virus warning

Post by faeychild
This morning I had several warnings popup in the notification panel
"Your PC is at risk
Viruses found - Click to fix"
and followed by a red shield icon
The last Waring was followed by a blue Windows Icon
So- clearly legit and competent :-)
It seems to be associated with Firefox. I have no antivirus only
Ghostery and Noscript
It is curious, though

Yep, since you are running Linux, I have no idea where it came from based
on your description. I get on screen pop ups on some sites.
I have never had a notification panel alert.

David W. Hodgins

2022-05-02 23:03:15 UTC

What websites were loaded?

Regards, Dave Hodgins

faeychild

2022-05-03 03:36:41 UTC

On Mon, 02 May 2022 18:32:40 -0400, faeychild

What websites were loaded?
Regards, Dave Hodgins

Didn't think of that!! Phishing attacks ??

A TV guide and youtube tabs

I have noscript with
youtube , google and googlevideo.com trusted. The others are blocked

I may have to experiment a bit

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

William Unruh

2022-05-02 23:10:58 UTC

Do not click. This is almost certainly clickbait, or in otherwords, they
want to fix the lack of viruses on your machine by transfering one of
their own to you.

David W. Hodgins

2022-05-02 23:14:20 UTC

Post by William Unruh
Do not click. This is almost certainly clickbait, or in otherwords, they
want to fix the lack of viruses on your machine by transfering one of
their own to you.

Post by faeychild
This morning I had several warnings popup in the notification panel

I'd like to check out the site to see how it managed to get the popup into the
notification panel.

Regards, Dave Hodgins

faeychild

2022-05-03 03:50:24 UTC

Post by William Unruh
Do not click. This is almost certainly clickbait, or in otherwords, they
want to fix the lack of viruses on your machine by transfering one of
their own to you.

Post by faeychild
This morning I had several warnings popup in the notification panel

I'd like to check out the site to see how it managed to get the popup into the
notification panel.
Regards, Dave Hodgins

I am running youtube channels in several tabs and a TV guide

https://www.ourguide.com.au/tv_guide.php?r=melbourne&d=02052022&w=now&t=4
and earlier on "cracked.com and theregister.com"

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

David W. Hodgins

2022-05-03 18:35:48 UTC

Post by William Unruh
Do not click. This is almost certainly clickbait, or in otherwords, they
want to fix the lack of viruses on your machine by transfering one of
their own to you.

Post by faeychild
This morning I had several warnings popup in the notification panel

I'd like to check out the site to see how it managed to get the popup into the
notification panel.

I am running youtube channels in several tabs and a TV guide
https://www.ourguide.com.au/tv_guide.php?r=melbourne&d=02052022&w=now&t=4
and earlier on "cracked.com and theregister.com"

I'm not seeing any sort of a "virus warning" on youtube or ourguide. It's most
likely coming from an advertiser, but which ads show depends on location, browsing
history, and timing, so it can be difficult to track down the source.

Regards, Dave Hodgins

David W. Hodgins

2022-05-14 19:24:27 UTC

Post by William Unruh
Do not click. This is almost certainly clickbait, or in otherwords, they
want to fix the lack of viruses on your machine by transfering one of
their own to you.

Post by faeychild
This morning I had several warnings popup in the notification panel

I'd like to check out the site to see how it managed to get the popup into the
notification panel.

I am running youtube channels in several tabs and a TV guide
https://www.ourguide.com.au/tv_guide.php?r=melbourne&d=02052022&w=now&t=4
and earlier on "cracked.com and theregister.com"

Just came across https://it.slashdot.org/story/22/05/14/1838213/hackers-are-exploiting-wordpress-tools-to-hawk-scams
which may explain the cause.

Regards, Dave Hodgins

faeychild

2022-05-15 22:11:58 UTC

Post by David W. Hodgins
Just came across
https://it.slashdot.org/story/22/05/14/1838213/hackers-are-exploiting-wordpress-tools-to-hawk-scams
which may explain the cause.
Regards, Dave Hodgins

Well Well! An ancient threat arises. Like the Kraken reborn

Mine went quiet when I killed notifications from "discaffix.com".

Not my doing but there it was in Firefox settings

Aragorn saved me some considerable grief

Regards

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Aragorn

2022-05-03 16:04:18 UTC

Post by William Unruh
Do not click. This is almost certainly clickbait, or in otherwords,
they want to fix the lack of viruses on your machine by transfering
one of their own to you.

Post by faeychild
This morning I had several warnings popup in the notification panel

I'd like to check out the site to see how it managed to get the popup
into the notification panel.

Commonly this is the result of the biological unit between the
keyboard and the chair having allowed notifications for that site.

If this is enabled for that particular site and that particular browser,
then as soon as the site detects that your browser is online — you
don't even have to load the site — it'll push out a notification.

Myself, I only allow that for two sites: YouTube and the Manjaro forum.
But these days, it's one of the first things you are asked when
visiting a site. Not THE first thing, though. That would be whether
to allow cookies. And the second thing is whether you want to
subscribe to their newsletter. And your third click is to stop the
auto-playing video. :p

Just kidding, but you get the gist. ;)

--
With respect,
= Aragorn =

faeychild

2022-05-03 22:18:14 UTC

Post by Aragorn
subscribe to their newsletter. And your third click is to stop the
auto-playing video. :p
Just kidding, but you get the gist. ;)

YES!!! Particularly the damn auto playing video.
That must be disabled every time Firefox updates :-(

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Aragorn

2022-05-03 22:57:05 UTC

Post by Aragorn
subscribe to their newsletter. And your third click is to stop the
auto-playing video. :p
Just kidding, but you get the gist. ;)

YES!!! Particularly the damn auto playing video.
That must be disabled every time Firefox updates :-(

Either way, the point is that with notifications enabled across the
board, it doesn't matter what tabs you have open, because that one
particular site that sends the notification is picking up that you've
launched Firefox and will send out that notification, even when you're
not visiting that site.

