  1. #1
    Just Joined! pouar
    Join Date
    Dec 2011
    Posts
    18

    possible spyware on my PC that I can't get rid of


    I feel like an idiot and embarrassed for allowing this, but I tried opening a file I got from the internet using sudo, and now I think there's some spyware on the system, since snort is telling me that an executable is trying to access the internet, as shown in this snort log
    Code:
    [**] [1:1394:12]  <eth0> SHELLCODE x86 inc ecx NOOP [**]
    [Classification: Executable code was detected] [Priority: 1] 
    01/08-12:49:03.285198 00:1D:92:33:9E:FC -> 00:23:69:C6:B6:DE type:0x800 len:0x498
    192.168.2.105:44926 -> 50.19.117.191:80 TCP TTL:64 TOS:0x0 ID:32391 IpLen:20 DgmLen:1162 DF
    ***AP*** Seq: 0x55A2638  Ack: 0xCF3507FD  Win: 0xFA6  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1476749 428764709
    This keeps coming up, but with different IP addresses. Any way to get rid of it?

  2. #2
    Linux Newbie BoDiddley
    Join Date
    Oct 2010
    Location
    Plainfield, New Jersey
    Posts
    137
    You can try ClamTK (ClamAV with a GUI). Also try chkrootkit. It is as it sounds - it searches for "known" rootkits. The problem is whether what you have has been around a while, and is known. You can also see what "netstat -P" produces to see if you can catch the program transmitting.
    "Wisdom is justified of all her children"

  3. #3
    Administrator jayd512
    Join Date
    Feb 2008
    Location
    Kentucky
    Posts
    5,023
    Good suggestions there!

    What file was it that you suspect started the problem?
    Have you tried a Google search on the filename to see if there are any reports about it?
    Jay

    New users, read this first.
    New Member FAQ
    Registered Linux User #463940
    I do not respond to private messages asking for Linux help. Please keep it on the public boards.

  4. #4
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,598
    Viruses are uncommon on Linux, although there is malware out there that will try to pwn your system so it can become a botnet C&C system. As mentioned, use ClamAV or chkrootkit to find it. If that doesn't work, there are other/commercial AV programs that work with Linux. Myself, I use f-prot as well as ClamAV, but McAfee and Symantec both have Linux versions that may help - they have free versions and trial versions that you can use to find this.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  5. #5
    Just Joined! pouar
    Join Date
    Dec 2011
    Posts
    18
    crack for winrar (before you start judging, I just wanted to see if there were any features that weren't included in the trial, so I know whether or not I want the program before buying; turns out I don't, so I deleted the program a little after I downloaded it).
    Last edited by pouar; 01-09-2012 at 02:05 AM.

  6. #6
    Just Joined!
    Join Date
    May 2005
    Posts
    4

    You're going to be busy...

    If they are smart, you have a problem: rootkitting Linux is an easy process, as everyone has access to the code. Get a rescue CD as a start; you may not be able to find the guilty files if you boot from the currently installed files.

    Use netstat or lsof to try to find the process ID of whatever is trying to do the network stuff. If you can find the PID, you can use ps to find the file. If you have a PID but can't find the file, suspect a rootkit.

    Go to sysresccd.org and try this as a start.

    Boot from the rescue disk and do a "find" with a date to match the hack date and see what turns up; you may be able to focus the remedial action based on this. If nothing turns up, it's more work.

    If, like most, you have 1 drive, then the next choice is to get a clean initrd, kernel and modules. You may be able to use the rescue CD to build an initrd; otherwise download one.

    It's unlikely they rebuilt the kernel on you, but get a clean kernel anyway, download from your dist site.

    Also get a new set of kernel modules, or the MD5s at least.

    Get the MD5 for all the libs on your system.

    Use the rescue CD to mount the drive, replace the kernel and initrd, and delete all the modules and replace them, or do an MD5 to verify.

    Verify the MD5s of all the libs; replace those that don't match.

    This should give you a clean boot. I have no idea if there are any hacks that use grub; maybe reinstall grub as well.

    Enjoy. I had a tool get in through sendmail about 15 years ago. I realised he could have hidden stuff all over my machine, so I ended up re-installing the OS. I then started using 1 drive for the OS and other drives for all my stuff; it makes it easier to upgrade and less hassle if I think there are issues.

    Good luck..

    PS. Keeping an MD5 of all the libs on a system may sound paranoid, but it will speed up this process.
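An added example, not code from the thread or from any poster, in POSIX shell that works through the procedure xvart lays out above (and the netstat suggestion in post #2): take the local port shown in pouar's Snort alert (192.168.2.105:44926), find the socket inode in /proc/net/tcp, walk /proc/*/fd to find the owning PID and its executable, and take a checksum baseline of the libraries that can later be verified from a rescue CD with the disk mounted somewhere other than /. The function names, the constructed /proc/net/tcp sample and the directory paths are assumptions; the port and addresses come from the alert in post #1.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the procedure xvart
# describes: map a Snort alert's local port to a process, and keep a
# checksum baseline of libraries to verify from a rescue environment.
# Function names and the sample data below are constructed for illustration.

# port_to_inode PORT [FILE]
# Prints the socket inode that owns local TCP port PORT, parsing the
# /proc/net/tcp format: column 2 is local hexIP:hexPORT, column 10 is inode.
port_to_inode() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" 'NR > 1 { split($2, a, ":"); if (a[2] == p) { print $10; exit } }' \
        "${2:-/proc/net/tcp}"
}

# inode_to_pid INODE
# Searches every /proc/<pid>/fd for a "socket:[INODE]" link and prints
# "<pid> <path of executable>". Needs root to read other users' fd links.
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
            return 0
        fi
    done
    return 1
}

# port_to_process PORT
# Ties the two together. A socket inode that no visible process owns is the
# live-system counterpart of xvart's "PID but no file": the connection is in
# the kernel table but its owner is hidden from /proc (or already exited).
port_to_process() {
    inode=$(port_to_inode "$1")
    if [ -z "$inode" ]; then
        echo "no local TCP socket on port $1"
        return 1
    fi
    if ! inode_to_pid "$inode"; then
        echo "socket inode $inode has no visible owner: hidden process or short-lived connection"
        return 2
    fi
}

# make_baseline ROOT OUTFILE
# Records the MD5 of every regular file under ROOT with paths relative to
# ROOT, so the same list verifies whether the disk is mounted at / or at
# /mnt/rescue. MD5 is what the post uses; sha256sum is a drop-in replacement.
make_baseline() {
    (cd "$1" && find . -type f -exec md5sum {} +) | LC_ALL=C sort -k 2 > "$2"
}

# verify_baseline BASELINE ROOT
# Re-checks BASELINE (give an absolute path) against the tree mounted at ROOT.
# Prints only files that changed or vanished; exit status is non-zero if any did.
verify_baseline() {
    (cd "$2" && md5sum -c --quiet "$1")
}

# sample_proc_net_tcp OUTFILE
# Writes a constructed two-line /proc/net/tcp with one entry matching the
# alert in post #1: 192.168.2.105:44926 -> 50.19.117.191:80, inode 12345.
# (192.168.2.105 is little-endian hex 6902A8C0; port 44926 is hex AF7E.)
sample_proc_net_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 6902A8C0:AF7E BF751332:0050 01 00000000:00000000 02:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
EOF
}

# Stand-alone demo against the constructed data (no live /proc needed):
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    sample_proc_net_tcp "$tmp/tcp"
    echo "port 44926 -> inode $(port_to_inode 44926 "$tmp/tcp")"
    mkdir -p "$tmp/root/lib"
    printf 'original' > "$tmp/root/lib/libc.so.6"
    make_baseline "$tmp/root" "$tmp/libs.md5"
    printf 'tampered' > "$tmp/root/lib/libc.so.6"
    verify_baseline "$tmp/libs.md5" "$tmp/root" || echo "baseline mismatch detected"
    rm -rf "$tmp"
fi
```

On a live system, `port_to_process 44926` run as root while the alert is firing gives the PID and executable path; run it right after the alert, since the source port changes with every new connection. The baseline is meant to be taken while the system is still trusted (for example right after install, as xvart's PS suggests) and stored off the machine, then checked from the rescue CD with `verify_baseline /media/usb/libs.md5 /mnt/rescue`; a baseline taken after the compromise only tells you what changes later.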

  7. #7
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,598
    Quote Originally Posted by pouar View Post
    crack for winrar (before you start judging, I just wanted to see if there were any features that weren't included in the trial, so I know whether or not I want the program before buying; turns out I don't, so I deleted the program a little after I downloaded it).
    Well, the real winrar has a trial license (full functionality) that has no time limit (or at least used to), although it nags you to buy a license... As for rar on Linux, I install the versions that are in the package manager - rar/unrar, etc. They are command-line tools, but work very well for me.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  8. #8
    Just Joined!
    Join Date
    Sep 2010
    Location
    NF10
    Posts
    8

    xvart reply

    Thanks for the detailed reply.
    You wrote in a way that so many posters don't.
    Your post seemed complete, to the point, with detailed instructions.
    We need more people willing to do what you did.
    Thanks

    Quote Originally Posted by xvart View Post
    If they are smart, you have a problem: rootkitting Linux is an easy process, as everyone has access to the code. Get a rescue CD as a start; you may not be able to find the guilty files if you boot from the currently installed files.

    Use netstat or lsof to try to find the process ID of whatever is trying to do the network stuff. If you can find the PID, you can use ps to find the file. If you have a PID but can't find the file, suspect a rootkit.
    Last edited by jayd512; 01-09-2012 at 05:50 PM. Reason: Fixed your [code] tag

  9. #9
    Just Joined!
    Join Date
    Jul 2008
    Posts
    54

    How did it go?

    I haven't run into a Linux virus yet (not that I'm looking forward to doing so). I'm interested in your results.

  10. #10
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,598
    Virus scanners on Linux systems are usually there to scan emails and file downloads to Windows machines, or Wine applications on Linux. When someone tries to compromise a Linux system, they are not (usually) installing viruses, but are trying to get root access so they can turn the machine into a botnet controller, or a spam forwarding device. In any case, without root access, viruses cannot infect the system outside of the user that downloaded it, barring system vulnerabilities (0 day attacks) - which are usually fixed PDQ by the Linux and open source communities.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
