Malware Fun

Tom · June 18, 2015, 12:44:11 AM

For the first time ever, one of my linux boxes has been infected by malware

Based on some basic googling, its a simple botnet/irc client used to do DDoS attacks.

Scan from VirusTotal

As far as i can tell there was no rootkit installed, or any kind of kernel module hijack. But it did hide itself in /var/tmp/.../.kde and ran itself as 'postgres' where it also installed a user crontab entry to update itself every hour.

The only reason I even noticed it was because i was noticing things being unable to connect to other machines on an increasingly regular basis. Started off with some rsync jobs failing, then other things and just snowballed to more than a couple ssh connections before any more would fail with a 'unable to assign requested address' error message which is incredibly strange to see coming from a client program. Turns out you get that error message when you run out of usable file handles. Most often people run into this error when leaking files and the system is set to limit users to a "low" amount like 2048 or less, or when you're running a daemon like mysql or apache that can often have thousands of file descriptors open at any given time.

When i went to go check to see about open connections with netstat, i found nothing out of the ordinary, so i was confused about this problem for quite some time (weeks now?). It was only today when coming back to working on it after trying to fix it last night by switching the kernel (expecting some kind of weird driver/kernel bug), that i decided to dig a bit deeper and found a curious process listed in htop called "crond". Normally that wouldn't bug me, but it was running as the "postgres" user. At that point I was very suspicious. I did some googling about this, and most places mentioned checking /etc/init.d and the /etc/cron.d/* directories. I found absolutely nothing of interest in either location, but i had a thought... If that program is running as postgres, there MAY be something in the postgres user's crontab... And of course there was. It told cron to run /var/tmp/.../.kde/update every hour. So yeah. Totally infected with a botnet trojan. Nothing else seems to be wrong. I ran some malware scanners which found nothing suspicious (even while the trojan was still installed and running), and dpkg -V which scans all files part of installed packages to see if they match the original checksums, and that passed. So hopefully things are ok for now, but I think I'll be re-installing the OS soon.

Fun times. *sigh*

append: In case anyone is wondering, this was causing my backups to randomly fail, including the separate minecraft backups. So yay, its all fixed

Mr. Analog · June 18, 2015, 07:23:14 AM

Glad you found it! I recently rebuilt a laptop for my family and that thing was so heavily infected I had to wipe it completely

Thorin · June 18, 2015, 07:34:19 AM

Ah, so there is malware for non-Windows PCs.

Also, glad you found it and fixed it. Planning on running a virus scanner on a regular basis from now on?

Tom · June 18, 2015, 02:46:42 PM

Quote from: Thorin on June 18, 2015, 07:34:19 AM
Ah, so there is malware for non-Windows PCs.

On virtually any system really. Android, iOS, OSX, Windows, and yes Linux, but its rare for a home linux system to get infected.. A recent trojan made the rounds that likes to brute force ssh root logins, and that was likely how it got in. Probably while i was away. I've since changed the ssh server on the firewall to not allow root logins with passwords.

Quote from: Thorin on June 18, 2015, 07:34:19 AM
Also, glad you found it and fixed it. Planning on running a virus scanner on a regular basis from now on?

Not on my linux boxes. The incredible unlikeliness of it happening again makes it kind of pointless.

One time in 13 years. Not too bad

Darren Dirt · June 19, 2015, 11:27:45 AM

Quote from: Mr. Analog on June 18, 2015, 07:23:14 AM
Glad you found it! I recently rebuilt a laptop for my family and that thing was so heavily infected I had to wipe it completely

"Hey, [family member or friend], you 'work with computers' right? Can you fix my slow Windows computer thingie?"

Ouch, I try not to get dragged into that anymore, because it can be such a timesink... but it's almost painful to know someone's machine is so bogged down by spyware and crap and you can rescue them from that laggy hell with just a few clicks... and a few more... and... :sigh:

Of course it's your folks so that goes without saying that it's your job to keep them running efficiently in the web tubes.

Mr. Analog · June 19, 2015, 11:33:05 AM

Yeh, I held it off so long but that machine was so @%&#ed up I had to do something about it because I was sick of the never-ending winging.

