Major Problems After Installing overGrive
FedoraForum.org - Fedora Support Forums and Community
Page 1 of 2 (Results 1 to 15 of 27)
  1. #1 (Join Date: Jul 2005, Posts: 205)

    Major Problems After Installing overGrive

    This morning I did something that was colossally stupid: I installed an RPM from an untrusted source. This is something I never do; I don't know what I was thinking.

    I was looking for a Google Drive client for Fedora. Google doesn't provide one, so I looked around to see what was available. There is an open-source client called grive. I looked around for an RPM and found something called overGrive. It's from a web design firm in South Africa; the .za address should have stopped me in my tracks, but my brain was off.

    I installed it and let it attach itself to Google Drive. It then asked for a license, which was unexpected, so I uninstalled it. I then went to my Google Drive account and found that it had installed 26 hidden files. I disconnected it from Google Drive and deleted its files. I then changed my Google password. Then my troubles really began. I was unable to create any shells because all of the processes were used up. I rebooted and came up in VGA because the kernel had been switched to a debug kernel. I rebooted and selected a regular kernel, and then the process problem started again. At that point I did a fresh install of Fedora. However, I still had problems when I logged into my personal account. I deleted some lock files it left behind, but I wasn't comfortable, so I created a fresh home directory and renamed the old one. That fixed my problems. I also regenerated my SSH keys and changed my authorized_keys files on all my systems so that the old key wouldn't work (I was worried that they might have stolen my keys).

    It's possible that overGrive's behavior was just due to incompetence, but I strongly suspect that it's deliberate and that this is a very dangerous piece of malware. Stay away from overGrive!!!
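
The key rotation the poster describes (regenerate the key pair, then make the old public key stop working everywhere) is easy to get wrong by editing authorized_keys by eye, because the base64 blobs all look alike and an options field such as `command="..."` can contain spaces. The script below is an added example, not code from the thread or from overGrive: it identifies keys by their SHA256 fingerprint (the form `ssh-keygen -lf` prints) and removes only the matching entries, keeping comments, options and the other keys intact. The key blobs and the authorized_keys content it uses are constructed test data, not real keys.

```python
"""Added example, not from the thread: when you suspect a private key leaked,
remove it from every authorized_keys by fingerprint instead of hunting for the
base64 blob by eye. The key blobs below are constructed test data, not real keys."""
import base64
import binascii
import hashlib
import re
import struct

# OpenSSH key-type tokens. The first one found on a line marks where the key
# begins, which is how an optional options field such as
# command="/usr/bin/rrsync /backup",no-pty (spaces inside the quotes) is skipped.
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/]+=*)"
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Return (key_type, blob) for a key line; None for blank, comment or unparsable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _KEY_RE.search(stripped)
    return (m.group(1), m.group(2)) if m else None


def revoke(authorized_keys_text, bad_fingerprints):
    """Drop every key whose fingerprint is in bad_fingerprints.

    Comments, blank lines, unparsable lines and keys not in the set are kept
    byte-for-byte, so options and annotations survive. Returns (new_text, removed).
    """
    kept, removed = [], []
    for line in authorized_keys_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            try:
                fp = fingerprint(parsed[1])
            except (binascii.Error, ValueError):
                fp = None  # malformed blob: leave the line for a human to look at
            if fp in bad_fingerprints:
                removed.append(fp)
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


def make_ed25519_blob(raw32):
    """Constructed ed25519 public key in SSH wire format (string "ssh-ed25519",
    string key). raw32 is arbitrary bytes here, not a real key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


STOLEN = make_ed25519_blob(b"\x01" * 32)   # constructed: the key we fear was copied
GOOD = make_ed25519_blob(b"\x02" * 32)     # constructed: a key that stays

# Constructed authorized_keys content; the first entry carries an options field.
SAMPLE = (
    "# laptop and backup host\n"
    f'command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 {STOLEN} user@laptop\n'
    f"ssh-ed25519 {GOOD} user@backup\n"
)

if __name__ == "__main__":
    new_text, removed = revoke(SAMPLE, {fingerprint(STOLEN)})
    print("removed:", removed)
    print(new_text, end="")
```

Usage: take the fingerprint of the old key with `ssh-keygen -lf old_key.pub`, then run `revoke()` over each host's `~/.ssh/authorized_keys` and write the result back; only the lines whose fingerprint matches are dropped, so the options and comments on every other entry are untouched.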

  2. #2 (Join Date: Aug 2011, Posts: 111)

    Aaaaaccckkk!!! I'm sure glad I use Insync! And to think I came that close to trying OverGrive...

    Android since v1.0. Linux since 2001.
    Registered Linux user 266351
    Shuttle DS81 Intel H81 Slim MiniPC Barebone, Intel i5-4690S Haswell Quad-Core 3.2 GHz, Kingston 16GB DDR3 1600 Laptop Memory, SAMSUNG 850 EVO mSATA 500GB SSD
    Google Fiber gigabit internet

  3. #3 (Join Date: Dec 2013, Location: United Kingdom, Posts: 7,137)

    Re: Suspect overGrive is Malware

    Thanks for sharing your cautionary tale of your experience. I use Chrome as my default browser, so I have access to the Google Drive app from the browser apps shortcut, my MATE panel drawer and mintmenu. I don't feel the need to set up folder sync as well, though. I guess it depends how reliant you are on the cloud storage for day-to-day work.

  4. #4 (Join Date: Jul 2005, Posts: 205)

    Re: Suspect overGrive is Malware

    One more piece of info: although it's a South African URL and they claim to be a Cape Town web design company, the IP address points to a German hosting service.

    ---------------------------------------------------------------------------------------------------
    I use Cloud strictly for moving photos from my phone to my desktop. I'm using Dropbox which is in the Fedora repos and does a great job. The reason that I was looking for a Google Drive option is because I'm not convinced that Dropbox has a viable business model and I want an alternative before they go under.

  5. #5 (Join Date: Jul 2005, Location: RainCity, Posts: 1,890)

    Re: Suspect overGrive is Malware

    Post the German IP address please.
    Kurt Driver
    Vancouver, Canada

    https://www.wikitree.com/wiki/Driver-1479

  6. #6 (Join Date: Jul 2005, Posts: 205)

    Re: Suspect overGrive is Malware

    The website is at
    https://www.thefanclub.co.za

    Which resolves to 88.198.7.171 according to Url to IP

    whois gives

    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: this output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '88.198.0.0 - 88.198.15.255'

    % Abuse contact for '88.198.0.0 - 88.198.15.255' is 'abuse@hetzner.de'

    inetnum: 88.198.0.0 - 88.198.15.255
    netname: HETZNER-RZ-NBG-NET
    descr: Hetzner Online AG
    descr: Datacenter Nuernberg
    country: DE
    admin-c: HOAC1-RIPE
    tech-c: HOAC1-RIPE
    status: ASSIGNED PA
    mnt-by: HOS-GUN
    mnt-lower: HOS-GUN
    mnt-routes: HOS-GUN
    created: 2006-01-12T10:26:20Z
    last-modified: 2006-01-12T10:26:20Z
    source: RIPE # Filtered

    role: Hetzner Online GmbH - Contact Role
    address: Hetzner Online GmbH
    address: Industriestrasse 25
    address: D-91710 Gunzenhausen
    address: Germany
    phone: +49 9831 505-0
    fax-no: +49 9831 505-3
    abuse-mailbox: abuse@hetzner.de
    remarks: *************************************************
    remarks: * For spam/abuse/security issues please contact *
    remarks: * abuse@hetzner.de, not this address. *
    remarks: * The contents of your abuse email will be *
    remarks: * forwarded directly on to our client for *
    remarks: * handling. *
    remarks: *************************************************
    remarks:
    remarks: *************************************************
    remarks: * Any questions on Peering please send to *
    remarks: * peering@hetzner.de *
    remarks: *************************************************
    org: ORG-HOA1-RIPE
    admin-c: MH375-RIPE
    tech-c: GM834-RIPE
    tech-c: SK2374-RIPE
    tech-c: TF2013-RIPE
    tech-c: MF1400-RIPE
    tech-c: SK8441-RIPE
    nic-hdl: HOAC1-RIPE
    mnt-by: HOS-GUN
    created: 2004-08-12T09:40:20Z
    last-modified: 2015-08-06T09:39:14Z
    source: RIPE # Filtered

    % Information related to '88.198.0.0/16AS24940'

    route: 88.198.0.0/16
    descr: HETZNER-RZ-NBG-BLK4
    origin: AS24940
    org: ORG-HOA1-RIPE
    mnt-by: HOS-GUN
    created: 2006-01-02T08:59:04Z
    last-modified: 2006-01-02T08:59:04Z
    source: RIPE # Filtered

    organisation: ORG-HOA1-RIPE
    org-name: Hetzner Online GmbH
    org-type: LIR
    address: Industriestrasse 25
    address: D-91710
    address: Gunzenhausen
    address: GERMANY
    phone: +49 9831 5050
    fax-no: +49 9831 5053
    admin-c: TF2013-RIPE
    admin-c: MF1400-RIPE
    admin-c: GM834-RIPE
    admin-c: HOAC1-RIPE
    admin-c: MH375-RIPE
    admin-c: SK2374-RIPE
    admin-c: SK8441-RIPE
    mnt-ref: HOS-GUN
    mnt-ref: RIPE-NCC-HM-MNT
    mnt-by: RIPE-NCC-HM-MNT
    abuse-c: HOAC1-RIPE
    created: 2004-04-17T11:07:58Z
    last-modified: 2015-08-06T12:01:31Z
    source: RIPE # Filtered

    % This query was served by the RIPE Database Query Service version 1.80.1 (DB-3)
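
The whois answer above is RPSL: blank-line-separated objects of `attribute: value` lines, with `%` server comments and repeated attributes (descr, admin-c). Reading it by eye works once; when you are checking several hosts it is better to parse it. The parser below is an added example, not from the thread or from any whois tool: it splits the output into objects, handles continuation lines, and reduces the answer to the attribution facts (netblock holder, country, announcing AS, abuse contact). `SAMPLE` is an abridged copy of the output posted above; the fallback input in the usage note is constructed.

```python
"""Added example, not from the thread: parse RIPE-style RPSL whois output (the
format of the lookup posted above) into objects and pull out the attribution
facts a triage wants: netblock holder, country, abuse contact, announcing AS.
SAMPLE is an abridged copy of the output in the post."""
import re

_ABUSE_COMMENT_RE = re.compile(r"^% Abuse contact for '.*' is '([^']+)'")


def parse_rpsl(text):
    """Split whois output into objects.

    Each object is a dict: "_class" holds the first attribute name (inetnum,
    route, role, ...), every other key maps to a list of values because RPSL
    repeats attributes (descr, admin-c, ...). Lines starting with '%' are server
    comments and are returned separately; blank lines end an object; lines that
    begin with whitespace or '+' continue the previous attribute.
    """
    objects, comments = [], []
    attrs, last_key = None, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            comments.append(raw)
            continue
        if not raw.strip():
            if attrs:
                objects.append(attrs)
            attrs, last_key = None, None
            continue
        if raw[0] in " \t+" and last_key:
            attrs[last_key][-1] = (attrs[last_key][-1] + " " + raw.lstrip(" \t+")).strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # not an attribute line
        key, value = key.strip(), value.strip()
        if attrs is None:
            attrs = {"_class": key}
        attrs.setdefault(key, []).append(value)
        last_key = key
    if attrs:
        objects.append(attrs)
    return objects, comments


def summarize(text):
    """Reduce the whois answer to the handful of fields that matter for attribution."""
    objects, comments = parse_rpsl(text)
    by_class = {}
    for obj in objects:
        by_class.setdefault(obj["_class"], []).append(obj)

    def first(cls, attr):
        for obj in by_class.get(cls, []):
            if attr in obj:
                return obj[attr][0]
        return None

    abuse = first("role", "abuse-mailbox")
    if abuse is None:  # fall back to the server's own "% Abuse contact" comment
        for line in comments:
            m = _ABUSE_COMMENT_RE.match(line)
            if m:
                abuse = m.group(1)
                break
    inetnum = by_class.get("inetnum", [{}])[0]
    return {
        "inetnum": first("inetnum", "inetnum"),
        "netname": first("inetnum", "netname"),
        "holder": " / ".join(inetnum.get("descr", [])) or None,
        "country": first("inetnum", "country"),
        "route": first("route", "route"),
        "origin_as": first("route", "origin"),
        "org_name": first("organisation", "org-name"),
        "abuse": abuse,
    }


# Abridged copy of the whois output posted in this thread.
SAMPLE = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

% Information related to '88.198.0.0 - 88.198.15.255'

% Abuse contact for '88.198.0.0 - 88.198.15.255' is 'abuse@hetzner.de'

inetnum: 88.198.0.0 - 88.198.15.255
netname: HETZNER-RZ-NBG-NET
descr: Hetzner Online AG
descr: Datacenter Nuernberg
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered

role: Hetzner Online GmbH - Contact Role
address: Hetzner Online GmbH
address: Industriestrasse 25
address: D-91710 Gunzenhausen
address: Germany
abuse-mailbox: abuse@hetzner.de
nic-hdl: HOAC1-RIPE
source: RIPE # Filtered

% Information related to '88.198.0.0/16AS24940'

route: 88.198.0.0/16
descr: HETZNER-RZ-NBG-BLK4
origin: AS24940
org: ORG-HOA1-RIPE
source: RIPE # Filtered

organisation: ORG-HOA1-RIPE
org-name: Hetzner Online GmbH
org-type: LIR
address: Industriestrasse 25
address: D-91710
address: Gunzenhausen
address: GERMANY
source: RIPE # Filtered
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:10} {value}")
```

Note that the abuse contact is taken from the role object when present and from the server's `% Abuse contact` comment otherwise, because not every whois server includes the role object in a filtered answer; and that whois tells you who operates the netblock (here a hosting provider), not who rents the machine, which is exactly the distinction the posts above turn on.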

  7. #7 (Join Date: Jul 2005, Location: RainCity, Posts: 1,890)

    Re: Suspect overGrive is Malware

    Could you list the names of the files it installed?

    It certainly is proprietary software; it offers support, which means they want money. I'm wondering if the 26 files are config files; it's quite normal for applications to install a hidden directory of config files at installation. Were these files in your home directory?
    Kurt Driver
    Vancouver, Canada

    https://www.wikitree.com/wiki/Driver-1479

  8. #8 (Join Date: Jul 2005, Location: RainCity, Posts: 1,890)

    Re: Suspect overGrive is Malware

    Are these on the list? They are config files and can be deleted.
    .overgrive.lastsync
    .overgrive.cache
    .overgrive.log
    Kurt Driver
    Vancouver, Canada

    https://www.wikitree.com/wiki/Driver-1479

  9. #9 (Join Date: Jun 2011, Location: Thailand, Age: 74, Posts: 375)

    Re: Suspect overGrive is Malware

    Quote Originally Posted by bjrosen
    This morning I did something that was colossally stupid: I installed an RPM from an untrusted source. This is something I never do; I don't know what I was thinking.

    I was looking for a Google Drive client for Fedora. Google doesn't provide one, so I looked around to see what was available. There is an open-source client called grive. I looked around for an RPM and found something called overGrive. It's from a web design firm in South Africa; the .za address should have stopped me in my tracks, but my brain was off.

    I installed it and let it attach itself to Google Drive. It then asked for a license, which was unexpected, so I uninstalled it. I then went to my Google Drive account and found that it had installed 26 hidden files. I disconnected it from Google Drive and deleted its files. I then changed my Google password. Then my troubles really began. I was unable to create any shells because all of the processes were used up. I rebooted and came up in VGA because the kernel had been switched to a debug kernel. I rebooted and selected a regular kernel, and then the process problem started again. At that point I did a fresh install of Fedora. However, I still had problems when I logged into my personal account. I deleted some lock files it left behind, but I wasn't comfortable, so I created a fresh home directory and renamed the old one. That fixed my problems. I also regenerated my SSH keys and changed my authorized_keys files on all my systems so that the old key wouldn't work (I was worried that they might have stolen my keys).

    It's possible that overGrive's behavior was just due to incompetence, but I strongly suspect that it's deliberate and that this is a very dangerous piece of malware. Stay away from overGrive!!!

    Google Drive works on Firefox; just install it from here: https://www.google.com/drive/download/
    ASRock model: X570 Taichi,AMD Ryzen 7 2700X Eight-Core,fedora 31 kde,64GB ram,asrock amd rx580

  10. #10 (Join Date: Jul 2005, Posts: 205)

    Re: Suspect overGrive is Malware

    Quote Originally Posted by kurtdriver
    Are these on the list? They are config files and can be deleted.
    .overgrive.lastsync
    .overgrive.cache
    .overgrive.log

    There were lock files in my directory, as I remember. I deleted everything with the grive name in it; however, I was still seeing all of the processes used up until I switched home directories, so I suspect that there are some obfuscated files that launch as part of the desktop.
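
Rather than renaming the home directory, the per-user places from which a desktop session starts things can be enumerated directly: freedesktop autostart entries under `~/.config/autostart`, systemd user units under `~/.config/systemd/user`, and the shell and X session rc files. The scanner below is an added example, not from the thread and not a description of what overGrive installs: it lists every such launch point, skips disabled (`Hidden=true`) entries, and applies a simple heuristic to rc files (backgrounded, `nohup`/`setsid`, or a command living under a hidden directory). The home directory it scans is constructed by `build_sample_home()`, with made-up paths and names.

```python
"""Added example, not from the thread: enumerate the per-user places on a Fedora
desktop from which something can start at login, so a suspected leftover can be
found instead of guessed at. Paths are the standard freedesktop autostart and
systemd user-unit locations plus shell rc files; the sample home directory is
constructed by build_sample_home() and is not a real overGrive installation."""
import configparser
import os
import re
import tempfile

RC_FILES = [".bashrc", ".bash_profile", ".profile", ".xprofile", ".xsessionrc"]

# Heuristic for an rc-file line that launches something: backgrounded (&),
# detached (nohup/setsid), or a command living under a hidden directory.
_LAUNCH_RE = re.compile(r"(?:^|\s)(?:nohup|setsid)\s|&\s*$|^(?:~|\$HOME|/)\S*/\.\S+")


def _desktop_exec(path):
    """Exec= line of a .desktop file and whether the entry is disabled (Hidden=true)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive; keep "Exec" as written
    cp.read(path, encoding="utf-8")
    if not cp.has_section("Desktop Entry"):
        return None, False
    sec = cp["Desktop Entry"]
    return sec.get("Exec"), sec.get("Hidden", "false").strip().lower() == "true"


def _unit_execstart(path):
    """ExecStart= values of a systemd unit (not INI: keys may repeat, so parse by line)."""
    cmds = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for line in f:
            if line.startswith("ExecStart="):
                cmds.append(line[len("ExecStart="):].strip())
    return " ; ".join(cmds) or None


def find_user_persistence(home):
    """Return a list of {"kind", "where", "command"} for everything that would run at login."""
    hits = []
    autostart = os.path.join(home, ".config", "autostart")
    if os.path.isdir(autostart):
        for name in sorted(os.listdir(autostart)):
            if name.endswith(".desktop"):
                path = os.path.join(autostart, name)
                cmd, hidden = _desktop_exec(path)
                if cmd and not hidden:
                    hits.append({"kind": "autostart", "where": path, "command": cmd})
    units = os.path.join(home, ".config", "systemd", "user")
    if os.path.isdir(units):
        for name in sorted(os.listdir(units)):
            if name.endswith(".service"):
                path = os.path.join(units, name)
                cmd = _unit_execstart(path)
                if cmd:
                    hits.append({"kind": "systemd-user", "where": path, "command": cmd})
    for rc in RC_FILES:
        path = os.path.join(home, rc)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                s = line.strip()
                if s and not s.startswith("#") and _LAUNCH_RE.search(s):
                    hits.append({"kind": "shell-rc", "where": f"{path}:{lineno}", "command": s})
    return hits


def build_sample_home(root):
    """Constructed home directory: one live autostart entry, one disabled one,
    one user unit, and an rc file with a benign line and a backgrounded launcher."""
    files = {
        ".config/autostart/sync-helper.desktop":
            "[Desktop Entry]\nType=Application\nName=Sync Helper\n"
            "Exec=/home/user/.cache/.sync/helper --daemon\n",
        ".config/autostart/disabled-tool.desktop":
            "[Desktop Entry]\nType=Application\nName=Old Tool\nHidden=true\n"
            "Exec=/usr/bin/old-tool\n",
        ".config/systemd/user/sync.service":
            "[Unit]\nDescription=sync helper\n[Service]\n"
            "ExecStart=/home/user/.cache/.sync/helper --watch\n"
            "[Install]\nWantedBy=default.target\n",
        ".bashrc":
            "# .bashrc\nexport PATH=$HOME/.local/bin:$PATH\n"
            "nohup $HOME/.cache/.sync/helper >/dev/null 2>&1 &\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


def demo():
    """Build the constructed home in a temporary directory and scan it."""
    home = build_sample_home(tempfile.mkdtemp())
    return home, find_user_persistence(home)


if __name__ == "__main__":
    for hit in demo()[1]:
        print(f"{hit['kind']:13} {hit['where']}\n    {hit['command']}")
```

Run `find_user_persistence(os.path.expanduser("~"))` on the real account, compare the commands against what you installed, and then also check the system-wide equivalents (`/etc/xdg/autostart`, `/etc/systemd/system`, cron) that a package installed as root can write to; the user-level scan alone does not cover those.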

  11. #11 (Join Date: Jun 2015, Location: 02809, Posts: 11)

    Re: Suspect overGrive is Malware

    I've been using Copy.com to backup files. 15 gb free or with some code 20gb free. As far as I can tell this service is not malware.

  12. #12 (Join Date: Aug 2011, Posts: 111)

    Re: Suspect overGrive is Malware

    I use Google Drive via Insync, Dropbox and Copy.com extensively. They all work well. I tie them all together with CloudHQ which has turned out to be a really nice service.
    Registered Linux user 266351
    Shuttle DS81 Intel H81 Slim MiniPC Barebone, Intel i5-4690S Haswell Quad-Core 3.2 GHz, Kingston 16GB DDR3 1600 Laptop Memory, SAMSUNG 850 EVO mSATA 500GB SSD
    Google Fiber gigabit internet

  13. #13 (Join Date: Aug 2015, Location: Spain, Posts: 6)

    Re: Suspect overGrive is Malware

    What happened in the end?

  14. #14 (Join Date: Apr 2014, Location: Cape Town, South Africa, Posts: 2)

    Re: overGrive is NOT Malware

    Hi, I am the creator of overGrive. We are a South African site, yes, and our servers are hosted in Germany.

    We are also the creators of Grive Tools, which was dependent on Grive. When Google changed their API and Grive stopped working, we decided to rewrite the whole Google Drive solution from scratch using only the Google Drive API v2.

    We do not produce malware, and do not have access to user files as speculated. A simple packet sniffer or firewall will show there is no traffic except to your Google Drive. All of this is done securely via the Google API.

    Every single action that overGrive takes is logged. You can view the log in your home folder .overgrive.log

    overGrive is currently syncing millions of files per month for thousands of happy users.

    If anybody has a question regarding overGrive please contact us at info@thefanclub.co.za

    Kind Regards
    Christiaan
    Last edited by The Fan Club; 20th October 2015 at 11:13 AM.
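
The check the vendor points to (watch where the client actually connects) can be done from `ss -tnp` output without a full packet capture. The script below is an added example, not from the thread and not an observation of overGrive's traffic: it parses `ss -tnp` rows into one record per socket and owning process, unwraps IPv4-mapped IPv6 peers so they match IPv4 networks, and reports the connections of a given process whose peer is outside an allow-list. The socket lines use documentation address ranges and a made-up process name, and the allow-list is constructed; in practice you supply the networks you expect, for example from the DNS answers you observed for the service's hostnames.

```python
"""Added example, not from the thread: reduce `ss -tnp` output to who-talks-to-whom
per process and flag peers outside an allow-list, which is the check the vendor
suggests doing with a sniffer or firewall. The socket lines and the allow-list
are constructed (documentation ranges), not captured from overGrive."""
import ipaddress
import re

# One `ss -tnp` row: state, queues, local, peer, then the owning process(es).
_SS_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+"
    r"users:\(\((?P<users>.*)\)\)\s*$"
)
_PROC_RE = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+')


def split_hostport(s):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); '[2001:db8::1]:443' -> ('2001:db8::1', 443)."""
    host, _, port = s.rpartition(":")
    return host.strip("[]"), int(port)


def peer_address(host):
    """ipaddress object for a peer; IPv4-mapped IPv6 peers ([::ffff:a.b.c.d]) are
    unwrapped so they can be matched against IPv4 allow-list networks."""
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def parse_ss(text):
    """One record per (socket, owning process). The header and rows without
    process info (other users' sockets when not running as root) are skipped."""
    conns = []
    for line in text.splitlines():
        m = _SS_RE.match(line.strip())
        if not m:
            continue
        peer_host, peer_port = split_hostport(m.group("peer"))
        for p in _PROC_RE.finditer(m.group("users")):
            conns.append({
                "process": p.group("name"), "pid": int(p.group("pid")),
                "state": m.group("state"), "peer": peer_host, "port": peer_port,
            })
    return conns


def unexpected_peers(conns, process, allowed_cidrs):
    """Connections of `process` whose peer is not inside any allowed network."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    out = []
    for c in conns:
        if c["process"] != process:
            continue
        ip = peer_address(c["peer"])
        if not any(ip.version == n.version and ip in n for n in nets):
            out.append(c)
    return out


# Constructed `ss -tnp` output (documentation ranges, made-up process name).
SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.23:51234 203.0.113.10:443 users:(("syncclient",pid=2140,fd=11))
ESTAB 0 0 192.168.1.23:51240 198.51.100.7:443 users:(("syncclient",pid=2140,fd=12))
ESTAB 0 0 192.168.1.23:40022 192.0.2.77:22 users:(("ssh",pid=990,fd=3))
ESTAB 0 0 [::ffff:192.168.1.23]:51280 [::ffff:203.0.113.11]:443 users:(("syncclient",pid=2140,fd=14))
ESTAB 0 0 [2001:db8::23]:51300 [2001:db8:ffff::1]:443 users:(("syncclient",pid=2140,fd=13),("syncclient",pid=2141,fd=13))
"""
ALLOWED = ["203.0.113.0/24", "2001:db8:ffff::/48"]   # constructed allow-list

if __name__ == "__main__":
    for c in unexpected_peers(parse_ss(SAMPLE), "syncclient", ALLOWED):
        print(f"{c['process']}[{c['pid']}] -> {c['peer']}:{c['port']} ({c['state']})")
```

A snapshot only shows sockets open at that instant, so run it repeatedly (or during a sync) and diff the peer sets; short-lived connections are exactly the ones a one-off `ss` misses, which is why a capture or firewall log remains the stronger check.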

  15. #15 (Join Date: Oct 2015, Location: louisiana, Posts: 33)

    Re: Suspect overGrive is Malware

    Just a quick note... there is a Linux Google Drive client that, while not 100% endorsed by Google, is an open source project that someone on the original Google Drive team created. It has since been taken over by another coder.

    The original GitHub repository, maintained by Burcu Dogan, is here:
    https://github.com/rakyll/drive

    Like I said, it has been taken over by Emmanuel Odeke, and its GitHub repository is located here:
    https://github.com/odeke-em/drive

    It's a command-line interface only, but pretty easy to use.

    You will need to have golang installed along with git and mercurial:

    Code:
    dnf install golang git mercurial
    Once golang is installed, it will need a $GOPATH env variable set up. For more information about golang, Google is your friend, since they also invented the Go language:
    Code:
    export GOPATH=(YOURGOPATHDIR)
    A simple install is:

    Code:
    cd $GOPATH
    go get -u github.com/odeke-em/drive/cmd/drive
    And I'm more than certain this is a trustworthy piece of code, and an invaluable one for those who are trying to use Google Drive as remote backup.

    The bin directory inside your $GOPATH dir has the drive binary; just copy that to your /usr/bin dir and go from there.

    Also, I have personally never used grive, but you should always investigate RPMs before you install them... Fedora is almost bullet-proof, but once you install something inside the system that isn't from a repository or something you know to be good, you can easily compromise that bullet-proofness.
    Last edited by rip057; 27th October 2015 at 08:24 AM.
