Firefox randomly shuts down and at the same time the CPU usage increases heavily.
I noticed that when I check what is happening with htop, four new processes appear, each of them named /var/tmp/sic/sic, that take away all the CPU.
I checked my /var/tmp/sic folder and discovered a package.json file that looks very suspicious to me, as it has attributes named "donate-level" and "donate-over-proxy" as well as a part '"coin":"monero"'.
I am not very experienced with Linux yet and would be very thankful for any suggestions on how to further investigate this matter. I am also happy to provide any kind of logs if needed.
From reading this, it would come from a Firefox add-on that includes a cryptominer. So checking your add-ons would indeed be a good first step.
Also, the use of package.json indicates a pre-WebExtension add-on, which are not supported since Firefox 57. If you are still holding on to an old Firefox (like the firefox-esr52 I spot in AUR), I think it's time you switched to the latest version.
This will only use CPU resources if the site is open in your browser.
I did some more research by googling parts of that package.json file, especially one long hash, and now I am pretty sure I got hijacked because I misconfigured Docker and afterwards stupidly exposed some ports on a public network. Everything is very well explained in this article, which even names the specific hash I found in my package.json. It points to a cryptocurrency wallet:
I think Firefox "noticed" this in some way and therefore shut down?
So I now have the problem that I do not know how to get rid of this
Every now and then four very CPU-intensive processes start themselves; this is one sample output of one of them in htop:
Holy crap, that script is quite evil. It disables the firewall, adds a user with root permissions, starts sshd, etc.
It made some cron entries which execute every xx minutes. Those are actually downloading and initiating it again and again.
You could try to reverse everything in this script (starting with removing the cron jobs), but my advice would be to reinstall your system.
Once compromised you can never be sure if you really got rid of everything.
(Also the script could have been different in the past and it could have done other nasty stuff...)
This is why I think Linux is not as safe as people think. There are millions of scripts and extensions that can cause harm more easily than on other platforms. Linux's only advantage is that no one is using it (0.05%, not counting servers etc.).
Looking through that script will hint you towards repairing and not having to reinstall, but reinstalling would definitely take care of it. Your /home directories should be fine to reuse, since that whole script is about adding groups/users with root privilege and changing file attributes.
According to @moson this script has root access. Before blaming Linux we should know how this root access was achieved. Was it a security hole in Linux, or was root access granted by other means, e.g. the malware is run with user privileges but the user has sudo rights on ALL without password? Some people have that setup. This would be a misconfiguration by the admin.
Before you make a judgement like this you should first know how this script got root access.
From what I understood, @ruderngespra exposed the Docker REST API endpoint:
Docker provides REST APIs for management of its service, including the ability to create and start/stop containers. By default, Docker only enables Unix socket access to its REST APIs. To enable remote access to the Docker service’s REST APIs, one has to configure Docker to listen on TCP ports. The conventional ports used by Docker are 2375 and 2376 which, when enabled, would by default provide unencrypted and unauthenticated access to the docker REST APIs.
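The paragraph above is the whole root cause: any `-H tcp://...` listener without `--tlsverify` hands the daemon (and therefore root on the host) to whoever can reach the port. The following is an added example for this thread, not Docker's own tooling or anything posted by the participants. It classifies a dockerd configuration line (the `ExecStart=` from the systemd unit, or the `"hosts"` entry from daemon.json) by how it exposes the API; the configuration strings it checks are constructed samples, and the classification is a string-matching heuristic, not a parser of dockerd's full option grammar.

```shell
#!/bin/sh
# Added example: classify how a dockerd host configuration exposes the REST API.
# Assumptions: the input is one line of text, either an ExecStart= line from
# docker.service or the "hosts" line from /etc/docker/daemon.json; detection is
# substring matching and is meant as a quick audit, not a full option parser.

classify_docker_host() {
  cfg="$1"
  case "$cfg" in
    *tcp://*) ;;                                  # any TCP listener at all?
    *) echo "unix-socket-only"; return 0 ;;       # the Docker default
  esac
  case "$cfg" in
    *tcp://127.0.0.1*|*tcp://localhost*)          # reachable only from this host
      echo "tcp-loopback"; return 0 ;;
  esac
  case "$cfg" in
    *tlsverify=false*|*\"tlsverify\":*false*)     # explicitly disabled client auth
      echo "tcp-unauthenticated"; return 1 ;;
    *--tlsverify*|*\"tlsverify\"*)                # mutual TLS: clients need a cert
      echo "tcp-tls-client-auth"; return 0 ;;
  esac
  echo "tcp-unauthenticated"                      # the 2375 case from the thread
  return 1
}

# Live check on the running host: is anything bound to the conventional ports?
# (Uses iproute2's ss filter syntax; not exercised by the samples below.)
docker_ports_listening() {
  command -v ss >/dev/null 2>&1 || return 2
  ss -ltn '( sport = :2375 or sport = :2376 )' | tail -n +2
}

# Constructed sample configurations (not taken from the poster's machine).
DEFAULT='ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
LOOP='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375'
WEAK='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
WEAK_JSON='"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]'
TLS='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'

# Stand-alone run over the samples.
for sample in "$DEFAULT" "$LOOP" "$WEAK" "$WEAK_JSON" "$TLS"; do
  printf '%-22s  %s\n' "$(classify_docker_host "$sample")" "$sample"
done
```

To audit a real host, feed it `grep ExecStart /usr/lib/systemd/system/docker.service /etc/systemd/system/docker.service.d/*.conf` and `grep hosts /etc/docker/daemon.json`; anything that classifies as tcp-unauthenticated on a machine with a public interface is exactly the condition the quoted paragraph warns about, and the fix is to drop the `tcp://` host entirely or move to 2376 with `--tlsverify` and a client certificate.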