Page 2 of 2
Results 11 to 17 of 17

Thread: Do I have a rootkit?

  1. #11
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    15,054
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Do I have a rootkit?

    What are the arguments to wget? The process table has those. You can even find the entire environment based on the PID, if you need. It is in /proc/{PID}/

    ps -eaf|grep wget

  2. #12
    Join Date
    Nov 2018
    Beans
    11

    Re: Do I have a rootkit?

    Thank you for your help. Here is what "ps -eaf | grep wget" gives me inside a loop:

    Code:
    user     13042 13053  0 23:30 ?        00:00:00 wget -S --spider https://blogbird.000webhostapp.com/forwarder
    user     13054 13053  0 23:30 ?        00:00:00 wget -S --spider https://blogbird.000webhostapp.com
    user     13063 11565  2 23:30 ?        00:00:00 wget -O - https://blogbird.000webhostapp.com

    Edit: one line was missing
    Last edited by feliixx; 6 Days Ago at 11:23 PM.

  3. #13
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    15,054
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Do I have a rootkit?

    If you aren't using blogbird, then your machine is being used to increase their clicks. Check the wget manpage. If you don't use wget, move the binary for a few days, see what happens.

    Not a rootkit, just a simple hack. If you have versioned backups, go through those to see when the compromise happened and which new files were added to your box under what userid.

    For example, I can't tell if "user" is the real values above or if you are hiding some username. Find all the processes running under that userid and figure out where they are getting started. ptree might be helpful.

    When you are ready to move on, wipe the system, reinstall fresh, using more secure methods this time around. The OS on this machine can not be trusted anymore.

  4. #14
    Join Date
    Nov 2018
    Beans
    11

    Re: Do I have a rootkit?

    Thank you. Yes, "user@latop" are my real ids. I wanted something neutral.

    OK, I will go through these further checks and see what happens. I understand the best option would be to wipe the system. It's probably time to move to Ubuntu 18.04 as I was still on 16.04.

  5. #15
    Join Date
    Nov 2018
    Beans
    11

    Re: Do I have a rootkit?

    With something like this:
    Last edited by feliixx; 4 Days Ago at 03:39 PM.

  6. #16
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    15,054
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Do I have a rootkit?

    I'm on 16.04. 18.04 just isn't ready for my needs yet. Support for 16.04 has 3 more years. No hurry.

    I'm not gonna try to figure out that command. Sorry.

    Did you check the different crontab locations? There are 6+ places that a task can be started by cron or anacron.
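The /proc inspection suggested in #11 and the crontab-location check in #16, as an added example that is not part of the thread. It assumes a Linux box with /proc and a stock Ubuntu cron layout; the CRON_PATHS list and the fourth SAMPLE_PS line (the made-up parent process) are my own additions, the first three sample lines are the output posted in #12.

```shell
# Added triage helpers, not from the thread. Assumes Linux with /proc and the
# Ubuntu cron layout; CRON_PATHS and the last SAMPLE_PS line are my own.
set -u

# Places a job can be started by cron or anacron on a stock Ubuntu install.
CRON_PATHS="/etc/crontab /etc/anacrontab /etc/cron.d /etc/cron.hourly /etc/cron.daily
/etc/cron.weekly /etc/cron.monthly /var/spool/cron/crontabs /var/spool/anacron"

# Constructed sample: the three wget lines posted in #12 plus a made-up parent.
SAMPLE_PS='user     13042 13053  0 23:30 ?        00:00:00 wget -S --spider https://blogbird.000webhostapp.com/forwarder
user     13054 13053  0 23:30 ?        00:00:00 wget -S --spider https://blogbird.000webhostapp.com
user     13063 11565  2 23:30 ?        00:00:00 wget -O - https://blogbird.000webhostapp.com
user     11565 11560  0 23:29 ?        00:00:00 bash loop.sh'

# Read "ps -eaf" output on stdin; print "UID PID PPID URL" for each wget so the
# fetched hosts and the owning userid can be checked against what you expect.
wget_urls_from_ps() {
    awk '$8 ~ /(^|\/)wget$/ {
        for (i = 9; i <= NF; i++)
            if ($i ~ /^https?:\/\//) print $1, $2, $3, $i
    }'
}

# What /proc holds for one PID: full command line, parent, uid, binary, cwd.
proc_detail() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'pid=%s cmdline=' "$pid"; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    awk '/^(PPid|Uid):/' "/proc/$pid/status"
    printf 'exe=%s cwd=%s\n' "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
}

# Walk PPid up to init: shows what keeps restarting the wget loop.
proc_parent_chain() {
    pid=$1
    while [ "$pid" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
        printf '%s: ' "$pid"; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    done
}

# Existing cron locations with owner and mtime, so a recent addition stands out.
cron_locations() {
    for p in $CRON_PATHS; do [ -e "$p" ] && ls -ld "$p"; done
    return 0
}

printf '%s\n' "$SAMPLE_PS" | wget_urls_from_ps
cron_locations
```

On a live box, pipe the real `ps -eaf` into wget_urls_from_ps and then run proc_parent_chain on the PPID column to find the script that spawns the loop.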

  7. #17
    Join Date
    Nov 2018
    Beans
    11

    Re: Do I have a rootkit?

    Thanks. Anyway, I'm going to reinstall everything. Unfortunately, I'm on Kubuntu, so it is only supported for 3 years. I will check these crontabs, but I'd like to first try something with ufw before wiping the system.

    Do you have any rule to suggest to add to ufw?

    It is probably my last message here so thanks for your help!
