LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 10-11-2020, 04:20 PM   #16
wpeckham
LQ Guru
Quote:
Originally Posted by sgosnell View Post
Which is it? 100% or 30%? You are contradicting yourself.
I have the feeling that the OP might have been looking at different numbers displayed by htop and misinterpreting them. Since the OP has not actually shown us any evidence, it is difficult to say. (And even more difficult to justify any firm conclusions!)
Old 10-11-2020, 04:28 PM   #17
wpeckham
LQ Guru
Quote:
Originally Posted by Ketmen View Post
1. When I tried to log in with PuTTY a new popup screen appeared about a new ssh key, which means somehow my old key was deleted. When I went to /var/log/auth.log I noticed that the logging started a few hours ago. After isolating the PID which is causing high CPU, with ps -efw PID to find when the PID started, I noticed that the time matches when the auth logging started. Found my root pass in plain text, no encryption, in /var/tmp/pam.log, which is telling me that the intruder seems to be recording my pass as I am typing it, most probably keystroke recording.
That is not the only possible explanation for that message. Did you look for the key file and verify that it was gone?
Quote:
2. Noticed that my server is slow; when I open htop I notice that 4 cores are loaded each 100%, but there were no PIDs showing such load. htop was showing just about 30% load. No way that you can find those PIDs using regular Linux commands, check the Trend Micro article, the link I posted above. I used perf record and in the report noticed directories and apps that actually do not exist on my server and so on...
Exactly what metric convinced you that your cores were 100% loaded? Even were they, one would rarely expect a single process to be the ONLY process implicated. What processes appeared to be using significant CPU cycles? Did you check the percentage of time in wait? Is this server running on hardware, or on a hypervisor?
Quote:
Well, I broke my promise because you are asking direct questions about the issue for learning purposes. And yes I am a novice with Ubuntu, but I work on other similar things so it is easy for me to learn, I just need Ubuntu syntax, but I am short on tips and tricks.
I hope my answers helped you. From someone's post you see his level of knowledge/experience. Have no time to talk about me, just about issues. From the reactions on my post I have concluded that my issue is for top Linux guys.
Take care
It is difficult to determine what level of expertise might suffice, since you have buried all evidence under an avalanche of unsupported conclusions. To verify any conclusions, yours AND ours, we need to see the DATA!

Last edited by wpeckham; 10-11-2020 at 04:38 PM.
Old 10-12-2020, 02:33 AM   #18
pan64
LQ Addict
Yes, it would be nice to give more information about this situation. You may try to post (for example) a screenshot of htop.
The password issue was not discussed. I do not really understand how your password can be put into pam.log in a readable format, but I'm definitely sure that if I installed a keylogger onto your host it would not write pam.log, but something else (even better to send the info immediately without storing it).
pam probably stores some info in a log (it would also be nice to see that content - you can replace your PW); perhaps you typed your password instead of your username or something similar happened (which has happened to me too already).
Old 10-12-2020, 12:19 PM   #19
Ketmen
LQ Newbie
Original Poster
Quote:
Originally Posted by pan64 View Post
Yes, it would be nice to give more information about this situation. You may try to post (for example) a screenshot of htop.
The password issue was not discussed. I do not really understand how your password can be put into pam.log in a readable format, but I'm definitely sure that if I installed a keylogger onto your host it would not write pam.log, but something else (even better to send the info immediately without storing it).
pam probably stores some info in a log (it would also be nice to see that content - you can replace your PW); perhaps you typed your password instead of your username or something similar happened (which has happened to me too already).
Here is the content from pam.log:

*** Mon Oct 12 15:10:03 2020
mypasswordinplaintext^@*** Mon Oct 12 15:10:32 2020
mypasswordinplaintext^@*** Mon Oct 12 15:10:39 2020
mypasswordinplaintext^@*** Mon Oct 12 15:26:29 2020
mypasswordinplaintext^@*** Mon Oct 12 16:49:09 2020
mypasswordinplaintext^@

It adds a record each time I log in. Of course I delete it each time before I log out.
Old 10-13-2020, 01:28 AM   #20
ondoho
LQ Addict
^ unfortunately I do not have a pam.log on my system anywhere.
Which brings us to another problem: you haven't told us anything about your OS & setup yet.
FWIW, I think something like this could happen when someone accidentally enters their password into a username field.

Changed your password yet?

Quote:
an avalanche of unsupported conclusions
When people start giving details about a situation like this (and +1 to Ketmen for doing this at all), they often contain a quick staccato of "obvious" conclusions which aren't all that obvious (to me).

Examples:
Quote:
When I tried to log in with PuTTY a new popup screen appeared about a new ssh key, which means somehow my old key was deleted.
Why does this mean that the old key was deleted?
That seems like an invalid conclusion to me.
Quote:
Found my root pass in plain text, no encryption, in /var/tmp/pam.log which is telling me that intruder seems to be recording my pass as I am typing it, most probably keystroke recording.
Again, this is an invalid conclusion, unless you say why it "is telling" you this.

Other points to point out:
Quote:
when open htop noticed that 4 cores are loaded each 100%, but there were no PIDs showing such load.
I am also seeing this sometimes.
That doesn't mean something nefarious is going on.

Last edited by ondoho; 10-13-2020 at 01:36 AM.
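The raw data that wpeckham (#17) and ondoho (#20) ask for, as an added shell helper that is not part of the thread: it splits CPU time from /proc/stat into user/system/iowait/steal (the breakdown htop's bars hide, and the answer to the hypervisor question), lists which processes actually own CPU time, prints the server's host key fingerprints and mtimes to compare against the PuTTY prompt, and puts the suspect PID's start time beside the first auth.log line and the rotated copies. It assumes Debian/Ubuntu log paths and GNU ps/stat.

```shell
# Added triage helper (not from the thread). Collects the raw data the replies
# ask for instead of conclusions. Assumes Debian/Ubuntu paths
# (/var/log/auth.log, /etc/ssh/ssh_host_*_key.pub) and GNU ps/stat.

# cpu_delta LINE1 LINE2: two "cpu ..." lines from /proc/stat taken some seconds
# apart; prints the share of the interval spent in each state. /proc/stat fields
# are user nice system idle iowait irq softirq steal (guest is already in user).
# High steal = a hypervisor starving the VM; high iowait = disk, not a process.
# Both show as "load" in htop without any PID owning the CPU time.
cpu_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= 9; i++) a[i] = $i }
        NR == 2 {
            total = 0
            for (i = 2; i <= 9; i++) { d[i] = $i - a[i]; total += d[i] }
            if (total <= 0) { print "no interval"; exit 1 }
            printf "user=%.1f system=%.1f idle=%.1f iowait=%.1f steal=%.1f\n",
                100 * d[2] / total, 100 * d[4] / total, 100 * d[5] / total,
                100 * d[6] / total, 100 * d[9] / total
        }'
}

# cpu_snapshot [SECONDS]: sample /proc/stat twice and show the breakdown,
# then the processes actually using CPU (sorted, with elapsed time).
cpu_snapshot() {
    first=$(head -n 1 /proc/stat); sleep "${1:-5}"
    cpu_delta "$first" "$(head -n 1 /proc/stat)"
    ps -eo pid,pcpu,etime,comm --sort=-pcpu | head -n 6
}

# hostkey_check: the PuTTY "new host key" prompt only says the key the client
# cached differs from the one the server presented. Compare these fingerprints
# with the prompt; an untouched mtime means the server key was never replaced.
hostkey_check() {
    for k in /etc/ssh/ssh_host_*_key.pub; do
        [ -f "$k" ] || continue
        ssh-keygen -lf "$k"
        stat -c 'modified %y  %n' "$k"
    done
}

# pid_vs_authlog PID: the process start time next to the first auth.log line
# and the rotated logs, so "logging started a few hours ago" can be checked
# against logrotate rather than read as evidence of tampering.
pid_vs_authlog() {
    ps -o pid=,lstart=,comm= -p "$1"
    head -n 1 /var/log/auth.log
    ls -l /var/log/auth.log* 2>/dev/null
}
```

Source the file and run cpu_snapshot, hostkey_check and pid_vs_authlog <PID> as root, then post the output rather than the conclusion drawn from it.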
Old 10-13-2020, 01:34 AM   #21
ondoho
LQ Addict
Quote:
Originally Posted by Ketmen View Post
Even on Google you can find information about things I am talking about. For your info : https://www.trendmicro.com/vinfo/us/...it-for-stealth.
Sorry but NOTHING you told us so far bears ANY resemblance to what is described in that article - except high CPU usage.
But it's a good article and it tells you exactly what to look for and what to analyse. Why don't you start with that.

PS: Antivirus for Linux exists. Use it if you're paranoid.

PPS: 99% of all attacks happen through a misconfigured web browser, through javascript. Use Firefox with a well-known javascript blocking addon, and allow javascript only from trusted sources. Maybe delete your current FF profile just to be safe. Avoid fishy addons.
Old 10-15-2020, 01:04 PM   #22
Hermani
Member
Quote:
Originally Posted by Ketmen View Post
Have no time to talk about me just about issues.
A computer is a complicated tool and at a forum like this, only specific questions regarding the operating system that computer is running can be solved. You are not likely to find any more "top Linux experts" that will help you anywhere else on this planet unless you hire them.

The issue is that you can't provide the information others need to go on. You are jumping to conclusions that make no sense and seem to be convinced that people are doing things to your computer. This may or may not be true. Please note that the possibility of someone specifically hacking your computer is quite small and significantly smaller than you jumping to the wrong conclusions, as you have already proven to do.

However this all does not matter at all. You will probably not be helped by this discussion trying to find a problem that may or may not exist.

If you are convinced that your Linux system is compromised and you are not able to find the problem, I would recommend that you back up your data (if you haven't already), wipe the system and install a new Linux instance.

And if you want to keep your paranoid self satisfied as well, please read up on Linux system hardening, use a hardware firewall solution like an old computer running pfSense and use a private DNS server like PiHole.

Last edited by Hermani; 10-15-2020 at 01:12 PM.