I think I've been hacked.
Noticed today that the net was pokey, a tell-tale. System Status showed pretty constant uploading going on to somewhere, in bursts of several minutes, followed by periods of inactivity.
Last time I saw this sort of thing, I tracked it down to my cloud backup hogging the network. This time, however, turning off all the backup/syncing software didn't clean it up.
Ran nethogs, which told me that I had two processes running that seemed to be doing a lot of up/down: /usr/bin/java, loaded early in the sequence (process 1702) and something called "/root/jun". When the uploads kicked in, nethogs suddenly showed a couple of dozen connections from random ports on my machine to a selection of unknown IP addresses on their ports 80. Did some snooping; the IP addresses I found are in the Philippines (!), one in Taiwan.
Fired up ufw, and set it to deny all outgoing connections. The traffic immediately dropped to 0, but one of the CPUs on my machine jumped to 100% usage. I theorized that it was the firewall intercepting a few gazillion connect requests from something on my machine to the outside world. Maybe this "jun" thing?
I killed jun (with sudo killall). The CPU usage dropped back to normal. I went looking for "jun" and found it at /root/jun, just where nethogs said it was. Gingerly removed it, removed the firewall rule disallowing outbound connections, all is well. For a while. Then, same symptoms. Sure enough, "jun" was back in the process list, and back in the /root directory.
So there's some other rogue process that's reinstating "jun". I don't know what it is, so I'm turning off outbound connections until I get it sussed.
Anybody else seen this? Any suggestions as to finding the rogue process behind "jun"'s creation? FYI: Ubuntu 12.04 LTS, up-to-date (inc. all the bash updates that have been coming down the pipe the last few days). All help gratefully accepted.
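One way to look for whatever keeps restoring /root/jun, as an added example that is not part of the original post: search the places that start commands on their own on an Ubuntu 12.04-era system for references to the dropped file, and list anything in those places that changed recently. The function names and the path list are assumptions chosen for this example; the optional root argument lets the same check run against a mounted copy of the disk.

```shell
#!/bin/sh
# Added example (not from the original post): triage of autostart locations.

# Locations that launch commands without user action: cron, SysV init,
# upstart jobs, rc.local, root's shell startup files, the ld.so preload list.
PERSISTENCE_PATHS="
etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly
etc/cron.monthly var/spool/cron/crontabs etc/rc.local etc/init.d etc/init
etc/ld.so.preload etc/profile etc/profile.d root/.bashrc root/.profile
root/.bash_profile
"

# find_persistence_refs <needle> [root]
# Prints every file in the locations above that mentions <needle>,
# e.g. the path /root/jun. [root] defaults to the live filesystem (/).
find_persistence_refs() {
    fpr_needle=$1
    fpr_root=${2:-/}
    fpr_root=${fpr_root%/}          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    for fpr_rel in $PERSISTENCE_PATHS; do
        fpr_target="$fpr_root/$fpr_rel"
        [ -e "$fpr_target" ] || continue
        # -r recurse, -l print file names only, -s stay quiet on unreadable
        # files, -F treat the needle as a fixed string rather than a regex
        grep -rlsF -- "$fpr_needle" "$fpr_target" || true
    done | sort -u
}

# recently_changed <days> [root]
# Prints files in the same locations modified within the last <days> days.
# Catches a respawner that fetches its payload by URL and so never names
# the dropped file literally.
recently_changed() {
    rc_days=$1
    rc_root=${2:-/}
    rc_root=${rc_root%/}
    for rc_rel in $PERSISTENCE_PATHS; do
        rc_target="$rc_root/$rc_rel"
        [ -e "$rc_target" ] || continue
        find "$rc_target" -type f -mtime "-$rc_days" 2>/dev/null || true
    done | sort -u
}

# Typical use on the affected machine, as root:
#   find_persistence_refs /root/jun
#   recently_changed 7
```

Run it as root so the per-user crontabs under /var/spool/cron/crontabs are readable; an empty result only means these particular locations are clean, not that the machine is.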