No, I have no reason. But I think that this is a very serious threat... and of course all of us need to know!
Nine countries on this planet, some of which hate each other, possess nuclear weapons. That is a very serious threat.
Malware has been around since the dawn of software. And while it is always a good idea to be on the lookout for contemporary threats, there's nothing that makes RotaJakiro particularly special.
The strategy stays the same: keep your software up-to-date and the network interfaces minimal to provide the least attack surface and you should be fine.
And don't install untrusted software.
monitor my router from an external node
You want to monitor your archlinux installation from an external node, which could e.g. be your router.
First step: possess and have control over an external node (anything between the potentially infected system and the interwebz).
Second step: figure out how to monitor, filter and log traffic on that system (for archlinux, see the wiki on iptables & netfilter).
Alternatively, DROP and LOG the IP in iptables/netfilter, and you can use https://aur.archlinux.org/packages/psad/ to track the log and send you a notification when the IP is met.
NOTICE: If the backdoor operates with root permissions it can manipulate your iptables/netfilter config as well as the entire network stack, completely hiding its traffic. To be really sure, you'd monitor it from an external node (e.g. your router).
Do you have any reason to assume you might be affected?
sudo iftop -n
If there's no traffic to it, you're unlikely to be infected.
The netlab article lists 4 domains, they are unresolvable from my system and whois claims they've expired.
It does seem possible those domain addresses have been taken down by their registrars.
For your other questions see my post #5.
Monitor for outbound traffic to 176.107.176.16
https://community.blueliv.com/#!/s/608a … 3eb53560a5
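The two suggestions above, DROP and LOG the IP in iptables/netfilter (post about monitoring from an external node) and watching for outbound traffic to 176.107.176.16, put together as a small script. This is an added example, not code from any poster in this thread: it assumes iptables is installed, that LOG targets end up in the kernel log (journalctl -k), and the ROTAJAKIRO_C2 log prefix is my own choice. The sample log lines are constructed, not real captures.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# It turns the "DROP and LOG the IP" suggestion into repeatable iptables rules
# for the address quoted in the thread and parses the resulting kernel log
# lines so hits can be counted (psad or a cron job could do the same).
# Assumptions: iptables is installed and LOG targets land in the kernel log
# (journalctl -k); the LOG prefix below is our own choice, not from the thread.

C2_IP="176.107.176.16"        # address quoted in the thread
LOG_PREFIX="ROTAJAKIRO_C2: "  # our own marker, so the lines are easy to find

# print_rules: emit the commands to run as root. Each rule is checked with -C
# first so re-running the script does not add duplicates. DROP is inserted
# before LOG so that LOG ends up at position 1 and fires before the drop.
print_rules() {
    cat <<EOF
iptables -C OUTPUT -d $C2_IP -j DROP 2>/dev/null || iptables -I OUTPUT 1 -d $C2_IP -j DROP
iptables -C OUTPUT -d $C2_IP -j LOG --log-prefix "$LOG_PREFIX" 2>/dev/null || iptables -I OUTPUT 1 -d $C2_IP -j LOG --log-prefix "$LOG_PREFIX"
EOF
}

# count_c2_hits: read log lines on stdin, print how many came from our LOG rule
# and name the C2 address as destination. -F keeps the dots in the IP literal,
# and "|| true" keeps a zero count from being reported as a failure.
count_c2_hits() {
    grep -F "$LOG_PREFIX" | grep -Fc "DST=$C2_IP" || true
}

# Constructed sample kernel log lines (not real captures) for a dry run;
# two hit the C2 address, one is unrelated traffic.
SAMPLE_LOG='kernel: ROTAJAKIRO_C2: IN= OUT=eth0 SRC=192.0.2.10 DST=176.107.176.16 LEN=60 PROTO=TCP DPT=443
kernel: ROTAJAKIRO_C2: IN= OUT=eth0 SRC=192.0.2.10 DST=176.107.176.16 LEN=60 PROTO=TCP DPT=443
kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=TCP DPT=80'

# Dry run on the sample; on a live box replace the printf with: journalctl -k
echo "rules to apply as root:"; print_rules
echo "hits in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_c2_hits)"
```

As the NOTICE in the thread says, a backdoor running as root can remove these rules or hide its traffic from the local stack, so a zero count here only means something when the host is trusted; the same rules and counting run on the router or another upstream box are the version to rely on.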
So what should we see on this site? Could you explain? How can we see if we are infected? And of course the next step: how can we remove the threat?
If it has root access it appears to use a systemd-daemon.service, while for non-root dbus services session-dbus and gvfsd-helper are used.
As far as I can find those 3 names don't occur in any official archlinux package.
Checking folders that are used by systemd and/or dbus services seems like a good idea.
I'd check at least /etc/systemd, /usr/lib/systemd and /usr/share/dbus-1 and their subfolders, preferably while booted from a guaranteed rotajakiro-free medium.
Archlinux installation iso or maybe a bootable rescue disk from an antivirus firm?
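The folder check suggested above as a script, added here as an example and not code from any poster: it looks under the three directories named in the post for the three service names named in the post, and asks pacman which package owns each hit, since the post notes no official package ships these names. It assumes GNU find and pacman are available; when run from a live medium, arch-chroot into the mounted installation first so pacman reads that system's database rather than the live medium's.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# It searches the systemd and dbus directories named in the thread for the three
# service names named there, and asks pacman which package owns each hit, since
# the thread notes that no official package ships these names. Assumptions:
# GNU find and pacman are available; when run from a live medium, arch-chroot
# into the mounted installation first so pacman sees that system's database.

SUSPECT_NAMES="systemd-daemon session-dbus gvfsd-helper"        # names from the thread
SERVICE_DIRS="/etc/systemd /usr/lib/systemd /usr/share/dbus-1"  # dirs from the thread

# find_suspects DIR...: print every path below the given directories whose
# filename contains one of the suspect names (any depth, files or symlinks).
# Directories that do not exist are skipped silently.
find_suspects() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $SUSPECT_NAMES; do
            find "$dir" -name "*${name}*" 2>/dev/null
        done
    done | sort -u
}

# owner_of PATH: print the package that owns PATH, or UNOWNED when pacman knows
# of none (an unowned unit file in these directories deserves a close look).
owner_of() {
    pacman -Qoq "$1" 2>/dev/null || echo UNOWNED
}

# report: run the search over the directories from the thread and label each hit
# with its owning package.
report() {
    hits=$(find_suspects $SERVICE_DIRS)
    if [ -z "$hits" ]; then
        echo "no files matching ${SUSPECT_NAMES} under ${SERVICE_DIRS}"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r path; do
        echo "$path  owner=$(owner_of "$path")"
    done
}

report
```

A name search only catches the names reported so far; pacman -Qkk, which verifies installed package files against the package database, is the complementary check for files that were modified rather than added, and both are only trustworthy when run from a clean boot medium as the post says.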
What are you talking about?