Gentoo Forums
[solved] Need help judging whether my server has been compromised
Forum Index > Networking & Security
Elleni
Veteran
Joined: 23 May 2006
Posts: 1122
Posted: Tue Dec 17, 2019 5:29 pm    Post subject: [solved] Need help judging whether my server has been compromised

My brother told me he opened a Word document within libreoffice-online on my nextcloud server which he received by mail. The same server is acting as mailserver, set up with postfix/dovecot/rspamd/fail2ban/clamav/logcheck... He then realized that the sending address was not ok, so he fortunately did not push the activate buttons on the top bar within libreoffice-online, and deleted the file. Now I am not sure whether my server was compromised. I checked with rkhunter and chkrootkit, nothing found, and I also ran clamscan (with unofficial signatures) on the location where nextcloud files are saved, without finding anything. What bothers me is that I became aware of 1 of the 4 CPUs being @100% with /usr/bin/loolforkit, and I don't know if that is related or not. Crawling the net for "loolkit/loolforkit high cpu" I did not find anything reported that could be helpful to understand what's going on.

Code:
/usr/bin/loolforkit --losubpath=lo --systemplate=/var/lib/libreoffice-online/systemplate --lotemplate=/usr/lib64/libreoffice --childroot=/var/lib/libreoffice-online/jails/ --clientport=9980 --masterport=9981 --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0

Is there a way to check what this thing is doing? What would be your suggestions / thoughts, do you think it's safe to wait and see if it stops eventually eating / occupying 1 of the 4 CPUs (it's running for 3h now according to htop)? Or should I consider the server compromised and thus restore to a state before the above mentioned Word file was opened? I would rather think that those macro things would only be a problem on Microsoft Office and only if activating malicious macros, but I don't know... :oops:

What do you think, is that related to the document opened, or just some other misbehavior of my libreoffice-online not leading to the conclusion that the server is compromised? What would you do if it were your server?
Code:
strace -p 24901

Code:
lsof -p 23808

The last line caught my attention, as I indeed opened this pdf file in my nextcloud. So maybe this CPU eating thing is attached to this?


Last edited by Elleni on Tue Dec 24, 2019 11:52 pm; edited 1 time in total
Elleni
Veteran
Joined: 23 May 2006
Posts: 1122
Posted: Mon Dec 23, 2019 9:25 pm

Did my checks inspired by this blog post, as I did not get any reply here yet:
https://bash-prompt.net/guides/server-hacked/

I guess everything should be ok, but I would nevertheless appreciate any comment/thought on this one, or maybe a hint on what else to do in order to improve my know-how.
gengreen
Tux's lil' helper
Joined: 23 Dec 2017
Posts: 125
Posted: Tue Dec 24, 2019 8:29 pm

With less than 100 lines of code, you can hide a process from most of the admin tools.

A rootkit / backdoor built with enough effort can persist almost forever and you won't see a thing. The only way to fix this is a full rebuild of your system.

If you think you could have been compromised, then you are; this is how you should handle the problem.

It's not by using 3 sysadmin tools and trying to make a hazardous analysis of your server that you will confirm whether or not you are compromised...
Elleni
Veteran
Joined: 23 May 2006
Posts: 1122
Posted: Tue Dec 24, 2019 11:51 pm

I see what you mean. Thanks for your comment. I will have to think about rebuilding everything, as it's quite some work. On the other side, I still hesitate, as I don't believe that opening a document with libreoffice-online is enough to have the server compromised. Nevertheless, I might find the time to redo all the work in order to have no doubt anymore.

At least I learned from this experience how to examine a process to find out what it's doing while occupying one CPU @100%.

But you are certainly right, and I won't be able to trust my server before a full rebuild.
etnull
Guru
Joined: 26 Mar 2019
Posts: 437
Location: Russia
Posted: Wed Dec 25, 2019 2:40 am

Maybe a miner? You can sniff the traffic and see if it goes somewhere. Still a good learning experience, as long as it's not a corporate server :)
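Both the strace/lsof look at the loolforkit process in the first post and the "see if it goes somewhere" suggestion above boil down to one question: which network endpoints does a suspicious PID hold right now? The following is an added example for this thread (it is not code from any poster, from loolforkit, or from the bash-prompt.net guide) that answers it from /proc alone, with no extra tools: it decodes the little-endian hex address fields of /proc/<pid>/net/tcp, maps the socket inodes in /proc/<pid>/fd back to that table, and prints the binary and command line alongside the connections. It reads the per-process copy of the table (/proc/<pid>/net/tcp) on purpose, because a process running in its own network namespace, as jailed helpers may, has a table of its own. The embedded sample table is constructed for the self-test; only IPv4 TCP is handled (tcp6 and udp use the same layout but are left out for brevity).

```python
#!/usr/bin/env python3
"""Correlate a PID's open sockets with /proc/<pid>/net/tcp to see where it talks.

Added example for this forum thread; not from the original posts. Works on any
Linux host using only /proc. Run as: python3 proc_net_triage.py <PID>
"""
import os
import re
import socket
import struct
import sys

# TCP state codes as printed in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp for the self-test: one listener on
# 127.0.0.1:8080 and one established connection to 203.0.113.10:443 (TEST-NET-3).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """Turn '0100007F:1F90' (little-endian hex IPv4, hex port) into ('127.0.0.1', 8080)."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of a /proc/net/tcp table into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        conns.append({
            "local": "%s:%d" % local,
            "remote": "%s:%d" % remote,
            "state": TCP_STATES.get(fields[3], "UNKNOWN(%s)" % fields[3]),
            "inode": int(fields[9]),              # socket inode, links to /proc/<pid>/fd
        })
    return conns


def socket_inodes_for_pid(pid):
    """Collect socket inode numbers from the 'socket:[12345]' symlinks in /proc/<pid>/fd."""
    inodes = set()
    fd_dir = "/proc/%d/fd" % pid
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue                             # fd closed between listdir and readlink
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def connections_for_inodes(conns, inodes):
    """Keep only the table rows whose socket inode belongs to the process."""
    return [c for c in conns if c["inode"] in inodes]


def connections_for_pid(pid):
    """Live lookup: TCP endpoints currently held by PID, read in its own network namespace."""
    with open("/proc/%d/net/tcp" % pid) as f:
        conns = parse_proc_net_tcp(f.read())
    return connections_for_inodes(conns, socket_inodes_for_pid(pid))


if __name__ == "__main__":
    if len(sys.argv) != 2 or not sys.argv[1].isdigit():
        sys.exit("usage: %s PID" % sys.argv[0])
    pid = int(sys.argv[1])
    # exe shows '(deleted)' if the binary on disk was removed after start: worth noticing.
    print("exe:    ", os.readlink("/proc/%d/exe" % pid))
    with open("/proc/%d/cmdline" % pid, "rb") as f:
        print("cmdline:", f.read().replace(b"\0", b" ").decode(errors="replace"))
    for c in connections_for_pid(pid):
        print("%-12s %-22s -> %s" % (c["state"], c["local"], c["remote"]))
```

Reading /proc/<pid>/fd of a process you do not own requires root (or CAP_SYS_PTRACE). A busy worker that shows nothing but local sockets to its master port is a different picture from one with an ESTABLISHED connection to an address you cannot account for; either way the remote addresses are what you then look up in the firewall or netflow logs, and a deleted-binary marker on exe is a reason to take gengreen's rebuild advice rather than keep analysing.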
Elleni
Veteran
Joined: 23 May 2006
Posts: 1122
Posted: Thu Dec 26, 2019 11:15 pm

Absolutely, thanks for the suggestion :)