LinuxQuestions.org

Was my pc hacked? (am I a slave?) (https://www.linuxquestions.org/questions/linux-newbie-8/was-my-pc-hacked-am-i-a-slave-4175655727/)

0loxw0qk 06-14-2019 04:22 PM

Was my pc hacked? (am I a slave?)
 
Hi there,
I'm new to Ubuntu and using Ubuntu 18.04 on my PC.

A few days back, I noticed a text file named "pwn3d.txt" in my home folder. The text inside the file was: "You are (fully) pwn3d due to a homobraphic error on your software dependencies"

I didn't notice any unusual activity and my accounts weren't hacked. Also, I don't remember installing any suspicious software or running any unauthorized scripts.

But still, I panicked and reinstalled my Ubuntu (I still have Windows installed). Today I tried to dig into the logs to see if I could find any suspicious behavior, and I think I found a few things:

My firewall (UFW) is blocking tons of stuff:
https://i.stack.imgur.com/zLs4M.png - screenshot of a few examples

I have --slave commands; a few examples from alternatives.log:
update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz

update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz

update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz

When I ran the following command: cat /etc/passwd|grep '/bin/bash' I got the following result alongside my own username:
root:x:0:0:root:/root:/bin/bash

Any suggestions? Am I under attack? Should I format my computer? Is there any danger to other devices on my network (laptops, router, streamers)?

Please help me.

WideOpenSkies 06-14-2019 09:28 PM

Nuke your computer and install Ubuntu from a certified distributor.

frankbell 06-14-2019 10:10 PM

I looked at this post earlier tonight. I'm inclined to agree with Contrapak, especially if you don't have any crucial data on that box. A web search for "pwn3d.txt" turned up some awfully fishy links, but I felt I didn't know enough to respond at that point.

Alternatively, you could boot to a Live CD of something, install a malware scanner to the live environment, disconnect from any networks, and scan the HDD.

You may also wish to look at this Wikipedia article: https://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F

ondoho 06-15-2019 03:04 AM

Quote:

Originally Posted by 0loxw0qk (Post 6005377)
I panicked and reinstalled my Ubuntu (I still have Windows installed). Today I tried to dig into the logs to see if I could find any suspicious behavior, and I think I found a few things:

My firewall (UFW) is blocking tons of stuff:
https://i.stack.imgur.com/zLs4M.png - screenshot of a few examples

I have --slave commands; a few examples from alternatives.log:
update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz

update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz

update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz

When I ran the following command: cat /etc/passwd|grep '/bin/bash' I got the following result alongside my own username:
root:x:0:0:root:/root:/bin/bash

All this is perfectly normal.
UFW blocks a lot of internal chatter mostly between your box and your router.
Some commands have --slave options.

Since you already did a full reinstall I don't see what more you can do (except for the Windows side - there I'm totally ignorant).
But of course it's better to be safe than sorry, and get into deep malware scanning.
That would probably include booting from a Live USB system or such; I'm sure specialised distros exist.
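The `grep '/bin/bash'` check from the original post only shows which accounts have bash as their shell, and root having /bin/bash is the Ubuntu default. A more useful check is whether any account other than root has UID 0, and which accounts have a login shell at all. This is an added example, not code from anyone in the thread; the passwd content is constructed, with "backup2" planted as the kind of anomaly that would actually be worth worrying about.

```shell
#!/bin/sh
# Added example: audit an /etc/passwd-format file for (a) extra UID-0
# accounts and (b) accounts that can log in interactively.

# Constructed sample; "backup2" is a planted UID-0 anomaly, not real data.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh'

# Print user names with UID 0 other than root. Arg: path to a passwd file.
# On a healthy Ubuntu install this prints nothing.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "user:shell" for accounts whose shell is a real shell, i.e. not
# nologin, false or sync. Root appearing here is expected.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 ":" $7 }' "$1"
}

# Count of login-shell accounts, without wc's platform-dependent padding.
count_login_shells() {
    login_shell_accounts "$1" | awk 'END { print NR }'
}

# Human-readable summary; returns the ALERT line when extras exist.
audit_passwd() {
    extras=$(extra_uid0_accounts "$1")
    if [ -n "$extras" ]; then
        echo "ALERT: non-root accounts with UID 0: $extras"
    else
        echo "OK: root is the only UID 0 account"
    fi
    echo "Accounts with a login shell:"
    login_shell_accounts "$1"
}

# Stand-alone run against the constructed sample; on a live system you
# would pass /etc/passwd instead.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

Run it against /etc/passwd on the reinstalled box; root plus your own user in the login-shell list, and an empty UID-0 list, is the normal result.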

FlinchX 06-15-2019 06:44 AM

Quote:

Originally Posted by Contrapak (Post 6005448)
certified distributor.

What's this?

frankbell 06-15-2019 08:41 PM

For most Linux distros, the most "certified distributor" is the distro's own website.

allend 06-15-2019 08:55 PM

I found this forum post.
It appears that the JavaScript was loaded when the user was using npm.
The script appears to be innocuous, as real malware would not advertise its presence. Also, the link in the script to homografo.junquera.xyz does not resolve.

ondoho 06-15-2019 11:09 PM

^ Good research!
The question about how you can even get that stuff seems to be answered here:
Quote:

Originally Posted by slutti
I've been installing a lot through npm the last few days, just for experimenting


Ktasy 06-17-2019 05:19 AM

Quote:

Originally Posted by frankbell (Post 6005739)
For most Linux distros, the most "certified distributor" is the distro's own website.

Totally agree.

d745fba1cb70ab9dc02a80ee 06-17-2019 01:45 PM

If your computer is doing anything that seems suspicious, or there is any other reason to believe that your computer might have malware, assume that it does and reinstall the affected OS. If you aren't sure which OS got infected, reinstall all of them. After you do that, change all of your passwords and keys, and monitor for any fraud. Check your other devices for malware as well.

