Is this an infection?

Discussion in 'malware problems & news' started by Ulysses_, Feb 28, 2012.

Thread Status:
Not open for further replies.
  1. Ulysses_
    Offline

    Ulysses_ Registered Member

    ADSL router set up to send an email every time it detects something suspicious AND blocks it. Emails like the following examples are sent very often:

    Message: TCP FIN Scan
    Source: 209.85.148.132, 80
    Destination:192.168.2.7, 1694 (from PPPoE1 Inbound)

    Message: Smurf
    Source: 192.168.0.255
    Destination:192.168.0.22, Type:3, Code:3 (from PPPoE1 Outbound)

    Message: Full Spau Scan
    Source: 118.122.188.27, 0
    Destination:178.128.96.66, 0 (from PPPoE1 Inbound)

    Message: Vecna Scan
    Source: 192.168.2.2, 41262
    Destination:46.137.134.188, 8080 (from PPPoE1 Outbound)

    Message: TCP Null Scan
    Source: 85.25.109.38, 0
    Destination:46.246.176.96, 0 (from PPPoE1 Inbound)

    Message: SYN Flood to Host
    Source: 192.168.2.7, 1520
    Destination:209.85.148.101, 80 (from PPPoE1 Outbound)

    Message: UDP Flood to Host
    Source: 46.246.248.12, 32768
    Destination:4.2.2.4, 53 (from PPPoE1 Outbound)

    Is this a sign of infection? Only using linux.
  2. Cudni
    Offline

    Cudni Global Moderator

    It doesn't look like one
  3. Ulysses_
    Offline

    Ulysses_ Registered Member

    What does the first email mean? Is my PC scanning a site or a site scanning my PC? Why?
  4. BrandiCandi
    Offline

    BrandiCandi Guest

    The first one-
    What that looks like to me: your router blocked a packet that was sent from port 80 on IP 209.85.148.132 . The blocked recipient was port 1694 on IP 192.168.2.7. Your router decided that this packet matched the rules for TCP FIN scans.

    In general, it is common for attackers to run automated scans of any device accessible from the internet looking for vulnerable machines. Your firewall blocked it so it's working the way it should.

    This is a link describing what a TCP FIN scan is.
    http://lab.gsi.dit.upm.es/semanticwiki/index.php/TCP_FIN_scan

    This is a description of port scans in general:
    http://en.wikipedia.org/wiki/Port_scanner
  5. Ulysses_
    Offline

    Ulysses_ Registered Member

    Thanks. Therefore the following where the source and destination are the other way round means that the attacker is running an executable in my computer that is trying to send packets to the outside world?

    Message: Vecna Scan
    Source: 192.168.2.2, 41262
    Destination:46.137.134.188, 8080 (from PPPoE1 Outbound)
  6. Ulysses_
    Offline

    Ulysses_ Registered Member

    PS This is a linux machine, is it that easy to run a malicious executable in it without my consent?
  7. hogndog
    Offline

    hogndog Registered Member

    Open your Software Manager or the Synaptic Package Manager and look for this application,
    this will explain what ClamAV is for Linux.. ;)

    http://clamtk.sourceforge.net/

    Hope this helps..
    Hogndog
  8. Ulysses_
    Offline

    Ulysses_ Registered Member

    That's disappointing, I have bad experience from antivirus software on windows. They distract you, take resources, slow you down and are hopeless against zero-day threats.

    The only way to find out if there is an infection is by installing antivirus software?
  9. BrandiCandi
    Offline

    BrandiCandi Guest

    AVs on Linux will nearly all scan for Windows viruses. This can be useful on networks that contain both Linux and Windows boxes, or networks with Windows servers. Linux users sometimes scan email and docs that are shared with Windows users so as not to spread viruses. But AVs on Linux are kind of worthless in detecting Linux viruses because no one knows of any out there.

    No, AV software isn't the only way to find a compromise in Linux. Your best bet is to look at your logs for suspicious activity, such as:

    - empty logs or time missing from logs. It's common for attackers to erase logs because they want to erase their tracks.

    - incorrect time stamps- attackers also copy and paste logs to erase the part that shows their activity. If the times are inconsistent that can indicate compromise.

    - in auth logs, look for authorizations during times you know you were logged out or from new users. You may also see tons of failed login attempts which would indicate brute force attack. Look for extra/new user accounts that you didn't set up. (well I'm assuming you're not running as root. If you are... hmm. Don't know what to tell you)

    - in sys logs, look for seg faults. A seg fault doesn't necessarily indicate compromise, but if you see it along with other suspicious stuff then you're probably compromised.

    - are you running a firewall on Linux (separate from the router firewall)? If so, look at the firewall logs for frequent connections to unregistered ports

    - You can check network traffic. You didn't say which distro you're using, but I think most Linux distros have netstat. (check the man page for netstat if you're not familiar with it) Look at the listening ports & established connections. Google ports & services that looks suspicious. For example if you see an ssh connection but you didn't connect to any remote server yourself, then you've been compromised.

