does anybody know about gstatic browser virus?

Asking for a friend who, on my recommendation, has been using suse 13.1 Gnome for a few years. She’s afraid of the forums, thinks everybody here speaks Geek and doesn’t understand. Don’t understand a whole lot myself but getting by because Linux encourages you to learn :slight_smile:
Anyhow, for too many weeks, she’s been having problems updating, gets cannot connect & permission denied error messages, unable to visit a lot of sites, usually access denied messages and can’t log out of her gmail without allowing the script gstatic. Searching gstatic gives a lot of results about it being a virus/malware redirecting searches in your browser!? Any info on this would be appreciated, thanks

13.1 is no longer officially supported, but it is still supported by the Evergreen project, so you have to switch repos.

https://en.opensuse.org/Evergreen

That should not affect browsers though. Which one? Maybe try a different one?

In any case, we need more info, like which sites, specific error messages, etc.

Yes, sometimes I also have the same impression, sadly, unfortunately.

Yes, “gstatic.com” seems to be a piece of malware which used to be “Windows-only” but, from what you’re saying has now begun to annoy the users of machines running Linux.
What to do? (Everything written on the Web related to removing the thing from machines running the product from the Redmond folks is difficult to apply to the Linux environment.)

Please try the following:

  1. Open the Web-Browser and clean the cache, and I do not mean a “light dust-over”, I mean EVERYTHING. (Enable each and every option related to cleaning [clearing] items in the user’s Web Browser cache.)
  2. (Not as easy – needs a CLI Terminal):

The affected user needs to logout from their GUI session.
The affected machine needs to be free from all other human users (login sessions, GUI sessions, and whatever).
From a VT (tty) session with the “root” user logged in (<Ctrl-Alt>-F1 for tty1; F2/3/4/5/6 for tty2 through tty6), bring the system down to the off-line state:

init 2 (Hello Geeks: it’s a 13.1 system . . . )

{Alternatively: " # init 1" – to bring the system into the “standalone state”}
First: “cd” to ‘/tmp’; clean up everything which looks or smells like rubbish – a reasonably clean (13.2) “/tmp” directory looks something like this:


 > ls /tmp/
akonadi-xxx.B62mhH  ksocket-kdm
akonadi-yyy.37JJuG    lost+found
akonadi-zzz.uKg0Jp       mozilla_xxx0
akonadi-aaa.Nl5J3j    mozilla_yyy0
akonadi-bbb.lXwZrP    mozilla_zzz0
dracut_failed_drivers    mozilla_aaa0
gpg-13D5of               plugtmp
gpg-BcZUXN               ssh-5G3z3ZYnjZ9L
hogsuspend               systemd-private-0afca854ccbf4459a17b72a6399d8739-apache2.service-pqFINi
hsperfdata_xxx      systemd-private-1ea7808c362c4f7da0dc1e71e915e7fa-apache2.service-YzRix6
hsperfdata_yyy           systemd-private-1ea7808c362c4f7da0dc1e71e915e7fa-ntpd.service-Du4gMr
hsperfdata_zzz        systemd-private-1ea7808c362c4f7da0dc1e71e915e7fa-rtkit-daemon.service-QGYtje
hsperfdata_aaa        systemd-private-4229007e39034974bdfd91df8f5bf2d6-apache2.service-Hz5R3L
hsperfdata_root          systemd-private-4229007e39034974bdfd91df8f5bf2d6-rtkit-daemon.service-KXkE9k
hsperfdata_bbb        systemd-private-44e51826358e4da198c215e89e514bc2-apache2.service-1hjuci
kde-xxx             systemd-private-8586cbee2d74465a82b4aa429356dd6c-apache2.service-gfgxYC
kde-yyy                  systemd-private-8586cbee2d74465a82b4aa429356dd6c-rtkit-daemon.service-AezN0y
kde-zzz               systemd-private-d8cac971d8644530b7b05d7e5641f7f5-apache2.service-jQhVJd
kde-kdm                  systemd-private-d8cac971d8644530b7b05d7e5641f7f5-ntpd.service-AR3WYo
kde-aaa               systemd-private-ead78e6400b145c99a265c2a13d5d043-apache2.service-7XqJwx
kde-root                 systemd-private-ead78e6400b145c99a265c2a13d5d043-ntpd.service-LRT4ZP
kde-bbb                  systemd-private-ead78e6400b145c99a265c2a13d5d043-rtkit-daemon.service-Mv41QY
kde-ccc               y2yamldata-RWLbVZ
 > 


(If I remember correctly, on 13.1 systems, the “systemd” directories may be missing.)

