Linux box became a bot, is spamming packages and killing my router
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I guess the only thing left to do now is to wipe the PC off.
Indeed.
Quote:
Originally Posted by perrin4869
It was all probably my fault anyways for having a weak root password and allowing ssh password logins in the first place.
Auch!
Quote:
Originally Posted by perrin4869
I checked the logs and there are tons of failed login attemps to root from different IPs. No successful login logs but those were probably silenced. Learned a whole lot about Linux security through this experience.
Quote:
Originally Posted by perrin4869
I do have some lingering questions about the results of the clamav scan however. What does it mean that "RKH_libkeyutils.so.1.9-v1" sig is "greedy"?
When you work with regexes a "greedy match" means the search term is not refined meaning it'll return more than it should. The reason for that is there wasn't enough information, not enough time or not enough feedback to refine things.
/boot/System.map-generic-3.10.17: RKH_libkeyutils.so.1.9-v1.UNOFFICIAL FOUND
/boot/initrd-tree/lib/libc-2.17.so: RKH_libkeyutils.so.1.9-v1.UNOFFICIAL FOUND
/boot/initrd-tree/lib64/libc-2.19.so: RKH_libkeyutils.so.1.9-v1.UNOFFICIAL FOUND
/boot/initrd-tree/bin/busybox: RKH_libkeyutils.so.1.9-v1.UNOFFICIAL FOUND
/boot/System.map-huge-3.10.17: RKH_libkeyutils.so.1.9-v1.UNOFFICIAL FOUND
Are those files infected too?
They are likely false positives.
If you want to make certain you could compare those files (SHA256?) hashes with the hashes created from known good package contents on a repository.
Quote:
Originally Posted by perrin4869
Does unofficial mean that it hasn't been confirmed yet?
No, "unofficial" means these are signatures not included in ClamAV or any 3rd-party ClamAV signature databases provider like Sanesecurity, MalwarePatrol, INetMsg, etc, etc.
Quote:
Originally Posted by perrin4869
And why weren't those files detected when I did a scan for the whole filesystem with
Code:
clamscan -r --bell -i /
Because RKH is a post-op tool, because the signatures are for very specific situations and because they aren't as refined as they should be, it would not make sense to have them used by default as it will only confuse users so I explicitly left that functionality out.
Quote:
Originally Posted by perrin4869
Also, would it be safe for, after wiping out, to go ahead and just copy /etc and $HOME from the old installation as is into the new installation or do I risk having the infection again?
It is never safe until you have either verified or visually inspected files. For text-based files in/etc comparing hashes is easy to do and for binary files it's imperative. (Needless to say any files used for system startup, cron jobs, login or related to providing any access to the system are suspect and should rather come from the installation. If comparing hashes then show a match you discard the "old" file, if they don't you inspect them with say 'diff' to find the cause of the change.) /home is a different situation because we do not know the infection vector and no distribution comes with hashes for that kind of content plus you don't have any backups to compare against. I'd be cautious and visually inspect files individually before introducing them in the system.
Also, would it be safe for, after wiping out, to go ahead and just copy /etc and $HOME from the old installation as is into the new installation or do I risk having the infection again?
I would selectively copy the /etc/ config files you have personally adjusted. Then examine them to ensure nothing is incorrect, making sure nothing got appended to the file (or anywhere else in it)
As for home files, copy over the ones you know you'll need. Making sure executable bits are not permitted on files would be a good idea and browsing through to make sure it doesn't look changed. As unspawn said, checksum checks would defintely be the best way to go here - but that really only works if you had them prior to this all happening.
For you to get "re-infected" you would have to run a exectuable file with script to run the install script for the malware, as root.
In the future, intrusion detection software may be of use to you. I haven't used it, but you could try tripwire
Obviously, never letting them in is better. But it could save a lot more headache next time.
I would selectively copy the /etc/ config files you have personally adjusted. Then examine them to ensure nothing is incorrect, making sure nothing got appended to the file (or anywhere else in it)
Should be the other way around: compare files first and if found OK then copy.
Quote:
Originally Posted by Miati
For you to get "re-infected" you would have to run a exectuable file with script to run the install script for the malware, as root.
You don't know the infection vector so that's speculation.
Quote:
Originally Posted by Miati
In the future, intrusion detection software may be of use to you. I haven't used it, but you could try tripwire
Running Ckrootkit, Rootkit Hunter, any file system integrity checker (personally I'd suggest Samhain: see previous posts of mine) or any other post-incident tool amounts to just that: after the fact alerting / breach confirmation. Indeed prevention is better. The OP should start by reading his Linux distributions user and security documentation.
Great analysis, though sorry for the necro. I had not ever heard of a Linux desktop being compromised like this in all my 15 years using Linux. Servers compromised, yes, due to not being patched, but never a desktop!
Ok, good job on finding the exploit and managing it, but I am still not clear about the initial break in. From what I have gleamed thus far, is there a MySQL server running on this system? You may want to further secure the mysql user account in linux to prevent access to bash?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.