joey-world Posted March 5, 2013

Ok so I'm a Linux guy, I love security, and finally I have an issue with my Ubuntu 12.04. I believe that, someway, somehow, it got hacked. It's difficult for me to believe it. One day I was making a regular check on the system, to make sure everything was in its right place, and I found myself facing the following chkrootkit log:

Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path
/usr/lib/debug/.build-id

Those files are indeed installed by me, but they are bothering my peace. As I continue reading the log, I find this:

wlan0: PACKET SNIFFER(/sbin/wpa_supplicant, /sbin/dhclient)

and this:

Checking `z2'... user "USERNAME" deleted or never logged from lastlog!

Which was kind of odd for me, since as I remember I did set up logs for my user (only user). I don't know if the packet sniffer is Wireshark (which I have installed) or Zenmap (which I have installed too). My firewall is completely closed, and I only open ports for the programs I use, that is, the basic ones: http, https, DNS, etc. Besides that everything is closed, and I never download anything from unknown or untrusted sources. There's also firewall filtering that drops the connection for ping probes.

Well, I continued trying to find out what the problem was, so I ran the virus scanner (ClamAV), and I got this:

/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-14/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-15/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-16/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/.wine/drive_c/windows/syswow64/INKED.DLL: PUA.Win32.Packer.MsVisualCpp-2 FOUND
/home/USERNAME/Development Android/adt-bundle-linux/sdk/platforms/android-13/images/userdata.img ANDR.Trojan.GingerBreak
/home/USERNAME/Development Android/adt-bundle-linux/sdk/platforms/android-12/images/userdata.img ANDR.Trojan.GingerBreak
/home/USERNAME/Development Android/adt-bundle-linux/sdk/add-ons/addon-dual_screen_apis-kyocera_corporation-8/tools/emulator_dualscreen_win.exe PUA.Win32.Packer.MingwGcc-2

The list goes on and on. I cleaned up by sending everything to quarantine. I took two days to do the next scan, and found this with ClamAV:

/home/USERNAME/.mozilla/firefox/jublccms.default/Cache/8/7C/1D54Cd01 PUA.JS.Xored
/home/USERNAME/.mozilla/firefox/jublccms.default/Cache/0/C4/A5221d01 PUA.JS.Xored

It is helpful to add that I never go to any other webpage that I don't know. At the most I follow only about 10 different web pages, and that's it. I have never had problems before, and all of a sudden I have a lot of suspicious activity. The question is: what should I do? Thank you for your help.
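An added triage helper, not code from the poster, from chkrootkit or from ClamAV: it parses scanner output lines like the ones quoted above and ranks them by how much attention they need, so the hidden-file and lastlog warnings, the packet-socket report and the ClamAV hits can be worked through in order rather than all at once. The allow-list of daemons that legitimately hold packet sockets (which is what chkrootkit's sniffer test reports) and the path heuristics for SDK emulator images and browser cache objects are assumptions for a typical Ubuntu desktop; the sample input is constructed from the kind of lines the post quotes, with one made-up high-severity entry added so every branch is exercised.

```python
"""Triage scanner output: parse chkrootkit and clamscan lines, rank what to look at first."""
import os
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input, modelled on the lines quoted in the post. The last clamscan
# line is invented (placeholder signature name) so the "high" branch is exercised.
CHKROOTKIT_SAMPLE = """\
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo
/usr/lib/debug/.build-id
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant, /sbin/dhclient)
Checking `z2'... user "USERNAME" deleted or never logged from lastlog!
"""
CLAMSCAN_SAMPLE = """\
/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-14/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/.wine/drive_c/windows/syswow64/INKED.DLL: PUA.Win32.Packer.MsVisualCpp-2 FOUND
/home/USERNAME/.mozilla/firefox/jublccms.default/Cache/8/7C/1D54Cd01: PUA.JS.Xored FOUND
/etc/cron.d/.hidden: Example.Constructed.Signature FOUND
"""

# Assumption: daemons that legitimately open packet/raw sockets on a client machine
# (DHCP needs raw sockets, wpa_supplicant uses packet sockets for EAPOL). chkrootkit's
# sniffer test reports any process holding such a socket, so these are expected hits.
KNOWN_PACKET_SOCKET_USERS = {"dhclient", "dhcpcd", "wpa_supplicant", "NetworkManager"}

SNIFFER_RE = re.compile(r"^(\S+): PACKET SNIFFER\((.*)\)$")
LASTLOG_RE = re.compile(r'user "([^"]+)" deleted or never logged from lastlog')
CLAM_RE = re.compile(r"^(.*): (\S+) FOUND$")
SEVERITY_ORDER = {"high": 0, "review": 1, "low": 2, "expected": 3}


@dataclass
class Finding:
    source: str     # "chkrootkit" or "clamav"
    item: str       # path, interface or user name
    detail: str     # signature or test name
    severity: str   # one of SEVERITY_ORDER
    next_step: str  # what a defender should do about it


def parse_chkrootkit(text):
    """Turn chkrootkit output into Findings; hidden files stay 'review' until ownership is checked."""
    findings, in_file_list = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("The following suspicious files"):
            in_file_list = True
            continue
        if m := SNIFFER_RE.match(line):
            in_file_list = False
            procs = [p.strip() for p in m.group(2).split(",")]
            unknown = [p for p in procs if os.path.basename(p) not in KNOWN_PACKET_SOCKET_USERS]
            findings.append(Finding(
                "chkrootkit", m.group(1), "sniffer: " + ", ".join(procs),
                "high" if unknown else "expected",
                f"unexpected packet-socket holder(s): {unknown}" if unknown
                else "network daemons normally hold packet sockets; no action"))
        elif m := LASTLOG_RE.search(line):
            in_file_list = False
            findings.append(Finding(
                "chkrootkit", m.group(1), "z2 (lastlog)", "review",
                "compare with `lastlog` and `last`; check whether /var/log/lastlog was truncated or rotated"))
        elif in_file_list and line.startswith("/"):
            findings.append(Finding(
                "chkrootkit", line, "hidden file/dir", "review",
                f"run `dpkg -S {line}`: a file owned by an installed package is expected, an orphan is not"))
    return findings


def classify_clam(path, sig):
    """Severity and next step for one clamscan hit (heuristics are assumptions, tune per host)."""
    if "/sdk/" in path and path.endswith("userdata.img"):
        return "review", ("emulator image shipped with the Android SDK; verify the SDK archive "
                          "checksum against the vendor's published value before treating it as a compromise")
    if "/.mozilla/firefox/" in path and "/Cache/" in path:
        return "low", "browser cache object; record its mtime to identify the visit, then clear the cache"
    if sig.startswith("PUA."):
        return "low", "PUA = packer/obfuscation heuristic, not a named malware family; confirm what installed the file"
    return "high", "detection outside cache/SDK paths; hash and preserve the file, then check package ownership"


def parse_clamscan(text):
    findings = []
    for line in text.splitlines():
        if m := CLAM_RE.match(line.strip()):
            path, sig = m.groups()
            sev, step = classify_clam(path, sig)
            findings.append(Finding("clamav", path, sig, sev, step))
    return findings


def triage(chkrootkit_text, clamscan_text):
    """All findings from both tools, most urgent first (sort is stable, so input order is kept within a level)."""
    findings = parse_chkrootkit(chkrootkit_text) + parse_clamscan(clamscan_text)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(CHKROOTKIT_SAMPLE, CLAMSCAN_SAMPLE)
    for f in results:
        print(f"[{f.severity:8}] {f.source}: {f.item} ({f.detail})\n           -> {f.next_step}")
    print(summarize(results))
```

Run against real output, replace the sample strings with `open("chkrootkit.log").read()` and `open("clamscan.log").read()`; the point of the ranking is that a packet socket held by dhclient and a hidden file owned by a Debian package cost a few seconds to confirm, while an unexplained detection under a system path is where the time should go.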