-
Ubuntu, Crypto Malware
From
Android8675@VERT to
All on Tue Nov 15 07:51:24 2022
Hey all, anyone have any experience with crypto infected Linux systems? My box that I use has mxrig running, and I've no idea how it got there, where it's hiding, or how to get it off my system. Speculating that it could be some rootkit bologna, and there's vague suggestions on the googles as to how to get it off my system without "nuking it from orbit".

So, before I do that I thought I might see if there's anyone who's had experience with this sort of thing who might be willing to take a peek? Drop me a note at andyob [at] gmail.com if you've had some experience. I got the thing backed up, so I'm ok with letting you pop-on and see if you can work some magic.

Thanks in advance,
-A @ shodanscore.com
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
-
From
Digital Man@VERT to
Android8675 on Tue Nov 15 11:51:14 2022
Re: Ubuntu, Crypto Malware
 By: Android8675 to All on Tue Nov 15 2022 07:51 am

 > Hey all, anyone have any experience with crypto infected Linux systems? My
 > box that I use has mxrig running, and I've no idea how it got there, where
 > it's hiding, or how to get it off my system. Speculating that it could be
 > some rootkit bologna, and there's vague suggestions on the googles as to how
 > to get it off my system without "nuking it from orbit".
 >
 > So, before I do that I thought I might see if there's anyone who's had
 > experience with this sort of thing who might be willing to take a peek? Drop
 > me a note at andyob [at] gmail.com if you've had some experience. I got the
 > thing backed up, so I'm ok with letting you pop-on and see if you can work
 > some magic.

I was running a version of GitLab (a year ago?) that had an exploit published and I was vulnerable for about 24 hours before upgrading to a fixed GitLab version. During that 24 hours, a crypto miner (I forget the name) was installed and it was pretty obvious from the impact on CPU utilization. I found and killed the process manually and deleted the maliciously-installed files (in the /tmp dir, iirc). Tools like ps, top, netstat should help you find the culprit process(es) and get rid of them, but it is important that you find and remove (or update/patch) the software with the original vulnerability that was used to install the crypto miner in the first place.
-- 
 digital man (rob)

Rush quote #57:
He picks up scraps of information, he's adept at adaptation .. Digital Man
Norco, CA WX: 68.5°F, 21.0% humidity, 0 mph NE wind, 0.00 inches rain/24hrs
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
-
From
MRO@VERT/BBSESINF to
Android8675 on Tue Nov 15 16:33:05 2022
Re: Ubuntu, Crypto Malware
 By: Android8675 to All on Tue Nov 15 2022 07:51 am

 > Hey all, anyone have any experience with crypto infected Linux systems? My
 > box that I use has mxrig running, and I've no idea how it got there, where
 > it's hiding, or how to get it off my system. Speculating that it could be
 > some rootkit bologna, and there's vague suggestions on the googles as to how
 > to get it off my system without "nuking it from orbit".
 >
 > So, before I do that I thought I might see if there's anyone who's had
 > experience with this sort of thing who might be willing to take a peek? Drop
 > me a note at andyob [at] gmail.com if you've had some experience. I got the
 > thing backed up, so I'm ok with letting you pop-on and see if you can work
 > some magic.

if you have it backed up, and your backups are clean, just 'nuke it from orbit'.

why do you want to waste time going on a search for it?
if your files are encrypted you aren't getting them back and you might lose
more anyways.

---
 ■ Synchronet ■ ::: BBSES.info - free BBS services :::
-
From
Arelor@VERT/PALANT to
MRO on Tue Nov 15 17:33:38 2022
Re: Ubuntu, Crypto Malware
 By: MRO to Android8675 on Tue Nov 15 2022 04:33 pm

 > if you have it backed up, and your backups are clean, just 'nuke it from orbit'.
 >
 > why do you want to waste time going on a search for it?
 > if your files are encrypted you aren't getting them back and you might lose
 > more anyways.
 >

I think he is talking about cryptomining malware rather than a ransomware piece.

I'd personally just restore from the latest known clean backup if any, and do what
somebody else has recommended: apply security updates and try to ensure they don't
break in the same way again.

Using Unix utilities from within a compromised system is not a great idea. Rootkits
may make evil software undetectable. If you must scan an infected system, it is usually
better to just image it and scan the image from a known good system instead.

--
gopher://gopher.richardfalken.com/1/richardfalken

---
 ■ Synchronet ■ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
-
From
MRO@VERT/BBSESINF to
Arelor on Tue Nov 15 19:51:05 2022
Re: Ubuntu, Crypto Malware
 By: Arelor to MRO on Tue Nov 15 2022 05:33 pm

 > I'd personally just restore from the latest known clean backup if any, and
 > do what somebody else has recommended: apply security updates and try to
 > ensure they don't break in the same way again.
 >
 > Using Unix utilities from within a compromised system is not a great idea.
 > Rootkits may make evil software undetectable. If you must scan an infected
 > system, it is usually better to just image it and scan the image from a
 > known good system instead.
 >

if ANYbody gets a virus they should:

+ backup any non-executable files they need
+ wipe the system.
+ change all your passwords and login names on a clean system, ie NOT that computer.
+ disable remote logins if possible.
+ be more careful!
---
 ■ Synchronet ■ ::: BBSES.info - free BBS services :::
-
From
Android8675@VERT to
MRO on Wed Nov 30 08:43:15 2022
Re: Ubuntu, Crypto Malware
 By: MRO to Android8675 on Tue Nov 15 2022 04:33 pm

 > if you have it backed up, and your backups are clean, just 'nuke it from
 > orbit'.
 >
 > why do you want to waste time going on a search for it?
 > if your files are encrypted you aren't getting them back and you might lose
 > more anyways.

Files were fine, it wasn't a malicious app (thankfully), it was just a crypto app that was being run from a cloud drive on my system. I blocked off the RADIUS port (1812) and the app stopped coming up. I'll have to figure out how/why it was happening. RADIUS has something to do with authentication. Maybe if I just switch to key auth only it'll block whatever backdoor I've obviously left open.

At any rate, I closed all but the ports I need and it seems OK now.

Glad I didn't have to nuke anything, and thankfully I got a fairly nice backup setup.
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
-
From
Android8675@VERT/REALITY to
Digital Man on Wed Nov 30 08:27:07 2022
Re: Ubuntu, Crypto Malware
 By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am

 > Re: Ubuntu, Crypto Malware
 > By: Android8675 to All on Tue Nov 15 2022 07:51 am

 > > Hey all, anyone have any experience with crypto infected Linux systems?

 > > So, before I do that I thought I might see if there's anyone who's had
 > > experience with this sort of thing who might be willing to take a peek?

 > I was running a version of GitLab (a year ago?) that had an exploit
 > published and I was vulnerable for about 24 hours before upgrading to a fixe

Is there a simple way to clean out the /tmp folder in Linux, for us plebs? (/var/log folder getting kinda robust too)

So I could not for the life of me figure out where the exploit was on my system
until I watched the process carefully. I could kill the process easily enough (sudo top), but it would fire up again within 10-15 minutes. So I watched it fire up and the process information mentioned port 1812 somewhere, and I looked up port 1812, which has something to do with RADIUS authentication?

So I blocked the port on the system and the malware hasn't started up since. I could only guess that the app was being run from a cloud drive somewhere using RADIUS to execute the code locally. I've no idea how that works, and I stopped just after because I was tired, but the problem hasn't returned so I'm OK just keeping that port blocked until I can figure out how/why it's happening.

I might be OK without RADIUS, at least for now. I checked my router settings to make sure no erroneous ports were open to the system (originally I had the system on the DMZ, but I figured now would be a good time to lock that down).

At any rate, at least I didn't have to reinstall everything, but at some point I need to update to 22LTS. Something for another day.
--
Android8675@realitycheckbbs.o r g

... Do you know what kind of game this is?

---
 ■ Synchronet ■ .: realitycheckbbs.org :: scientia potentia est :.
-
From
Digital Man@VERT to
Android8675 on Wed Nov 30 11:53:18 2022
Re: Ubuntu, Crypto Malware
 By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

 > Re: Ubuntu, Crypto Malware
 > By: Digital Man to Android8675 on Tue Nov 15 2022 11:51 am
 >
 > > Re: Ubuntu, Crypto Malware
 > > By: Android8675 to All on Tue Nov 15 2022 07:51 am
 >
 > > > Hey all, anyone have any experience with crypto infected Linux systems?
 >
 > > > So, before I do that I thought I might see if there's anyone who's had
 > > > experience with this sort of thing who might be willing to take a peek?
 >
 > > I was running a version of GitLab (a year ago?) that had an exploit
 > > published and I was vulnerable for about 24 hours before upgrading to a
 > > fixe
 >
 > Is there a simple way to clean out the /tmp folder in Linux, for us plebs?

https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up

 > /var/log folder getting kinda robust too)

Most apps that log there should have configurable log rotation policies.

 > So I could not for the life of me figure out where the exploit was on my
 > system until I watched the process carefully. I could kill the process
 > easily enough (sudo top), but it would fire up again within 10-15 minutes.

'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your system, then you start grepping for what restarts that process upon boot (if it is).
-- 
 digital man (rob)

Synchronet/BBS Terminology Definition #34:
FTN = FidoNet Technology Network
Norco, CA WX: 59.2°F, 68.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
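One way to do the "grep for what restarts it" step that Digital Man describes, for the respawning process Android8675 reported above (an added example, not code from the thread or from any of its posters): take the full path that 'sudo ps aux' or 'readlink /proc/<pid>/exe' gives you and search the standard Linux persistence locations (cron, systemd units, rc.local, shell init files) for any line that references it. The /tmp/.x/miner path and the sample crontab, cron.d job and systemd unit are constructed for the demo; the default search roots are the standard locations on a Debian/Ubuntu box.

```shell
#!/bin/sh
# Added example: find what keeps relaunching a process by searching the usual
# Linux persistence locations for the binary's full path (the path shown by
# 'sudo ps aux' or 'readlink /proc/<pid>/exe'). Assumes a POSIX shell and a
# grep that supports -r. The /tmp/.x/miner path is a constructed stand-in.

# persistence_refs EXE_PATH [SEARCH_ROOT...]
# Prints "file:line:text" for every line that mentions EXE_PATH. Without
# explicit roots it searches the standard cron/systemd/shell-init locations.
# Returns 0 if at least one reference was found, 1 otherwise.
persistence_refs() {
    exe="$1"; shift
    if [ "$#" -eq 0 ]; then
        set -- /etc/crontab /etc/cron.d /etc/cron.hourly /var/spool/cron \
               /etc/systemd/system /etc/rc.local /etc/profile.d \
               /root/.bashrc /root/.profile
    fi
    found=1
    for root in "$@"; do
        [ -e "$root" ] || continue
        # -r recurse, -n line numbers, -F literal match so '.' in the path is safe
        if grep -rnF -- "$exe" "$root" 2>/dev/null; then
            found=0
        fi
    done
    return "$found"
}

# demo: builds a constructed mini tree (one clean crontab, one cron.d job and
# one systemd unit that both launch the miner) and prints how many referencing
# lines persistence_refs finds. Runs without root and cleans up after itself.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cron.d" "$tmp/systemd"
    printf 'PATH=/usr/bin\n' > "$tmp/crontab"
    printf '*/10 * * * * root /tmp/.x/miner -c /tmp/.x/c.json\n' \
        > "$tmp/cron.d/update"
    printf '[Service]\nExecStart=/tmp/.x/miner\nRestart=always\n' \
        > "$tmp/systemd/sys-update.service"
    n=$(persistence_refs /tmp/.x/miner "$tmp/crontab" "$tmp/cron.d" \
            "$tmp/systemd" | wc -l)
    rm -rf "$tmp"
    echo "$n" | tr -d ' '
}

demo
```

On a real box run it as root with just the path argument so the default roots are searched; an empty result means the relauncher lives somewhere else (a user crontab, a systemd timer, or a parent process that is still running), so check 'ps -o ppid=' on the miner next.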
-
From
MRO@VERT/BBSESINF to
Android8675 on Wed Nov 30 15:56:04 2022
Re: Ubuntu, Crypto Malware
 By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am

 > I could only guess that the app was being run from a cloud drive somewhere
 > using RADIUS to execute the code locally. I've no idea how that works, and I
 > stopped just after because I was tired, but the problem hasn't returned so
 > I might be OK without RADIUS, at least for now. I checked my router settings
 > to make sure no erroneous ports were open to the system (originally I had
 > the system on the DMZ, but I figured now would be a good time to lock that
 > down).
 >
 > At any rate, at least I didn't have to reinstall everything, but at some
 > point I need to update to 22LTS. Something for another day.

you really should reinstall. they didn't exploit radius.
and it's good practice and keeps you on your toes to learn a way
to tear it down and put it up again after working out a system.

i wouldn't trust running an exploited system.

---
 ■ Synchronet ■ ::: BBSES.info - free BBS services :::
-
From
Android8675@VERT/SHODAN to
Digital Man on Mon Dec 5 10:44:52 2022
Re: Ubuntu, Crypto Malware
 By: Digital Man to Android8675 on Wed Nov 30 2022 11:53 am

 > Re: Ubuntu, Crypto Malware
 > By: Android8675 to Digital Man on Wed Nov 30 2022 08:27 am
 >
 > > Is there a simple way to clean out the /tmp folder in Linux, for us plebs?
 >
 > https://askubuntu.com/questions/20783/how-is-the-tmp-directory-cleaned-up
 >

Thanks...

 > > /var/log folder getting kinda robust too)
 >
 > Most apps that log there should have configurable log rotation policies.
 >

Thanks again, will research...

 > > So I could not for the life of me figure out where the exploit was on my system until I watched the process
 >
 > 'sudo ps aux' will display the full path to all running processes. That's how you'd know *where* it is on your
 > system, then you start grepping for what restarts that process upon boot (if it is).

I'll need to practice this. I find it odd that port 1812 isn't open in my router, so maybe there is another system infected causing this? Probably those fucking wifi lightbulbs I installed last week or some bullshit.

ha, thanks for your help DM.
-- 
Android8675@ShodansCore
---
 ■ Synchronet ■ Shodan's Core @ ShodansCore.com
-
From
Android8675@VERT/SHODAN to
MRO on Mon Dec 5 10:45:36 2022
Re: Ubuntu, Crypto Malware
 By: MRO to Android8675 on Wed Nov 30 2022 03:56 pm

 > you really should reinstall. they didn't exploit radius.
 > and it's good practice and keeps you on your toes to learn a way
 > to tear it down and put it up again after working out a system.
 >
 > i wouldn't trust running an exploited system.

I am seriously considering it. Just need to find the time.
-- 
Android8675@ShodansCore
---
 ■ Synchronet ■ Shodan's Core @ ShodansCore.com