Solved

I think my Ubuntu 12.10 box is hacked, but not sure...

Posted on 2016-12-01
13
69 Views
Last Modified: 2016-12-02
Hi,

Im not a Linux dude, so Im using google to find solutions, but I cant find a solution for this matter...
It seems that our Ubuntu 12.10 proxy server is running some unwanted activities nor services..

When I use TOP command, it shows the below line on top and I cant find the command jekakdaokt on google.

PID  USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
1313 root      20   0 44796 2880  204 S  72,9  0,0  53779:35 jekakdaokt

anyone that want to help me out to see if my box is compromised?

Ive changed root password and started with a new proxy server by using Ubuntu 16.04, but not done yet..
0
Comment
Question by:Bjarte Fjelland
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
13 Comments
 
LVL 7

Expert Comment

by:Raghav
ID: 41908505
The very first thing you can do is check / enable firewall "ufw"

1. To check the ufw service status, run -

sudo service status ufw

2. If you have not installed ufw, then run -

sudo apt-get install ufw

Kill the process 1313 and check if it returns.

sudo kill 1313

Good Luck.

--Raghav.
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908513
Hi Raghav,

When doing -> sodu service status ufw <- I've got that the service is unknown.
Doing -> sudo apt-get install ufw <- I've got that the package cant be installed.

After sudo kill 1313 the blow line started:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
25876 root      20   0 28692 3540  196 S  18,0  0,0   0:04.74 uplxdzsnsk

It do seems like there is an unwanted service running.
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41908524
what error did you get when you try to install ufw?

--Raghav.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 7

Expert Comment

by:Raghav
ID: 41908535
Also try to kill the process using -

sudo kill -STOP 25876

Check your crontab if it triggers from there.

--Raghav.
0
 
LVL 7

Accepted Solution

by:
Raghav earned 500 total points
ID: 41908541
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908653
In the crontab:

# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user      command
17 *      * * *      root    cd / && run-parts --report /etc/cron.hourly
25 6      * * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6      * * 7      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6      1 * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/3 * * * * root /etc/cron.hourly/gcc.sh

in mtab:

/dev/mapper/proxy-root / ext4 rw,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
none /run/shm tmpfs rw,nosuid,nodev 0 0
none /run/user tmpfs rw,noexec,nosuid,nodev,size=104857600,mode=0755 0 0
/dev/sda1 /boot ext2 rw 0 0

in gcc.sh:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

When I Killed with -STOP the process and this apears:

32456 root      20   0 35192 1008  208 S   0,3  0,0  58:39.73 vcyanolhsgcje
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41908684
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908956
I've done the steps in the URL, now rebooting.

This is a squid proxy server with 2 nic, one for internal and other for external. I can see that SSH and port 80 is open from the Internet and I want to close it cos it seems that the malware came via SSH.
Could I close it for external nic and open for the internal nic?
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908971
I think the malware is gone, but how can I be sure?
I cant see any weird command names when running TOP.

But can see SSHD and mysqld is runnning occasionally.
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41909022
Always use a firewall to block unwanted ports and allow only trusted ones. ANY - ANY rule can be dangerous. Restrict access from outside to only trusted hosts if you need to.

Good to hear that the malware process is gone.

--Raghav.
0
 
LVL 29

Expert Comment

by:serialband
ID: 41909194
Since you're not that familiar with Linux, download and install a rootkit scanner.
http://www.chkrootkit.org/
http://rkhunter.sourceforge.net/

Are you using MySQL or SSH for anything?  If not you can turn it off.
service sshd stop
killall sshd
service mysql stop
service status all


If you need to use them, then you should block external sites and only allow specific internal IPs to access your system.
If you've installed ufw, then you can set it to only allow access to ssh port 22 on the local subnet.
If your local subnet is 10.1.1.0 to 10.1.1.255 then:
sudo ufw allow from 10.1.1.0/24 to any port 22
0
 
LVL 1

Author Closing Comment

by:Bjarte Fjelland
ID: 41909867
The link Raghav refers to remove the trojan on the Ubuntu 12.10 box, thanks !
I also see that I need to replace the box with newer Ubuntu version and put up a UFW or iptables.
I cant install any program on it for some reason unknown to me.

Thanks again Raghav!
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41909893
You are most welcome.

--Raghav.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The purpose of this article is to demonstrate how we can use conditional statements using Python.
Fine Tune your automatic Updates for Ubuntu / Debian
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question