Rocksolid Light



Thread: Ubuntu, Crypto Malware (dovenet / Unix)

Subject / Author
* Ubuntu, Crypto Malware / Android8675
+* Ubuntu, Crypto Malware / Digital Man
|`* Ubuntu, Crypto Malware / Android8675
| +* Ubuntu, Crypto Malware / Digital Man
| |`- Ubuntu, Crypto Malware / Android8675
| `* Ubuntu, Crypto Malware / MRO
|  `- Ubuntu, Crypto Malware / Android8675
`* Ubuntu, Crypto Malware / MRO
 +* Ubuntu, Crypto Malware / Arelor
 |`- Ubuntu, Crypto Malware / MRO
 `- Ubuntu, Crypto Malware / Android8675

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=16&group=DOVE-Net.Unix#16

Newsgroups: DOVE-Net.Unix
From: android8675@VERT (Android8675)
To: All
Subject: Ubuntu, Crypto Malware
Message-ID: <6373B57C.11215.dove-lnx@vert.synchro.net>
Date: Tue, 15 Nov 2022 00:51:24 -0800
X-Comment-To: All
Path: rocksolidbbs.com!not-for-mail
Organization: Vertrauen
Newsgroups: DOVE-Net.Unix
X-FTN-PID: Synchronet 3.20a-Win32 v320a_dev/f3da77c17 Nov 14 2022 MSC 1929
X-FTN-CHRS: CP437 2
WhenImported: 20221115075124-0800 41e0
WhenExported: 20221115101829-0800 41e0
ExportedFrom: VERT dove-lnx 11215
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Android8675 - Tue, 15 Nov 2022 08:51 UTC

Hey all, anyone have any experience with crypto infected Linux systems? My box that I use has mxrig running, and I've no idea how it got there, where it's hiding, or how to get it off my system. Speculating that it could be some rootkit bologna, and there's vague suggestions on the googles as to how to get it off my system without "nuking it from orbit".

So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek? Drop me a note at andyob [at] gmail.com if you've had some experience. I got the thing backed up, so I'm ok with letting you pop-on and see if you can work some magic.

Thanks in advance,
-A @ shodanscore.com

---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=17&group=DOVE-Net.Unix#17

Newsgroups: DOVE-Net.Unix
From: digital.man@VERT (Digital Man)
To: Android8675
Subject: Ubuntu, Crypto Malware
Message-ID: <6373EDB2.11217.dove-lnx@vert.synchro.net>
Date: Tue, 15 Nov 2022 04:51:14 -0800
X-Comment-To: Android8675
Path: rocksolidbbs.com!not-for-mail
Organization: Vertrauen
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6373B57C.11215.dove-lnx@vert.synchro.net>
References: <6373B57C.11215.dove-lnx@vert.synchro.net>
X-FTN-PID: Synchronet 3.20a-Linux v320a_dev/5b30c2d10 Nov 11 2022 GCC 12.2.0
X-FTN-CHRS: CP437 2
WhenImported: 20221115115114-0800 41e0
WhenExported: 20221115161822-0800 41e0
ExportedFrom: VERT dove-lnx 11217
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Digital Man - Tue, 15 Nov 2022 12:51 UTC

Re: Ubuntu, Crypto Malware
By: Android8675 to All on Tue Nov 15 2022 07:51 am

> Hey all, anyone have any experience with crypto infected Linux systems? My
> box that I use has mxrig running, and I've no idea how it got there, where
> it's hiding, or how to get it off my system. Speculating that it could be
> some rootkit bologna, and there's vague suggestions on the googles as to how
> to get it off my system without "nuking it from orbit".
>
> So, before I do that I thought I might see if there's anyone who's had
> experience with this sort of thing who might be willing to take a peek? Drop
> me a note at andyob [at] gmail.com if you've had some experience. I got the
> thing backed up, so I'm ok with letting you pop-on and see if you can work
> some magic.

I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixed GitLab version. During those 24 hours, a crypto miner (I forget the name) was installed and it was pretty obvious from the impact on CPU utilization. I found and killed the process manually and deleted the maliciously-installed files (in the /tmp dir, iirc). Tools like ps, top, netstat should help you find the culprit process(es) and get rid of them, but it is important that you find and remove (or update/patch) the software with the original vulnerability that was used to install the crypto miner in the first place.
--
digital man (rob)

Rush quote #57:
He picks up scraps of information, he's adept at adaptation .. Digital Man
Norco, CA WX: 68.5°F, 21.0% humidity, 0 mph NE wind, 0.00 inches rain/24hrs
---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=18&group=DOVE-Net.Unix#18

Newsgroups: DOVE-Net.Unix
From: mro@VERT/BBSESINF (MRO)
To: Android8675
Subject: Ubuntu, Crypto Malware
Message-ID: <637413A1.826.dove-nix@bbses.info>
Date: Tue, 15 Nov 2022 09:33:05 -0600
X-Comment-To: Android8675
Path: rocksolidbbs.com!not-for-mail
Organization: bbses.info
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6373B57C.11215.dove-lnx@vert.synchro.net>
References: <6373B57C.11215.dove-lnx@vert.synchro.net>
X-FTN-PID: Synchronet 3.19b-Win32 master/a2a9dc027 Jan 2 2022 MSC 1928
X-FTN-CHRS: CP437 2
WhenImported: 20221115143517-0800 41e0
WhenExported: 20221115161822-0800 41e0
ExportedFrom: VERT dove-lnx 11218
WhenImported: 20221115163305-0600 4168
WhenExported: 20221115163513-0600 4168
ExportedFrom: BBSESINF dove-nix 826
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: MRO - Tue, 15 Nov 2022 15:33 UTC

Re: Ubuntu, Crypto Malware
By: Android8675 to All on Tue Nov 15 2022 07:51 am

> Hey all, anyone have any experience with crypto infected Linux systems? My
> box that I use has mxrig running, and I've no idea how it got there, where
> it's hiding, or how to get it off my system. Speculating that it could be
> some rootkit bologna, and there's vague suggestions on the googles as to how
> to get it off my system without "nuking it from orbit".
>
> So, before I do that I thought I might see if there's anyone who's had
> experience with this sort of thing who might be willing to take a peek? Drop
> me a note at andyob [at] gmail.com if you've had some experience. I got the
> thing backed up, so I'm ok with letting you pop-on and see if you can work
> some magic.

if you have it backed up, and your backups are clean, just 'nuke it from orbit'.

why do you want to waste time going on a search for it?
if your files are encrypted you aren't getting them back and you might lose
more anyways.

---
■ Synchronet ■ ::: BBSES.info - free BBS services :::

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=19&group=DOVE-Net.Unix#19

Newsgroups: DOVE-Net.Unix
From: arelor@VERT/PALANT (Arelor)
To: MRO
Subject: Ubuntu, Crypto Malware
Message-ID: <637421D2.513.dove-unix@palantirbbs.ddns.net>
Date: Tue, 15 Nov 2022 10:33:38 -0600
X-Comment-To: MRO
Path: rocksolidbbs.com!not-for-mail
Organization: Palantir
Newsgroups: DOVE-Net.Unix
In-Reply-To: <637413A1.826.dove-nix@bbses.info>
References: <637413A1.826.dove-nix@bbses.info>
X-FTN-PID: Synchronet 3.19c-Linux master/77e624dd0 Nov 12 2022 GCC 11.2.0
X-FTN-CHRS: CP437 2
WhenImported: 20221115155217-0800 41e0
WhenExported: 20221115161822-0800 41e0
ExportedFrom: VERT dove-lnx 11219
WhenImported: 20221115173338-0600 4168
WhenExported: 20221115175144-0600 4168
ExportedFrom: PALANT dove-unix 513
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Arelor - Tue, 15 Nov 2022 16:33 UTC

Re: Ubuntu, Crypto Malware
By: MRO to Android8675 on Tue Nov 15 2022 04:33 pm

> if you have it backed up, and your backups are clean, just 'nuke it from orbit'.
>
> why do you want to waste time going on a search for it?
> if your files are encrypted you aren't getting them back and you might lose
> more anyways.
>

I think he is talking about cryptomining malware rather than a ransomware piece.

I'd personally just restore from the latest known clean backup if any, and do what
somebody else has recommended: apply security updates and try to ensure they don't
break in the same way again.

Using Unix utilities from within a compromised system is not a great idea. Rootkits
may make evil software undetectable. If you must scan an infected system, it is usually
better to just image it and scan the image from a known good system instead.

--
gopher://gopher.richardfalken.com/1/richardfalken

---
■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=20&group=DOVE-Net.Unix#20

Newsgroups: DOVE-Net.Unix
From: mro@VERT/BBSESINF (MRO)
To: Arelor
Subject: Ubuntu, Crypto Malware
Message-ID: <63744209.828.dove-nix@bbses.info>
Date: Tue, 15 Nov 2022 12:51:05 -0600
X-Comment-To: Arelor
Path: rocksolidbbs.com!not-for-mail
Organization: bbses.info
Newsgroups: DOVE-Net.Unix
In-Reply-To: <637421D2.513.dove-unix@palantirbbs.ddns.net>
References: <637421D2.513.dove-unix@palantirbbs.ddns.net>
X-FTN-PID: Synchronet 3.19b-Win32 master/a2a9dc027 Jan 2 2022 MSC 1928
X-FTN-CHRS: CP437 2
WhenImported: 20221115180514-0800 41e0
WhenExported: 20221115221835-0800 41e0
ExportedFrom: VERT dove-lnx 11220
WhenImported: 20221115195105-0600 4168
WhenExported: 20221115200513-0600 4168
ExportedFrom: BBSESINF dove-nix 828
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: MRO - Tue, 15 Nov 2022 18:51 UTC

Re: Ubuntu, Crypto Malware
By: Arelor to MRO on Tue Nov 15 2022 05:33 pm

> I'd personally just restore from the latest known clean backup if any, and
> do what somebody else has recommended: apply security updates and try to
> ensure they don't break in the same way again.
>
> Using Unix utilities from within a compromised system is not a great idea.
> Rootkits may make evil software undetectable. If you must scan an infected
> system, it is usually better to just image it and scan the image from a
> known good system instead.
>

if ANY body gets a virus they should:

+ backup any non executable files they need
+ wipe the system.
+ change all your passwords and login names on a clean system, ie NOT that computer.
+ disable remote logins if possible.
+ be more careful!
---
■ Synchronet ■ ::: BBSES.info - free BBS services :::

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=24&group=DOVE-Net.Unix#24

Newsgroups: DOVE-Net.Unix
From: android8675@VERT (Android8675)
To: MRO
Subject: Ubuntu, Crypto Malware
Message-ID: <63878823.11226.dove-lnx@vert.synchro.net>
Date: Wed, 30 Nov 2022 01:43:15 -0800
X-Comment-To: MRO
Path: rocksolidbbs.com!not-for-mail
Organization: Vertrauen
Newsgroups: DOVE-Net.Unix
In-Reply-To: <637413A1.826.dove-nix@bbses.info>
References: <637413A1.826.dove-nix@bbses.info>
X-FTN-PID: Synchronet 3.20a-Win32 v320a_dev/55ee6f559 Nov 10 2022 MSC 1922
X-FTN-CHRS: CP437 2
WhenImported: 20221130084315-0800 41e0
WhenExported: 20221130101819-0800 41e0
ExportedFrom: VERT dove-lnx 11226
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Android8675 - Wed, 30 Nov 2022 09:43 UTC

Re: Ubuntu, Crypto Malware
By: MRO to Android8675 on Tue Nov 15 2022 04:33 pm

> if you have it backed up, and your backups are clean, just 'nuke it from
> orbit'.
>
> why do you want to waste time going on a search for it?
> if your files are encrypted you aren't getting them back and you might lose
> more anyways.

Files were fine, it wasn't a malicious app (thankfully), it was just a crypto app being run from a cloud drive on my system. I blocked off the RADIUS port (1812) and the app stopped coming up. I'll have to figure out how/why it was happening. RADIUS has something to do with authentication. Maybe if I just switch to key auth only it'll block whatever backdoor I've obviously left open.

At any rate, I closed all but the ports I need and it seems OK now.

Glad I didn't have to nuke anything, and thankfully I got a fairly nice backup setup.

---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
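An added example, not code from this thread or from any poster: the post above floats "key auth only" and MRO's checklist says to disable remote logins where possible. The script below audits an sshd_config for exactly that posture. Both config samples are constructed for illustration, the `andy` login name in the hardened sample is a placeholder, and the audit only reads the top-level section (settings after a `Match` line are conditional and are skipped).

```shell
#!/bin/sh
# Added example (not from the thread): offline check of an sshd_config for
# the key-only login posture discussed above. sshd honours the FIRST
# occurrence of each keyword, so the first value per key is what counts.
# Both configs below are constructed samples, not anyone's real config.

# Constructed: a typical stock config that still accepts password logins.
WEAK_SSHD_CONFIG='# sample sshd_config, weak
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed: the hardened equivalent, keys only, no root login, and an
# explicit allow-list ("andy" is a placeholder user name).
HARDENED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers andy'

# Reads an sshd_config (or `sshd -T` output) on stdin, prints one FINDING
# line per weak setting and returns non-zero when anything needs fixing.
# Assumes the "Keyword value" form; "Keyword=value" is not parsed.
audit_sshd_config() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
    tolower($1) == "match" { in_match = 1 }        # everything after Match is conditional
    in_match { next }
    {
      key = tolower($1)
      # pre-8.7 spelling of the keyboard-interactive switch
      if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
      if (!(key in val)) val[key] = tolower($2)    # first occurrence wins
    }
    END {
      n = 0
      # PasswordAuthentication defaults to yes, so its absence is a finding too.
      if (!("passwordauthentication" in val) || val["passwordauthentication"] != "no") {
        print "FINDING: set PasswordAuthentication no (keys only)"; n++ }
      # Same default for keyboard-interactive, which PAM uses to prompt for passwords.
      if (!("kbdinteractiveauthentication" in val) || val["kbdinteractiveauthentication"] != "no") {
        print "FINDING: set KbdInteractiveAuthentication no"; n++ }
      # The default (prohibit-password) is fine; an explicit yes is not.
      if (("permitrootlogin" in val) && val["permitrootlogin"] == "yes") {
        print "FINDING: PermitRootLogin yes; use no or prohibit-password"; n++ }
      if (("pubkeyauthentication" in val) && val["pubkeyauthentication"] != "yes") {
        print "FINDING: PubkeyAuthentication must be yes or nobody can log in"; n++ }
      exit n > 0
    }'
}

# Offline demonstration on the two constructed samples.
echo "--- weak sample ---"
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config || echo "(needs fixing)"
echo "--- hardened sample ---"
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && echo "(ok)"
```

On a real host, `sshd -T | audit_sshd_config` (as root) checks the effective configuration rather than one file, which also covers settings pulled in via `Include`. Before turning off password logins, confirm that a key already works from a second session so the change does not lock you out.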

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=25&group=DOVE-Net.Unix#25

Newsgroups: DOVE-Net.Unix
From: android8675@VERT/REALITY (Android8675)
To: Digital Man
Subject: Ubuntu, Crypto Malware
Message-ID: <6387845B.2765.dove.dove-nix@realitycheckbbs.org>
Date: Wed, 30 Nov 2022 01:27:07 -0800
X-Comment-To: Digital Man
Path: rocksolidbbs.com!not-for-mail
Organization: realitycheckBBS
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6373EDB2.11217.dove-lnx@vert.synchro.net>
References: <6373EDB2.11217.dove-lnx@vert.synchro.net>
X-FTN-PID: Synchronet 3.19c-Win32 master/94ea4bf4e May 18 2022 MSC 1929
X-FTN-CHRS: CP437 2
WhenImported: 20221130114452-0800 41e0
WhenExported: 20221130161822-0800 41e0
ExportedFrom: VERT dove-lnx 11227
WhenImported: 20221130082707-0800 41e0
WhenExported: 20221130114448-0800 41e0
ExportedFrom: REALITY dove.dove-nix 2765
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Android8675 - Wed, 30 Nov 2022 09:27 UTC

Re: Ubuntu, Crypto Malware
By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

> Re: Ubuntu, Crypto Malware
> By: Android8675 to All on Tue Nov 15 2022 07:51 am

> > Hey all, anyone have any experience with crypto infected Linux systems?

> > So, before I do that I thought I might see if there's anyone who's had
> > experience with this sort of thing who might be willing to take a peek?

> I was running a version of GitLab (a year ago?) that had an exploit
> published and I was vulnerable for about 24 hours before upgrading to a fixe

Is there a simple way to clean out the /tmp folder in Linux, for us plebs? (/var/log folder getting kinda robust too)

So I could not for the life of me figure out where the exploit was on my system
until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes. So I watched it fire up and the process information mentioned port 1812 somewhere, and I looked up port 1812 which has something to do with RADIUS authentication?

So I blocked the port on the system and the malware hasn't started up since. I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so I'm OK just keeping that port blocked until I can figure out how/why it's happening.

I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erroneous ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).

At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.
--
Android8675@realitycheckbbs.o r g

.... Do you know what kind of game this is?

---
■ Synchronet ■ .: realitycheckbbs.org :: scientia potentia est :.

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=26&group=DOVE-Net.Unix#26

Newsgroups: DOVE-Net.Unix
From: digital.man@VERT (Digital Man)
To: Android8675
Subject: Ubuntu, Crypto Malware
Message-ID: <6387B4AE.11229.dove-lnx@vert.synchro.net>
Date: Wed, 30 Nov 2022 04:53:18 -0800
X-Comment-To: Android8675
Path: rocksolidbbs.com!not-for-mail
Organization: Vertrauen
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6387845B.2765.dove.dove-nix@realitycheckbbs.org>
References: <6387845B.2765.dove.dove-nix@realitycheckbbs.org>
X-FTN-PID: Synchronet 3.20a-Linux v320a_dev/5b30c2d10 Nov 11 2022 GCC 12.2.0
X-FTN-CHRS: CP437 2
WhenImported: 20221130115318-0800 41e0
WhenExported: 20221130161822-0800 41e0
ExportedFrom: VERT dove-lnx 11229
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Digital Man - Wed, 30 Nov 2022 12:53 UTC

Re: Ubuntu, Crypto Malware
By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

> Re: Ubuntu, Crypto Malware
> By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am
>
> > Re: Ubuntu, Crypto Malware
> > By: Android8675 to All on Tue Nov 15 2022 07:51 am
>
> > > Hey all, anyone have any experience with crypto infected Linux systems?
>
> > > So, before I do that I thought I might see if there's anyone who's had
> > > experience with this sort of thing who might be willing to take a peek?
>
> > I was running a version of GitLab (a year ago?) that had an exploit
> > published and I was vulnerable for about 24 hours before upgrading to a
> > fixe
>
> Is there a simple way to clean out the /tmp folder in Linux, for us plebs?

https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up

> /var/log folder getting kinda robust too

Most apps that log there should have configurable log rotation policies.

> So I could not for the life of me figure out where the exploit was on my
> system until I watched the process carefully. I could kill the process
> easily enough (sudo top), but it would fire up again within 10-15 minutes.

'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your system, then you start grepping for what restarts that process upon boot (if it is).
--
digital man (rob)

Synchronet/BBS Terminology Definition #34:
FTN = FidoNet Technology Network
Norco, CA WX: 59.2°F, 68.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs
---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
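An added example, not code from this thread or from any poster: a first-pass triage script that does what Digital Man describes in his two replies (find the hungry process with ps, learn the full path of its binary, then grep for whatever restarts it) and adds the `/proc/<pid>/exe` and socket lookups a responder would want. The sample ps output, the `/tmp/.x/kswapd0` path and the `pool.example.invalid` hostname are constructed. Arelor's caveat stands: on a rootkitted host ps, readlink and grep may lie, so a clean result here is not proof of a clean system.

```shell
#!/bin/sh
# Added example, not code from the thread: first-pass triage of a suspected
# cryptominer on Linux. Follows the advice above (ps to find the hungry
# process and the full path of its binary, then grep for what restarts it)
# and adds /proc/<pid>/exe and socket lookups. Run the live part as root:
#   sh triage.sh --live [cpu-threshold]
# The sample ps output, paths and pool hostname below are constructed.

# ---- pure helpers (exercised offline at the bottom) -------------------------

# Constructed sample of `ps -eo pid,pcpu,user,args` output (not real data).
SAMPLE_PS='  PID %CPU USER     COMMAND
    1  0.0 root     /sbin/init
  812  0.3 www-data /usr/sbin/apache2 -k start
 4242 98.7 www-data /tmp/.x/kswapd0 -o pool.example.invalid:3333
 4250  1.2 andy     sshd: andy@pts/0'

# Print "PID COMMAND" for every row at or above the %CPU threshold in $1.
high_cpu() {
  awk -v t="$1" 'NR > 1 && $2 + 0 >= t { print $1, $4 }'
}

# True (0) when a binary path is where miners tend to hide: a world-writable
# temp directory, a hidden directory component, or a file deleted after
# launch. Heuristic only; e.g. ~/.local/bin trips the hidden-dir rule.
suspicious_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*|*/.*/*|*" (deleted)") return 0 ;;
    *) return 1 ;;
  esac
}

# ---- live checks (only run with --live) --------------------------------------

# Real binary behind a PID; survives argv[0] renaming and marks deleted files.
resolve_exe() {
  readlink "/proc/$1/exe" 2>/dev/null || echo "(no /proc entry)"
}

# Grep the usual restart hooks for a binary name or path.
find_persistence() {
  grep -rIl -- "$1" /etc/cron* /var/spool/cron /etc/systemd/system \
    /etc/rc.local /etc/profile.d /etc/ld.so.preload /root/.config/systemd \
    /home/*/.config/systemd /home/*/.bashrc /home/*/.profile 2>/dev/null
}

triage() {
  threshold="${1:-50}"
  echo "== processes at or above ${threshold}% CPU =="
  ps -eo pid,pcpu,user,args --sort=-pcpu | high_cpu "$threshold" |
  while read -r pid cmd; do
    exe=$(resolve_exe "$pid")
    flag=""
    suspicious_path "$exe" && flag=" <-- suspicious location"
    echo "pid=$pid cmd=$cmd exe=$exe$flag"
    echo "  sockets:"
    ss -tunp 2>/dev/null | grep "pid=$pid," | sed 's/^/    /'
    name=$(basename "$(printf '%s\n' "$exe" | sed 's/ (deleted)$//')")
    echo "  files referencing '$name' (what may restart it):"
    find_persistence "$name" | sed 's/^/    /'
  done
  echo "== per-user crontabs =="
  for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
  done
  echo "== systemd timers =="
  systemctl list-timers --all 2>/dev/null
}

# Offline demonstration on the constructed sample; prints the miner row.
printf '%s\n' "$SAMPLE_PS" | high_cpu 50

case "${1:-}" in --live) triage "${2:-50}" ;; esac
```

The persistence grep is what answers "why does it come back after I kill it": a cron entry, a systemd unit or timer, a shell profile line, or an `ld.so.preload` entry that references the binary is the thing to remove before the process, and the socket list ties the process to whatever port it is actually using rather than a guess from a port number seen in passing.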

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=27&group=DOVE-Net.Unix#27

Newsgroups: DOVE-Net.Unix
From: mro@VERT/BBSESINF (MRO)
To: Android8675
Subject: Ubuntu, Crypto Malware
Message-ID: <6387D174.835.dove-nix@bbses.info>
Date: Wed, 30 Nov 2022 08:56:04 -0600
X-Comment-To: Android8675
Path: rocksolidbbs.com!not-for-mail
Organization: bbses.info
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6387845B.2765.dove.dove-nix@realitycheckbbs.org>
References: <6387845B.2765.dove.dove-nix@realitycheckbbs.org>
X-FTN-PID: Synchronet 3.19b-Win32 master/a2a9dc027 Jan 2 2022 MSC 1928
X-FTN-CHRS: CP437 2
WhenImported: 20221130141049-0800 41e0
WhenExported: 20221130161822-0800 41e0
ExportedFrom: VERT dove-lnx 11231
WhenImported: 20221130155604-0600 4168
WhenExported: 20221130161043-0600 4168
ExportedFrom: BBSESINF dove-nix 835
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: MRO - Wed, 30 Nov 2022 14:56 UTC

Re: Ubuntu, Crypto Malware
By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

> I could only guess that the app was being run from a cloud drive somewhere
> using RADIUS to execute the code locally. I've no idea how that works, and I
> stopped just after because I was tired, but the problem hasn't returned so
> I might be OK without RADIUS, at least for now. I checked my router settings
> to make sure no erronious ports were open to the system (originally I had
> the system on the DMZ, but I figured now would be a good time to lock that
> down).
>
> At any rate, at least I didn't have to reinstall everything, but at some
> point I need to update to 22LTS. Something for another day.

you really should reinstall. they didn't exploit radius.
and it's good practice and keeps you on your toes to learn a way
to tear it down and put it up again after working out a system.

i wouldn't trust running an exploited system.

---
■ Synchronet ■ ::: BBSES.info - free BBS services :::

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=28&group=DOVE-Net.Unix#28

Newsgroups: DOVE-Net.Unix
From: android8675@VERT/SHODAN (Android8675)
To: Digital Man
Subject: Ubuntu, Crypto Malware
Message-ID: <638E3C24.366.dv-dove-nix@shodanscore.com>
Date: Mon, 5 Dec 2022 03:44:52 -0800
X-Comment-To: Digital Man
Path: rocksolidbbs.com!not-for-mail
Organization: SHODANs Core
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6387B4AE.11229.dove-lnx@vert.synchro.net>
References: <6387B4AE.11229.dove-lnx@vert.synchro.net>
X-FTN-PID: Synchronet 3.19c-Linux master/872bfda29 Dec 5 2022 GCC 9.4.0
X-FTN-CHRS: CP437 2
WhenImported: 20221205124744-0800 41e0
WhenExported: 20221205161815-0800 41e0
ExportedFrom: VERT dove-lnx 11233
WhenImported: 20221205104452-0800 41e0
WhenExported: 20221205124744-0800 41e0
ExportedFrom: SHODAN dv-dove-nix 366
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Android8675 - Mon, 5 Dec 2022 11:44 UTC

Re: Ubuntu, Crypto Malware
By: Digital Man to Android8675 on Wed Nov 30 2022 11:53 am

> Re: Ubuntu, Crypto Malware
> By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am
>
> > Is there a simple way to clean out the /tmp folder in Linux, for us plebs?
>
> https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up
>

Thanks...

> > /var/log folder getting kinda robust too
>
> Most apps that log there should have configurable log rotation policies.
>

Thanks again, will research...

> > So I could not for the life of me figure out where the exploit was on my system until I watched the process
>
> 'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your
> system, then you start grepping for what restarts that process upon boot (if it is).

I'll need to practice this. I find it odd that port 1812 isn't open in my router, so maybe there is another system infected causing this? Probably those fucking wifi lightbulbs I installed last week or some bullshit.

ha, thanks for your help DM.
--
Android8675@ShodansCore
---
■ Synchronet ■ Shodan's Core @ ShodansCore.com

Ubuntu, Crypto Malware

https://www.rocksolidbbs.com/dovenet/article-flat.php?id=29&group=DOVE-Net.Unix#29

Newsgroups: DOVE-Net.Unix
From: android8675@VERT/SHODAN (Android8675)
To: MRO
Subject: Ubuntu, Crypto Malware
Message-ID: <638E3C50.367.dv-dove-nix@shodanscore.com>
Date: Mon, 5 Dec 2022 03:45:36 -0800
X-Comment-To: MRO
Path: rocksolidbbs.com!not-for-mail
Organization: SHODANs Core
Newsgroups: DOVE-Net.Unix
In-Reply-To: <6387D174.835.dove-nix@bbses.info>
References: <6387D174.835.dove-nix@bbses.info>
X-FTN-PID: Synchronet 3.19c-Linux master/872bfda29 Dec 5 2022 GCC 9.4.0
X-FTN-CHRS: CP437 2
WhenImported: 20221205124744-0800 41e0
WhenExported: 20221205161815-0800 41e0
ExportedFrom: VERT dove-lnx 11234
WhenImported: 20221205104536-0800 41e0
WhenExported: 20221205124744-0800 41e0
ExportedFrom: SHODAN dv-dove-nix 367
Content-Type: text/plain; charset=IBM437
Content-Transfer-Encoding: 8bit
 by: Android8675 - Mon, 5 Dec 2022 11:45 UTC

Re: Ubuntu, Crypto Malware
By: MRO to Android8675 on Wed Nov 30 2022 03:56 pm

> you really should reinstall. they didn't exploit radius.
> and it's good practice and keeps you on your toes to learn a way
> to tear it down and put it up again after working out a system.
>
> i wouldn't trust running an exploited system.

I am seriously considering it. Just need to find the time.
--
Android8675@ShodansCore
---
■ Synchronet ■ Shodan's Core @ ShodansCore.com