I always disable notifications and only allow exceptions for the two
sites I've mentioned, i.e. YouTube and the Manjaro forum. Likewise for
sites wanting to know my location and wanting to access my camera and
microphone — neither of which I have on this particular computer
anyway.

But you do have to have your wits about you when setting up a
browser, and Firefox is no exception to that rule. If you don't want to
be tracked by Google, then you should always check the following...:

° Always send a "do not track me" signal to the server, not just in
private windows. (Note: Not al servers respect this. Most notably,
Google and Mozilla themselves do not respect this signal.)

° Disable the "Warn you for dangerous software", because that's a
Google spy tool. It checks every URL you visit against Google's
list of infected websites.

° Set DuckDuckGo as your main search engine and disable Google as
a search engine. Mozilla gets a considerable amount of money from
Google for making Google the default search engine in Firefox.

--
With respect,
= Aragorn =

faeychild

2022-05-04 01:54:36 UTC

Post by Aragorn
But you do have to have your wits about you when setting up a
browser, and Firefox is no exception to that rule. If you don't want to
° Always send a "do not track me" signal to the server, not just in
private windows. (Note: Not al servers respect this. Most notably,
Google and Mozilla themselves do not respect this signal.)
° Disable the "Warn you for dangerous software", because that's a
Google spy tool. It checks every URL you visit against Google's
list of infected websites.
° Set DuckDuckGo as your main search engine and disable Google as
a search engine. Mozilla gets a considerable amount of money from
Google for making Google the default search engine in Firefox.

Yep! Most of those
Still considering DuckDuck

How have you set "HTTPS-Only Mode"
mine is set to "Don't". I wonder about it. I haven't researched it

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Aragorn

2022-05-04 14:07:00 UTC

Post by Aragorn
But you do have to have your wits about you when setting up a
browser, and Firefox is no exception to that rule. If you don't
want to be tracked by Google, then you should always check the
° Always send a "do not track me" signal to the server, not just
in private windows. (Note: Not al servers respect this. Most
notably, Google and Mozilla themselves do not respect this
signal.)
° Disable the "Warn you for dangerous software", because that's a
Google spy tool. It checks every URL you visit against Google's
list of infected websites.
° Set DuckDuckGo as your main search engine and disable Google as
a search engine. Mozilla gets a considerable amount of money
from Google for making Google the default search engine in
Firefox.

Yep! Most of those
Still considering DuckDuck
How have you set "HTTPS-Only Mode"
mine is set to "Don't". I wonder about it. I haven't researched it

Well, I use Chromium as my main browser with Firefox — and most
specifically, it's a modified Firefox from the Arch User Repository,
with extended support for KDE Plasma integration, such as "global menu"
support (which I need) — as a fallback. Both are set to https-only, but
with an exception for my router, which does not accept https.

I've also got Falkon and Pale Moon installed, but I rarely ever use
those, and I haven't even checked whether it's enabled there.

--
With respect,
= Aragorn =

faeychild

2022-05-07 01:47:17 UTC

That one is done

Post by Aragorn
° Disable the "Warn you for dangerous software", because that's a
Google spy tool. It checks every URL you visit against Google's
list of infected websites.

I haven't found this one yet

Post by Aragorn
° Set DuckDuckGo as your main search engine and disable Google as
a search engine. Mozilla gets a considerable amount of money from
Google for making Google the default search engine in Firefox.

I have both in my toolbar. I'm weaning off Google

Pour yourself a drink, Aragorn. I think you found it with the
notification settings

I had two
yahoomail and discaffix.com of all sites.

I disabled them and the notifications stopped

I have been clear for over two hours

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

2022-05-10 11:47:45 UTC

° Disable the "Warn you for dangerous software", because that's a
Google spy tool. It checks every URL you visit against Google's
list of infected websites.

I haven't found this one yet

In Firefox ESR, go to Edit/Settings/Privacy and Security. Scroll down to
near the bottom of the page, and it will be under "Security."

TJ

faeychild

2022-05-10 22:11:05 UTC

Post by TJ

° Disable the "Warn you for dangerous software", because that's a
Google spy tool. It checks every URL you visit against Google's
list of infected websites.

I haven't found this one yet

In Firefox ESR, go to Edit/Settings/Privacy and Security. Scroll down to
near the bottom of the page, and it will be under "Security."
TJ

I have "Block dangerous and deceptive content"

Assuming this is it?

regards

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Aragorn

2022-05-11 01:45:35 UTC

Post by TJ

° Disable the "Warn you for dangerous software", because that's
a Google spy tool. It checks every URL you visit against
Google's list of infected websites.

I haven't found this one yet

In Firefox ESR, go to Edit/Settings/Privacy and Security. Scroll
down to near the bottom of the page, and it will be under
"Security."

I have "Block dangerous and deceptive content"
Assuming this is it?

Yes. That setting, if enabled, checks every URL you visit against a
database at Google.

--
With respect,
= Aragorn =

faeychild

2022-05-03 03:43:46 UTC

Post by William Unruh
Do not click. This is almost certainly clickbait, or in otherwords, they
want to fix the lack of viruses on your machine by transfering one of
their own to you.

