Linux Lite Forums

General => Security & Bug Fixes => Topic started by: bitsnpcs on November 09, 2017, 10:30:04 AM

Title: Are they false ?
Post by: bitsnpcs on November 09, 2017, 10:30:04 AM
(https://preview.ibb.co/kERhXb/1screenshot.png)

(https://preview.ibb.co/kqVWQw/2screenshot.png)

(https://preview.ibb.co/dS6udG/3screenshot.png)

(https://preview.ibb.co/g3ykkw/4screenshot.png)

(https://preview.ibb.co/goJ7yG/5screenshot.png)

(https://preview.ibb.co/bK1hXb/6screenshot.png)

(https://preview.ibb.co/mEv9Cb/7screenshot.png)

On the forum it is a keylogger used at me, so I begin to look in distro, this is results, I wonder if it is related to this, is false results from both software used, or is another problem /attack altogether ?
Title: Re: Are they false ?
Post by: rokytnji on November 09, 2017, 12:46:19 PM
You can try a quick check

Code: [Select]
users
Title: Re: Are they false ?
Post by: bitsnpcs on November 09, 2017, 03:08:47 PM
Thank You for reply and help.
It is only my username.

edit -
they make thing of hard drive, I dont understand that stuff, it's gone with the couriers now.
Title: Re: Are they false ?
Post by: newtusmaximus on November 11, 2017, 09:09:36 AM
bitsnpcs
Do not understand where the info/readouts you posted came from.  Was that a readout from your router, or from your pc?

I installed SOPHOS on my pcs as an extra precaution.  Slows responses etc.  down a bit  but concerned that incoming/outgoing are screened realtime so that I lessen the chances of passing on something bad to work colleagues etc.
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx
https://www.sophos.com/medialibrary/PDFs/documentation/savl_9_sgeng.pdf

A bit tedious to set up, but I persevered and  have found it reassuring.

Hope this helps.
Title: Re: Are they false ?
Post by: trinidad on November 11, 2017, 09:17:21 AM
Here.

https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/ (https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/)

https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

TC
Title: Re: Are they false ?
Post by: bitsnpcs on November 11, 2017, 10:19:04 AM
@newtusmaximus the info came from my Linux Lite computer hard drive.
it is the only OS installed on it
it is not networked
no usb stick/ or disc that ever goes on another computer is attached to it.
The only website I visit using that LL computer is this forum
The only update method I use is Install Updates (part of LL).
LL that is installed was download from the main LL website, and MD5 checked before install.
Nobody uses the computer only me, some sit with me some times.

That computer has no wifi, it is physically unplugged from ethernet since the results.

The results are from chkrootkit, and also from rkhunter (root kit hunter) command line tools as recommended in the security section of the Linux Bible 9th Edition (current edition), followed exactly to the letter.

@trinidad thank you for the info and link.

Can some members run chkrootkit and rkhunter , (they are in Install/Remove Software, aka Synaptic) and reply back so I know if this is a overall security issue, such as the hosting company servers used by Linux Lite have been infected and are distributing it to the community,  or it is one directly targeted at me only on LL.
Title: Re: Are they false ?
Post by: newtusmaximus on November 11, 2017, 10:29:12 AM
Thanks trinidad. Way above my head.
So how vulnerable are we then?

Btsnpscs - will do
Title: Re: Are they false ?
Post by: newtusmaximus on November 11, 2017, 10:54:59 AM
chkrootkit - No warning reported.

rkhunter --check   
"System checks summary
=====================

File properties checks...
    Files checked: 150
    Suspect files: 1

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 56 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

  /usr/bin/whoami                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/lwp-request                                     [ Warning ]
    /usr/bin/s-nail                                          [ OK ]
    /usr/bin/x86_64-linux-gnu-size                           [ OK ]
    /usr/bin/x86_64-linux-gnu-strings                        [ OK ]



  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]

Folder for chkrootkit  was blank
Title: Re: Are they false ?
Post by: trinidad on November 11, 2017, 11:14:32 AM
If you got the same result with both rootkit checkers it is usually not a false positive however...

https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1508248 (https://bugs.launchpad.net/ubuntu/+source/chkrootkit/+bug/1508248)

Also have you received a notification from your ISP? Also this particularly involves ssh and other open port usages. To verify what's up on your system, read the documentation, and check for the presence of the malicious files manually. There are many discussions of this on the WWW. If you have the infection best to zero the drive and reinstall, though it can be repaired manually, that is considerably more time consuming and technical. Newer versions of this seem to be leaking out again. The shared memory SHM references in your rkhunter scan are indicative of the newer version of this infection, however the ones you show are for pulse audio so they are most likely a false postive. The operation Windigo entry is a long time bug in chkrootkit.

