
#1 2010-09-03 22:22:19

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Some sort of malware

Gmail account had been compromised.
Thought it was from logging on to another computer that was infected.
Changed password on my netbook with Arch Linux here.
A day later, more suspicious activity, from THREE DIFFERENT COUNTRIES.
Therefore there must be some form of malware on my netbook.
I've used Clyde to install packages from AUR, so I assume that's where the problem stems from.
How do I go about weeding out the malware?
I'd rather not have to go through the trouble of reinstalling Arch (USB drive is iffy now, constantly disconnects itself), but if I absolutely have to, I will.
Sad, sad days.


#2 2010-09-03 23:00:17

cesura
Package Maintainer (PM)
From: Tallinn, Estonia
Registered: 2010-01-23
Posts: 1,867

Re: Some sort of malware

Another "hacked the phrak way" story?
Do you have any idea on how the hacker is getting access to your computer? Is sshd running?


#3 2010-09-03 23:12:56

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

No sshd. For the most part my htop looks fine. See /usr/lib/GConf/gconfd-2, which I don't remember running or adding; /usr/sbin/consolekit-daemon --no-daemon has a metric ****ton of threads, and so on... Is there a way to print this output? The currently running applications I mean.


#4 2010-09-03 23:16:19

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: Some sort of malware

gconfd has to be running if you're using Gnome, CK as well if you want a sane session.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.


#5 2010-09-03 23:20:46

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

Not using GNOME, using Openbox. Needed for GTK maybe? Also, removed sane. I think..
Sane, samba, and cups. Don't use any of the three.


#6 2010-09-04 00:02:41

shemz
Member
Registered: 2010-04-23
Posts: 135

Re: Some sort of malware

I think ngoonee meant sane as in the antonym of insane. A little care in the selection of apps and you can get rid of CK (it's not KISS anyway). As for gconfd, you must be running some GNOME apps; for example, nautilus spawns at least one gconfd thread. About your gmail being hacked, you have not provided any detail at all. And what is the connection between installing packages from AUR and a hacker tracking your gmail account?


#7 2010-09-04 00:08:35

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

shemz, there's no detail to be given. Simply, my password was discovered somehow on this netbook, and after changing it, it was discovered again. I believe some item I've installed from the AUR, using clyde in place of pacman, has a keylogger or some sort of file reader in it that found and reported my password to whatever botnet or some such thing that it serves. I remember reading somewhere some time ago that Pidgin stores your GTalk password in an unencrypted file in your home folder... Have removed Pidgin already.


#8 2010-09-04 00:23:58

olvar
Member
Registered: 2009-11-13
Posts: 97

Re: Some sort of malware

Could it be possible they changed your secret question/answers, and contact mail, so when you changed your password they regained control over it by those means?

If it's not possible, and you are certain of the AUR accusation, could you post the output of pacman -Qm?

Last edited by olvar (2010-09-04 00:25:55)


#9 2010-09-04 00:27:04

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

No, my contact email is the same, and the questions are the same too. It's some World of Warcraft account phishing scheme. I only noticed when I received 65 "message send failed" mails in my inbox. I'm sweeping my installed packages with gtkpacman.


#10 2010-09-04 00:43:17

olvar
Member
Registered: 2009-11-13
Posts: 97

Re: Some sort of malware

Just to help you ponder other alternatives:
Is your wifi network secured? Have you used public networks or external DNS services, for instance?

I would find it really sad if the guilty party is in fact some AUR package.


#11 2010-09-04 01:07:03

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

I haven't been on any open/non-secure networks on this netbook since I've installed Arch. My home wireless network uses WPA/WPA2. I think another possibility may be that someone accessed my computer while I was on IRC. I have no firewalls in place. My router is in DMZ mode (trying to open up my NAT type on Xbox Live). Now that I remember this, I'm going to turn DMZ mode off.


#12 2010-09-04 01:15:32

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Some sort of malware

Mecharuva wrote:

I believe some item I've installed from the AUR, using clyde in place of pacman, has a keylogger or some sort of file reader in it that found and reported my password to whatever botnet or some such thing that it serves.

If you are going to make this sort of alarmist claim, please post the output of pacman -Qm so that people can review the packages that you have installed.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#13 2010-09-04 01:22:24

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

jasonwryan:
acpi-eeepc-generic 1.0rc3-0.1
ciso 1.0.0-1
clyde-git 20100827-1
gtkpacman 2.3.1-1
hsetroot 1.0.2-1
json-glib 0.10.2-1
pacgraph 20100828-1
pidgin-facebookchat 1.67-1
vbaexpress 1.2-3
volumeicon 0.2.1-2
xcompmgr-git 20100902-1


#14 2010-09-04 06:03:46

pataphysician
Member
Registered: 2010-09-04
Posts: 46

Re: Some sort of malware

Are you sure your other email, where passwords for gmail are sent, isn't compromised?

Last edited by pataphysician (2010-09-04 06:15:12)


#15 2010-09-04 06:35:16

pataphysician
Member
Registered: 2010-09-04
Posts: 46

Re: Some sort of malware

Also, someone could just be forging your email address in the From section of their phishing emails, without actually compromising your account. You would then get automated replies, if the To address doesn't exist or can't be delivered to, from the email server for the domain which the To address belongs to.

Unless you're seeing activity other than automated message delivery failure emails, I would think that this is the cause, which of course changing your password won't do a thing about.

Last edited by pataphysician (2010-09-04 06:44:39)
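An added example, not something from this thread, of how to check pataphysician's explanation against an actual bounce: a delivery-status report carries a copy of the message that failed, and every server that relayed that message prepended a Received: header, so the last Received: line in the embedded copy is the earliest hop. If that hop is not one of your provider's servers, the mail never went through your account and only the From: address was forged. The two sample bounces, the host names, and the domain provider.example (standing in for the real provider) are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example: classify a multipart/report bounce as backscatter from a forged
# From: address, or as a message that really left the account. All sample data
# below is constructed; provider.example is a placeholder for your provider.

# first_hop FILE: print the earliest Received: header (unfolded) of the
# original message embedded in the bounce.
first_hop() {
    awk '
        /^[Cc]ontent-[Tt]ype: *message\/rfc822/ { st = 1; next } # embedded original follows
        st == 1 && /^$/ { st = 2; next }   # blank line ends the part header
        st == 2 && /^$/ { exit }           # blank line ends the original headers
        st == 2 && /^Received:/ { rcv = $0; cont = 1; next }
        st == 2 && cont && /^[ \t]/ { sub(/^[ \t]+/, ""); rcv = rcv " " $0; next }
        st == 2 { cont = 0 }
        END { print rcv }                  # last one seen = earliest hop
    ' "$1"
}

# classify_bounce FILE PROVIDER_DOMAIN: "own-account" if the earliest hop names
# a provider host, otherwise "backscatter".
classify_bounce() {
    case "$(first_hop "$1")" in
        *"$2"*) echo own-account ;;
        *)      echo backscatter ;;
    esac
}

# write_dsn FILE < ORIGINAL: wrap the original message read from stdin in a
# constructed delivery-status report, the way a rejecting MX would.
write_dsn() {
    {
        cat <<'EOF'
From: Mail Delivery System <MAILER-DAEMON@mx.recipient.example>
To: victim@provider.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example
Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

EOF
        cat
        printf '%s\n' '--B1--'
    } > "$1"
}

# Constructed bounce of a message that really went out through the provider.
write_legit() {
    write_dsn "$1" <<'EOF'
Received: from mail-out.provider.example (mail-out.provider.example [198.51.100.7])
    by mx.recipient.example with ESMTP id 4kq; Sat, 4 Sep 2010 00:10:00 +0000
Received: by mail-out.provider.example with SMTP id 7tz
    for <nobody@recipient.example>; Sat, 4 Sep 2010 00:09:58 +0000
From: victim@provider.example
To: nobody@recipient.example
Subject: hello

hi
EOF
}

# Constructed bounce of a forged message: handed straight to the recipient's
# MX from an unrelated host, never touching provider.example.
write_spoofed() {
    write_dsn "$1" <<'EOF'
Received: from [203.0.113.45] (helo=victim-laptop.localdomain)
    by mx.recipient.example with SMTP id 2hq; Sat, 4 Sep 2010 00:10:00 +0000
From: victim@provider.example
To: nobody@recipient.example
Subject: Free gold!

click here
EOF
}

# Stand-alone demo on throw-away files.
t=$(mktemp -d)
write_legit "$t/legit.eml"
write_spoofed "$t/spoofed.eml"
for f in legit spoofed; do
    echo "$f: $(classify_bounce "$t/$f.eml" provider.example)"
done
rm -rf "$t"
```

Only the Received: headers added by servers you trust are reliable; anything below them was written by the sender, so a forger can prepend fake provider hops and this check can say "own-account" when it should not. It separates plain backscatter from real use of the account; it does not replace looking at the account's own activity log.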


#16 2010-09-04 12:10:33

shemz
Member
Registered: 2010-04-23
Posts: 135

Re: Some sort of malware

Turning off DMZ mode is not suggested, unless you really need it. But then many old game server setups require clients to accept incoming connections on random ports, and so DMZ is required. Anyway, I am also using dd-wrt, which is a Linux-based firmware for my router, and I believe iptables is preconfigured. Also ssh and telnet are disabled by default, and I never had any security problems with it, even with DMZ mode on occasionally. And yes, pidgin saves user passwords in a simple xml file, but then again I have been using pidgin for as long as I can remember, and never had this sort of problem. There are many threads on this forum concerning user security, which you could review.

All the packages from your pacman -Qm output are voted for by at least 100 users. Which of these packages can you blame? If you still believe that there is some sort of malware, then try deleting your user and its home directory and creating a new user. Remember to back up any important config files. This will save you from the hassle of reinstalling everything.


#17 2010-09-04 22:14:02

Mecharuva
Member
Registered: 2010-08-28
Posts: 33

Re: Some sort of malware

pataphysician, I am seeing account activity from a number of IP addresses all over the world, not just mail system error reports.

And shemz, I did not think of that -- at all.
I'll do that here soon, thanks a whole, huge heap.


#18 2010-09-05 03:04:44

hiciu
Member
Registered: 2010-08-11
Posts: 84

Re: Some sort of malware

Check the extensions in Firefox (or another browser); maybe there is something suspicious. Also, with this script you can check if any files on your system are different from the ones in the repo:

#!/bin/bash
# Compares the filesystem against the pacman database, then re-downloads every
# installed repo package and compares the md5sums of its files with what is on
# disk. Results land in $TEMP: non-db.txt, missing.txt and different.txt.
TEMP=$(mktemp -d)
cd "$TEMP" || exit 1

echo ' => Comparing fs with pacman db...'
# Files owned by any package. Directory entries end in '/' and are dropped,
# because find below only lists files and symlinks.
 /usr/bin/pacman -Ql | cut -d ' ' -f 2- | grep -v '/$' > db.txt && sort -u db.txt > db.sorted.txt &
 sudo find / -xdev \( -type f -o -type l \) > fs.txt && sort -u fs.txt > fs.sorted.txt &
wait
 comm -2 -3 {fs,db}.sorted.txt > non-db.txt &   # on disk, owned by no package
 comm -1 -3 {fs,db}.sorted.txt > missing.txt &  # owned by a package, gone from disk
wait
rm {fs,db}{,.sorted}.txt

echo ' => Checking installed packages...'
# Only packages that exist in the configured repos can be re-downloaded.
 pacman -Qq > pacman.qq.txt && sort -u pacman.qq.txt > pacman.qq.sorted.txt &
 pacman -Slq > pacman.slq.txt && sort -u pacman.slq.txt > pacman.slq.sorted.txt &
wait
comm -12 pacman.{qq,slq}.sorted.txt > packages.txt
rm pacman.{qq,slq}{,.sorted}.txt
rm -f md5sums.txt && touch md5sums.txt

for package in $(cat packages.txt); do
 echo -n "  -> Checking $package..."
 # Download only, no install. Use plain pacman -Sw if you don't have powerpill.
 sudo powerpill -Sw --noconfirm "$package"
 rm -rf pkgtmp && mkdir pkgtmp
 bsdtar -x -C pkgtmp -f /var/cache/pacman/pkg/"$(pacman -Sp "$package" | sed 's@.*/@@g')"

 cd pkgtmp
 # Checksums of the package's files as paths relative to '/', skipping pacman metadata.
 find . -type f ! -name .PKGINFO ! -name .INSTALL ! -name .CHANGELOG -exec md5sum {} \; >> ../md5sums.txt
 cd "$TEMP"

 tput el1; tput cr;
done

echo " => Checking filesystem..."
cd /
# --quiet prints only the files whose checksum no longer matches.
md5sum --check --quiet "$TEMP/md5sums.txt" > "$TEMP/different.txt"

echo " => Done. Check non-db.txt, missing.txt and different.txt from $TEMP"

It's very dirty (hacked together from a few other scripts), but it gets the job done. You will need to change it to match your system. It checks every file in the filesystem: if it's from the repo, it compares md5 sums; if it's not from the repo, it should inform you about it (so don't worry about config files in /etc/, they should be different from the stock ones).

And maybe run this from a live CD, because if your system was hacked / compromised, then you can't even trust your /bin (e.g. /usr/bin/md5sum may be changed to return the original checksum on modified binaries).

Mecharuva wrote:

Is there a way to print this output? The currently running applications I mean.

ps aux

Check "lsof -i -P -n", "last" and /var/log/* too.

Last edited by hiciu (2010-09-05 03:09:31)
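Added example, not hiciu's script or anything else from the thread: the same three comparisons the script makes (files no package owns, package files missing from disk, package files whose checksum changed), written as one function that takes an md5sum-format manifest instead of querying pacman, so it can be run offline against any tree and exercised on a constructed one. The function names, the fake root under a temporary directory and its manifest are mine; on a real system the manifest is produced the way the script does it, by extracting each package from a trusted cache or mirror.

```shell
#!/bin/sh
# Added example: manifest-based integrity check. Manifest lines are in the
# format md5sum --check accepts, "<md5>  <path relative to ROOT>", which is a
# constructed stand-in for the md5sums.txt the script above builds from packages.

# integrity_check ROOT MANIFEST OUTDIR
# Writes non-db.txt, missing.txt and different.txt into OUTDIR.
integrity_check() {
    local root manifest out
    root=$1
    manifest=$(readlink -f "$2")
    out=$3
    mkdir -p "$out"

    # Every regular file and symlink under ROOT, as a path relative to ROOT.
    (cd "$root" && find . \( -type f -o -type l \) | sed 's|^\./||') \
        | sort -u > "$out/fs.txt"
    # Every path the manifest says a package owns (skip the 32-char md5 and two spaces).
    cut -c 35- "$manifest" | sort -u > "$out/db.txt"

    # comm -23: only in the filesystem -> owned by no package
    comm -23 "$out/fs.txt" "$out/db.txt" > "$out/non-db.txt"
    # comm -13: only in the manifest   -> package file deleted from disk
    comm -13 "$out/fs.txt" "$out/db.txt" > "$out/missing.txt"

    # md5sum --check --quiet prints one "<path>: FAILED" line per mismatch.
    # Missing files report "FAILED open or read" and are filtered out here,
    # since missing.txt already lists them.
    (cd "$root" && md5sum --check --quiet "$manifest" 2>/dev/null) \
        | awk -F': ' '$2 == "FAILED" { print $1 }' > "$out/different.txt"
    return 0
}

# build_demo ROOT: constructed fake root plus its clean manifest ROOT.manifest,
# then tampered with: one package file modified, one untracked file added,
# one package file deleted.
build_demo() {
    local root
    root=$1
    mkdir -p "$root/usr/bin" "$root/usr/lib" "$root/etc"
    printf 'ELF-clean\n'   > "$root/usr/bin/ls"
    printf 'ELF-clean\n'   > "$root/usr/bin/md5sum"
    printf 'HOSTNAME=nb\n' > "$root/etc/rc.conf"
    (cd "$root" && md5sum usr/bin/ls usr/bin/md5sum etc/rc.conf) > "$root.manifest"

    printf 'ELF-patched\n' > "$root/usr/bin/ls"      # modified package file
    printf 'dropped\n'     > "$root/usr/lib/libx.so" # file no package owns
    rm -f "$root/etc/rc.conf"                        # package file removed
}

# Stand-alone demo on a throw-away directory.
demo_dir=$(mktemp -d)
build_demo "$demo_dir/root"
integrity_check "$demo_dir/root" "$demo_dir/root.manifest" "$demo_dir/out"
for f in non-db missing different; do
    echo "== $f.txt"
    cat "$demo_dir/out/$f.txt"
done
rm -rf "$demo_dir"
```

Run it from clean media, as hiciu says, and read different.txt first; non-db.txt is long on any real system because configuration files and user data live outside packages. Newer pacman releases ship `pacman -Qkk`, which performs this checksum comparison from the installed package's own metadata.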

