LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-06-2019, 10:53 PM   #1
garylwe
LQ Newbie
 
Registered: Nov 2019
Posts: 4

Rep: Reputation: Disabled
Can someone assist me with my rkhunter.log - i was hacked


These hackers sent me an email from my own email address saying they put a trojan on my pc and wanted ransom. This is a newly installed linuxmint 19.2 xfce and I'm showing possible 7 rootkits. Id really appreciate if you could help me determine if they are real concerns or false positives. Thx in advance...


I just tried sending the text of the rkhunter.log file and it says it's too big to send and to cut out 3000 characters. Is there a way to attach the log file instead of pasting the text?
 
Old 11-07-2019, 01:50 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053
Quote:
Originally Posted by garylwe View Post
These hackers sent me an email from my own email address saying they put a trojan on my pc and wanted ransom.
That sounds like a real concern to me.
Were these sent through your linuxmint install?
Because it sounds like it has nothing to do with your operating system. Your email got hacked, probably not your OS.
Quote:
This is a newly installed linuxmint 19.2 xfce and I'm showing possible 7 rootkits. Id really appreciate if you could help me determine if they are real concerns or false positives. Thx in advance...
Reinstall, use reliable sources for the .iso.
edit: oops, I'm hearing rkhunter often shows loads of possible false positives.

Quote:
I just tried sending the text of the rkhunter.log file and it says it's too big to send and to cut out 3000 characters. Is there a way to attach the log file instead of pasting the text?
Use a pastebin.

Last edited by ondoho; 11-07-2019 at 01:52 AM.
 
Old 11-07-2019, 02:35 AM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Rep: Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021
Quote:
Originally Posted by garylwe View Post
These hackers sent me an email from my own email address saying they put a trojan on my pc and wanted ransom. This is a newly installed linuxmint 19.2 xfce and I'm showing possible 7 rootkits. Id really appreciate if you could help me determine if they are real concerns or false positives. Thx in advance...


I just tried sending the text of the rkhunter.log file and it says it's too big to send and to cut out 3000 characters. Is there a way to attach the log file instead of pasting the text?
Maybe it's nothing. These emails are very common, asking for ransom in bitcoins.

AFAIK rkhunter gives many warnings re. hidden files, that are usually used by your system, but in anyway you should check using your favorite search engine to verify if they are false positives or not.
If you want, you can upload rkhuner logs to pastebin, so we could take a look just in case...


Regards
 
Old 11-07-2019, 05:01 AM   #4
garylwe
LQ Newbie
 
Registered: Nov 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
pastebin of rkhunter.log file to review

https://pastebin.com/qu8KMcC6

gary@gary-HP-LT:~$ sudo rkhunter --versioncheck
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
This version : 1.4.6
Latest version: 1.4.6
gary@gary-HP-LT:~$ sudo rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ Skipped ]
Checking file i18n/de [ Skipped ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Skipped ]
Checking file i18n/tr.utf8 [ Skipped ]
Checking file i18n/zh [ Skipped ]
Checking file i18n/zh.utf8 [ Skipped ]
Checking file i18n/ja [ Skipped ]
gary@gary-HP-LT:~$ sudo rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 180 files, found 145

Last edited by garylwe; 11-07-2019 at 05:06 AM. Reason: add version info
 
Old 11-07-2019, 05:22 AM   #5
garylwe
LQ Newbie
 
Registered: Nov 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
add netstat -ap tcp output

https://pastebin.com/svyAZpJ5
 
Old 11-07-2019, 06:30 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,159
Blog Entries: 1

Rep: Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021
Quote:
Originally Posted by garylwe View Post
https://pastebin.com/qu8KMcC6

gary@gary-HP-LT:~$ sudo rkhunter --versioncheck
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter version...
This version : 1.4.6
Latest version: 1.4.6
gary@gary-HP-LT:~$ sudo rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ Skipped ]
Checking file i18n/de [ Skipped ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Skipped ]
Checking file i18n/tr.utf8 [ Skipped ]
Checking file i18n/zh [ Skipped ]
Checking file i18n/zh.utf8 [ Skipped ]
Checking file i18n/ja [ Skipped ]
gary@gary-HP-LT:~$ sudo rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 180 files, found 145
I don't see anything suspicious in rkhunter logs, but you may do your own research...


Quote:
Originally Posted by garylwe View Post
Same here...
 
Old 11-07-2019, 06:44 AM   #7
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,461

Rep: Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552
If the e-mail contains anything about them having videos of you visiting adult sites etc. then it's spam, spam, spam!
 
Old 11-07-2019, 06:48 AM   #8
dc.901
Senior Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
Quote:
Originally Posted by garylwe View Post
These hackers sent me an email from my own email address saying they put a trojan on my pc and wanted ransom.
Apart from a legit concern here, spoofing an email address is not difficult.
Check and compare email headers... Like send an email to yourself, then check email headers of that email, and compare email headers with the email from hackers.
Check login activity from your email server for your account...
When was your last password reset?
How strong is your password? There are many sites like this that you could use to determine password strength: https://howsecureismypassword.net/
 
1 members found this post helpful.
Old 11-07-2019, 06:50 AM   #9
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,461

Rep: Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552
You can also check your e-mail address against https://haveibeenpwned.com/ to see if it's "out there"
 
2 members found this post helpful.
Old 11-07-2019, 10:56 AM   #10
garylwe
LQ Newbie
 
Registered: Nov 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks

Thanks everyone for your input and your assistance....
 
Old 11-07-2019, 01:54 PM   #11
ChuangTzu
Senior Member
 
Registered: May 2015
Location: Where ever needed
Distribution: Slackware/Salix while testing others
Posts: 1,718

Rep: Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857Reputation: 1857
https://lifehacker.com/how-spammers-...ote-1579478914
https://en.m.wikipedia.org/wiki/Email_spoofing
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Pls someone with vast knowledge of Linux mail server (Sendmail) should assist me on . aobadun Linux - Server 5 03-07-2014 02:38 AM
rkhunter scan: 1 Rootkit & 6 Possible Suspect Files /var/log/rkhunter.log included Mollusc Linux - Security 10 09-29-2011 08:43 AM
DOSBOX Problems. Could someone please assist me? TheUbuntuKnight Linux - Games 1 08-03-2009 06:35 AM
/var/log/rkhunter.log - rkhunter's (rootkit detection) logfile ahartman Linux - Security 1 07-04-2009 05:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:20 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration