Oh oh - seems my Gentoo's been ransomwared!! Oh No!

[eohrnberger]

Now this is really troubling. Seems that my Gentoo system has been ransomwared.

So, yeah, I'm looking for some pointer as to how to detect where it's sitting, and eradicate it.

Came home from work yesterday, logged into my Gentoo machine and was greeted with this message:

[Schnulli]

Well, nearly same trouble here.....
YOU ARE HACKED !
Kick adobe-flash and take care what Websites you visit ^^
rkhunter and sharp firewall rules are usefull as well.
The firewall rules aoso should disable some outgoing ports whom arent used usually......
i disallowed all and only http, imap, ssh and ftp outgoing is allowed here, they hate it ^^
if destination port = 80 and so on allow and so on
I am trying to figure it since weeks out....
I gave up and installed on another drive a fresh Gentoo....
safed me alot greay hairs

Listen, you are not the only one who got hacked ^^
You can do also this.. safe your whole drive and send it to a Cybercrime Dapartment.... they will love to read out who and from where it was.....
Its well know that Gentoo is beeing attacked since a while also.... so take care and shutdown or lock your comp, shutdown net, when not at it

Regards

[eccerr0r]

It would be interesting on how they got in, but you do have a mess on your hands.

I'm not sure if python is your culprit program, it may just be the python interpreter which normally shows up whenever a python script is running - though it's still good to suspect that they are or have been trojaned. At this point you should assume everything is compromised and start a fresh build, copying the important stuff over. Especially when root has been compromised, this is the only way to safely eradicate this.

Note that you probably cannot run emerge, equery, etc. if you disabled python as they too require python. Equery is a good script to use as you can use it to check the integrity of files (provided the hacker did not muck with the checksums) -

# equery check packagename

and start from those files that fail checksum. Again, since they got root, these checksums may no longer be trustable.

Though adobe-flash is definitely an intrusion risk, unless they only took over your user account, it would be extremely unlikely they could take over root. My guess is it's one of those semi-recent bugs like shellshock or perhaps just those pesky bruteforce attacks that got your machines.

If you're not too embarrassed about it, curious how often/when was the last time the box was (completely) updated, along with which kernel you're using (like if you were vulnerable to dirtyc0w)? This would perhaps give some clues on what packages were used to exploit your box.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Schnulli]

hi eccerr0r

they use python and crash it locally later.... they also load code from external....
remember the DNS Problem when infected years ago.. seems to me the same weird idea is behind maybe same guys
whole portage is trash than.... and they try to redirect to "somewhere"

nothing new that they attac Gentoo too lately.....
Be warned with Adobe-Flash the the first Door they use..... Wrong permissions and the "got ya"

seemed to me that also some layman repos got infected as well....
Who?? no idea still.....
I´ll setup a transparent bridge in a few an log the whole traffic to figure out

[eccerr0r]

Well we don't know if this is Gentoo specific or any Linux could have been vulnerable.

I'm not surprised they had a "intrusion intrusion detector" and crash your box when you find out that you've been exploited and try to fix your machine. Best thing to do when dealing with this kind of stuff is disconnect the network, cold reboot off a livecd and and go from there.

I'll knock on wood that I haven't seen any adobe-flash exploits on my box yet...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[eohrnberger]

Yeah, I'm guilty of running FireFox as root. Shame on me - I should have known better.

Well, pretty much flushed everything in the home directory, .mozilla, etc. figuring that it's not that important, and is already encrypted, so . . what am I going to do with it anyway?

Been thinking should be a list of file mtimes and see what's changed on the system as of a few days ago. See if that leads me to anything suspicious, although, that can easily programmatically be set backwards to any time desired. Still, you never know.

The Good News:
All the real important data is safe, as I'm using zfs, and have a grand-father-father-son snapshot script in cron (hourly, daily, weekly, monthly), and only very few files seem to have been encrypted, based on the ".enc" in the filename. If I find others, I have a year's worth of snapshots to restore from. Makes me think I need to learn how to configure a gentoo that uses zfs for the root file system as well. Been meaning to, just haven't had the time, because Gentoo just runs so reliably.

