?
Solved

I think my Ubuntu 12.10 box is hacked, but not sure...

Posted on 2016-12-01
13
Medium Priority
?
79 Views
Last Modified: 2016-12-02
Hi,

Im not a Linux dude, so Im using google to find solutions, but I cant find a solution for this matter...
It seems that our Ubuntu 12.10 proxy server is running some unwanted activities nor services..

When I use TOP command, it shows the below line on top and I cant find the command jekakdaokt on google.

PID  USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
1313 root      20   0 44796 2880  204 S  72,9  0,0  53779:35 jekakdaokt

anyone that want to help me out to see if my box is compromised?

Ive changed root password and started with a new proxy server by using Ubuntu 16.04, but not done yet..
0
Comment
Question by:Bjarte Fjelland
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
13 Comments
 
LVL 7

Expert Comment

by:Raghav
ID: 41908505
The very first thing you can do is check / enable firewall "ufw"

1. To check the ufw service status, run -

sudo service status ufw

2. If you have not installed ufw, then run -

sudo apt-get install ufw

Kill the process 1313 and check if it returns.

sudo kill 1313

Good Luck.

--Raghav.
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908513
Hi Raghav,

When doing -> sodu service status ufw <- I've got that the service is unknown.
Doing -> sudo apt-get install ufw <- I've got that the package cant be installed.

After sudo kill 1313 the blow line started:

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
25876 root      20   0 28692 3540  196 S  18,0  0,0   0:04.74 uplxdzsnsk

It do seems like there is an unwanted service running.
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41908524
what error did you get when you try to install ufw?

--Raghav.
0
CHALLENGE LAB: Troubleshooting Connectivity Issues

Goal: Fix the connectivity issue in the lab's AWS environment so that you can SSH into the provided EC2 instance.  

 
LVL 7

Expert Comment

by:Raghav
ID: 41908535
Also try to kill the process using -

sudo kill -STOP 25876

Check your crontab if it triggers from there.

--Raghav.
0
 
LVL 7

Accepted Solution

by:
Raghav earned 2000 total points
ID: 41908541
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908653
In the crontab:

# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user      command
17 *      * * *      root    cd / && run-parts --report /etc/cron.hourly
25 6      * * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6      * * 7      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6      1 * *      root      test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/3 * * * * root /etc/cron.hourly/gcc.sh

in mtab:

/dev/mapper/proxy-root / ext4 rw,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
none /run/shm tmpfs rw,nosuid,nodev 0 0
none /run/user tmpfs rw,noexec,nosuid,nodev,size=104857600,mode=0755 0 0
/dev/sda1 /boot ext2 rw 0 0

in gcc.sh:

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6

When I Killed with -STOP the process and this apears:

32456 root      20   0 35192 1008  208 S   0,3  0,0  58:39.73 vcyanolhsgcje
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41908684
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908956
I've done the steps in the URL, now rebooting.

This is a squid proxy server with 2 nic, one for internal and other for external. I can see that SSH and port 80 is open from the Internet and I want to close it cos it seems that the malware came via SSH.
Could I close it for external nic and open for the internal nic?
0
 
LVL 1

Author Comment

by:Bjarte Fjelland
ID: 41908971
I think the malware is gone, but how can I be sure?
I cant see any weird command names when running TOP.

But can see SSHD and mysqld is runnning occasionally.
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41909022
Always use a firewall to block unwanted ports and allow only trusted ones. ANY - ANY rule can be dangerous. Restrict access from outside to only trusted hosts if you need to.

Good to hear that the malware process is gone.

--Raghav.
0
 
LVL 30

Expert Comment

by:serialband
ID: 41909194
Since you're not that familiar with Linux, download and install a rootkit scanner.
http://www.chkrootkit.org/
http://rkhunter.sourceforge.net/

Are you using MySQL or SSH for anything?  If not you can turn it off.
service sshd stop
killall sshd
service mysql stop
service status all


If you need to use them, then you should block external sites and only allow specific internal IPs to access your system.
If you've installed ufw, then you can set it to only allow access to ssh port 22 on the local subnet.
If your local subnet is 10.1.1.0 to 10.1.1.255 then:
sudo ufw allow from 10.1.1.0/24 to any port 22
0
 
LVL 1

Author Closing Comment

by:Bjarte Fjelland
ID: 41909867
The link Raghav refers to remove the trojan on the Ubuntu 12.10 box, thanks !
I also see that I need to replace the box with newer Ubuntu version and put up a UFW or iptables.
I cant install any program on it for some reason unknown to me.

Thanks again Raghav!
0
 
LVL 7

Expert Comment

by:Raghav
ID: 41909893
You are most welcome.

--Raghav.
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
Suggested Courses
Course of the Month11 days, 10 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question