TC
Title: Re: Are they false ?
Post by: newtusmaximus on November 11, 2017, 11:35:59 AM
[Highlights from my rkhunter log  scan of just now


15:50:21] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.

[15:50:28] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.

[15:50:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

[15:50:40] Info: Found file '/bin/egrep': it is whitelisted for the 'script replacement' check.
[15:50:40]   /bin/fgrep                                      [ OK ]
[15:50:41] Info: Found file '/bin/fgrep': it is whitelisted for the 'script replacement' check.

[15:50:44] Info: Found file '/bin/which': it is whitelisted for the 'script replacement' check.

[15:51:55] Info: Found the 'unhide-tcp' command: /usr/sbin/unhide-tcp

[15:51:58] Info: SCAN_MODE_DEV set to 'THOROUGH'
[15:52:01]   Checking /dev for suspicious file types         [ Warning ]
[15:52:01] Warning: Suspicious file types found in /dev:
[15:52:01]          /dev/shm/pulse-shm-331478974: data
[15:52:01]          /dev/shm/pulse-shm-3524711130: data
[15:52:01]          /dev/shm/pulse-shm-1543249499: data
[15:52:01]          /dev/shm/pulse-shm-1019003171: data
[15:52:01]          /dev/shm/pulse-shm-3173629532: data
[15:52:01]          /dev/shm/pulse-shm-3776217293: data
[15:52:01]          /dev/shm/pulse-shm-1763800836: data
[15:52:01]   Checking for hidden files and directories       [ Warning ]
[15:52:01] Warning: Hidden directory found: /etc/.java

[15:52:07] System checks summary
[15:52:07] =====================
[15:52:07]
[15:52:07] File properties checks...
[15:52:07] Files checked: 150
[15:52:07] Suspect files: 1
[15:52:07]
[15:52:07] Rootkit checks...
[15:52:07] Rootkits checked : 365
[15:52:07] Possible rootkits: 0
[15:52:07]
[15:52:07] Applications checks...
[15:52:07] All checks skipped
[15:52:07]
[15:52:07] The system checks took: 1 minute and 56 seconds
[15:52:07]
[15:52:07] Info: End date is Sat Nov 11 15:52:07 GMT 2017

No idea what the significance of the above is.  help please in laypersons terms .
Title: Re: Are they false ?
Post by: bitsnpcs on November 11, 2017, 01:34:42 PM
@trinidad  no notifications from isp.
It is having the ethernet cable removed, is not plugged in, I am not allowed to plug it in.
I am using windows computer.
Title: Re: Are they false ?
Post by: trinidad on November 11, 2017, 03:00:33 PM
@bitsnpcs  What I see are false positives, but to be sure read the documentation and try to locate the files of the infection itself. If they are not there you do not have the ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so refer him/her to the information I have just given you.

TC
Title: Re: Are they false ?
Post by: trinidad on November 11, 2017, 03:38:57 PM
@newtusmaximus  /etc/.java is created by OpenJDK. Not to worry and not normally editable. Rkhunter doesn't like it because of the obviated file path /etc/.java/.systemPrefs/.systemRootModFile

TC 
Title: Re: Are they false ?
Post by: Vera on November 11, 2017, 04:00:06 PM
@newtusmaximus
Can some members run chkrootkit and rkhunter , (they are in Install/Remove Software, aka Synaptic) and reply back

OK, I installed both. My results from rkhunter are exactly the same as @newtusmaximus .

I tried to run chkrootkit but it says: can't find `awk'
To check if I have it on my system, when I type man awk, it directs me to the man pages for gawk. I then installed traditional awk via Synaptic but when I ran chkrootkit I still got the same message. This is true whether I run chkrootkit as user or as sudo. So, I had to give up on chkrootkit, but wanted to let you know my results of rkhunter as requested.
Title: Re: Are they false ?
Post by: trinidad on November 11, 2017, 04:26:08 PM
@Vera  Didn't need to do all that. Download and install from synaptic. Run sudo su. Then enter your sudo password and run chkrootkit from root.

TC
Title: Re: Are they false ?
Post by: bitsnpcs on November 11, 2017, 06:47:04 PM
@bitsnpcs  What I see are false positives, but to be sure read the documentation and try to locate the files of the infection itself. If they are not there you do not have the ebury rootkit infection. Has a network admin disallowed your use of the LL computer? If so refer him/her to the information I have just given you.

TC
@trinidad what is the documentation you write of , the links?
A Network admin has not disallowed me to use it.
My eldest brother and his wife disallowed me to use it/ told me not to plug it in the ethernet cable to LL machine.