As I surmised from David's post - phishing

The alerts in the notification panel are not hot and can't respond to
clicks. It makes the entire exercise seem sad and incompetent.

What must it be like to run Windows?

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

faeychild

2022-05-03 08:58:40 UTC

So further on today I've had web pages not loading or webpage menus not
responding.
And if I set every entry in the noscript menu to trusted, the webpages
load fine.

I may try un-installing noscript and see what happens.

I just checked the "About Firefox" to get the version and the popup
window was blank until I set noscript to all trusted

Firefox 91.8.0esr (64-bit)

I wonder about this and the coincidence with the virus warning

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Doug Laidlaw

2022-05-04 01:12:13 UTC

So further on today I've had web pages not loading or webpage menus not
responding.
And if I set every entry in the noscript menu to trusted, the webpages
load fine.
I may try un-installing noscript and see what happens.
I just checked the "About Firefox" to get the version and the popup
window was blank until I set noscript to all trusted
Firefox 91.8.0esr (64-bit)
I wonder about this and the coincidence with the virus warning

Linux is not by nature impervious to viruses; it is just that nobody has
written a virus for Linux. A magazine contained an article describing
in detail, how to write a basic virus for Linux.

I ALWAYS treat messages like yours as suspect, whether they look genuine
or not. This one looks to me like a phishing attempt. If you have no
other reason to suspect a virus, I would ignore it. All you need to do
to be infected is to open the message!

As an example of phishing, some time ago, I received an email, probably
purporting to be from eBay. (At this moment, a screen has popped up with
a window border style like Mint. I was able to close it; it was from a
HTML editor whose launcher was visible.) What I was trying to say was,
that every link in the message was genuine, EXCEPT the one for your
login information, which went to a different IP address, i.e. somebody's
home computer.

Doug.

faeychild

2022-05-04 03:36:35 UTC

I agree. A sudden arrival of multiple virus warnings, AND in the
notification panel as well, is highly suspicious.
And now with the noscript extension suddenly behaving badly, I can only
ponder

regards

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Bit Twister

2022-05-04 03:54:35 UTC

I agree. A sudden arrival of multiple virus warnings, AND in the
notification panel as well, is highly suspicious.
And now with the noscript extension suddenly behaving badly, I can only
ponder

If you are not going to give us failing urls you could at least use a test
account to very if problem is system wide or just local to your account.
For example I have a test account "junk". It becomes trivial for me to
click up a xterm
su -u junk
\rm -r .mozilla/*
firefox
and install noscript.

The above deletes previous firefox user files and forces firefox into
a pristine setup without any user changes.

If same noscript errors/problems on same URLs in junk indicates a sysetm
wide problem.

Note site may notice connection from same IP addy and respond differently.

2022-05-05 12:36:24 UTC

Post by Doug Laidlaw
Linux is not by nature impervious to viruses; it is just that nobody has
written a virus for Linux. A magazine contained an article describing
in detail, how to write a basic virus for Linux.

I wouldn't get too complacent with that theory. In my years on the
Mageia QA team, every once in a while we get a security hole fix that is
urgent to test because the hole is known to have been exploited "in the
wild."

So it isn't that "nobody" has written malware for Linux - it's just much
less common.

Post by Doug Laidlaw
I ALWAYS treat messages like yours as suspect, whether they look genuine
or not. This one looks to me like a phishing attempt. If you have no
other reason to suspect a virus, I would ignore it. All you need to do
to be infected is to open the message!
As an example of phishing, some time ago, I received an email, probably
purporting to be from eBay. (At this moment, a screen has popped up with
a window border style like Mint. I was able to close it; it was from a
HTML editor whose launcher was visible.) What I was trying to say was,
that every link in the message was genuine, EXCEPT the one for your
login information, which went to a different IP address, i.e. somebody's
home computer.

Some of these things are platform-independent. It's been a long time
since this happened, but I remember clicking on a site from a Google
search years back that immediately redirected me to something that had a
notification pop up like happened to the OP, clearly meant for Windows
users, but affecting Linux Firefox anyway. The difference was that I
couldn't close it through normal means. It took my browser over almost
completely. I had to resort to ctrl-alt-delete to stop it.

Like I said, it hasn't happened for a long time. That's probably because
of the many changes that have happened to Firefox in the years since. I
have seen a popup now and again, but they don't take over the browser
any more.

I don't use Google as my search engine these days, and I don't miss it
even a little bit. I use DuckDuckGo. If it wasn't the nightmare it would
be to change it everywhere I do business I'd consider dumping Gmail as well.

TJ

Bit Twister

2022-05-05 14:17:50 UTC

Post by TJ
Some of these things are platform-independent. It's been a long time
since this happened, but I remember clicking on a site from a Google
search years back that immediately redirected me to something that had a
notification pop up like happened to the OP, clearly meant for Windows
users, but affecting Linux Firefox anyway. The difference was that I
couldn't close it through normal means. It took my browser over almost
completely. I had to resort to ctrl-alt-delete to stop it.

Yup, been there, done that, have the T-shirt and hat.

I have FF set up to always switch to new tab/window and middle click mouse
to see link page.
That gives me a chance to use Ctl w to close the current tab window.

Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

Post by TJ
I don't use Google as my search engine these days, and I don't miss it
even a little bit. I use DuckDuckGo. If it wasn't the nightmare it would
be to change it everywhere I do business I'd consider dumping Gmail as well.

