For a while now I have been dealing with some bizarre IPs in netstat -a queries, unusual processes that show up in Security Task Manager (ibtsiva.exe in the system32 dir to name one), and unusual files on my computer. In Security Task Manager, when I click on the text in file options to display the text in the files of the unusual processes, they often begin with the statement "this program cannot be run in DOS mode." I have dabbled in cyber security and ethical hacking before and know a bit about standard metasploit modules and things of that nature, and if I remember correctly a lot of metasploit modules have statements like that in them, DOS mode being Denial of Service as opposed to the exploit being used for intrusion. I have asked for help in other forums of this blog for my Windows OS, but perhaps the most unusual files I have come across showed up after an rkhunter scan that showed suspicious file types in the /dev folder on my Ubuntu system. There are about 10 files and the names of them are all as follows:
<sequenceofrandomnumbers> being a sequence of random numbers something like 1125874632178.
Furthermore, there was a warning saying that "The command 'user/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable"
Since on my Windows system I found a lot of unusual bitlocker files (I didn't install bitlocker on either of my systems) that were last modified sometime last year (long before I purchased the computer), I decided to do a grep -r "bitlocker". The results returned a lot of dirs in the /etc directory, for example:
to name a few.
Interestingly, I decided to do a bit of REing of the bitlocker.exe I found on my Windows system, and the same "This program cannot be run in DOS mode" statement was near the entry point of the program. There were also a lot of abnormal strings in the file, some traditional Chinese characters and other random characters that appear to be a different language. I would post screenshots of the strings and oddities I discovered while REing; however, I am writing this from my Ubuntu system. I have included screenshots of the rkhunter scan and the grep -r "bitlocker" results.
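An added example, not part of the original post, for anyone triaging the "This program cannot be run in DOS mode" finding: that text is the DOS stub that every Windows PE executable carries between its 64-byte MZ header and the "PE\0\0" signature, so its presence says nothing about the file being malicious. The parser below walks that layout on a constructed minimal PE image (the sample bytes and the helper names are the example's own), which lets you confirm the structure and then move on to the checks that actually matter: where the file lives, whether it is signed, and whether its hash matches the vendor's.

```python
import struct

# Standard stub message emitted by the Microsoft linker into every PE file.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."


def parse_pe_header(data: bytes) -> dict:
    """Return DOS header / COFF header facts about a PE image.

    Raises ValueError when the bytes are not a well-formed PE file.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE executable")
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    # The DOS stub (tiny real-mode program plus its message) sits between
    # the end of the DOS header and the PE signature.
    stub = data[64:e_lfanew]
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "dos_stub_message": DOS_STUB_MSG in stub,  # expected True for normal PEs
        "machine": machine,                        # 0x8664 = x64, 0x14C = x86
        "sections": nsections,
    }


def is_pe_image(data: bytes) -> bool:
    """Convenience wrapper: True when parse_pe_header accepts the bytes."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


def build_sample_pe() -> bytes:
    """Constructed minimal image: MZ header, standard DOS stub, then a COFF header."""
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    stub = stub_code + DOS_STUB_MSG + b"\r\r\n$\0"
    e_lfanew = (64 + len(stub) + 7) & ~7          # linkers 8-byte align the PE header
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    body = dos_header + stub
    body += b"\0" * (e_lfanew - len(body))
    coff = struct.pack("<HH", 0x8664, 3) + b"\0" * 16  # Machine=x64, 3 sections
    return body + b"PE\0\0" + coff


if __name__ == "__main__":
    print(parse_pe_header(build_sample_pe()))
    print(is_pe_image(b"\x7fELF" + b"\0" * 100))  # an ELF is not a PE
```

Run it against a real file with parse_pe_header(open(path, "rb").read()); a True dos_stub_message is the normal case, not an indicator.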