Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-20-2014, 07:12 PM   #1
Lee_M
LQ Newbie
 
Registered: Aug 2014
Posts: 4

Rep: Reputation: Disabled
Dozens of hlds processes and unwanted ~/csservers_redirecte_linux_hlds_dp directory.


I have some mischief happening on my Ubuntu 12 dot whatever system and I am asking, how do I find out where and how it started?

Essentially, something on my computer is downloading and running a game server script. Dozens of instances of this "hlds" program bring my computer to its knees. I suspect web browser malware or a hidden cron job. How do I find and stop the darn thing?

My Ubuntu box has got its first obvious system intrusion. There are two places the problem is coming from. Malware in my Firefox browser is quite likely. I had the intrusion today after starting Firefox and leaving several pages open. I went to YouTube, then KDFC music radio, and then I opened a motorcycle ad on Craigslist. Then I left Firefox running unattended for two hours.

When I return, one of my three always on terminal sessions has popped up, and a multicolored shell script has been started. I manage to get top running and I see the whole computer is jammed with "hlds" processes. Killing them doesn't work. I go to my third terminal (the system takes 30 seconds to process a keystroke), change to the directory cssservers... named above and I see "start" and "stop" commands. I type ./stop and thank heavens all the hlds processes go away.

Snooping around in the history file I find the following commands that seem to have been executed on a Saturday a couple of weeks ago.

Code:
309  ./start
310  ./start
311  cd csserver_redirecte_linux_hlds_dp
312  wget www.csservers.ro/csservers_redirecte_linux_hlds_dp.tar.gz
313  tar -pxzf csservers_redirecte_linux_hlds_dp.tar.gz
314  cd csservers_redirecte_linux_hlds_dp
315  ./stop
316  ./start
Snooping around even further, I find two copies of the above named tar.gz file downloaded two weeks apart. Downloaded file timestamps are both Saturdays and both about 12 noon.

I have run the following findscript, but I have not found any evidence of
a text file type shell script:

Code:
find . -type f -exec grep csservers '{}' /dev/null \;
 
Old 08-21-2014, 02:47 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Somebody is abusing your machine. Stop any services that allow access to your machine by raising your firewall to only allow traffic from your management IP (range) and please hold until we can investigate properly (unf. I'm strapped for time right now).
 
1 members found this post helpful.
Old 08-25-2014, 04:43 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
So did you? Do you still require help?
 
Old 08-25-2014, 06:20 PM   #4
Lee_M
LQ Newbie
 
Registered: Aug 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
The first thing I did was edit my aliases file to prevent the mystery program from starting the hlds processes.
Quote:
alias start='stop; echo "Start command has occurred."'
The next thing I did was watch the computer very carefully last Saturday (because that is the day the intrusion event happened). One at a time I ran the music player (Internet radio KDFC). After an hour or two of that, I opened the Craigslist motorcycle jpg file that was a second possible source of the intrusion.

The result of those trials was I did not see the intrusion happen.

On your suggestion that I turn off Linux service programs, I looked up "Linux how to turn off services" and I found several very good articles. I did not quite know what to do and the services seem pretty reasonable.

And then, I ran out of time too. The whole event seems like it ought to be something that happened 5 years ago and a good enough search ought to turn up a whole analysis of what happened to me. As intrusions and infections go this one is pretty harmless. I am lucky that the "hlds" program has a design error that is easy to spot and easy to fix.

So... the story is still open and thanks for the response. Lee
 
Old 08-26-2014, 02:37 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Five years is a long time for an intrusion to go undetected and more than ample time for any perp to try and get root or abuse the machine for other activities. So who owned these processes? How did they manage to introduce the tar ball? (What services could have offered access?) Did you check login records? System and daemon logs?
 
Old 08-29-2014, 02:22 AM   #6
Lee_M
LQ Newbie
 
Registered: Aug 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
Gnome Desktop Sharing on Ubuntu "Allow other users to view your Desktop" enabled

The mystery intruder getting on my Ubuntu 12.04 Linux box is a stranger who discovered my Gnome Desktop Sharing had "Allow other users to view your Desktop" and also "Allow other users to control your desktop" enabled.

I was using my computer the other night and I noticed a new icon had popped up on the top bar. It was the Gnome Desktop Sharing application. I stepped through the various terminal windows and I saw the following commands being executed in one of the terminal windows:

Code:
480  ./Sstart
481  c
482  cd csservers_redirecte_linux_hldsp
To stop the intruder I clicked "Disconnect ethernet".

I had allowed "Allow other users... " a few months ago when I was trying to run an application on an Ubuntu computer in the garage from another Ubuntu computer in the house. I forgot to turn off the settings.

The next question is, how did the outside stranger find me? My home computers are on a local network. For the last few months a Netgear C3000 router+cable modem has been my home router. Before the C3000 I had used a Linksys WRT54 and the cable service's ethernet converter box.

I found out that when Gnome Desktop Sharing is set to "Allow other users to access your desktop", the application opens port 5606 and other ports.

The question again is how did the outside computer user find my computer and then how did the outside user find I had port 5606 open?

Code:
# Command to show all listening ports on the Linux computer you are on.
netstat -lp   # Pretty verbose.

# Command to scan another computer on the local network for ports in a specific range.
# IP address of the computer is 192.168 etc.
# Port range is the last dashed numbers.
# nc is short for netcat.
nc -nv 192.168.0.19 5200-5900
I had success scanning for an open port security vulnerability between two Linux computers on a local network, where you know the IP number of the other computer and you also know whether gnome-desktop-sharing is on or off (by setting the value yourself).

The next step for me is to figure out how to set up a port scan detector. Am I getting scanned because my main Linux box is connected by a physical ethernet cable to the home router? Is the outsider getting past the router by systematically generating likely addresses and hammering away?
 
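The `nc -nv host 5200-5900` check above is a TCP connect scan: for each port, try a full handshake and note which ones answer. Anyone on the Internet who can reach the router's public address can do the same, which is how an open desktop-sharing port gets found without anyone "knowing" you. The following is an added example written for this thread, not code from the original poster; it implements that connect scan in Python and, so that it runs offline, starts its own throwaway listener on 127.0.0.1 to stand in for the sharing service. The host, timeout and port range are assumptions for the demo; only scan machines you own.

```python
"""TCP connect scan, the same check `nc -nv host lo-hi` performs.

Added example for this thread (not from the original posts). Listener is a
stand-in for a service such as desktop sharing; port=0 lets the OS pick a
free port so the demo works anywhere. Host/timeout values are assumptions.
"""
import socket
import threading

class Listener:
    """Accept-and-drop TCP listener on 127.0.0.1 (stand-in for the
    service a real scan would find)."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.1)   # lets the accept loop notice _stop
        self.port = self.sock.getsockname()[1]
        self._stop = False
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()

    def _loop(self):
        while not self._stop:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:         # socket closed underneath us
                return
            conn.close()

    def close(self):
        """Stop the thread first so the fd is really released; otherwise
        the kernel keeps the port listening while accept() is in flight."""
        self._stop = True
        self._thread.join()
        self.sock.close()

def port_open(host, port, timeout=0.2):
    """True if a TCP handshake completes. connect_ex returns 0 on success
    and an errno (e.g. ECONNREFUSED) otherwise, so nothing is raised."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def scan(host, ports, timeout=0.2):
    """Return the sorted list of ports in `ports` that accept a connection."""
    return sorted(p for p in ports if port_open(host, p, timeout))

if __name__ == "__main__":
    lst = Listener()
    lo, hi = lst.port - 5, lst.port + 5      # a small window around it
    print(f"listener on 127.0.0.1:{lst.port}")
    print("open:", scan("127.0.0.1", range(lo, hi + 1)))
    lst.close()
    print("after close, still open?", port_open("127.0.0.1", lst.port))
```

On a LAN the only thing the scanner needs is an address range to walk, and on the Internet it needs nothing at all: scanners sweep whole address blocks for well-known ports. That is why the later advice in this thread to drop unsolicited inbound traffic at the router and host matters more than detecting the scan.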
Old 08-31-2014, 06:15 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Sorry for the late reply.

Quote:
Originally Posted by Lee_M View Post
The mystery intruder getting on my Ubuntu 12.04 Linux box is a stranger who discovered my Gnome Desktop Sharing had "Allow other users to view your Desktop" and also "Allow other users to control your desktop" enabled.
Good you found the entry point, bad it was left enabled.


Quote:
Originally Posted by Lee_M View Post
The question again is how did the outside computer user find my computer and then how did the outside user find I had port 5606 open?
Good question but for that you should know / show your router configuration at the time of the incident with respect to NAT, mDNS (Avahi?) and UPnP settings.


Quote:
Originally Posted by Lee_M View Post
The next step for me is to
The next two steps for you are to 0) mitigate the situation by reconfiguring your router and system to only allow established traffic to your system and 1) to verify the integrity of your system. View your system from the point of view of the perp as s/he may have had access to everything you can access with your user Id. Investigate and draw conclusions. Let me know if you need help with that. Note: right now having a port scan detector is a "nice to have", it's not your first priority, really at the bottom of the list.
 
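The questions in posts #5 and #7 (who owned the processes, how the tar ball got in, and what else changed while the perp had your user id) come down to looking at the home directory from the intruder's side: what was written around the time of the two known downloads, and whether anything was left in the places that run again at next login. The following is an added example written for this thread, not code from the original posts. It scans a directory for files whose modification time falls within a window of the download timestamps and checks the usual per-user persistence points for a reference to the dropped directory. The directory it scans here is a temporary one it builds itself as a constructed sample; the window size, the file list and the needle string are assumptions.

```python
"""Home-directory triage around known intrusion timestamps.

Added example for this thread (not from the original posts). Point
files_changed_near() at a real home directory with the tar.gz mtimes as
anchors; build_sample_home() only exists so the demo runs offline on a
constructed tree. PERSISTENCE and the 2-hour window are assumptions.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta

# Per-user places a perp with your uid could re-launch something from.
PERSISTENCE = [
    ".bashrc", ".bash_aliases", ".profile", ".bash_profile", ".bash_logout",
    ".xsessionrc", ".config/autostart", ".ssh/authorized_keys",
]

def files_changed_near(root, anchors, window=timedelta(hours=2)):
    """Return {anchor: [relative paths]} for files whose mtime is within
    +/- window of an anchor datetime (e.g. the tar.gz download time).
    Dot-directories are walked too, which is where hooks usually go."""
    hits = {a: [] for a in anchors}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue
            for a in anchors:
                if abs(mtime - a) <= window:
                    hits[a].append(os.path.relpath(path, root))
    for a in hits:
        hits[a].sort()
    return hits

def persistence_hits(root, needle="csservers"):
    """Return persistence files under root that mention the needle."""
    found = []
    for rel in PERSISTENCE:
        p = os.path.join(root, rel)
        if os.path.isdir(p):
            paths = [os.path.join(p, n) for n in os.listdir(p)]
        elif os.path.isfile(p):
            paths = [p]
        else:
            continue
        for fp in paths:
            try:
                with open(fp, "rb") as fh:
                    if needle.encode() in fh.read():
                        found.append(os.path.relpath(fp, root))
            except OSError:
                pass
    return sorted(found)

def build_sample_home():
    """Constructed sample: a fake home with a download on a Saturday noon,
    an autostart entry planted ten minutes later, an unrelated alias edit
    ten days on, and an old photo well outside the window."""
    root = tempfile.mkdtemp(prefix="triage_")
    download = datetime(2014, 8, 2, 12, 3)

    def put(rel, data, when):
        fp = os.path.join(root, rel)
        os.makedirs(os.path.dirname(fp), exist_ok=True)
        with open(fp, "wb") as fh:
            fh.write(data)
        ts = time.mktime(when.timetuple())
        os.utime(fp, (ts, ts))

    put("csservers_redirecte_linux_hlds_dp.tar.gz", b"\x1f\x8b", download)
    put(".config/autostart/hlds.desktop",
        b"[Desktop Entry]\nExec=/home/lee/csservers_redirecte_linux_hlds_dp/start\n",
        download + timedelta(minutes=10))
    put(".bashrc", b"alias start='stop; echo started'\n",
        download + timedelta(days=10))
    put("photos/bike.jpg", b"\xff\xd8", download - timedelta(days=30))
    return root, download

if __name__ == "__main__":
    root, dl = build_sample_home()
    for anchor, paths in files_changed_near(root, [dl]).items():
        print(f"changed within 2h of {anchor}: {paths}")
    print("persistence hits:", persistence_hits(root))
```

Two caveats when running this against a real home directory: an extracted tar ball keeps the archive's own mtimes (the `-p` in `tar -pxzf` preserves permissions, and mtimes are restored by default), so look at ctime as well as mtime for the dropped tree; and a clean result here says nothing about root-level persistence (cron, init scripts), which needs the system logs and login records unSpawn asked about.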