Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Oh oh - seems my Gentoo's been ransomwared!! Oh No!
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2883
Location: Illinois, USA

PostPosted: Sun Mar 26, 2017 1:33 am    Post subject: Reply with quote

Hu wrote:
I could split out the philosophical posts, but some parts of the thread have posts that weave between philosophy and the original topic, so splitting could make the conversation harder to follow. If the philosophy debaters want to continue, I'll try to carve up the thread and leave appropriate cross-links. Otherwise, I'll leave the posts all in one thread.
Thank you, Hu. The discussion is interesting but getting away from the OP's problems.
Back to top
View user's profile Send private message
jonathan183
Guru
Guru


Joined: 13 Dec 2011
Posts: 308

PostPosted: Sun Mar 26, 2017 2:18 am    Post subject: Reply with quote

Hu wrote:
I could split out the philosophical posts, but some parts of the thread have posts that weave between philosophy and the original topic, so splitting could make the conversation harder to follow. If the philosophy debaters want to continue, I'll try to carve up the thread and leave appropriate cross-links. Otherwise, I'll leave the posts all in one thread.

For me
1. Establishing method of system compromise is interesting and of use to the community more generally, as is escape from VM.
2. Use of root, why that is a bad idea for things like surfing the net may be of use, what and whether software should provide mitigation is probably a separate topic.
3. Forensic investigation may be of use but is probably already better covered elsewhere - a simple don't trust anything on the system certainly applies in this case.
4. Recovery - again probably already covered elsewhere - a fresh install is the only way to be sure.

I am particularly interested in 1 above, so 3 is also relevant to help establish how. I think OP is already aware of 2 and appreciates 4 even though they may be painful.
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Sun Mar 26, 2017 4:24 am    Post subject: Reply with quote

I'm only claiming that I have my doubts that root run firefox is the entry method, and I don't want the OP to give up assuming this is the rootcause because some people think "it's a bad idea, so, it must be the entry method." This is the whole reason why this philosophical problem exists.

Things we now understand:

1. Rotating backups are good and reinstall is only way to safely rid of contamination.
2. Running firefox / adobe flash as root is a very bad idea
2a. ...but is NOT a guarantee to get infected by malware.
3. Likely this is a privilege escalation (or "VM" escape) of some sort versus explicitly running a trojan horse.
4. Crowdsourcing forensic investigation is hard.
5. We still have no definitive entry method.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
eohrnberger
Apprentice
Apprentice


Joined: 09 Dec 2004
Posts: 191

PostPosted: Thu Mar 30, 2017 1:15 am    Post subject: Reply with quote

Just reporting in.

So far so good. Systems seem to be functioning as expected. MRTG is not noticing any spikes in outgoing traffic. All looks normal.
Back to top
View user's profile Send private message
radg
n00b
n00b


Joined: 14 Aug 2004
Posts: 33
Location: Edinburgh, UK

PostPosted: Fri Mar 31, 2017 1:45 pm    Post subject: Reply with quote

It's possible the malware is based on this proof of concept, as there is a similar /etc/motd message:

https://github.com/jdsecurity/CryptoTrooper

In which case, there are decryption tools provided.
Back to top
View user's profile Send private message
destroyedlolo
l33t
l33t


Joined: 17 Jun 2011
Posts: 683
Location: Close to Annecy (France)

PostPosted: Mon May 29, 2017 3:27 pm    Post subject: Reply with quote

Hello,

In order to detect intrusion and specifically system changes, do you think using inotifywatch to monitor system's critics parts is a good idea ?

Laurent
Back to top
View user's profile Send private message
Maitreya
Guru
Guru


Joined: 11 Jan 2006
Posts: 407

PostPosted: Sat Oct 21, 2017 4:37 pm    Post subject: Reply with quote

This post made it to HN...
Back to top
View user's profile Send private message
bunder
Bodhisattva
Bodhisattva


Joined: 10 Apr 2004
Posts: 5801

PostPosted: Sat Oct 21, 2017 11:44 pm    Post subject: Reply with quote

It was there 7 months ago too. :roll:
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2, 3, 4, 5
Page 5 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum