
[ubuntu] [Urgent] some malware (for me) got installed in Ubuntu I think



debd
August 9th, 2011, 06:04 PM
I foolishly clicked on this link: <snip> (please don't click on it) in Ubuntu in Chrome. The page went unresponsive, the machine hung and I restarted.
Internet speed dropped to horribly slow. Tried some link expander to find out about the link but it didn't work.

On average my internet speed is around 35 KB/s, which now is at 2-3 KB/s in Ubuntu. Ping was OK. I checked with my ISP and my local friends who use the same service and found that the network is OK.

Next I checked the processes in Ubuntu and there were 15-20 instances of processes named flush 1-2, flush 1-3, flush 2-3, etc., each having sequential PIDs. Trying to kill them even with sudo kill -9 didn't work. I checked my ports and among those usually open there was port 53. I blocked both in and out on 53 from UFW, to no avail.

While restarting, the shutdown screen had something like "shutting down internet superserver" and that's a new one I'm seeing. I only have an FTP server and Postgres installed, for that matter. What would be a superserver?? And then getting back into Ubuntu didn't help; same speed with the internet. Output of sudo ps -e is attached. Should I attach dmesg output? FYI, I don't use a root account.

I booted into Windows and surprise! Same stuff here.
Opened AVG and noticed an odd network interface named with some garbage letters which I never installed, though there was no listing of that network interface in the 'Network Connections' window.
As a last measure I blocked several ports, and it still didn't work. Then I (don't know why) unchecked "Microsoft file and printer sharing" in the active network card's properties. And now the network's back to normal in Windows.

Please give me some hints about how to get Ubuntu back to normal.
If you need more info please tell me.

debd
August 9th, 2011, 06:49 PM
Someone??
Any input??

Thewhistlingwind
August 9th, 2011, 10:44 PM
http://linux.die.net/man/8/flush

http://book.opensourceproject.org.cn/embedded/oreillybuildembed/opensource/belinuxsys-chp-10-sect-1.html

My gut says you've been hijacked to spam mail?

Which would be odd, because the two above seem to conflict with each other?

I'm not sure what the issue is, I just hope I don't have to pay out on the steak dinner bet. ;)

My advice, see what users are logged in with the command of that name.

EDIT: That's without reading prog.txt; I'll be back when I'm done.

The link would be helpful actually, if you could PM it.

At the very least someone could visit it in a VM to see if the "exploit" is replicable.

debd
August 10th, 2011, 06:13 PM
Thanks for replying.
Well, I found these links:
http://ubuntuforums.org/showthread.php?t=1442114&page=2 (the flush processes listed are similar)
http://www.linuxquestions.org/questions/debian-26/99-cpu-usage-due-to-flush-8-0-and-flush-8-16-a-822553/
and
http://lwn.net/Articles/326552/

While the superserver thing is still going over my head...

And for:
I just hope I don't have to pay out on the steak dinner bet.
I'd rather do a reinstall or maybe a new one (if that is the fact at all :twisted:)

But that new interface in Windows was suspicious...
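A defender-side check for the "flush" processes discussed in this thread, added here as an example (it is not code from any poster): on Linux, `ps -eo pid,ppid,comm` reports kernel threads with parent PID 2 (kthreadd), which is why `kill -9` does nothing to the flush-MAJOR:MINOR writeback threads, whereas a user-space process that merely calls itself "flush" would have an ordinary parent and deserves a closer look. The ps output below is constructed sample data.

```shell
#!/bin/sh
# Constructed sample in `ps -eo pid,ppid,comm` layout: kernel writeback
# threads (flush-MAJOR:MINOR, parent kthreadd = PID 2) plus one user-space
# process that just happens to be named "flush".
SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
    2     0 kthreadd
  312     2 flush-8:0
  313     2 flush-8:16
  314     2 flush-1:2
 4101  1034 flush
 4102     1 inetd'

# classify_flush: print one line per process whose name starts with "flush":
#   <pid> kernel   <name>  -> writeback thread spawned by kthreadd (PPID 2);
#                             unkillable by design, not a sign of compromise
#   <pid> userland <name>  -> ordinary process; inspect its owner, binary
#                             (/proc/<pid>/exe) and open sockets
classify_flush() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                      # skip the ps header line
        $3 ~ /^flush/ {
            if ($2 == 2) print $1, "kernel", $3
            else         print $1, "userland", $3
        }'
}

# count_userland_flush: number of non-kernel "flush" processes. Zero means
# the flush entries are only the kernel writing dirty pages to disk.
count_userland_flush() {
    classify_flush "$1" | awk '$2 == "userland"' | wc -l | tr -d ' '
}

# Live check on the local machine (uncomment to run):
# classify_flush "$(ps -eo pid,ppid,comm)"
```

The "internet superserver" seen at shutdown is the Debian/Ubuntu init-script description of inetd, which shows up in the sample as an ordinary PPID 1 daemon.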

Chayak
August 11th, 2011, 04:49 PM
debd, PM me that link. I'm a security researcher and I'm rather interested in what it's doing.