• Ubuntu, Crypto Malware

    From Android8675@VERT to MRO on Wed Nov 30 08:43:15 2022
    Re: Ubuntu, Crypto Malware
    By: MRO to Android8675 on Tue Nov 15 2022 04:33 pm

    if you have it backed up, and your backups are clean, just 'nuke it from orbit'.

    why do you want to waste time going on a search for it?
    if your files are encrypted you aren't getting them back and you might lose more anyways.

    Files were fine, it wasn't a malicious app (thankfully), it was just a crypto app that was being run from a cloud drive on my system. I blocked off the RADIUS port (1812) and the app stopped coming up. I'll have to figure out how/why it was happening. RADIUS has something to do with authentication. Maybe if I just switch to key auth only it'll block whatever backdoor I've obviously left open.

    At any rate, I closed all but the ports I need and it seems OK now.

    Glad I didn't have to nuke anything, and thankfully I got a fairly nice backup setup.

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Android8675@VERT/REALITY to Digital Man on Wed Nov 30 08:27:07 2022
    Re: Ubuntu, Crypto Malware
    By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

    Re: Ubuntu, Crypto Malware
    By: Android8675 to All on Tue Nov 15 2022 07:51 am

    Hey all, anyone have any experience with crypto infected Linux systems?

    So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek?

    I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixe

    Is there a simple way to clean out the /tmp folder in Linux, for us plebs? /var/log folder getting kinda robust too.

    So I could not for the life of me figure out where the exploit was on my system until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes. So I watched it fire up and the process information mentioned port 1812 somewhere, and I looked up port 1812 which has something to do with RADIUS authentication?

    So I blocked the port on the system and the malware hasn't started up since. I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so I'm OK just keeping that port blocked until I can figure out how/why it's happening.

    I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erroneous ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).

    At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.
    --
    Android8675@realitycheckbbs.o r g

    ... Do you know what kind of game this is?

    ---
    ■ Synchronet ■ .: realitycheckbbs.org :: scientia potentia est :.
  • From Digital Man@VERT to Android8675 on Wed Nov 30 11:53:18 2022
    Re: Ubuntu, Crypto Malware
    By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

    Re: Ubuntu, Crypto Malware
    By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

    Re: Ubuntu, Crypto Malware
    By: Android8675 to All on Tue Nov 15 2022 07:51 am

    Hey all, anyone have any experience with crypto infected Linux systems?

    So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek?

    I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixe

    Is there a simple way to clean out the /tmp folder in Linux, for us plebs?

    https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up

    /var/log folder getting kinda robust too.

    Most apps that log there should have configurable log rotation policies.

    So I could not for the life of me figure out where the exploit was on my system until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes.

    'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your system, then you start grepping for what restarts that process upon boot (if it is).
    --
    digital man (rob)

    Synchronet/BBS Terminology Definition #34:
    FTN = FidoNet Technology Network
    Norco, CA WX: 59.2°F, 68.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
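The two steps Digital Man describes, finding where a running binary actually lives and then grepping for what restarts it, as a small set of POSIX shell helpers. This is an added example, not code from the thread or from Synchronet; the list of persistence locations and the choice to flag binaries running from /tmp-style directories or unlinked while running are my assumptions about where a defender would look first.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for triaging a process that
# keeps coming back. Every location is a parameter so the functions can be
# pointed at a test tree; with no arguments they look at the live system.

# Print "pid exe-path" for each process under a /proc root. Like 'ps aux',
# this only resolves other users' processes when run as root (hence sudo).
list_exes() {
    procroot="${1:-/proc}"
    for d in "$procroot"/[0-9]*; do
        [ -L "$d/exe" ] || continue           # kernel threads have no target
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        printf '%s %s\n' "${d##*/}" "$exe"
    done
}

# Flag binaries that run from a world-writable scratch directory or were
# unlinked while still running (readlink reports " (deleted)" on Linux).
suspicious_exes() {
    list_exes "$1" | while read -r pid exe; do
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*" (deleted)")
                printf '%s %s\n' "$pid" "$exe" ;;
        esac
    done
}

# Grep the usual restart mechanisms for a process name or path: crontabs,
# systemd units, rc.local, root's shell profiles. Extra paths given after
# the name (for example a mounted backup) are searched first. Prints the
# files that match, so you know which entry to inspect and remove.
find_persistence() {
    needle="$1"; shift
    set -- "$@" /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
           /var/spool/cron /etc/systemd/system /etc/rc.local \
           /root/.bashrc /root/.profile
    grep -rlF -- "$needle" "$@" 2>/dev/null
}

# Usage on a live box, as root:  suspicious_exes; find_persistence <name>
```

If `suspicious_exes` shows nothing but the process still returns, repeat `list_exes` right after it respawns; the parent pid and path in `sudo ps aux` then point at whatever launched it.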
  • From MRO@VERT/BBSESINF to Android8675 on Wed Nov 30 15:56:04 2022
    Re: Ubuntu, Crypto Malware
    By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

    I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so
    I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erroneous ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).

    At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.

    you really should reinstall. they didn't exploit radius.
    and it's good practice and keeps you on your toes to learn a way
    to tear it down and put it up again after working out a system.

    i wouldn't trust running an exploited system.

    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Android8675@VERT/SHODAN to Digital Man on Mon Dec 5 10:44:52 2022
    Re: Ubuntu, Crypto Malware
    By: Digital Man to Android8675 on Wed Nov 30 2022 11:53 am

    Re: Ubuntu, Crypto Malware
    By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

    Is there a simple way to clean out the /tmp folder in Linux, for us plebs?

    https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up
    Thanks...

    /var/log folder getting kinda robust too.

    Most apps that log there should have configurable log rotation policies.
    Thanks again, will research...

    So I could not for the life of me figure out where the exploit was on my system until I watched the process

    'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your
    system, then you start grepping for what restarts that process upon boot (if it is).

    I'll need to practice this. I find it odd that port 1812 isn't open in my router, so maybe there is another system infected causing this? Probably those fucking wifi lightbulbs I installed last week or some bullshit.

    ha, thanks for your help DM.
    --
    Android8675@ShodansCore
    ---
    ■ Synchronet ■ Shodan's Core @ ShodansCore.com
  • From Android8675@VERT/SHODAN to MRO on Mon Dec 5 10:45:36 2022
    Re: Ubuntu, Crypto Malware
    By: MRO to Android8675 on Wed Nov 30 2022 03:56 pm

    you really should reinstall. they didn't exploit radius.
    and it's good practice and keeps you on your toes to learn a way
    to tear it down and put it up again after working out a system.

    i wouldn't trust running an exploited system.

    I am seriously considering it. Just need to find the time.
    --
    Android8675@ShodansCore
    ---
    ■ Synchronet ■ Shodan's Core @ ShodansCore.com