# Firefox has penetrated my system?! It has malware in it. Reading my disk hard.



## debguy (Feb 27, 2021)

So I'm working to improve stability of some software. Suddenly my disk light starts working hard, I can hear it; from years of experience I know it's not "cron running find". I check my ps list and the only possibility is firefox (which I set to NOT auto update, only has a few pages open, and I'm in a tty, X is not the active terminal (freebsd and github pages btw)). I KILLED firefox, the light went off immediately. It had been running hard for probably 30 seconds or longer, I did not react to it quickly. I can also note I have few bookmarks and kill the cache completely on exit, there is no cache to speak of.

Is this kind of "penetration" by firefox normal in freebsd today?  I know for sure firefox does "not activate the disk light hard for 30 seconds" ever for any reason.

Perhaps I am just unlucky and got targeted by an angry hacker.  This was yesterday it happened btw.


----------



## mark_j (Feb 27, 2021)

Instead of this reaction, create a jail, run it in there and trace what it's doing. My bet is it's 'vacuuming' one of the many databases.


----------



## eternal_noob (Feb 27, 2021)

I don't think that Firefox has malware in it. Try a network analyzing tool such as tcpdump(1), net/trafshow, net/ntopng or net/wireshark to be sure though!


----------



## Deleted member 30996 (Feb 27, 2021)

www/firefox-esr is the only browser I've used in over a year. I keep an eye on sysutils/gkrellm2 to keep track of performance issues or unusual behavior. I've never caught it doing anything reflective of malware and can set it to monitor different ports for activity and build mine from ports.

My one recommendation would be not to allow JavaScript free global access and personally use NoScript to keep it from happening.


----------



## Snurg (Feb 27, 2021)

When Firefox does this, its threads are being displayed as swread in top.
No idea what is going on there, as free memory is atm 20gb.
This behaviour is nothing new, it disappears when one swapoffs the system.


----------



## a6h (Feb 27, 2021)

debguy said:


> Is this kind of "penetration" by firefox normal in freebsd today?


NCND

* Create new profile, start firefox with that, and inspect its behaviour.
* Use `about:performance` to check tab performance.
* Use `about:memory` to check memory usage.
* Use `about:networking` to monitor networking information
* Limit the _saving session operation_: `browser.sessionstore.interval`. More info at:
http://kb.mozillazine.org/Browser.sessionstore.interval
http://kb.mozillazine.org/Session_Restore

[EDIT]:
You can also use Wireshark to inspect traffic. Just read the Wireshark Wiki TLS article beforehand.


----------



## drhowarddrfine (Feb 27, 2021)

debguy said:


> Is this kind of "penetration" by firefox normal in freebsd today?


No it is not. Does Firefox have malware in it? No. Look elsewhere. Many of us run Firefox as our daily driver with no such issues. The problem is neither Firefox nor FreeBSD.


----------



## kpedersen (Feb 27, 2021)

I have a slightly weird one with Firefox that maybe is what the OP is experiencing. Whenever I go on a site utilising a Canvas or WebGL with a "loop" via requestAnimationFrame, my hard-drive goes 100%. I think potentially it is creating error logs due to some OpenGL issue (canvas uses GL underneath).

For example this page: https://get.webgl.org/

Honestly I never really looked into it because, well I disable WebGL and my ad-blocker generally stops this stuff displaying anyway (I don't play web games).

But I highly recommend running it in a jail. Firefox is certainly a more trustworthy browser of the bunch, but any program that makes arbitrary connections to thousands of unknown hosts should really be sandboxed.


----------



## eternal_noob (Feb 27, 2021)

kpedersen said:


> I think potentially it is creating error logs due to some OpenGL issue


The problem with Firefox is that it writes every single JavaScript error to stdout.


----------



## a6h (Feb 27, 2021)

Years ago, there was a self-proclaimed security expert, who accused Microsoft of implementing a Backdoor into the WMF.
A few days later, he got hosed. It was a public embarrassment. He was an early example/product of "_self-esteem movement_".


----------



## Raffeale (Feb 27, 2021)

Firefox has some bug which a hacker could use to hack your computer. I met a Firefox bug where a hacker was hacking my wifi, spoofing DNS for me and DNS rebinding, and then used an Xorg bug to get root privileges. So FreeBSD should drop the root privileges after Xorg starts; this could prevent a hacker from getting root privileges. OpenBSD added a new function to drop Xorg's root privileges. I think FreeBSD should do this. I hope FreeBSD 13 is PIE for all applications.


----------



## wolffnx (Feb 27, 2021)

If you have doubts, you can run `lsof` and its many filters to see what files firefox is accessing.


----------
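An added example, not part of any post in this thread: one way to act on the `lsof` suggestion above and test the earlier guesses about database vacuuming and session saving is to group the regular files Firefox holds open for writing by kind. The function name `classify_ff_files`, the category labels and the sample paths are assumptions made for illustration; the sample input is constructed.

```shell
#!/bin/sh
# Usage on a live system (lsof is sysutils/lsof on FreeBSD):
#   lsof -p "$(pgrep -o firefox)" -Ffatn | classify_ff_files
# -F output is one field per line: f=descriptor, a=access, t=type, n=name.

classify_ff_files() {
    awk '
        /^f/ { acc = ""; typ = "" }      # each file set starts with its fd field
        /^a/ { acc = substr($0, 2) }     # r, w, or u (read and write)
        /^t/ { typ = substr($0, 2) }     # REG, DIR, IPv4, ...
        /^n/ {
            name = substr($0, 2)
            # Only regular files opened for writing can explain disk writes.
            if (typ != "REG" || (acc != "w" && acc != "u")) next
            if (name ~ /\.sqlite(-wal|-shm|-journal)?$/) cat = "sqlite"
            else if (name ~ /sessionstore/)              cat = "sessionstore"
            else if (name ~ /\/cache2\//)                cat = "cache"
            else                                         cat = "other"
            count[cat]++
        }
        END { for (c in count) printf "%s %d\n", c, count[c] }
    ' | sort
}

# Constructed sample of `lsof -Ffatn` output for one process (not real data).
sample_lsof_output() {
    cat <<'EOF'
p4321
fcwd
tDIR
n/home/user
f12
ar
tREG
n/usr/local/lib/firefox/omni.ja
f45
au
tREG
n/home/user/.mozilla/firefox/x.default/places.sqlite
f46
au
tREG
n/home/user/.mozilla/firefox/x.default/places.sqlite-wal
f47
au
tREG
n/home/user/.mozilla/firefox/x.default/cookies.sqlite
f60
aw
tREG
n/home/user/.mozilla/firefox/x.default/sessionstore-backups/recovery.jsonlz4
f71
au
tREG
n/home/user/.cache/mozilla/firefox/x.default/cache2/entries/AB12
f80
au
tIPv4
n10.0.0.5:51234->192.0.2.10:443
EOF
}

sample_lsof_output | classify_ff_files
```

A large "other" count, or writable files outside the profile and cache directories, is the part worth looking at by hand.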



## Deleted member 30996 (Mar 4, 2021)

Raffeale said:


> ...that hacker hacking my wifi...


There's the weak link in the chain. I live in a building with approx. 50 apartments and use an Ethernet LAN. All radio signals on router and laptops are disabled.

Now net-mgmt/kismet will let me observe many that do use it. I heard one guy talking about using an unsecured hotspot he called inkydink. I said you mean Linksys? Oh yeah, that's it.

I talked them into giving us free wi-fi but you can only use it short distance and I can't use it. None of them here have any computer skills to speak of and it would be a simple thing to provide them one with www/mitmproxy, but not very neighborly or interesting for me. Botnets might be...


----------

