#1 (Just Joined!, joined Sep 2007, 10 posts)

New Virus For Ubuntu/Linux?


    Hi Guys,

Well, here I was doing some research online for work, no apps open except the browser (FF3 or Epiphany, can't remember) and two terminals running htop. Suddenly I noticed htop displaying CPU usage at 100%: there was a process "whiptail" running, killing my CPU at 100%. htop couldn't kill it (apparently invoked by root, right?), so I had to manually sudo kill it. There was also a --nocancel parameter I noticed, but I can't remember what else I saw. Then, after this process was dead, my CPU immediately jumped to 100% again, but this time it was dpkg that started doing something. I didn't realize what it was doing at first; I figured it was doing an automatic update and went back to work. Then suddenly I lost network connection while simultaneously realizing that I have auto-updates turned off (only notifications are on). Taking a closer look at the dpkg process in htop, I noticed that it was uninstalling a whole bunch of programs. Before I knew it, half my system was gone and none of the icons on my desktop worked. I quickly shut down and rebooted the system, but everything was gone. No GNOME, no nothing. startx does nothing either; it says something about X being misconfigured. I went into recovery mode and tried a few things, but it was no use because everything was gone anyway. I am writing this from the Live CD.

I have to work, so I am contemplating whether I should reinstall everything or leave the system the way it is now so I can extract any useful info to post here.

(Also posted this on ubuntuforums, in case you are interested in the replies there; you can search for the same title.)

#2 bigtomrodney (Linux Guru, Ireland, joined Nov 2004, 6,133 posts)
    Whiptail is a dialog box system. If anything someone has cracked you over ssh. Are you running ssh with a reasonably simple password? On the default ssh port of 22?

#3 (Just Joined!, South West England, joined Aug 2005, 91 posts)
    Here are some tips to stop it happening in the future.

Someone could have got in through a potential exploit and used whiptail as something to distract the system, or as a rootkit. Alternatively, whiptail might have a bug that does this for some obscure reason.

Always update, all the time. Are you keeping your system updated?
Keep all your passwords completely secure (lower case, upper case, numbers, symbols, etc.) and use a firewall, with outgoing ports limited to only the ones you use, and
incoming as nothing (or some of them if necessary).

    Uninstall programs you don't need


Use:
Code:
netstat -anlp | grep LISTEN
to check if anything is listening on these ports (backdoors, etc.).

    I regularly (usually) reinstall to rid me of anything that might be something like this.
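The netstat check above only tells you what is listening; the useful step is comparing that against what you expect to be listening. The script below is an added example written for this page (not code from any poster): it parses socket-table output in the format of `ss -H -tulpn` (or `netstat -tulpn`), which is fed in as text, and prints every listener whose port is not in an allowlist. The sample table and the allowlist of ports 22, 631 and 68 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an allowlist.
# SAMPLE is a constructed excerpt in the style of `ss -H -tulpn`.
# For real use replace it with live output:  unexpected_listeners "$(ss -H -tulpn)" "$ALLOWED_PORTS"

# Ports this machine is expected to have open (assumed: sshd, cupsd, dhclient).
ALLOWED_PORTS="22 631 68"

# Constructed sample (not from the original thread).
SAMPLE='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 5   127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=900,fd=6))
tcp   LISTEN 0 10  0.0.0.0:4444   0.0.0.0:* users:(("nc",pid=2310,fd=3))
udp   UNCONN 0 0   0.0.0.0:68     0.0.0.0:* users:(("dhclient",pid=640,fd=6))'

# unexpected_listeners TABLE ALLOWED_PORTS
# Prints "proto port process" for each socket whose local port is not allowlisted.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            # column 5 is the local address; the port follows the last colon
            # (works for 0.0.0.0:22, 127.0.0.1:631 and [::]:22 alike)
            port = $5; sub(/.*:/, "", port)
            proc = "?"
            # pull the process name out of users:(("name",pid=...)) when present
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (!(port in ok)) print $1, port, proc
        }'
}

unexpected_listeners "$SAMPLE" "$ALLOWED_PORTS"
```

Run it as root so `ss`/`netstat` can resolve the owning process; a listener you cannot account for (here the `nc` on 4444) is the thing to investigate, not merely firewall.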

#4 (Just Joined!, joined Sep 2007, 10 posts)
    Thanks for replying bigtomrodney and dandart.

I have to admit, I do have ssh running on the default port 22. However, I do also have everything firewalled, configured using ufw. What I can't remember is whether I had allowed port 22; I will check and post an update.

Also, I had just formatted my system recently and installed a fresh copy of Ubuntu 8.10, so there were practically no new programs. What I just realized now, though, is that I had installed AllTray and mailnotify (Mail Notification) from the Ubuntu repos this morning, since I was trying to figure out the best way to have the Evolution mail client minimized on the task bar.

At least the good thing about this is that I had just backed up everything a few days ago when I formatted, so I didn't lose much. Plus, my home dir is intact too. Just a mass uninstallation of programs. I try to keep a close eye on the system, which is why I had htop open. Actually, one htop was monitoring my other system over ssh (which is running as a server in the same residence).

So what's the best way to prevent this from happening again, guys? My passwords are quite secure, containing numbers, symbols and letters. What would be the best possible config for my firewall? Perhaps that was it. I will post the allow/deny stuff soon.


    Thanks again for the help!

#5 bigtomrodney (Linux Guru, Ireland, joined Nov 2004, 6,133 posts)
From memory, when installing ssh myself, the package script opens the firewall itself to allow it to work. As a start I would change the port in /etc/ssh/sshd_config and restart the service. Also, on the off chance you have set a root password, make sure you disable root login over ssh.

Port 22 is scanned all the time, I find. At one point, running my humble home computer, I was scanned 1000 times on port 22 in a week. I switched to another higher port and have yet to be scanned once (I check my logs regularly). It's all script-kiddie stuff. Getting off that port would be a good start, unless someone is intent on hacking your particular PC. Then it's tinfoil hat time.

#6 (Just Joined!, joined Sep 2007, 10 posts)
Thanks again bigtomrodney. I can't think why anyone would want to hack into my laptop; I don't store anything there. Good thing my server, where all the important stuff is, can't even be reached from the internet, or even the local network, until I plug it in manually when I need it lol.

I didn't know ssh opens up the firewall. I will definitely change that port as you suggested. By the way, where are those logs that you speak of, where I can see what ports were scanned? /var/log/*, but which file?

    Thanks again!

#7 bigtomrodney (Linux Guru, Ireland, joined Nov 2004, 6,133 posts)
    I usually want to see all of the logs pertaining to ssh, so I run the following command
    Code:
    sudo grep -ir ssh /var/log/* |less
    sudo grep -ir breakin /var/log/* |less
    sudo grep -ir attempt /var/log/* |less
Each one can be paged through using the cursor keys or the space bar. It gives me a good idea of what's going on.

#8 (Just Joined!, joined Sep 2007, 10 posts)
Thanks, this helps a lot! I am gonna use this in the future. Also, I think I may have found something interesting:

gnome-ssh-askpass was removed (not by me, anyway), but it may have been removed when everything else got erased too, so I don't know!

But nothing for breakin or attempt!

#9 (Just Joined!, South West England, joined Aug 2005, 91 posts)
I've always done:
Code:
grep invalid /var/log/messages | cut -d " " -f 13 | sort | uniq
to get a list of all intruders who have tried to brute force crack my SLES server. (sort has to come before uniq, since uniq only collapses adjacent duplicates.)
It's almost the same on RHEL; you have to search for "failure" instead of "invalid" and use field 14 as well as 13.

There's a recent vulnerability found in the hplip and cups services; it could have been that (from the inside), or ssh brute force does occasionally work. If you wish, you can disable passwords entirely and only use keys.

    Here's how:

Create a public/private key pair (on the machines you wish to connect from) by using:
Code:
ssh-keygen
It will place ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key) into the .ssh directory of the connecting computer. Now copy id_rsa.pub to ~/.ssh/authorized_keys on the machine you wish to connect to.

In /etc/ssh/sshd_config, set:
Code:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
to disable passwords and enable keys (search for those entries and edit them).

Then you can (optionally) have passwordless key pairs that are still (somewhat) secure!

Then restart SSH.

    Cheers
    Dan
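The grep one-liners in #7 and the grep/cut list in #9 both depend on a fixed column position and on which string your distribution logs. The script below is an added example for this page (not any poster's code) that does the same job on any syslog-style auth log by locating the `from` keyword instead of a column number: it counts "Failed password" lines per source address, and separately reports any address that was accepted after a run of failures, which is the case where brute force actually worked. The log lines are constructed for illustration; on Ubuntu the real file is /var/log/auth.log (RHEL: /var/log/secure, SLES: /var/log/messages).

```shell
#!/bin/sh
# Added example: summarise ssh brute-force activity from auth.log-style lines.
# SAMPLE_LOG is constructed for illustration (not from the thread).
# Real use:  failed_logins_by_ip "$(cat /var/log/auth.log)"
#            successes_after_failures "$(cat /var/log/auth.log)" 3

SAMPLE_LOG='Nov  3 02:14:07 laptop sshd[4121]: Invalid user admin from 203.0.113.9
Nov  3 02:14:09 laptop sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51332 ssh2
Nov  3 02:14:12 laptop sshd[4125]: Failed password for root from 203.0.113.9 port 51340 ssh2
Nov  3 02:14:15 laptop sshd[4128]: Failed password for root from 203.0.113.9 port 51347 ssh2
Nov  3 02:14:20 laptop sshd[4131]: Accepted password for bob from 203.0.113.9 port 51352 ssh2
Nov  3 09:02:44 laptop sshd[5001]: Failed password for bob from 198.51.100.4 port 40012 ssh2
Nov  3 09:03:01 laptop sshd[5004]: Accepted publickey for bob from 192.168.1.20 port 55100 ssh2'

# failed_logins_by_ip LOGTEXT
# Prints "count ip", busiest source first. Only "Failed password" lines are
# counted so the matching "Invalid user" line does not double-count an attempt.
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from", wherever that is
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# successes_after_failures LOGTEXT MIN
# Prints "ip user" for each accepted login whose source address had already
# failed at least MIN times earlier in the log: the signature of a brute force
# that succeeded (or of a legitimate user after a few typos, so read it with care).
successes_after_failures() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            if (ip != "" && n[ip] >= min) print ip, user
        }'
}

failed_logins_by_ip "$SAMPLE_LOG"
successes_after_failures "$SAMPLE_LOG" 2
```

On the sample, 203.0.113.9 shows three failures followed by an accepted password for bob; that second report is the one worth treating as an incident, whereas a bare failure count mostly measures background scanning.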
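Posts #5 and #9 together describe one sshd_config change set: move off port 22, refuse root login, and turn off password authentication once keys are in place. The script below is an added example for this page (not any poster's code) that applies those settings idempotently to a config file, replacing commented-out defaults as well as live lines so no stray `#Port 22` is left to confuse the next reader, and shows the client-side key steps. The port 2222, the ed25519 key type and the sample config excerpt are assumptions for illustration.

```shell
#!/bin/sh
# Added example: apply the thread's sshd hardening to a config file.
# Real use (as root):  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#                      harden_sshd_config /etc/ssh/sshd_config 2222
#                      sshd -t && service ssh restart

# Constructed sshd_config excerpt (illustrative, not from the thread).
SAMPLE_CONFIG='# constructed excerpt
#Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server'

# set_sshd_option FILE KEY VALUE
# Remove every existing form of the directive (active or commented, any case,
# since sshd keywords are case-insensitive) and append "KEY VALUE".
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    grep -Eiv "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"                           # off the scanned default (#5)
    set_sshd_option "$1" PermitRootLogin no                  # never root over ssh (#5)
    set_sshd_option "$1" PubkeyAuthentication yes            # keys on (#9)
    set_sshd_option "$1" PasswordAuthentication no           # passwords off (#9)
    set_sshd_option "$1" ChallengeResponseAuthentication no  # closes the keyboard-interactive path too
}

# get_sshd_option FILE KEY -> prints the active value (ignores comments)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' "$1"
}

# install_key HOST
# Client side, run before disabling passwords: generate a key if none exists
# and push the public half into ~/.ssh/authorized_keys on HOST.
# ed25519 is assumed; use "-t rsa -b 4096" on an OpenSSH too old for it.
install_key() {
    [ -f "$HOME/.ssh/id_ed25519" ] || ssh-keygen -t ed25519 -f "$HOME/.ssh/id_ed25519"
    ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" "$1"
}

# Demonstration on a scratch copy of the sample config.
demo_file="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_file"
harden_sshd_config "$demo_file" 2222
cat "$demo_file"
rm -f "$demo_file"
```

Keep an existing ssh session open while you restart sshd, and log in from a second session on the new port with the key before closing the first; if `sshd -t` reports a bad directive or the key was not copied, you still have a way back in.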

#10 (Just Joined!, joined Sep 2007, 10 posts)
Thanks Dan, I appreciate the help. I will definitely set that up. Also, is there a way to have both, keys as well as a password, thus creating two layers of authentication?

Page 1 of 2