[opensuse] mingetty - security breach?
Hi ListMates,

I'm not sure what's going on and I was hoping that someone could shed some light on this issue. I recently did a (netstat -tupan) to see what ports are open on my system and I got a curious line:

    tcp 0 0 192.168.0.5:44379 95.211.60.8:8070 ESTABLISHED 4521/mingetty tty4

and when I do a (ps -ef | grep 4521) I get:

    root 4521 1 0 10:44 ? 00:00:02 /sbin/mingetty tty4

To be on the safe side I killed process 4521 (kill -9 4521) and that got rid of the process. My question though is "where is this mingetty coming from?". I checked the system high and low and can't find /sbin/mingetty, nor can I find mingetty anywhere on the system!!?? And I can't find which process at boot time started it up - can anyone shed some light on this issue??

It seems this process gets started EVERY time the system gets booted - and it seems to be a part of openSUSE 13.1. I tried this on a fresh install (in VMware) and indeed the process gets started by openSUSE.

I also did a check on IP 95.211.60.8 and it seems to come from LeaseWeb, P.O. Box 93054, 1090BB AMSTERDAM, Netherlands, www.leaseweb.com.

Does anyone else see this on their systems? Is it something I need to be worried about?

Thanks and best regards.
Otto.

BTW: I'm running openSUSE 13.1 3.11.10-21-default x86_64 (with all the latest updates).

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 29/09/14 at #4, Otto Rodusek wrote:
> Does anyone else see this on their systems?

No.

> Is it something I need to be worried about?

Yes, you have been owned.. Legit mingetty does not use socket() and therefore is unable to open TCP connections by itself.. Also, systemd does not call mingetty for any console setup at boot time, nor does the mingetty package contain systemd units to do it by itself.
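The checks Otto ran by hand (netstat -tupan, ps, hunting for the binary on disk) together with the reasoning in Cristian's reply (a getty never calls socket()), as an added example in Python. This is not code from the thread, from openSUSE or from the mingetty package. It parses a netstat -tupan listing (a constructed sample built around the line reported in the post), flags sockets owned by programs that should never network, checks whether the claimed program exists in the standard binary directories, and reads /proc/PID/exe for the " (deleted)" marker that shows a running image unlinked from disk. NEVER_NETWORKS and BIN_DIRS are assumed, site-specific lists.

```python
"""Triage a `netstat -tupan` listing the way the thread does by hand.

Added example, not code from the thread or from openSUSE. SAMPLE_NETSTAT is
constructed from the post's line plus two benign entries; NEVER_NETWORKS and
BIN_DIRS are assumptions for illustration.
"""
import ipaddress
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample: the row reported in the post plus two ordinary rows.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.0.5:44379       95.211.60.8:8070        ESTABLISHED 4521/mingetty
udp        0      0 0.0.0.0:68              0.0.0.0:*                           731/dhclient
"""

# Assumption: programs whose legitimate job never involves a socket. The
# thread's point: a getty does not call socket(), so it cannot be the real
# owner of a TCP connection, whatever argv[0] claims.
NEVER_NETWORKS = {"mingetty", "agetty", "getty", "login"}

# Assumption: where a packaged daemon binary is expected to live.
BIN_DIRS = ("/sbin", "/usr/sbin", "/bin", "/usr/bin")

_LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"   # UDP rows have no State column
    r"(?P<pidprog>\S+)"             # "4521/mingetty", or "-" when unknown
)


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: Optional[int]
    prog: str


def parse_netstat(text: str) -> List[Conn]:
    """Parse the socket rows of `netstat -tupan` output, skipping header lines."""
    conns = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        pid, prog = None, ""
        if "/" in m["pidprog"]:
            pid_s, prog = m["pidprog"].split("/", 1)
            pid = int(pid_s)
        conns.append(Conn(m["proto"], m["local"], m["remote"], m["state"] or "", pid, prog))
    return conns


def is_external(endpoint: str) -> bool:
    """True for a remote such as '95.211.60.8:8070' whose host is a public address."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # '*' and other wildcard endpoints


def find_binary(prog: str, exists: Callable[[str], bool]) -> Optional[str]:
    """First standard directory holding `prog`, or None if it is nowhere on disk."""
    for d in BIN_DIRS:
        path = os.path.join(d, prog)
        if exists(path):
            return path
    return None


def proc_exe(pid: int) -> Optional[str]:
    """readlink /proc/PID/exe; a ' (deleted)' suffix means the image was unlinked."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def triage(conns: Iterable[Conn],
           exists: Callable[[str], bool] = os.path.exists,
           exe_of: Callable[[int], Optional[str]] = proc_exe) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for sockets that deserve a closer look."""
    findings = []
    for c in conns:
        if c.pid is None:
            continue
        if c.prog in NEVER_NETWORKS:
            findings.append((c.pid, f"{c.prog} holds {c.proto} {c.local} -> {c.remote} "
                                    f"{c.state}; this program never opens sockets"))
        if c.state == "ESTABLISHED" and is_external(c.remote):
            findings.append((c.pid, f"{c.prog} has an established session to public host {c.remote}"))
        if c.prog and find_binary(c.prog, exists) is None:
            findings.append((c.pid, f"no {c.prog} found under {', '.join(BIN_DIRS)}"))
        exe = exe_of(c.pid)
        if exe and exe.endswith(" (deleted)"):
            findings.append((c.pid, f"/proc/{c.pid}/exe -> {exe}: running image unlinked from disk"))
    return findings


if __name__ == "__main__":
    for pid, why in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid}: {why}")
```

On the live box the same questions are answered with ls -l /proc/4521/exe, cat /proc/4521/cmdline, rpm -qf /sbin/mingetty and rpm -V mingetty. The script only narrows the list of suspects: it runs on the output of the same netstat and /proc that a rootkit on a compromised host may already be filtering, so a clean result from it does not clear the machine.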
On 29/09/14 at #4, Otto Rodusek wrote:
> I tried this on a fresh install (in vmware) and indeed the process gets started by OpenSuse.

What media are you using? That's strange..
On 29/09/14 at #4, Cristian Rodríguez wrote:
> On 29/09/14 at #4, Otto Rodusek wrote:
>> I tried this on a fresh install (in vmware) and indeed the process gets started by OpenSuse.
>
> What media are you using? That's strange..

Ok.. did some googling.. it is your fault. You got a shady trojanized VMware Workstation installed in the host system.. nothing to do with openSUSE.
On 29/9/14 11:59, Cristian Rodríguez wrote:
> On 29/09/14 at #4, Cristian Rodríguez wrote:
>> On 29/09/14 at #4, Otto Rodusek wrote:
>>> I tried this on a fresh install (in vmware) and indeed the process gets started by OpenSuse.
>>
>> What media are you using? That's strange..
>
> Ok.. did some googling.. it is your fault. You got a shady trojanized VMware Workstation installed in the host system.. nothing to do with openSUSE.

Hi Cristian,

Thanks for your feedback. Yes, I do have VMware Workstation 10.0.3 running - BUT - it is a legit purchased version from VMware and properly licensed. Can you give me the link you found? I tried googling but couldn't find it. Thanks for your help - at least I now know where to look - I will download a fresh install from VMware and re-install and see where this leads to.

Thanks and best regards.
Otto.
On 29/09/14 at #4, Otto Rodusek wrote:
> Thanks for your feedback. Yes, I do have VMware Workstation 10.0.3 running - BUT - it is a legit purchased version from VMware and properly licensed. Can you give me the link you found? I tried googling but couldn't find it.

It is in Spanish: http://bitacoraderedes.wordpress.com/2013/11/19/un-caso-real-un-linux-troyan... It describes exactly your problem, same IP address of the bot director, same executables poisoned.. The analysis is only partial so it might be slightly wrong.
On 29/9/14 12:29, Cristian Rodríguez wrote:
> On 29/09/14 at #4, Otto Rodusek wrote:
>> Thanks for your feedback. Yes, I do have VMware Workstation 10.0.3 running - BUT - it is a legit purchased version from VMware and properly licensed. Can you give me the link you found? I tried googling but couldn't find it.
>
> It is in Spanish:
> http://bitacoraderedes.wordpress.com/2013/11/19/un-caso-real-un-linux-troyan...
> It describes exactly your problem, same IP address of the bot director, same executables poisoned.. The analysis is only partial so it might be slightly wrong.

Hi Cristian,

Thanks for the link - checking now. Thanks for your help. (Going to do a complete uninstall of VMware, download a fresh install from VMware, check md5sum and sha1sum, and do a re-install and see the results). Again, thanks!

Best regards.
Otto.
On 29/09/14 at #4, Otto Rodusek wrote:
> On 29/9/14 12:29, Cristian Rodríguez wrote:
>> On 29/09/14 at #4, Otto Rodusek wrote:
>>> Thanks for your feedback. Yes, I do have VMware Workstation 10.0.3 running - BUT - it is a legit purchased version from VMware and properly licensed. Can you give me the link you found? I tried googling but couldn't find it.
>>
>> It is in Spanish:
>> http://bitacoraderedes.wordpress.com/2013/11/19/un-caso-real-un-linux-troyan...
>> It describes exactly your problem, same IP address of the bot director, same executables poisoned.. The analysis is only partial so it might be slightly wrong.
>
> Hi Cristian,
>
> Thanks for the link - checking now. Thanks for your help. (Going to do a complete uninstall of VMware, download a fresh install from VMware, check md5sum and sha1sum, and do a re-install and see the results).

Nooope, that's not the way you have to do it.. the machine has been compromised and can no longer be trusted to perform any task. A clean OS install and restoring known clean backups comes next.
On 29/9/14 12:55, Cristian Rodríguez wrote:
> On 29/09/14 at #4, Otto Rodusek wrote:
>> On 29/9/14 12:29, Cristian Rodríguez wrote:
>>> On 29/09/14 at #4, Otto Rodusek wrote:
>>>> Thanks for your feedback. Yes, I do have VMware Workstation 10.0.3 running - BUT - it is a legit purchased version from VMware and properly licensed. Can you give me the link you found? I tried googling but couldn't find it.
>>>
>>> It is in Spanish:
>>> http://bitacoraderedes.wordpress.com/2013/11/19/un-caso-real-un-linux-troyan...
>>> It describes exactly your problem, same IP address of the bot director, same executables poisoned.. The analysis is only partial so it might be slightly wrong.
>>
>> Hi Cristian,
>>
>> Thanks for the link - checking now. Thanks for your help. (Going to do a complete uninstall of VMware, download a fresh install from VMware, check md5sum and sha1sum, and do a re-install and see the results).
>
> Nooope, that's not the way you have to do it.. the machine has been compromised and can no longer be trusted to perform any task. A clean OS install and restoring known clean backups comes next.

Hi Cristian,

Ok, that sounds the best way to go.

Thanks and best regards.
Otto.
On 29/9/14 11:53, Cristian Rodríguez wrote:
> On 29/09/14 at #4, Otto Rodusek wrote:
>> I tried this on a fresh install (in vmware) and indeed the process gets started by OpenSuse.
>
> What media are you using? That's strange..

Thanks for the feedback - looks like I need to do some searching... The media I use is the downloaded ISO from openSUSE - I checked the md5sums and they match. I'm doing investigations now - will revert back if I find anything!!

Best regards.
Otto.
On 29/09/14 at #4, Otto Rodusek wrote:
> I'm doing investigations now - will revert back if I find anything!!

TL;DR - shady vmware-ifconfig - trojanized mingetty contains an IRC bot - you got owned.
participants (2)
- Cristian Rodríguez
- Otto Rodusek