Recovery Disk Windows 10 Usb Iso Download Rkhunter

I tried logging in to my admin account and it said password incorrect. There is no way it could have been incorrect since I copy-pasted it from a usb drive. I reset my password, installed chkrootkit and found out that I've been infected with a rootkit. So what do I do, just delete the files chkrootkit reported? Here is the terminal output:


Sorry about the messed up formatting, I don't know how to get it to display properly. Anyways, these files are infected:

I also changed the firewall settings so that it logs any suspicious action. I'm on Windows right now; I hope it can't spread to my Windows partition?

EDIT: I'm using Linux Mint as my personal OS so no networks are affected. I'll just wipe the drive.

What's my name

6 Answers

In general, you don't have to worry about a Linux rootkit spreading to a Windows system, but you have to be aware that a compromised network can open any system on it up to similar problems.

Don't delete /sbin/init! It controls your boot/shutdown, so deleting it will leave you with an unbootable system.

chkrootkit only looks for signatures, it doesn't check for the presence of known rootkit files, making it prone to false positives. Java is notorious for triggering these false positives, as are many other programming tools.


You're going to want to install rkhunter and scan your system, as it looks for signature files, but it's also prone to false positives, so don't be too quick to remove files without double-checking whether they belong there or not.

If your distro has a livecd, you can often copy that /sbin/init to the system, and it should boot okay, but no guarantees.

Personally, if you're certain your password is compromised on a system acting as a firewall for a network, I'd opt for a fresh install and do a more thorough job securing the system.

Tools like chkrootkit and rkhunter tend to be more useful for endpoint systems, especially for home users, rather than for primary entrance points, mainly because by nature, they're always chasing new developments in the security realm, so they'll never block the newest exploits.

Once a firewall is rooted, it's important to check all the systems on the network, as well. A Linux firewall may have its password changed to lock you out, but a Windows system is an easy target, too.

It's possible that such a blatant attack means that the attacker intended to blackmail you for access into your locked out system, so check your mail logs, there might be a message in there asking for money, and preferably report the problem to the authorities in your area, so they can assist in tracking down these groups.

jb listener

A bit of internet search shows that it may well be a false positive. Check your chkrootkit version:

If it's below version 0.50, it can return a false positive for Suckit, see here for the bug report.

Also, it was pointed out that the Mint website was compromised on the 20th of Feb 2016 with a backdoor placed in the ISO image, not sure this has anything to do with what you reported. But you can still give it a shot:

How to check if your ISO is compromised?

If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).

The valid signatures are below:


If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

Finally, I would not be confident with MD5 or SHA-1 sums for validating file integrity, as these have been broken for years now; better to check against SHA-256 or higher.

fduff
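The two checks described in the answer above, written as an added shell example that is not part of the original answer or of any Linux Mint tooling: it compares an ISO against a SHA-256 checksum list (rather than MD5) and tests a live-session root for the `/var/lib/man.cy` indicator file. The function names, `sample.iso` and `sha256sum.txt` are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a published SHA-256 list and
# check a live-session root for the indicator file named on this page.
# File names below are constructed placeholders, not real release artifacts.

# verify_iso_sha256 ISO SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed in SUMS_FILE.
verify_iso_sha256() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    # Lines in a sha256sum list look like "<hex>  name" or "<hex> *name".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# check_live_root ROOT
# ROOT is where the live session's filesystem is visible ("/" inside the session).
# Returns 1 if the indicator file var/lib/man.cy exists under ROOT, 0 otherwise.
check_live_root() {
    root=${1%/}
    if [ -e "$root/var/lib/man.cy" ]; then
        return 1
    fi
    return 0
}

# Constructed demo: a stand-in "ISO" and a checksum list generated for it.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for an ISO image\n' > "$d/sample.iso"
    (cd "$d" && sha256sum sample.iso > sha256sum.txt)
    verify_iso_sha256 "$d/sample.iso" "$d/sha256sum.txt" && echo "checksum: match"
    printf 'tampered\n' >> "$d/sample.iso"
    verify_iso_sha256 "$d/sample.iso" "$d/sha256sum.txt" \
        || echo "checksum: MISMATCH, do not boot this image"
    mkdir -p "$d/root/var/lib"
    check_live_root "$d/root" && echo "live root: indicator file absent"
    rm -rf "$d"
}
demo
```

A matching checksum only helps if the list was obtained over a channel the attacker did not control; where the project publishes a signature for the list, verify that before trusting the sums.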

You may wish to consider taking an image of the infected disk and use Autopsy from sleuthkit on an offline copy of the image to create a timeline and look for file system changes at the time the /sbin/init file was changed. The perp/rootkit could have STOMPed the modified, accessed and created time stamps, but at least you can get a feel for what they were after. - turning your device into a bot, ransomware or searching for an in to your network.

Alternatively hire in a local certified cyber forensic specialist who possibly can let you know what actually happened.

Richard Braganza

It is highly unlikely for a rootkit written for the Linux platform to spread into a Windows partition or host, but again, considering the speed of advancements in malware development, one can never be sure if it has an attack vector for neighboring Windows instances.

Coming to how to fight it, there is no better solution than wiping and reinstalling the OS. Otherwise, one can never be sure if you caught everything or there was one straggler that you left behind.

MelBurslan

The best way I was taught to deal with rootkits is to wipe the drive. However, depending on how important your data is, you could make another SU / root account and disable / deprivilege the account running the rootkit.


Have you double checked for false positives?

Jared Phillips

Linux Mint servers were hacked recently and someone placed infected ISO files on their download servers. The situation is back to normal now.

It is most likely you were hit by that. It's highly unlikely that you got hacked by such a pro unless you annoyed NSA/mafia very very bad.

Sadly, the only good way here is to wipe the Linux partition and reinstall.


Linux malware per se cannot spread to Windows, but Linux malware is a program, so once it has root access it can do pretty much anything it wants, like downloading malware for Windows from its own download server.


Run a scan with a Rescue CD, special Linux distros made by antivirus companies so you can scan Windows from a vantage point (it's unlikely that the antivirus installed in Windows can do anything now), format the Linux Mint partitions and reinstall with a NEW ISO file you download now that they replaced the infected ones.

Here is the blog post of the Linux Mint team: http://blog.linuxmint.com/?p=2994

bobafetthotmail
