miliassistant.blogg.se

Wipefs knoppix
Labtix comes with a number of useful tools preinstalled (partly smaller deviations between the Labtix versions possible):

A tool for configuring the screen layout. Very useful when your device has the internal monitor removed and an external display is connected.

Scans the network (please connect first) and shows e.g.

Sometimes the screen is too dark and cannot be made brighter with the keyboard (function keys). Then you can change the brightness with Backlight Brightness.

In the panel gives you information about the status of the battery when you mouse over it. The plug-in can be activated with a right mouse click and "Battery Monitor Settings", if not already done.

A tool for displaying system information on the desktop. The output window is in the upper right corner. The configuration file is in Labtix 1: /etc/conky/nf, in Labtix 2: ~/conky.rc. In Labtix 2 with even more information, such as battery status, etc.

Is the "enterprise version" of Firefox, which is not updated as often. For example, Firefox can be used during installation to research the web.

I had a similar case in a server running java/glassfish. In my case wipefs was run by /bin/wipefs and was also using 100% of my CPU. I found out that this system was compromised. What follows are the most important parts of my investigation.

A typical investigation to find out whether this is malicious code:

# man wipefs

According to its description on the man page this executable has no reason to be running, much less running for a long time and consuming a lot of CPU. And it's not at all normal to have an executable in /etc. Googling the md5 of the suspicious /bin/wipefs you get results that suggest hacking/virus.

dpkg --verify lists a few files that have been altered since installation. That is surely a sign of compromise for executables (like /bin/ss and netstat). Based on the description of ss and netstat (man ss, man netstat) it's obvious that we have malicious code here that is trying to hide itself. A note of caution here: if dpkg -V reports nothing then don't put your guard down, because it's not unlikely that the virus/hacker has taken steps to fool it.

In my case crontab had a line to run /bin/wipefs every 12 minutes.

Let's look at the strings in wipefs:

strings /bin/wipefs
Try "xmrminer --help" for more information.

So we have code for "mining various cryptocoins" here.

Before turning off the machine it's good to have a look at the process with strace (if you're comfortable with it) or look at the files in /proc/<pid>/ - at least cat cmdline and ls -la fd. In my case the latter pointed to an open log file with this content:

# head /tmp/mcalog
CMD: /bin/wipefs -B -o stratum+tcp://:8888 -u 49ijJ3HJUg1b2MGnDmnEDJWdphGzWXgtbbBENx43NJiAUZWf8cSGryiZtYVZz3dgRcZH3Leokoqqi8SfRexMW32aFfvoHBp -p x -k

Let's use this bit of info to scan our system for other files that are probably related to this malicious code:

find / -mount -type f -exec sh -c 'grep -q "\.minexmr\.\|wipefs" "{}"' \; -print
/usr/share/command-not-found/programs.d/amd64-main.db
/usr/share/locale-langpack/en_GB/LC_MESSAGES/util-linux.mo
/opt/glassfish3/glassfish/domains/domain1/applications/Sarketsdr/gety

Note this file /opt/glassfish3/glassfish/domains/domain1/applications/Sarketsdr/gety. It's probably a good indication of the open door to our system.

So now we are 100% sure we are hacked and we have these things to do: 1) if possible keep a backup of this system for investigation, if not keep as many copies of files and the output of commands as possible 2) restore backup and check if it's clean -or- re-install OS 3) find out what we can do to avoid getting hacked again (at least not in the same way :-).
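The checks from the investigation above (content scan for the pool name and wipefs, executables under /etc, cron entries running /bin/wipefs), written here as an added example that is not code from the original post. Each function takes a root directory so it can be pointed at a mounted image instead of the live system; the sample tree it builds is constructed, with placeholder pool and file names, and the script assumes POSIX sh with find -xdev and grep -E.

```shell
#!/bin/sh
# Added example: offline triage checks mirroring the post's investigation.
# All paths are relative to the root directory given as $1 (constructed data).

# Files whose content mentions the mining pool domain or the wipefs name.
find_miner_artifacts() {
    find "$1" -xdev -type f -exec grep -E -l '\.minexmr\.|wipefs' {} \; 2>/dev/null | sort
}

# Executables under /etc, which the post flags as abnormal.
find_exec_in_etc() {
    [ -d "$1/etc" ] || return 0
    find "$1/etc" -type f -perm -100 2>/dev/null | sort
}

# Cron files that invoke /bin/wipefs (crontab, cron.d and per-user spools).
find_wipefs_cron() {
    grep -rl '/bin/wipefs' "$1/etc/crontab" "$1/etc/cron.d" "$1/var/spool/cron" 2>/dev/null | sort
}

triage_report() {
    echo "== files mentioning the pool or wipefs";  find_miner_artifacts "$1"
    echo "== executables in /etc";                  find_exec_in_etc "$1"
    echo "== cron entries running /bin/wipefs";     find_wipefs_cron "$1"
}

# Constructed sample tree: placeholder pool host, no real wallet or binary.
build_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/cron.d" "$r/bin" "$r/opt/app" "$r/usr/share/doc"
    printf '*/12 * * * * root /bin/wipefs\n' > "$r/etc/cron.d/sys"
    printf "wipefs: Try 'xmrminer --help' for more information\n" > "$r/bin/wipefs"
    printf 'stratum+tcp://pool.minexmr.example:8888\n' > "$r/opt/app/gety"
    printf 'not a config file\n' > "$r/etc/stray"; chmod 755 "$r/etc/stray"
    printf 'nothing to see here\n' > "$r/usr/share/doc/README"
    echo "$r"
}

# ./triage.sh --demo runs against the sample tree; ./triage.sh /mnt/image
# runs against a mounted disk image.
case "${1:-}" in
    --demo) triage_report "$(build_sample_root)" ;;
    '') ;;
    *) triage_report "$1" ;;
esac
```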