I think my Ubuntu 12.10 box is hacked, but not sure...

Posted on 2016-12-01
Last Modified: 2016-12-02
Hi,

I'm not a Linux dude, so I'm using Google to find solutions, but I can't find a solution for this matter...
It seems that our Ubuntu 12.10 proxy server is running some unwanted activities or services..

When I use the TOP command, it shows the line below at the top, and I can't find the command jekakdaokt on Google.

PID  USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
1313 root      20   0 44796 2880  204 S  72,9  0,0  53779:35 jekakdaokt

Anyone who wants to help me out to see if my box is compromised?

I've changed the root password and started with a new proxy server using Ubuntu 16.04, but it's not done yet..
Question by:Bjarte Fjelland
LVL 7

Expert Comment

by:Raghav
ID: 41908505
The very first thing you can do is check / enable the firewall "ufw".

1. To check the ufw service status, run -

sudo service ufw status

2. If you have not installed ufw, then run -

sudo apt-get install ufw

Kill the process 1313 and check if it returns.

sudo kill 1313

Good Luck.

--Raghav.
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908513
Hi Raghav,

When doing -> sudo service ufw status <- I got a message that the service is unknown.
Doing -> sudo apt-get install ufw <- I got a message that the package can't be installed.

After sudo kill 1313 the line below appeared:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
25876 root      20   0 28692 3540  196 S  18,0  0,0   0:04.74 uplxdzsnsk

It does seem like there is an unwanted service running.
LVL 7

Expert Comment

by:Raghav
ID: 41908524
What error did you get when you tried to install ufw?

--Raghav.
LVL 7

Expert Comment

by:Raghav
ID: 41908535
Also try to kill the process using -

sudo kill -STOP 25876

Check your crontab if it triggers from there.

--Raghav.
LVL 7

Accepted Solution

by:
Raghav earned 500 total points
ID: 41908541
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908653
In the crontab:

# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user      command
17 *      * * *      root    cd / && run-parts --report /etc/cron.hourly
25 6      * * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6      * * 7      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6      1 * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/3 * * * * root /etc/cron.hourly/gcc.sh

in mtab:

/dev/mapper/proxy-root / ext4 rw,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
none /run/shm tmpfs rw,nosuid,nodev 0 0
none /run/user tmpfs rw,noexec,nosuid,nodev,size=104857600,mode=0755 0 0
/dev/sda1 /boot ext2 rw 0 0

in gcc.sh:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

When I killed the process with -STOP, this appears:

32456 root      20   0 35192 1008  208 S   0,3  0,0  58:39.73 vcyanolhsgcje
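The two persistence indicators found above (a cron.d entry that runs one script under /etc/cron.hourly directly, and a dropper that copies a file into /lib and executes it) can be checked for with a small script. This is an added example, not code from the thread; the sample cron file and script are constructed to mirror what was posted, and scan_box runs the same checks on the live host.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the two persistence
# indicators found above -- a cron entry that runs one script under
# /etc/cron.* directly, and a script that copies a file into /lib and runs it.

# Constructed sample of the cron file posted above (abridged).
SAMPLE_CRON='SHELL=/bin/sh
# m h dom mon dow user command
17 *  * * * root cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /etc/cron.hourly/gcc.sh'

# Constructed sample of the dropped /etc/cron.hourly/gcc.sh.
SAMPLE_SCRIPT='#!/bin/sh
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6'

# Read a crontab on stdin; print non-comment lines that name a single file
# inside /etc/cron.{hourly,daily,weekly,monthly}. Stock entries only reach
# those directories through run-parts, so a direct path is worth a look.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' \
      | grep -E '[[:space:]]/etc/cron\.(hourly|daily|weekly|monthly)/[^[:space:]]+' \
      | grep -v 'run-parts'
}

# Read a shell script on stdin; print lines that copy something into /lib or
# /usr/lib, the step that planted libudev.so.6 on the poster's box.
lib_drop_lines() {
    grep -E '^[[:space:]]*cp[[:space:]].*[[:space:]]/(usr/)?lib/'
}

# Run both checks against the live system: every flagged cron line has its
# command file (last field) inspected for a library drop.
scan_box() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | suspicious_cron_lines \
      | while read -r line; do
            script=$(printf '%s\n' "$line" | awk '{print $NF}')
            echo "cron: $line"
            if [ -r "$script" ]; then
                lib_drop_lines < "$script" | sed 's/^/  drops: /'
            fi
        done
}

# Demo on the constructed samples; call scan_box on the real host.
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
printf '%s\n' "$SAMPLE_SCRIPT" | lib_drop_lines
```

A hit from scan_box is a lead, not a verdict: read the flagged script and compare the dropped file against the package that should own that path before deciding.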
LVL 7

Expert Comment

by:Raghav
ID: 41908684
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908956
I've done the steps in the URL, now rebooting.

This is a squid proxy server with 2 NICs, one for internal and the other for external. I can see that SSH and port 80 are open from the Internet and I want to close them because it seems that the malware came via SSH.
Could I close it for external nic and open for the internal nic?
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908971
I think the malware is gone, but how can I be sure?
I can't see any weird command names when running TOP.

But I can see SSHD and mysqld are running occasionally.
LVL 7

Expert Comment

by:Raghav
ID: 41909022
Always use a firewall to block unwanted ports and allow only trusted ones. ANY - ANY rule can be dangerous. Restrict access from outside to only trusted hosts if you need to.

Good to hear that the malware process is gone.

--Raghav.
LVL 29

Expert Comment

by:serialband
ID: 41909194
Since you're not that familiar with Linux, download and install a rootkit scanner.
http://www.chkrootkit.org/
http://rkhunter.sourceforge.net/

Are you using MySQL or SSH for anything?  If not you can turn it off.
service ssh stop
killall sshd
service mysql stop
service --status-all


If you need to use them, then you should block external sites and only allow specific internal IPs to access your system.
If you've installed ufw, then you can set it to only allow access to ssh port 22 on the local subnet.
If your local subnet is 10.1.1.0 to 10.1.1.255 then:
sudo ufw allow from 10.1.1.0/24 to any port 22
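For the two-NIC question raised earlier (SSH reachable only from the inside, nothing from the external NIC), the subnet rule above can be extended to a full ufw rule set. This is an added example, not code from the thread, meant for the replacement 16.04 box where ufw installs cleanly; eth0 as the Internet-facing NIC, eth1 as the LAN NIC, 10.1.1.0/24 as the LAN and squid on 3128 are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (change to fit the box): eth0 is
# the Internet-facing NIC, eth1 the LAN NIC, 10.1.1.0/24 the LAN, and squid
# listens on 3128. Mode "print" (default) lists the rules; "apply" runs them.

ufw_rules() {
    ext_if=$1; int_if=$2; int_net=$3; mode=${4:-print}
    # Default deny closes 22 and 80 on the external side; the explicit deny
    # on the external interface keeps that intent visible in "ufw status".
    set -- \
      "ufw default deny incoming" \
      "ufw default allow outgoing" \
      "ufw allow in on $int_if from $int_net to any port 22 proto tcp" \
      "ufw allow in on $int_if from $int_net to any port 3128 proto tcp" \
      "ufw deny in on $ext_if to any port 22 proto tcp" \
      "ufw --force enable"
    for rule in "$@"; do
        if [ "$mode" = apply ]; then
            sudo $rule   # word-splitting of the rule string is intended
        else
            echo "$rule"
        fi
    done
}

# Review the generated rules first; rerun with "apply" to install them.
ufw_rules eth0 eth1 10.1.1.0/24 "${1:-print}"
```

Apply it from the console or from an internal address, since the external SSH path closes as soon as the rules are enabled.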
LVL 1

Author Closing Comment

by:Bjarte Fjelland
ID: 41909867
The link Raghav refers to removed the trojan on the Ubuntu 12.10 box, thanks!
I also see that I need to replace the box with a newer Ubuntu version and set up UFW or iptables.
I can't install any program on it for some reason unknown to me.

Thanks again Raghav!
LVL 7

Expert Comment

by:Raghav
ID: 41909893
You are most welcome.

--Raghav.