Hi!
For some time now I've seen my computer hiccup when watching films, or even when moving the cursor around.
Looking at some processes I found out there was a systemctl, or dbus-x11, or some other typical Linux app running from a directory called, for example, /tmp/5FD8-BF38-AB32-2KB8.
From what I found on the internet, it looks like it's miner malware, but I can't get rid of it.
It runs as my main user, not root, so it must have been infected from some kind of strange Kodi plugin, or some compromised package.
I was checking in crontab whether it's loading in some way, and I can't find any entry; also nothing in .bashrc/.bash_profile, etc.
I also checked the list of services enabled in systemctl, but didn't find anything relevant.
If you open htop or top, the process disappears. I've read it hides itself. But if you do a ps waux | grep tmp, you can find it easily.
The funny thing is that if I boot my computer and the first thing I do is log in as root, the process is run after some seconds/minutes. So probably it's started from a service, or some startup scripts.
Would anyone know how to find the place it first runs from in the system?
I'm not sure what information I could provide to help find the issue.
Thanks!
Last edited by Mixu (2023-05-28 19:03:59)
I'm not sure what information I could provide to help find the issue.
Any would be good. You've given a narrative of your encounter with some problem, but you've not given any concrete information.
I found out there was a systemctl, or dbus-x11, or any other typical linux app running from a directory called for example /tmp/5FD8-BF38-AB32-2KB8
What does this actually mean? How did you find this (i.e., what commands did you run and what was their output)? What do you mean it was "running from" that path? Do you mean /tmp/5FD8-BF38-AB32-2KB8 was an executable process that was running? (And if that's what you mean, which command / tool gave you that information?)
looks like it's a miner malware, but I can't get rid of it.
It does? How / why? What leads you to these conclusions?
It runs as my main user, not root
This is useful information. Though being more specific about how you determined this might be good - though it's probably safe to assume this came from `ps` output, right? In either case, please show the full output as the other columns from the ps output would be helpful.
... so it must have been infected from some kind of strange kodi plugin, or some compromised package.
I'm not sure how you arrived at this conclusion - it doesn't follow from anything you've presented here.
I was checking on crontab ... I also checked the list of services enabled in systemctl, but didn't find anything relevant.
Are you sure you'd know what was relevant? Show these lists so we can understand what's going on.
If you open htop, or top, the process disappears. I've read it hides itself.
You've read this? Where?
But if you do a ps waux | grep tmp, you can find it easily.
Well, no, I can't, because it's not running on my system. You can find it easily. So please do so, and share that output here.
So probably it's opening from a service, or some startup scripts.
If so, then that list of services you determined to be irrelevant is in fact very relevant.
EDIT: tone is lost in text, and I realize such a dissecting of your post might come across as confrontational - this is not intended. But to be able to help we need information - and my intent is to outline all the varieties of information you could / should provide in order to get help.
Last edited by Trilby (2023-05-28 13:58:35)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Moving to Newbie Corner
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
Hi Trilby, thanks for your answer! Yeah, I didn't sense anything confrontational, fine for me.
I'll try to sum up all the information.
Using this command I get the following output. I can see the process is running; in this case the executable is "gvfsd", some seconds before it was "systemctl d", but I couldn't capture the output with that one.
Also, we can see here that the file is running as my user 'mixu'.
$ ps waux | grep tmp
root 64 0.0 0.0 0 0 ? S 16:01 0:00 [kdevtmpfs]
mixu 982 29.9 14.8 3063316 2418780 ? SLl 16:02 0:36 /tmp/D3F5-2CC4-26D4-15BA/gvfsd
root 1138 0.0 0.0 6892 2464 tty1 S+ 16:04 0:00 grep tmp
While writing this post another process has appeared:
$ ps waux | grep tmp
root 64 0.0 0.0 0 0 ? S 16:01 0:00 [kdevtmpfs]
mixu 3614 19.0 14.7 3063372 2416668 ? SLl 16:19 0:55 /tmp/BF39-0F87-E880-0CD1/sleep
mixu 3878 0.0 0.0 6892 2400 pts/0 S+ 16:24 0:00 grep tmp
This is the full output of
$ ps waux -H
Not sure, but now that I see the full process list, this one makes me a little suspicious, but as far as I know there's some dbus per-user configuration:
/home/mixu/.local/share/ibus-table/dbus-daemon
And this one is the output of 'systemctl':
https://pastebin.com/m3zxuKrF
Regarding knowing where the infection came from: it's because I only use this machine for browsing the web and watching stuff on Kodi, so probably it came from a compromised Kodi plugin, or maybe a Chrome extension, or a package, because that's the only thing I recall reading in the news that could potentially have been hacked back in the day. I was using an ad blocker extension that was reported in the news as compromised, and Google removed it from the store.
When I use `crontab -l` as user mixu and as root, it doesn't show any scheduled task.
When the gvfsd process was running, I opened htop, and in a moment the process disappeared, and after a while the sleep one popped up again.
If I run `file` on that running process's binary, it shows it's an ELF executable, and there are some files around it:
$ ls /tmp/2D06-5672-E44B-B1C1/
systemd .systemd.log .systemd.res
$ file /tmp/2D06-5672-E44B-B1C1/systemd
/tmp/2D06-5672-E44B-B1C1/systemd: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=633b659e5d1711bcf635d68fc97f7b80083979e3, stripped
$ cat /tmp/2D06-5672-E44B-B1C1/.systemd.log
1685284596213
$ cat /tmp/2D06-5672-E44B-B1C1/.systemd.res
5fpo+zWpbqYYWFJsryEBIa6xkm5nvtT+IWrQ6pBYTg4=
As to why I guess it's a miner: if you look on Google for a tmp process that appears with high CPU and memory usage, it probably is a miner.
Also, using the following command I can see it's connecting somewhere (some time ago the IP was 192.99.69.170):
netstat -tnp | grep 4339
tcp 0 0 192.168.0.17:36572 142.44.243.6:14444 ESTABLISHED 4339/systemd
And looking up this last IP you can end up on this webpage, for example: https://github.com/ethereum-mining/ethminer/issues/1827
Also, googling the other IP https://www.google.com/search?q=192.99. … 32&bih=868
I can see mentions of Claymore Miner, and other mining related pages.
Regarding how I know the process hides, I'm looking for the webpage where I read that, but I can't find it; it was a similar issue to mine and there was a forum post from someone with the same issue. If I find the post I'll put it here.
Hope there's plenty of information, thanks!
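An added example, not code from the thread: the processes above present ordinary names (gvfsd, sleep, systemd, systemctl) while their binaries live in /tmp or in dot-directories under the home, and they vanish as soon as an interactive tool like htop is opened. ps only shows the argv a process chooses to present; /proc/<pid>/exe is the kernel's record of which file was actually executed, so a quick non-interactive walk of /proc is a more reliable snapshot. The path rules and the function names is_suspicious_exe and scan_live_processes are my own choices, and the script assumes a Linux /proc layout.

```shell
#!/bin/sh
# Added example (not from the thread): find processes by where their binary
# really is, not by the name they present.  Assumption: Linux /proc layout.

# Return 0 (true) when an executable path looks like the ones in this thread:
# a scratch directory such as /tmp, a dot-directory under a home directory,
# or a binary deleted after it started (readlink then appends " (deleted)").
is_suspicious_exe() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)') return 0 ;;
  esac
  case "$1" in
    /home/*|/root/*)
      # "/." followed by a non-slash means some path component is hidden,
      # e.g. /home/mixu/.local/share/icc/icc-daemon, but not /home/x/my.app/y
      printf '%s\n' "$1" | grep -q '/\.[^/]' && return 0 ;;
  esac
  return 1
}

# Walk /proc directly: /proc/<pid>/exe resolves to the file that was executed,
# so a renamed copy of "sleep" or "gvfsd" still shows its /tmp path.
scan_live_processes() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
    is_suspicious_exe "$exe" || continue
    uid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null)   # real uid
    cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)             # argv as ps shows it
    printf 'pid=%s uid=%s exe=%s cmdline=%s\n' "${p#/proc/}" "$uid" "$exe" "$cmd"
  done
}

# Usage: sh scan_exe.sh --scan   (run as root to see every user's processes)
case "${1:-}" in
  --scan) scan_live_processes ;;
esac
```

Run it repeatedly for a few minutes, since the thread shows the process exiting and respawning under a new name and directory; every hit reports the real uid from /proc/<pid>/status, which is the column that told the poster the miner was running as mixu rather than root.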
Instead of file'ing the binary, I'd copy it to preserve it for close inspection.
Since the process runs as your user, you'd look at your user services, not the system ones.
Then mount /tmp "noexec"…
Funny thing is that if I boot my computer, and first thing I do is login to root, then the process is run after some seconds/minutes. So probably it's opening from a service, or some startup scripts.
Does it activate without you logging in as your regular user?
Next to user services, see https://wiki.archlinux.org/title/Autostarting
Hi seth! Yes, I'll save those files, thanks for the suggestion!
By user services you mean running systemctl --user?
Exactly, it runs without logging in with my current user (mixu).
If I mount /tmp with "noexec" it will probably fail to load the malware, and I won't find the issue, will I?
I've noticed this line:
mixu 757 0.0 0.0 79488 3504 ? Ssl 16:59 0:00 /home/mixu/.local/share/icc/icc-daemon
And if I rename that file there's no duplication in this part of the process list:
mixu 730 0.5 0.0 19320 11652 ? Ss 16:59 0:00 /usr/lib/systemd/systemd --user
mixu 731 0.0 0.0 23788 5332 ? S 16:59 0:00 (sd-pam)
mixu 742 0.0 0.0 312888 11436 ? Ssl 16:59 0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
mixu 747 0.0 0.0 8544 4436 ? Ss 16:59 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
mixu 757 0.0 0.0 79488 3504 ? Ssl 16:59 0:00 /home/mixu/.local/share/icc/icc-daemon
root 826 0.6 0.0 19212 11428 ? Ss 16:59 0:00 /usr/lib/systemd/systemd --user
root 827 0.0 0.0 23788 5384 ? S 16:59 0:00 (sd-pam)
root 835 0.0 0.0 312780 13372 ? SLsl 16:59 0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/0/keyring
root 840 0.0 0.0 8508 4308 ? Ss 16:59 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
But it still runs the process in the /tmp directory.
I've noticed another process in /home/mixu/.config/dconf/initctl and it keeps alternating with /home/mixu/.local/share/ibus-table/dbus-daemon, /home/mixu/.cache/fontconfig/sleep... weird
systemctl --user gives me this output:
https://pastebin.com/ctHy7MkC
Nothing I see that could be wrong.
Last edited by Mixu (2023-05-28 15:19:50)
Audit the paths, https://wiki.archlinux.org/title/Audit_ … ies_access
Btw. you've at least NM, dhcpcd and connman enabled…
Also: is your root user subject to xlogin as well?
And when you only login as root, do the suspicious processes still run as mixu?
You mean I have internet access, right?
Regarding xlogin for root, you mean to enter X/Wayland? I'm not sure I understand what xlogin is, sorry!
And yes, when I log in as root in console mode, the suspicious processes still run as mixu.
Now I waited for some time as root to see if the processes appeared, and they didn't. Once I logged in on the console with my user, they appeared again... maybe it's a false positive (or true negative)?
I'll try to audit my home folder, thanks for the suggestion
No, I mean you've conflicting network services.
And there's an xlogin slice, this thing here: https://aur.archlinux.org/packages/xlogin …
pacman -Qs xlogin
Now I waited for some time as root to see if the processes appear, and they didn't. Once I logged in console with my user, they appeared again... maybe it's a false positive (or true negative)?
I'd say that process still needs you to login.
And don't audit your entire $HOME, just the offending paths where the thing copies itself.
No, I mean you've conflicting network services.
Ah! Which ones should I remove?
And don't audit your entire $HOME, just the offending paths where the thing copies itself.
Oh ok! thanks
I'm starting with this one:
# auditctl -l
-w /home/mixu/.cache/fontconfig -p rwxa
Oh, and I don't have xlogin installed.
Last edited by Mixu (2023-05-28 15:58:50)
FWIW, system services can specify a "User=" to run as. I'd not be surprised if that's the source of this - though I have not yet caught up on the new information in the thread (thanks Mixu for providing details).
I just found this in the journalctl log:
May 28 18:17:23 MeowPC kernel: audit: type=1327 audit(1685290643.220:191): proctitle="/home/mixu/.ssh/service/ssh-agent"
May 28 18:17:23 MeowPC kernel: audit: kauditd hold queue overflow
May 28 18:17:23 MeowPC kernel: audit: audit_lost=311 audit_rate_limit=0 audit_backlog_limit=64
May 28 18:17:23 MeowPC kernel: audit: type=1302 audit(1685290643.220:191): item=0 name="/home/mixu/.cache/fontconfig/" inode=131590 dev=08:22 mode=040755 ouid=1000 ogid=100 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
May 28 18:17:23 MeowPC kernel: audit: kauditd hold queue overflow
May 28 18:17:23 MeowPC kernel: audit: audit_lost=310 audit_rate_limit=0 audit_backlog_limit=64
May 28 18:17:23 MeowPC kernel: audit: type=1307 audit(1685290643.220:191): cwd="/home/mixu"
May 28 18:17:23 MeowPC kernel: audit: kauditd hold queue overflow
May 28 18:17:23 MeowPC kernel: audit: audit_lost=309 audit_rate_limit=0 audit_backlog_limit=64
May 28 18:17:23 MeowPC kernel: audit: type=1300 audit(1685290643.220:191): arch=c000003e syscall=87 success=no exit=-2 a0=555a0e09cb10 a1=555a0d5cacbb a2=0 a3=7fffe1ae4250 items=1 ppid=933 pid=957 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=5 comm="ssh-agent" exe="/home/mixu/.ssh/service/ssh-agent" key=(null)
May 28 18:17:23 MeowPC kernel: kauditd_printk_skb: 45 callbacks suppressed
and renamed that file, and for the moment no suspicious process is running
And regarding xlogin, I can see some logs:
May 28 18:22:10 MeowPC systemd[1]: xlogin@mixu.service: Deactivated successfully.
May 28 18:22:02 MeowPC systemd[1]: Created slice Slice /system/xlogin.
May 28 18:21:39 MeowPC systemd[1]: Removed slice Slice /system/xlogin.
May 28 18:15:50 MeowPC systemd[1]: xlogin@mixu.service: Deactivated successfully.
May 28 18:15:49 MeowPC kernel: audit: type=1130 audit(1685290549.790:114): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=xlogin@mixu comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Now I wonder if that ssh-agent file was already wrong and put there, or was it infected in any way?
EDIT:
Now I found out that in my .bashrc I had this:
linux_bash="$HOME/.ssh/service/ssh-agent"
if [ -e "$linux_bash" ];then
setsid "$linux_bash" 2>&1 & disown
fi
Now I found out that in my .bash_profile I had this:
linux_bash="$HOME/.local/share/icc/icc-daemon"
if [ -e "$linux_bash" ];then
setsid "$linux_bash" 2>&1 & disown
fi
I don't remember putting it there, uhm...
It must have been there for quite some time because after that one there is another line that I remember putting.
Googling "setsid $linux_bash" I found out this:
https://github.com/Saren-Arterius/dbus- … jan-sample
https://www.linuxquestions.org/question … page2.html
https://askubuntu.com/questions/1090365 … esses-owne
http://www.lieberbiber.de/2018/09/04/a- … c-malware/
And this post on reddit specifically talks about arch repo? https://www.reddit.com/r/linux/comments … n_malware/
Looks quite similar to my case!
A kodi plugin... argh! I knew it! XD
Last edited by Mixu (2023-05-28 17:01:55)
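An added example, not the thread's own code, covering the persistence mechanism found above (a detached launch from .bashrc and .bash_profile of a binary hidden under a dot-directory in $HOME) and Trilby's earlier point that a system service can run as any user through User=. It greps the usual per-user start-up files and, on request, the ExecStart of every system unit for detach keywords and for paths under /tmp or under a hidden directory in a home. PATTERN, flag_launchers, count_hits, scan_user_startup and scan_system_units are my names; the demo file is constructed from the snippet quoted in the post, plus two benign lines, and the systemctl calls assume a systemd host.

```shell
#!/bin/sh
# Added example (not from the thread): triage per-user start-up files and
# system units for detached launches or executables hidden in dot-directories.

# One ERE for both kinds of evidence: detach-and-background keywords, and
# executable paths under /tmp or under a hidden directory in a home.
# It is a triage aid, so expect a few benign hits (e.g. "source ~/.fzf.bash").
PATTERN='setsid|nohup|disown|\$HOME/\.|~/\.|/home/[^/]+/\.|/root/\.|/tmp/|/var/tmp/|/dev/shm/'

# Print file:line:text for every hit in one file; silently skip unreadable files.
flag_launchers() {
  [ -r "$1" ] || return 0
  grep -nE "$PATTERN" "$1" | sed "s|^|$1:|"
}

# Number of hits in a file (handy for scripting and for tests).
count_hits() {
  flag_launchers "$1" | wc -l | tr -d ' '
}

# The files a login shell, an X session or the user's systemd instance read.
scan_user_startup() {
  for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.bash_login" "$HOME/.profile" \
           "$HOME/.zshrc" "$HOME/.zprofile" "$HOME/.xinitrc" "$HOME/.xprofile" \
           "$HOME"/.config/autostart/*.desktop "$HOME"/.config/systemd/user/*.service; do
    flag_launchers "$f"
  done
}

# System services can run as any account via User=, so check their ExecStart too.
scan_system_units() {
  systemctl list-units --type=service --all --no-legend --plain 2>/dev/null |
  awk '{print $1}' |
  while read -r unit; do
    systemctl show "$unit" -p Id,User,ExecStart 2>/dev/null |
      grep -qE "$PATTERN" && systemctl show "$unit" -p Id,User,ExecStart
  done
}

# Demo on a constructed file: the .bashrc snippet quoted in the thread,
# padded with two benign lines that must not be flagged.
demo_sample() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
export PATH="$HOME/bin:$PATH"
linux_bash="$HOME/.ssh/service/ssh-agent"
if [ -e "$linux_bash" ];then
setsid "$linux_bash" 2>&1 & disown
fi
alias ll='ls -l'
EOF
  flag_launchers "$tmp"    # reports lines 2 and 4 only
  rm -f "$tmp"
}

# Usage: sh scan_startup.sh          (demo on the constructed sample)
#        sh scan_startup.sh --scan   (your own start-up files and system units)
case "${1:-}" in
  --scan) scan_user_startup; scan_system_units ;;
  *)      demo_sample ;;
esac
```

The demo flags the variable assignment (a hidden path under $HOME) and the setsid/disown line, and nothing else. Against a real account run it as that user so the globs expand under the right $HOME; scan_system_units needs no privileges for reading unit properties, but the auditd backlog overflow visible in the journal above is a reminder that a watch rule alone can drop the event you want, whereas the start-up files themselves are static and can be grepped at leisure.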
I've been following this thread in the background and it has been an interesting read.
Which Kodi plugins have you installed? Do they originate from AUR? If not, where?
Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Sure, done!
Thanks all for the help!
@Irets, it must have been way back in 2019, because the files were dated back then.
I don't remember which plugin it would be; years ago I tried several different addons, like scraper ones, listings, integrations, I can't remember exactly, but I never used them from AUR, so it could be from some compromised repository elsewhere.