HEHEHEHE, I was thinking the same thing because they broke my fetchmail script.
Was real happy to get it back running about two or three days ago.

I do have to work on postfix to see if I can get it to send via gmail from my node.

Aragorn

2022-05-05 15:00:12 UTC

Post by TJ
Some of these things are platform-independent. It's been a long time
since this happened, but I remember clicking on a site from a Google
search years back that immediately redirected me to something that
had a notification pop up like happened to the OP, clearly meant
for Windows users, but affecting Linux Firefox anyway. The
difference was that I couldn't close it through normal means. It
took my browser over almost completely. I had to resort to
ctrl-alt-delete to stop it.

Yup, been there, done that, have the T-shirt and hat.
I have FF set up to always switch to new tab/window and middle click
mouse to see link page.
That gives me a chance to use Ctl w to close the current tab window.
Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending window
work anymore in Mageia? (It's independent of the chosen window manager
or desktop environment.)

In Manjaro it still does, and last I checked, in PCLinuxOS as well —
for details, please consult Mrs. Sellers of the PCLOS Marketing
Department. :p

I'd be surprised if Mageia had somehow decided to disable that
functionality, although admittedly, I don't know whether it works under
Wayland. That's a very different beast, of course.

--
With respect,
= Aragorn =

Bit Twister

2022-05-05 15:14:00 UTC

Post by TJ
Some of these things are platform-independent. It's been a long time
since this happened, but I remember clicking on a site from a Google
search years back that immediately redirected me to something that
had a notification pop up like happened to the OP, clearly meant
for Windows users, but affecting Linux Firefox anyway. The
difference was that I couldn't close it through normal means. It
took my browser over almost completely. I had to resort to
ctrl-alt-delete to stop it.

Yup, been there, done that, have the T-shirt and hat.
I have FF set up to always switch to new tab/window and middle click
mouse to see link page.
That gives me a chance to use Ctl w to close the current tab window.
Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending window
work anymore in Mageia?

Never tried it. Do not want to try while replying to this post.

Post by Aragorn
(It's independent of the chosen window manager
or desktop environment.)

Ok, I am using Xfce as DE.

Bit Twister

2022-05-05 17:34:56 UTC

Post by Bit Twister
Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending window
work anymore in Mageia? (It's independent of the chosen window manager
or desktop environment.)

Does not seem to work on Xfce Mageia 8 release.

Aragorn

2022-05-05 17:49:58 UTC

Post by Bit Twister
Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending
window work anymore in Mageia? (It's independent of the chosen
window manager or desktop environment.)

Does not seem to work on Xfce Mageia 8 release.

That's odd, because that functionality is an X11 builtin. Are you
using Wayland by any chance?

Oh and by the way, you don't need a root prompt to kill a misbehaving
Firefox. Just a regular prompt will do.

$ killall firefox

... will send a SIGKILL to all Firefox processes running under your
user account. If you do that from a root prompt, then it'll kill all
Firefox processes in the system, including those run under a different
UID.

--
With respect,
= Aragorn =

Bit Twister

2022-05-05 18:42:22 UTC

Post by Bit Twister
Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending
window work anymore in Mageia? (It's independent of the chosen
window manager or desktop environment.)

Does not seem to work on Xfce Mageia 8 release.

That's odd, because that functionality is an X11 builtin. Are you
using Wayland by any chance?

Not that I can tell.
$ cat /etc/sysconfig/desktop
DISPLAYMANAGER=lightdm

]$ systemctl status display-manager.service | grep PID:
Main PID: 790 (lightdm)

Post by Aragorn
Oh and by the way, you don't need a root prompt to kill a misbehaving
Firefox. Just a regular prompt will do.

hehehehe, going to assume you can not kill other user process if not root. :)

I have separate user accounts for anything needing id/pw.

$ grep firefox /etc/passwd | wc -l
11

$ grep mail /etc/passwd | wc -l
7

I click a desktop shortcut which will su into whatever account and that login
will launch desired browser/mail user agent.
Upon app exit, it logs out of the account.
Browser accounts submit an at job to tar in a pristine ~/.mozilla tar file
and check for new files.

Post by Aragorn
$ killall firefox
... will send a SIGKILL to all Firefox processes running under your
user account. If you do that from a root prompt, then it'll kill all
Firefox processes in the system, including those run under a different
UID.

or use the pkill command pkill -f firefox which is the typical kill command
I use in my scripts.

Aragorn

2022-05-05 19:26:15 UTC

Post by Bit Twister
Sometimes I can use a desktop hot key to switch desktop window
to get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending
window work anymore in Mageia? (It's independent of the chosen
window manager or desktop environment.)

Does not seem to work on Xfce Mageia 8 release.

That's odd, because that functionality is an X11 builtin. Are you
using Wayland by any chance?

Not that I can tell.
$ cat /etc/sysconfig/desktop
DISPLAYMANAGER=lightdm
Main PID: 790 (lightdm)

That's not the right way to check for Wayland. Try this — this is all
one line:

$ loginctl show-session $(awk '/tty/ {print $1}' <(loginctl)) -p\
Type | awk -F= '{print $2}'

If you don't get any output from that command, then you're still using
X11. If you're on Wayland, it will tell you that.

Do you have xkill installed? That's what Ctrl+Alt+Esc invokes,
normally.

