
Linux Mint17 Infection


69 replies to this topic

#1 pcpunk
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 02:06 PM

I visited a site that had a poor web reputation by avast while in LMM17. When I went to shut down the laptop I could not do so and had to force a shutdown. At first I logged onto the website by accident, but after seeing that it was such a well informed site I thought I would be ok while in Linux. I was thinking maybe this reputation was old, as all the info there and the quality of the site was spot on.

I then went off-line and ran rkhunter and chkrootkit; one of them found an infection and both found "Threats" and something to do with Java.

Today I ran ClamTK and quarantined eight items, all of which were labeled as PUPs.

Can someone help with this as I have no clue what to do.

Laptop still works but start-up is a little different than before; the little swirling icon does not come up as it did before right away. Not much difference but noticeable to me.



Created by Mike_Walsh

 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 



#2 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 11,683 posts
  • Location:127.0.0.1 Australia

Posted 23 August 2014 - 04:52 PM


 

    I ran ClamTK and quarantined eight items, all of which were labeled as PUPs.

All browser related, I bet.

To clear the browser of any nonsense:

Close Firefox, then open the terminal and move the .mozilla/ folder to .mozilla.save/, then try the browser again.

mv .mozilla/ .mozilla.save/

The browser will look like a fresh install.

    "Threats" and something to do with Java.

Without more information there is no way to tell. I can't help you much here as I do not know enough about malware.

What do the logs show?

sudo nano /var/log/rkhunter.log

Are you dual booting? What folders/drives did you scan?

On a personal note, I bet it's a false positive.

PS

I saw your other post in the malware logs section but I can't reply there.

Edited by NickAu1, 23 August 2014 - 08:46 PM.


#3 cat1092
    Bleeping Cat
  • BC Advisor
  • 6,878 posts
  • Location:North Carolina, USA

Posted 23 August 2014 - 06:55 PM

I'd say these are false positives also, the remaining ones. Reason being, one has to give their root password to allow any infection to run. While it's not impossible for someone to write a script & do this remotely on Linux, it's a lot of trouble. One would have to be really out to get you, at all costs, to pull this off. Plus it would be quite expensive to do so, to pull a prank.

    Laptop still works but start-up is a little different than before, the little swirling icon does not come up as it did before right away.

Swirling icon on Linux Mint? These, I've only seen on Windows, and know that you dual boot with XP (or that XP is installed, don't know how often, or if, you run the OS).

If this is on XP, you may want to post in the "Am I Infected" section of the Security forum (after running a Full scan with your security, after updating). Did you click onto the same bad link on that OS, as you did on Mint?

Whatever link it is, you need to delete it from all of your OS's, before you do anything else.

Also, hard shutdowns are hard on most any OS. It's best to use the keyboard combo (Ctrl+Alt+Delete) to gain Task Manager access (Power down options on Linux Mint). From there, one of the tabs (I believe "Power" on Windows) has Restart & Shutdown tabs to safely shutdown or restart. If the keyboard combo doesn't work, on either OS, you have problems to address ASAP.

By trying this out to check for you (on Linux Mint), I inadvertently hit Shutdown, rather than Cancel; fortunately most of this post was auto saved.

So either print this, or write down these instructions for future use, as you don't want too many hard shutdowns. At best, this can cause file corruption; at worst, hardware failures. The system isn't designed for this. It's kind of like with a desktop PC, yanking the power cord from the wall socket. The computer requires proper shutdown. Only in a very serious emergency do you want to force a shutdown, like if there's an odd sound or burning smell coming from the computer.

You may wish to boot into your other OS, update your security & run a Full scan with whatever security software is installed (as noted above).

Good luck with this. :thumbup2:

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#4 sflatechguy
  • BC Advisor
  • 2,164 posts

Posted 23 August 2014 - 09:32 PM

Rootkits are pretty rare in Linux, so I'd also go with "false positive."
Do you have AppArmor or SELinux installed and running? Most distributions come with at least one installed by default. If so, it's almost definitely a false positive.
If you still feel there are issues, back up any user data you want to keep, wipe the Linux partition clean and reinstall Linux.

#5 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 11,683 posts
  • Location:127.0.0.1 Australia

Posted 23 August 2014 - 09:37 PM

 

    Do you have AppArmor or SELinux installed and running?

I would say AppArmor on Linux Mint.



#6 pcpunk
  • Topic Starter
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 10:06 PM

I was running Google Chrome; don't forget my signature, I know it's easy to do so lol. I have tried to keep it up to date for all that need it.

Yes, dual booting with XP Home. And I was told to scan "/home" with ClamTK.

Is it ok to post my logs HERE?

cat1092: Yes, there is a little swirling icon with my Linux Mint MATE upon startup and other functions. I did delete the link. I can remember the ctrl-alt-delete, thanks for the education, really! I need it.

I do not have AppArmor, but it is listed in the Menu after typing it in. It has a big PLUS by it suggesting to install, I guess. SHOULD I INSTALL IT? I will read up on it.

I will consider backing up and reinstalling after a little more investigation and maybe posting those logs or just the major offenders.

Thanks everyone for taking time out of your weekend to keep me safe.



 


#7 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 11,683 posts
  • Location:127.0.0.1 Australia

Posted 23 August 2014 - 10:08 PM

 

    Is it ok to post my logs HERE?

Yes please.



#8 pcpunk
  • Topic Starter
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 10:21 PM

NickAu1, this did not produce the logs: (sudo nano /var/log/rkhunter.log). It is supposed to be (/var/log/rikhunter.log) and I tried this also. What you told me to use did produce something and I will post it in a few minutes.

[Screenshot: Terminal]


Edited by pcpunk, 23 August 2014 - 10:24 PM.


 


#9 pcpunk
  • Topic Starter
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 10:27 PM

From "chkrootkit"  Infection (Suckit rootkit) Warning: /sbin/init  



 


#10 pcpunk
  • Topic Starter
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 10:31 PM

From ClamTK:  

/home/chris/.cache/google-chrome/Default/Cache/f_000c00      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_003b06      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_00413f      PUA.Script.Packed-2      
/home/chris/.cache/google-chrome/Default/Cache/f_0014d8      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_003695      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_00306b      PUA.JS.Xored             
/home/chris/.cache/google-chrome/Default/Cache/f_003ace      PUA.Phishing.Bank        
/home/chris/.cache/google-chrome/Default/Cache/f_00035e      PUA.JS.Xored       
 
On rkhunter perhaps I was supposed to use the commands on the bottom?

Edited by pcpunk, 23 August 2014 - 10:32 PM.

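The ClamTK listing posted above is the kind of output a responder has to triage quickly: what signatures fired, and do any of the hits sit outside a browser cache? The script below is an added example, not code from the thread or from ClamAV/ClamTK. It parses both the two-column layout ClamTK shows and clamscan's own "path: signature FOUND" layout (the clamscan sample and its "Example.Constructed.Dropper" signature are constructed for the demo), counts hits per signature, and reports whether every hit is confined to a browser cache directory, which is what makes "clear the browser profile" rather than "rebuild the OS" the proportionate response. The cache-directory markers and the PUA prefix test are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the eight ClamTK hits posted in the thread, in the
# "path  signature" layout ClamTK displays.
CLAMTK_REPORT = """\
/home/chris/.cache/google-chrome/Default/Cache/f_000c00      PUA.JS.Xored
/home/chris/.cache/google-chrome/Default/Cache/f_003b06      PUA.JS.Xored
/home/chris/.cache/google-chrome/Default/Cache/f_00413f      PUA.Script.Packed-2
/home/chris/.cache/google-chrome/Default/Cache/f_0014d8      PUA.JS.Xored
/home/chris/.cache/google-chrome/Default/Cache/f_003695      PUA.JS.Xored
/home/chris/.cache/google-chrome/Default/Cache/f_00306b      PUA.JS.Xored
/home/chris/.cache/google-chrome/Default/Cache/f_003ace      PUA.Phishing.Bank
/home/chris/.cache/google-chrome/Default/Cache/f_00035e      PUA.JS.Xored
"""

# Constructed sample in clamscan's own layout; the second hit and its
# signature name are invented to show a detection outside the cache.
CLAMSCAN_REPORT = """\
/home/chris/.cache/google-chrome/Default/Cache/f_000c00: PUA.JS.Xored FOUND
/home/chris/Downloads/setup.sh: Example.Constructed.Dropper FOUND
/usr/bin/ls: OK
----------- SCAN SUMMARY -----------
Infected files: 2
"""

# Paths under these markers hold content a browser fetched and cached.
# A detection confined to them is cleaned by clearing the cache or
# profile and says nothing about the OS itself.  (Assumed list.)
BROWSER_CACHE_MARKERS = (
    "/.cache/google-chrome/", "/.cache/chromium/",
    "/.cache/mozilla/", "/.mozilla/firefox/",
)

# Accepts "path<2+ spaces>signature" (ClamTK) and "path: signature FOUND" (clamscan).
HIT_RE = re.compile(r"^(?P<path>/.+?)(?::\s+|\s{2,})(?P<sig>[\w.\-]+)(?:\s+FOUND)?\s*$")


def parse_report(text):
    """Return [(path, signature), ...] for each detection line.
    'OK' lines and the scan summary are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.rstrip())
        if m and m.group("sig") != "OK":
            hits.append((m.group("path"), m.group("sig")))
    return hits


def in_browser_cache(path):
    return any(marker in path for marker in BROWSER_CACHE_MARKERS)


def triage(hits):
    """Summarise parsed hits: per-signature counts, whether every hit is a
    PUA signature, whether every hit sits in a browser cache, and the
    paths that do not."""
    by_signature = Counter(sig for _, sig in hits)
    pua_only = bool(hits) and all(sig.startswith("PUA.") for _, sig in hits)
    outside_cache = [p for p, _ in hits if not in_browser_cache(p)]
    cache_only = bool(hits) and not outside_cache
    if not hits:
        verdict = "no detections"
    elif cache_only:
        verdict = "all hits in browser cache: clear the cache/profile; no OS remediation indicated"
    else:
        verdict = "hits outside browser cache: inspect the listed paths before deciding"
    return {
        "count": len(hits),
        "by_signature": dict(by_signature),
        "pua_only": pua_only,
        "cache_only": cache_only,
        "outside_cache": outside_cache,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, report in (("ClamTK", CLAMTK_REPORT), ("clamscan", CLAMSCAN_REPORT)):
        summary = triage(parse_report(report))
        print(f"{name}: {summary['count']} hit(s), {summary['verdict']}")
        for sig, n in sorted(summary["by_signature"].items()):
            print(f"  {n:2d} x {sig}")
        for p in summary["outside_cache"]:
            print(f"  outside cache: {p}")
```

Run against the thread's listing it reports eight hits, all PUA-class and all under the Chrome cache, which lines up with the advice to treat them as browser debris; the constructed clamscan sample shows how a single hit outside the cache flips the verdict to "inspect first".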

 


#11 sflatechguy
  • BC Advisor
  • 2,164 posts

Posted 23 August 2014 - 10:35 PM

Suckit is, unfortunately, a real Linux rootkit. Your only option is to wipe the Mint partition, reformat the partition and reinstall Mint. Make sure AppArmor is installed and running when you reinstall.

#12 NickAu
    Bleepin' Fish Doctor
  • Moderator
  • 11,683 posts
  • Location:127.0.0.1 Australia

Posted 23 August 2014 - 10:39 PM

Read this.

Suckit Rootkit detected?

Read post 4 by balaknair:

    If your box really is infected and a rootkit is among the 'trusted' packages in the repos, it merits a closer look, and the Ubuntu repo package maintainers ought to be notified.

    Edit: Noob's guide

    - Change directories to /sbin and execute an "ls -l init" -- the link count should be 1. Create a hard link to init using ln, and then execute the "ls -l init" again. If the link count is still 1, the SK rootkit is installed.

    To do this, in a terminal type in
    Code:
        cd /sbin
        ls -l init
    you ought to get an output like
        -rwxr-xr-x 1 root root 125704 2010-08-13 04:40 init
    The one (I've highlighted it in red here) is the count you want

    Now
    Code:
        sudo mkdir /sbin/test
        sudo ln init /sbin/test/init
        ls -l init
    The output should now look something like
        -rwxr-xr-x 2 root root 125704 2010-08-13 04:40 init

    If you still get a count of one, that means something in the background is hiding stuff - possibly a rootkit.

Edited by NickAu1, 23 August 2014 - 10:49 PM.
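The hard-link count test in the quoted guide, wrapped as a reusable shell function. This is an added example, not part of the thread or of balaknair's post, and the function and variable names are this example's own. The idea is the same: a hard link must raise the link count the kernel reports for a file by exactly one and the count must drop back when the link is removed; a count that never moves is the anomaly the guide describes. The function takes any file and a scratch directory on the same file system, so it can be exercised safely on a temporary file before being pointed at a system binary, and it distinguishes a setup failure (missing file, link across file systems) from a genuinely inconsistent count.

```shell
#!/bin/sh
# Added example: the hard-link consistency check from the quoted guide,
# generalised to an arbitrary file and scratch directory.

# link_count FILE: print the hard-link count column of `ls -l`.
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# hardlink_check FILE SCRATCHDIR
# Exit status 0: counts consistent; 1: the count did not track the probe
# link (the guide's warning sign); 2: the probe could not be set up at
# all (missing file, unwritable scratch dir, scratch dir on another
# file system), which is a setup problem and not evidence of hiding.
hardlink_check() {
    file=$1
    scratch=$2
    probe="$scratch/hardlink_probe.$$"

    [ -e "$file" ] || { echo "no such file: $file" >&2; return 2; }
    mkdir -p "$scratch" || return 2
    before=$(link_count "$file")
    case $before in
        ''|*[!0-9]*) echo "could not read link count for $file" >&2; return 2 ;;
    esac

    # Hard links cannot cross file systems, so failure here means the
    # scratch directory is on a different one.
    ln "$file" "$probe" || return 2
    during=$(link_count "$file")
    rm -f "$probe"
    after=$(link_count "$file")

    # String comparison so an empty or non-numeric reading also fails.
    if [ "$during" != "$((before + 1))" ] || [ "$after" != "$before" ]; then
        echo "link count for $file did not track the probe: $before -> $during -> $after" >&2
        return 1
    fi
    echo "link count for $file consistent: $before -> $during -> $after"
    return 0
}

# Stand-alone demo on a constructed file in a temporary directory.  To
# mirror the guide, run as root against /sbin/init with a scratch
# directory on the root file system; on distributions where /sbin/init
# is a symlink, test the target from `readlink -f /sbin/init` instead.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'constructed probe file\n' > "$tmp/init"
    hardlink_check "$tmp/init" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

A consistent count is a weak negative signal, not a clean bill of health: it only shows that this one metadata path is not being filtered. Corroborate a chkrootkit warning on /sbin/init by verifying the file against the distribution's package checksums from a known-clean boot medium before deciding between "false positive" and "reinstall".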


#13 pcpunk
  • Topic Starter
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 10:43 PM

Ok guys, I will take a look at all that.

NickAu1, I guess the command did produce the whole log but I cannot access it all via the scroll, or perhaps there is an option to copy in the toolbar? I tried ctrl-A.



 


#14 sflatechguy
  • BC Advisor
  • 2,164 posts

Posted 23 August 2014 - 10:47 PM

So we're back to not knowing for sure if it's a rootkit. Pity.

Run the tests and commands provided in NickAu1's link. That should provide some answers.

Again, if it is a rootkit, you'll need to remove the partition, reformat it and reinstall. If it's a false positive, I'd still install AppArmor if it's not already installed.



#15 pcpunk
  • Topic Starter
  • Members
  • 5,265 posts
  • Location:Florida

Posted 23 August 2014 - 10:48 PM

Oh boy, this is a lot of info for me lol. Getting tired.



 




