While using whonix, I noticed something in workstation which is worth
considering. In the home directory (I mean /home/user/) there was a
".htaccess" file which I had not created. Inside, the file had defined
".txt" extention as PHP script. The thing some hackers do to execute
text files as PHP. Also I hadn’t installed apache webserver. Could this possibly be an attack?
Are you running a hidden service of any kind?
Perhaps you accidentally downloaded the file using a browser?
This topic might even be a good template for a FAQ where we explain script kiddies vs sophisticated attackers and off-the-shelf malware vs tailored malware. Or perhaps we just improve the malware chapter?
It’s unlikely the result of a compromise. Any slightly skilled attacker would not leave such obvious traces. Long time ago I educated myself on malware building toolkits, they were not even remotely as obviously detectable as this. You can verify that by learning about off-the-shelf malware building toolkits. It is certainly dangerous to install (sadly only if you do not know what you are doing) and use such software, but researching textual, screenshots and video tutorials should be safe.
It is more likely, that rootkit technology is already a standard feature of malware build toolkits. Can someone share more knowledge on this topic? Are there any (linux) open source malware builder tools?
The only thing that might have happened is an attacker wanting you to find something. But how likely is that? It occurs to me, because script kiddies do stuff like remote controlling random Windows user victims and then troll them opening a forced chat window, opening their dvd driver and other stuff. But for linux, I don’t know if that kind of script kiddie stuff even exists. And sophisticated attackers would avoid, unless perhaps Zersetzung is their strategy.
Firstly thanks for the responses but I really don’t have an idea how that file appeared in my home directory. About the the part that you said maybe I accidentally downloaded it, there is a problem with this theory. If I download a script I must have found it usefull for some reason. If it is useful to me (for example maybe I wanted to have a sample of a special script) then I save it in a good directory indicating what’s inside for further referencing not put it like garbage in home directory. Please pay attention that the file was hidden (whith a dot at the beggining) exactly like a standard “.htaccess”
It is very unlikely that I did it myself. And ofcourse that file in the home directoy would have no use even for the attacker. Why some attacker should place it there? maybe just to make a fun? How? Or maybe a warning? Cause it is clear that I somehow would find the file. If really somebody else put it there it means a compromise. No difference for what purpose.
About this part, can you please mention some good resources, PDFs , videos or anything educational ? (I have programming abilities in different languages, if this helps)
Thank You
That’s why I wrote accidentally. Some server may have been (temporarily) misconfigured serving .htaccess file, offering it for download rather than internally using it. A short distraction and then pressing a key you wanted to press, thereby accepting the download warning and boom, you got the file.
Anything is possible. Fun, unlikely, since so easily missed and disregarded imho. A warning or Zersetzung, perhaps.
Yes.
I am not sure it’s wise to advertise this. However, if you use search engines and ask in the right places, I am quite sure you will find the right search terms to be enabled to do further research.