Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Virus protection

Mon Jun 01, 2015 2:39 pm

I have the idea that my RPi has a virus.

About 2 weeks ago the wget command suddenly disappeared.
Today the crontab -e was changed to another crontab, but not done by me.
About a month ago I found a strange file called "dead.letter". I removed that.

Is there a possibility to check for viruses?
Or how can I know whether somebody logged in?
I do have an extra personal login. Besides that, I changed the standard password for user "pi" about a week ago.

RaTTuS
Posts: 10559
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK
Contact: Twitter YouTube

Re: Virus protection

Mon Jun 01, 2015 2:46 pm

Are you connected to the internet?
Have you opened up remote login of your RPi from the internet?
Have you disabled user pi?
Are you using ssh keys and not passwords?
Does anyone else have access to your RPi?

Then:
If you are concerned, copy any data you have off the SD card,
re-image the SD card from Raspbian and put on the things you use,
follow proper security.

Looking to see if you have a virus on a running system is not the way to do it.
Scan your SD card on another machine.

If an attacker has access then all bets are off - everything done via that machine should be considered broken.
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV


mikerr
Posts: 2825
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK
Contact: Website

Re: Virus protection

Mon Jun 01, 2015 2:59 pm

Canedje wrote: About a month ago I found a strange file called "dead.letter". I removed that.

The dead.letter file is created when you start an email and fail to send it (equivalent to drafts).

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6229
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: Virus protection

Mon Jun 01, 2015 3:00 pm

Viruses aren't really the thing to worry about. It's bad security practices like using weak or default passwords which will get you.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Virus protection

Mon Jun 01, 2015 3:02 pm

mikerr wrote:
Canedje wrote: About a month ago I found a strange file called "dead.letter". I removed that.
The dead.letter file is created when you start an email and fail to send it (equivalent to drafts).

Thanks. That's good news ;)

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Virus protection

Mon Jun 01, 2015 3:04 pm

Is there somewhere a possibility to check who logged in, like in a logfile or so?

MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: Virus protection

Mon Jun 01, 2015 3:09 pm

You might simply be experiencing a corrupted SD card; however, I doubt it.

The clue is your crontab. If the crontab changes, 'somebody' changed it. In any case, the solution is the same: re-image the SD card and start over.

You may be able to save some file(s), but save the minimum and only save what you must... consider any file a trojan at this point (although it's unlikely).

The problem here is that people put their RPi on the Internet without a firewall, and without changing the default password for pi. One simple thing an attacker can do easily is to create another userid and then give it sudo privileges. Look in your /etc/passwd file and see if you have users you're not aware of. Look in your /etc/sudoers file and see if another userid has been given permissions. Often an attacker is not trying to damage your Pi... on the contrary... they often hope that your Pi will run a long time before you notice that they have access to your system... that way they can use your system as a bot, as part of a DDOSA, or as a way to hide the source id and other stuff.

Always put your computers (even your iddy bitty toys) behind a firewall, disable remote login (unless you must have it) and change default passwords... lock down your ssh, disable stupid protocols like telnet, and put your ssh on another port besides 22.
marcus

RaTTuS
Posts: 10559
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK
Contact: Twitter YouTube

Re: Virus protection

Mon Jun 01, 2015 3:10 pm

No, because any good cracker will have altered everything.
Run a scan from another machine.

DougieLawson
Posts: 39121
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Virus protection

Mon Jun 01, 2015 3:16 pm

Canedje wrote: Is there somewhere a possibility to check who logged in, like in a logfile or so?

/var/log/auth.log has all logins and security-related stuff.
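The two checks suggested in this thread (MarkHaysHarris777's look through /etc/passwd and /etc/sudoers for accounts and sudo rules you did not create, and DougieLawson's pointer to /var/log/auth.log for logins) can be scripted. This is an added example, not code from any poster; the passwd, sudoers and auth.log contents are constructed stand-ins, and the EXPECTED_USERS / EXPECTED_SUDOERS lists are assumptions you would replace with the accounts you actually set up.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd file, a sudoers file and an
# auth.log for the signs described above. Sample inputs below are constructed.
set -u
TMP=$(mktemp -d)   # stand-ins for /etc/passwd, /etc/sudoers and /var/log/auth.log
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
canedje:x:1001:1001:,,,:/home/canedje:/bin/bash
backup2:x:0:1002:,,,:/home/backup2:/bin/bash
EOF
cat > "$TMP/sudoers" <<'EOF'
root    ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
backup2 ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$TMP/auth.log" <<'EOF'
Jun  1 02:13:07 raspberrypi sshd[1234]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jun  1 02:13:11 raspberrypi sshd[1234]: Failed password for pi from 198.51.100.7 port 40112 ssh2
Jun  1 02:13:15 raspberrypi sshd[1236]: Accepted password for pi from 198.51.100.7 port 40118 ssh2
Jun  1 14:02:30 raspberrypi sshd[2100]: Accepted publickey for canedje from 192.0.2.10 port 51022 ssh2
Jun  1 14:05:01 raspberrypi CRON[2150]: pam_unix(cron:session): session opened for user pi by (uid=0)
EOF
# Accounts you created yourself and users you granted sudo (assumed lists).
EXPECTED_USERS="root pi canedje"
EXPECTED_SUDOERS="root pi"
# Accounts not in the expected list, or sharing UID 0 with root (a second root account).
unknown_accounts() {
    awk -F: -v known="$EXPECTED_USERS" 'BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($1 in ok) || ($3 == 0 && $1 != "root") { print $1 }' "$1"
}
# Sudo rules for users you did not grant; comments, Defaults and blank lines are skipped.
unexpected_sudo() {
    awk -v known="$EXPECTED_SUDOERS" 'BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || NF == 0 { next }
        !($1 in ok) { print $1 }' "$1"
}
# "user source" for every successful SSH login, de-duplicated.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") s = $(i+1) }; print u, s }' "$1" | sort -u
}
# Failed password attempts counted per source address (brute-force indicator).
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password / { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" | sort | uniq -c | sort -rn
}
unknown_accounts "$TMP/passwd"   # backup2
unexpected_sudo "$TMP/sudoers"   # backup2
accepted_logins "$TMP/auth.log"
failed_by_source "$TMP/auth.log"
```

On a real Raspbian system, sudo rights are also granted through group membership (`%sudo` in /etc/sudoers, members listed in /etc/group) and through files under /etc/sudoers.d/, so point the same functions at those as well; and, as the posters note, read the files from the SD card on another machine rather than trusting tools on the possibly compromised Pi.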
