LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-14-2019, 04:22 PM   #1
0loxw0qk
LQ Newbie
 
Registered: Jun 2019
Posts: 1

Rep: Reputation: Disabled
Was my pc hacked? (am I a slave?)


Hi there,
I'm new to Ubuntu and using Ubuntu 18.04 on my PC.

Few days back, I noticed a text file named "pwn3d.txt" on my home folder. The text inside the file was : "You are (fully) pwn3d due to a homobraphic error on your software dependencies"

I didn't notice any unusual activity and my accounts weren't hacked. Also, I don't remember installing any suspicious soft wares or running any unauthorized scripts.

But still, I got panicked and reinstalled my Ubuntu (I still have windows installed) Today I tried to dug into the logs to see if I can find any suspicious behavior, and I think I found few:

My firewall (UFW) is blocking tons of stuff:
https://i.stack.imgur.com/zLs4M.png - screen shot for few examples

I have --slave commands, few examples from alternative.logs:
update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz

update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz

update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz

when i ran the following command: cat /etc/passwd|grep '/bin/bash' I got the following result alongside with my own username:
root:x:0:0:root:/root:/bin/bash

Any suggestions? am I under attack? should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?

Please help me.
 
Old 06-14-2019, 09:28 PM   #2
Contrapak
Member
 
Registered: May 2019
Location: /home/
Distribution: Arch Linux
Posts: 104

Rep: Reputation: 12
Nuke your computer and install Ubuntu from a certified distributor.
 
Old 06-14-2019, 10:10 PM   #3
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 14,943
Blog Entries: 25

Rep: Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206
I looked at this post earlier tonight. I'm inclined to agree with Contrapak, especially if you don't have any crucial data on that box. A web search for "pwn3d.txt" turned up some awfully fishy links, but I felt I didn't know enough to respond at that point.

Alternatively, you could boot to a Live CD of something, install a malware scanner to the live environment, disconnect from any networks, and scan the HDD.

You may also wish to look at this Wikipedia article: https://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F
 
Old Yesterday, 03:04 AM   #4
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,621
Blog Entries: 9

Rep: Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077
Quote:
Originally Posted by 0loxw0qk View Post
I got panicked and reinstalled my Ubuntu (I still have windows installed) Today I tried to dug into the logs to see if I can find any suspicious behavior, and I think I found few:

My firewall (UFW) is blocking tons of stuff:
https://i.stack.imgur.com/zLs4M.png - screen shot for few examples

I have --slave commands, few examples from alternative.logs:
update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz

update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz

update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz

when i ran the following command: cat /etc/passwd|grep '/bin/bash' I got the following result alongside with my own username:
root:x:0:0:root:/root:/bin/bash
All this is perfectly normal.
UFW blocks a lot of internal chatter mostly between your box and your router.
Some commands have --slave options.

Since you already did a full reinstall I don't see what more you can do (except for the windows side - there i'm totally ignorant).
But of course it's better to be safe than sorry, and get into deep malware scanning.
That would probably include booting from a Live USB system or such; I'm sure specialised distros exist.
 
Old Yesterday, 06:44 AM   #5
FlinchX
Member
 
Registered: Nov 2017
Distribution: Slackware Linux
Posts: 325

Rep: Reputation: Disabled
Quote:
Originally Posted by Contrapak View Post
certified distributor.
what's this?
 
Old Yesterday, 08:41 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 14,943
Blog Entries: 25

Rep: Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206Reputation: 4206
For most Linux distros, the most "certified distributor" is the distro's own website.
 
Old Yesterday, 08:55 PM   #7
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,192

Rep: Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853Reputation: 1853
I found this forum post.
It appears that the JavaScript was loaded when the user was using npm.
The script appears to be innocuous, as real malware would not advertise its presence. Also, the link in the script to homografo.junquera.xyz does not resolve.
 
Old Yesterday, 11:09 PM   #8
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,621
Blog Entries: 9

Rep: Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077Reputation: 3077
^ good research!
the question about how you can even get that stuff seems to be answered here:
Quote:
Originally Posted by slutti
I've been installing a lot through npm the last few days, just for experimenting
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] How to restart a "MySQL slave-of-a-slave completely(!) from scratch?" sundialsvcs Linux - Server 4 02-13-2017 06:36 PM
I find file zone in the slave zone to the do a transfer of zone from Windows Server 2012 as master dns and CentOS as slave DNS. To learn Linux - Newbie 1 09-02-2016 09:36 AM
MySQL Slave - Log queries including those executed on Slave Replay helptonewbie Linux - Server 0 04-11-2012 06:17 AM
[SOLVED] My network is hacked for sure. I want to reinstall but it will be hacked again. MsRefusenik Linux - Security 19 10-18-2010 05:02 PM
MySQL Master-Slave Replication - How to make the slave read-only? saagar Linux - Server 1 08-31-2010 08:13 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 11:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration