LinuxQuestions.org - Linux - Security
Dozens of hlds processes and unwanted ~/csservers_redirecte_linux_hlds_dp directory. (https://www.linuxquestions.org/questions/linux-security-4/dozens-of-hlds-processes-and-unwanted-%7E-csservers_redirecte_linux_hlds_dp-directory-4175515624/)

Lee_M 08-20-2014 06:12 PM

Dozens of hlds processes and unwanted ~/csservers_redirecte_linux_hlds_dp directory.
 
I have some mischief happening on my Ubuntu 12 dot whatever system and I am asking, how do I find out where and how it started?

Essentially, something on my computer is downloading and running a game server script. Dozens of instances of this "hlds" program bring my computer to its knees. I suspect web browser malware or a hidden cron job. How do I find and stop the darn thing?

My Ubuntu box has got its first obvious system intrusion. There are two places the problem is coming from. Malware in my Firefox browser is quite likely. I had the intrusion today after starting Firefox and leaving several pages open. I went to YouTube, then KDFC music radio, and then I opened a motorcycle ad on Craigslist. Then I left Firefox running unattended for two hours.

When I return, one of my three always on terminal sessions has popped up, and a multicolored shell script has been started. I manage to get top running and I see the whole computer is jammed with "hlds" processes. Killing them doesn't work. I go to my third terminal (the system takes 30 seconds to process a keystroke), change to the directory cssservers... named above and I see "start" and "stop" commands. I type ./stop and thank heavens all the hlds processes go away.

Snooping around in the history file I find the following commands that seem to have been executed on a Saturday a couple of weeks ago.

Code:

  309  ./start
  310  ./start
  311  cd csserver_redirecte_linux_hlds_dp
  312  wget www.csservers.ro/csservers_redirecte_linux_hlds_dp.tar.gz
  313  tar -pxzf csservers_redirecte_linux_hlds_dp.tar.gz
  314  cd csservers_redirecte_linux_hlds_dp
  315  ./stop
  316  ./start

Snooping around even further, I find two copies of the above named tar.gz file downloaded two weeks apart. Downloaded file timestamps are both Saturdays and both about 12 noon.

I have run the following find script, but I have not found any evidence of
a text-file-type shell script:

Code:

find .  -type f  -exec grep csservers '{}' /dev/null \;

unSpawn 08-21-2014 01:47 AM

Somebody is abusing your machine. Stop any services that allow access to your machine by raising your firewall to only allow traffic from your management IP (range) and please hold until we can investigate properly (unf. I'm strapped for time right now).

unSpawn 08-25-2014 03:43 PM

So did you? Do you still require help?

Lee_M 08-25-2014 05:20 PM

The first thing I did was edit my aliases file to prevent the mystery program from starting the hlds processes.
Quote:

alias start='stop; echo "Start command has occurred."'

The next thing I did was watch the computer very carefully last Saturday (because that is the day the intrusion event happened). One at a time I ran the music player (Internet radio KDFC). After an hour or two of that, I opened the Craigslist motorcycle jpg file that was a second possible source of the intrusion.

The result of those trials was I did not see the intrusion happen.

On your suggestion that I turn off Linux service programs, I looked up "Linux how to turn off services" and I found several very good articles. I did not quite know what to do and the services seem pretty reasonable.

And then, I ran out of time too. The whole event seems like it ought to be something that happened 5 years ago and a good enough search ought to turn up a whole analysis of what happened to me. As intrusions and infections go this one is pretty harmless. I am lucky that the "hlds" program has a design error that is easy to spot and easy to fix.

So... the story is still open and thanks for the response. Lee

unSpawn 08-26-2014 01:37 AM

Five years is a long time for an intrusion to go undetected and more than ample time for any perp to try and get root or abuse the machine for other activities. So who owned these processes? How did they manage to introduce the tar ball? (What services could have offered access?) Did you check login records? System and daemon logs?

Lee_M 08-29-2014 01:22 AM

Gnome Desktop Sharing on Ubuntu "Allow other users to view your Desktop" enabled
 
The mystery intruder getting on my Ubuntu 12.04 Linux box is a stranger who discovered my Gnome Desktop Sharing had "Allow other users to view your Desktop" and also "Allow other users to control your desktop" enabled.

I was using my computer the other night and I noticed a new icon had popped up on the top bar. It was the Gnome Desktop Sharing application. I stepped through the various terminal windows and I saw the following commands being executed in one of the terminal windows:

Code:

  480  ./Sstart
  481  c
  482  cd csservers_redirecte_linux_hldsp

To stop the intruder I clicked "Disconnect ethernet".

I had allowed "Allow other users... " a few months ago when I was trying to run an application on an Ubuntu computer in the garage from another Ubuntu computer in the house. I forgot to turn off the settings.

The next question is, how did the outside stranger find me? My home computers are on a local network. For the last few months a Netgear C3000 router+cable modem has been my home router. Before the C3000 I had used a Linksys WRT54 and the cable service's ethernet converter box.

I found out that when Gnome Desktop Sharing is set to "Allow other users to access your desktop", the application opens port 5606 and other ports.

The question again is how did the outside computer user find my computer and then how did the outside user find I had port 5606 open?

Code:

# Command to show all listening ports on the Linux computer you are on.
netstat -lp  # Pretty verbose.

# Command to scan another computer on the local network for ports in a specific range.
# IP address of the computer is 192.168 etc.
# Port range is the last dashed numbers.
# nc is short for netcat.
nc -nv 192.168.0.19 5200-5900

I had success scanning for an open port security vulnerability between two Linux computers on a local network, where you know the IP number of the other computer and you also know whether gnome-desktop-sharing is on or off (by setting the value yourself).

The next step for me is to figure out how to set up a port scan detector. Am I getting scanned because my main Linux box is connected by a physical ethernet cable to the home router? Is the outsider getting past the router by systematically generating likely addresses and hammering away?
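A defender's version of the netstat check above, as an added example that is not from the thread: it reduces `netstat -lpn` output to the listeners that are reachable from the network, which is what would have exposed the desktop-sharing port. The sample output below is constructed by hand (the vino-server line uses the port number the poster reported; the other lines are invented), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): reduce "netstat -lpn" output to the
# listeners bound to something other than loopback, i.e. reachable from the LAN
# or, through a NAT/UPnP hole, from the Internet.
# On a live box: netstat -lpn | exposed_listeners

# exposed_listeners: read netstat -lpn output on stdin and print
# "proto port program" for every non-loopback listener.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }   # skip header and unix sockets
        {
            addr = $4                              # Local Address, e.g. 0.0.0.0:5606
            n = split(addr, parts, ":")
            port = parts[n]                        # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            prog = $NF                             # PID/Program name column
            sub(/^[0-9]+\//, "", prog)             # drop the "PID/" prefix
            print $1, port, prog
        }'
}

# Constructed sample in netstat -lpn layout. The vino-server port is the one the
# poster reported; cupsd, sshd and avahi lines are invented for illustration.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1201/cupsd
tcp        0      0 0.0.0.0:5606            0.0.0.0:*               LISTEN      2210/vino-server
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           900/avahi-daemon'

# audit_sample: run the filter over the constructed sample; cupsd (loopback only)
# is not reported, the other three are.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

audit_sample
```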

unSpawn 08-31-2014 05:15 AM

Sorry for the late reply.

Quote:

Originally Posted by Lee_M (Post 5229105)
The mystery intruder getting on my Ubuntu 12.04 Linux box is a stranger who discovered my Gnome Desktop Sharing had "Allow other users to view your Desktop" and also "Allow other users to control your desktop" enabled.

Good you found the entry point, bad it was left enabled.


Quote:

Originally Posted by Lee_M (Post 5229105)
The question again is how did the outside computer user find my computer and then how did the outside user find I had port 5606 open?

Good question but for that you should know / show your router configuration at the time of the incident with respect to NAT, mDNS (Avahi?) and UPnP settings.


Quote:

Originally Posted by Lee_M (Post 5229105)
The next step for me is to

The next two steps for you are to 0) mitigate the situation by reconfiguring your router and system to only allow established traffic to your system and 1) to verify the integrity of your system. View your system from the point of view of the perp as s/he may have had access to everything you can access with your user Id. Investigate and draw conclusions. Let me know if you need help with that. Note: right now having a port scan detector is a "nice to have", it's not your first priority, really at the bottom of the list.
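The host-side half of step 0 above ("only allow established traffic"), as an added example that is not from the thread: an iptables-restore ruleset generator that drops all inbound traffic except loopback, replies to the box's own connections, and SSH from an assumed management range (the `192.168.0.0/24` used when calling it is a placeholder). Desktop sharing is not opened at all, and dropped packets are logged, which doubles as a crude port-scan record.

```shell
#!/bin/sh
# Added example (not from the thread): generate and load a default-deny INPUT
# policy. MGMT_NET is an assumed management range; adjust before applying.

# host_rules MGMT_NET : print an iptables-restore formatted filter table.
host_rules() {
    mgmt_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $mgmt_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# apply_rules MGMT_NET : load the ruleset (needs root). Verify with: iptables -S
# Log lines with the "fw-drop:" prefix land in the kernel log (dmesg / syslog).
apply_rules() {
    host_rules "$1" | iptables-restore
}
```

Only `host_rules` runs without privileges; `apply_rules` is the one-liner to use as root once the management range is correct.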

