
Possible infection of Linux.BtcMine.174

asked 2018-11-26 14:52:28 -0600

B4lder

Any users found Linux.BtcMine.174 on their system? I got infected, but removed it by the use of Comodo. Where the h* did it come from, which repo?


Comments


What Fedora version are you running? What is your kernel version? Can you provide a list of repositories you have installed?

aeperezt ( 2018-11-26 20:29:08 -0600 )

Yeah sure. And the vector of this formidable, almost superhuman script is?

ed209 ( 2018-11-26 20:37:01 -0600 )

Fedora 29 workstation :)

B4lder ( 2018-11-27 13:16:01 -0600 )

That proves you're trolling.

ed209 ( 2018-11-27 13:48:07 -0600 )

Well, since you have Fedora 29, you may get the file but nothing else happens, as this particular Trojan uses the DirtyCow security issue to escalate and get privileges. DirtyCow was patched on Fedora 10; it could get privilege. You should not install software from unreliable sources; use or try to use official repositories. More information in this previous answer.

aeperezt ( 2018-11-27 14:03:52 -0600 )

3 Answers


answered 2018-11-26 21:17:07 -0600

davidva

A crypto trojan with DDoS attacks? Touching the kernel... It's bad! Did you install a bundled binary, script, flatpak? Because an rpm is difficult to hide a trojan in... Avoid installing/opening from untrusted sources...

Here is some news about the trojan from the next hours...

https://brica.de/alerts/alert/public/...

https://thebitcoinnews.com/linux-btcm...

https://securityaffairs.co/wordpress/...


Comments

Yep, I will avoid that, my bad. The culprit was most likely Kismet, but not from GitHub... Thanks

B4lder ( 2018-11-27 13:20:31 -0600 )

answered 2018-11-26 20:29:18 -0600

Panther

What makes you think you got this from the fedora repos?

To see if a particular file is provided by a package in the repos, use the provides option with dnf:

sudo dnf provides \*/Linux.BtcMine.174ee

See https://ask.fedoraproject.org/en/ques...

And

https://dnf.readthedocs.io/en/latest/... for details and additional dnf features including search options and history.

As far as that file see https://sensorstechforum.com/cve-2013...

https://access.redhat.com/security/cv...

https://access.redhat.com/security/cv...

I am not sure from what you posted how you were affected by this, but the fedora repos are probably not the source.


Comments

Probably from Kismet, thanks for great answer! See answer further down.

B4lder ( 2018-11-27 13:17:54 -0600 )
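Building on the `dnf provides` check in the answer above, here is an added example (not code from this thread, nor Fedora's own tooling) that turns the question "which repo did this come from?" into a small triage script. Given a path, it asks the RPM database whether an installed package owns the file (`rpm -qf`), verifies that package's files against their manifest if so (`rpm -V`), and otherwise asks the enabled repositories whether any of them ship that path (`dnf provides`). A file that no package owns and no repo provides came from outside dnf entirely, which is the situation the thread ends up at. The two parsing functions are pure text functions, so they are exercised on constructed sample output (package and path names are made up) and run without rpm or dnf present; only `check_path` needs the live tools.

```shell
#!/bin/sh
# Added example, not code from this thread. Triage a suspect file on a
# Fedora/RHEL host: ask the RPM database who owns it, verify the owning
# package if there is one, and otherwise ask the enabled repos (dnf provides)
# whether any of them ship such a path. Assumes `rpm` and `dnf` exist for the
# live check; the two parsers are pure text functions demonstrated below on
# constructed sample output, so they run without either tool.

# classify_owner STATUS OUTPUT
# Maps the exit status and text of `rpm -qf PATH` to one of:
#   packaged:<nevra>  an installed package owns the file
#   unpackaged        the file exists but no installed package owns it
#   missing           the path does not exist
#   unknown           anything else (show the raw output to a human)
classify_owner() {
    status=$1
    output=$2
    case $output in
        *"is not owned by any package"*) echo unpackaged; return 0 ;;
        *"No such file or directory"*)   echo missing;    return 0 ;;
    esac
    if [ "$status" -eq 0 ]; then
        # rpm -qf prints one NEVRA per line; the first is enough here
        echo "packaged:$(printf '%s\n' "$output" | head -n 1)"
    else
        echo unknown
    fi
}

# repos_from_provides OUTPUT
# Pulls the repository names out of `dnf provides` text, one per line,
# deduplicated. "@System" means the match is an already-installed package.
repos_from_provides() {
    printf '%s\n' "$1" \
        | sed -n 's/^Repo[[:space:]]*:[[:space:]]*//p' \
        | LC_ALL=C sort -u
}

# check_path PATH: the live check (needs rpm and dnf)
check_path() {
    path=$1
    out=$(rpm -qf -- "$path" 2>&1)
    verdict=$(classify_owner "$?" "$out")
    echo "$path -> $verdict"
    case $verdict in
        packaged:*)
            # rpm -V lists files whose size (S), digest (5), mode (M) etc.
            # no longer match the package manifest; silence means unchanged
            rpm -V "${verdict#packaged:}" | grep -F -- "$path" \
                || echo "    verified: matches installed package"
            ;;
        unpackaged)
            repos=$(repos_from_provides "$(dnf -q provides "$path" 2>/dev/null)")
            if [ -n "$repos" ]; then
                echo "$repos" | sed 's/^/    shipped by repo: /'
            else
                echo "    not shipped by any enabled repo: came from outside dnf"
            fi
            ;;
    esac
}

# With arguments, run the live check on each path; without, demonstrate the
# parsers on constructed sample output (package and path names are made up).
if [ "$#" -gt 0 ]; then
    for p in "$@"; do check_path "$p"; done
else
    classify_owner 0 'example-pkg-1.0-1.fc29.x86_64'
    classify_owner 1 'file /opt/example/bin/example is not owned by any package'
    repos_from_provides 'example-pkg-1.0-1.fc29.x86_64 : Example package
Repo        : @System
Matched from:
Filename    : /usr/bin/example
example-pkg-1.0-1.fc29.x86_64 : Example package
Repo        : fedora
Matched from:
Filename    : /usr/bin/example'
fi
```

Run it as `sh triage.sh /path/to/suspect/file` on the affected host. A `packaged:` verdict with no `rpm -V` lines means the file is exactly what the repo shipped; a `packaged:` verdict followed by a line starting with `5` or `S` means an installed package's file was altered after installation, which is worth far more attention than an unpackaged stray binary.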

answered 2018-11-27 13:14:50 -0600

B4lder

I ran " sudo dnf provides */Linux.BtcMine.174ee ". No hits. But... snapd could be it... But no. Kismet most likely, because it will no longer load... after Comodo identified it, cleaned it, and removed its directories. Kismet not installed from repo, of course. Bye Kismet!

I was probably not too affected, since my box is a laptop and not a server, but I got a heads-up on the malware from a company I used to work for. Since I hate malware on my computer I run GNU/Linux on 3 out of 4 laptops ;) Hence I checked. I just don't like other ppl using my computer. Without my knowledge.

Just a huge wake-up call for me, who was more or less relaxed about malware on GNU/Linux; this one got me! Big time. Anyway, thanks for tips and help. And good hunting, stay safe.

B4lder


Comments


Why did you install it not from Fedora repo in the first place? https://apps.fedoraproject.org/packag...

It would also be good if you reported or warned others about the source through which you were infected.

ozeszty ( 2018-11-27 13:49:02 -0600 )


Asked: 2018-11-26 14:50:16 -0600

Seen: 330 times

Last updated: Nov 27