1. Forum
  2. DOVE-Net
  3. Unix

  • Ubuntu, Crypto Malware

    From Android8675@VERT to All on Tue Nov 15 07:51:24 2022
    Hey all, anyone have any experience with crypto infected Linux systems? My box that I use has mxrig running, and I've no idea how it got there, where it's hiding, or how to get it off my system. Speculating that it could be some rootkit bologna, and there's vague suggestions on the googles as to how to get it off my system without "nuking it from orbit".

    So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek? Drop me a note at andyob [at] gmail.com if you've had some experience. I got the thing backed up, so I'm ok with letting you pop-on and see if you can work some magic.

    Thanks in advance,
    -A @ shodanscore.com

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Android8675 on Tue Nov 15 11:51:14 2022
    Re: Ubuntu, Crypto Malware
    By: Android8675 to All on Tue Nov 15 2022 07:51 am

    Hey all, anyone have any experience with crypto infected Linux systems? My box that I use has mxrig running, and I've no idea how it got there, where it's hiding, or how to get it off my system. Speculating that it could be some rootkit bologna, and there's vague suggestions on the googles as to how to get it off my system without "nuking it from orbit".

    So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek? Drop me a note at andyob [at] gmail.com if you've had some experience. I got the thing backed up, so I'm ok with letting you pop-on and see if you can work some magic.

    I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixed GitLab version. During that 24 hours, a crypto miner (I forget the name) was installed and it was pretty obvious from the impact on CPU utilization. I found and killed the process manually and deleted the maliciously-installed files (in the /tmp dir, iirc). Tools like ps, top, netstat should help you find the culperate process(es) and get rid of them, but it is important that you find and remove (or update/patch) the software with the original vulnerability that was used to install the crypto miner in the first place.
    --
    digital man (rob)

    Rush quote #57:
    He picks up scraps of information, he's adept at adaptation .. Digital Man Norco, CA WX: 68.5øF, 21.0% humidity, 0 mph NE wind, 0.00 inches rain/24hrs
    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Android8675@VERT/REALITY to Digital Man on Wed Nov 30 08:27:07 2022
    Re: Ubuntu, Crypto Malware
    By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

    Re: Ubuntu, Crypto Malware
    By: Android8675 to All on Tue Nov 15 2022 07:51 am

    Hey all, anyone have any experience with crypto infected Linux systems?

    So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek?

    I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixe

    Is there a simple way to clean out the /tmp folder in Linux, for us phlebs? /var/log folder getting kindda rhobust too)

    So I could not for the life of me figure out where the exploit was on my system until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes. So I watched it fire up and the process information mentioned port 1812 somewhere, and I looked up port 1812 which has something to do with RADIUS authentication?

    So I blocked the port on the system and the malware hasn't started up since. I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so I'm OK just keeping that port blocked until I can figure out how/why it's happening.

    I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erronious ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).

    At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.
    --
    Android8675@realitycheckbbs.o r g

    ... Do you know what kind of game this is?

    ---
    þ Synchronet þ .: realitycheckbbs.org :: scientia potentia est :.
  • From Digital Man@VERT to Android8675 on Wed Nov 30 11:53:18 2022
    Re: Ubuntu, Crypto Malware
    By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

    Re: Ubuntu, Crypto Malware
    By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

    Re: Ubuntu, Crypto Malware
    By: Android8675 to All on Tue Nov 15 2022 07:51 am

    Hey all, anyone have any experience with crypto infected Linux systems?

    So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek?

    I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixe

    Is there a simple way to clean out the /tmp folder in Linux, for us phlebs?

    https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up

    /var/log folder getting kindda rhobust too)

    Most apps that log there should have configurable log rotation policies.

    So I could not for the life of me figure out where the exploit was on my system until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes.

    'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your system, then you start grepping for what restarts that process upon boot (if it is).
    --
    digital man (rob)

    Synchronet/BBS Terminology Definition #34:
    FTN = FidoNet Technology Network
    Norco, CA WX: 59.2øF, 68.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Android8675@VERT/SHODAN to Digital Man on Mon Dec 5 10:44:52 2022
    Re: Ubuntu, Crypto Malware
    By: Digital Man to Android8675 on Wed Nov 30 2022 11:53 am

    Re: Ubuntu, Crypto Malware
    By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

    Is there a simple way to clean out the /tmp folder in Linux, for us phlebs?

    https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up


    Thanks...

    /var/log folder getting kindda rhobust too)

    Most apps that log there should have configurable log rotation policies.


    Thanks again, will research...

    So I could not for the life of me figure out where the exploit was on my system until I watched the process

    'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your
    system, then you start grepping for what restarts that process upon boot (if it is).

    I'll need to practice this. I find it odd that port 1812 isn't open in my router, so maybe there is another system infected causing this? Probably those fucking wifi lightbulbs I installed last week or some bullshit.

    ha, thanks for your help DM.
    --
    Android8675@ShodansCore
    ---
    þ Synchronet þ Shodan's Core @ ShodansCore.com