[nx-74205:/dev/pts/3][/home/aragorn]
[aragorn] > locate xkill
/usr/bin/xkill
/usr/share/licenses/xorg-xkill
/usr/share/licenses/xorg-xkill/COPYING
/usr/share/man/man1/xkill.1.gz

Post by Aragorn
Oh and by the way, you don't need a root prompt to kill a
misbehaving Firefox. Just a regular prompt will do.

hehehehe, going to assume you can not kill other user process if not root. :)

Correct. It would be oddly amusing if you could kill other users'
processes. :p

Post by Bit Twister
I have separate user accounts for anything needing id/pw.
$ grep firefox /etc/passwd | wc -l
11
$ grep mail /etc/passwd | wc -l
7
I click a desktop shortcut which will su into whatever account and
that login will launch desired browser/mail user agent.
Upon app exit, it logs out of the account.
Browser accounts submit an at job to tar in a pristine ~/.mozilla tar
file and check for new files.

Okay, that explains why you'd want a root prompt. ;)

--
With respect,
= Aragorn =

Bit Twister

2022-05-05 22:54:26 UTC

Post by Bit Twister
Sometimes I can use a desktop hot key to switch desktop window
to get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending
window work anymore in Mageia? (It's independent of the chosen
window manager or desktop environment.)

Does not seem to work on Xfce Mageia 8 release.

That's odd, because that functionality is an X11 builtin. Are you
using Wayland by any chance?

Not that I can tell.
$ cat /etc/sysconfig/desktop
DISPLAYMANAGER=lightdm
Main PID: 790 (lightdm)

That's not the right way to check for Wayland. Try this — this is all
$ loginctl show-session $(awk '/tty/ {print $1}' <(loginctl)) -p\
Type | awk -F= '{print $2}'

Nothing comes back.

Post by Aragorn
If you don't get any output from that command, then you're still using
X11. If you're on Wayland, it will tell you that.
Do you have xkill installed? That's what Ctrl+Alt+Esc invokes,
normally.

If so I would have to assume DE hotkey definition which Mageia Xfce does
not have Ctrl+Alt+Esc set. Tried it again and no xkill skull cross bones
pointer shows up to pick app window/screen to kill. My Desktop xkill
shortcut does launch xkill

$ get_src_rpm xkill

Looked for : xkill
Using : /usr/bin/xkill
Installed rpm : xkill-1.0.5-3.mga8
rpm short name: xkill
Source rpm : xkill-1.0.5-3.mga8.src.rpm
Information : (none)
Packager : umeabot <umeabot>
Summary : Kill a client by its X resource
List rpm contents: rpm --query --list xkill-1.0.5-3.mga8

William Unruh

2022-05-06 01:56:17 UTC

Post by Bit Twister
Sometimes I can use a desktop hot key to switch desktop window
to get a root prompt to kill firefox.

Doesn't Ctrl+Alt+Esc followed by a mouse-click on the offending
window work anymore in Mageia? (It's independent of the chosen
window manager or desktop environment.)

Does not seem to work on Xfce Mageia 8 release.

That's odd, because that functionality is an X11 builtin. Are you
using Wayland by any chance?

Not that I can tell.
$ cat /etc/sysconfig/desktop
DISPLAYMANAGER=lightdm
Main PID: 790 (lightdm)

That's not the right way to check for Wayland. Try this — this is all
$ loginctl show-session $(awk '/tty/ {print $1}' <(loginctl)) -p\
Type | awk -F= '{print $2}'

Nothing comes back.

I get
tty

tty
coming back

alt-ctrl-esc does nothing for me (Mga8) with xkill installed.

Post by Bit Twister
$ get_src_rpm xkill
Looked for : xkill
Using : /usr/bin/xkill
Installed rpm : xkill-1.0.5-3.mga8
rpm short name: xkill
Source rpm : xkill-1.0.5-3.mga8.src.rpm
Information : (none)
Packager : umeabot <umeabot>
Summary : Kill a client by its X resource
List rpm contents: rpm --query --list xkill-1.0.5-3.mga8

David W. Hodgins

2022-05-06 02:32:09 UTC

Post by William Unruh
alt-ctrl-esc does nothing for me (Mga8) with xkill installed.

It works in Plasma on my system. Press alt-ctrl-esc and then click on a window
such as a konsole, and it kills the konsole.

It doesn't work in Xfce4 though.

Regards, Dave Hodgins

Bit Twister

2022-05-06 03:00:35 UTC

Post by William Unruh
alt-ctrl-esc does nothing for me (Mga8) with xkill installed.

It works in Plasma on my system. Press alt-ctrl-esc and then click on a window
such as a konsole, and it kills the konsole.
It doesn't work in Xfce4 though.

Yep, launch "xfce4-settings-editor", select xfce4-keyboard-shortcuts
and scroll around and you will notice no clt-ctrl-esc definition.

William Unruh

2022-05-06 15:19:45 UTC

Post by William Unruh
alt-ctrl-esc does nothing for me (Mga8) with xkill installed.

It works in Plasma on my system. Press alt-ctrl-esc and then click on a window
such as a konsole, and it kills the konsole.
It doesn't work in Xfce4 though.

Ah, the computer I tried it on is XFCE

Post by David W. Hodgins
Regards, Dave Hodgins

2022-05-05 16:07:06 UTC

Yup, been there, done that, have the T-shirt and hat.
I have FF set up to always switch to new tab/window and middle click mouse
to see link page.
That gives me a chance to use Ctl w to close the current tab window.
Sometimes I can use a desktop hot key to switch desktop window to
get a root prompt to kill firefox.

As I think about it, I don't remember getting one of those "takeover"
sites since Firefox was revamped to not use the old plugins any more,
something about running tabs/windows in a sandbox now. Although, it
actually could be longer even than that.

