Asking for a friend who, on my recommendation, has been using suse 13.1 Gnome for a few years. She’s afraid of the forums, thinks everybody here speaks Geek and doesn’t understand. Don’t understand a whole lot myself but getting by because Linux encourages you to learn.
Anyhow, for too many weeks, she’s been having problems updating, gets cannot connect & permission denied error messages, unable to visit a lot of sites, usually access denied messages and can’t log out of her gmail without allowing the script gstatic. Searching gstatic gives a lot of results about it being a virus/malware redirecting searches in your browser!? Any info on this would be appreciated, thanks
13.1 is no longer officially supported; it is still supported by the Evergreen project, so you have to switch repos.
https://en.opensuse.org/Evergreen
That should not affect browsers though. Which one? Maybe try a different one?
In any case, need more info, like which sites, specific error messages, etc.
Yes, sometimes I also have the same impression, sadly, unfortunately.
Yes, “gstatic.com” seems to be a piece of malware which used to be “Windows-only” but, from what you’re saying has now begun to annoy the users of machines running Linux.
What to do? (Everything written on the Web related to removing the thing from machines running the product from the Redmond folks is difficult to apply to the Linux environment.)
Please try the following:
- Open the Web-Browser and, clean the cache and, I do not mean a “light dust-over”, I mean EVERYTHING. (Enable each and every option related to cleaning [clearing] items in the user’s Web Browser cache.)
- (Not as easy – needs a CLI Terminal):
The affected user needs to logout from their GUI session.
The affected machine needs to be free from all other human users (login sessions, GUI sessions, and whatever).
From a VT (tty) session with the “root” user logged in (<Ctrl-Alt>-F1 for tty1; F2/3/4/5/6 for tty2 through tty6), bring the system down to the off-line state:
init 2 (Hello Geeks: it’s a 13.1 system . . . )
{Alternatively: " # init 1" – to bring the system into the “standalone state”}
First: “cd” to ‘/tmp’; clean up everything which looks or smells like rubbish – a reasonably clean (13.2) “/tmp” directory looks something like this:
> ls /tmp/
akonadi-xxx.B62mhH ksocket-kdm
akonadi-yyy.37JJuG lost+found
akonadi-zzz.uKg0Jp mozilla_xxx0
akonadi-aaa.Nl5J3j mozilla_yyy0
akonadi-bbb.lXwZrP mozilla_zzz0
dracut_failed_drivers mozilla_aaa0
gpg-13D5of plugtmp
gpg-BcZUXN ssh-5G3z3ZYnjZ9L
hogsuspend systemd-private-0afca854ccbf4459a17b72a6399d8739-apache2.service-pqFINi
hsperfdata_xxx systemd-private-1ea7808c362c4f7da0dc1e71e915e7fa-apache2.service-YzRix6
hsperfdata_yyy systemd-private-1ea7808c362c4f7da0dc1e71e915e7fa-ntpd.service-Du4gMr
hsperfdata_zzz systemd-private-1ea7808c362c4f7da0dc1e71e915e7fa-rtkit-daemon.service-QGYtje
hsperfdata_aaa systemd-private-4229007e39034974bdfd91df8f5bf2d6-apache2.service-Hz5R3L
hsperfdata_root systemd-private-4229007e39034974bdfd91df8f5bf2d6-rtkit-daemon.service-KXkE9k
hsperfdata_bbb systemd-private-44e51826358e4da198c215e89e514bc2-apache2.service-1hjuci
kde-xxx systemd-private-8586cbee2d74465a82b4aa429356dd6c-apache2.service-gfgxYC
kde-yyy systemd-private-8586cbee2d74465a82b4aa429356dd6c-rtkit-daemon.service-AezN0y
kde-zzz systemd-private-d8cac971d8644530b7b05d7e5641f7f5-apache2.service-jQhVJd
kde-kdm systemd-private-d8cac971d8644530b7b05d7e5641f7f5-ntpd.service-AR3WYo
kde-aaa systemd-private-ead78e6400b145c99a265c2a13d5d043-apache2.service-7XqJwx
kde-root systemd-private-ead78e6400b145c99a265c2a13d5d043-ntpd.service-LRT4ZP
kde-bbb systemd-private-ead78e6400b145c99a265c2a13d5d043-rtkit-daemon.service-Mv41QY
kde-ccc y2yamldata-RWLbVZ
>
(If I remember correctly, on 13.1 systems, the “systemd” directories may be missing.)
The mozilla_xxx/ directories can be emptied – completely – also removed.
In fact, each and every user directory (a non-system-user directory) can be removed completely – it’ll be recreated at the next system boot and/or login.
There may be some hidden (mostly user) directories also present: “/tmp/.esd-xxx/”; “/tmp/.font-unix/”; “/tmp/.ICE-unix/”; “/tmp/.Test-unix/”; “/tmp/.X11-unix/”; “/tmp/.XIM-unix/” – also clean these directories out . . .
Carry out the same actions in the “/var/tmp/” directory.
No need to be afraid: if you delete too much, it’ll be recreated at the next boot and/or user login.
With respect to each user’s local system data, repeat this recipe for the “hidden” directories in each user’s home directory:
Check for an unexpected hidden user directory due to “gstatic”.
A possible list of (13.2) expected hidden user directories and files is:
> ls -d .*
. .cache .emacs .gtkrc-2.0-kde4 .profile .thumbnails .xim.template
.. .compose-cache .esd_auth .history .recently-used .vim .xinitrc.template
.adobe .config .fltk .inputrc .scribus .viminfo .Xmodmap
.audacity-data .cups .fonts .kde4 .signature .vimrc .xsession-errors
.bash_history .dbus .gimp-2.8 .lesshst .skel .vnc .xsession-errors-:0
.bashrc .designer .gnome2 .local .ssh .w3m .xsession-errors-:1
.bluefish .directory .gnupg .macromedia .subversion .wine .y2log
.bogofilter .dmrc .gtkrc-2.0 .mozilla .svnqt .Xauthority .y2usersettings
>
Especially, check out each user’s “~/.mozilla/” and “~/.cache/” directories.
And, a little tip: if you’re using Firefox, install the plug-in “Ghostery” but, be aware that often web-sites will stop working because, “Ghostery” is consequent, vicious, and hard – that’s why it has web-site “white-list”.
> Yes, “gstatic.com” seems to be a piece of malware which used to be “Windows-only” but, from what you’re saying has now begun to annoy the users of machines running Linux.
> What to do? (Everything written on the Web related to removing the thing from machines running the product from the Redmond folks is difficult to apply to the Linux environment.)
> Please try the following:
Many thanks for this, will try it on my machine first as, although I don’t have the same symptoms as my friend, now see that noscript has gstatic in whitelist so no doubt I have the virus too! Will let you know how it goes.
> gogalthorp: 13.1 is no longer officially supported; it is still supported by the Evergreen project, so you have to switch repos.
thanks, hadn’t realised that 13.1 is no longer supported, would it be better to upgrade to 13.2 rather than switch repos?
> That should not affect browsers though. Which one? Maybe try a different one?
Only ever use Firefox but from searching gstatic looks like it affects all of them!
and sorry if it’s obvious & i just can’t see it but how do i get the ‘quote tags’ to display quotation marks & originally quoted by?
Ah now I see it ‘reply with quote’ Duh!
Oops!!!
Yes, “NoScript” could be better than “Ghostery” for many users and, it seems to be reasonably up-to-date:
Version 2.9.0.11 Info
Last Updated: April 6, 2016
Am Tue, 19 Jul 2016 12:56:02 GMT
schrieb Sosaidh <Sosaidh@no-mx.forums.microfocus.com>:
> > Yes, “gstatic.com” seems to be a piece of malware which used to be
> > “Windows-only” but, from what you’re saying has now begun to annoy the
> > users of machines running Linux.
> > What to do? (Everything written on the Web related to removing
> > the thing from machines running the product from the Redmond folks is
> > difficult to apply to the Linux environment.)
> >
> > Please try the following:
>
> many thanks for this, will try it on my machine first as, although i
> don’t have the same symptoms as my friend, now see that noscript has
> gstatic in whitelist so no doubt i have the virus too!
OH MY GOD!1111 WE’RE ALL GONNA DIE!!111111111111
Seriously, do you know the difference between the domain gstatic.com and
some virus/browser hijacker (coincidentally) also named “gstatic.com”?
Obviously not, and it pretty much seems you are not the only one.
The domain gstatic.com is owned by google and as you might find it annoying
that some (many?) google service also connect to gstatic.com to run some
javascript, this is definitely not a virus.
https://www.answers.com/Q/What_is_gstatic
https://en.wiki-domains.net/wiki/gstatic.com
If you block gstatic.com with noscript or another utility some google services
(like gmail) will not work as intended as they rely on the ability to connect
to gstatic.com and run javascript (amongst other things).
If you don’t trust those services (which is a valid point but NOT the issue
here), then don’t use them.
If you want to use google services which rely on the availability of the domain
gstatic.com, you will have to allow (i.e. whitelist) that domain or they will
not work correctly or at least give you some warnings that gstatic.com can not
be reached.
The developer of noscript decided to whitelist that domain (and some more, just
have a look at it) in order to avoid breaking some very popular domains (i.e.
google services).
AK
–
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
Yes, but, how is that going to help the originator of this thread?
Currently, attempts to browse to <https://www.gstatic.com/> result in:
404. That’s an error.
The requested URL / was not found on this server. That’s all we know.
Which may possibly mean that Google have recognised the issue and done something to alleviate the problems their customers are experiencing.
I suspect that, “Sosaidh” and his/her friends will have to initially do what I wrote earlier and also search each user’s directories for traces of a rogue executable (assuming that the thing has begun to drop executable files with the Linux ELF format onto the infected machines).
@Sosaidh:
Do you have “wine” installed on your systems?
If so, you may have this malware in the “~/.wine/” directory structures.
- IMHO the only way to effectively remove the thing will be to delete everything in the “~/.wine/” directories, and then re-install the MS Windows applications.
Please take note of the openSUSE “Lifetime” information: <https://en.opensuse.org/Lifetime>.
openSUSE 13.2 - will be maintained until 2 months after release of Leap 42.2 (EXPECTED First Quarter of 2017)
Please also take note of the openSUSE “Evergreen” information: <https://en.opensuse.org/openSUSE:Evergreen>
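The search for ELF-format files in user directories suggested in the post above, as an added example that is not part of the original thread. The function names `find_elf` and `make_sample` are hypothetical, and the sample tree is constructed for illustration:

```shell
#!/bin/sh
# Added example: list regular files whose first four bytes are the ELF
# magic number (0x7f 'E' 'L' 'F') under the given directories, for
# instance /tmp, /var/tmp, ~/.cache, ~/.mozilla or ~/.wine.
# Output format: "exec <path>" or "noexec <path>", one file per line.
# (File names containing newlines are not handled.)
find_elf() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip directories that do not exist
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            # Read only the first four bytes and render them as hex.
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then
                if [ -x "$f" ]; then flag=exec; else flag=noexec; fi
                printf '%s %s\n' "$flag" "$f"
            fi
        done
    done
}

# Constructed sample tree (not real data): one file that starts with an
# ELF header and has the execute bit set, and one ordinary text file.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/.cache/x"
    printf '\177ELF\002\001\001' > "$d/.cache/x/dropped"
    chmod +x "$d/.cache/x/dropped"
    printf 'user_pref("a", 1);\n' > "$d/.cache/x/prefs.js"
    printf '%s\n' "$d"
}

# When run with arguments, scan those directories, e.g.:
#   sh find_elf.sh /tmp /var/tmp "$HOME/.cache" "$HOME/.mozilla"
if [ "$#" -gt 0 ]; then
    find_elf "$@"
fi
```

A hit is a file to review, not proof of infection: browsers legitimately keep native plugin libraries under the profile directory.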
Am Wed, 20 Jul 2016 08:56:02 GMT
schrieb dcurtisfra <dcurtisfra@no-mx.forums.microfocus.com>:
> Yes, but, how is that going to help the originator of this thread?
With a little luck this will help that he stops hunting a ghost.
> Currently, attempts to browse to <https://www.gstatic.com/>
> result in:
> >
> > Google
> > 404. That’s an error.
> >
> > The requested URL / was not found on this server. That’s all we know.
> >
> Which may possibly mean that Google have recognised the issue and done
> something to alleviate the problems their customers are experiencing.
Either that, or it simply means what the error says.
The URL (sic!) is not available and that does not mean that there is no content
on that server, just that there is no content available under THAT URL, which
makes sense considering the use of gstatic.com.
It is NOT there for being browsed directly, it is there for static (hence the
name) content being loaded by other sites via javascript, CSS, etc.
via dedicated URLs and direct browsing is disabled.
Anyway, good luck in hunting the “gstatic virus”, if you really find it, it
will have nothing to do with the URL gstatic.com, but OTOH please send me a
sample then.
AK
–
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
Am Wed, 20 Jul 2016 10:36:36 GMT
schrieb AK <Akoellh@no-mx.forums.microfocus.com>:
> Am Wed, 20 Jul 2016 08:56:02 GMT
> schrieb dcurtisfra <dcurtisfra@no-mx.forums.microfocus.com>:
>
> > Yes, but, how is that going to help the originator of this thread?
>
> With a little luck this will help that he stops hunting a ghost.
>
> > Currently, attempts to browse to <https://www.gstatic.com/>
> > result in:
> > >
> > > Google
> > > 404. That’s an error.
> > >
> > > The requested URL / was not found on this server. That’s all we know.
> > >
> > Which may possibly mean that Google have recognised the issue and done
> > something to alleviate the problems their customers are experiencing.
>
> Either that, or it simply means what the error says.
>
> The URL (sic!) is not available and that does not mean that there is no
> content on that server, just that there is no content available under THAT
> URL, which makes sense considering the use of gstatic.com.
P.S.
Just to prove my point:
https://ssl.gstatic.com/ -> 404
https://ssl.gstatic.com/gb/images/p1_a4541be8.png -> little icons, classic case for static content
AK
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
Are you absolutely certain that, the network service is running correctly?
Which Name Server have you activated on your 13.1 systems?
- If it’s BIND then, try (with the “root” user) from a CLI Terminal prompt “rndc flush”.
- If you have a 13.1 with “nscd” then the command is “nscd -i <database>” where ‘<database>’ is one of “passwd group hosts services netgroup”.
The answer posted by “Akoellh” is a moot point: if you use Google then, you have to accept Google’s terms and conditions.
Currently not certain about this: using the Russian search engine Yandex doesn’t reveal anything definite about such a virus. There is an entry in the Kaspersky forum but, it also does not really reveal anything: <https://forum.kaspersky.com/index.php?showtopic=352226>
"Originally posted by Akoellh
OH MY GOD!1111 WE’RE ALL GONNA DIE!!
"Originally posted by Akoellh
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
Exactly :o
"Originally posted by Akoellh
The domain gstatic.com is owned by google and as you might find it annoying
that some (many?) google service also connect to gstatic.com to run some
javascript, this is definitely not a virus.
Thank you! feeling foolish but grateful to have the question answered, and the ghost hunt over, have to admit after reading results of my first search of gstatic.com my gut instinct said it's not a virus....should have trusted that and not the fear of attack !! Did do as suggested by dcurtisfra so have learnt at least how to really clean tmp folder....
When my friend first asked about this another thread here suggested her ISP and I had felt the problem was there too, so had her get in touch with them, she spoke to their tech guy who re-set her connection, which did help a lot, but he also told her she must have a really bad virus if she couldn’t close gmail without allowing something else to run, the ghost hunt was on!! Thanks again for dispelling that one
Know i’m an idiot but still don’t get how to reply with quotes properly so that it gives ‘originally posted by’ ?
Am Wed, 20 Jul 2016 12:46:01 GMT
schrieb Sosaidh <Sosaidh@no-mx.forums.microfocus.com>:
> > but still don’t get how to reply with quotes properly
> so that it gives ‘originally posted by’ ?
>
I suspect you are using the Forum via your web browser, while I am using the
forum as a Newsgroup with an NNTP reader (integrated into my mail client).
If you want to use quotes, you can do this via the Web interface while quoting
via the NNTP interface is done differently (and automatically in a way similar to
quoting when replying to an email).
That’s the difference and if I were you I would not bother and use the default
way of quoting which in the web interface will even look more elegant.
AK
–
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
[QUOTE=Akoellh;2785952]Am Tue, 19 Jul 2016 12:56:02 GMT
OH MY GOD!1111 WE’RE ALL GONNA DIE!!
Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
Exactly :o
The domain gstatic.com is owned by google and as you might find it annoying
that some (many?) google service also connect to gstatic.com to run some
javascript, this is definitely not a virus.
Thank you! feeling foolish but grateful to have the question answered, and the ghost hunt over, have to admit after reading results of my first search of gstatic.com my gut instinct said it's not a virus....should have trusted that and not the fear of attack !! Did do as suggested by dcurtisfra so have learnt at least how to really clean tmp folder!
When my friend first asked about her problems another thread here suggested her ISP which made sense to me so had her get in touch with them, she spoke with their tech guy who re-set connection, which helped a lot, but he also told her that she must have a nasty virus if she couldn’t close her gmail without allowing something else to run! the ghost hunt was on! So thanks for dispelling that one…
Guess we’ve already established that I’m an idiot but could somebody tell me how to reply properly with quotes so that it says 'originally posted by!?
This is how you do that technically:
[noparse]
quoted text here
[/noparse],
You can also use the Reply with Quote button.
@dcurtisfra
> Are you absolutely certain that, the network service is running correctly?
Does appear there was a problem with her network service as once she got in touch & had connection reset, a lot of problems disappeared and now that she’s taken gstatic out of noscripts untrusted list sites are working well again
> Do you have “wine” installed on your systems?
> If so, you may have this malware in the “~/.wine/” directory structures.
> - IMHO the only way to effectively remove the thing will be to delete everything in the “~/.wine/” directories, and then re-install the MS Windows applications.
Good to learn how to clean up directories but no don’t have ‘wine’ installed! thankfully…
> Please take note of the openSUSE “Lifetime” information: <https://en.opensuse.org/Lifetime>.
> openSUSE 13.2 - will be maintained until 2 months after release of Leap 42.2 (EXPECTED First Quarter of 2017)
Like 13.1 so will look into “Evergreen” but maybe time to take the ‘Leap’ just hoping this old machine will cope!
thanks for all your help
Better take the Leap now. 13.1 Evergreen’s support stops in November. There will be no more Evergreen, given the lifetime of Leap releases.
Ok still not quite getting it but improved, will try suggestions by @Akoellh
also wanting to mark this thread solved but not seeing where to do that now either!?
Thanks for that!