@Vera Thank You for running the test.
Title: Re: Are they false ?
Post by: rokytnji on November 11, 2017, 11:44:03 PM
No need for rootkit hunter install for me.

Code: [Select]
[email protected]:~
$ groups
harry lp uucp dialout cdrom floppy sudo audio dip video plugdev users netdev lpadmin scanner bluetooth

I already covered "users"

Wanna look for zombies?

Run

Code: [Select]
top
Even if you see 1 or 2 zombies in the readout <it probably means nada>. I see zero on mine.
Title: Re: Are they false ?
Post by: ian_r_h on November 12, 2017, 04:21:01 AM
I assumed the lwp, java and pulse-shm reports from rkhunter are false positives (I don't use chkrootkit) given that these have occurred immediately after fresh installs of LL followed by rkhunter (and --update) and before Menu/Favourites/Install Updates on 3 different boxes every time; unless my copy of LL 3.6 64bit .iso downloaded from linuxlite.com and rkhunter downloaded via apt-get from the default repo (and different mirrors) were infected to begin with.

These persist even after sudo rkhunter --propupd

Googling found no evidence that these were anything to worry about.

I can't speak as to the rest.
Title: Re: Are they false ?
Post by: trinidad on November 12, 2017, 10:24:19 AM
Okay friends.

I'm not going to assure someone that their computer is untouched by an incidence of ebury without being in the room with access to the particular box. I realize many here are deeply concerned with security but this thread seems to be headed as usual toward paranoia mode. To sum up again: rkhunter often returns false positives for shm files because it is aware of the newer version of ebury, and also reports obviated file paths, chkrootkit has had the bug in Debian to falsely detect ebury for some time now and is actually somewhat deprecated. I consider Linux itself to be a positive learning experience for anyone who wants to learn about it. The welivesecurity links are full of information which can direct you to the ebury files on your computer if you choose to look for them, which is the best way to be sure if the ebury infection is or is not present on your box. The hacker who invented it is in prison in the US, however newer versions now exist in the wild. It is unlikely that ebury is going away as it is still evolving, but as with all things of this type security people are also continuing to check its progress. The community nature of Linux itself makes successful zero day exploits very difficult to pull off. I cannot say that it is unlikely that a LL user could have contracted ebury, as LL is used in many different ways by many different users, and the likelihood of contracting ebury depends on user praxis. I can say that it is unlikely now that a US user with a broadband ISP (like Spectrum) could contract it unawares as their ISP would notify them, especially if they are looping ssh or samba through their connection.

TC     
Title: Re: Are they false ?
Post by: newtusmaximus on November 12, 2017, 06:43:37 PM
Thanks Trinidad..  learned a lot from this exercise so time not wasted. :)
Title: Re: Are they false ?
Post by: bitsnpcs on November 14, 2017, 03:54:25 PM
@trinidad I do not feel able to cope with the links at this time. I do not think it will be possible for me to do this level of Linux discussed on them either. It is above beginner level.
I will try to work through the links and tasks at a future time, when I rebuild some confidence in using computers.

I am not confident there will be any success at all for me in trying that, but I will try at some stage.

Even though it is highly unlikely to be solved, I will say it as solved as there is nothing else that can be done. There is no marking option etc.
Title: Re: Are they false ?
Post by: Jerry on November 14, 2017, 09:41:22 PM
Whenever I look at my reports from rkhunter and chkrootkit I simply Google them. They always turn out to be false positives and are usually widely known/discussed.
Title: Re: Are they false ?
Post by: bitsnpcs on November 14, 2017, 11:52:08 PM
I will do this.
Title: Re: Are they false ?
Post by: trinidad on November 15, 2017, 07:47:01 AM
@bitnpcs  Yes!!! There is so much information on the web about Linux that you can often just copy and paste the code to a search box, especially if it concerns security. Linux is a vast global community.

TC
Title: Re: Are they false ?
Post by: bitsnpcs on November 15, 2017, 09:12:17 AM
Thanks, I'll post back once completed
Title: Re: Are they false ?
Post by: bitsnpcs on November 15, 2017, 05:20:10 PM
So far I am still manually doing the checks from Ubuntu security page.

For some reason there are auth.log and auth.log.1, the same occurs for many other logs, I am unsure if this is normal, I have not found info on that yet.

One thing I noticed in the both auth.log is login at 06:25:01 hours, every day for same duration since the 8th November (my oldest log date), it takes root/su, using a default in the distro, Linuxquestions says this is used as default for "Samba and Apache to run services in distros", then afterwards it removes its session.
I am unsure why or which services it is running at this time each day ?