The mozilla_xxx/ directories can be emptied – completely – also removed.
In fact, each and every user directory (a non-system-user directory) can be removed completely – it’ll be recreated at the next system boot and/or login.
There may be some hidden (mostly user) directories also present: “/tmp/.esd-xxx/”; “/tmp/.font-unix/”; “/tmp/.ICE-unix/”; “/tmp/.Test-unix/”; “/tmp/.X11-unix/”; “/tmp/.XIM-unix/” – also clean these directories out . . .
Carry out the same actions in the “/var/tmp/” directory.

No need to be afraid: if you delete too much, it’ll be recreated at the next boot and/or user login.

With respect to each user’s local system data, repeat this recipe for the “hidden” directories in each user’s home directory:

Check for an unexpected hidden user directory due to “gstatic”.

A possible list of (13.2) expected hidden user directories and files is:

 > ls -d .*
.               .cache          .emacs      .gtkrc-2.0-kde4  .profile        .thumbnails  .xim.template
..              .compose-cache  .esd_auth   .history         .recently-used  .vim         .xinitrc.template
.adobe          .config         .fltk       .inputrc         .scribus        .viminfo     .Xmodmap
.audacity-data  .cups           .fonts      .kde4            .signature      .vimrc       .xsession-errors
.bash_history   .dbus           .gimp-2.8   .lesshst         .skel           .vnc         .xsession-errors-:0
.bashrc         .designer       .gnome2     .local           .ssh            .w3m         .xsession-errors-:1
.bluefish       .directory      .gnupg      .macromedia      .subversion     .wine        .y2log
.bogofilter     .dmrc           .gtkrc-2.0  .mozilla         .svnqt          .Xauthority  .y2usersettings
 > 

Especially, check out each user’s “~/.mozilla/” and “~/.cache/” directories.
And, a little tip: if you’re using Firefox, install the plug-in “Ghostery” but, be aware that often web-sites will stop working because, “Ghostery” is consequent, vicious, and hard – that’s why it has a web-site “white-list”.

> Yes, “gstatic.com” seems to be a piece of malware which used to be “Windows-only” but, from what you’re saying has now begun to annoy the users of machines running Linux.
> What to do? (Everything written on the Web related to removing the thing from machines running the product from the Redmond folks is difficult to apply to the Linux environment.)
>
> Please try the following:

Many thanks for this, will try it on my machine first as, although I don’t have the same symptoms as my friend, I now see that NoScript has gstatic in its whitelist so no doubt I have the virus too! Will let you know how it goes.

> gogalthorp: 13.1 is no longer officially supported, but it is still supported by the Evergreen project, so you have to switch repos.

thanks, hadn’t realised that 13.1 is no longer supported, would it be better to upgrade to 13.2 rather than switch repos?

> That should not affect browsers though. Which one? Maybe try a different one?

Only ever use Firefox but from searching gstatic looks like it affects all of them!

And sorry if it’s obvious and I just can’t see it, but how do I get the ‘quote tags’ to display quotation marks and “originally quoted by”?

Ah now I see it ‘reply with quote’ Duh!

Oops!!!
Yes, “NoScript” could be better than “Ghostery” for many users and, it seems to be reasonably up-to-date:

Version 2.9.0.11 Info
Last Updated: April 6, 2016

On Tue, 19 Jul 2016 12:56:02 GMT,
Sosaidh <Sosaidh@no-mx.forums.microfocus.com> wrote:

> > Yes, “gstatic.com” seems to be a piece of malware which used to be
> > “Windows-only” but, from what you’re saying has now begun to annoy the
> > users of machines running Linux.
> > What to do? (Everything written on the Web related to removing
> > the thing from machines running the product from the Redmond folks is
> > difficult to apply to the Linux environment.)
> >
> > Please try the following:
>
> many thanks for this, will try it on my machine first as, although i
> don’t have the same symptoms as my friend, now see that noscript has
> gstatic in whitelist so no doubt i have the virus too!

OH MY GOD!1111 WE’RE ALL GONNA DIE!!111111111111

Seriously, do you know the difference between the domain gstatic.com and
some virus/browser hijacker (coincidentally) also named “gstatic.com”?

Obviously not, and it pretty much seems you are not the only one.

The domain gstatic.com is owned by google and as you might find it annoying
that some (many?) google service also connect to gstatic.com to run some
javascript, this is definitely not a virus.

https://www.answers.com/Q/What_is_gstatic

https://en.wiki-domains.net/wiki/gstatic.com

If you block gstatic.com with noscript or another utility some google services
(like gmail) will not work as intended as they rely on the ability to connect
to gstatic.com and run javascript (amongst other things).