    - list your cron jobs & look for any that are suspicious. Again you can google anything that looks weird.

    - run rootkit hunter. I think this needs a solid baseline otherwise you might get false positives. So unless you already installed rkhunter when you knew your computer was clean, this may not help you now. Look to install & run it after you know you're clean.

    There are other signs of compromise, but that's a good start.

    If you're not sure or you're just not going to sleep until you've gotten it sorted out, then consider reinstalling. I'm assuming you've got your data backed up. If not, you may want to do that now.
    Last edited by a moderator: Mar 6, 2012
  10. Ulysses_
    Offline

    Ulysses_ Registered Member

    Before going into this comprehensive procedure (thanks BrandiCandi), is the evidence already available in the messages from the router's intrusion detection as listed in the OP, and especially this one that proves my computer is sending packets to scan a site?

    Message: Vecna Scan
    Source: 192.168.2.2, 41262
    Destination:46.137.134.188, 8080 (from PPPoE1 Outbound)
  11. Ulysses_
    Offline

    Ulysses_ Registered Member

    Crucially, it would be much much better not to get infected in the first place. Is this hopeless?
  12. BrandiCandi
    Offline

    BrandiCandi Guest

    Well yeah. In that sense I suppose you can implement some new security moving forward based on what you learn from this incident.

    The first rule of incident response is DON'T PANIC. I've been there myself and I utterly failed to remain calm. But you'll get through this. Panic will only lead you to rash decisions that may or may not make things worse.

    Honestly I can't tell you that I can answer your question about the outbound traffic. I'm googling it right now, I'm interested to know as well. I'll post back whatever I find.
  13. BrandiCandi
    Offline

    BrandiCandi Guest

    Are you using wine?
  14. BrandiCandi
    Offline

    BrandiCandi Guest

    OK, here's what I've got. A Vecna Scan is simply a type of nmap scan which is used to look for open ports & vulnerable services.
    The source is one of your machines. It used an unassigned port (41262).
    The Destination is an IP that comes back as Amazon Web Services, Elastic Compute Cloud in Ireland. Port 8080 is an alternate port for HTTP (your basic internet traffic).

    Do you use a Cloud service (data backups? cloud music player for android or the computer)? Maybe you've got a kindle that you've synced on this computer?

    If not, I'm at a loss and i would recommend you look at a few logs.
  15. Ulysses_
    Offline

    Ulysses_ Registered Member

    None of these.

    Yes, occasionally. Every time an email came from the adsl router's intrusion detection system I checked the date and time and it was never at the same time as wine was used.

    All emails from the router were dated at a time when firefox was being used. I thought it was the fault of firefox and the distro (vectorlinux 6), so upgraded to the peppermint two distro, and some emails were still sent, again dated when the browser was used.
  16. BrandiCandi
    Offline

    BrandiCandi Guest

    Aha. It's my understanding that if you use wine, it is possible for Windows malware to execute on a Linux box. A lot of people think that Linux is immune to Windows malware, and it is for the most part. But wine makes a few more things possible. I don't know how to confine wine to prevent it. (FWIW I dual boot & run windows in virtual machines to use windows apps because I know how to secure those, don't know if those options work for you)

    In my very limited experience, there is no one-step way to positively identify a Linux box compromise. I suppose if you find an entry that's really obvious then you can (like if you have a new user called "blackhatbadboy"). But to get positive confirmation that you're owned, then you just have to do some digging in your logs. I don't know of any tools to automatically find a Linux compromise beyond clamav (or some other virus program), chkrootkit and rkhunter. Those are worth running but they have limitations as I mentioned previously.

    Remember, you can always reinstall the OS if you want to be as certain as you can get that you're no longer infected.
  17. Ulysses_
    Offline

    Ulysses_ Registered Member

    I do something easier than reinstalling. I install linux in a virtual machine and dispose of the VM if it seems infected. Done that many times, it's instant, you just wait for the copy of the raw VM to finish. But still infections appear later when the browser is used. :'(

    Biggest worry is keyloggers being installed. Number two worry is man-in-the-middle intercepting of the browser's SSL sessions, as well as thunderbird's email client SSL sessions. I think both have been done on me because I have been a bit of an activist in the past.

    You know any countermeasures for these two threats?
  18. BrandiCandi
    Offline

    BrandiCandi Guest

    Hmm. Everything I said may be completely irrelevant. My understanding was that you were running Linux (peppermint) on bare metal.

    So what exactly is the host OS? Windows?

    And Linux is in a guest VM? And you occasionally run wine in it?
  19. Ulysses_
    Offline

    Ulysses_ Registered Member

    Host OS is peppermint with networking blocked (gufw firewall set to block both incoming and outgoing connections).

