Dozens of hlds processes and unwanted ~/csservers_redirecte_linux_hlds_dp directory.
I have some mischief happening on my Ubuntu 12 dot whatever system and I am asking, how do I find out where and how it started?
Essentially, something on my computer is downloading and running a game server script. Dozens of instances of this "hlds" program bring my computer to its knees. I suspect web browser malware or a hidden cron job. How do I find and stop the darn thing?

My Ubuntu box has got its first obvious system intrusion. There are two places the problem is coming from. Malware in my Firefox browser is quite likely. I had the intrusion today after starting Firefox and leaving several pages open. I went to youtube, then KDFC music radio, and then I opened a motorcycle ad on craigslist. Then I left Firefox running unattended for two hours. When I return, one of my three always-on terminal sessions has popped up, and a multicolored shell script has been started. I manage to get top running and I see the whole computer is jammed with "hlds" processes. Killing them doesn't work. I go to my third terminal (the system takes 30 seconds to process a keystroke), change to the directory cssservers... named above and I see "start" and "stop" commands. I type ./stop and thank heavens all the hlds processes go away.

Snooping around in the history file I find the following commands that seem to have been executed on a Saturday a couple of weeks ago.
Code:
309 ./start
I have run the following find script, but I have not found any evidence of a text file type shell script:
Code:
find . -type f -exec grep csservers '{}' /dev/null \;
Somebody is abusing your machine. Stop any services that allow access to your machine by raising your firewall to only allow traffic from your management IP (range) and please hold until we can investigate properly (unf. I'm strapped for time right now).
So did you? Do you still require help?
The first thing I did was edit my aliases file to prevent the mystery program from starting the hlds processes.
The result of those trials was I did not see the intrusion happen. On your suggestion that I turn off Linux service programs, I looked up "Linux how to turn off services" and I found several very good articles. I did not quite know what to do and the services seem pretty reasonable. And then, I ran out of time too. The whole event seems like it ought to be something that happened 5 years ago and a good enough search ought to turn up a whole analysis of what happened to me. As intrusions and infections go this one is pretty harmless. I am lucky that the "hlds" program has a design error that is easy to spot and easy to fix. So... the story is still open and thanks for the response. Lee
Five years is a long time for an intrusion to go undetected and more than ample time for any perp to try and get root or abuse the machine for other activities. So who owned these processes? How did they manage to introduce the tar ball? (What services could have offered access?) Did you check login records? System and daemon logs?
Gnome Desktop Sharing on Ubuntu "Allow other users to view your Desktop" enabled
The mystery intruder getting on my Ubuntu 12.04 Linux box is a stranger who discovered my Gnome Desktop Sharing had "Allow other users to view your Desktop" and also "Allow other users to control your desktop" enabled.
I was using my computer the other night and I noticed a new icon had popped up on the top bar. It was the Gnome Desktop Sharing application. I stepped through the various terminal windows and I saw the following commands being executed in one of the terminal windows:
Code:
480 ./Sstart
I had allowed "Allow other users... " a few months ago when I was trying to run an application on an Ubuntu computer in the garage from another Ubuntu computer in the house. I forgot to turn off the settings. The next question is, how did the outside stranger find me? My home computers are on a local network. For the last few months a Netgear C3000 router+cable modem has been my home router. Before the C3000 I had used a Linksys WRT54 and the cable service's ethernet converter box. I found out that when Gnome Desktop Sharing is set to "Allow other users to access your desktop", the application opens port 5606 and other ports. The question again is how did the outside computer user find my computer, and then how did the outside user find I had port 5606 open?
Code:
# Command to show all ports on the Linux computer you are on.
The next step for me is to figure out how to set up a port scan detector. Am I getting scanned because my main Linux box is connected by a physical ethernet cable to the home router? Is the outsider getting past the router by systematically generating likely addresses and hammering away?
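As an added example (not from this thread or any poster), here is a small POSIX sh helper set for two of the questions raised above: which listening sockets are reachable from beyond the machine itself (parsed from `ss -ltnp` output) and which user owns a flood of processes such as hlds (parsed from `ps -eo user,pid,ppid,comm` output). The sample inputs are constructed; the process names and the port 5606 in them are taken from the post and are not claims about real port assignments.

```shell
#!/bin/sh
# Added triage helpers (not from this thread): find TCP listeners bound to
# every interface (0.0.0.0, [::], *) rather than loopback, i.e. the ones a
# stranger on the LAN or the internet could reach, and count who owns a
# named process. Sample inputs below are constructed for the demonstration.

# Print "port process" for each TCP listener bound to all interfaces.
exposed_listeners() {   # $1 = file holding `ss -ltnp` output
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*" || addr == "::") {
            proc = ($NF ~ /^users:/) ? $NF : "-"
            print port, proc
        }
    }' "$1"
}

# Print "user count" for every user running a process whose name is $2.
owners_of_process() {   # $1 = file holding `ps -eo user,pid,ppid,comm` output
    awk -v name="$2" '$4 == name { count[$1]++ }
        END { for (u in count) print u, count[u] }' "$1"
}

# --- constructed sample inputs (port 5606 is the number the post reports) ---
SS_SAMPLE=$(mktemp); PS_SAMPLE=$(mktemp)
cat > "$SS_SAMPLE" <<'EOF'
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:5606        0.0.0.0:*         users:(("vino-server",pid=2105,fd=9))
LISTEN  0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=811,fd=7))
LISTEN  0      128    [::]:22             [::]:*            users:(("sshd",pid=690,fd=3))
EOF
cat > "$PS_SAMPLE" <<'EOF'
USER       PID  PPID COMMAND
root         1     0 init
lee       3120  3119 hlds
lee       3121  3119 hlds
lee       3122  3119 hlds
lee       2105     1 vino-server
EOF

exposed_listeners "$SS_SAMPLE"        # 5606 (vino-server) and 22 (sshd); 631 is loopback-only
owners_of_process "$PS_SAMPLE" hlds   # lee 3
```

On the real machine, replace the sample files with `ss -ltnp > listeners.txt` and `ps -eo user,pid,ppid,comm > procs.txt` run as root so the process column is populated.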
Sorry for the late reply.