I too have my search engine set to open a new tab when I click on a
link, so maybe that makes a difference. I have seen phony "Your PC is
INFECTED" sites, but all I have to do is close the tab.

HEHEHEHE, I was thinking the same thing because they broke my fetchmail script.
Was real happy to get it back running about two or three days ago.
I do have to work on postfix to see if I can get it to send via gmail from my node.

I couldn't dump gmail altogether, anyway. I need a google account of
some sort to be able to use the "Google Play Store" (terrible name for a
repository) to install even free software on my Android devices.

TJ

faeychild

2022-05-04 03:18:37 UTC

Further developments are a feral "Noscript" that started breaking
websites yesterday
Sites fail to load or load incompletely
For instance, I thought to upload a screenshot of the notifications only
to find that "imagebox" site was blocked by Noscript

I had to check all as "trusted" to have it load.
Many other sites are behaving like this.

And I wonder if the virus warning is at all connected.

https://imgbox.com/rnbMTz1T

screenshot showing notification warnings

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Bit Twister

2022-05-04 03:42:07 UTC

Post by faeychild
This morning I had several warnings popup in the notification panel

Ah, so, Now we can see that those were not notifications in the panel.
They were pop up from web site.

Post by faeychild
"Your PC is at risk
Viruses found - Click to fix"
and followed by a red shield icon
The last Waring was followed by a blue Windows Icon
So- clearly legit and competent :-)

Nope, usual window crap from either an infected site or just click bait
for the site to gain ad revenue. A bit of reflection should make a linux
user wonder how a web page can scan the install for viruses. :)

Post by faeychild
It seems to be associated with Firefox. I have no antivirus only
Ghostery and Noscript
It is curious, though

Further developments are a feral "Noscript" that started breaking
websites yesterday
Sites fail to load or load incompletely
For instance,

And yet more useless information. :(

PROVIDE LINK(s) TO ALLOW US TO AT LEAST HAVING A SHOT AT TELLING
_YOU_ IF THE PROBLEM IS GLOBAL OR JUST LOCAL ON YOUR SYSTEM.

Post by faeychild
I thought to upload a screenshot of the notifications only
to find that "imagebox" site was blocked by Noscript

FYI: You can use import desired.format_here to pull items off your screen
improving pointing attention to desired item. Example: import random_name.png or
import random_name.jpg

$ get_src_rpm import

Looked for : import
Using : /usr/bin/magick
Installed rpm : imagemagick-7.0.10.62-1.mga8.tainted
rpm short name: imagemagick
Source rpm : imagemagick-7.0.10.62-1.mga8.tainted.src.rpm
Information : http://www.imagemagick.org/
Packager : neoclust <neoclust>
Summary : An X application for displaying and manipulating images
List rpm contents: rpm --query --list imagemagick-7.0.10.62-1.mga8.tainted

Post by faeychild
I had to check all as "trusted" to have it load.
Many other sites are behaving like this.
And I wonder if the virus warning is at all connected.
https://imgbox.com/rnbMTz1T
screenshot showing notification warnings

Yep, all site generated pop ups.

faeychild

2022-05-06 04:25:13 UTC

Post by faeychild
It seems to be associated with Firefox. I have no antivirus only
Ghostery and Noscript
It is curious, though

I have removed "noscript" because fighting on two fronts is insane. One
battle at a time. And they may be linked

The virus warning is associated with Firefox.
It did not manifest virus warnings with the 'Junk" user even after 50
minutes of running junk user's Firefox.

But came back immediately that I logged back to my site,

I comes through only on Youtube site, but not every time on youtube.

It can happen immediately or may take several minutes.

I am intrigued that the warning uses the notification panel and not a
popup window in Firefox

Firefox does not scan for viruses so it is a phishing attempt
It doesn't happen with junk user.
The time line is erratic. Maybe it is polling

To waste less of my dwindling life span I am considering backup of
bookmarks and passwords and remove re-install Firefox.

I don't have the remotest inkling how the phishing would differentiate
between users on the same machine unless something was installed on my
setup.

All the more reason to remove it

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Bit Twister

2022-05-06 05:37:22 UTC

Post by faeychild
It seems to be associated with Firefox. I have no antivirus only
Ghostery and Noscript
It is curious, though

I have removed "noscript" because fighting on two fronts is insane. One
battle at a time. And they may be linked
The virus warning is associated with Firefox.
It did not manifest virus warnings with the 'Junk" user even after 50
minutes of running junk user's Firefox.
But came back immediately that I logged back to my site,
I comes through only on Youtube site, but not every time on youtube.
It can happen immediately or may take several minutes.
I am intrigued that the warning uses the notification panel and not a
popup window in Firefox
Firefox does not scan for viruses so it is a phishing attempt
It doesn't happen with junk user.
The time line is erratic. Maybe it is polling
To waste less of my dwindling life span I am considering backup of
bookmarks and passwords and remove re-install Firefox.

Very good idea to always save bookmarks and whatnot. It does
not hurt to use the saved stuff and do the restore in the app in a test
account to verify no loss of contents. I found out the hard way that I did
not get my ThunderBird address book exported/imported correctly for
importing into claws-mail.

Post by faeychild
I don't have the remotest inkling how the phishing would differentiate
between users on the same machine unless something was installed on my
setup.
All the more reason to remove it

Code on web site keeps database of ip addresses making connection.

Go to http://browserspy.dk/ to see stuff your browser provides.

Saw an article quite awhile back about some smart malware checking if
access was from a virtual machine and would not activate so as to hide
better from malware hunters and code.

