Rootkit? Malware? Nothing?



#1 spenca57
Posted 21 February 2018 - 03:51 PM

For a while now I have been dealing with some bizarre IPs in netstat -a queries, unusual processes that show up in Security Task Manager (ibtsiva.exe in the system32 dir to name one), and unusual files on my computer. In Security Task Manager, when I click on the text in file options to display the text in the files of the unusual processes, they often begin with the statement "this program cannot be run in DOS mode." I have dabbled in cyber security and ethical hacking before and know a bit about standard metasploit modules and things of that nature, and if I remember correctly a lot of metasploit modules have statements like that in them, DOS mode being Denial of Service as opposed to the exploit being used for intrusion. I have asked for help in other forums of this site for my Windows OS, but perhaps the most unusual files I have come across showed up after an rkhunter scan that showed suspicious file types in the /dev folder on my Ubuntu system. There are about 10 files and their names are all as follows:

/dev/shm/pulse-shm-<sequenceofrandomnumbers>

<sequenceofrandomnumbers> being a sequence of random numbers something like 1125874632178.

Furthermore, there was a warning saying that "The command 'user/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable"

Since on my Windows system I found a lot of unusual bitlocker files (I didn't install bitlocker on either of my systems) that were last modified sometime last year (long before I purchased the computer), I decided to do a grep -r "bitlocker". The results returned a lot of dirs in the /etc directory, for example:

etc/ssl/private

etc/cups/ssl

etc/cups/subscriptions.conf.O

etc/security/opasswd

etc/ufw/after.init

to name a few.

Interestingly, I decided to do a bit of REing of the bitlocker.exe I found on my Windows system, and the same "This program cannot be run in DOS mode" statement was near the entry point of the program. There were also a lot of abnormal strings in the file, some traditional Chinese characters and other random characters that appear to be a different language. I would post screenshots of the strings and oddities I discovered while REing; however, I am writing this from my Ubuntu system. I have included screenshots of the rkhunter scan and the grep -r "bitlocker" results.
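For readers triaging files like the ones described in this post, here is an added example (an editor's illustration, not code from the thread, from rkhunter or from Security Task Manager) that classifies a file by its magic bytes and, for an MZ/PE file, reads the DOS header, the DOS stub message and the COFF machine type. The text "This program cannot be run in DOS mode." is the standard DOS stub that Windows linkers place at the front of every PE executable, so its presence alone says nothing about whether a binary is malicious; what a defender wants is to check the header structure, architecture and section count against what the file claims to be. The sample PE image is constructed in memory for the demonstration, and the helper names (`build_sample_pe`, `inspect_pe`, `classify`, `inspect_file`) are the example's own.

```python
import struct
import sys

# Standard DOS stub text emitted by Windows linkers into the MZ header of a PE file
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."

# IMAGE_FILE_MACHINE values from the COFF header (subset)
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def build_sample_pe() -> bytes:
    """Constructed minimal PE image for the demo: MZ header, DOS stub, PE signature
    and a COFF header. It is not a runnable executable, only enough header bytes
    to exercise the parser offline."""
    e_lfanew = 0x80                       # offset of the "PE\0\0" signature
    dos_header = bytearray(0x40)          # IMAGE_DOS_HEADER is 64 bytes
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)   # e_lfanew field
    stub = DOS_STUB_TEXT + b"\r\n$"       # the stub's message, "$"-terminated
    image = bytes(dos_header) + stub
    image += b"\x00" * (e_lfanew - len(image))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    return image + b"PE\0\0" + coff


def classify(data: bytes) -> str:
    """Coarse file-type classification by magic bytes, the same distinction
    rkhunter draws when it reports a command 'replaced by a script'."""
    if data[:2] == b"MZ":
        return "PE/DOS executable"
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:2] == b"#!":
        interpreter = data[2:].split(b"\n", 1)[0].strip().decode(errors="replace")
        return f"script ({interpreter})"
    return "other"


def inspect_pe(data: bytes) -> dict:
    """Parse the MZ header, DOS stub and COFF header of a PE image.
    Returns a dict of findings; fields stay None when a part is absent or malformed."""
    info = {"is_mz": False, "is_pe": False, "dos_stub_message": None,
            "machine": None, "sections": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The DOS stub sits between the 64-byte DOS header and the PE signature
    stub = data[0x40:e_lfanew]
    if DOS_STUB_TEXT in stub:
        info["dos_stub_message"] = DOS_STUB_TEXT.decode()
    # Need signature (4 bytes) plus COFF header (20 bytes) to read the machine type
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    info["sections"] = nsections
    return info


def inspect_file(path: str) -> dict:
    """Read a file from disk and report its classification plus PE header findings."""
    with open(path, "rb") as fh:
        data = fh.read(4096)              # headers live in the first few KiB
    result = {"path": path, "type": classify(data)}
    if result["type"] == "PE/DOS executable":
        result.update(inspect_pe(data))
    return result


if __name__ == "__main__":
    # With no arguments, inspect the constructed sample; otherwise inspect the given paths
    if len(sys.argv) == 1:
        print(inspect_pe(build_sample_pe()))
    for p in sys.argv[1:]:
        print(inspect_file(p))
```

Run it as `python inspect_headers.py /path/to/file` on any file you are unsure about; an "MZ" file whose DOS stub message is present but whose PE signature is missing, or whose machine type does not match the platform, is worth a closer look, while a `#!` script in `/usr/bin` is simply a script and the question becomes whether the package that owns it shipped it that way.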


#2 boopme (Global Moderator)
Posted 22 February 2018 - 11:26 AM

Hello. We should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.