Solved

I think my Ubuntu 12.10 box is hacked, but not sure...

Posted on 2016-12-01
13
11 Views
Last Modified: 2016-12-02
Hi,

Im not a Linux dude, so Im using google to find solutions, but I cant find a solution for this matter...
It seems that our Ubuntu 12.10 proxy server is running some unwanted activities nor services..

When I use TOP command, it shows the below line on top and I cant find the command jekakdaokt on google.

PID  USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
1313 root      20   0 44796 2880  204 S  72,9  0,0  53779:35 jekakdaokt

anyone that want to help me out to see if my box is compromised?

Ive changed root password and started with a new proxy server by using Ubuntu 16.04, but not done yet..
0
Comment
Question by:Bjarte Fjelland
  • 7
  • 5
13 Comments
 
LVL 4

Expert Comment

by:Raghav
Comment Utility
The very first thing you can do is check / enable firewall "ufw"

1. To check the ufw service status, run -

sudo service status ufw

2. If you have not installed ufw, then run -

sudo apt-get install ufw

Kill the process 1313 and check if it returns.

sudo kill 1313

Good Luck.

--Raghav.
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
Comment Utility
Hi Raghav,

When doing -> sodu service status ufw <- I've got that the service is unknown.
Doing -> sudo apt-get install ufw <- I've got that the package cant be installed.

After sudo kill 1313 the blow line started:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
25876 root      20   0 28692 3540  196 S  18,0  0,0   0:04.74 uplxdzsnsk

It do seems like there is an unwanted service running.
0
 
LVL 4

Expert Comment

by:Raghav
Comment Utility
what error did you get when you try to install ufw?

--Raghav.
0
 
LVL 4

Expert Comment

by:Raghav
Comment Utility
Also try to kill the process using -

sudo kill -STOP 25876

Check your crontab if it triggers from there.

--Raghav.
0
 
LVL 4

Accepted Solution

by:
Raghav earned 500 total points
Comment Utility
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
Comment Utility
In the crontab:

# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user      command
17 *      * * *      root    cd / && run-parts --report /etc/cron.hourly
25 6      * * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6      * * 7      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6      1 * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/3 * * * * root /etc/cron.hourly/gcc.sh

in mtab:

/dev/mapper/proxy-root / ext4 rw,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
none /run/shm tmpfs rw,nosuid,nodev 0 0
none /run/user tmpfs rw,noexec,nosuid,nodev,size=104857600,mode=0755 0 0
/dev/sda1 /boot ext2 rw 0 0

in gcc.sh:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

When I Killed with -STOP the process and this apears:

32456 root      20   0 35192 1008  208 S   0,3  0,0  58:39.73 vcyanolhsgcje
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 4

Expert Comment

by:Raghav
Comment Utility
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
Comment Utility
I've done the steps in the URL, now rebooting.

This is a squid proxy server with 2 nic, one for internal and other for external. I can see that SSH and port 80 is open from the Internet and I want to close it cos it seems that the malware came via SSH.
Could I close it for external nic and open for the internal nic?
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
Comment Utility
I think the malware is gone, but how can I be sure?
I cant see any weird command names when running TOP.

But can see SSHD and mysqld is runnning occasionally.
0
 
LVL 4

Expert Comment

by:Raghav
Comment Utility
Always use a firewall to block unwanted ports and allow only trusted ones. ANY - ANY rule can be dangerous. Restrict access from outside to only trusted hosts if you need to.

Good to hear that the malware process is gone.

--Raghav.
0
 
LVL 27

Expert Comment

by:serialband
Comment Utility
Since you're not that familiar with Linux, download and install a rootkit scanner.
http://www.chkrootkit.org/
http://rkhunter.sourceforge.net/

Are you using MySQL or SSH for anything?  If not you can turn it off.
service sshd stop
killall sshd
service mysql stop
service status all


If you need to use them, then you should block external sites and only allow specific internal IPs to access your system.
If you've installed ufw, then you can set it to only allow access to ssh port 22 on the local subnet.
If your local subnet is 10.1.1.0 to 10.1.1.255 then:
sudo ufw allow from 10.1.1.0/24 to any port 22
0
 
LVL 1

Author Closing Comment

by:Bjarte Fjelland
Comment Utility
The link Raghav refers to remove the trojan on the Ubuntu 12.10 box, thanks !
I also see that I need to replace the box with newer Ubuntu version and put up a UFW or iptables.
I cant install any program on it for some reason unknown to me.

Thanks again Raghav!
0
 
LVL 4

Expert Comment

by:Raghav
Comment Utility
You are most welcome.

--Raghav.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

rdate is a Linux command and the network time protocol for immediate date and time setup from another machine. The clocks are synchronized by entering rdate with the -s switch (command without switch just checks the time but does not set anything). …
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now