If you don’t trust those services (which is a valid point but NOT the issue
here), then don’t use them.

If you want to use google services which rely on the availability of the domain
gstatic.com, you will have to allow (i.e. whitelist) that domain or they will
not work correctly or at least give you some warnings that gstatic.com can not
be reached.

The developer of noscript decided to whitelist that domain (and some more, just
have a look at it) in order to avoid breaking some very popular domains (i.e.
google services).

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

Yes, but, how is that going to help the originator of this thread?
Currently, attempts to browse to <https://www.gstatic.com/> result in:

Google
404. That’s an error.

The requested URL / was not found on this server. That’s all we know.

Which may possibly mean that Google have recognised the issue and done something to alleviate the problems their customers are experiencing.
I suspect that, “Sosaidh” and his/her friends will have to initially do what I wrote earlier and also search each user’s directories for traces of a rogue executable (assuming that the thing has begun to drop executable files with the Linux ELF format onto the infected machines).

@Sosaidh:
Do you have “wine” installed on your systems?
If so, you may have this malware in the “~/.wine/” directory structures.

  • IMHO the only way to effectively remove the thing will be to delete everything in the “~/.wine/” directories, and then re-install the MS Windows applications.

Please take note of the openSUSE “Lifetime” information: <https://en.opensuse.org/Lifetime>.

openSUSE 13.2 - will be maintained until 2 months after release of Leap 42.2 (EXPECTED First Quarter of 2017)

Please also take note of the openSUSE “Evergreen” information: <https://en.opensuse.org/openSUSE:Evergreen>

On Wed, 20 Jul 2016 08:56:02 GMT,
dcurtisfra <dcurtisfra@no-mx.forums.microfocus.com> wrote:

> Yes, but, how is that going to help the originator of this thread?

With a little luck this will help him stop hunting a ghost.

> Currently, attempts to browse to <https://www.gstatic.com/>
> result in:
> >
> > Google
> > 404. That’s an error.
> >
> > The requested URL / was not found on this server. That’s all we know.
> >
> Which may possibly mean that Google have recognised the issue and done
> something to alleviate the problems their customers are experiencing.

Either that, or it simply means what the error says.

The URL (sic!) is not available and that does not mean that there is no content
on that server, just that there is no content available under THAT URL, which
makes sense considering the use of gstatic.com.

It is NOT there for being browsed directly, it is there for static (hence the
name) content being loaded by other sites via JavaScript, CSS, etc.
via dedicated URLs, and direct browsing is disabled.

Anyway, good luck in hunting the “gstatic virus”, if you really find it, it
will have nothing to do with the URL gstatic.com, but OTOH please send me a
sample then.

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

On Wed, 20 Jul 2016 10:36:36 GMT,
AK <Akoellh@no-mx.forums.microfocus.com> wrote:

> On Wed, 20 Jul 2016 08:56:02 GMT,
> dcurtisfra <dcurtisfra@no-mx.forums.microfocus.com> wrote:
>
> > Yes, but, how is that going to help the originator of this thread?
>
> With a little luck this will help that he stops hunting a ghost.
>
> > Currently, attempts to browse to <https://www.gstatic.com/>
> > result in:
> > >
> > > Google
> > > 404. That’s an error.
> > >
> > > The requested URL / was not found on this server. That’s all we know.
> > >
> > Which may possibly mean that Google have recognised the issue and done
> > something to alleviate the problems their customers are experiencing.
>
> Either that, or it simply means what the error says.
>
> The URL (sic!) is not available and that does not mean that there is no
> content on that server, just that there is no content available under THAT
> URL, which makes sense considering the use of gstatic.com.

P.S.

Just to prove my point:

https://ssl.gstatic.com/ -> 404

https://ssl.gstatic.com/gb/images/p1_a4541be8.png -> little icons, classic case for static content

AK

Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

Are you absolutely certain that, the network service is running correctly?
Which Name Server have you activated on your 13.1 systems?

  • If it’s BIND then, try (with the “root” user) from a CLI Terminal prompt “rndc flush”.
  • If you have a 13.1 with “nscd” then the command is “nscd -i <database>” where ‘<database>’ is one of “passwd group hosts services netgroup”.

The answer posted by “Akoellh” is a moot point: if you use Google then, you have to accept Google’s terms and conditions.

