Help with Ubuntu 12.04 possible intrusion


joey-world

OK, so I'm a Linux guy, I love security, and finally I have an issue with my Ubuntu 12.04.

I believe that, some way, somehow, I got hacked.

It's difficult for me to believe it.

One day I was making a regular check on the system, to make sure everything was in its right place, and I found myself facing the following:

chkrootkit log:

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo /usr/lib/debug/.build-id /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path
/usr/lib/debug/.build-id

Those files are indeed installed by me, but they are disturbing my peace.

As I continue reading the log... I find this:

wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1607], /sbin/dhclient[1817])

and this:

Checking `z2'... user "USERNAME" deleted or never logged from lastlog!

Which was kind of odd to me, since as I remember I did set up logs for my user (the only user). I don't know if the packet sniffer is Wireshark (which I have installed) or Zenmap (which I have installed too).

My firewall is completely closed, and I only open ports for the programs I use, that is, the basic ones:

http, https, DNS, etc.

Besides that, everything is closed, and I never download anything from unknown or untrusted sources. There's also firewall filtering that drops the connection for ping probes.

Well, I continued trying to find out what the problem was, so I ran the virus scanner (ClamAV),

and I got this:

/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-14/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-15/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/Development Android/adt-bundle-linux/sdk/system-images/android-16/armeabi-v7a/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/.wine/drive_c/windows/syswow64/INKED.DLL: PUA.Win32.Packer.MsVisualCpp-2 FOUND

/home/USERNAME/Development Android/adt-bundle-linux/sdk/platforms/android-13/images/userdata.img ANDR.Trojan.GingerBreak
/home/USERNAME/Development Android/adt-bundle-linux/sdk/platforms/android-12/images/userdata.img ANDR.Trojan.GingerBreak
/home/USERNAME/Development Android/adt-bundle-linux/sdk/add-ons/addon-dual_screen_apis-kyocera_corporation-8/tools/emulator_dualscreen_win.exe PUA.Win32.Packer.MingwGcc-2

The list goes on and on; I cleaned up by sending everything to quarantine.

Two days later I ran the next scan, and found this with ClamAV:

/home/USERNAME/.mozilla/firefox/jublccms.default/Cache/8/7C/1D54Cd01 PUA.JS.Xored
/home/USERNAME/.mozilla/firefox/jublccms.default/Cache/0/C4/A5221d01 PUA.JS.Xored

It is helpful to add that I never go to any web page that I don't know. At most I follow about 10 different web pages, and that's it. I have never had problems before, and all of a sudden I have a lot of suspicious activity.

The question is: what should I do?

Thank you for your help.


It's hard to tell from what you've said if you have an infection or if it is just something playing up with your scanners. You could try uploading some of the affected files to VirusTotal and see what other scanners think. The ones you've mentioned are either Windows or Android, so they wouldn't run under Linux; I doubt they would even under Wine. The two JS files are mentioned here http://ubuntuforums.org/showthread.php?t=2042687 and don't appear to be a problem.

Simplest advice: wipe the system and reinstall from the ground up. It's the only safe way to recover from an attack/malware, and if you aren't sure then you have to assume a compromise of some kind (although I'd say it looks unlikely).

The only comment I can make on the info you've provided is about the firewall, you say it is locked down so only "ports you use are open". Is this outbound or inbound? If it is outbound then any malware or attacker that calls back home could simply use one of those ports, if you mean inbound then just by having those open you've exposed a reasonable attack surface.


The only comment I can make on the info you've provided is about the firewall, you say it is locked down so only "ports you use are open". Is this outbound or inbound? If it is outbound then any malware or attacker that calls back home could simply use one of those ports, if you mean inbound then just by having those open you've exposed a reasonable attack surface.

Yes, I'm aware of reverse connection backdoors, and my firewall blocks both inbound and outbound, and I have some rules for specific ports that can be used.

For example, I am forced to allow DNS (53 outbound), otherwise I will not resolve domain names for web pages; another example, I have HTTP (80 outbound), otherwise I will not be able to connect to web pages. Each necessary service was manually configured. I know it's still a threat to have those ports open, but it's impossible to close those ones; you may as well remove your wireless and Ethernet ports, right? n.n

Thank you for your advice.

I will keep checking the computer for more anomalies. If I still have issues, then I guess I will have no other option but to wipe everything and restart all over again.

It's just that it's too much work, for a "maybe", you know.

Best Regards


Yes, I'm aware of reverse connection backdoors, and my firewall blocks both inbound and outbound, and I have some rules for specific ports that can be used.

For example, I am forced to allow DNS (53 outbound), otherwise I will not resolve domain names for web pages; another example, I have HTTP (80 outbound), otherwise I will not be able to connect to web pages. Each necessary service was manually configured. I know it's still a threat to have those ports open, but it's impossible to close those ones; you may as well remove your wireless and Ethernet ports, right? n.n

I don't know the best way to do it on Linux but on OSX I used to use an app called Little Snitch that would lock down which apps could connect outbound, everything was disabled unless specifically allowed. My text editor never needed to do DNS requests so it couldn't talk out on port 53. That kills a lot of malware as they have to get into the processes that are allowed out.

It's just that it's too much work, for a "maybe", you know.

Depends on how much you trust/rely on the system. It sounds like you've put some effort into securing it which means you are slightly worried about attacks, how much will it nag at you to know that there might be something in there if you don't rebuild?

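As an added example (not code from anyone in this thread), here is the nearest stock-Linux equivalent of that per-application outbound control: a default-deny iptables ruleset, built as data so it can be inspected before it is applied, that opens only the outbound DNS/HTTP/HTTPS holes discussed above and pins the web holes to a single uid with the iptables owner match. The uid 1000 and the ALLOW_OUT entries are assumptions.

```python
import subprocess

# Outbound allow-list as data: (protocol, port, uid or None). Constructed example values;
# uid 1000 is assumed to be the one desktop user. Restricting a hole to a uid uses the
# iptables "owner" match, the nearest stock-kernel analogue of per-app outbound control.
ALLOW_OUT = [
    ("udp", 53, None),   # DNS: any local process may resolve names
    ("tcp", 53, None),   # DNS over TCP for large answers
    ("tcp", 80, 1000),   # web only from the desktop user's processes
    ("tcp", 443, 1000),
]

def build_rules(allow=ALLOW_OUT, ipt="iptables"):
    """Return argv lists for a default-deny ruleset (both directions) with the given holes."""
    rules = [
        [ipt, "-F"],
        [ipt, "-P", "INPUT", "DROP"],        # nothing unsolicited comes in (ping included)
        [ipt, "-P", "FORWARD", "DROP"],
        [ipt, "-P", "OUTPUT", "DROP"],       # nothing leaves unless listed below
        [ipt, "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        [ipt, "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        # replies to connections this host opened are the only inbound traffic accepted
        [ipt, "-A", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
         "-j", "ACCEPT"],
    ]
    for proto, port, uid in allow:
        rule = [ipt, "-A", "OUTPUT", "-p", proto, "--dport", str(port)]
        if uid is not None:
            rule += ["-m", "owner", "--uid-owner", str(uid)]
        rules.append(rule + ["-j", "ACCEPT"])
    return rules

def apply_rules(rules, runner=subprocess.run):
    """Apply each rule in order; `runner` is injectable so the set can be dry-run."""
    for argv in rules:
        runner(argv, check=True)
    return len(rules)
```

Run it as root with `apply_rules(build_rules())`; a process outside uid 1000 that tries to reach port 80 is then dropped at the OUTPUT chain rather than allowed through an open port.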

The only real weird thing I see is:

Checking `z2'... user "USERNAME" deleted or never logged from lastlog!

- The packet sniffer (which really isn't a sniffer; it's for WPA/DHCP on wlan)

- The java you installed yourself

- The Android stuff seems to be a false positive (just google for it)

- The PUAs (Potentially Unwanted Applications). They're probably needed by some Wine program you're running, or for a website (PUA.JS.Xored is just JavaScript, probably a false positive)


BFR (Backup, format, reinstall). Say it with me... In the event of a compromised system, that's really the only true way of knowing that you are clean. Sucks, but it's a reality all of us face. The fact you think you caught something is at least a good thing, even if there was no compromise, because most users never bother to check or know where to begin, so +1 for admin paranoia. It's worth it and I'm the same way.


As I continue reading the log... I find this:

wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1607], /sbin/dhclient[1817])

I just ran into this on a fresh, never plugged into the net, install of 12.10. Turns out it's just the way chkrootkit reacts to dhclient because it's passing raw packets. I did 5 fresh installs and 3 low-level formats in 3 days over this and your .noinit flag. I checked my DVD against SHA-256 and all, so my install medium is legit. If you can get false positives with modern paid-for solutions, I'm sure open-source solutions are no different.

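As an added example (not code from anyone in this thread), a small triage script for the kind of chkrootkit and ClamAV lines quoted above: it separates raw-socket holders that are expected network daemons (wpa_supplicant, dhclient) from unknown binaries, keeps the lastlog warning as something to verify, and sorts ClamAV hits by what platform the signature prefix actually targets. The allow-list, the eth0 line and the Unix.Trojan.Example signature are constructed.

```python
import re

# Constructed sample modelled on the chkrootkit and ClamAV lines quoted in this thread;
# the eth0 line and the Unix.Trojan.Example hit are invented to show the "needs a look" path.
SAMPLE_LOG = """\
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[1607], /sbin/dhclient[1817])
eth0: PACKET SNIFFER(/tmp/.x/sniff[4242])
Checking `z2'... user "USERNAME" deleted or never logged from lastlog!
/home/USERNAME/Development Android/sdk/android-14/userdata.img: ANDR.Trojan.GingerBreak FOUND
/home/USERNAME/.wine/drive_c/windows/syswow64/INKED.DLL: PUA.Win32.Packer.MsVisualCpp-2 FOUND
/home/USERNAME/.mozilla/firefox/jublccms.default/Cache/8/7C/1D54Cd01 PUA.JS.Xored
/usr/local/bin/evil: Unix.Trojan.Example FOUND
"""
# Daemons that legitimately hold raw sockets on a laptop (assumed allow-list; tune per host).
EXPECTED_RAW_SOCKET = {"/sbin/wpa_supplicant", "/sbin/dhclient"}
# ClamAV signature prefix -> what platform the sample targets (anything else needs a look).
PLATFORM = {"PUA.": "pua, not necessarily malicious", "ANDR.": "android-only, inert on Linux",
            "Win.": "windows-only, inert on Linux"}

SNIFFER_RE = re.compile(r"^(?P<iface>\w+): PACKET SNIFFER\((?P<procs>.*)\)$")
PROC_RE = re.compile(r"(?P<path>\S+?)\[(?P<pid>\d+)\]")
LASTLOG_RE = re.compile(r'user "(?P<user>[^"]+)" deleted or never logged from lastlog')
CLAM_RE = re.compile(r"^(?P<path>.+?):?\s+(?P<sig>[A-Za-z0-9_.-]+)(\s+FOUND)?$")

def classify_signature(sig):
    return next((v for k, v in PLATFORM.items() if sig.startswith(k)), "REVIEW")

def triage_line(line):
    """Return (kind, subject, verdict) for one report line, or None if it is not a finding."""
    line = line.strip()
    m = SNIFFER_RE.match(line)
    if m:  # promiscuous/raw sockets: fine for DHCP/WPA daemons, suspicious for anything else
        paths = [p.group("path") for p in PROC_RE.finditer(m.group("procs"))]
        unknown = [p for p in paths if p not in EXPECTED_RAW_SOCKET]
        return ("sniffer", m.group("iface"),
                ("REVIEW " + ",".join(unknown)) if unknown else "expected dhcp/wpa")
    m = LASTLOG_RE.search(line)
    if m:  # missing lastlog entry: compare with /var/log/wtmp before accepting it
        return ("lastlog", m.group("user"), "REVIEW")
    m = CLAM_RE.match(line)
    if m and "." in m.group("sig"):  # real signature names always contain dots
        return ("clamav", m.group("path"), classify_signature(m.group("sig")))
    return None

def triage(text):
    """Parse a whole report; return the findings and how many still need a human look."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    return findings, sum(1 for f in findings if f[2].startswith("REVIEW"))
```

Feed it the real chkrootkit and clamscan output and only the REVIEW entries are left to chase by hand; on the sample, that is the unknown raw-socket binary, the lastlog warning and the Unix-targeted hit.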

Thank you so much for your great advice guys.

I am a little bit relieved now, you could say.

I stick to admin paranoia and I will reformat later. Yes, it may be unnecessary (according to my Linux teacher at the university). But like I say, better safe than sorry. The only thing that hurts is all the time it took to harden the system. Thanks to this I've been thinking about the idea of setting up a script to install and configure all the "tweaks" needed on a fresh installation. How about that? :)

That way other users can benefit from it too.

Thank you again for all the time and effort you guys have put into this topic.

Best Regards

joey-world


There is a script or set of scripts out there, I forget what the name is, that hardens Linux and does essential hardening. I know someone mentioned it on the forums before, but it's been a while since the topic came up. Think of it like the Suhosin patch for PHP; it kind of does the same thing with Linux. It more or less adds firewall rules, turns off unessential ports, services, etc., and lets you tweak what runs on startup and so on. I wish I used Linux more, because I'm the kind of person who takes a default VLC install and hex edits it to run as root..lol. But I am just as paranoid about intrusions as the next person; I just think it's silly for VLC to force a wrapper or lower-level user on users of systems who are only going to be running as root 99% of the time, like I do with BT5. I don't care if I get hacked on BT5 on my laptop because there is nothing personal tied to it and it's more or less just for experimenting with. If it were, say, my home desktop, then yeah, I would create a new user, harden it, etc., but I have no need for it. The most I did was change host names, passwd, and startup services and fix broken things like getting sound to work on my laptop. I just need it to work, and if it gets whacked I always carry a live disc with me anyway, so I couldn't care less, since the laptop is almost always used exclusively remotely in combo with OpenVPN anyway, so no one's really going to be able to see my traffic.


I've nuked from orbit so many times at this point, every OS is basically a slightly modified live cd. Sometimes you just have to let go and stop reading your damn logs and get on with your life. Don't forget you are running Linux instead of windows for crying out loud. You are already much safer, even if you can't understand every scary entry you see in syslog.


Digip, was it http://bastille-linux.sourceforge.net/ ??

Thanks,

-Foxtrot

That might have been it. I know it was mentioned in a thread someone asked me about and I had never heard of it, but that might be the one.

  • 2 weeks later...

Thank you again for your information guys.

I was researching about it.

I found the same log even with a fresh installation. I stopped the network, and it seems the log entry doesn't come out anymore. So I figure it is a regular false positive.

Anyway, I had started finishing up my fresh installation of Ubuntu when I got this:

http://forums.hak5.org/index.php?/topic/29101-ubuntu-and-china/

My heart was broken. I recommend reading the information. Take care, guys.