I told them up front that I would be wiping it completely and doing a ground up rebuild so, I had no sympathy for issues they had after (such as where their favourite malware toolbars had gone, JEZUZ I wish I was joking)

It caused some friction but it wasn't their primary machine, I still can't believe they went and installed McAfee on it after I cleaned all that @%&# off, why people use or trust and send money to McAfee is beyond me

Lazybones · June 19, 2015, 12:10:20 PM

Linux systems don't get malware as often as they just get owned by vulnerabilities in the hundreds of bundled systems / services installed by default.

If you arn't auto updating on the security repos, it is super easy for someone to install a niche perl or python app into your web service and go to town..

Lazybones · June 19, 2015, 12:29:16 PM

Quote from: Lazybones on June 19, 2015, 12:10:20 PM
Linux systems don't get malware as often as they just get owned by vulnerabilities in the hundreds of bundled systems / services installed by default.

If you arn't auto updating on the security repos, it is super easy for someone to install a niche perl or python app into your web service and go to town..

This is actually a growing concern due to things like Docker that bundle the server in with the app. Nothing like a 2 year old un-patched webserver bundled with your app for vulnerabilities.

It is also a problem if you are compiling the server services from source and then not maintaining them at all.

All of these are administrative issues, but common ones.

Tom · June 19, 2015, 03:02:18 PM

Quote from: Lazybones on June 19, 2015, 12:10:20 PM
Linux systems don't get malware as often as they just get owned by vulnerabilities in the hundreds of bundled systems / services installed by default.

If you arn't auto updating on the security repos, it is super easy for someone to install a niche perl or python app into your web service and go to town..

My home server runs just about nothing. It had more things on it than it should have, but it's been an evolving install for years now, so things just built up BUT it was just a kvm host, and everything sat behind a separate linux firewall machine (nice little firewall appliance with 1GB ram, and a 1Ghz atom cpu with HT). So its not simple to get into my network. In this case, it was because I left ssh root login 'with password' enabled, and they managed to get in via brute forcing the password even with rate limiting, and fail2ban installed. I'm somewhat impressed actually.

I've disabled root login w/password on the firewall now, but left root+sharedkey enabled, though I could just use a separate user with su perms instead which is probably a bit more secure.

Quote from: Lazybones on June 19, 2015, 12:29:16 PM
Quote from: Lazybones on June 19, 2015, 12:10:20 PM
Linux systems don't get malware as often as they just get owned by vulnerabilities in the hundreds of bundled systems / services installed by default.

If you arn't auto updating on the security repos, it is super easy for someone to install a niche perl or python app into your web service and go to town..

This is actually a growing concern due to things like Docker that bundle the server in with the app. Nothing like a 2 year old un-patched webserver bundled with your app for vulnerabilities.

It is also a problem if you are compiling the server services from source and then not maintaining them at all.

All of these are administrative issues, but common ones.

Indeed, but docker is containers, so its closer to a VM than "an app". Some people just don't get that I suppose. you should treat it as a separate instance, and keep it updated like you should other machines.

Lazybones · July 21, 2015, 02:34:16 PM

Ssh brute force made easier due to an OpenSSL flaw

http://arstechnica.com/security/2015/07/bug-in-widely-used-openssh-opens-servers-to-password-cracking/

I recently installed fail2ban on my server and run on a none standard port. I might just move to VPN only remote access at this rate.

Mr. Analog · July 21, 2015, 02:54:24 PM

Quote from: Lazybones on July 21, 2015, 02:34:16 PM
Ssh brute force made easier due to an OpenSSL flaw

http://arstechnica.com/security/2015/07/bug-in-widely-used-openssh-opens-servers-to-password-cracking/

I recently installed fail2ban on my server and run on a none standard port. I might just move to VPN only remote access at this rate.

That's for sure holy @%&#

Tom · July 21, 2015, 04:47:19 PM

Mostly it's only REALLY BAD if your config is already REALLY BAD. Hopefully you didn't allow infinite retries.