (~/.bashrc, ~/.profile, and the system-wide /etc/profile.d/) for commands you don't recognise, in particular anything that downloads and pipes to a shell, decodes a base64 blob, or sets LD_PRELOAD.
    • Check the places where software registers itself to run without being asked: ~/.config/autostart/, ~/.config/systemd/user/, /etc/systemd/system/, cron jobs (/etc/cron.d/ and each user's crontab) and /etc/ld.so.preload.
    • Inspect newly created files with unusual names or extensions, especially in world-writable directories such as /tmp/ and /dev/shm/.

    Be cautious when inspecting system files; accidental modifications can cause system instability.

    Checking Running Processes and Network Connections

    Malware often runs in the background and may try to communicate with external servers. Examining active processes and network connections can reveal these activities.

    • Use htop or top to identify processes consuming excessive CPU or memory, especially if their names are unfamiliar or imitate system processes (a process named like a kernel thread but owned by your user, for instance).
    • Run ps aux | grep [suspect_process_name] to see its owner, parent and full command line, then read the /proc/[PID]/exe symlink to find the binary it was started from; a "(deleted)" suffix there means the file was removed from disk after launch, which legitimate software rarely does.
    • Use ss -tulnp (as root) to list listening ports and ss -tunap to list established connections together with the process that owns each socket; look for peers and ports you can't account for. netstat -tulnp shows the same listening view but is deprecated on most distributions in favour of ss.
    • Examine your firewall rules (e.g., sudo ufw status) for any allowances or open ports you didn't configure.
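    As an added example (not code from the original guide), the script below does the network half of this check in one pass: it reads ss -tunap output, keeps only established connections whose peer is outside loopback, link-local and private address space, and for each one prints the owning process and what /proc records about it (binary path, working directory, command line, parent). The address ranges treated as "local" and the ss output it runs on first are this example's own choices and a constructed sample respectively; on a real host, run it as root, since ss only shows the process column for sockets belonging to the invoking user.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): network and process triage.
# The `ss -tunap` sample below is constructed for illustration.
set -u

# Read `ss -tunap` output on stdin; print established sockets whose peer lies
# outside loopback, link-local and RFC1918/ULA space, with the owning process.
# Column layout for -tunap: Netid State Recv-Q Send-Q Local Peer Process
flag_remote_peers() {
    awk '
    NR == 1 || $2 != "ESTAB" { next }
    {
        peer = $6
        sub(/:[^:]*$/, "", peer)        # drop the :port suffix
        gsub(/[][]/, "", peer)          # strip IPv6 brackets ("]" and "[")
        if (peer ~ /^127\./ || peer == "::1" || peer ~ /^10\./ ||
            peer ~ /^192\.168\./ || peer ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ ||
            peer ~ /^169\.254\./ || peer ~ /^fe80:/ || peer ~ /^f[cd]/) next
        print $6, ($7 != "" ? $7 : "-")
    }'
}

# What /proc knows about one PID. A "(deleted)" suffix on exe means the binary
# was removed from disk after launch; a cwd of /tmp or /dev/shm is another bad
# sign for a long-running process.
proc_detail() {
    local pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe:    %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cwd:    %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    printf 'cmd:    %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'parent: %s\n' "$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
}

# Pull the pid out of ss's process column, e.g. users:(("curl",pid=4242,fd=3))
pid_from_proc_column() {
    printf '%s' "$1" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of `ss -tunap` output (not a real capture).
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*            users:(("sshd",pid=812,fd=3))
tcp   ESTAB  0      0      192.168.1.20:52144    192.168.1.5:443      users:(("firefox",pid=2210,fd=51))
tcp   ESTAB  0      0      127.0.0.1:33060       127.0.0.1:3306       users:(("mysqld",pid=900,fd=22))
tcp   ESTAB  0      0      192.168.1.20:41022    203.0.113.77:4444    users:(("kworkerd",pid=4242,fd=3))
tcp   ESTAB  0      0      [2001:db8::10]:54000  [2001:db8::1]:443    users:(("ssh",pid=3100,fd=3))
udp   UNCONN 0      0      0.0.0.0:68            0.0.0.0:*            users:(("dhclient",pid=700,fd=6))
EOF
)

main() {
    echo "### constructed sample (expect the kworkerd and ssh sockets)"
    printf '%s\n' "$SAMPLE_SS" | flag_remote_peers
    if command -v ss >/dev/null 2>&1; then
        echo "### this host"
        ss -tunap 2>/dev/null | flag_remote_peers | while read -r peer proc; do
            echo "== $peer  $proc"
            pid=$(pid_from_proc_column "$proc")
            [ -n "$pid" ] && proc_detail "$pid"
        done
    fi
}
main
```

    The filter deliberately keeps every non-private peer, including ones that turn out to be legitimate (the ssh session in the sample); the point is to shorten the list you then check by hand, with the /proc details telling you whether the process behind a connection lives where real software lives.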

    Some legitimate applications may also consume significant resources, so focus on processes you don't recognise.

    Verifying Package Integrity and Sources

    Packages from your distribution's repositories are checked by the package manager against the repository's signing key before they are installed; a PPA is checked against its own key, which you trusted when you added it; a .deb installed by hand or an AppImage downloaded from a website is checked by nobody unless you do it yourself. If you suspect a malicious installation, establishing where a package came from and whether its files are still what it shipped can confirm or dispel your suspicions.

    1. For Debian/Ubuntu packages, apt-cache policy [package_name] shows the installed version and the repositories that offer it. An installed version that no configured repository provides any more, or one that came from a PPA you don't remember adding, deserves a closer look; /etc/apt/sources.list.d/ lists every third-party repository and PPA currently enabled.
    2. For AppImages, verify the download source. Did you get it from the developer's own release page or from a third-party host? Compare the file's SHA-256 checksum with the one the developer publishes; some AppImages also ship a detached GPG signature or carry an embedded one. If the developer publishes neither, the file cannot be verified, only trusted.
    3. If you installed from a PPA, check its owner and description on Launchpad. Is the owner plausibly connected to the software it provides, or a recently created account redistributing a popular application?
    4. For installed packages, most distributions can compare the files on disk with the checksums the package shipped: on Debian/Ubuntu, dpkg -V [package_name] or debsums [package_name] (debsums needs installing first). Two limits apply: this only detects changes made after installation, not a package that was malicious from the start, and a package whose scripts ran as root during installation could have rewritten the checksum list itself, so a clean result is not proof of a clean package.
    5. Review your package manager's history (/var/log/apt/history.log for Debian/Ubuntu, plus its rotated .1 and .gz copies) for installations you don't recall authorising, and note any Commandline: entries that used --allow-unauthenticated or similar flags to bypass signature checks. /var/log/dpkg.log also records packages installed directly with dpkg -i, which never appear in apt's history.
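    Steps 1, 4 and 5 for a Debian/Ubuntu system, as an added example that is not part of the original guide: the script summarises apt's transaction log into one line per transaction (date, exact command, packages installed), tags transactions whose command line disabled signature checking, and for a package name passed on the command line prints its repository origin, the enabled sources, and the dpkg -V file comparison. The history excerpt it runs on first is constructed; the package names and versions in it are invented for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): package provenance checks for
# Debian/Ubuntu. The apt history excerpt below is constructed.
set -u

# Summarise apt's transaction log (stdin): one line per transaction with
# date, the exact command, and what it installed. Transactions whose
# command line bypassed signature checks are tagged [UNVERIFIED].
summarise_apt_history() {
    awk -F': ' '
    /^Start-Date:/  { date = $2 }
    /^Commandline:/ { cmd = $2 }
    /^Install:/     { inst = $2 }
    /^End-Date:/ {
        tag = (cmd ~ /allow-unauthenticated|force-yes|AllowInsecureRepositories/) ? " [UNVERIFIED]" : ""
        printf "%s | %s | %s%s\n", date, (cmd == "" ? "-" : cmd), (inst == "" ? "-" : inst), tag
        date = cmd = inst = ""
    }'
}

# Origin and on-disk integrity of one installed package. dpkg -V (dpkg >= 1.17)
# compares installed files with the md5sums shipped in the package, as debsums
# does. Caveat: both trust /var/lib/dpkg/info/*.md5sums, which a package whose
# scripts ran as root could have rewritten, and neither can tell that a
# package was malicious to begin with. Clean output is not a clearance.
pkg_origin() {
    local pkg="$1"
    command -v apt-cache >/dev/null 2>&1 || { echo "apt not found" >&2; return 1; }
    echo "== apt-cache policy $pkg"
    apt-cache policy "$pkg"
    echo "== configured sources"
    grep -hE '^(deb|Types:|URIs:)' /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null || true
    echo "== dpkg -V $pkg (no output means every file matches its recorded checksum)"
    dpkg -V "$pkg" || true
}

# Which package owns a file. Unowned files under /usr/local or /opt are normal;
# unowned files in /usr/bin, /usr/lib or /etc are worth explaining.
file_owner() {
    dpkg -S "$1" 2>/dev/null || echo "$1: not owned by any package"
}

# Constructed apt history excerpt: two transactions, the second installed with
# --allow-unauthenticated, which is how an unsigned third-party repository or
# .deb gets past apt's signature check.
SAMPLE_HISTORY=$(cat <<'EOF'
Start-Date: 2024-03-02  10:14:55
Commandline: apt-get install vim
Requested-By: alice (1000)
Install: vim:amd64 (2:9.1.0016-1), vim-runtime:amd64 (2:9.1.0016-1, automatic)
End-Date: 2024-03-02  10:15:01

Start-Date: 2024-03-05  02:31:10
Commandline: apt-get install -y --allow-unauthenticated syshelper
Requested-By: alice (1000)
Install: syshelper:amd64 (1.0-1)
End-Date: 2024-03-05  02:31:14
EOF
)

main() {
    echo "### constructed sample"
    printf '%s\n' "$SAMPLE_HISTORY" | summarise_apt_history
    # Real logs: current file, rotated plain copy, then compressed copies.
    # /var/log/dpkg.log additionally records packages installed with dpkg -i,
    # which never appear in apt's history.
    local f
    for f in /var/log/apt/history.log /var/log/apt/history.log.1; do
        [ -r "$f" ] && { echo "### $f"; summarise_apt_history < "$f"; }
    done
    for f in /var/log/apt/history.log.*.gz; do
        [ -r "$f" ] && { echo "### $f"; zcat "$f" | summarise_apt_history; }
    done
    if [ "$#" -gt 0 ]; then
        pkg_origin "$1"
    fi
}
main "$@"
```

    Invoke it with a package name (for example the one you suspect) to get the origin and dpkg -V section; without one it only summarises the history. A transaction tagged [UNVERIFIED], or an Install: line you did not type the command for, is where to concentrate the rest of the investigation.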

    Do not remove or alter suspicious packages yet: doing so can destroy the evidence you need to understand what happened, or break dependencies and leave the system unusable. If you believe data is leaving the machine, disconnecting it from the network preserves both the evidence and your data while you investigate.
