Webcam activates on its own, security issue?

Sup guys,

A few minutes ago my laptop made some beep beep noises and a few seconds later the webcam activated on its own for about 1 second. My guess is that it took a photo, but I didn't trigger it, so my first thought is that my laptop is compromised and someone is accessing my stuff, which of course is a big problem. So far the only new stuff I installed recently is the google-talkplugin and skypeforlinux-bin packages (both from AUR repositories) because I need them for my job.

I haven't installed or configured any firewall nor any security stuff besides what Manjaro has by default, so here are my questions:

  • How can I improve my security?
  • Is there any firewall by default on Manjaro? If so, how do I configure it?
  • Have any of you guys experienced anything like this before?
  • Any port I should block to avoid any remote connection?
  • How can I check if any package has been compromised on my install?
  • Any other advice on what to do in these cases?
  • Should I do a clean install? I would rather not, since that would take me quite some time to make a backup of everything...
  • And finally, I'm an active gamer, what rules should I add to keep Steam and its games connected?

Here is some info about my Manjaro install and laptop, just in case it is a hardware related security issue, since it is a Lenovo and that brand has a long history of adding backdoors and stuff like that...:

System:    Host: TATO Kernel: 4.7.10-1-MANJARO x86_64 (64 bit gcc: 6.2.1) Desktop: KDE Plasma 5.8.3 (Qt 5.7.0)
           Distro: Manjaro Linux
Machine:   Device: laptop System: LENOVO product: 20DM008UUS v: ThinkPad S3 Yoga 14
           Mobo: LENOVO model: 20DM008UUS v: SDK0E50512 STD UEFI: LENOVO v: JFET39WW(1.16) date: 04/27/2015
Battery    BAT0: charge: 3.5 Wh 7.1% condition: 49.5/56.0 Wh (88%) model: SMP 00HW001 status: Charging
CPU:       Dual core Intel Core i5-5200U (-HT-MCP-) cache: 3072 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 8782
           clock speeds: max: 2700 MHz 1: 2499 MHz 2: 2499 MHz 3: 2635 MHz 4: 2546 MHz
Graphics:  Card-1: Intel HD Graphics 5500 bus-ID: 00:02.0
           Card-2: NVIDIA GM108M [GeForce 940M] bus-ID: 04:00.0
           Display Server: X.Org 1.18.4 driver: intel Resolution: 1920x1080@59.98hz
           GLX Renderer: Mesa DRI Intel HD Graphics 5500 (Broadwell GT2)
           GLX Version: 3.0 Mesa 13.0.1 Direct Rendering: Yes
Audio:     Card-1 Intel Wildcat Point-LP High Definition Audio Controller driver: snd_hda_intel bus-ID: 00:1b.0
           Card-2 Intel Broadwell-U Audio Controller driver: snd_hda_intel bus-ID: 00:03.0
           Card-3 C-Media driver: USB Audio usb-ID: 002-009
           Sound: Advanced Linux Sound Architecture v: k4.7.10-1-MANJARO
Network:   Card: Intel Wireless 7265 driver: iwlwifi bus-ID: 02:00.0
           IF: wlp2s0 state: up mac: 34:02:86:a0:ca:62
Drives:    HDD Total Size: 1016.2GB (81.1% used)
           ID-1: /dev/sda model: HGST_HTS541010A7 size: 1000.2GB
           ID-2: /dev/sdb model: SanDisk_SSD_U110 size: 16.0GB
Partition: ID-1: / size: 69G used: 62G (95%) fs: ext4 dev: /dev/sda5
           ID-2: swap-1 size: 16.01GB used: 0.00GB (0%) fs: swap dev: /dev/sdb1
Sensors:   System Temperatures: cpu: 47.0C mobo: 35.0C
           Fan Speeds (in rpm): cpu: 0
Info:      Processes: 204 Uptime: 3:40 Memory: 6858.3/7903.1MB Init: systemd Gcc sys: 6.2.1
           Client: Shell (bash 4.4.01) inxi: 2.3.4

Thanks in advance for everyone that can help me with this!

Really simple textbook approach:

Use dark tape to cover webcam and microphone.

You could place a piece of cardboard under the tape so as not to glue your cam and mic. Remove it when the need to use them arises.

Also from the textbook:

  • Opening unexpected attachments in email is a no go, even from people you know.
  • Visiting known malware, password, porn, warez sites is a no go.

Very simple precautions which will lift your security level a lot.

Edit:
A firewall is installed but you might need to configure it to your needs and use cases.

Search for Firewall in programs.

The firewall can be configured with a variety of profiles which can suit different needs.

I have no knowledge of how you could locate the point of entry and, to that end, what files were modified.

Thanks for the advice, the webcam stuff was the first thing I did after that happened and I will do the same for the mic. The attachments are also not really an issue for me since I'm very careful with that, as well as with the malware and porn sites; I know very well the dangers of that kind of stuff.

Please feel free to speak more technically, I'm a developer and have like 7 years using different Linux distros, doing bash scripts and stuff like that, just not a security expert guy :slight_smile:

Now for the firewall stuff, what is the default firewall installed on Manjaro? I couldn't find it as a GUI nor the package name. I searched for it using PkgBrowser and it displayed these:

cutter
ferm
firewalld
fwbuilder
fwknop
gufw
postfwd
shorewall
shorewall6
ufw

but none of these packages are installed. I have used gufw and ufw before, really easy to use, but haven't installed it since I wouldn't want to have 2 firewalls at the same time. Also used one from Fedora some time ago but can't remember its name.

I think the best way to describe my use cases would be to describe my daily software use:

  • Dev stuff like netbeans, mysql, ssh, git, local apache server
  • Games from steam like CS:GO
  • Internet browsing and download: firefox, chrome, ktorrent
  • Chat clients: skypeforlinux, hangouts
  • Screen share apps: team viewer (I enable its services only when I need to use it)
  • Multimedia: Amarok, VLC, Gimp

My manjaro-gnome has it.

It is called Uncomplicated Firewall, ufw for short. The graphical component is called gufw.

So you could open a terminal and do

$ gufw

which, if ufw is installed, will request a password and open the graphical interface. If it is not installed, do

$ sudo pacman -Syu gufw ufw

For the actual configuration you start out with the defaults.

In any case, block incoming traffic originating from outside your computer - your LAN but not from the internet. E.g. an incoming rule that blocks everything except 192.168.x.y/32 (equal to a subnet of 1 IP).

After you have verified that the attack is not originating inside your network you can broaden the scope and allow traffic originating from inside your local network. E.g. 192.168.x.y/24 (equal to a subnet of 254 IPs).

Create a rule to monitor and log outgoing traffic without blocking it. This way you will have a reasonable chance of catching the cause of your webcam activity.

When you find something suspicious you block it and continue monitoring the logs. If you indeed are infected I'd say a couple of hours and you will have found the pest.

If you want to look at the file level to see what files have been modified during a given time frame you could use this:

touch -t yyyymmdd0000 start # creates a file named start with timestamp
touch -t yyyymmdd0000 stop # creates a file named stop with timestamp
find . -newer start \! -newer stop # search for everything in between timestamps

snippet source

Let's talk about that firewall.....

If you have open ports listening for connections from the outside these will show up when you type

sudo netstat -4 -6 -anp

You will get a list of TCP/IP connections to external targets. You will also see a list of ports with a LISTEN in the state column.

For each of these the addresses and ports are also indicated, either in IPv4 or IPv6 format followed by the port number. Addresses with 0.0.0.0 or a whole bunch of ::::: mean listening and accepting connections from the world.

These LISTEN ports are the ONLY ports you need to be concerned with.

If you can explain every one of those you have nothing to fear. If your machine is not listening for and accepting connections then you can't get hacked. You probably don't need a firewall.

Some things listen to the world, like sshd, smbd, cupsd. But these have their own restrictions in their configuration files.

So again, this is Linux, not Windows. If a port is not open and listening your machine will not accept any traffic on it.

Adding a firewall means writing iptables rules for every type of packet you want to pass or reject. But to reject a packet you first have to let it in only to discard it. Better to just keep the port closed.
Now back to @tato :

google-talkplugin and skypeforlinux-bin

You need look no further for the source of your problem. You did that to yourself. Two pieces of un-trusted code that you run all the time, and then ask about security?

Why not just use Pidgin or Kopete? You can still talk to Google users, and the code is at least audited and won't be accessing your camera.

As for Skype? Not on any of my machines. It's a direct pipeline to the NSA courtesy of Microsoft. If you have to run it for your job, don't sound surprised when people are watching you on your own web cam.

2 Likes
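Taking the netstat advice above one step further, here is an added example (mine, not code from that post) that filters `netstat -4 -6 -anp` output down to the LISTEN sockets bound to 0.0.0.0 or ::, the ones accepting connections from the world, and skips loopback-only binds. The netstat sample it runs on is constructed; the PIDs and addresses are made up.

```shell
# Added example (not from the thread): print "PORT ADDR PID/PROGRAM" for every
# LISTEN socket bound to all addresses (0.0.0.0 or ::) in netstat -anp output.
# Reads the files given as arguments, or stdin when there are none.
world_listeners() {
    awk '$6 == "LISTEN" {
        # Local Address is "addr:port"; split on the LAST colon so IPv6 works
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::")
            print port, addr, $NF
    }' "$@"
}

# Constructed sample of `sudo netstat -4 -6 -anp` output (made up for this
# example; 203.0.113.5 is a documentation address).
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1011/mysqld
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      740/cupsd
tcp        0      0 0.0.0.0:4713            0.0.0.0:*               LISTEN      1503/pulseaudio
tcp        0      0 192.168.1.20:44512      203.0.113.5:443         ESTABLISHED 2201/firefox
tcp6       0      0 :::80                   :::*                    LISTEN      903/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      740/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           610/dhcpcd
EOF

# On a live box: sudo netstat -4 -6 -anp | world_listeners
# Here only sshd (22), pulseaudio (4713) and httpd (80) are listed; the
# loopback-only mysqld and cupsd binds are not reachable from outside.
world_listeners "$NETSTAT_SAMPLE"
```

Every line it prints is one you should be able to explain, per the post above; the pulseaudio one is exactly the case discussed further down the thread.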

If you want to check whether your installed files were "corrupted" since installation, there are a few ways to do it:

sudo pacman -Qkk (I don't know exactly which checks it does; you will need to save the output to a file as it's a long output),

There is also paccheck or pacreport in pacutils from AUR.

paccheck --help shows all the possibilities:

paccheck --help
paccheck - check installed packages
usage:  paccheck [options] [<package>]...
        paccheck (--help|--version)

   --config=<path>    set an alternate configuration file
   --dbpath=<path>    set an alternate database location
   --root=<path>      set an alternate installation root
   --null[=<sep>]     parse stdin as <sep> separated values (default NUL)
   --quiet            only display error messages
   --help             display this help information
   --version          display version information

   --recursive        perform checks on package [opt-]depends
   --depends          check for missing dependencies
   --opt-depends      check for missing optional dependencies
   --files            check installed files against package database
   --file-properties  check installed files against MTREE data
   --md5sum           check file md5sums against MTREE data
   --sha256sum        check file sha256sums against MTREE data
   --backup           include backup files in modification checks
   --noextract        include NoExtract files in modification checks
   --noupgrade        include NoUpgrade files in modification checks

There is certainly also a way to list all files that are not owned by a package. I don't know it right now.

Then, if the "malware" is in a package, there is no way to know it, besides some rootkit tools or looking at the source. :wink:

Here is an example:

$[stephane@manjaro_vm ~]$ sudo paccheck --file-properties --quiet
warning: config /etc/pacman.conf line 20: unknown option 'SyncFirst'
filesystem: '/etc/mtab' symlink target mismatch (expected /proc/self/mounts)
filesystem: '/etc/mtab' modification time mismatch (expected 2015-09-30 22:43:21)
grub: '/boot/grub/grub.cfg' permission mismatch (expected 644)
java-runtime-common: '/usr/lib/jvm/default' symlink target mismatch (expected /dev/null)
java-runtime-common: '/usr/lib/jvm/default' modification time mismatch (expected 2014-11-02 14:26:06)
java-runtime-common: '/usr/lib/jvm/default-runtime' symlink target mismatch (expected /dev/null)
java-runtime-common: '/usr/lib/jvm/default-runtime' modification time mismatch (expected 2014-11-02 14:26:06)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.alias' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.alias' size mismatch (expected 983.00 K)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.alias.bin' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.alias.bin' size mismatch (expected 961.76 K)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.builtin.bin' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.dep' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.dep' size mismatch (expected 454.20 K)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.dep.bin' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.dep.bin' size mismatch (expected 615.73 K)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.devname' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.softdep' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.symbols' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.symbols' size mismatch (expected 474.32 K)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.symbols.bin' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.symbols.bin' size mismatch (expected 588.31 K)
lsb-release: mtree data not available
maia-icon-theme: '/usr/share/icons/maia/index.theme' modification time mismatch (expected 2016-10-13 03:33:47)
maia-icon-theme: '/usr/share/icons/maia/index.theme' size mismatch (expected 1.97 K)
manjaro-alsa: mtree data not available
manjaro-hotfixes: '/etc/polkit-1/rules.d' UID mismatch (expected 102/polkitd)
manjaro-hotfixes: '/etc/polkit-1/rules.d' GID mismatch (expected 0/root)
manjaro-pulse: mtree data not available
redland: mtree data not available
reiserfsprogs: mtree data not available
renderproto: mtree data not available

I have a question, maybe someone knows... a lot of packages don't have mtree data... why? Or is it maybe a bug in paccheck, as yes, there are some mtree files missing (is it an option when building the package?), but redland has an mtree file.

1 Like
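The paccheck output above is mostly noise (packages without MTREE data, kernel module indexes regenerated on install), so here is an added example (mine, not from the post or from pacutils) that triages it: it drops those two classes and prints the rest as package, path and kind of mismatch. The sample it runs on is constructed from a few lines of the post plus a made-up openssh checksum line with a placeholder hash.

```shell
# Added example (not from the thread): reduce `paccheck --file-properties`
# output to the findings worth a look. Lines for packages that ship no MTREE
# data and plain modification-time mismatches are dropped; size, permission,
# UID/GID, symlink-target and checksum mismatches come out as
# package<TAB>path<TAB>kind. Reads files given as arguments, or stdin.
paccheck_triage() {
    awk -F"'" '
        /^warning:/ { next }                     # pacman.conf parse warnings
        / mtree data not available$/ { next }    # nothing to compare against
        / modification time mismatch / { next }  # mtime alone is expected noise
        NF >= 3 {
            pkg = $1; sub(/: $/, "", pkg)        # "pkg: " -> "pkg"
            kind = $3; sub(/^ /, "", kind); sub(/ \(expected .*$/, "", kind)
            print pkg "\t" $2 "\t" kind          # $2 is the quoted path
        }' "$@"
}

# Number of surviving findings per package, for a first glance.
paccheck_by_package() {
    paccheck_triage "$@" | cut -f1 | sort | uniq -c
}

# Constructed sample in paccheck's output format. The openssh line is made up
# to show what a checksum finding looks like; the hash is a placeholder.
PACCHECK_SAMPLE=$(mktemp)
cat > "$PACCHECK_SAMPLE" <<'EOF'
warning: config /etc/pacman.conf line 20: unknown option 'SyncFirst'
filesystem: '/etc/mtab' symlink target mismatch (expected /proc/self/mounts)
filesystem: '/etc/mtab' modification time mismatch (expected 2015-09-30 22:43:21)
grub: '/boot/grub/grub.cfg' permission mismatch (expected 644)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.alias' modification time mismatch (expected 2016-11-21 20:00:39)
linux44: '/usr/lib/modules/4.4.34-1-MANJARO/modules.alias' size mismatch (expected 983.00 K)
lsb-release: mtree data not available
manjaro-hotfixes: '/etc/polkit-1/rules.d' UID mismatch (expected 102/polkitd)
openssh: '/usr/bin/sshd' sha256sum mismatch (expected SHA256_PLACEHOLDER)
EOF

# On a live box: sudo paccheck --file-properties --sha256sum --quiet 2>&1 | paccheck_triage
paccheck_triage "$PACCHECK_SAMPLE"
paccheck_by_package "$PACCHECK_SAMPLE"
```

A checksum mismatch on a binary like sshd is the kind of line to chase first; a permission mismatch on grub.cfg is usually a local admin's doing, but still worth confirming.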

Definitely remove the skype client, they don't care for Linux users and even the Windows client has been behaving more suspiciously than usual the last couple of months. Either use the web interface or something like GhettoSkype which is just a web app for the web version of skype.

If I may jump in and ask an additional, only partially related question. Pulseaudio is doing this. If I kill it, it comes back right away. I can uninstall it. But is this the best solution? Will I lose sound on the computer? Will I lose anything else? (besides port listening :wink:) What is the best way of dealing with pulseaudio since, as you already said, blocking pulseaudio from doing it would be better than filtering it out afterwards with a firewall.

I was searching the internet for answers, but 'pulseaudio' 'listening' 'ports' 'blocking' brings all kind of useless links :slight_smile:

Thanks everyone for all the advice, I will check all of it out once I'm finished with some post release bugs I'm dealing with on my job today :smiley:. I was thinking of installing the clamav toolkit to do a double check along with all the things you guys mentioned, just to make sure there isn't any funny business going on.

@AlManja, pulseaudio manages all your audio devices so yeah, if you remove it you will lose your audio. I was playing with it a few weeks ago to make a USB Audio Adapter work (it worked btw) but don't know all its features to tell you if that's a normal behavior or not. You may need to ask it in another post for more detailed info :slight_smile:

1 Like

NO. You can still play sound with ALSA without pulse.
The attraction to pulseaudio (if there is one) is that it allows you to play sound from one machine to other machines on your network. Pulse is only supposed to listen locally, on your local network.

All 17 people who actually WANT to play sound from one machine to another could do this before Pulse was foisted on the Linux world.

Pulseaudio comes back on because systemd turns it back on.

After uninstalling it you might have to reboot, and check your alsa settings but sound will work without pulse.

1 Like

Ahh cool, I will uninstall it then, thank you!

Expect some configuration changes and hunting down bugs.
And maybe force a reinstall of alsa after you uninstall pulse.
It's got hooks into everything. It was written by the systemd guy.

Open your web browser, open any page, right click on it, click on View Page Info, click on Permissions. You can then see why your cam flicked on and your mic was active; check the entries. I did this on the Manjaro page: all defaulted on for cam, mic, data, and every nasty is default on.

You could install rkhunter, to check for rootkits?

I don't remember what exactly I did before to get rid of PA continuously listening without losing PA. Maybe you can try to uninstall the networking part like pulseaudio-zeroconf.

Sounds like a good idea.

Yes I know who. I have read that he moved on to new projects such as systemd before he completely finished pulse and a few others like this...

That "...hunting down bugs..." scared me, since it is way above my pay grade. I uninstalled 6 different programs/packages, whatever had pulse in its name. Luckily everything is working. (Phew!) Well, I only tried YouTube. I have some videos in my queue to watch/learn. Videos have sound, that's all I need, I'm not very demanding :slight_smile:

Thanks for all the help and information!

p.s.
When we get customizable net edition, pulse will not be in my install list :wink:

If you live behind a router/firewall, this is not necessary.

Also, if you want to double check whether your machine's pulseaudio can be connected to, look in /etc/pulse/default.pa, where you should see something like this:

### Network access (may be configured with paprefs, so leave this commented
### here if you plan to use paprefs)
#load-module module-esound-protocol-tcp
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
#load-module module-zeroconf-publish

The un-commented line allows connections from anywhere, but then filters them to allow only connections from 127.0.0.1. This is a stupid practice, because you now have yet another place for people to check to be sure their machine is secure. Besides, it allows Joe User to override this by simply making a copy of default.pa in their own directory and thereby allow access from anywhere to their own user pulseaudio.

See this page for Details.

You can try commenting out that line to see if doing so stops pulse from listening remotely while still providing local pulse services. If that fails you just have to trust pulse to filter properly. (Or uninstall it.) (A perfect example of arrogant programming, but about what you would expect considering who wrote pulseaudio.)

Even PulseAudio's own documentation confirms the boatload of security issues that pulseaudio has built in.

1 Like
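Since the post above points out that both /etc/pulse/default.pa and a per-user copy decide whether pulse listens on TCP, here is an added example (mine, not from the post or from PulseAudio) that checks any default.pa you hand it and reports whether module-native-protocol-tcp is loaded and whether an auth-ip-acl restricts it. The three sample files are constructed: the stock system file, a user copy with the ACL dropped, and a hardened copy with the line commented out.

```shell
# Added example (not from the thread): for each default.pa given, say whether
# module-native-protocol-tcp is loaded and whether auth-ip-acl limits it.
# Run it on /etc/pulse/default.pa AND ~/.config/pulse/default.pa (and the older
# ~/.pulse/default.pa), since a per-user copy overrides the system file.
pulse_tcp_exposure() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: no such file"
            continue
        fi
        # only an uncommented load-module line counts; "#load-module ..." is inert
        line=$(grep -E '^[[:space:]]*load-module[[:space:]]+module-native-protocol-tcp' "$f" | head -n 1)
        if [ -z "$line" ]; then
            echo "$f: tcp module not loaded"
        elif acl=$(printf '%s\n' "$line" | grep -oE 'auth-ip-acl=[^[:space:]]+'); then
            echo "$f: tcp module loaded, restricted by $acl"
        else
            echo "$f: tcp module loaded with no auth-ip-acl (accepts any host)"
        fi
    done
}

# Constructed sample files: stock system file, a per-user copy that drops the
# ACL, and a hardened copy with the tcp module commented out.
PULSE_DIR=$(mktemp -d)
cat > "$PULSE_DIR/system-default.pa" <<'EOF'
### Network access (may be configured with paprefs, so leave this commented
### here if you plan to use paprefs)
#load-module module-esound-protocol-tcp
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
#load-module module-zeroconf-publish
EOF
cat > "$PULSE_DIR/user-default.pa" <<'EOF'
load-module module-native-protocol-tcp
EOF
cat > "$PULSE_DIR/hardened-default.pa" <<'EOF'
#load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
EOF

pulse_tcp_exposure "$PULSE_DIR/system-default.pa" "$PULSE_DIR/user-default.pa" "$PULSE_DIR/hardened-default.pa"
```

Whatever the files say, confirm it against the socket list: the netstat check earlier in the thread is the ground truth for what is actually bound.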

