LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-07-2010, 01:23 PM   #1
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Rep: Reputation: 15
It seems that my computer has been infected with trojans. How do I fix it? Thx.


I'm now running Ubuntu 9.04. There are 2 accounts on this computer: one is linux, the other is ubuntu.

Before New Year, everything had been fine. But after New Year, I came back and found that the password of the account linux had been changed. So I fixed it using my rescue disk. But since that day, it seems that this password changes every day somehow. Every day when I try to log into my Ubuntu system using the account linux, it says login failed. However, I can still log in using the account ubuntu.

I'm really confused. Why is this? I checked the date of expiry. Everything seems to be fine.

Do you have any good ideas? Thanks for your suggestions!

Last edited by whepin; 01-07-2010 at 02:48 PM. Reason: The new title is more suitable for my thread after it was moved to the security forum. Thx.
 
Old 01-07-2010, 01:26 PM   #2
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,403

Rep: Reputation: 141Reputation: 141
Do you have a firewall? Do you have ports open to the internet? Are you sure you haven't been rooted? It sounds like someone has gained control of your machine; either through the internet or perhaps after hours, if this is a work or school machine.
 
Old 01-07-2010, 01:39 PM   #3
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
Thanks for your reply. I haven't installed a firewall on my Ubuntu. It is only used in my lab for our robot project. I think maybe our university should have some kind of firewall to protect all internal computers. But I am not 100 percent sure.
 
Old 01-07-2010, 01:48 PM   #4
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,403

Rep: Reputation: 141Reputation: 141
Well, someone may have rooted your machine, so run rkhunter and chkrootkit to make sure. But I'm thinking that you have someone actually sitting down at the machine and doing this. Have you tried changing your root password to see if the problem stops? Of course, depending on which distro it is, they might be able to just reboot it and change the password that way. You might check to see when the last time it was rebooted to get some idea.

People will do all sorts of evil things when they think no-one can catch them. I once had someone (probably the night guard) using my portable radio. I finally locked it in a cabinet but made the mistake of leaving the key in my desk drawer. He simply opened the cabinet with the key and stole the radio. Management wasn't interested in dealing with the theft problem, so people gradually started being more secure at work.
 
Old 01-07-2010, 01:53 PM   #5
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
Great. I'll try to download these two programs and see what happens.
Thx.
 
Old 01-07-2010, 02:04 PM   #6
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
It's so terrible. I found a lot of warnings from these two programs. It seemed that at least top, ifconfig, netstat and other files had been infected with trojans.

So the problem is how to fix it? This is really important for us.

Thanks.
 
Old 01-07-2010, 02:11 PM   #7
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,403

Rep: Reputation: 141Reputation: 141
I'm not qualified to help you, really. But, you can get to the guys who are by clicking the Report button and asking that your thread be moved to the "Linux - Security" forum. Good luck!
 
Old 01-07-2010, 02:26 PM   #8
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
Anyway, thank you very much.
I'm now trying to install a firewall and block all inbound connections except from computers belonging to our LAN. I don't know if this will help a lot, but that is what I can do quickly.
 
Old 01-07-2010, 02:28 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 927Reputation: 927Reputation: 927Reputation: 927Reputation: 927Reputation: 927Reputation: 927Reputation: 927
Moved: This thread is more suitable in <Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-07-2010, 04:25 PM   #10
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Post your check logs, please.
Try to reinstall those binaries.
Change all passwords; clear .ssh/authorized_keys* files if you don't use key-based auth on servers (or if you do, check they don't contain other unknown keys).
Run lastlog and history to see last logins and last commands. Check .bash_history for your and root accounts. These simple steps may help you.
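The authorized_keys check suggested above can be made systematic: parse every key line, compute its OpenSSH-style SHA256 fingerprint, and report anything that is not on a list of fingerprints you recognise. This is an added example written for this thread, not code from any poster; the allowlist, the `candidate_paths` helper and the key blobs in the sample file are this example's own assumptions (the blobs are constructed placeholders, not real public keys, which is fine because the fingerprint is just a hash of the decoded bytes).

```python
"""Audit OpenSSH authorized_keys files for keys that are not on an allowlist.

Added example (not from the thread). Assumptions: the allowlist is a set of
OpenSSH-style SHA256 fingerprints you trust; the sample key blobs below are
constructed placeholders, not real public keys.
"""
from __future__ import annotations
import base64
import hashlib
import re
from pathlib import Path

# keytype + base64 blob + optional comment; anything before the keytype is options
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys content into one dict per key line (comments/blanks skipped)."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            # a line that is not a valid key entry still deserves a look
            keys.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        keys.append({
            "line": lineno,
            "options": line[:m.start()].strip(),   # e.g. command="...",no-pty
            "type": m.group(1),
            "fingerprint": fingerprint(m.group(2)),
            "comment": (m.group(3) or "").strip(),
        })
    return keys


def find_unknown_keys(text: str, allowlist: set[str]) -> list[dict]:
    """Keys whose fingerprint is not in the allowlist, plus unparseable lines."""
    return [k for k in parse_authorized_keys(text)
            if "error" in k or k["fingerprint"] not in allowlist]


def candidate_paths(passwd_text: str) -> list[Path]:
    """Derive authorized_keys / authorized_keys2 paths for every account in /etc/passwd."""
    paths = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[5].startswith("/"):
            continue
        home = Path(fields[5])
        paths += [home / ".ssh" / "authorized_keys", home / ".ssh" / "authorized_keys2"]
    return paths


def _blob(label: str) -> str:
    # Constructed placeholder blob; a real entry carries an SSH wire-format public key.
    return base64.b64encode(f"constructed-key-blob-{label}".encode()).decode()


# Constructed sample file: two keys the owner recognises and one they do not.
SAMPLE_AUTHORIZED_KEYS = f"""# keys for the lab account (constructed sample)
ssh-rsa {_blob('lab-laptop')} student@lab-laptop
command="/usr/bin/rsync --server",no-pty ssh-ed25519 {_blob('backup')} backup@nas
ssh-rsa {_blob('unexpected')}
"""

# Fingerprints you have verified out of band (assumption: fill in your own)
TRUSTED = {fingerprint(_blob("lab-laptop")), fingerprint(_blob("backup"))}

if __name__ == "__main__":
    for k in find_unknown_keys(SAMPLE_AUTHORIZED_KEYS, TRUSTED):
        print("unknown key:", k)
    # On a live host: iterate candidate_paths(Path("/etc/passwd").read_text()),
    # read each file that exists as root, and run find_unknown_keys on its text.
```

Run it as root so that every home directory is readable, and build `TRUSTED` from fingerprints you confirm with the key owners rather than from the files on the suspect machine; a key with a `command=` or `from=` option you did not add is worth as much attention as an unknown fingerprint.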
 
Old 01-07-2010, 04:38 PM   #11
abefroman
Senior Member
 
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430

Rep: Reputation: 55
Quote:
Originally Posted by whepin View Post
It's so terrible. I found a lot of warnings from these two programs. It seemed that at least top, ifconfig, netstat and other files had been infected with trojans.

So the problem is how to fix it? This is really important for us.

Thanks.
Those could be false positives. Did it find any rootkits?

Is it saying those files are shell scripts not binaries?
 
Old 01-08-2010, 07:28 AM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
Originally Posted by whepin View Post
Anyway, thank you very much.
I'm now trying to install a firewall and block all inbound connections except from computers belonging to our LAN. I don't know if this will help a lot, but that is what I can do quickly.

If you really want help with this, you need to do a few things. Blocking all external inbound connections is just tinkering; you need to block ALL connections with the exception of SSH access from a trusted IP address. If you can completely isolate this box from the network (pull the network plug) that would be better.

Once you've done that you can start gathering evidence. Web31337 is pointing in the right direction. What is needed are log files and the output from a few commands:

lsof -Pwn
netstat -anpe
ps -axfwwwe

If any of these are too big to post, email them to me and I'll find a place to host them.

Please be aware that there may not be any quick fixes for this. The whole idea here is to do an investigation into what happened so that you can prevent it from happening in the future. Unless you're willing to do that investigation, any action you take will likely be useless.
 
Old 01-08-2010, 08:18 AM   #13
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
I really appreciate everyone's help. The following is the output of some commands.

1. lsof -Pwn
..................(nothing)

2. netstat -anpe
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      0          6855       -
tcp        0      0 0.0.0.0:48429           0.0.0.0:*               LISTEN      0          6921       2778/rpc.mountd
tcp        0      0 0.0.0.0:58509           0.0.0.0:*               LISTEN      0          6869       -
tcp        0      0 0.0.0.0:42637           0.0.0.0:*               LISTEN      0          5326       2094/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          5285       2072/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          6444       2406/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          32235      3085/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          6701       2689/exim4
tcp        0    164 192.168.76.142:22       192.168.76.81:1348      ESTABLISHED 0          143516     31083/sshd: linux [
tcp        0      0 192.168.76.142:22       192.168.76.133:63871    ESTABLISHED 0          75115      22311/sshd: linux [
tcp        0      0 192.168.76.142:22       192.168.76.81:1333      ESTABLISHED 0          122715     29190/sshd: linux [
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           0          6854       -
udp        0      0 192.168.76.142:137      0.0.0.0:*                           0          8684       2798/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           0          6998       2798/nmbd
udp        0      0 192.168.76.142:138      0.0.0.0:*                           0          8685       2798/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           0          6999       2798/nmbd
udp        0      0 0.0.0.0:37771           0.0.0.0:*                           110        7982       3061/avahi-daemon:
udp        0      0 0.0.0.0:39333           0.0.0.0:*                           0          6916       2778/rpc.mountd
udp        0      0 0.0.0.0:998             0.0.0.0:*                           0          5315       2094/rpc.statd
udp        0      0 0.0.0.0:50793           0.0.0.0:*                           39         9119       3605/bash
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           110        7981       3061/avahi-daemon:
udp        0      0 0.0.0.0:46191           0.0.0.0:*                           0          6865       -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          5269       2072/portmap
udp        0      0 0.0.0.0:47088           0.0.0.0:*                           0          5323       2094/rpc.statd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     7954   3061/avahi-daemon:  /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     5682   2288/acpid          /var/run/acpid.socket
unix  2      [ ]         DGRAM                    2971   1/init              @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     7099   2824/hald           @/var/run/hald/dbus-WDIfggcCxa
unix  2      [ ACC ]     STREAM     LISTENING     7751   2985/bluetoothd     /var/run/sdp
unix  2      [ ACC ]     STREAM     LISTENING     7754   2985/bluetoothd     @/org/bluez/audio
unix  2      [ ACC ]     STREAM     LISTENING     7077   2824/hald           @/var/run/hald/dbus-QPn3cWvG9Y
unix  2      [ ]         DGRAM                    3166   832/udevd           @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    7134   2824/hald           @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]     STREAM     LISTENING     32236  3085/cupsd          /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     6397   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     143618 31083/sshd: linux [
unix  3      [ ]         STREAM     CONNECTED     143617 31095/2
unix  3      [ ]         STREAM     CONNECTED     143558 2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     143557 31083/sshd: linux [
unix  2      [ ]         DGRAM                    143544 2359/klogd
unix  3      [ ]         STREAM     CONNECTED     122807 29190/sshd: linux [
unix  3      [ ]         STREAM     CONNECTED     122806 29198/1
unix  3      [ ]         STREAM     CONNECTED     122747 2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     122746 29190/sshd: linux [
unix  3      [ ]         STREAM     CONNECTED     77073  2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     77072  22521/smbd
unix  3      [ ]         STREAM     CONNECTED     75209  22311/sshd: linux [
unix  3      [ ]         STREAM     CONNECTED     75208  22319/0
unix  3      [ ]         STREAM     CONNECTED     75148  2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     75147  22311/sshd: linux [
unix  3      [ ]         STREAM     CONNECTED     8086   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8085   3113/system-tools-b
unix  3      [ ]         STREAM     CONNECTED     7965   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7964   3046/wpa_supplicant
unix  3      [ ]         STREAM     CONNECTED     7962   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7961   3048/nm-system-sett
unix  3      [ ]         STREAM     CONNECTED     7957   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7956   3061/avahi-daemon:
unix  3      [ ]         STREAM     CONNECTED     7950   3062/avahi-daemon:
unix  3      [ ]         STREAM     CONNECTED     7949   3061/avahi-daemon:
unix  3      [ ]         STREAM     CONNECTED     7864   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7863   3037/NetworkManager
unix  3      [ ]         STREAM     CONNECTED     7746   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7745   2985/bluetoothd
unix  3      [ ]         STREAM     CONNECTED     7734   2288/acpid          /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     7733   2978/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     7728   2824/hald           @/var/run/hald/dbus-QPn3cWvG9Y
unix  3      [ ]         STREAM     CONNECTED     7727   2978/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     7554   2824/hald           @/var/run/hald/dbus-QPn3cWvG9Y
unix  3      [ ]         STREAM     CONNECTED     7500   2945/hald-addon-gen
unix  3      [ ]         STREAM     CONNECTED     7537   2824/hald           @/var/run/hald/dbus-QPn3cWvG9Y
unix  3      [ ]         STREAM     CONNECTED     7240   2921/event3
unix  3      [ ]         STREAM     CONNECTED     7116   2824/hald           @/var/run/hald/dbus-WDIfggcCxa
unix  3      [ ]         STREAM     CONNECTED     7115   2890/hald-runner
unix  3      [ ]         STREAM     CONNECTED     7093   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7092   2827/console-kit-da
unix  3      [ ]         STREAM     CONNECTED     7079   2382/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7078   2824/hald
unix  3      [ ]         STREAM     CONNECTED     6400   2382/dbus-daemon
unix  3      [ ]         STREAM     CONNECTED     6399   2382/dbus-daemon

Last edited by unSpawn; 01-08-2010 at 01:15 PM. Reason: //Added code tags
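A netstat table this long is easier to review mechanically: list what is actually listening, attach the owning program to each socket, and flag the entries a reviewer has to account for. The following is an added example, not code posted in the thread; the sample input is an abridged copy of the netstat output above, while the allowlist of expected daemons and the three flagging rules are this example's assumptions. A `-` in the program column only means netstat could not attach a PID (the in-kernel NFS server on port 2049 shows that way, which fits the rpc.mountd and rpc.statd entries alongside it), so a flag is a prompt to explain the socket, not a verdict.

```python
"""Triage `netstat -anpe` output: list listening sockets and flag the ones that
need an explanation. Added example, not code from the thread; the allowlist of
expected daemons and the flagging rules are this example's own assumptions.
"""
from __future__ import annotations

TCP_STATES = {"LISTEN", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "SYN_SENT",
              "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK", "CLOSE"}
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "csh"}


def parse_netstat(text: str) -> list[dict]:
    """Parse the 'Active Internet connections' table (stops at the UNIX socket table)."""
    sockets = []
    for line in text.splitlines():
        if line.startswith("Active UNIX"):
            break
        f = line.split()
        if len(f) < 8 or not f[0].startswith(("tcp", "udp")):
            continue  # title and header lines
        proto, local, foreign = f[0], f[3], f[4]
        # UDP rows have no State column, so the remaining fields shift left by one
        if f[5] in TCP_STATES:
            state, rest = f[5], f[6:]
        else:
            state, rest = "", f[5:]
        uid, inode, prog = rest[0], rest[1], " ".join(rest[2:])
        pid, _, name = prog.partition("/")       # "31083/sshd: linux [" -> pid, name
        host, _, port = local.rpartition(":")
        sockets.append({
            "proto": proto, "host": host, "port": int(port), "foreign": foreign,
            "state": state, "uid": int(uid), "inode": inode,
            "pid": pid if name else None,                      # "-" means no PID shown
            "program": name.split(":")[0].split()[0] if name else None,
        })
    return sockets


def listening(sockets: list[dict]) -> list[dict]:
    """TCP sockets in LISTEN plus every bound UDP socket (UDP has no LISTEN state)."""
    return [s for s in sockets
            if (s["proto"].startswith("tcp") and s["state"] == "LISTEN")
            or (s["proto"].startswith("udp") and s["foreign"].endswith(":*"))]


def flag(sockets: list[dict], expected: set[str]) -> list[tuple[dict, str]]:
    """Return (socket, reason) pairs for listeners a reviewer should account for."""
    findings = []
    for s in listening(sockets):
        if s["program"] is None:
            # kernel-owned (e.g. in-kernel NFS) or a process this netstat could not map
            findings.append((s, "no owning process shown"))
        elif s["program"] in SHELLS:
            # shells do not normally hold sockets themselves; find out what the shell is running
            findings.append((s, "socket owned by an interactive shell"))
        elif s["program"] not in expected and s["host"] == "0.0.0.0":
            findings.append((s, "unexpected program bound on all interfaces"))
    return findings


# Lines taken from the netstat -anpe output posted above (abridged)
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      0          6855       -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          5285       2072/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          6444       2406/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          32235      3085/cupsd
tcp        0    164 192.168.76.142:22       192.168.76.81:1348      ESTABLISHED 0          143516     31083/sshd: linux [
udp        0      0 0.0.0.0:50793           0.0.0.0:*                           39         9119       3605/bash
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           110        7981       3061/avahi-daemon:
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          5269       2072/portmap
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     7954   3061/avahi-daemon:  /var/run/avahi-daemon/socket
"""

# Daemons you expect on this host (assumption: edit for your own box)
EXPECTED = {"sshd", "portmap", "rpc.mountd", "rpc.statd", "cupsd", "exim4", "nmbd", "avahi-daemon"}

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for s, why in flag(socks, EXPECTED):
        print(f"{s['proto']} {s['host']}:{s['port']} uid={s['uid']} pid={s['pid']} program={s['program']}: {why}")
```

Each flagged entry is a question for the `ps -axfwwwe` and `lsof -Pwn` output Hangdog42 asked for: the PID tells you which process tree and which open files belong to the socket, and the uid tells you which account it runs as. Keep in mind that the netstat binary on this machine is itself reported as modified, so the table is only as trustworthy as the tool that produced it; a known-good copy run from read-only media, or the same listing taken from `/proc/net/tcp` and `/proc/net/udp`, is the baseline to compare against.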
 
Old 01-08-2010, 08:26 AM   #14
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
3. chkrootkit
Code:
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      INFECTED
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not infected
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `ldsopreload'...                                   not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `mail'...                                          not infected
Checking `mingetty'...                                      not found
Checking `netstat'...                                       INFECTED
Checking `named'...                                         not found
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `pop2'...                                          not found
Checking `pop3'...                                          not found
Checking `ps'...                                            not infected
Checking `pstree'...                                        INFECTED
Checking `rpcinfo'...                                       not infected
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not infected
Checking `sshd'...                                          not infected
Checking `syslogd'...                                       not infected
Checking `tar'...                                           not infected
Checking `tcpd'...                                          not infected
Checking `tcpdump'...                                       not infected
Checking `top'...                                           INFECTED
Checking `telnetd'...                                       not found
Checking `timed'...                                         not found
Checking `traceroute'...                                    not found
Checking `vdir'...                                          not infected
Checking `w'...                                             not infected
Checking `write'...                                         not infected
Checking `aliens'...                                        /etc/ld.so.hash 
Searching for sniffer's logs, it may take a while...        nothing found
Searching for rootkit HiDrootkit's default files...         nothing found
Searching for rootkit t0rn's default files...               nothing found
Searching for t0rn's v8 defaults...                         Possible t0rn v8 (or variation) rootkit installed
Searching for rootkit Lion's default files...               nothing found
Searching for rootkit RSHA's default files...               nothing found
Searching for rootkit RH-Sharpe's default files...          nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/firefox-3.0.14/.autoreg /usr/lib/xulrunner-1.9.0.14/.autoreg /lib/init/rw/.ramfs /lib/modules/2.6.28-11-generic/volatile/.mounted

Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Maniac files and dirs...                      nothing found
Searching for RK17 files and dirs...                        nothing found
Searching for Ducoci rootkit...                             nothing found
Searching for Adore Worm...                                 nothing found
Searching for ShitC Worm...                                 nothing found
Searching for Omega Worm...                                 nothing found
Searching for Sadmind/IIS Worm...                           nothing found
Searching for MonKit...                                     nothing found
Searching for Showtee...                                    Warning: Possible Showtee Rootkit installed
Searching for OpticKit...                                   nothing found
Searching for T.R.K...                                      nothing found
Searching for Mithra...                                     nothing found
Searching for LOC rootkit...                                nothing found
Searching for Romanian rootkit...                            /usr/include/file.h /usr/include/proc.h
Searching for Suckit rootkit...                             nothing found
Searching for Volc rootkit...                               nothing found
Searching for Gold2 rootkit...                              nothing found
Searching for TC2 Worm default files and dirs...            nothing found
Searching for Anonoying rootkit default files and dirs...   nothing found
Searching for ZK rootkit default files and dirs...          nothing found
Searching for ShKit rootkit default files and dirs...       Possible ShKit rootkit installed
Searching for AjaKit rootkit default files and dirs...      nothing found
Searching for zaRwT rootkit default files and dirs...       nothing found
Searching for Madalin rootkit default files...              nothing found
Searching for Fu rootkit default files...                   nothing found
Searching for ESRK rootkit default files...                 nothing found
Searching for rootedoor...                                  nothing found
Searching for ENYELKM rootkit default files...              nothing found
Searching for common ssh-scanners default files...          nothing found
Searching for anomalies in shell history files...           nothing found
Checking `asp'...                                           not infected
Checking `bindshell'...                                     not infected
Checking `lkm'...                                           chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            chklastlog: nothing deleted

Last edited by unSpawn; 01-08-2010 at 01:19 PM. Reason: //Added code tags
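The chkrootkit listing mixes four binaries reported as INFECTED, three "Possible rootkit" matches and several bare path listings in with dozens of clean lines, and abefroman's point that some of these may be false positives means each kind needs different follow-up. Below is an added example that sorts a chkrootkit run into those groups; it is not part of the thread or of chkrootkit, the classification rules are this example's own reading of chkrootkit's result strings, and the sample input is an abridged copy of the output posted above.

```python
"""Triage chkrootkit output into the findings that need follow-up. Added example,
not part of the thread or of chkrootkit itself; the classification rules are
this example's own assumptions about chkrootkit's result strings.
"""
from __future__ import annotations
import re

_CHECK = re.compile(r"^Checking `([^']+)'\.\.\.\s*(.*)$")
_SEARCH = re.compile(r"^Searching for (.+?)\.\.\.\s*(.*)$")
_CLEAN = ("not infected", "not found", "nothing found", "nothing detected",
          "nothing deleted", "not promisc")


def parse_chkrootkit(text: str) -> list[dict]:
    """One entry per test; lines matching neither pattern are appended to the previous test."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _CHECK.match(line) or _SEARCH.match(line)
        if m:
            entries.append({"test": m.group(1), "result": m.group(2).strip()})
        elif entries:
            # continuation line (a path list or a second interface) belongs to the previous test
            entries[-1]["result"] = (entries[-1]["result"] + " " + line.strip()).strip()
    return entries


def classify(entry: dict) -> str:
    """Return 'infected', 'possible', 'paths', 'clean' or 'other' for one test result."""
    r = entry["result"]
    if not r:
        return "other"
    if "INFECTED" in r:
        return "infected"              # binary failed chkrootkit's signature check
    if r.startswith(("Possible", "Warning")):
        return "possible"              # default file/dir of a known rootkit seen
    if all(tok.startswith("/") for tok in r.split()):
        return "paths"                 # chkrootkit printed paths instead of a verdict
    if any(c in r.lower() for c in _CLEAN):
        return "clean"
    return "other"


def triage(text: str) -> dict:
    """Group the run: infected test names, possible-rootkit messages, path lists, leftovers."""
    out = {"infected": [], "possible": [], "paths": {}, "other": []}
    for e in parse_chkrootkit(text):
        kind = classify(e)
        if kind == "infected":
            out["infected"].append(e["test"])
        elif kind == "possible":
            out["possible"].append((e["test"], e["result"]))
        elif kind == "paths":
            out["paths"][e["test"]] = e["result"].split()
        elif kind == "other":
            out["other"].append((e["test"], e["result"]))
    return out


# Abridged copy of the chkrootkit output posted above
SAMPLE = """\
ROOTDIR is `/'
Checking `basename'...                                      not infected
Checking `ifconfig'...                                      INFECTED
Checking `netstat'...                                       INFECTED
Checking `ps'...                                            not infected
Checking `pstree'...                                        INFECTED
Checking `top'...                                           INFECTED
Checking `aliens'...                                        /etc/ld.so.hash 
Searching for sniffer's logs, it may take a while...        nothing found
Searching for t0rn's v8 defaults...                         Possible t0rn v8 (or variation) rootkit installed
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/firefox-3.0.14/.autoreg /usr/lib/xulrunner-1.9.0.14/.autoreg /lib/init/rw/.ramfs /lib/modules/2.6.28-11-generic/volatile/.mounted
Searching for Showtee...                                    Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit...                            /usr/include/file.h /usr/include/proc.h
Searching for ShKit rootkit default files and dirs...       Possible ShKit rootkit installed
Checking `lkm'...                                           chkproc: nothing detected
chkdirs: nothing detected
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets
Checking `z2'...                                            chklastlog: nothing deleted
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("INFECTED binaries:", result["infected"])
    for test, msg in result["possible"]:
        print("possible:", test, "->", msg)
    for test, paths in result["paths"].items():
        print("paths to inspect for", test, ":", paths)
```

The groups map onto different checks. The INFECTED binaries (`ifconfig`, `netstat`, `pstree`, `top`) are package-owned files on Ubuntu, so their checksums can be compared with the package database (the `debsums` package does this) and, more convincingly, with the same packages downloaded onto a clean machine; the "Possible rootkit" matches are triggered by the presence of particular files, so the named rootkit's signature files are what to look for; and the bare path listings (`/etc/ld.so.hash`, the two headers under `/usr/include`, the `.autoreg` and `volatile` entries) are items to account for one by one, some of which are normal on a desktop install. None of this replaces the evidence-gathering Hangdog42 describes, but it turns a long scan into a short list of things to verify.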
 
Old 01-08-2010, 08:35 AM   #15
whepin
Member
 
Registered: Dec 2001
Location: thunder bay, on, Canada
Distribution: Windows vista & Ubuntu
Posts: 113

Original Poster
Rep: Reputation: 15
4. ps
http://docs.google.com/View?id=dg267mcp_36g6pzg8hd