Ubuntu Machine Has Malware And Spyware....Need Help!
Greetings,
I've been using Ubuntu Hardy Heron distro since I bought a preloaded machine with this company's (in Georgia--'Eight Virtues') own version of Ubuntu on it.
Here's what I need.
Someone else besides myself has administrator (sudo) control over my machine.
It's being spammed with porn, and it's got a keylogger on it.
I found these malware with a spyware finder search.
Please don't tell me that Ubuntu CAN'T be cracked, because ANY computer can be cracked by a gifted and talented cracker.
I've had a command to completely wipe the hard drive clean, and I'm using it as sudo, but when I finish the command, it says "permission denied".
Here's what I need:
1. I need to completely wipe the hard drive clean. What if someone ELSE has sudo control over my machine (and I'm the *only* person using this machine)? Is there any way to 'override' the sudo user??
2. I need to flash the BIOS. Is it possible to RESET the BIOS to the factory settings by popping out the battery for like 15 minutes, and then re-inserting it?
3. Let's assume for a minute that the spyware finder was right and this machine really is being spammed with porn and has a keylogger on it and other malware. Would completely wiping the hard drive 7 times over take this stuff off?
4. I've got a copy of the BIOS from the seller of the machine, Eight Virtues in Stone Mountain, GA, but when you put the BIOS in and do the correct command line, it will only go through part of the process and not finish it. Since I have the correct command for flashing the BIOS, I really don't understand why this is not working. That's why I was asking about popping the BIOS battery out and resetting it back to the factory settings.
5. If I was able to get this computer clean again, can you please tell me if there is any way to keep Ubuntu Hardy Heron safer from outside intruders. Yeah, yeah, I know it's supposed to be a completely safe distro, I heard this many times before I bought it, but in my case this has proved to be untrue. I'm using a D-Link high-speed gaming router, which also has a password on it, but this has proven ineffective.
6. I've also thought of just going back to the simple Hardy Heron OS that I also have a copy of instead of using the OS that came with the machine, which I also have on a disk that I got from Eight Virtues.
7. Perhaps somebody on this forum could give me the command line for Hardy Heron to wipe the hard drive clean, perhaps the one I found in a Google search is simply incorrect. That's possible, if not very likely.
I know that I've asked a lot of questions for a first post, but I really need help.
I've consulted Google many times looking for the questions that I've asked here, and have found little help.
I also have 'Beginning Ubuntu Linux' (Third Edition) by Keir Thomas and Jamie Sicam, which has not been very helpful at all.
So, I've looked elsewhere for help before I came to this forum to ask.
Thank you for your time and energy, and please don't lecture me about how "safe" Ubuntu Hardy Heron is, because I've heard all of that before.
What I am telling you is the truth, and is actually happening to me.
Thanks a lot.
Ubuntu Lou
Last edited by Ubuntu Lou; 12-22-2008 at 11:31 AM.
If you're intent on erasing the hard drive, get a live CD of Ubuntu or any other distro and reinstall. The formatting WILL erase all previous data. Disconnecting the BIOS battery will reset the BIOS. Some require that you hold the power button down for about a minute while the battery is removed and then put it back in. Good luck!
3. Let's assume for a minute that the spyware finder was right and this machine really is being spammed with porn and has a keylogger on it and other malware. Would completely wiping the hard drive 7 times over take this stuff off?
Dangerous assumption. Where did you get this spyware finder? If you found it on some random web page, chances are it's a fake.
I'm intrigued. Got a link for that spyware scanner?
Anyway, just re-install from normal Ubuntu discs downloaded from the Ubuntu site. If you're feeling really, really paranoid, go for:
$ sudo su -
# dd if=/dev/zero of=/dev/sda
This will clobber _all_ data on the sda drive (check which drive this is if there's any data on any drive you want to keep).
I'd just re-install though.
Securing it afterwards?
1) Don't allow admin access to your router from WAN or wireless.
2) Switch off sshd, telnet, vnc and anything else that allows a remote login
3) Job done.
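The "check which drive this is" step deserves more than a glance at df. Below is an added example, not code from any poster in this thread: a few POSIX sh functions that take mount-table text in the format of /proc/mounts (a constructed sample is embedded; on a real box you would feed it `cat /proc/mounts`), work out which whole disk each mounted filesystem lives on, and print what a wipe of a given disk would destroy, refusing the disk that carries the running root filesystem. It assumes the sd/hd naming of the era (partition number appended to the disk name).

```shell
#!/bin/sh
# Added example, not from the thread. Maps a /proc/mounts-style table to the
# parent disks behind it, so a wipe hits the disk you actually mean.

# Constructed sample in /proc/mounts format (device, mount point, fstype,
# options, dump, pass). On a live system: cat /proc/mounts
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda5 /home ext3 rw,relatime 0 0
/dev/sdb1 /media/backup ext3 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /lib/init/rw tmpfs rw,nosuid 0 0'

# parent_disk DEVICE -> strip the trailing partition number:
# /dev/sda5 -> /dev/sda, /dev/hda1 -> /dev/hda; whole disks pass through.
parent_disk() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# disk_of_mount MOUNTS MOUNTPOINT -> the disk backing MOUNTPOINT, looking
# only at real block devices under /dev/ (rootfs, proc, tmpfs are skipped).
disk_of_mount() {
    mounts=$1; mp=$2
    dev=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$1 ~ /^\/dev\// && $2 == mp { print $1 }' | tail -n 1)
    [ -n "$dev" ] || return 1
    parent_disk "$dev"
}

# disks_in_use MOUNTS -> sorted unique list of disks with anything mounted.
disks_in_use() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// { print $1 }' | sed 's/[0-9]*$//' | sort -u
}

# wipe_plan MOUNTS TARGET -> list every mounted filesystem a wipe of TARGET
# would destroy. Returns 1 if TARGET holds the live root filesystem: wiping
# the disk you are running from is how dd dies part way through, which is
# why the thread says to boot from a live CD first.
wipe_plan() {
    mounts=$1; target=$2
    root=$(disk_of_mount "$mounts" /) || root=""
    printf '%s\n' "$mounts" | awk -v t="$target" \
        '$1 ~ /^\/dev\// && ($1 == t || $1 ~ ("^" t "[0-9]+$")) { print "would destroy " $2 " (" $1 ", " $3 ")" }'
    if [ "$root" = "$target" ]; then
        echo "$target holds the live root filesystem: boot a live CD first"
        return 1
    fi
    return 0
}
```

Run `wipe_plan "$(cat /proc/mounts)" /dev/sdX` before any dd; an empty list means nothing mounted lives there, a warning means you are about to pull the floor out from under the running system.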
Let's assume for a minute that the spyware finder was right and this machine really is being spammed with porn and has a keylogger on it and other malware. Would completely wiping the hard drive 7 times over take this stuff off?
Wiping 7 times is complete overkill. In your situation a basic wipe with all zeroes will be fine.
The most I ever do is two passes: One with /dev/urandom, the other with /dev/zero (I do this only to be sure private data does not stay on a machine that is leaving my possession.)
You should also report the issues to the company that provided the machine.
If you need remote access, get Start up Manager through Synaptic and password-protect your recovery login. This will stop anyone from getting super user status easily.
I found these malware with a spyware finder search.
Calm down.
It's a fake.
It pops up a window along the lines of "Your computer is infected!!!! Click this link to fix it". Maybe it even says "And pay us $9.99".
In Linux: Go ahead and click it. The worst that can happen is Linux will say "What do you want to do with the file malware.exe ? Save, Ignore, Open with an editor?"
In Windows: Malware is installed, and you pay $9.99 for it.
Someone else besides myself has administrator (sudo) control over my machine.
How can you tell? Do you have any hints? Or even better: log data to show us?
Quote:
Originally Posted by Ubuntu Lou
It's being spammed with porn,
Receiving unwanted emails of the pr0n kind doesn't constitute a breach of security.
Quote:
Originally Posted by Ubuntu Lou
and it's got a keylogger on it. I found these malware with a spyware finder search.
I'll echo the others asking for that "spyware" scanner. Posting actual log data and scan results might help us determine. That is, if you would like a second opinion. I'm not saying I don't believe you but, with all due respect, it wouldn't be the first time we saved somebody from reformatting because their perception of things and events did not correlate with reality.
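The "how can you tell, do you have log data?" question above, and ilikejam's point earlier about remote logins, both come down to evidence you can pull off the box in a minute. This is an added example, not code from anyone in the thread: POSIX sh functions that read /etc/sudoers, /etc/group and /var/log/auth.log text and list who can become root, which sudo sessions and SSH logins were actually recorded, and which of those are not the one person who is supposed to be using the machine. The three samples are constructed (the `backupsvc` entry and the `/opt/agent/run` command are invented for the demonstration, not anything from this thread); on a real Hardy box you would pass in `sudo cat /etc/sudoers`, `cat /etc/group` and `sudo cat /var/log/auth.log`.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed stand-ins for
# /etc/sudoers, /etc/group and /var/log/auth.log; real boxes: read the
# files with sudo and pass their contents to the functions below.

SAMPLE_SUDOERS='Defaults        env_reset
root    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
backupsvc ALL=(ALL) NOPASSWD: ALL'

SAMPLE_GROUP='root:x:0:
admin:x:115:lou
sudo:x:27:'

SAMPLE_AUTHLOG='Dec 22 11:20:03 hardy sudo:      lou : TTY=pts/0 ; PWD=/home/lou ; USER=root ; COMMAND=/usr/bin/apt-get update
Dec 22 11:25:41 hardy sudo:      lou : TTY=pts/0 ; PWD=/home/lou ; USER=root ; COMMAND=/bin/dd if=/dev/zero of=/dev/sda
Dec 22 11:26:09 hardy sudo: backupsvc : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /opt/agent/run
Dec 22 11:30:00 hardy sshd[2231]: Accepted password for lou from 192.168.0.10 port 51022 ssh2'

# sudo_principals SUDOERS GROUP -> every user who can run commands through
# sudo, one per line, with %group entries expanded via the group file.
sudo_principals() {
    sudoers=$1; groups=$2
    printf '%s\n' "$sudoers" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || NF == 0 { next }
        NF >= 2 && index($2, "=") > 0 { print $1 }
    ' | while IFS= read -r who; do
        case $who in
            %*) g=${who#%}
                members=$(printf '%s\n' "$groups" | awk -F: -v g="$g" '$1 == g { print $4 }')
                printf '%s\n' "$members" | tr ',' '\n' | sed '/^$/d' ;;
            *)  printf '%s\n' "$who" ;;
        esac
    done | sort -u
}

# sudo_sessions AUTHLOG -> "user command" for every sudo line syslog kept.
sudo_sessions() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^sudo/ { cmd = $0; sub(/.*COMMAND=/, "", cmd); print $6 " " cmd }'
}

# remote_logins AUTHLOG -> "user from address" for each accepted SSH login.
remote_logins() {
    printf '%s\n' "$1" | awk '$5 ~ /^sshd/ && $6 == "Accepted" { print $9 " from " $11 }'
}

# unexpected_sudo ME SUDOERS GROUP AUTHLOG -> principals and recorded sudo
# sessions that are not ME (root itself is expected in sudoers). On a
# single-user machine any output here is the evidence worth posting.
unexpected_sudo() {
    me=$1
    sudo_principals "$2" "$3" | awk -v me="$me" '$1 != me && $1 != "root" { print "principal " $1 }'
    sudo_sessions "$4" | awk -v me="$me" '$1 != me { print "session " $0 }'
}
```

The sudoers parser handles the plain "user/group, host=..." specs shown; it does not expand User_Alias lines, so a sudoers that uses aliases needs those read by hand. Because the output names both the grant and the session that used it, it separates "someone else has sudo" from "a scareware pop-up said so".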
Will the command below totally erase the HARD DRIVE?
If NOT, do you know the right command for THAT?
Thank you *all* very much for your help!
Lou
Quote:
Originally Posted by ilikejam
I'm intrigued. Got a link for that spyware scanner?
Anyway, just re-install from normal Ubuntu discs downloaded from the Ubuntu site. If you're feeling really, really paranoid, go for:
$ sudo su -
# dd if=/dev/zero of=/dev/sda
This will clobber _all_ data on the sda drive (check which drive this is if there's any data on any drive you want to keep).
I'd just re-install though.
Securing it afterwards?
1) Don't allow admin access to your router from WAN or wireless.
2) Switch off sshd, telnet, vnc and anything else that allows a remote login
3) Job done.
Those commands will be enough to render the filesystems on /dev/sda completely unusable (run 'df -kl' to see what's mounted on what disks, it may not be sda on your system - post the output if you've got any doubts/questions), and any malware similarly so. I'd be willing to bet that the system would crash hard at some point during the operation, but by that point you'd have easily done enough. The 'dd' command will first completely clobber the partition table and boot loader, then start writing over each partition in sequence until the machine crashes, or the dd command writes over every last byte on the disk. Once the partition tables are gone the disk is effectively blank as far as any operating system is concerned, so after a couple of seconds you should end up with an un-bootable system, and anything on the disk will be neutralised.
You'd get just as much protection /in this case/ by simply re-installing, and choosing to format any existing filesystems, though. If you have any doubts about the integrity of your host, re-install. If nothing else it'll give you peace of mind - once the filesystem(s) have been (re)formatted, you're safe.
I'll be honest, though - I /seriously/ doubt you've got any malware on your system unless the people you got the machine from are actively malicious. Please do provide a link to the scanner you used - LinuxQuestions is consistently high on Google's results, so you might save someone else from some serious hassle if we can pick apart what's happened to you.
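The claim that the partition table and boot loader go first, and that the disk is blank to any OS once sector 0 is zeroed, can be shown without touching a real drive. Below is an added example, not code from anyone in the thread: it builds a 1 MiB file as a stand-in disk with a fake MBR (marker text where a boot loader would sit, a marker where the partition entries start, and the 0x55 0xAA boot signature at offset 510), checks the signature the way firmware does, zeroes just the first 512 bytes with the same dd invocation the thread uses, and checks again. The same two read-only checks work against /dev/sdX if you want to confirm a wipe actually landed.

```shell
#!/bin/sh
# Added example, not from the thread. A temporary file stands in for the
# disk so nothing real is overwritten; the two check functions are
# read-only and work on a real block device too.

# mbr_signature_present IMAGE -> 0 if bytes 510-511 are 0x55 0xAA, the
# signature firmware looks for before treating sector 0 as a valid MBR.
mbr_signature_present() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# first_sector_zero IMAGE -> 0 if every one of the 512 bytes in sector 0 is
# zero, i.e. boot code, partition table and signature are all gone.
first_sector_zero() {
    nonzero=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000' | wc -c)
    [ "$nonzero" -eq 0 ]
}

# make_fake_disk IMAGE -> 1 MiB of zeros with a fake MBR laid over it:
# marker text at offset 0 (boot code area), marker at 446 (first partition
# entry), 0x55 0xAA at 510. Constructed; not a real partition layout.
make_fake_disk() {
    img=$1
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    printf 'FAKE-BOOTLOADER' | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    printf 'FAKE-PARTITION-1' | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# zero_first_sector IMAGE -> what the first instant of the thread's
# "dd if=/dev/zero of=/dev/sda" does: overwrite sector 0 and nothing else.
zero_first_sector() {
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# demo -> 0 when the image carries a valid-looking MBR before the wipe and
# a fully zeroed sector 0 after it; cleans up its temporary file either way.
demo() {
    img=$(mktemp) || return 1
    make_fake_disk "$img"
    if ! mbr_signature_present "$img" || first_sector_zero "$img"; then
        rm -f "$img"; return 1
    fi
    zero_first_sector "$img"
    if mbr_signature_present "$img" || ! first_sector_zero "$img"; then
        rm -f "$img"; return 1
    fi
    rm -f "$img"
    return 0
}
```

A disk that fails `mbr_signature_present` and passes `first_sector_zero` is exactly the "effectively blank as far as any operating system is concerned" state described above; what remains further in is why the thread still recommends letting the installer reformat the filesystems.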
To continue with the general theme of "you've been hoaxed" here is a random news-site about the recent federal court injunction against scareware purveyors:
Quote:
A Baltimore federal court judge ordered six absent defendants yesterday - including one from Maryland - to shut down Internet businesses that the Federal Trade Commission claims are part of a vast $100 million "scareware" scheme that tricked more than a million people into purchasing useless security software by making them think their computers were under attack.
"The evidence in this case is quite overwhelming," said U.S. District Judge Richard D. Bennett.
He also extended a freeze on the defendants' assets and signed an order requiring them to show why they shouldn't be held in contempt of court for missing the hearing and ignoring an earlier restraining order.
Bennett promised he would issue arrest warrants within five days if this round of orders in the civil case is ignored.
I could tell you the real truth about HOW all of this happened, but you wouldn't believe me anyway.
I've been laughed at, and had people think that I'm a nut case before, when I simply asked politely for help.
It's a real long story anyway. And it's got some kind of 'X-Files' moments, in it too.
Here's what I did.....I used BOTH commands that you gave me, and *neither* of them worked.
I also used these yesterday (I found them on Google):
Using sudo (just as I did tonight with your commands).
dd if=/dev/random of=/dev/hda bs=1024 count
# shred -vfz -n 100 /dev/hda
Here's what I'm gonna TRY next: reset the BIOS (which has been corrupted) by taking the battery out, and pressing on the start button.
THEN, I'm gonna install a regular Ubuntu Hardy Heron OS on it and try your commands AGAIN.
There's a keylogger in the BIOS, please don't tell me that this is impossible, because HOW it was installed (long distance, on the internet), by a tool that was specifically designed & made to do exactly this.
There's only a very small amount of space on the BIOS, but it's enough for a keylogger.
Until the keylogger is gone, it's probably impossible to fix any of these other problems.
I just wanted you to know that I did EXACTLY what you told me, and it did not work....I entered the exact command using sudo.
Onward in the fog.....Lou
Quote:
Originally Posted by ilikejam
Those commands will be enough to render the filesystems on /dev/sda completely unusable (run 'df -kl' to see what's mounted on what disks, it may not be sda on your system - post the output if you've got any doubts/questions), and any malware similarly so. I'd be willing to bet that the system would crash hard at some point during the operation, but by that point you'd have easily done enough. The 'dd' command will first completely clobber the partition table and boot loader, then start writing over each partition in sequence until the machine crashes, or the dd command writes over every last byte on the disk. Once the partition tables are gone the disk is effectively blank as far as any operating system is concerned, so after a couple of seconds you should end up with an un-bootable system, and anything on the disk will be neutralised.
You'd get just as much protection /in this case/ by simply re-installing, and choosing to format any existing filesystems, though. If you have any doubts about the integrity of your host, re-install. If nothing else it'll give you peace of mind - once the filesystem(s) have been (re)formatted, you're safe.
I'll be honest, though - I /seriously/ doubt you've got any malware on your system unless the people you got the machine from are actively malicious. Please do provide a link to the scanner you used - LinuxQuestions is consistently high on Google's results, so you might save someone else from some serious hassle if we can pick apart what's happened to you.
There's a keylogger in the BIOS, please don't tell me that this is impossible, because HOW it was installed (long distance, on the internet), by a tool that was specifically designed & made to do exactly this.
You are aware that Linux doesn't use the BIOS once it gets into the boot process, right?
If you're utterly convinced that you've been compromised, then nothing I or anyone else says will persuade you otherwise. Let's work on that premise.
If you doubt the integrity of the BIOS on your motherboard w.r.t. keyloggers et al., then you and I both know that you need to not use that motherboard. So don't. Chuck it in the bin and be done with it. Buy a new motherboard. No amount of drive wiping will be sufficient for your ends.
"I could tell you the real truth about HOW all of this happened, but you wouldn't believe me anyway."
Try me. PM me if you feel the need. You're giving off some serious paranoid vibes here, but if you have reason to be paranoid then fair enough - you'll know if you're willing to share accordingly.