Critical: Unknown file (backdoored?), Plasma broken

Briefly describe your issue below:

Context: new used laptop. Wiped the drive clean. Inspected for hardware tampering for good measure. Installed parrotsec on it to try for a week. I have done absolutely nothing to, or fiddled with, the inner workings of the distro apart from the frequent parrot-upgrade. Also watched some YouTube on it from time to time.

The issue was two-fold, the latter more serious. After another parrot-upgrade, KDE Plasma broke: widgets disappeared from the panel (all of them), right-click and mouse wheel (scroll through workspaces) don’t work on the desktop, and the search doesn’t work, i.e. no search entries display. The second, more serious issue is that an unknown file appeared in my /home/user, disguised as a video file but not working with VLC; it is actually a text file that I opened in nano, which turns out to be a little garbled version of the man page of passwd. The exact title of the file (ignore the double quotes) was “that shouldn’t boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.” Anyway, everything apart from /boot is encrypted. But that’s not really relevant, I digress. Why did this unknown file appear out of nowhere? Am I compromised? Is the firmware backdoored remotely? Should I scrap it or just do a clean install again on the drive? I already permanently disabled Computrace and AMT, by the way.

What version of Parrot are you running? (include version (e.g. 4.6), edition (e.g. Home/KDE/OVA, etc.), and architecture (currently we only support amd64))

4.7 KDE Plasma amd64

What method did you use to install Parrot? (Debian Standard / Debian GTK / parrot-experimental)

Debian Standard. The one that has a simple GUI with keyboard controls.

Configured to multiboot with other systems? (yes / no)

No.

If there are any similar issues or solutions, link to them below:

If there are any error messages or relevant logs, post them below:

It’s tough to say where this file could come from, but the KDE issue you are talking about, I had it as well. I don’t remember exactly what I did, but if memory serves me right, after an update it fixed itself.

Can you upload the file so we can take a look?


@Louis
Maybe share the hash (sha256) if you are not sure whether someone has you on target with the presumed backdoor file. There are a bunch of malware databases online to verify whether the file is malware or not. However, if it’s well-crafted malware targeted only at you, I doubt any anti-malware would detect it on the basis of a signature. Heuristic behaviour is a different subject.

But to be on the safer side, upload the file to a cloud [Google Drive, if you use it] in an encrypted archive and drop a link to that file here :) I’m good with malware analysis. Maybe I could help.

Cheers!

A checksum will not do much if the file (especially a binary file) can change/patch itself or it is completely new malware. Giving the whole file is the best way to analyse it.

I know. I suggested @Louis share the checksum just in case she thinks the presumably malicious file may contain sensitive data that she might not want to share publicly.
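A defender's first look at a file like the one described in this thread, as an added example rather than code posted by anyone here: it prints the sha256 so the hash can be shared instead of the file, the owner and timestamps to line up with the parrot-upgrade, and whether a phrase from the file matches any installed manual page, which would point to a stray copy of local documentation. It assumes GNU coreutils and gzip and man pages under /usr/share/man; the man directory and file names used for testing are constructed.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Assumes GNU coreutils
# (sha256sum, stat, od, head) and gzip; man pages under /usr/share/man.

# Hash to share with responders instead of the file itself.
file_sha256() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Succeeds if the first 4 KiB contain no NUL byte, i.e. the file is plain
# text (a "video" that is really text, as in the thread, passes this).
is_text() {
    ! head -c 4096 -- "$1" | od -An -tx1 | grep -q ' 00'
}

# Search installed manual pages for a distinctive phrase from the file.
# A hit suggests a stray copy of local documentation rather than something
# planted. Keep the phrase short: roff markup can split longer ones.
# $2 overrides the man directory (tests point it at a constructed temp dir).
find_in_manpages() {
    phrase="$1"; mandir="${2:-/usr/share/man}"
    [ -d "$mandir" ] || return 1
    find "$mandir" -type f -name '*.gz' 2>/dev/null | while read -r m; do
        gzip -dc -- "$m" 2>/dev/null | grep -qF -- "$phrase" && echo "$m"
    done | head -n 1 | grep .
}

# One report for an unexpected file: hash, owner/mode, timestamps to line up
# with the upgrade, and whether its first words match an installed man page.
triage_file() {
    f="$1"; mandir="${2:-/usr/share/man}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    echo "sha256:  $(file_sha256 "$f")"
    stat -c 'owner:   %U:%G mode %a\nmtime:   %y\nctime:   %z' -- "$f"
    if is_text "$f"; then
        phrase=$(grep -m1 . -- "$f" | cut -d' ' -f1-4)
        if hit=$(find_in_manpages "$phrase" "$mandir"); then
            echo "content: text; matches installed man page $hit"
        else
            echo "content: text; no installed man page contains \"$phrase\""
        fi
    else
        echo "content: binary; do not run it, share the hash or an encrypted archive"
    fi
}
```

Run it as `triage_file /path/to/the/file`. A man-page hit explains the content but not how the file got there, so keep the owner and timestamp lines for that question.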