LinuxQuestions.org


dave.h 12-30-2013 07:25 PM

Infected Home Directory
 
Sorry this is my first post - so hopefully I'm not breaking with proper protocols.

Problem: Unknown folder (~1Gb) in my home directory with a random alphabetic character name, and with files that again have randomly generated alphabetic names.

I am unable to remove/delete the directory and files, even when booting from live alt-distro. 'rm -R' just keeps running and the folder size doesn't change.

Any suggestions?

Thx!

dh

fatalfrrog 12-30-2013 07:31 PM

Is it growing? What are the permissions? Can you remove individual files? (rm -r might be crawling because it's inefficient with large directories)

I am also in AZ (Phoenix) running 14.1, maybe send me a PM and see if I can check it out.

hitest 12-30-2013 07:51 PM

If you have conclusively determined that you have been rooted I would re-install from known safe media (your Slackware 14.1 DVD). Did you find other evidence of a penetration? Are you running some type of firewall (software/hardware)? When you re-install make sure a good firewall is in place. Change all passwords. Monitor your credit card statements.

qweasd 12-30-2013 08:19 PM

Quote:

Originally Posted by dave.h (Post 5089311)
I am unable to remove/delete the directory and files, even when booting from live alt-distro. 'rm -R' just keeps running and the folder size doesn't change.

Are you sure you got "infected"? A more prosaic (and IMHO, more likely) scenario is a borked filesystem, and the reason for that, in turn, may be a borked drive. Have you tried fscking the corresponding partition from a live CD? The result could be very illuminating.

If, on the other hand, you are more than 10% sure you got rooted, just go with what hitest says above. Do your best to determine the attack vector, then wipe and reinstall.

perbh 12-30-2013 08:38 PM

Could you give us the name of this 'top' folder? (it wouldn't - by any chance - start with '.g'?)

metaschima 12-30-2013 09:00 PM

Are you sure it isn't some type of filesystem corruption?

dave.h 12-30-2013 10:09 PM

OK - I'll try to answer all your questions as best I can...

It's not growing - at least that I've noticed since last evening.
As far as permissions, nothing unusual - the owner is myself and the group 'users'.
path: /home/dave/JIodqkIaXJ

I'm not too concerned about security breaches at this point, but I'm unsure of the origin of this directory/files, and the fact that I'm unable to easily remove it made me think it best to post the issue.

As for whether I've been rooted?? That's why I am posting and was hoping for some guidance. I'll try scanning from a live CD for a start.

Thx.

dh
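A read-only triage of the directory described above, added here as an example (it is not from the thread or any of its posters): it reports the checks that usually explain an "rm -r that never finishes" (entry count, immutable/append-only attributes, a mount hiding under the path, filesystem type) before anyone reaches for fsck or a reinstall. It assumes GNU coreutils stat and e2fsprogs lsattr, as on Slackware, and takes the path as its argument.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of a directory that
# "rm -r" never finishes removing. Nothing here modifies the directory.
# Assumes GNU coreutils (stat -c) and e2fsprogs lsattr, as on Slackware.

# Count direct entries only, so a huge or looping tree does not stall the check.
dir_entry_count() {
    find "$1" -mindepth 1 -maxdepth 1 -print 2>/dev/null | wc -l | tr -d ' '
}

# "yes" when the immutable (i) or append-only (a) attribute is set: rm fails
# even as root until chattr clears it. "unknown" if lsattr is unavailable.
dir_has_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo unknown; return 0; }
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case $flags in
        *i*|*a*) echo yes ;;
        *)       echo no ;;
    esac
}

# "yes" when the directory is its own mount point (bind, FUSE, network mount):
# rm would then be working through the mount, not on a plain directory.
dir_is_mountpoint() {
    if [ "$(stat -c %d "$1" 2>/dev/null)" != "$(stat -c %d "$1/.." 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# Print one summary line per check; returns non-zero on a missing path.
triage_dir() {
    d=$1
    [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }
    printf 'path:        %s\n' "$d"
    printf 'owner/mode:  %s\n' "$(stat -c '%U:%G %A' "$d" 2>/dev/null)"
    printf 'entries:     %s\n' "$(dir_entry_count "$d")"
    printf 'immutable:   %s\n' "$(dir_has_immutable "$d")"
    printf 'mountpoint:  %s\n' "$(dir_is_mountpoint "$d")"
    printf 'fs type:     %s\n' "$(stat -f -c %T "$d" 2>/dev/null)"
}

# Usage on the path quoted in the thread:
#   triage_dir /home/dave/JIodqkIaXJ
```

If "immutable" comes back "yes" the directory is unremovable by design rather than corrupt; if "mountpoint" is "yes", check the mount table before deleting anything.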

hitest 12-30-2013 10:16 PM

Quote:

Originally Posted by dave.h (Post 5089368)
As for whether I've been rooted?? That's why am I posting and was hoping for some guidance. I'll try scanning from a live CD for a start.

Thx.

dh

You could try to scan for root kits. The rkhunter utility is something you could use to see if you have been compromised. You can install rkhunter from the good people at slackbuilds.org. That may be a place to start.

ReaperX7 12-30-2013 10:31 PM

rkhunter and chkrootkit both should be able to eliminate any rootkits in your system.

You should also consider grabbing a free Linux antivirus scanner to perform a follow up scan as most of these can now accurately detect malware and rootkits.

BitDefender Scanner for UNICES is a good free one as is the SBo available ClamAV. BitDefender even has a rescue disk but I'm not sure if it'll work on Linux as it's mainly geared for Windows. If anything is lurking in your system they should detect it. Also, check your cron jobs, rc startup scripts, and any other autorun utility scripts to make sure nothing malicious has been inserted into the scripts to run without provocation.

If you need a firewall grab the iptables script from AlienBOB's website and drop it in with basic ports only programmed in. Try to limit access outbound on your network also.

You should also consider using a program like Samhain as well for HIDS.

Reinstallation should only be a last resort technique unless the malware has circumvented your kernel and other core software packages.
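A minimal file-integrity baseline for the startup scripts and cron entries the post above says to inspect, added here as an example (not from the thread, and not Samhain's own code) in the spirit of its HIDS suggestion. It assumes GNU coreutils sha256sum; /etc/rc.d and /var/spool/cron are Slackware's locations and are only suggested arguments, not hard-coded.

```shell
#!/bin/sh
# Added example (not from the thread): record sha256 hashes of rc startup scripts
# and cron files, then report what changed. Assumes GNU coreutils sha256sum.

# Hash every regular file under the given directories into the baseline file.
# Keep the baseline on read-only or offline media, or an intruder can update it too.
baseline_create() {
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sort -k2 > "$out"
}

# Re-hash the same directories and print ADDED / CHANGED / REMOVED paths relative
# to the baseline. Returns 1 if anything differs, so it can drive a cron alert.
baseline_verify() {
    base=$1; shift
    cur=$(mktemp)
    baseline_create "$cur" "$@"
    report=$(awk -v b="$base" '
        FILENAME == b { old[$2] = $1; next }
        !($2 in old)  { print "ADDED   " $2; next }
        old[$2] != $1 { print "CHANGED " $2 }
                      { delete old[$2] }
        END { for (p in old) print "REMOVED " p }' "$base" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use on Slackware (as root), with the baseline taken while the box is known good:
#   baseline_create /root/rc-baseline.sha256 /etc/rc.d /var/spool/cron
#   baseline_verify /root/rc-baseline.sha256 /etc/rc.d /var/spool/cron
```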

fatalfrrog 12-30-2013 11:15 PM

Quote:

Originally Posted by ReaperX7 (Post 5089385)
Reinstallation should only be a last resort technique unless the malware has circumvented your kernel and other core software packages.


A reinstall should be a first-resort technique! In the event of a root-level compromise, you must assume you cannot get rid of it 100%. Wipe and restore from the last known good backup!

dave.h 12-30-2013 11:40 PM

Thanks ReaperX7!

As for the scan with both rkhunter and chkrootkit: I had a couple of odd file warnings with rkhunter (/usr/bin/adduser, ldd, whatis) and a warning for inetd services, and for chkrootkit 'nothing found' or 'not infected'...

Clamav is installed, but I will try scanning from a live CD as well. This may take some time given the directory in question is nearly infinite.
My system is on a laptop so I am using AlienBob's easy firewall already, and mostly from behind my home dd-wrt router. I only stop it when dealing with LAN routing issues.

I'll try Samhain and HIDS as well... and will post the results.

I agree - a complete re-install is a last resort. I'd prefer to understand the root of the problem first.

dh

jon lee 12-30-2013 11:45 PM

I would hit tab on lilo and enter init=/bin/sh rw
Then I would rm -rf said directory

Actually a thorough cleansing once in a while can be useful without going through a full reinstall..

cd /home/$user
rm -rf *
rm -rf .*

Same with /root, /tmp, /var/tmp, /usr/tmp

Edit: Oh, it'll make it easier if you also do a
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
export PATH

(first)

Z038 12-31-2013 12:43 AM

Quote:

Originally Posted by jon lee (Post 5089413)
Actually a thorough cleansing once in a while can be useful without going through a full reinstall..

cd /home/$user
rm -rf *
rm -rf .*

Same with /root, /tmp, /var/tmp, /usr/tmp

Did you really mean to suggest this? Clearing /tmp and possibly even /var/tmp occasionally, ok. But I hope no one takes your advice on removing all files in their home directory. That is a reckless thing to suggest, except perhaps to people who only use their login account for browsing the internet, and never save anything important in their home directory (like photos, personal or financial documents, email, ssh keys, source code, shell scripts, config files, etc).

ReaperX7 12-31-2013 02:07 AM

Quote:

Originally Posted by fatalfrrog (Post 5089402)
A reinstall should be a first-resort technique! In the event of a root-level compromise, you must assume you cannot get rid of it 100%. Wipe and restore from the last known good backup!

That might have been the case 10 years ago, but unless you are certain it is a 100% root-kernel compromise, reinstalling is literally wasting time and resources. It's best to start with damage control and cleanup first, then assess the situation as to how to proceed.

astrogeek 12-31-2013 02:13 AM

!!!YIKES!!!

Quote:

Originally Posted by jon lee (Post 5089413)
I would hit tab on lilo and enter init=/bin/sh rw
Then I would rm -rf said directory

Actually a thorough cleansing once in a while can be useful without going through a full reinstall..

cd /home/$user
rm -rf *
rm -rf .*

Same with /root, /tmp, /var/tmp, /usr/tmp

Edit: Oh, it'll make it easier if you also do a
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
export PATH

(first)

I say again - !!!YIKES!!!

I do not doubt that someone told you this when you were a noob, we all get unsound advice! But you should seriously rethink this and never recommend it to some unsuspecting and trusting soul looking for help!

!!!YIKES!!!