Currently not certain about this: using the Russian search engine Yandex doesn’t reveal anything definite about such a virus. There is an entry in the Kaspersky forum but, it also does not really reveal anything: <https://forum.kaspersky.com/index.php?showtopic=352226>

Originally posted by Akoellh:
> OH MY GOD!1111 WE’RE ALL GONNA DIE!!

Originally posted by Akoellh:
> Never attribute to malice that which can be adequately explained by stupidity.
> (R.J. Hanlon)

Exactly :o

Originally posted by Akoellh:
> The domain gstatic.com is owned by google and as you might find it annoying
> that some (many?) google service also connect to gstatic.com to run some
> javascript, this is definitely not a virus.

Thank you! Feeling foolish but grateful to have the question answered, and the ghost hunt over. Have to admit, after reading the results of my first search of gstatic.com my gut instinct said it’s not a virus... should have trusted that and not the fear of attack!! Did do as suggested by dcurtisfra so have learnt at least how to really clean the tmp folder...

When my friend first asked about this, another thread here suggested her ISP and I had felt the problem was there too, so had her get in touch with them. She spoke to their tech guy who re-set her connection, which did help a lot, but he also told her she must have a really bad virus if she couldn’t close gmail without allowing something else to run, and the ghost hunt was on!! Thanks again for dispelling that one.
Know I’m an idiot but still don’t get how to reply with quotes properly so that it gives ‘originally posted by’?

On Wed, 20 Jul 2016 12:46:01 GMT,
Sosaidh <Sosaidh@no-mx.forums.microfocus.com> wrote:

> > but still don’t get how to reply with quotes properly
> so that it gives ‘originally posted by’ ?
>

I suspect you are using the Forum via your web browser, while I am using the
forum as a Newsgroup with an NNTP reader (integrated into my mail client).

If you want to use quotes, you can do this via the Web interface, while quoting
via the NNTP interface is done differently (and automatically, in a way similar to
quoting when replying to an email).

That’s the difference and if I were you I would not bother and use the default
way of quoting which in the web interface will even look more elegant.

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

Originally posted by Akoellh:
> OH MY GOD!1111 WE’RE ALL GONNA DIE!!
>
> Never attribute to malice that which can be adequately explained by stupidity.
> (R.J. Hanlon)

Exactly :o

Originally posted by Akoellh:
> The domain gstatic.com is owned by google and as you might find it annoying
> that some (many?) google service also connect to gstatic.com to run some
> javascript, this is definitely not a virus.

Thank you! Feeling foolish but grateful to have the question answered, and the ghost hunt over. Have to admit, after reading the results of my first search of gstatic.com my gut instinct said it’s not a virus... should have trusted that and not the fear of attack!! Did do as suggested by dcurtisfra so have learnt at least how to really clean the tmp folder!

When my friend first asked about her problems, another thread here suggested her ISP, which made sense to me, so had her get in touch with them. She spoke with their tech guy who re-set the connection, which helped a lot, but he also told her that she must have a nasty virus if she couldn’t close her gmail without allowing something else to run! The ghost hunt was on! So thanks for dispelling that one…

Guess we’ve already established that I’m an idiot, but could somebody tell me how to reply properly with quotes so that it says ‘originally posted by’!?

This is how you do that technically:

[QUOTE=username]quoted text here[/QUOTE]

You can also use the Reply with Quote button.

@dcurtisfra

> Are you absolutely certain that, the network service is running correctly?

It does appear there was a problem with her network service, as once she got in touch and had the connection reset, a lot of problems disappeared, and now that she’s taken gstatic out of NoScript’s untrusted list, sites are working well again :slight_smile:

> Do you have “wine” installed on your systems?
> If so, you may have this malware in the “~/.wine/” directory structures.
>
>   • IMHO the only way to effectively remove the thing will be to delete everything in the “~/.wine/” directories, and then re-install the MS Windows applications.

Good to learn how to clean up directories, but no, I don’t have ‘wine’ installed! Thankfully…

> Please take note of the openSUSE “Lifetime” information: <https://en.opensuse.org/Lifetime>.
> openSUSE 13.2 - will be maintained until 2 months after release of Leap 42.2 (EXPECTED First Quarter of 2017)

Like 13.1, so will look into “Evergreen”, but maybe it’s time to take the ‘Leap’ :slight_smile: just hoping this old machine will cope!
Thanks for all your help.

Better take the Leap now. 13.1 Evergreen’s support stops in November. There will be no more Evergreen, given the lifetime of Leap releases.

OK, still not quite getting it but improved, will try the suggestions by @Akoellh.
Also wanting to mark this thread solved but not seeing where to do that now either!?

Thanks for that!