How to detect ill effects of clicking on a link in an malicious email?
https://askubuntu.com/questions/1568462/how-to-detect-ill-effects-of-clicking-on-a-link-in-an-malicious-email
I was stupid enough to fall for what purported to be an e-invitation in my inbox from someone in my address book. I went so far as to click on what was labeled as “View Invitation” and landed on some page that said something like “that event has already past” before it dawned on me that I might have just been pwned.
First sensible thing I did was put the device (laptop running Ubuntu 24.04.4 LTS) into airplane mode (I'm typing this on another device). Then I checked the full message body. I didn't see anything that looked fishy in the SMTP headers, but careful inspection of the visible message reveals it's bogus: It bears a surface resemblance to something from Evite, but the URLs that Thunderbird shows when I cursor-hover over various of the message’s features involve paperlessinvguestview.com and paperlessgrandivio.com. (Yes of course I should have glanced at the lower-left corner of the message’s window before clicking: we have already established that I was stupid.)
Next I looked up both domains on check-host.net. For the first one it turned up nothing (so maybe it's already been shut down?), but for the second it resolved to 104.21.72.204, which it attributed to Cloudflare.
Since I didn't type anything at all, let alone any sensitive information, the only bad potential effect I have thought of is inadvertently downloading/running evil things (of course there may be other bad effects that haven’t occurred to me).
My main question is: How can I detect what harm if any has been done?
I figured I could look to see what files had recently been modified, so at the command line I ran:
find / -mmin -240 -mmin +120 -type f -exec ls -lt {} +
Of course this returned some 1300 lines to stdout (plus more than 1400 lines of “Permission denied” to stderr), but when I filtered that by grep -v \.cache, it fell to a manageable 550 lines. Perusing that didn't unearth any smoking guns either, at least not smoking heavily enough for me to recognize it. A whole lot of 0-length files in /proc and /sys/fs/cgroup/user.slice, and some data in some of my password manager’s cache directories; stuff like that. It did occur to me to wonder about all those unreadable (system) directories, but I was reluctant to rerun the find inside a sudo because who knew if, say, I was now running a key logger that would capture my root password.
I have also run ps -aux, but again from out of its 314 lines of output, there is nothing that stands out to me along the lines of rm /*. It was the same for top. Likewise, perusing contents of /var/log turns up nothing that makes ME panic (kern.log, syslog, and auth.log are the only files modified since, and none is obviously shouting, “Danger!”).
I checked out this question and this one too, but I figure a whole lot may have changed in the more or less decade since they were posted.
I guess at some point I will just have to risk connecting again, if only to install something like ClamAV?