
Can a Linux user get help with infection here?


18 replies to this topic

#1 The Uprightman

The Uprightman

  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 23 June 2015 - 09:37 PM

Hi all,

I think that I have a compromised Linux OS (Ubuntu 14.04) and was wondering if I would be able to find any assistance with that here?

I am new to Linux and do not know where to find or how to produce the information that you would want to look at so would need some direction with that please.

Thanks for any assistance or clarification that can be provided.

Some basic information that resulted in me posting here.......

I purchased a premium membership with the file hosting site "Fileboom".

Within a matter of days my credit card had been cancelled by my financial institution due to attempted fraudulent activity.

By this stage I had downloaded 6 files (all or some potentially housing a payload) and whilst I had taken care to restrict the privileges to read only for the owner and none for anyone else - the following day I noticed that the permissions for those files had been changed.

A few days later, I was unable to close a text document that I had open as I was advised that the location of it could not be found. (Not sure if related, but odd.)

Finally, a few days later and I am not able to access the internet, despite my router advising me that I am connected and everything is as it should be.

Resetting the router to default factory settings did not resolve the issue.

Connected the router to another pc and found that it connects fine to the internet.

Attempted to transfer files from compromised pc to clean pc via USB stick - seemed to copy the file from compromised pc to USB very quickly - connected USB to clean pc to transfer 100 Mb file and found that the file was now only 23 Mb. Attempted the same with different files - same result.

What information, system logs etc can I provide that would be helpful to someone to look at whilst I am waiting for some assistance please?


Edited by The Uprightman, 23 June 2015 - 11:52 PM.
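The thread never gets to what the original poster could actually have produced as evidence of the permission changes he describes. The script below is an added example, not code from any poster in this thread: it records the permission mode, size and SHA-256 of every file under a directory into a baseline, then re-checks that baseline later and reports each file whose mode or content changed or which went missing, so an observation like "the permissions were changed overnight" becomes a concrete diff that a helper can look at. It assumes GNU coreutils (`stat -c`, `sha256sum`) as shipped with Ubuntu 14.04 and Mint. The usual caveat applies and matches what the replies say: on a host that is really backdoored, `stat` and `sha256sum` themselves cannot be trusted, which is why a baseline like this is most useful when taken and checked from a known-clean system or live medium, and why reinstalling remains the recommended answer.

```shell
#!/bin/sh
# Added example, not from the thread: take a baseline of every file under a
# directory (permission mode, size, SHA-256) and re-check it later, so that an
# unexpected change to read-only downloads is reported as a concrete diff.
# Assumes GNU coreutils (stat -c, sha256sum), as shipped with Ubuntu/Mint.

# snapshot_dir DIR BASELINE  -> writes one "mode size sha256 path" line per file
snapshot_dir() {
    dir=$1; out=$2
    : > "$out"
    # -type f skips directories; sort keeps the baseline stable between runs
    find "$dir" -type f | sort | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        size=$(stat -c '%s' "$f")
        sum=$(sha256sum "$f" | cut -d ' ' -f 1)
        printf '%s %s %s %s\n' "$mode" "$size" "$sum" "$f" >> "$out"
    done
}

# check_baseline BASELINE -> prints one line per changed or missing file;
# returns 0 when everything still matches the baseline, 1 otherwise
check_baseline() {
    base=$1; changed=0
    while read -r mode size sum f; do
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"; changed=1; continue
        fi
        if [ "$(stat -c '%a' "$f")" != "$mode" ]; then
            printf 'MODE %s %s -> %s\n' "$f" "$mode" "$(stat -c '%a' "$f")"; changed=1
        fi
        if [ "$(stat -c '%s' "$f")" != "$size" ] || \
           [ "$(sha256sum "$f" | cut -d ' ' -f 1)" != "$sum" ]; then
            printf 'CONTENT %s\n' "$f"; changed=1
        fi
    done < "$base"
    return "$changed"
}

# Stand-alone demo on a constructed directory: run the script with --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf 'not really video\n' > "$demo/clip.avi"      # constructed sample file
    chmod 400 "$demo/clip.avi"                            # owner read-only, as the OP did
    snapshot_dir "$demo" "$demo.baseline"
    chmod 644 "$demo/clip.avi"                            # simulate the change the OP noticed
    check_baseline "$demo.baseline" || echo "baseline mismatch detected"
    rm -rf "$demo" "$demo.baseline"
fi
```

Run it once right after downloading (`snapshot_dir ~/Downloads ~/downloads.baseline`) and again the next day (`check_baseline ~/downloads.baseline`); a non-zero exit with `MODE` lines is exactly the symptom described in the first post, in a form that can be pasted into a reply.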



#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 23 June 2015 - 11:55 PM

Repairing a compromised Linux machine is extremely difficult at best. (I may be understating it here)

 

All of your problems could be related to simple poor choices... giving your CC to the wrong people, not enabling your firewall, downloading code from non-trusted sources, not updating your software etc.

 

Or it could be that you have some serious system corruption issues causing everything to malfunction.

 

If your files have permissions changing on executable files that you have downloaded, that also contain payloads (how did you establish this??), without being changed by you or an application on your system... that is bad news. Even in a Windows situation it would be advisable to re-install your operating system, as a backdoored machine can never be trusted again.


Edited by TsVk!, 24 June 2015 - 12:22 AM.


#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,751 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 24 June 2015 - 12:15 AM

After the Malware team gives you the all clear, please pop into the Linux section and we can guide you in setting up Ubuntu if you like.



#4 The Uprightman

The Uprightman
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 24 June 2015 - 12:26 AM

Thanks Bleeperizer & NickAu.

I will do as you suggest but as part of my Linux learning I am going to try a few different distros and desktops to see which one I like the most. Ubuntu with the Gnome desktop is the only one I have tried so far - it seems to be very user-friendly - easy to use.

If I get the all clear from the Malware Team I will most likely install openSuSe and give the KDE desktop a go.

Thanks again



#5 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 24 June 2015 - 12:27 AM

After the Malware team gives you the all clear, please pop into the Linux section and we can guide you in setting up Ubuntu if you like.

Assuming the changing permissions on payload files is correct, I know of no way to give a machine the all clear in this situation...

 

But having great helpers (in the Linux section here) help you set up your machine properly can avoid this type of pain again.



#6 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 24 June 2015 - 12:28 AM

Try Mint with Cinnamon desktop... very nice beginner's Linux.



#7 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,751 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 24 June 2015 - 12:36 AM

Have you still got the files by any chance?



#8 The Uprightman

The Uprightman
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 24 June 2015 - 12:38 AM

Okay, thanks Bleeperizer - one other thing that I forgot to mention was that at one point - when starting my pc, I briefly noticed a black screen that asked for "root login" credentials prior to the regular login screen appearing. I only noticed this happening once but it was enough to raise the alarm for me.

 

Seems like the simplest solution here would be to simply rip the compromised HD out, replace it with a new one and re-install the OS.

Thanks again for taking the time to have a look at my problem.



#9 The Uprightman

The Uprightman
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 24 June 2015 - 12:41 AM

Sorry NickAu - I deleted them after I noticed the permissions had been changed on them. I now understand that by that stage it's probably too late and would have little or no effect on the infection going about its job :(

 

 

@Bleeperizer : I have downloaded the ISO for openSUSE but upon reading about Linux Mint I might just take you up on your suggestion.


Edited by The Uprightman, 24 June 2015 - 12:45 AM.


#10 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,751 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 24 June 2015 - 12:50 AM

I would stick with 'Buntu-based distros, i.e. Ubuntu, Mint, Zorin etc.

 

 

Seems like the simplest solution here would be to simply rip the compromised HD out, replace it with a new one and re-install the OS

There is no need to do that; a format will be fine.

 

PS.

 

What type of files were they? EXE ( Windows Software ), Movie, Photos?


Edited by NickAu, 24 June 2015 - 01:00 AM.


#11 The Uprightman

The Uprightman
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 24 June 2015 - 01:23 AM

Hi Nick,

 

 

What type of files were they? EXE ( Windows Software ), Movie, Photos?

 

The files were a mix of avi, mp4 and wmv containers - all audio & video - no exe files that I could see, however, they did have that old trick of using "html" on the end......

 

 

There is no need to do that; a format will be fine.

 

Spoke to a local tech on the phone who also suggested the same as you have (i.e. a low-level format should be enough).

 

 

I would stick with 'Buntu-based distros, i.e. Ubuntu, Mint, Zorin etc.

 

Sold!..... I will delete the openSuSe ISO and download Mint.

 

 

 

Thanks for your assistance and advice Nick


Edited by The Uprightman, 24 June 2015 - 01:24 AM.


#12 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,751 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 24 June 2015 - 01:35 AM

Please start a new post in the Linux section so we can assist you with the new Linux Mint install.



#13 The Uprightman

The Uprightman
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 24 June 2015 - 01:37 AM

 

 

Please start a new post in the Linux section so we can assist you with the new Linux Mint install.

 

Will do Nick.



#14 pcpunk

pcpunk

  • Members
  • 5,282 posts
  • Gender:Male
  • Location:Florida

Posted 24 June 2015 - 01:39 AM

Look forward to seeing you on the Linux/Dark Side Forum. Some of the guys here are running Kubuntu which would be nice for your pc. Some are also running Mint versions which I like a lot; I'm running the KDE version. Nothing wrong with the Ubuntu 14.04 though, so if you like that one stick with it!

 

I always download stuff to Downloads then scan it with ClamAV.




#15 The Uprightman

The Uprightman
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:The Land of Oz (aka Australia)

Posted 24 June 2015 - 02:03 AM

 

 

Look forward to seeing you on the Linux/Dark Side Forum. Some of the guys here are running Kubuntu which would be nice for your pc. Some are also running Mint versions which I like a lot; I'm running the KDE version. Nothing wrong with the Ubuntu 14.04 though, so if you like that one stick with it!

 

Cheers Pcpunk !





