Possible backdoor in Linux Mint?


20 replies to this topic

#1 auto1571
  • Members
  • 295 posts

Posted 10 October 2016 - 10:33 AM

Hi, I recently did several scans on my Linux system. One of the things that concerned me was that chkrootkit discovered a possible Windigo installation, which I understand is a backdoor. The reason for my concern is that the other night I was on a chat which, I didn't realise until later, used P2P feeds, and lots of people have been known to try and hack people on that chat. However, when I was on it I had the firewall enabled and was using PureVPN.

I checked for vulnerable ports to see if they were open and they were not, unless I'm mistaken. I am wondering if the only possible way the Windigo could have got installed would be by knowing an IP and then exploiting a vulnerable port, unless of course it was a false positive.

I have asked on other sites but they weren't able to really answer these questions.

Thanks.





#2 Gary R (MRU Admin)
  • Malware Response Team
  • 731 posts

Posted 10 October 2016 - 11:32 AM

What exactly did chkrootkit flag as being an indication of Windigo?

If it is a file (and if you are truly infected then there should be infection files present) then check it out by scanning it at VirusTotal ... https://www.virustotal.com/ ... as far as I'm aware most executable file types can be scanned.

If it is a heuristic detection then it is more than likely a false positive. Heuristic detections are based on analysing file/process behaviour, and are not as reliable as the AV companies would have you believe they are.



#3 auto1571 (Topic Starter)
  • Members
  • 295 posts

Posted 10 October 2016 - 11:51 AM


Well, here are the results from the chkrootkit log:

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/lib/modules/4.4.0-21-generic/vdso/.build-id
/usr/lib/debug/.build-id

Searching for Linux/Ebury - Operation Windigo ssh...        Possible Linux/Ebury - Operation Windigo installetd

wlp4s0: PACKET SNIFFER(/sbin/wpa_supplicant[1310], /sbin/wpa_supplicant[1310], /sbin/dhclient[1355])
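
The "Possible Linux/Ebury - Operation Windigo installetd" line is the one worth unpicking before reinstalling anything. What follows is an added example written for this edit; it is not chkrootkit's own code and not part of the thread. It assumes, as I recall the chkrootkit releases of that period, that the Ebury test ran `ssh -G` and reported infection whenever the output did not complain about an illegal or unknown option (Ebury's trojaned ssh accepted -G), and that OpenSSH 6.8 and later added a legitimate -G flag, so a clean 2016 Mint with OpenSSH 7.2 trips the test. It also assumes ESET's published Ebury indicator of an abstract UNIX socket named @/proc/udevd. All sample outputs are constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread, not chkrootkit's code): reproduce the
# two Linux/Ebury indicators behind chkrootkit's "Possible Linux/Ebury -
# Operation Windigo" line and decide whether the hit deserves follow-up.
# Assumptions: the old chkrootkit test ran `ssh -G` and treated the ABSENCE
# of "illegal option"/"unknown option" as infection; OpenSSH >= 6.8 has a
# real -G flag, so that test fires on every modern clean host. The abstract
# socket name "@/proc/udevd" is ESET's published Ebury indicator.

# Apply the old heuristic to captured `ssh -G 2>&1` output.
ebury_ssh_g_verdict() {
    if printf '%s\n' "$1" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo heuristic-clean
    else
        echo heuristic-flagged
    fi
}

# Decide what "heuristic-flagged" means, given `ssh -V 2>&1` output:
# OpenSSH >= 6.8 explains the hit by itself ("fp-likely"); anything older
# accepted a flag it should not know ("investigate").
ebury_ssh_g_interpret() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    set -- $ver
    major=${1:-0}; minor=${2:-0}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo fp-likely
    else
        echo investigate
    fi
}

# Look for Ebury's abstract socket in `ss -xlp` (or `netstat -nap`) output.
ebury_socket_verdict() {
    if printf '%s\n' "$1" | grep -q '@/proc/udevd'; then
        echo udevd-socket
    else
        echo no-udevd-socket
    fi
}

# Constructed sample outputs (not captured from any real machine).
SAMPLE_SSH_G_OLD='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SSH_G_NEW='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /run/user/1000/bus 21000 * 0
u_str LISTEN 0      5      @/tmp/dbus-Wq3mJ2 21001 * 0'

# Live triage of the current host; skipped quietly where ssh/ss are absent.
live_ebury_triage() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed, nothing to check"; return 0; }
    g_out=$(ssh -G 2>&1) || true
    echo "ssh -G heuristic: $(ebury_ssh_g_verdict "$g_out")"
    echo "interpretation:   $(ebury_ssh_g_interpret "$(ssh -V 2>&1)")"
    if command -v ss >/dev/null 2>&1; then
        echo "abstract socket:  $(ebury_socket_verdict "$(ss -xlp 2>/dev/null)")"
    fi
}

live_ebury_triage
```

On the suspect machine, "heuristic-flagged" paired with "fp-likely" and "no-udevd-socket" is the known false positive on a Mint of that vintage (OpenSSH 7.2); "udevd-socket" or "investigate" would justify the reinstall the thread ends up doing. Verifying that the packaged sshd and libkeyutils are unmodified (for example with debsums, where installed) is the natural next step and is not automated here.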



#4 Al1000
  • Global Moderator
  • 7,174 posts
  • Location: Scotland

Posted 10 October 2016 - 12:11 PM

Do you need more detailed advice on how to upload the files to VirusTotal?

Also, which operating system are you using?

Edited by Al1000, 10 October 2016 - 12:12 PM.


#5 auto1571 (Topic Starter)
  • Members
  • 295 posts

Posted 10 October 2016 - 12:15 PM


Yes please. I am not sure what files I am supposed to upload to virus total. Also this is Linux mint.



#6 Al1000
  • Global Moderator
  • 7,174 posts
  • Location: Scotland

Posted 10 October 2016 - 12:51 PM

No problem. The files you want to upload are these four:
/usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/lib/modules/4.4.0-21-generic/vdso/.build-id
You upload the files one at a time.

I'm not on Mint just now, but try this first:
  • Click on the link to VirusTotal that Gary posted above.
  • On VirusTotal homepage, click on Choose File
  • In the window that opens, if there is a "Location" box at the top, simply copy and paste the first file as I have listed it above, into the box, then click on "Open"
  • Wait for the file to be scanned, then repeat the process for the other files
If there is no "location box" in the window that opens when you press "Choose File," click on "file system" under "places," then navigate to the files, one at a time.

Please let me know if you need more detailed advice on how to navigate to the files, but I suspect there will probably be a "Location bar" in Mint, so you can just copy and paste the files as I have listed them.

Edited by Al1000, 10 October 2016 - 12:53 PM.
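
Before uploading, it helps to know what those four paths actually are. The script below is an added example written for this edit (mine, not Al1000's instructions and not any tool's code). It triages each reported path locally: its type, which package owns it, and a SHA-256 that can be looked up on VirusTotal without the file leaving the machine. It assumes a Debian-packaged system such as Mint, so that `dpkg -S` can name the owning package, and that `sha256sum` is available. Two of the four entries, the .build-id ones, are normally directories, which VirusTotal cannot scan at all; chkrootkit lists all four simply because their names begin with a dot.

```shell
#!/bin/sh
# Added example, not from the thread: triage the paths chkrootkit listed
# before deciding what (if anything) to upload. VirusTotal accepts regular
# files, not directories, and a hash lookup is enough when the file is a
# known distribution file. Assumptions: Debian packaging (dpkg -S names the
# owner) and sha256sum on PATH.

# Print "<path> <kind> <owner> <sha256>" for one path. kind is
# file/dir/other/missing; owner is the owning package, "unowned", or
# "unknown" when dpkg is absent; the hash is "-" unless kind is file.
triage_path() {
    p=$1
    if [ -d "$p" ]; then kind=dir
    elif [ -f "$p" ]; then kind=file
    elif [ -e "$p" ]; then kind=other
    else echo "$p missing - -"; return 0
    fi

    owner=unknown
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg[:arch]: /path"; keep the package name only.
        owner=$(dpkg -S "$p" 2>/dev/null | sed 's/:.*//' | head -n 1)
        [ -n "$owner" ] || owner=unowned
    fi

    sum=-
    if [ "$kind" = file ]; then
        sum=$(sha256sum "$p" | cut -d' ' -f1)
    fi
    echo "$p $kind $owner $sum"
}

# The entries exactly as chkrootkit printed them in the thread.
CHKROOTKIT_HITS='/usr/lib/jvm/.java-1.8.0-openjdk-amd64.jinfo
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/lib/modules/4.4.0-21-generic/vdso/.build-id'

# Triage every reported path.
triage_hits() {
    printf '%s\n' "$CHKROOTKIT_HITS" | while IFS= read -r p; do
        [ -n "$p" ] && triage_path "$p"
    done
}

# Only regular files can be submitted; print those with their hashes so the
# hash can be searched on VirusTotal before the file itself is uploaded.
uploadable_hits() {
    triage_hits | awk '$2 == "file" { print $1, $4 }'
}

triage_hits
```

A path that dpkg attributes to an installed package, with a hash VirusTotal already knows, needs no upload. An "unowned" regular file under /usr/lib or /lib is the case that deserves a closer look, and that is the one to submit.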


#7 auto1571 (Topic Starter)
  • Members
  • 295 posts

Posted 10 October 2016 - 01:47 PM

Hi, at the time of writing I was attempting to re-install the system. I thought I had aborted the whole re-installation process, but I obviously hadn't, as the system won't boot up at all now. So I am thinking I should just continue with the re-installation?

Edited by Al1000, 10 October 2016 - 01:57 PM: removed quoted post.


#8 Al1000
  • Global Moderator
  • 7,174 posts
  • Location: Scotland

Posted 10 October 2016 - 02:00 PM

Yes, that would be the best thing to do at this stage.

(Please don't quote posts unless it is necessary to do so. It wastes space and makes threads longer, and it is rarely necessary to quote an entire post for the purpose of responding to it. I have edited your post to remove my post that you quoted in its entirety.)

#9 auto1571 (Topic Starter)
  • Members
  • 295 posts

Posted 10 October 2016 - 02:19 PM

Thanks for your reply. However, are you able to answer the concerns about "Possible Linux/Ebury - Operation Windigo installetd"? An attacker can't infect you through just knowing your IP and then looking for vulnerable ports, can they?

 

The only vulnerable ports I know of are the Samba ports and they were both closed on my vpn ip and my real ip. Plus I had a firewall set to reject all incoming traffic. The port checkers I used were http://www.canyouseeme.org/ and http://www.yougetsignal.com/tools/open-ports/



#10 Al1000
  • Global Moderator
  • 7,174 posts
  • Location: Scotland

Posted 10 October 2016 - 03:41 PM

You would be better to ask this question in the General Security forum. That's where the security experts on Bleeping Computer will see it, and will be able to give you a much more informative answer than you are likely to receive here.

On a practical level however, you can be sure that Mint is clean if you reinstall it. :)

#11 Gary R (MRU Admin)
  • Malware Response Team
  • 731 posts

Posted 10 October 2016 - 04:37 PM

Sorry to be late getting back to you on this.

 

Firstly if you're reinstalling Linux, then that will get rid of any infection you might have.

 

Secondly, in answer to your question about vulnerable ports ....

 

If you have a firewall enabled, then all your ports will be protected against probing by external agencies. By default a firewall will only open a port when the "conversation" is instigated by you, any attempts to instigate communications from outside will be blocked, and even queries will be stonewalled.

 

By default Mint comes with a firewall which needs to be switched on, see ... https://help.ubuntu.com/community/UFW ... (I know the instructions are for Ubuntu, but Mint is an Ubuntu derivative, so the same firewall is installed on both).

 

To summarise: open a terminal in Linux and type sudo ufw enable to switch on your firewall. You will be prompted to enter your password, so enter it to complete the process.


Edited by Gary R, 10 October 2016 - 04:41 PM.


#12 auto1571 (Topic Starter)
  • Members
  • 295 posts

Posted 10 October 2016 - 04:42 PM

Hi Gary,

 

I was using PureVPN via OpenVPN too. Does that mean I would still be protected against attackers? I mean configuring a vpn through openvpn wouldn't enable the port ssh 22 would it?



#13 Gary R (MRU Admin)
  • Malware Response Team
  • 731 posts

Posted 10 October 2016 - 04:54 PM

A VPN really just relays your communications via a 3rd party server, so I can't see any particular reason why a port would be open unless you were using it at the time.

 

All ports are vulnerable when they're open, which is why you have an anti-virus. The anti-virus monitors the data passing through the port and flags any that matches any of the "signatures" it has.

 

With Linux the number of real world infections you're likely to come across is fairly small, so the need for an anti-virus is debatable. Many people content themselves with having a good backup and recovery regime, and on the rare occasions that they may get infected, they do what you've done and re-install (and then recover to their last clean backup).

 

Personally I use Aptik and Timeshift as part of my backup/recovery regime, and using them I can get my system back up and running in no time at all.

 

http://www.teejeetech.in/2016/04/aptik-v1641.html

http://www.teejeetech.in/p/timeshift.html


Edited by Gary R, 10 October 2016 - 04:59 PM.
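
Posts #9 to #13 circle around two questions: whether knowing an IP and scanning ports is enough to get in, and whether OpenVPN quietly opens port 22. Both are best answered on the host itself rather than with a web port checker: list what is actually listening on a non-loopback address, and read the firewall's default inbound policy. The script below is an added example written for this edit, not from the thread and not ufw's or iproute2's own code. It assumes `ss` (iproute2) and ufw as shipped on Mint/Ubuntu; the sample outputs it parses are constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: answer "could someone reach me just by
# knowing my IP?" from the host itself. A port is exposed only if a process
# listens on a non-loopback address AND the firewall admits unsolicited
# inbound traffic to it. Assumptions: `ss` and ufw present (Mint/Ubuntu);
# the SAMPLE_* text below is constructed for the example.

# From `ss -tuln` output, print "proto local-address:port" for every socket
# bound to something other than loopback. The header is skipped because its
# first field is "Netid", not tcp/udp.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" || $1 == "udp" {
            addr = $5
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            print $1, addr
        }'
}

# From `ufw status verbose` output, print the default inbound policy
# (deny/allow/reject) or "inactive" when the firewall is switched off.
ufw_inbound_policy() {
    printf '%s\n' "$1" | awk '
        /^Status: inactive/ { print "inactive"; exit }
        /^Default:/ {
            sub(/^Default: */, "")
            split($0, parts, ",")
            split(parts[1], words, " ")
            print words[1]
            exit
        }'
}

# The policy Gary describes, made explicit; needs root. `--force` skips the
# interactive confirmation so this is safe to call from a script.
harden_ufw() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw --force enable
    ufw status verbose
}

# Constructed samples: CUPS on loopback only, sshd on all addresses, mDNS on
# all IPv6 addresses; ufw active with default deny inbound.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128            [::1]:631          [::]:*
udp   UNCONN 0      0               [::]:5353          [::]:*'
SAMPLE_UFW='Status: active

Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Live report for this host. `ufw status` needs root; when it cannot be read
# the policy is reported as unknown rather than guessed.
if command -v ss >/dev/null 2>&1; then
    echo "Listeners reachable from outside this host:"
    exposed_listeners "$(ss -tuln 2>/dev/null)"
    policy=$(ufw_inbound_policy "$(ufw status verbose 2>/dev/null)")
    echo "ufw inbound policy: ${policy:-unknown (run as root)}"
fi
```

On the constructed sample only sshd on 0.0.0.0:22 and mDNS on [::]:5353 are reachable from the network, and a default-deny inbound ufw still blocks unsolicited packets to both unless a rule allows them. OpenVPN's tunnel interface carries outbound traffic and starts no listener of its own, so port 22 only shows up if openssh-server is installed and running; `sudo ss -tulnp` adds the owning process name to each line.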


#14 auto1571 (Topic Starter)
  • Members
  • 295 posts

Posted 10 October 2016 - 05:09 PM

I think I might be overthinking and getting paranoid lol. Well I guess it's servers that are more vulnerable then.

 

Anyway slightly off topic but I recently discovered Qubes which seems an interesting distro.



#15 Gary R (MRU Admin)
  • Malware Response Team
  • 731 posts

Posted 10 October 2016 - 06:20 PM

Not really, you had an infection, and naturally you wanted to know what the likelihood was of catching another. Like I said, Linux infections are comparatively uncommon, but they do exist.

 

You could of course "tie down" your browser a bit, and that will further reduce your chances of getting infected again. If you're using Firefox then there's a number of useful security add-ons I can recommend, and if you're using another browser then let me know which, and if I'm able to then I'll make similar recommendations for that.





