Possible virus on my B3

PartyShades
Posts: 2
Joined: 17 Apr 2015, 13:07

Possible virus on my B3

Post by PartyShades » 17 Apr 2015, 14:13

I got a call from my ISP today telling me that there has been some attack and also some spam activity from my IP address. I was told that the attack from my IP happened April 15th 12.27.

I'm totally inexperienced with Linux and I'm sorry for the lack of information. I checked different logs from the browser view, but had no idea what to look for. I tried to find something with that time stamp, but couldn't find anything.

Mail.log shows some activity, though I haven't used mail at all.

Apr 14 03:15:49 b3 postfix/master[1694]: reload -- version 2.7.1, configuration /etc/postfix
Apr 14 03:16:21 b3 postfix/master[1694]: reload -- version 2.7.1, configuration /etc/postfix
Apr 14 21:24:51 b3 dovecot: dovecot: Killed with signal 15 (by pid=16825 uid=0 code=kill)
Apr 14 21:24:52 b3 postfix/master[1694]: terminating on signal 15
Apr 14 21:25:54 b3 dovecot: Dovecot v1.2.15 starting up (core dumps disabled)
Apr 14 21:25:58 b3 postfix/master[1658]: daemon started -- version 2.7.1, configuration /etc/postfix
Apr 14 21:26:01 b3 postfix/master[1658]: reload -- version 2.7.1, configuration /etc/postfix
Apr 15 17:09:15 b3 postfix/master[1658]: reload -- version 2.7.1, configuration /etc/postfix
Apr 15 17:09:49 b3 postfix/master[1658]: reload -- version 2.7.1, configuration /etc/postfix
Apr 15 20:47:13 b3 dovecot: Killed with signal 15 (by pid=7028 uid=0 code=kill)
Apr 15 20:47:15 b3 postfix/master[1658]: terminating on signal 15
Apr 15 20:48:06 b3 dovecot: Dovecot v1.2.15 starting up (core dumps disabled)
Apr 15 20:48:10 b3 postfix/master[1656]: daemon started -- version 2.7.1, configuration /etc/postfix
Apr 15 20:48:13 b3 postfix/master[1656]: reload -- version 2.7.1, configuration /etc/postfix
Apr 17 19:07:40 b3 dovecot: Killed with signal 15 (by pid=14854 uid=0 code=kill)
Apr 17 19:07:41 b3 postfix/master[1656]: terminating on signal 15
Apr 17 19:08:22 b3 dovecot: Dovecot v1.2.15 starting up (core dumps disabled)
Apr 17 19:08:26 b3 postfix/master[1660]: daemon started -- version 2.7.1, configuration /etc/postfix
Apr 17 19:08:31 b3 postfix/master[1660]: reload -- version 2.7.1, configuration /etc/postfix

On the error log there are these kinds of events:

[Tue Apr 14 21:24:52 2015] [notice] caught SIGTERM, shutting down
[Tue Apr 14 21:25:47 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Apr 14 21:25:47 2015] [notice] FastCGI: process manager initialized (pid 1126)
[Tue Apr 14 21:25:53 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Apr 14 21:25:53 2015] [notice] Apache/2.2.16 (Debian) mod_fastcgi/2.4.6 PHP/5.3.3-7+squeeze4ex1 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8o configured -- resuming normal operations

What logs should I check, and what kind of activity should I look for there to find out if there is something wrong?

Any and all help is much appreciated. Thank you in advance.

Stryker
Posts: 55
Joined: 17 Oct 2013, 11:03

Re: Possible virus on my B3

Post by Stryker » 17 Apr 2015, 19:56

a) You should disconnect your B3 from the internet immediately, so that there are no new outgoing attacks.
b) Check /var/log/auth.log (it lists all logins on the machine) for a successful login of root or admin or any other user that was not initiated by you.
Maybe the attacker simply guessed a bad password instead of exploiting a bug.

Next, you should probably tell us about your current setup.
How is your network set up, which device is connected to which, do you use your B3 as a gateway to the internet, or are there any port forwardings that allow remote access to your B3 from the internet?
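The auth.log check Stryker describes, as an added example that is not from this thread or from the B3 software: it scans auth.log lines for successful sshd logins from outside the home LAN and for any session opened for root, counts failed attempts per source, and narrows the findings to a window around the time the ISP reported. The log lines, the LAN ranges and the year 2015 are constructed assumptions, and the parser assumes sshd logs addresses rather than hostnames.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (assumption: not from the poster's B3).
# syslog timestamps carry no year, so 2015 is assumed when parsing them.
SAMPLE_AUTH_LOG = """\
Apr 15 09:02:11 b3 sshd[3301]: Accepted publickey for partyshades from 192.168.1.10 port 50022 ssh2
Apr 15 12:20:40 b3 sshd[4510]: Failed password for admin from 198.51.100.23 port 51200 ssh2
Apr 15 12:21:02 b3 sshd[4512]: Failed password for admin from 198.51.100.23 port 51211 ssh2
Apr 15 12:26:58 b3 sshd[4521]: Accepted password for admin from 198.51.100.23 port 51234 ssh2
Apr 15 12:27:01 b3 su: pam_unix(su:session): session opened for user root by admin(uid=1000)
Apr 15 18:02:11 b3 sshd[5190]: Failed password for root from 203.0.113.9 port 40001 ssh2
"""

# Assumed home LAN ranges; a successful login from anywhere else deserves a look.
TRUSTED_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LOGIN_RE = re.compile(TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ROOT_RE = re.compile(TS + r" .*session opened for user root by (?P<by>\S+)")

def parse_ts(ts, year=2015):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def audit_auth_log(text, trusted=TRUSTED_NETS):
    """Return (findings, failed_by_ip); findings are logins a defender should review."""
    findings, failed = [], {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            if m["result"] == "Failed":
                failed[m["ip"]] = failed.get(m["ip"], 0) + 1
            elif not any(ip_address(m["ip"]) in net for net in trusted):
                findings.append({"time": parse_ts(m["ts"]), "user": m["user"],
                                 "source": m["ip"], "why": "successful login from outside the LAN"})
            continue
        m = ROOT_RE.match(line)
        if m:  # su/sudo/ssh session for root, whoever requested it
            findings.append({"time": parse_ts(m["ts"]), "user": "root",
                             "source": m["by"], "why": "root session opened"})
    return findings, failed

def events_near(findings, reported, minutes=30):
    """Keep only findings within +/- minutes of a reported time, e.g. the ISP's."""
    span = timedelta(minutes=minutes)
    return [f for f in findings if abs(f["time"] - reported) <= span]
```

On Debian-based systems /var/log/auth.log is readable only by root and the adm group, so the file has to be read via sudo or as root.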

Gordon
Posts: 1346
Joined: 10 Aug 2011, 03:18

Re: Possible virus on my B3

Post by Gordon » 18 Apr 2015, 04:08

You could be interested in this thread: http://forum.mybubba.org/viewtopic.php?f=9&t=4633

Of course the issue could also originate from your laptop/desktop/workstation. It may even have been a visitor if you're using an ISP-provided router and they set up a roaming wifi network for their customers.

PartyShades
Posts: 2
Joined: 17 Apr 2015, 13:07

Re: Possible virus on my B3

Post by PartyShades » 18 Apr 2015, 14:53

I wrote a similar post, but can't see it, so I will post again.

Last night I did the security part on the wiki. I also tried to take some quick lessons to get a bit familiar with the system.

Stryker wrote:
a) You should disconnect your B3 from the internet immediately, so that there are no new outgoing attacks.
b) Check /var/log/auth.log (it lists all logins on the machine) for a successful login of root or admin or any other user that was not initiated by you.
Maybe the attacker simply guessed a bad password instead of exploiting a bug.

Next, you should probably tell us about your current setup.
How is your network set up, which device is connected to which, do you use your B3 as a gateway to the internet, or are there any port forwardings that allow remote access to your B3 from the internet?

There aren't ongoing attacks, there was just an attack on that date. The ISP said on the call it looked like Linux activity.

I tried /var/log/auth.log but got access denied. I tried logging in with my username and then, after logging in, as root.

My network setup:
ADSL modem/router is a Zyxel (I can't access it, because it's from my company and they set it up)
One Windows laptop
Boxee by D-Link
Samsung smart TV
and most of the day there are 1 Android phone and 1 iPhone on the network.

Gordon wrote:
You could be interested in this thread:

Of course the issue could also originate from your laptop/desktop/workstation. It may even have been a visitor if you're using an ISP-provided router and they set up a roaming wifi network for their customers.

I read this last night and tried to find some hints. I will return to this thread tonight.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Possible virus on my B3

Post by Ubi » 18 Apr 2015, 15:48

Dovecot is for receiving mail, so you can ignore those log entries (the restarts of dovecot are a little weird though). Kinda odd that you seem to send so much mail without postfix (the mail send server) giving you log entries. This suggests the (apparent) attack is using a direct mailer (i.e. the software connects straight to the victim's server and doesn't go via the local postfix server). But it seems your logs are mostly empty.

Now as Gordon mentions: it is very well possible that it is your Windows machine that is compromised. Personally I'd check that machine first. And indeed, fix your PHP as mentioned in the link by Gordon as well.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Possible virus on my B3

Post by Ubi » 18 Apr 2015, 15:50

Oh, and isn't all that log activity around 21:25 just coming from logrotate?
