• Wes_Dev@lemmy.ml
    1 year ago

    I know this story is more so about a trojan in a trusted place, and not general security, but I have an anecdote to share.

    So, time to fess up here. I previously complained about Google trapping me in captcha-hell for enabling Ublock Origin.

    I was wrong.

    Turns out that I had visited a movie streaming site a while before to watch a season of some show, I forget which. Without any downloads or noticeable input on my part, my Linux box apparently got hacked/malware. All I did was click the occasional “I am a human” box on the website, and sit back with popcorn.

    I found out when my ISP started blocking IP addresses some time later. I checked my modem’s logs, and they showed some unexplained traffic to impossible “unassigned” IP addresses afterward. I didn’t notice for a while.

    I was stupid. Even worse, my phone also started behaving badly after that. I think I watched the last few episodes in bed, so must have infected that too.

    Don’t assume any system is automatically safe.

      • Wes_Dev@lemmy.ml
        1 year ago

        I hope so. It’s more likely something infected Firefox itself, and didn’t get into the OS. But when I checked the modem logs, it happened up to a couple of months after the fact. That’s worrying.

        What’s even more worrying is that a couple of websites told me I had an IP address that didn’t match my home IP, but would provide the correct one if I refreshed the page a couple of times. So some kind of covert proxy or VPN type of thing was happening.

        I ended up just wiping everything, to be safe. Still a bit paranoid though.

    • Tuukka R@sopuli.xyz
      1 day ago

      Almost nothing is ever really done on any filesystem when you press “delete”. The only thing is that those physical parts of the disk with the “deleted” file are marked as “not in use”. The data is there still unchanged, until you save something else and that spot on the disk is the first free spot available for saving that new file.

      So, if you accidentally delete files, make sure that nothing gets saved on that disk anymore, not even by the OS. So, either unmount the disk, or cut the power to your computer, or whatever. Then learn how to mount hard drives as read-only and how to mark the “not in use” spots on your disk as “this spot contains this file”.

      This is why proper deletion of files always includes filling the disk with random data. As long as nothing has been written on top of where the file was (and in reality: still is), it’s still there. Only access to it has been removed, but that access can be regained. Been there, done that.
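
The behaviour described in the comment above, as an added example that is not part of the thread: a constructed in-memory "disk" where deleting a file only drops its index entry, a signature-based carver that still recovers the PNG from the unreferenced sectors, and an overwrite with random data after which nothing is recoverable. The allocation table, file name and helper names are hypothetical and model no real filesystem.

```python
import os
import struct
import zlib

SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # fixed 8-byte PNG signature
PNG_END = b"IEND\xaeB`\x82"           # IEND chunk type plus its constant CRC

def chunk(kind, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(kind + data)
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)

def make_png():
    """Constructed sample: a valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_disk():
    """Constructed 64-sector disk with one file stored at sector 10."""
    disk = bytearray(SECTOR * 64)
    png = make_png()
    offset = SECTOR * 10
    disk[offset:offset + len(png)] = png
    table = {"photo.png": (offset, len(png))}   # toy allocation table
    return disk, table, png

def delete(table, name):
    """'Delete' as the comment describes: drop the index entry, leave the bytes."""
    return table.pop(name)

def wipe(disk, offset, length):
    """Overwrite the file's former location with random data."""
    disk[offset:offset + length] = os.urandom(length)

def carve_png(image):
    """Scan raw bytes for PNG signature..IEND spans, ignoring any file table."""
    found = []
    pos = image.find(PNG_MAGIC)
    while pos != -1:
        end = image.find(PNG_END, pos)
        if end == -1:
            break
        end += len(PNG_END)
        found.append((pos, bytes(image[pos:end])))
        pos = image.find(PNG_MAGIC, end)
    return found
```

On a real disk the carver would read from a read-only image of the device rather than the device itself, so the scan cannot overwrite the sectors it is trying to recover.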