Weird SSH, Server security, I might have been hacked

I am not sure if I've been hacked or not.

I tried to log in through SSH and it wouldn't accept my password. Root login is disabled so I went to rescue and turned root login on and was able to log in as root. As root, I tried to change the password of the affected account with the same password with which I had tried to log in before, passwd replied with "password unchanged". I then changed the password to something else and was able to log in, then changed the password back to the original password and I was again able to log in.

I checked auth.log for password changes but didn't find anything useful.

I also scanned for viruses and rootkits and the server returned this:

ClamAV:

"/bin/busybox Unix.Trojan.Mirai-5607459-1 FOUND"

RKHunter:

"/usr/bin/lwp-request Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable

Warning: Suspicious file types found in /dev:"

It should be noted that my server isn't widely known. I have also changed the SSH port and enabled 2-step verification.

I am worried I got hacked and someone is trying to fool me, "everything is fine don't worry about it".


Like J Rock, I think this is a false positive. I had the same experience.

I received an alarm from 6 different, disparate, geographically separated servers in a short time span. 4 of these servers only existed on a private network. The one thing they had in common was a recent daily.cld update.

So, after checking for some of the typical heuristics of this trojan without success, I booted a vagrant box with my known clean baseline and ran freshclam. This grabbed

"daily.cld is up to date (version: 22950, sigs: 1465879, f-level: 63, builder: neo)"

A subsequent clamav /bin/busybox returned the same "/bin/busybox Unix.Trojan.Mirai-5607459-1 FOUND" alert on the original servers.

Finally, for good measure, I also did a vagrant box from Ubuntu's official box and also got the same "/bin/busybox Unix.Trojan.Mirai-5607459-1 FOUND". (Note, I had to up the memory on this vagrant box from its default 512MB or clamscan failed with 'killed'.)

Full output from fresh Ubuntu 14.04.5 vagrant box.

root@vagrant-ubuntu-trusty-64:~# freshclam
ClamAV update process started at Fri Jan 27 03:28:30 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22950, sigs: 1465879, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
root@vagrant-ubuntu-trusty-64:~# clamscan /bin/busybox
/bin/busybox: Unix.Trojan.Mirai-5607459-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5679215
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 1.84 MB
Data read: 1.83 MB (ratio 1.01:1)
Time: 7.556 sec (0 m 7 s)
root@vagrant-ubuntu-trusty-64:~#

So, I also believe this is likely to be a false positive.

I will say, rkhunter did not give me the: "/usr/bin/lwp-request Warning" reference, so maybe PhysiOS Quantum is having more than one issue.

EDIT: just noticed that I never explicitly said that all of these servers are Ubuntu 14.04. Other versions may vary?


The ClamAV signature for Unix.Trojan.Mirai-5607459-1 is definitely too broad, so it's likely a false positive, as noted by J Rock and cayleaf.

For example, any file that has all of the following properties will match the signature:

  • it's an ELF file;
  • it contains the string "watchdog" exactly twice;
  • it contains the string "/proc/self" at least once;
  • it contains the string "busybox" at least once.

(The whole signature is a bit more complicated, but the above conditions are sufficient for a match.)

For example, you can create such a file with:

$ printf '#include <stdio.h>\nint main(void) { printf("watchdog watchdog /proc/self busybox"); return 0; }\n' > innocent.c
$ gcc -o innocent innocent.c
$ clamscan --no-summary innocent
innocent: Unix.Trojan.Mirai-5607459-1 FOUND

Any busybox build (on Linux) will usually match the four properties I listed above. It's obviously an ELF file and it will definitely contain the string "busybox" many times. It executes "/proc/self/exe" to run certain applets. Finally, "watchdog" occurs twice: once as an applet name and once inside the string "/var/run/watchdog.pid".
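To make it concrete how little it takes to satisfy the four conditions listed above, here is an added Python triage helper (not part of the answer, and not ClamAV's real signature, which the answer says is more complicated). It evaluates only the four stated conditions against a file or byte string and reports each one separately, so you can see exactly which property a flagged binary shares with the signature. The sample inputs are constructed byte strings, not real binaries.

```python
"""Model of the four sufficient conditions the answer lists for
Unix.Trojan.Mirai-5607459-1. Added illustration only: it is not the real
ClamAV signature, just the conditions quoted in the answer."""
from __future__ import annotations
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def signature_conditions(data: bytes) -> dict[str, bool]:
    """Evaluate each stated condition on its own so a reviewer can see
    which ones hold for a flagged file (e.g. why busybox trips it)."""
    return {
        "is_elf": data.startswith(ELF_MAGIC),
        # bytes.count() counts non-overlapping hits; "watchdog" cannot overlap itself
        "watchdog_exactly_twice": data.count(b"watchdog") == 2,
        "has_proc_self": b"/proc/self" in data,
        "has_busybox": b"busybox" in data,
    }


def matches_listed_conditions(data: bytes) -> bool:
    """True when all four listed conditions hold (sufficient for a match)."""
    return all(signature_conditions(data).values())


def triage_file(path: str | Path) -> dict[str, bool]:
    """Run the per-condition check over a file on disk (e.g. /bin/busybox)."""
    return signature_conditions(Path(path).read_bytes())


# Constructed samples (not real binaries). The first mimics what the answer
# says a busybox build contains: an ELF header, the applet name "watchdog",
# the path "/var/run/watchdog.pid", "/proc/self/exe" and "busybox".
BENIGN_LOOKALIKE = (ELF_MAGIC + b"\x00" * 60
                    + b"watchdog\x00/var/run/watchdog.pid\x00"
                    + b"/proc/self/exe\x00busybox\x00")
# Same strings with a third "watchdog": the "exactly twice" condition fails.
THREE_WATCHDOGS = BENIGN_LOOKALIKE + b"watchdog\x00"
# All the strings but not an ELF file (a shell script), so no match.
SCRIPT = b"#!/bin/sh\n# watchdog watchdog /proc/self busybox\n"

if __name__ == "__main__":
    for name, blob in [("benign_lookalike", BENIGN_LOOKALIKE),
                       ("three_watchdogs", THREE_WATCHDOGS),
                       ("script", SCRIPT)]:
        print(name, matches_listed_conditions(blob), signature_conditions(blob))
```

Running `triage_file("/bin/busybox")` on an affected host shows which of the four properties the real binary has; a match here says nothing about compromise, only that the file shares these generic strings.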