I have it's sister server (same patch config and software load), which appears to be non-infected, so I can clone that system disk and recover pretty quick, with some conf files I have in version control. Couple of hours I figure.

Interesting to note that another system, also a sister, seems to have caught the same, and I can't recall ever having run anything but VirtualBox VMs on that one, it's turned off right now until I figure out a recovery plan, so at least 2 systems to recover, and have one clean one to do so from.

The infected systems are internal systems, only access to the Internet is through a firewall, and yes, minimal ports open on the Linux firewall machine, and also an ssh port knocking log scan that injects an iptables drop for offending IPs (think a primitive fail2ban shell script).

So maybe not all that bad. Not sure as to the next step forward, but I appreciate the contribution and ideas.

Yeah, I know that the python interpreter is probably just running some code downloaded off of the Internet, and probably isn't a replaced binary, but that code that download the encrypter, that has to live someplace, if it's going to survive between reboots. Tracking that one down. Hmm.

Really sad to learn that there are Gentoo specific attackers. What'd Gentoo ever do to them? Guess there's no figuring some people out.

[eccerr0r]

Yeah shame shame, dont firefox as root.

However if it really is adobe-flash as the vector, this would not be Gentoo specific and would equally infect Ubuntu, Fedora, etc. -- but I don't know, is it really adobe-flash? Then again I don't know how pervasive firefoxing as root is...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[eohrnberger]

Well, the message is coming from the /etc/motd file. That's simple stuff.

[eccerr0r]

Now what else did they edit to keep them in the machine?

Did they ssh in?

I wonder if they were using a python script to encrypt your files instead of some compiled binary, that could slow down the encryption to reduce the amount of damage done... ha.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[eohrnberger]

[NeddySeagoon]

eohrnberger,

/etc/motd can only be edited by root. That means that they got root.
You can't clean that up, its a reinstall.

Either they gained access to root directly or broke in as another user and ran a privilege escalation exploit to gain root.
It doesn't matter much. Its a reinstall either way.

If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that's where the interesting stuff will be.

A few of these ransomware attacks have known decryption methods. If you are lucky, you might get the data back.
You can't salvage the install though.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[cboldt]

The attack isn't Gentoo specific. The exploit works against many distros.

I'm curious about the vector too, how they malicious code made its way onto your system. One of the remarks here has me working to regulate outgoing IP traffic - heretofore, I'd been concerned about incoming, but not outgoing. But I can see where closing off outgoing ports might stifle an attack.

On that front, I'm stuck at ftp, which includes outgoing NEW packets aimed at random, unprivileged ports.

[NeddySeagoon]

cboldt,

It helps to stop evil intruders phoning home if they do get in.
My firewall drops unwanted incoming packets and denies unwanted outgoing packets.
You need the logs to know what to allow out :)

I use shorewall and shorewall6 with similar rule sets.

For ftp, which is horribly insecure, you need to use passive mode.
sftp is preferred.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[eohrnberger]

[jonathan183]

It is worth trying to work out how you were compromised, a fresh install with identical configuration and use will probably have similar results in future ... surfing the net as root is not wise ... but you already know that
Knowing what binaries/logs were attacked would also be useful.

Was ssh open to the net with password access or key based?

[NeddySeagoon]

eohrnberger,

Is your normal user in the disk group?
That's a very bad thing. It gives the user raw access to the block devices, so they can do what they want, avoiding filesystem restrictions.

[eohrnberger]

[NeddySeagoon]

eohrnberger,

The block device node is correct. What does groups say for your normal user?

[eohrnberger]

[NeddySeagoon]

eohrnberger,

[cboldt]

[szatox]

[cboldt]

[Tony0945]

[eohrnberger]