In the last few days I noticed that Chrome started to act weirdly. For example, it would ask whether I allow the microphone for Google Search although I had allowed it already. And then when I would click the allow button, I wouldn’t be able to click it (I click it but the computer doesn’t recognize it, and the dialogue doesn’t go away). Also, if a power crash occurs, and Chrome offers to restore the previous session tabs, when I click the restore button nothing happens and the previous session is not restored.
I started to suspect that there is a Trojan or virus on my computer, so I ran rkhunter. And it did find something very, very suspicious. Here it is:
[16:23:56] Info: Starting test name 'passwd_changes'
[16:23:56] Checking for passwd file changes [ Warning ]
[16:23:56] Warning: User 'rpcuser' has been added to the passwd file.
[16:23:56] Warning: User 'rabbitmq' has been added to the passwd file.
[16:23:56]
[16:23:56] Info: Starting test name 'group_changes'
[16:23:56] Checking for group file changes [ Warning ]
[16:23:56] Warning: Group 'rpcuser' has been added to the group file.
[16:23:56] Warning: Group 'rabbitmq' has been added to the group file.
[16:23:56] Warning: Group 'vboxusers' has been added to the group file.
[16:23:56] Checking root account shell history files [ None found ]
[16:23:56]
[16:23:56] Info: Starting test name 'system_configs'
[16:23:56] Performing system configuration file checks
[16:23:57]
I don’t remember ever installing anything that has rabbitmq or rpcuser in its name. I recently installed genymotion and virtualbox, but I doubt that these programs create rabbitmq and rpcuser groups and users. Are these new users and passwd changes that rkhunter warns me about a reason for concern?
EDIT: Also chkrootkit found this
Searching for Linux.Xor.DDoS ... /usr/bin/chkrootkit: command substitution: line 1287: syntax error near unexpected token `)'
/usr/bin/chkrootkit: command substitution: line 1287: `${ls} ${ROOTDIR}etc/cron.hourly/udev.sh ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)'
INFECTED: Possible Malicious Linux.Xor.DDoS installed
Are you absolutely sure that genymotion might have created those two users?
I Googled genymotion and rabbitmq group but couldn’t find anything.
Is there a way to see when these passwords and groups were created, I mean the exact date and time?
None of those files appear to exist on my computer. Here is the output
[ben71@ben-inspiron3521 chkrootkit-0.48]$ cat /etc/cron.hourly/gcc.sh
cat: /etc/cron.hourly/gcc.sh: No such file or directory
[ben71@ben-inspiron3521 chkrootkit-0.48]$ cat /etc/cron.hourly/udev.sh
cat: /etc/cron.hourly/udev.sh: No such file or directory
I know for certain that I didn’t install those two programs. However, I have reason to suspect that somebody physically entered my apartment while I was not at home and installed viruses on this computer. It has already happened several times unfortunately.
Congratulations you have installed a trojan VIRUS named rkhunter…
Linux does not need crap like that, if it would have needed it - it would have been installed by default on ALL Linux distros…
rkhunter is a tool which you need to know (or to learn) how to use
There certainly is a readme and/or a user guide - telling you what it does, how it does it.
What you see are warnings - about users/groups that rkhunter does not know to be part of a standard installation.
However, these are totally legitimate users/groups.
Whatever the “rabbitmq” group is or which program created it … only you know.
Having a group with any name is no sign of malware - what rights the members of that group have may be worth investigating.
You were asked to provide the output of: cat /etc/passwd
It lists the content of that file - no secrets get exposed …
What you gave instead is something completely different.
If you have trouble with chromium:
close the program
cp -a ~/.config/chromium ~/.config/chromium_backup
rm -rf ~/.config/chromium
restart chromium and re-import whatever you need from the backup that was created by the first command
My 2-3 cents:
I also have rpcuser, or rather rpcbind. Among others like nfs-utils, it is an optional dependency of hplip for example, so if you have an HP printer with networking it can also come from there.
Besides, the last version of rkhunter is 5 years old. For security related software this is ages, so I would not rely on it to do anything useful except providing false positives. Better scan with clamav. Or download some live CD on a clean computer, like the Kaspersky rescue CD or something similar.
And finally, someone broke into your apartment to install something… you are watching too many movies. But in the future you can set a password for your hard drive or BIOS boot, for example. Or encrypt everything with LUKS if you are that paranoid.
You asked for timestamps - I cannot give you that.
What I can do is tell you which users were created after you installed the system.
This is deduced from the passwd file.
If you look at the users created after your user, you will see they are system users: their id is below 1000 and they cannot log in, as the shell assigned is /usr/bin/nologin.
If you want to know when the rabbitmq service user was created I suggest you open pamac (add remove programs), then click on the menu and select view history, and input rabbitmq in the search field.
The spamd user is there because you installed spamassassin, but that does not trigger rkhunter, right? Why not? If rkhunter is right, why not that too? And what about tss?
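As an added example that is not part of the thread, a small Python script that applies the criteria above (uid below 1000 and a nologin shell means a service account) to rkhunter's passwd_changes warnings. Both the warning lines and the /etc/passwd excerpt are constructed sample data, not the poster's real files; the uids, home directories and the extra "newuser" account are assumptions.

```python
import re

# Constructed sample: rkhunter 'passwd_changes' warnings in the format quoted
# in the thread, plus one constructed warning for a login-capable account.
RKHUNTER_LOG = """\
[16:23:56] Warning: User 'rpcuser' has been added to the passwd file.
[16:23:56] Warning: User 'rabbitmq' has been added to the passwd file.
[16:23:56] Warning: User 'newuser' has been added to the passwd file.
"""

# Constructed /etc/passwd excerpt (not the poster's file); uids are assumptions.
PASSWD = """\
root:x:0:0::/root:/bin/bash
ben71:x:1000:1000:Ben:/home/ben71:/bin/bash
rpcuser:x:34:34:RPC Service User:/var/lib/nfs:/usr/bin/nologin
rabbitmq:x:979:979:RabbitMQ messaging server:/var/lib/rabbitmq:/usr/bin/nologin
spamd:x:182:182:SpamAssassin user:/var/lib/spamassassin:/usr/bin/nologin
newuser:x:1001:1001::/home/newuser:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def flagged_users(rkhunter_log):
    """Account names from rkhunter's 'User ... added to the passwd file' warnings."""
    return re.findall(r"Warning: User '([^']+)' has been added to the passwd file", rkhunter_log)

def parse_passwd(text):
    """Return {name: (uid, shell)} for every passwd line (7 colon-separated fields)."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = (int(uid), shell)
    return accounts

def triage(rkhunter_log, passwd_text):
    """Classify each flagged account: low uid plus nologin shell is a service account."""
    accounts = parse_passwd(passwd_text)
    result = {}
    for name in flagged_users(rkhunter_log):
        if name not in accounts:
            result[name] = "missing from passwd"
            continue
        uid, shell = accounts[name]
        if uid < 1000 and shell in NOLOGIN_SHELLS:
            result[name] = "service account (cannot log in)"
        else:
            result[name] = "login-capable, investigate"
    return result

def login_capable_accounts(passwd_text):
    """Accounts with a real shell, worth reviewing regardless of rkhunter's output."""
    return sorted(n for n, (_uid, shell) in parse_passwd(passwd_text).items()
                  if shell not in NOLOGIN_SHELLS)

if __name__ == "__main__":
    for name, verdict in triage(RKHUNTER_LOG, PASSWD).items():
        print(f"{name}: {verdict}")
    print("login-capable:", login_capable_accounts(PASSWD))
```

On a real system, feed it the output of `cat /etc/passwd` and the rkhunter log instead of the constructed strings.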
Ok I followed your advice and here is when rabbitmq was installed
That is a lot earlier than when these strange Chrome behaviors started to happen. So they are probably not related.
And as for spamassassin, I don’t remember installing that either. It is possible that some mailing program, such as sylpheed might have installed it, but I am not sure.