It can also be used to backdoor distros, they advice using /dev/null instead to prevent that possibility.
I am not sure on that.

These are the only unknowns in auth.log/s.
Syslog is clear.

I will continue on with the processes and report back.
Title: Re: Are they false ?
Post by: bitsnpcs on November 15, 2017, 07:23:53 PM
Still on the first of security links.

I have solved the above one, in that it is something internal in distro, and it is not trying access externally. Its common behaviour in many Linux distros.

ufw logs clear.

netstat

Code: [Select]
sudo watch netstat -anlp
shows no foreign connection or any to /bin/sh or /bin/su

trace backs running clear currently. ( I was allowed to connect LL, for this and can show them montoring and ufw results)

rkhunter, I have discovered it is false positive, something to do with package manager, Debian say its been fixed.

rkhunter wiki has this for updates which I had done before using it and since then.

Code: [Select]
sudo rkhunter --propupd
On ubuntu forums notice the help

Code: [Select]
sudo rkhunter - h
from this I found a way to update the database

Code: [Select]
sudo rkhunter --update
Neither are on the rkhunter wiki it is a different method and commands.

This found and updated the list of false positives in rkhunter that propupd didn't find.

I then edited the rkhunter.conf file as admin saved and used

Code: [Select]
sudo rkhunter -C
As per the conf to update rkhunter with these changes.

It now runs with no results detected, only everything Okay, not found, or clear.

I have updated LL and notice that both Perl and Pulse have many updates it may help in chkrootkit which I'll start on tomorrow.

Update -
.bash_profile, .bash_rc, .profile, /etc/profile - all clear of other uses

Update 2 -
samba activity noted above, this is a cron job to back up samba password each day.
no cron jobs set at root
cron.d empty/no issues found
cron.daily / all clean no issues found
cron.hourly, cron.monthly empty/no issues found
cron.weekly all clean no issues found
All checking manually.

Code: [Select]
printenvno backdoors, hooks escalated priviledges found , all clean.

/etc/ld.so.conf.d
no malicious linkages found

/etc/rc.local clean
/etc/rc0 thru 6 all files checked all clean
/etc/init.d clean
/etc/network all files clean
/etc/NetworkManager all files clean  :)
Title: Re: Are they false ?
Post by: JmaCWQ on November 15, 2017, 11:23:52 PM
For some reason there are auth.log and auth.log.1, the same occurs for many other logs, I am unsure if this is normal, I have not found info on that yet.

That is normal, just the logs being rotated auto by the system, the .1's are the older logs.
Title: Re: Are they false ?
Post by: bitsnpcs on November 16, 2017, 02:32:32 PM
For some reason there are auth.log and auth.log.1, the same occurs for many other logs, I am unsure if this is normal, I have not found info on that yet.

That is normal, just the logs being rotated auto by the system, the .1's are the older logs.

Thank You for answering and explaining it to me :)
Title: Re: Are they false ?
Post by: bitsnpcs on November 16, 2017, 03:35:26 PM
I have done searching it says chkrootkit Ebury is a known false positive, relate to -G

To test for Ebury older versions using shared memory segments I ran

Code: [Select]
sudo find /lib* -type f -name libns2.so
Clean

To test for Ebury newer version using Unix domain sockets I ran

Code: [Select]
sudo netstat -nap | grep "@/proc/udevd"
Clean

To prevent false positive due to added -G it uses -e Gg in this command, where I found an explanation of the command on Ubuntu threads.

Code: [Select]
ssh -G 2>&1 | grep -e illegal -e unknown -e Gg > /dev/null && echo "System clean" || echo "System infected"
The result was -

(https://preview.ibb.co/fz5LSm/screen2.png)
Title: Re: Are they false ?
Post by: trinidad on November 16, 2017, 04:16:06 PM
Nicely done @bitsnpcs
The first lib command you cite is enough to know whether or not ebury is installed.

TC
Title: Re: Are they false ?
Post by: TheDead on November 16, 2017, 04:53:20 PM
If these are real rootkits, would a Linux antivirus software "clean" the problem? (rootkits are not always cleaned by default on Window's AV :( ) . Ralated but curving the OP a bit, what would be the "Avira" for Linux ? (i.e. free and good). -TD
Title: Re: Are they false ?
Post by: bitsnpcs on November 16, 2017, 05:22:28 PM
@trinidad  Thank You, it is very good to know the first one is enough :)
Title: Re: Are they false ?
Post by: JmaCWQ on November 17, 2017, 01:26:19 AM
Thank You for answering and explaining it to me :)

You are welcome.

One reason I love Linux is I never have to worry about all this virus/rootkit stuff.