As for ip address run any of the following:
curl http://icanhazip.com
curl http://ident.me
curl whatismyip.akamai.com
curl https://ipecho.net/plain
wget -qO - http://icanhazip.com
wget -qO - http://ident.me/
wget -qO - http://smxi.org/opt/ip.php
wget -qO - https://ipecho.net/plain

from both user accounts and you will see that your ISP ip address is the same.

faeychild

2022-05-06 22:23:37 UTC

Post by faeychild
Firefox does not scan for viruses so it is a phishing attempt
It doesn't happen with junk user.
The time line is erratic. Maybe it is polling
To waste less of my dwindling life span I am considering backup of
bookmarks and passwords and remove re-install Firefox.

And reconstruction from memory is imperfect with nagging doubts about
something missed. I have done stuff like that.

I don't have a test account so the next best thing would be to rename
"mozilla" folder, let it rebuild and see what happens

Post by Bit Twister
Code on web site keeps database of ip addresses making connection.
Go to http://browserspy.dk/ to see stuff your browser provides.

Yes. The browser certainly squeals. Shouts it from the rooftops

And I always find something at these sites.

navigator.appMinorVersion Property is not supported!
navigator.appMinorVersion is not a string. It's a undefined

navigator.securityPolicy Property is not supported!
navigator.securityPolicy is not a string. It's a undefined .

Does that matter??

Great!! Who knows Now I'm up for more research and heavy Googling

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Aragorn

2022-05-06 22:48:40 UTC

Post by faeychild
I don't have a test account so the next best thing would be to rename
"mozilla" folder, let it rebuild and see what happens

Firefox menu → (Edit →) Settings → Privacy & Security.

↓

Scroll down until you see "Permissions". Click on the "Settings"
button next to "Notifications".

↓

Look at the sites that are listed there. Block anything that looks
suspicious and removing anything that you're certain you're not ever
going to visit.

--
With respect,
= Aragorn =

William Unruh

2022-05-07 01:50:44 UTC

And reconstruction from memory is imperfect with nagging doubts about
something missed. I have done stuff like that.
I don't have a test account so the next best thing would be to rename
"mozilla" folder, let it rebuild and see what happens

Well make a test account. Just make a new user in MCC->System->Manage
Users

Post by Bit Twister
Code on web site keeps database of ip addresses making connection.
Go to http://browserspy.dk/ to see stuff your browser provides.

Yes. The browser certainly squeals. Shouts it from the rooftops
And I always find something at these sites.
navigator.appMinorVersion Property is not supported!
navigator.appMinorVersion is not a string. It's a undefined
navigator.securityPolicy Property is not supported!
navigator.securityPolicy is not a string. It's a undefined .
Does that matter??
Great!! Who knows Now I'm up for more research and heavy Googling

Bit Twister

2022-05-07 02:52:58 UTC

And reconstruction from memory is imperfect with nagging doubts about
something missed. I have done stuff like that.
I don't have a test account so the next best thing would be to rename
"mozilla" folder, let it rebuild and see what happens

Dead easy to create. mcc->System
mcc->System->Manage users on system
or just drakuser at root prompt

Post by Bit Twister
Code on web site keeps database of ip addresses making connection.
Go to http://browserspy.dk/ to see stuff your browser provides.

Yes. The browser certainly squeals. Shouts it from the rooftops
And I always find something at these sites.
navigator.appMinorVersion Property is not supported!
navigator.appMinorVersion is not a string. It's a undefined
navigator.securityPolicy Property is not supported!
navigator.securityPolicy is not a string. It's a undefined .
Does that matter??

You have an irrigating habit for asking questions and not providing
the commands/instructions for us to recreate the condition's for
researching your problem/question.

I spent several minutes looking through browserspy selections and did
not see your messages.

faeychild

2022-05-07 05:06:50 UTC

Post by Bit Twister
Dead easy to create. mcc->System
mcc->System->Manage users on system
or just drakuser at root prompt

You mean the junk user.
I have never considered that for destructive testing.
I'm not sure why! it's perfectly suited

Post by faeychild
And I always find something at these sites.
navigator.appMinorVersion Property is not supported!
navigator.appMinorVersion is not a string. It's a undefined
navigator.securityPolicy Property is not supported!
navigator.securityPolicy is not a string. It's a undefined .
Does that matter??

You have an irrigating habit for asking questions and not providing
the commands/instructions for us to recreate the condition's for
researching your problem/question.

The question was rhetorical . I will have to mark them as such or not
state them. And the "undefined-not supported" mumbo jumbo above is
typical of the comments that sends me off all day to google trying to
understand something I don't care about, And totally sidetracks my
original purpose>

Post by Bit Twister
I spent several minutes looking through browserspy selections and did
not see your messages.

Well that's even more interesting. Your setup is clearly different and
doesn't trigger the same warnings.

After an afternoon on Google will I find that it doesn't matter?
Don't answer that! Rhetorical again :-)

My original "virus" warning seems to have been solved by Aragorn. So
maybe I have the time after all

I found an entry in Notifications for "discaffix". An evil site:
according to Google

And I have saved the "junk" user from destruction

regards

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Bit Twister

2022-05-07 12:26:03 UTC

Post by Bit Twister
Dead easy to create. mcc->System
mcc->System->Manage users on system
or just drakuser at root prompt

You mean the junk user.
I have never considered that for destructive testing.
I'm not sure why! it's perfectly suited

Yep, helps to quickly isolate if the problem is system wide or just
with the user account.

