Bitcoin Forum
Topic: Found a hidden process, now what?  (Read 4182 times)
check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 19, 2012, 10:25:35 AM  #1

Code:
WARNING : info.procs changed during test : 366 (was 365)
WARNING : info.procs changed during test : 365 (was 366)
HIDDEN Processes Found: 1 sysinfo.procs = 365   ps_count = 366

I don't know if this is a false positive or if Jynx has evolved.

Quote
Gradually the Linux kernel has evolved, and it takes quite a lot more complex work to modify it to those ends, so currently the most effective way to install a rootkit on a Linux system is to go towards 'userland'.

Of this kind of rootkit there are two types: those which change the system binaries typically associated with that information (ps and friends), and more sophisticated rootkits which inject a library into the process.

Rootkits acting that way have long existed, but had remained somewhat hidden; relatively recently a fully functional implementation of a rootkit capable of infecting a Linux system today was released, and its name is Jynx.

This type of rootkit acts by injecting a shared library (.so) into all system processes.
http://7256log.blogspot.com/2011/10/analisis-de-jynx-linux-rootkit.html

Quote
Jynx Kit Userland Rootkit

Authored by ErrProne
Jynx Kit is an LD_PRELOAD userland rootkit. Fully undetectable by chkrootkit and rootkithunter. Includes magic packet SSL reverse back connect shell. Solid building block for further LD_PRELOAD rootkits.
http://packetstormsecurity.org/files/105893/Jynx-Kit-Userland-Rootkit.html

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ฿1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
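An added example (not from the thread, and not unhide's own code) of the cross-check whose output opens this post: enumerate /proc, probe every PID with kill(pid, 0), and repeat the comparison so that a process which starts or exits mid-scan (the source of the "info.procs changed during test" warnings) is filtered out rather than reported. It assumes a Linux /proc and is meant to be run as root so that EPERM does not mask anything.

```python
import os

def list_proc_pids(proc="/proc"):
    """PIDs visible by enumerating /proc, which is what ps and top rely on and
    what an LD_PRELOAD rootkit filters by hooking readdir()."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probe_pids(max_pid):
    """PIDs the kernel admits exist: kill(pid, 0) fails with ESRCH only when there
    is no such process; EPERM means it exists but belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def is_thread(pid, proc="/proc"):
    """A thread id also answers kill(tid, 0) but is not listed at the top level of
    /proc (it lives under /proc/<tgid>/task), so it must not be reported as hidden.
    Its status file shows Tgid != Pid."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False

def hidden_in_round(proc_pids, probed_pids, thread_check=is_thread):
    """PIDs the kernel knows about that /proc does not list, threads excluded."""
    return {p for p in probed_pids - proc_pids if not thread_check(p)}

def consistently_hidden(rounds, thread_check=is_thread):
    """Intersect the per-round results: a process that exits between the probe
    and the /proc listing shows up as 'hidden' once but not in every round, so it
    drops out instead of being reported (the 'procs changed during test' case)."""
    hidden = None
    for proc_pids, probed_pids in rounds:
        diff = hidden_in_round(proc_pids, probed_pids, thread_check)
        hidden = diff if hidden is None else hidden & diff
    return hidden or set()

def scan(rounds=3, max_pid=None):
    """Run the comparison several times on the live system and return the PIDs
    that were hidden in every round."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    snapshots = []
    for _ in range(rounds):
        probed = probe_pids(max_pid)
        snapshots.append((list_proc_pids(), probed))
    return consistently_hidden(snapshots)

if __name__ == "__main__":
    result = scan()
    print("hidden PIDs:", sorted(result) if result else "none")
```

A PID reported here should then be examined from a known-good boot, since a userland rootkit can hook everything ps, ls and cat use on the running system.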
John (John K.)
Global Troll-buster and
Legendary
Activity: 1092
June 19, 2012, 10:45:30 AM  #2

Do what Windows sysadmins used to do. Reformat!

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

Rugatu
Full Member
Activity: 182
June 19, 2012, 11:06:02 AM  #3

According to your first link, the text in Spanish says:

Quote
En resumen, lo que hacen este tipo de rootkits es añadir una línea en el fichero /etc/ld.so.preload apuntando hacia la librería del rootkit en la que se encuentran 're-escritas' ciertas funciones asociadas a la obtención de información del sistema.

Which translates to:

Quote
In summary, what this kind of rootkit does is write a new line in "/etc/ld.so.preload" pointing to the rootkit's library, in which certain system-info functions are rewritten.

So in order to "unhook" it you would have to manually edit that file and remove any strange .so libs you encounter.

Code:
sudo nano /etc/ld.so.preload

Have any questions? Q&A with BTCitcoins on Rugatu
check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 19, 2012, 09:41:41 PM  #4

Well, either the file is empty or its contents are hidden.

dooglus
Legendary
Activity: 1988
June 20, 2012, 02:23:08 AM  #5

The rootkit would make that file appear to be normal; that's what they do.

If you can boot from a known-good live CD then you'll be able to mount your root partition and see how that file really looks, before the rootkit has a chance to run and start masking itself.

Raoul Duke
aka psy
Legendary
Activity: 1442
June 20, 2012, 03:49:49 AM  #6

This is the usual fix for Windows computers, but I heard it also works on Linux.
http://www.youtube.com/watch?v=4JJsy4ABHkA

check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 21, 2012, 02:37:13 AM  #7

Something not correct is occurring: my auto updater, on Ubuntu 11.04 64bit, is asking me to update a language pack. I don't have Firefox, and Firefox isn't present anywhere on the network.

check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 23, 2012, 07:07:12 AM  #8

Quote
The rootkit would make that file appear to be normal; that's what they do.

If you can boot from a known-good live CD then you'll be able to mount your root partition and see how that file really looks, before the rootkit has a chance to run and start masking itself.

I'm going to have to do this for sure. All of the Linux tools I've used are coming up empty, top and the like, yet the system responds as if it is overloaded by too many processes.

When I ran strace, I found out why there is nothing in ld.so.preload:

Code:
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3

still looking...
Edit: RKH {Warning} Is this bad?

Code:
Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script text executable
Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

Checking for hidden files and directories       [ Warning ]
Warning: Hidden directory found: '/etc/.java'
Warning: Hidden directory found: '/dev/.udev'
Warning: Hidden directory found: '/dev/.initramfs'

Rugatu
Full Member
Activity: 182
June 23, 2012, 10:27:53 AM  #9

Yes, that looks really bad! Re-install your OS before it's too late.

Bitsky
Hero Member
Activity: 542
June 23, 2012, 10:59:43 AM  #10

While I don't want to stop anybody from doing whatever they want because they assume something is wrong, it would be a good idea to invest a little time into research, since that is faster and more reliable than blindly formatting, especially since rkhunter generates false positives too.

http://askubuntu.com/questions/1537/rkhunter-warning-about-etc-java-etc-udev-etc-initramfs
Also, on Ubuntu there should be debsums which can be used to verify packages.
Of course you can always reinstall, but you'll get the same messages again.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 23, 2012, 12:59:37 PM  #11

Yes, I have been able to see the scripts, which appear to be legitimate; therefore they must be false positives from RKH.
I'm now back to where I was before I downloaded, installed and misconfigured RKH.
I'll poke around with a manufactured Live CD some and try to discover what the fuss is about.

Would OSSEC HIDS be of value for seeing what is happening?

Foxpup
Legendary
Activity: 1694
June 23, 2012, 01:02:15 PM  #12

Quote
Yes, that looks really bad! Re-install your OS before it's too late.

It's perfectly normal. My known-good MEPIS 11 installation has exactly the same setup:
Code:
$ file /usr/sbin/adduser /usr/bin/ldd /usr/bin/lwp-request /bin/which
/usr/sbin/adduser:    a /usr/bin/perl script text executable
/usr/bin/ldd:         Bourne-Again shell script text executable
/usr/bin/lwp-request: a /usr/bin/perl -w script text executable
/bin/which:           POSIX shell script text executable
$ ls -d /etc/.* /dev/.*
/dev/.   /dev/.initramfs        /dev/.udev  /etc/..     /etc/.pwd.lock
/dev/..  /dev/.initramfs-tools  /etc/.      /etc/.java

My known-good Debian installation is identical except it does not have /dev/.initramfs or /dev/.initramfs-tools:
Code:
$ file /usr/sbin/adduser /usr/bin/ldd /usr/bin/lwp-request /bin/which
/usr/sbin/adduser:    Perl script, ASCII text executable
/usr/bin/ldd:         Bourne-Again shell script, ASCII text executable
/usr/bin/lwp-request: Perl script, ASCII text executable
/bin/which:           POSIX shell script, ASCII text executable
$ ls -d /etc/.* /dev/.*
/dev/.  /dev/..  /etc/.  /etc/..  /etc/.java  /etc/.pwd.lock

Will pretend to do unverifiable things (while actually eating an enchilada-style burrito) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
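An added example, not from the thread or from any of the tools named in it, that does offline what Rugatu's unhook step, the strace result in #8 and the debsums suggestion in #10 each do by hand: against a root partition mounted from a known-good live CD (dooglus's approach) it parses /etc/ld.so.preload and verifies every entry, plus any other files of interest such as the commands rkhunter flagged, against dpkg's md5sums records. The demo root, its package names and file contents are constructed for the example; the mount point would normally be something like /mnt.

```python
import glob
import hashlib
import os
import re
import tempfile

def parse_preload(text):
    """ld.so.preload entries are separated by whitespace or ':'; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return libs

def load_dpkg_md5sums(root):
    """Map 'usr/lib/x.so' -> (package, md5) from <root>/var/lib/dpkg/info/*.md5sums,
    the same records debsums checks against."""
    table = {}
    for path in glob.glob(os.path.join(root, "var/lib/dpkg/info/*.md5sums")):
        pkg = os.path.basename(path)[: -len(".md5sums")]
        with open(path) as f:
            for line in f:
                parts = line.split(None, 1)
                if len(parts) == 2:
                    table[parts[1].strip()] = (pkg, parts[0])
    return table

def verify_file(root, abs_path, table):
    """Classify one file on the mounted root: 'missing', 'unpackaged' (no package
    owns it, the interesting case for a preload library), 'modified' (hash differs
    from the package record, as a replaced /usr/bin/ldd would) or 'ok'."""
    rel = abs_path.lstrip("/")
    full = os.path.join(root, rel)
    if not os.path.exists(full):
        return "missing"
    if rel not in table:
        return "unpackaged"
    with open(full, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    return "ok" if digest == table[rel][1] else "modified"

def audit(root, extra_files=()):
    """Return {path: status} for every ld.so.preload entry plus any extra files."""
    table = load_dpkg_md5sums(root)
    preload = os.path.join(root, "etc/ld.so.preload")
    entries = []
    if os.path.exists(preload):  # absent is the healthy state, as the ENOENT in #8 shows
        with open(preload) as f:
            entries = parse_preload(f.read())
    return {p: verify_file(root, p, table) for p in entries + list(extra_files)}

def build_demo_root():
    """Constructed stand-in for a mounted root: a packaged library, a packaged
    script that was tampered with, and a preload file naming an unpackaged library."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    good = b"placeholder bytes standing in for libgood.so\n"
    put("usr/lib/libgood.so", good)
    put("usr/lib/libevil.so", b"not recorded by any package\n")
    put("usr/bin/ldd", b"#!/bin/bash\necho tampered\n")
    put("var/lib/dpkg/info/libgood.md5sums",
        hashlib.md5(good).hexdigest().encode() + b"  usr/lib/libgood.so\n")
    put("var/lib/dpkg/info/libc-bin.md5sums", b"0" * 32 + b"  usr/bin/ldd\n")
    put("etc/ld.so.preload", b"/usr/lib/libgood.so  # harmless\n/usr/lib/libevil.so\n")
    return root

if __name__ == "__main__":
    for path, status in audit(build_demo_root(), extra_files=["/usr/bin/ldd"]).items():
        print(f"{status:<10} {path}")
```

Because the check reads the mounted filesystem rather than asking the suspect system, the hooked libc of a running LD_PRELOAD rootkit never gets a chance to answer.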
check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 23, 2012, 01:18:49 PM  #13

Thanks Foxpup for the confirmation.

Quote
Something not correct is occurring: my auto updater, on Ubuntu 11.04 64bit, is asking me to update a language pack. I don't have Firefox, and Firefox isn't present anywhere on the network.

Quote
EvilGrade is a framework which exploits weaknesses in the auto-update services of multiple common software packages, and the attack performed by this framework is one of the best examples of client exploitation. This framework tricks the service into believing there is a signed update available for the product, thus prompting the user to install the upgrade, where the upgrade is the attacker's payload. This type of attack is a bit difficult for a normal user to detect, since they don't see anything suspicious and the upgrade looks legitimate.

We can use this framework in combination with DNS spoofing or a man-in-the-middle attack in order to spoof the software upgrade. This tricks the victim into downloading the upgrade, thereby executing our malicious arbitrary code.

EvilGrade supports various famous software like Notepad, iTunes, Java plug-in, WinZip, Winamp, DAP, OpenOffices, LinkedIn, Speedbit, etc.

Evilgrade takes advantage of various applications because most of these verify neither the update contents nor the master update server. Basically, in this type of attack, the attacker seeks to modify the DNS traffic of the victim and return them to some other IP address controlled by the attacker.
http://resources.infosecinstitute.com/hacking-autoupdate-evilgrade/

Rugatu
Full Member
Activity: 182
June 23, 2012, 01:26:47 PM  #14

Thanks check_status, it is true that every day we learn something new.

check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 24, 2012, 02:15:54 AM  #15

If Firefox had been installed, and the update had appeared to be legitimate in Ubuntu's 'update-notifier' application, I would have clicked it, even though only a language pack was available for update. It's also entirely possible I already installed some malware because of this EvilGrade method.

How can you determine which IPs update-notifier is providing the update from?
Is it possible to force the sources.list addresses to use a hosts file instead of DNS?
Can tzdata be removed from Ubuntu without breaking its ability to function?

Rugatu
Full Member
Activity: 182
June 24, 2012, 03:40:37 AM  #16

If you put at least one of those questions on Rugatu you will really make some bitcoiners happy.

Foxpup
Legendary
Activity: 1694
June 24, 2012, 04:07:52 AM  #17

Quote
Is it possible to force the sources.list addresses to use a hosts file instead of DNS?

I'm pretty sure the hosts file is always preferred over the network's DNS server anyway, though this probably can't be relied upon if you suspect a rootkit. You can, however, put the repo's IP address directly in the sources.list file, e.g.:
Code:
deb ftp://130.89.148.12/debian/ squeeze main contrib non-free
(though this also shouldn't be relied upon if you've got a rootkit)

Quote
Can tzdata be removed from Ubuntu without breaking its ability to function?

No. What's tzdata got to do with anything anyway?

check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 24, 2012, 06:04:53 AM  #18

Quote
Is it possible to force the sources.list addresses to use a hosts file instead of DNS?
I'm pretty sure the hosts file is always preferred over the network's DNS server anyway, though this probably can't be relied upon if you suspect a rootkit. You can, however, put the repo's IP address directly in the sources.list file, e.g.:
Code:
deb ftp://130.89.148.12/debian/ squeeze main contrib non-free
(though this also shouldn't be relied upon if you've got a rootkit)

Then I will do this when/if I reinstall the OS; I want to gather more details first, though, before I nuke stuff.

Quote
Can tzdata be removed from Ubuntu without breaking its ability to function?
No. What's tzdata got to do with anything anyway?

tzdata is one of a small list of programs that are allowed complete internet access through all IDSs and firewalls.
I had strange behavior appear after wipes and reinstalls, only after the very first internet connection, which seemed to affect gnome, network-manager and screensaver (affected in that order). My internal domain would change to a BlackBerry ID. With no internet connectivity after installation, gnome, network-manager and screensaver did not wig out and the internal domain name did not change. Because of this, I thought the possible infection was occurring through some first-connect event: DNS, or the first outbound-connecting program after the network is up. I eliminated ntpd and bluez before first connect and the issues still occurred. Outside of tzdata and DNS, I'm not aware of what else could be contributing to this behavior.

Foxpup
Legendary
Activity: 1694
June 24, 2012, 08:17:03 AM  #19

Quote
tzdata is one of a small list of programs that are allowed complete internet access through all IDSs and firewalls.

What are you talking about? tzdata is a collection of data files (as the name suggests), and contains no programs. The only executable file related to it (tzconfig) is actually just a shell script consisting entirely of an echo command displaying installation instructions. Nothing related to tzdata should be accessing the network in any way, and you can safely delete any executable files related to it.

check_status
Full Member
Activity: 196
Web Dev, Db Admin, Computer Technician
June 25, 2012, 02:28:04 AM  #20

Quote
tzdata is one of a small list of programs that are allowed complete internet access through all IDSs and firewalls.
What are you talking about? tzdata is a collection of data files (as the name suggests), and contains no programs. The only executable file related to it (tzconfig) is actually just a shell script consisting entirely of an echo command displaying installation instructions. Nothing related to tzdata should be accessing the network in any way, and you can safely delete any executable files related to it.

Well then, I must have misunderstood the Ubuntu help code boxes that show tzdata collecting local and UTC time, assuming it had network functions. Since I don't need to put any more time and effort into tzdata I can focus on more probable targets.

pcap:
Will pcap files gathered from/on a system that may be infected provide useful data?
I don't have a switch that can do port mirroring, so what methods would help me to overcome this limitation?
 
