Hello to everyone,
is there any way to see if our system has the above malware? And what can we do to delete it?
Last edited by mpamphslinuxrock (2021-05-03 21:21:48)
rotajakiro... I am sorry, I correct it.
Take a look at this:
Eenie meenie, chili beanie, the spirits are about to speak -- Bullwinkle J. Moose
It's a big club...and you ain't in it -- George Carlin
Registered Linux user #149839
perl -e 'print$i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10); '
The article has no info on how this trojan gets on systems, or what mechanisms it uses to stay hidden from the OS once it has infiltrated a system.
If it has root access it appears to use a systemd-daemon.service, while for non-root dbus services session-dbus and gvfsd-helper are used.
As far as I can find those 3 names don't occur in any official archlinux package.
Checking folders that are used by systemd and/or dbus services seems like a good idea.
I'd check at least /etc/systemd, /usr/lib/systemd and /usr/share/dbus-1 and their subfolders, preferably while booted from a guaranteed rotajakiro-free medium.
Archlinux installation iso or maybe a bootable rescue disk from an antivirus firm?
Last edited by Lone_Wolf (2021-05-04 13:23:56)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough?
Try clean chroot manager by graysky
Monitor for outbound traffic to 176.107.176.16
https://community.blueliv.com/#!/s/608a … 3eb53560a5
Monitor for outbound traffic to 176.107.176.16
https://community.blueliv.com/#!/s/608a … 3eb53560a5
So what should we see on this site? Could you explain? How can we see if we are infected? And of course the next step? How can we remove the threat?
Last edited by mpamphslinuxrock (2021-05-05 09:38:38)
According to blueliv any traffic to that IP address is suspect.
If there's no traffic to it, you're unlikely to be infected.
The netlab article lists 4 domains; they are unresolvable from my system and whois claims they've expired.
It does seem possible those domain addresses have been taken down by their registrars.
For your other questions see my post #5.
With this command?
sudo iftop -n
You probably also want to filter for the destination network.
Alternatively DROP and LOG the IP in iptables/netfilter and you can use https://aur.archlinux.org/packages/psad/ to track the log and send you a notification when the IP is met.
NOTICE: If the backdoor operates w/ root permissions it can manipulate your iptables/netfilter config as well as the entire network stack, completely hiding its traffic. To be really sure, you'd monitor it from an external node (e.g. your router).
Do you have any reason to assume you might be affected?
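A single check script covering the two hints given so far in this thread (the three names and directories from post #5, and the 176.107.176.16 address from the blueliv link), written here as an added example and not posted by any of the thread's participants. Assumptions: the suspect root is mounted read-only under the path passed to --scan when booted from clean media, `ss -Htn` prints the peer address in column 5, and the --scan flag is this script's own.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Names, directories
# and the C2 address come from the posts above; the script layout, the
# --scan flag and the column layout of `ss -Htn` are assumptions.

NAMES="systemd-daemon.service session-dbus gvfsd-helper"
DIRS="etc/systemd usr/lib/systemd usr/share/dbus-1"
C2_IP="176.107.176.16"

# Print each path under the three directories whose file name is one of
# the names, plus any file there whose content mentions one of them.
scan_names() {
    root="${1%/}"
    for d in $DIRS; do
        [ -d "$root/$d" ] || continue
        for n in $NAMES; do
            find "$root/$d" -name "$n" 2>/dev/null || true
            grep -rls -- "$n" "$root/$d" 2>/dev/null || true
        done
    done | sort -u
}

# Filter `ss -Htn` style lines on stdin to those whose peer is the C2 IP
# (any port); exit 0 if at least one line matched, 1 otherwise.
c2_matches() {
    awk -v ip="$1" 'index($5, ip ":") == 1 { print; n++ }
                    END { exit (n ? 0 : 1) }'
}

# View from the box itself; a root-level backdoor can hide this (see the
# NOTICE above), so the router's view is the one to trust.
check_live() {
    ss -Htn 2>/dev/null | c2_matches "$C2_IP"
}

report() {
    hits=$(scan_names "$1")
    if [ -n "$hits" ]; then
        printf 'suspicious names under %s:\n%s\n' "$1" "$hits"
    else
        printf 'no suspicious names under %s\n' "$1"
    fi
    if check_live; then echo "connection to $C2_IP present"
    else echo "no current connection to $C2_IP"; fi
}

# Usage: sh rota-check.sh --scan /mnt/suspect-root   (defaults to /)
case "${1:-}" in
    --scan) report "${2:-/}" ;;
esac
```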
No, I don't have any reason. But I think that this is a very serious threat... and of course all of us need to know! How can I monitor my router from an external node? Could you send me an example?
monitor my router from an external node
You want to monitor your archlinux installation from an external node which could e.g. be your router.
First step: possess and have control over an external node (anything between the potentially infected system and the interwebz).
Second step: figure out how to monitor, filter and log traffic on that system (for archlinux, see the wiki on iptables & netfilter).
No, I don't have any reason. But I think that this is a very serious threat... and of course all of us need to know!
Nine countries on this planet, some of which hate each other, possess nuclear weapons. That is a very serious threat.
Malware has been around since the dawn of software. And while it is always a good idea to be on the lookout for contemporary threats there's nothing that makes RotaJakiro particularly special.
The strategy stays the same: keep your software up-to-date and the network interfaces minimal to provide the least attack surface and you should be fine.
And don't install untrusted software.
Last edited by schard (2021-05-06 13:52:01)
Unofficial first vice president of the Rust Evangelism Strike Force