I installed Trisquel 8 on 01/12/2017.
Soon, I think it was the first day but am not sure, I had a problem with
Abrowser and the Trisquel site, which I posted about here:
https://trisquel.info/en/forum/flidas-and-abrowser
I ended up without Abrowser and was pretty happy using Dooble, except I didn't
figure out how to download with it. I think it might be a 'save link'
function, but that didn't occur to me.
Yesterday, I downloaded, unpacked and did a dd to a thumbdrive of GuixSD.
Later I installed bleachbit:
http://archive.trisquel.info/trisquel/pool/main/b/bleachbit/bleachbit_1.0-1_all.deb
but also tried to install the latest version:
https://www.bleachbit.org/download/file/t?file=bleachbit_1.12_all_ubuntu1604.deb
I was using the terminal due to the browser issue (wget and maybe ftp, the
terminal's history function, and copying and pasting). I screwed up and got my
commands mixed up at some point during the bleachbit story, and suddenly the
terminal filled up with a bunch of binary-looking stuff. It might have
happened when I ran something like this command: 'sudo dpkg -i
bleachbit_1.0-1_all.deb'. I mean I screwed up and maybe entered 'wget sudo
dpkg -i bleachbit_1.0-1_all.deb' in the terminal.
Anyway, I don't know what happened but it was unsettling so a little while
later I downloaded chkrootkit and ran it. Got the result below.
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Looking up further info, I saw the possibility of a false positive, but follow-up
tests didn't turn out well.
I think I flunked every test listed here:
https://www.cert-bund.de/ebury-faq
# ipcs -m
------ Shared Memory Segments --------
key shmid owner perms bytes nattch
0x000006e0 65538 root 666 3283128 0
(that is an exact match to the example on the cert-bund website; the good
news was this: "Please note that the SHMs are only created on the first event
of data exfiltration – so immediately after a reboot of the system, the
malicious SHMs will probably not show up in the output of 'ipcs -m'." So
maybe I caught it before it got to do its dastardly deeds.)
Cert-bund says, "On Linux-based systems, an additional shared library file
'libns2.so' is installed and the existing libkeyutils file is patched to link
against this library instead of libc6. The malicious 'libns2.so' file can be
located by running the following command, which should not return any results
on clean systems. "
I had it:
# find /lib* -type f -name libns2.so
/lib64/libns2.so
I think this is like a backdoor waiting to be knocked on:
george@Trisquel:~/myScripts$ netstat -nap | grep "@/proc/udevd"
unix  2      [ ACC ]     STREAM     LISTENING     5597     2529/atd            @/proc/udevd
Based on the results of 'ipcs -m', 'find /lib* -type f -name libns2.so' and
'netstat -nap | grep "@/proc/udevd"', I figured there was a high probability I was
infected and trying to clean wasn't an option.
So I reformatted and reinstalled.
Currently Abrowser works like it should and haven't had any problem with
Trisquel's certificate.
chkrootkit still comes back with:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
This file is mentioned (I'm not sure what I saw yesterday before
reformatting):
find /lib* -type f -name libkeyutils.so* -exec ls -la {} \;
-rw-r--r-- 1 root root 14256 Dec 10  2015 /lib/x86_64-linux-gnu/libkeyutils.so.1.5
but according to the cert-bund, "If any file is larger than 25 kilobytes in
size, it is most probably a malicious version of the library," and mine is
only around 14 kb.
ls -als | grep libkeyutils*
Binary file libkeyutils.so.1.5 matches
and a simple 'ls -als' shows:
 0 lrwxrwxrwx 1 root root    18 Jan 17 21:56 libkeyutils.so.1 -> libkeyutils.so.1.5
16 -rw-r--r-- 1 root root 14256 Dec 10  2015 libkeyutils.so.1.5
in the list.
but this comes up clean:
find /lib* -type f -name libns2.so
and this comes back empty as well:
sudo netstat -nap | grep "@/proc/udevd"
So now I think there is a good chance I am not infected, but still am wary.
From what I've read this 'libkeyutils.so.1 -> libkeyutils.so.1.5' is really
important. How does one verify they have a good version? Any other
recommendations? Maybe I am just paranoid?
I skimmed through a 69-page PDF called Operation Windigo yesterday, and this
is a serious threat. People often say Linux is secure, but reading this
document would have made my hair curl if I had any. That's here if anyone is
interested:
http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
But even so, I am really liking Flidas.
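As an added example, not part of george's post, here are the CERT-Bund Ebury checks he ran written as a small POSIX shell script, so they can be run live on a host or against output saved before a reinstall, plus a dpkg-based answer to his question about verifying libkeyutils. It assumes a Linux host with GNU find (for -size +25k), ipcs, and netstat or ss; the 3 MB floor on shared-memory size is the example's own choice rather than a CERT-Bund figure, and the library paths /lib, /lib32 and /lib64 are assumptions for an amd64 Trisquel 8 install.

```shell
#!/bin/sh
# Ebury indicator checks from the CERT-Bund FAQ, as shell functions.
# Added example, not code from the post. Assumes Linux with GNU find
# (-size +25k), ipcs, and netstat or ss. Each function takes its input
# explicitly (captured command output on stdin, or directories as arguments),
# so the checks run live or against output saved from another machine.
# Every check returns 0 when it finds the indicator and 1 when it does not.

# Shared memory: Ebury keeps root-owned segments with mode 666 that are
# several megabytes in size (3283128 bytes in the post). Reads `ipcs -m`
# output on stdin and prints matching rows. The 3 MB floor is an assumption.
ebury_check_shm() {
    awk '$1 ~ /^0x/ && $3 == "root" && $4 == "666" && $5 + 0 > 3000000 {
             print; found = 1
         }
         END { exit found ? 0 : 1 }'
}

# The extra library: libns2.so must not exist on a clean system.
# Usage: ebury_check_libns2 /lib /lib32 /lib64
ebury_check_libns2() {
    find "$@" -type f -name libns2.so 2>/dev/null | grep .
}

# The backdoor's abstract unix socket "@/proc/udevd". Reads the output of
# `netstat -nap` or `ss -xlp` on stdin and prints the line if present.
ebury_check_socket() {
    grep -F -- '@/proc/udevd'
}

# libkeyutils size: the trojanised library is larger than 25 kilobytes; the
# clean Trisquel 8 copy in the post is 14256 bytes. -size +25k (GNU find)
# matches files over 25*1024 bytes. Prints any oversized libkeyutils.so*.
# Usage: ebury_check_libkeyutils /lib /lib32 /lib64
ebury_check_libkeyutils() {
    find "$@" -type f -name 'libkeyutils.so*' -size +25k -exec ls -la {} \; \
        2>/dev/null | grep .
}

# Answering "how does one verify they have a good version": dpkg records an
# md5sum for every file it installed, and `dpkg -V` lists files that no longer
# match (a line starting "??5??????" means the content changed). No output
# means every file of libkeyutils1 still matches its package. Caveat: a
# root-level implant could rewrite that md5sum list too; see the note below.
ebury_verify_libkeyutils_pkg() {
    dpkg -V libkeyutils1
}

# Offline demo: the two lines the post captured before reinstalling, kept here
# as sample input (copied from the post, not from a live system), run through
# the text-based checks. Returns 0 when both are flagged, as they should be.
ebury_demo_post_output() {
    post_ipcs='0x000006e0 65538      root       666        3283128    0'
    post_netstat='unix  2  [ ACC ]  STREAM  LISTENING  5597  2529/atd  @/proc/udevd'
    printf '%s\n' "$post_ipcs" | ebury_check_shm &&
        printf '%s\n' "$post_netstat" | ebury_check_socket
}

# `sh ebury_checks.sh --live` checks this host; no argument runs the demo.
if [ "${1:-}" = "--live" ]; then
    echo "== root-owned mode-666 shared memory segments over 3 MB"
    ipcs -m | ebury_check_shm || echo "none"
    echo "== libns2.so"
    ebury_check_libns2 /lib /lib32 /lib64 || echo "none"
    echo "== @/proc/udevd socket"
    if command -v ss >/dev/null 2>&1; then
        ss -xlp | ebury_check_socket || echo "none"
    else
        netstat -nap 2>/dev/null | ebury_check_socket || echo "none"
    fi
    echo "== libkeyutils.so* over 25 KB"
    ebury_check_libkeyutils /lib /lib32 /lib64 || echo "none"
    echo "== dpkg -V libkeyutils1 (no output means all files match)"
    ebury_verify_libkeyutils_pkg
else
    ebury_demo_post_output
fi
```

Run it as root so netstat or ss can show the owning process (the post's "2529/atd"). Two caveats from the FAQ text quoted in the post still apply: the shared memory segments are created only on the first exfiltration, so an empty `ipcs -m` right after a reboot proves nothing, and `dpkg -V` trusts the md5sum list under /var/lib/dpkg/info, which malware running as root could rewrite. A stronger check for the library is to fetch the package again with `apt-get download libkeyutils1`, unpack it with `dpkg-deb -x`, and compare the sha256sum of the extracted libkeyutils.so.1.5 with the installed one.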