You are not logged in.

#1 2021-05-03 20:30:47

mpamphslinuxrock
Member
Registered: 2020-04-21
Posts: 37

Rotajakiro malware

Hello to everyone,
is there any way to see if our system has the above malware? And what can we do to delete it?

Last edited by mpamphslinuxrock (2021-05-03 21:21:48)

Offline

#2 2021-05-03 20:33:56

Slithery
Forum Moderator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 4,344

Re: Rotajakiro malware

A Google search for 'rotajakito' gives 0 hits.

What are you talking about?


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Online

#3 2021-05-03 21:22:12

mpamphslinuxrock
Member
Registered: 2020-04-21
Posts: 37

Re: Rotajakiro malware

rotajakiro..i am sorry i correct it

Offline

#4 2021-05-03 22:26:27

merlock
Member
Registered: 2018-10-30
Posts: 163

Re: Rotajakiro malware


It's a big club...and you ain't in it -- George Carlin
Eenie meenie, chili beanie, the spirits are about to speak -- Bullwinkle J. Moose
Registered Linux user #149839
perl -e 'print$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10); '

Offline

#5 2021-05-04 13:23:25

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 9,134

Re: Rotajakiro malware

The article has no info how this trojan gets on systems, or what mechanisms it uses to stay hidden from the OS once it has infiltrated a system.

If it has root access It appears to use a systemd-daemon.service , while for non-root dbus services session-dbus and gvfsd-helper are used.

As far as I can find those 3 names don't occur in any official archlinux package .


Checking folders that are used by systemd and/or dbus services seems like a good idea.
I'd check atleast /etc/systemd , /usr/lib/systemd and /usr/share/dbus-1 and their subfolders preferably while booted from a guaranteed rotajakiro-free medium .

Archlinux installation iso or maybe a bootable rescue disk from an antivirus firm ?

Last edited by Lone_Wolf (2021-05-04 13:23:56)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
Did you use the guided installer ? If yes, I can't help you.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#6 2021-05-04 14:01:33

seth
Member
Registered: 2012-09-03
Posts: 20,479

Offline

#7 2021-05-05 09:22:23

mpamphslinuxrock
Member
Registered: 2020-04-21
Posts: 37

Re: Rotajakiro malware

seth wrote:

Monitor for outbound traffic to 176.107.176.16
https://community.blueliv.com/#!/s/608a … 3eb53560a5

so what should we see in this site?could you explain? How we can see if we are infected?And of course the next step?How can we remove the threat?

Last edited by mpamphslinuxrock (2021-05-05 09:38:38)

Offline

#8 2021-05-05 10:42:43

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 9,134

Re: Rotajakiro malware

According to blueliv any traffic to that ip-address is suspect.

If there's no traffic to it, you're unlikely to be infected.

The netlab article lists 4 domains , they are unresolvable from my system and whois claims they've expired.
It does seem possible those domain addresses have been taken down by their registrars .

For your other questions see my post #5 .


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
Did you use the guided installer ? If yes, I can't help you.

(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#9 2021-05-05 22:19:34

mpamphslinuxrock
Member
Registered: 2020-04-21
Posts: 37

Re: Rotajakiro malware

with this command?

sudo iftop -n

Offline

#10 2021-05-06 07:08:08

seth
Member
Registered: 2012-09-03
Posts: 20,479

Re: Rotajakiro malware

You probaby also want to filter for the destiination network.

Alternatively DROP and LOG the IP in iptables/netfilter and you can use https://aur.archlinux.org/packages/psad/ to track the log and send you a notification when the IP is met.
NOTICE: The if the backdoor operates w/ root permissions it can manipulate your iptables/netfilter config as well as the entire network stack, completely hiding its traffic. To be really sure, you'd monitor it from an external node (eg. your router)

Do you have any reason to assume you might be affected.

Offline

#11 2021-05-06 12:18:59

mpamphslinuxrock
Member
Registered: 2020-04-21
Posts: 37

Re: Rotajakiro malware

no i have not any reason. But i think that this is a very serious threat...and of course all of us need to know! how can I monitor my router from an external node? could you send me an example ?

Offline

#12 2021-05-06 13:29:22

seth
Member
Registered: 2012-09-03
Posts: 20,479

Re: Rotajakiro malware

monitor my router from an external node

You want to monitor your archlinux installation from an external node which could eg. be your router.
First step: possess and have control over an external node (anything between the potentially infected system and the interwebz)
Second step: figure how to monitor, filter and log traffic on that sytem (for archlinux, see the wiki on iptables & netfilter)

Offline

#13 2021-05-06 13:31:14

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,148
Website

Re: Rotajakiro malware

mpamphslinuxrock wrote:

no i have not any reason. But i think that this is a very serious threat...and of course all of us need to know!

Nine countries on this planet, some of which hating each other, posess nuclear weapons. That is a very serious threat.
Malware has been around since the dawn of software. And while it is always a good idea to be on the lookout for contemporary threats there's nothing that makes RotaJakiro particularly special.
The strategy stays the same: keep your software up-to-date and the network interfaces minimal to provide the least attack surface and you should be fine.
And don't install untrusted software.

Last edited by schard (2021-05-06 13:52:01)

Offline

Board footer

Powered by FluxBB