Page 3 of 6 FirstFirst 12345 ... LastLast
Results 21 to 30 of 54

Thread: Cheese Webcam Booth - backdoor Trojan?

  1. #21
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Cheese Webcam Booth - backdoor Trojan?

    Quote Originally Posted by rookcifer
    Everything looks fine on first machine (Samba and printer which should be bound locally). On the second machine, do you have that VNC server locked down with a strong password?

    Other than the VNC server, I don't see any way in.
    No password between the VNC weather machine and the main PC...which, presumably, is how he got in....
    Ubuntu is computer speak for defenestration

  2. #22
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Cheese Webcam Booth - backdoor Trojan?

    From rkhunter - the same warning occurs on both machines....
    [18:08:13] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
    [18:08:13] /usr/sbin/useradd [ OK ]
    [18:08:13] /usr/sbin/userdel [ OK ]
    [18:08:14] /usr/sbin/usermod [ OK ]
    [18:08:14] /usr/sbin/vipw [ OK ]
    [18:08:14] /usr/sbin/unhide-linux26 [ Warning ]
    [18:08:14] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
    [18:08:21]
    .
    .
    .
    [18:08:57] Checking /dev for suspicious file types [ Warning ]
    [18:08:57] Warning: Suspicious file types found in /dev:
    [18:08:57] /dev/shm/pulse-shm-2901440300: data
    [18:08:57] /dev/shm/pulse-shm-2260800593: data
    [18:08:57] Checking for hidden files and directories [ None found ]
    Ubuntu is computer speak for defenestration
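    The rkhunter excerpt above contains two different kinds of warning: files missing from rkhunter's properties database (usually a package installed or updated after the last `rkhunter --propupd`) and "suspicious" files in /dev/shm. The following triage script is an added example, not code from the thread or from rkhunter; it parses a constructed copy of the posted log lines, labels each warning, and treats the `/dev/shm/pulse-shm-*` names as a known-benign PulseAudio pattern (an assumption encoded in `BENIGN_DEV`).

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the rkhunter excerpt posted in the thread.
SAMPLE_LOG = """\
[18:08:13] Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
[18:08:13] /usr/sbin/useradd [ OK ]
[18:08:14] /usr/sbin/unhide-linux26 [ Warning ]
[18:08:14] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
[18:08:57] Checking /dev for suspicious file types [ Warning ]
[18:08:57] Warning: Suspicious file types found in /dev:
[18:08:57] /dev/shm/pulse-shm-2901440300: data
[18:08:57] /dev/shm/pulse-shm-2260800593: data
[18:08:57] Checking for hidden files and directories [ None found ]
"""

TS = r"^\[\d{2}:\d{2}:\d{2}\] "
NOT_IN_DAT = re.compile(
    TS + r"Warning: The file '(?P<path>[^']+)' exists on the system, "
         r"but it is not present in the rkhunter\.dat file\.")
DEV_HEADER = re.compile(TS + r"Warning: Suspicious file types found in /dev:")
DEV_ENTRY = re.compile(TS + r"(?P<path>/dev/\S+): (?P<ftype>.+)$")

# Assumption: PulseAudio shared-memory segments are expected on a desktop and are benign.
BENIGN_DEV = [re.compile(r"^/dev/shm/pulse-shm-\d+$")]

STALE_DB_NOTE = ("file not in rkhunter's properties database; confirm it belongs to an "
                 "installed package (dpkg -S) and its checksum matches (debsums), "
                 "then refresh with 'rkhunter --propupd'")


@dataclass
class Finding:
    path: str
    category: str   # "stale-properties-db" or "suspicious-dev-file"
    severity: str   # "info", "low" or "medium"
    note: str


def triage(log_text):
    """Turn raw rkhunter log lines into labelled findings."""
    findings = []
    in_dev_block = False
    for line in log_text.splitlines():
        m = NOT_IN_DAT.match(line)
        if m:
            in_dev_block = False
            findings.append(Finding(m["path"], "stale-properties-db", "low", STALE_DB_NOTE))
            continue
        if DEV_HEADER.match(line):
            in_dev_block = True   # following lines list the offending /dev entries
            continue
        if in_dev_block:
            m = DEV_ENTRY.match(line)
            if m:
                benign = any(p.match(m["path"]) for p in BENIGN_DEV)
                findings.append(Finding(
                    m["path"], "suspicious-dev-file",
                    "info" if benign else "medium",
                    "matches known-benign pattern" if benign
                    else f"unexpected {m['ftype']} under /dev; inspect owner, mtime and contents"))
                continue
            in_dev_block = False  # any other line ends the /dev listing
    return findings


def summarize(findings):
    """Count findings per severity so a log can be judged at a glance."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.category:22} {f.path}: {f.note}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run against a real log (`/var/log/rkhunter.log` on Ubuntu) the script separates housekeeping noise from entries that deserve a closer look; anything rated "medium" is a /dev entry that does not match a pattern you have explicitly vetted.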

  3. #23
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Cheese Webcam Booth - backdoor Trojan?

    To further complicate matters, my weather PC is showing at 100% CPU all the time despite the attached from "top"
    Attached Images
    Ubuntu is computer speak for defenestration

  4. #24
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Cheese Webcam Booth - backdoor Trojan?

    bump
    Ubuntu is computer speak for defenestration

  5. #25
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Cheese Webcam Booth - backdoor Trojan?

    As for the first warning from chrootkit, see this thread. It appears others have had this very warning and it was nothing.

    As for the second warning from rkhunter, see this thread. Same thing here, it appears to be nothing out of the ordinary.

  6. #26
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Cheese Webcam Booth - backdoor Trojan?

    Thanks, once again, for your help....

    So, after all that we are none the wiser how the intruder got in ....or how he can be stopped in the future?!
    Ubuntu is computer speak for defenestration

  7. #27
    Join Date
    May 2006
    Location
    Bogota. Colombia
    Beans
    38

    Re: Cheese Webcam Booth - backdoor Trojan?

    Hmmm. It doesn't look normal. I would try to figure out how they did it.

    Is your Wireless AP the router for your net?

    Are you using a dynamic ip or fixed one?

    Is your Wireless AP accessible via web? From inside, or is remote admin enabled (web access via the WAN side of the AP)?

    Your AP uses the standard password?

    Unless your "weather" Linux PC is the "frontend" for the internet, I don't see a feasible way to break a system as described.

    Sadly the data that you've sent is useless in the sense that the event already happened and there weren't logs from the event itself. (A netstat would have been perfect.)
    Andrés Mauricio Mujica
    https://launchpad.net/~andres.mujica
    Ubuntu Bugsquad & Bugcontrol

  8. #28
    Join Date
    May 2006
    Location
    Bogota. Colombia
    Beans
    38

    Re: Cheese Webcam Booth - backdoor Trojan?

    Aahh, please check in your AP the firewall and port redirection sections; if your AP uses the standard password and the admin web page is accessible from outside, someone could have accessed it, configured a redirection to the VNC PC, and from there... well, who knows!?
    Andrés Mauricio Mujica
    https://launchpad.net/~andres.mujica
    Ubuntu Bugsquad & Bugcontrol

  9. #29
    Join Date
    Oct 2005
    Location
    Davao, Philippines
    Beans
    4,830

    Re: Cheese Webcam Booth - backdoor Trojan?

    Quote Originally Posted by dunbrokin
    So, after all that we are none the wiser how the intruder got in ....or how he can be stopped in the future?!

    And if you're really concerned about your personal data and privacy, you should have wiped your old installation by now for a newer one with basic firewall protection. Don't go chasing a ghost who could have covered his tracks after that unlikely incident.

  10. #30
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Cheese Webcam Booth - backdoor Trojan?

    Is your Wireless AP the router for your net?
    Yes.

    Are you using a dynamic ip or fixed one?
    Dynamic

    Is your Wireless AP accessible via web? From inside, or is remote admin enabled (web access via the WAN side of the AP)?
    Not sure what this means.

    Your AP uses the standard password?
    No, a randomly generated password. A friend came by last week with his PC (using Vista) and I gave him access to the net via my wireless....not sure if somebody (not him) could have got access to the password that way.

    Unless your "weather" Linux PC is the "frontend" for the internet, I don't see a feasible way to break a system as described.
    The weather PC is not the front end. It is just another connection.

    Sadly the data that you've sent is useless in the sense that the event already happened and there weren't logs from the event itself. (A netstat would have been perfect.)
    But there are netstat logs attached above?
    Ubuntu is computer speak for defenestration
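    The thread's best lead is the password-less VNC server, and the netstat listings mentioned above are the place to confirm which services were actually reachable from the network. The script below is an added example, not the poster's attachment or any tool from the thread: it parses a constructed `netstat -tlnp`-style listing, separates loopback-only listeners from those bound to all interfaces, and rates the exposed ones using a small risk table (an assumption of this example, with VNC's 5900-5999 range rated highest because the thread describes it running without a password).

```python
# Constructed sample in the layout of `netstat -tlnp` output; not the poster's real attachment.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      2901/x11vnc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1120/smbd
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
"""

# Address forms netstat/ss use for "every interface".
WILDCARD_ADDRS = {"0.0.0.0", "::", "*", "[::]"}

# Hypothetical risk table for this example; adjust to your own network policy.
RISK_BY_PORT = {
    22: ("SSH", "low"),
    139: ("NetBIOS/SMB", "medium"),
    445: ("SMB", "medium"),
}


def is_loopback(addr):
    return addr.startswith("127.") or addr in {"::1", "[::1]"}


def classify(port):
    """Name the service and assign a risk level; VNC is treated as a whole port range."""
    if 5900 <= port <= 5999:
        return ("VNC", "high")
    return RISK_BY_PORT.get(port, ("unknown", "review"))


def parse_listeners(text):
    """Extract (addr, port, program) for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        prog = parts[6].partition("/")[2] if len(parts) > 6 else "?"
        listeners.append({"addr": addr, "port": int(port), "program": prog})
    return listeners


def exposed_listeners(text):
    """Return network-reachable listeners, highest risk first."""
    order = {"high": 0, "medium": 1, "review": 2, "low": 3}
    exposed = []
    for l in parse_listeners(text):
        if is_loopback(l["addr"]):
            continue  # reachable only from the machine itself
        service, risk = classify(l["port"])
        exposed.append({**l, "service": service, "risk": risk,
                        "all_interfaces": l["addr"] in WILDCARD_ADDRS})
    return sorted(exposed, key=lambda e: order[e["risk"]])


if __name__ == "__main__":
    for e in exposed_listeners(SAMPLE_NETSTAT):
        scope = "all interfaces" if e["all_interfaces"] else e["addr"]
        print(f"{e['risk']:6} {e['service']:12} port {e['port']:<5} {e['program']} ({scope})")
```

    The same parser works on the `ss -ltnp` layout only after adjusting the column indices, since `ss` prints its columns in a different order; for a home setup the action on a "high" row is to bind the service to loopback or a trusted interface and put a password (or an SSH tunnel) in front of it, and to verify the router forwards nothing to it.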
