
Thread: Virus in ubuntu

  1. #21
    Join Date
    Jul 2009
    Location
    New York, NY
    Beans
    1,281
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Virus in ubuntu

    Sounds like you must have gone to a really bad website...I don't know...I surf like crazy and have been running either Ubuntu or an Ubuntu-based distro for years (since 2008) and never got anything on them...
    I don't think going to, say, openSUSE or Fedora or PCLinuxOS (etc.) is going to improve your security...but as was pointed out, just be a bit more cautious than perhaps you have been...for example: I don't go to XXX sites even in Linux...so just stick to, shall we say, "conventional sites" and you shouldn't have a problem...

    The only thing I do is download GUFW and turn on the Linux firewall and that's it...so I can only assume you probably went to a really risky site....also, only download programs from the software center or TRUSTED Linux websites...

    At this point, I'd just do a nice clean install of Ubuntu...
    Last edited by craig10x; November 19th, 2013 at 07:59 AM.

  2. #22
    Join Date
    Jul 2007
    Location
    Tāmaki Makau-rau, NZ
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Virus in ubuntu

    The reason I ask is that poorly-configured servers are a frequent cause of security breaches. Remote desktop and ssh seem to be the most common ones. Incidentally, you don't have to install remote desktop. It's already there, and I've seen a number of people get into trouble by playing with it. I don't know very much about samba, but it's possible that it's the culprit in your case. We need to hear what some of the other posters have to say - they no doubt know a lot more about Samba than I do.
    BACKUPS are unsexy — until you discover you should have done one yesterday.
    Spare your nerves and do one before you upgrade or install.

  3. #23
    Join Date
    May 2007
    Location
    England
    Beans
    11

    Re: Virus in ubuntu

    Hi,
    Well done for spotting this! That's the hard bit done.
    It would be good to know which process is responsible. Can you try this command:
    Code:
    sudo netstat -nap | grep 117.25
    The output could look something like this (the last two items being process ID and name):
    Code:
    tcp        0      0 192.168.1.20:51246      117.25.130.43:84     ESTABLISHED 5265/ssh
    The process shown isn't necessarily evil; you might have to trace back to find the parent process. pstree should help with that.
    Code:
    pstree -p
    Last edited by medior; November 19th, 2013 at 12:33 PM.
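
The triage steps in post #23 (find the process that owns the suspect connection, then trace its parents), written out as an added example that is not part of medior's post. The function names and the sample rows are constructed for illustration; the column layout assumed is that of `netstat -nap` for TCP.

```shell
#!/bin/sh
# Constructed sample in `netstat -nap` TCP column layout (not captured data).
SAMPLE='tcp        0      0 192.168.1.20:51246      117.25.130.43:84        ESTABLISHED 5265/ssh
tcp        0      0 192.168.1.20:40022      203.0.113.7:443         ESTABLISHED 4100/firefox
tcp        0      0 117.25.0.9:22           192.168.1.5:50000       ESTABLISHED 900/sshd'

# Read netstat rows on stdin and print "PID NAME" for TCP rows whose foreign
# address (column 5) starts with the literal prefix $1. Unlike `grep 117.25`,
# the dot is not a regex wildcard and the local-address column is ignored.
remote_owners() {
    awk -v p="$1" '$1 ~ /^tcp/ && index($5, p) == 1 {
        n = split($7, a, "/")
        # Column 7 is "-" when netstat was run without root: skip those rows.
        if (n >= 2 && a[1] ~ /^[0-9]+$/) print a[1], a[2]
    }'
}

# Print "PID NAME" for process $1 and each of its ancestors, one per line,
# by following PPid in <procroot>/<pid>/status. procroot ($2) defaults to
# /proc; it is a parameter only so the walk can be checked against fixtures.
parent_chain() {
    pid=$1
    root=${2:-/proc}
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "$root/$pid/status" ]; do
        name=$(awk '/^Name:/ {print $2}' "$root/$pid/status")
        echo "$pid $name"
        pid=$(awk '/^PPid:/ {print $2}' "$root/$pid/status")
    done
}

# Demo on the constructed sample: only the row whose remote end is 117.25.*
printf '%s\n' "$SAMPLE" | remote_owners 117.25.

# On a live host (root is needed to see PIDs owned by other users):
#   sudo netstat -nap | remote_owners 117.25. |
#       while read -r pid name; do parent_chain "$pid"; echo; done
```

The third sample row has 117.25 only in its local-address column, so a plain `grep 117.25` would report it while the column-aware filter does not.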

  4. #24
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Virus in ubuntu

    He posted the output from ss already. I didn't see anything from the suspect IP inside that.

    Perhaps I'm a little paranoid compared to others. Before 2002, I was hacked twice. Once while on a government network (before firewalls were used) and the other time when running a DNS server that was 3 months behind on patches.

    The things that a smart computer user does to be secure are the same across every OS that I know.
    #1 - backups. 100%, known-good, easy to restore backups. There are thousands of issues that backups solve, not just a broken HDD.
    #2 - don't run services that you don't need/understand.
    #3 - stay patched. The easy way on Ubuntu is to only run LTS releases, so patches are available 5 yrs. Most of the other releases only get 5-9 months of support.
    For more things to do, check my signature and blog. Securing a web browser.

    Whatever happened to this PC - and I can't tell from here - is definitely unusual. Could a bittorrent client be running? Samba usually is not dangerous because ISPs where I live all block those ports on the internet. Perhaps your ISP doesn't? I've been to places in the world where ISPs are just a connection and average computer users hang themselves. How is the machine connected to the internet? Is there a router with a firewall and NAT or is it directly connected? Security is a little different/harder if it is directly attached. Allowing any desktop computer to be directly connected to the internet is a mistake, IMHO.

    If you don't live or work with Chinese, I'd put up a firewall rule that blocks the entire subnet. Let me check ... 117.24.0.0/11. That's the entire ISP subnet for the offending IP, over 2M IPs.

  5. #25
    Join Date
    Nov 2013
    Beans
    33

    Re: Virus in ubuntu

    Hi All,

    Thx for helping. I have installed Gufw before getting the virus. I always browse the web with Gufw on. After I got the virus, I set up a rule in Gufw to block in and out traffic to the Chinese IP. However, no use.

    My computer connects to my router at home, then the router connects to the internet. My router has a firewall, but I did not do any custom configuration on it, just use its default setting.

    For the spying issue, I don't know in what list Microsoft reports bugs to the NSA. In black or white list, does not matter. But helping a spy agency to spy on its customers is not acceptable. I am not an American. So, my privacy is not protected under US laws. NSA can screw with my privacy in any way they want.

    By the way, I executed the commands on the fixubuntu.com site to disable sending data from my desktop to the Ubuntu main site. It is not that I don't trust Ubuntu. It is because I don't want to take the risk.
    Last edited by alexying200005; November 19th, 2013 at 02:53 PM.

  6. #26
    Join Date
    Nov 2013
    Beans
    33

    Re: Virus in ubuntu

    From TheFu's suggestion,

    #1 I did not use backup on Ubuntu.
    #2 I normally do not run any service or app I do not know. I never install anything outside of the Ubuntu repos.
    #3 I always keep updating Ubuntu patches by using the update app in Ubuntu. Probably every 2 or 3 days, I will do an update.

  7. #27
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Virus in ubuntu

    Quote: Originally Posted by alexying200005
    I am not an American. So, my privacy is not protected under US laws. NSA can screw with my privacy in any way they want.
    I am a US citizen and it appears that US laws do not protect me either.

    I cannot blame any US-based company for following legally required requests from the government. The hard part is determining "what is actually legal" when the companies are placed under a gag order - prevented from discussing it even with their own lawyers! As a citizen, this concerns me. Free speech should only be refrained for a few weeks when public safety is at immediate risk, not indefinitely. Covering up something embarrassing or illegal should never be prevented by "questionable laws."

    Sorry for the OT post. Best to close this thread, I fear.

  8. #28
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Question Re: Virus in ubuntu

    This has taken a political turn. However, since I want to make sure the OP's issue is fully addressed, I'm not closing it just yet.

    No more political drifting.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  9. #29
    Join Date
    Nov 2013
    Beans
    33

    Re: Virus in ubuntu

    Thank you all for your suggestions. If anyone needs any info or data, please post on the thread. Meanwhile, I will try openSUSE and see what happens.

  10. #30
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Virus in ubuntu

    @alexying200005, how do you connect to the internet?