Post by Bit Twister
I spent several minutes looking through browserspy selections and did
not see your messages.

Well that's even more interesting.

And begs the question were the messages in the terminal or in app?

Post by faeychild
Your setup is clearly different and
doesn't trigger the same warnings.

That is what we do when looking at user questions in an attempt to
run down the problem. If the problem is not in a user pristine app usage
then the problem can be an app setting if not Desktop setting.

The su - junk access rules out Desktop setting. You would logout your
user account and into junk to test under Desktop conditions.

With me testing, it is always with the latest firefox/thunderbird apps because
I usually upgrade from vendor site within a day of new version release.
Also have to take into consideration I run Xfce DE.

Post by faeychild
After an afternoon on Google will I find that it doesn't matter?
Don't answer that! Rhetorical again :-)

For me it is a quick pasting of error message in the second box at
https://www.google.com/advanced_search
scroll possible selections for what looks close as to description
and Solved/Solution word if present.

Post by faeychild
My original "virus" warning seems to have been solved by Aragorn. So
maybe I have the time after all

Yep, I concur, and the screenshot cleared up that the pop up was just
a site generated message and not a DE Panel notification which threw me
off track. That would worry me.

Post by faeychild
according to Google

I would always have to take that Google's warning seriously.

Post by faeychild
And I have saved the "junk" user from destruction

That is the purpose of the account, You wipe it and start with a
fresh/clean setup to have a known debugging starting point.

I also have a "normal" account which is an unmodified DE account where
I can use its files for comparesion when debugging some DE problem.

I once experimented with changing Themes and dinked up my account.
That broke me of exterminating in my user account. It improves
productivity to have other accounts for testing. For example: ls /home
bittwister gnome junk kde normal xfce

faeychild

2022-05-08 00:15:30 UTC

Post by Bit Twister
with the user account.

Post by Bit Twister
I spent several minutes looking through browserspy selections and did
not see your messages.

I can't find it myself now and I can't remember which test I used and I
can't locate the original link - from Aragorn, I think

Post by faeychild
Well that's even more interesting.

And begs the question were the messages in the terminal or in app?

terminal? the messages were in the browserspy web page and I still
haven't Googled them.

Post by Bit Twister
That is the purpose of the account, You wipe it and start with a
fresh/clean setup to have a known debugging starting point.

Absolutely correct
I have a mental block. I have never considered "junK" as sacrificial

I need to have a talk to myself

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

faeychild

2022-05-08 00:25:20 UTC

Post by faeychild
I can't find it myself now and I can't remember which test I used and I
can't locate the original link - from Aragorn, I think

It's under the "Browser" test. I would swear it didn't work a moment
ago. The list order has changed also.

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

Bit Twister

2022-05-08 03:05:27 UTC

Post by faeychild
I can't find it myself now and I can't remember which test I used and I
can't locate the original link - from Aragorn, I think

It's under the "Browser" test. I would swear it didn't work a moment
ago.

Not sure bu magia may have released a new firefox update.

Post by faeychild
The list order has changed also.

Shucky dern, there is the keywords I missed. My vendor firefox release output is
navigator.appName Netscape
navigator.appCodeName Mozilla
navigator.appVersion 5.0 (X11)
navigator.appMinorVersion Property is not supported! navigator.appMinorVersion is not a string. It's a undefined
navigator.vendor
navigator.userAgent Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 . More info...
navigator.oscpu Linux x86_64 . More info...
navigator.platform Linux x86_64
navigator.securityPolicy Property is not supported! navigator.securityPolicy is not a string. It's a undefined . More info...
navigator.onLine true . More info...
Info browser.name firefox
Info browser.version 100.0
Info layout.name gecko
Info layout.version 100.0
Info os.name linux
Internet Explorer real version This only works in Microsoft Internet Explorer!

I do not pay any attention to anything with 'Microsoft' in the line.

faeychild

2022-05-08 12:13:06 UTC

Post by Bit Twister
Internet Explorer real version This only works in Microsoft Internet Explorer!
I do not pay any attention to anything with 'Microsoft' in the line.

That is not an error on your part, it's a feature! :-)

--
faeychild
Running plasmashell 5.20.4 on 5.15.35-desktop-2.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

2022-05-06 12:50:36 UTC

Post by faeychild
It seems to be associated with Firefox. I have no antivirus only
Ghostery and Noscript
It is curious, though

I have removed "noscript" because fighting on two fronts is insane. One
battle at a time. And they may be linked
The virus warning is associated with Firefox.
It did not manifest virus warnings with the 'Junk" user even after 50
minutes of running junk user's Firefox.
But came back immediately that I logged back to my site,
I comes through only on Youtube site, but not every time on youtube.
It can happen immediately or may take several minutes.
I am intrigued that the warning uses the notification panel and not a
popup window in Firefox
Firefox does not scan for viruses so it is a phishing attempt
It doesn't happen with junk user.
The time line is erratic. Maybe it is polling
To waste less of my dwindling life span I am considering backup of
bookmarks and passwords and remove re-install Firefox.
I don't have the remotest inkling how the phishing would differentiate
between users on the same machine unless something was installed on my
setup.
All the more reason to remove it

If "junk" is unaffected, just removing and re-installing Firefox is
unlikely to help. The problem most likely rests within the faeychild
Firefox profile. Junk would be using a different profile, but the same
Firefox.

Removing Firefox will not delete the individual user profiles, which
reside in the .mozilla folder in the individual /home directories.

TJ

Aragorn

2022-05-06 17:13:08 UTC