I've unplugged the LAN cable, the loads of transmitted datas where getting sooo high

what is the top process from nethogs ??

what is the top process from nethogs ??

still /root/.local/syslogd

Install and run rkhunter?

no way this is a normal system file.

Install and run rkhunter?

what is that?

RootKit Hunter?

system files dont resides at /root/

http://www.chkrootkit.org/ is another option.

http://www.chkrootkit.org/ is another option.

I already have that

Syslogd definitely does not store it's data in anyone's home folder, not even root's.

Syslogd writes to /var/log/

still /root/.local/syslogd

could you, please, upload this file and send it to me?

RKHunter has fount 4 suspect files

could you, please, upload this file and send it to me?

OK, via private chat.

That folder .local is the XDG "standard" location for USER data files related to installed applications, but no system app like syslogd should be writing to that folder.

could you, please, upload this file and send it to me?

ahm, I have a problem. that file is disappeared

but it shows in nethogs?

but it shows in nethogs?

yes

and it isn't hidden

ok. its pid still is 16203?

ok. its pid still is 16203?

21708

That /usr/sbin/rsyslogd looks like the REAL system log daemon. The other in /root/.local looks very much like an infection to me.

cp /proc/21708/exe /tmp/strange_file

How do i get open terminal on right click ?

That /usr/sbin/rsyslogd looks like the REAL system log daemon. The other in /root/.local looks very much like an infection to me.

so there's a fake syslogd

damnit

cp /proc/21708/exe /tmp/strange_file

done

How do i get open terminal on right click ?

solved!

so there's a fake syslogd

Sure looks like it to me. I'd kill that process if you can. killall syslogd

Sure looks like it to me. I'd kill that process if you can. killall syslogd

thanks, those stopped, now i have to systemctl disable syslogd to avoid them auto-starting?

thanks, those stopped, now i have to systemctl disable syslogd to avoid them auto-starting?

oups, it doesn't exist

I'm not sure someone installing a rootkit would use the standard start methods to start it.

I'm not sure someone installing a rootkit would use the standard start methods to start it.

right, right, right.

You do need to find out how it's starting and disable that, though, for sure, assuming it is an infection like it appears to be.

done

ok, could you send strange_file to me?

ok, could you send strange_file to me?

sure, just a sec

May I have a copy, also? Would love to find out what you got there. :)

so, can I send it here?

Maybe send it here, wait a moment for those who want it to download it, then delete that message so that nobody gets it accidentally?

Maybe send it here, wait a moment for those who want it to download it, then delete that message so that nobody gets it accidentally?

ok, i will

Nobody download this file Michael is about to send unless you know how to quarantine possibly malicious software, K? ;)

here it is (loading...)

ahm, something is still uploading loads of data, damnit

Did the process restart itself?

Did the process restart itself?

yep .-.

Yea, it's looking more and more like a virus or other evil thing. "This file is packed with the UPX executable packer" ← It's a 32 bit executable file it would appear.

I'm deleting the file now, from the chat

Yea, it's looking more and more like a virus or other evil thing. "This file is packed with the UPX executable packer" ← It's a 32 bit executable file it would appear.

oh..

Still looking it over. Not sure what it is yet, but if I can't figure it out, I may try it out in a virtual machine later.

If I were you, I would nuke this installation and do a clean install.

If I were you, I would nuke this installation and do a clean install.

damn, I have all my programs here, and my customizations.. :c

that stupid syslogd is re-making himself everywhere, now it is in /home/mmessaggi/.local/syslogd

Yea, I agree with J. If you must, boot from a LiveCD and rescue your non-executable data and config files, and quarantine any executable stuff you need to rescue then do a clean install.

What's the difference in bashrc in home and bashrc in /etc

?

"upx: strange_file: CantUnpackException: header corrupted 2" ← Strange file for sure.

What's the difference in bashrc in home and bashrc in /etc

bashrc in home overrides settings in the /etc/bashrc (systemwide) for a single user (the one who's home it's in). It's for user customization of personal bash preferences and shell variables.

? Thanks

? Thanks

Welcome. :)

what the-..

Evil!

ERROR: S client not available

Botnet node?

J. Neto: You testing that in a VM there? That was gonna be my next test.

Botnet node?

dont know.

Botnet node?

so maybe that's why my poor i7-6700 gets with 100% on all the 8vCore in idle?

J. Neto: You testing that in a VM there? That was gonna be my next test.

yes. a disconnected VM.

yes. a disconnected VM.

Right on. Saves me from spinning one up. So it IS indeed something sinister then. Good to know. :)

but you could branch your own investigation. I am no security expert, just curious. :)

ClamAV doesn't see it as malicious, but that's probably because it's obscured by the compression. :(

I'm no expert, either, but I've studied network security in my spare time out of curiosity for a while now, so I know how to stay safe while playin' with this kinda stuff. Pretty dickish move to put stuff like this out there, for sure.

Glad you caught it, Michael. It's probably either a spam-bot or a DDOS bot.

Glad you caught it, Michael. It's probably either a spam-bot or a DDOS bot.

but it resists to my killall, that stupid program .-.

killall -9 syslogd even? (Force kill?)

The -9 puts a little extra "oomph" behind the kill.

killall -9 syslogd even? (Force kill?)

nothing, it's working as root

Yea, the killall has to be given as root, too.

Yea, the killall has to be given as root, too.

yep, I did, but it doesn't work

Brutal. Yea, it's an evil thing then. You'll have to boot up a LiveCD to clean it, I suspect. Only way to be REALLY certain though, is a clean install.

Brutal. Yea, it's an evil thing then. You'll have to boot up a LiveCD to clean it, I suspect. Only way to be REALLY certain though, is a clean install.

ok, i will, so.. thanks for trying to help me..

Sorry you got a nasty like that, but glad you caught it. Might be good to find out where it came from if you can, so you don't get re-infected on the new clean setup.

If you ran any software from any unusual sources, that'd likely be a first suspect.

Yeah, that's way too many syslogd processes to be the real deal, and syslogd isn't the default on many distros these days, anyhow. rsyslogd is.

Nice work testing this evil beast. I'ma go ahead and keep a copy of this thing archived so I can wireshark it later. Find out more about it. :)

it looks for lua and related libs (http, crypto, torrent). I'll send the strace log.

welcome!

it looks for lua and related libs (http, crypto, torrent). I'll send the strace log.

Wow! Evil. So it sounds like it's setting up shop in any system it gets into.

I'm using my dad's Fedora laptop tu write a LiveUSB, my old one is destroyed, rip it.

Nice work testing this evil beast. I'ma go ahead and keep a copy of this thing archived so I can wireshark it later. Find out more about it. :)

nice. keep me informed of your findings.

Wow! Evil. So it sounds like it's setting up shop in any system it gets into.

maybe it went on my system because I have public static IP enabled..

Nice work testing this evil beast. I'ma go ahead and keep a copy of this thing archived so I can wireshark it later. Find out more about it. :)

What's that?

maybe it went on my system because I have public static IP enabled..

If it's not well secured at the outside (firewalled properly) then it *could* be one way something like that could get in, yea. Especially if you're running any open services which may have unpatched vulnerabilities.