How to identify whether my Linux computer was hacked?

I doubt you have anything to worry about. It was more than likely a JavaScript attack that tried to do a drive by download. If you are concerned about this happening start using NoScript and AdBlock Plus Firefox Add-Ons.

Even visiting trustworthy sites you are not safe because they run JavaScript code from third-party advertisers that can be malicious.

I grabbed it and ran it in a VM. It installed mirc and this is the status log... http://pastebin.com/Mn85akMk

It is an automated attack that is trying to get you to download mIRC and join a botnet that will turn you into a spambot... It had my VM join and make a connection to a number of different remote addresses one of which is autoemail-119.west320.com.

Running it in Windows 7 I had to accept the UAC prompt and allow it access through the firewall.

There seems to be tons of reports of this exact command on other forums, and someone even says that a torrent file tried to execute it when it was finished downloading... I am not sure how that would be possible though.

I haven't used this myself, but it should be able to show you the current network connections so you can see if you are connected to something out of the norm: http://netactview.sourceforge.net/download.html


I agree with @jb48394 that it's probably a JavaScript exploit, like everything else these days.

The fact that it tried to open a cmd window (see @torbengb's comment) and run a malicious command, rather than just downloading the trojan discreetly in the background, suggests that it exploits some vulnerability in Firefox which allows it to enter key-strokes, but not run code.

This also explains why this exploit, which was clearly written exclusively for Windows, would also work in Linux: Firefox runs JavaScript the same way in all OS'es (at least, it tries to :) ). If it were caused by a buffer-overflow or similar exploit meant for Windows, it would have just crashed the program.

As for where the JavaScript code came from - probably a malicious Google advert (ads cycle in Gmail throughout the day). It wouldn't be the first time.


I found a similar attack on another Linux machine. It seems it's some kind of FTP command for Windows.