    Guest is peppermint connecting to the adsl router through the bridged networking driver provided by vmware.

    Wine is only run on the guest and only occasionally, and as I said wine was NOT run at the time the intrusion-related emails were generated.
  20. Ulysses_
    Offline

    Ulysses_ Registered Member

    There is also a separate VM devoted to emails, with mint as the guest OS. And yet another VM devoted to p2p downloading, with tinycore as the guest OS. But the VM that always gets infected is the browser VM above.
  21. BrandiCandi
    Offline

    BrandiCandi Guest

    OK, that is more clear now. And my previous notes on reading logs still stand.

    So the VM that runs peppermint is the one that you use for browsing, and it "always gets infected"? I would suggest looking at what you're doing to figure out what's getting you infected, then either quit doing that or find a way to confine it. And you don't do much of anything with the host OS seeing as how all connections are blocked, right?

    I guess I don't understand because it seems pretty simple to me. Why don't you just revert back to a snapshot after every use?
  22. Ulysses_
    Offline

    Ulysses_ Registered Member

    Of course, the host is only for word processing, video encoding, little programming projects, and nothing that requires networking.

    Because in the free version of vmware, ie vmware player, snapshots are not available. Only non-persistent disks are available which I tried using for a while and regretted it. Don't want to shut down at the end of every browsing session and boot up before the beginning of the next session because there may be bookmarks to save and downloads to copy across to the host before shutting down which loses everything. And sometimes the browser VM gets very unresponsive to the point of forcing you to shut down and therefore lose changes made. All this trouble is prevented with regular virtual disks that keep the changes and if you dispose the VM only when you want to, not when you are forced to abruptly.

    By the way, it only takes one incident of keylogger malware for passwords to be secretly stolen, and only one incident of mitm for your banking password to be stolen. So prevention is much more appreciated than removal of malware.
    Last edited: Mar 8, 2012
  23. BrandiCandi
    Offline

    BrandiCandi Guest

    I didn't know that about the free version of vmware, seems rather limiting. I don't like vmware myself, I find virtualbox easier to configure. That's free & you can take all the snapshots your hard drive can hold.

    I think we have migrated from the original question of "was I hacked" into a whole separate issue of the best security approach for your needs, which is fine but I just want to be clear.

    To wrap up the 'was I hacked' bit, IMO the only way to answer that is to look at the logs on the VM that you think got cracked. If you're still not certain I would just rebuild the VM from the original ISO and then change the passwords on any accounts you think were affected.

    Now onto the best security approach. I've included a lot of links, I don't know what you are aware of already.

    Your approach of using a different VM for each application is something I haven't seen. It could probably be successful with the right tweaking. If the OS you use for browsing is always getting hacked then you need to harden it. IMO the most important piece you're missing is blocking scripts & ads in the browser. The attacks you cited (except MITM) occur inside the browser. If you only allow scripts to run on trusted pages then it's a lot harder for anyone to hijack your creds. You didn't mention which browser you use, but chrome has NotScript and Firefox has NoScript, I'm sure Opera & the others have versions as well.

    MITM happens when you connect to the internet. Are you connecting to a router at home or public wifi? If you're at home, then as long as you set up your wifi with decent security I don't see MITM being much of an issue. If you're on public wifi doing banking then you need to secure shell (ssh) or virtual private network (VPN) (or even vpn over ssh) to an off-site computer & browse on it remotely.
  24. Ulysses_
    Offline

    Ulysses_ Registered Member

    Thanks, this is a lot of useful info. The frustrating thing is I need the scripts enabled in some sites, already have NoScript on firefox but I end up disabling its protection on some sites otherwise significant features of those sites are missing. If a site is malicious, it might as well force you to enable scripts this way.

    Getting off-topic though. Check out my thread on mitm countermeasures.
    Last edited: Mar 9, 2012
  25. BrandiCandi
    Offline

    BrandiCandi Guest

    the mitm thread is interesting, I'll have to check it out.

    I hope you mean you're enabling scripts, you're not just turning NoScripts off. I block scripts on all web pages. If a website is broken by that, then I temporarily allow one script at a time. As soon as it functions well enough then I quit allowing scripts. Even if you "temporarily allow all this page" you're not really allowing every single scripts.

    Do you use a new browser for each website you're visiting? Might be worth considering. Don't surf on one page all day, visiting tons of websites. Use something like bleachbits to erase everything. When you log out of wilders, close the browser (which you should configure to erase all history anyway) & bleachbits will run. Then open a new browser for the next website. If your browser gets cracked then at least they'll only get your creds for the one site you're visiting.

    But seriously, if your browser is getting cracked even when you're running NoScripts, then you are visiting some righteously malicious websites. The easiest solution for that is also the solution you probably won't like: quit going there.
Thread Status:
Not open for further replies.