2

I have noticed a virus on our machine. The symptoms it shows are:

  1. It runs multiple processes named camplz. If I kill the process, it restarts.
  2. The executable is present under the /usr/bin directory. If I delete the executable, it gets recreated.
  3. It creates files under /tmp named config.f and ??af???a???mdkkkk.
  4. If I delete the files, they are recreated.
  5. It establishes IP connections to China-based IP addresses and starts sending bytes in MB, increasing my bandwidth utilization.

    lsof -o shows camplz  26983    root    2u  IPv4 2380650457      0t0  TCP <mydomain.com>:18703->100.42.227.29:18888 (ESTABLISHED)

mydomain.com is a placeholder.

Although I have found the source, I have no idea how to remove it and clean my machine. I do not want to change the machine any more than necessary. At present, I have written a simple script that kills the process and deletes the files it creates. This helps. However, it is not a permanent solution. I used a few virus scanning programs, but they do not catch it. Can someone suggest a solution?

    #!/bin/bash
    # Stopgap only: kill every process whose command line mentions camplz
    # (as the original grep did), delete the dropped files, then wait a
    # second before looking again so the loop does not spin at 100% CPU.
    while true; do
        pkill -f camplz
        rm -f /usr/bin/camplz /tmp/config.f /tmp/??af???a???mdkkkk
        sleep 1
    done
Amol
  • 41
  • Ubuntu is free to install or reinstall, so backup data, and reinstall. – mikewhatever Aug 27 '16 at 17:32
  • 2
    As a stopgap, you might be able to remove /usr/bin/camplz, create a new file of your own creation in its place (even for example a zero-byte file), and then make it immutable with chattr +i /usr/bin/camplz. This will not clean out your system, but may at least stave off one of the symptoms while you seek a complete solution. – DopeGhoti Aug 27 '16 at 17:32
  • 2
    The number 26983 there is the process ID. So try doing this: ps -e -o cmd,pid,ppid | grep 26983 . It will show you 3 things - the command, its PID, and its parent PID. Repeat this for the parent PID. That way you know what starts that process and maybe it will give you an idea how to stop it from reappearing. Of course, each time the PID number is different, so make sure you check with lsof first – Sergiy Kolodyazhnyy Aug 27 '16 at 17:44
  • @Serg tried... Looks like it changes the parent process ID to 1. Output is ps -e -o cmd,pid,ppid | grep 12647 camplz 12647 1 grep --color=auto 12647 13126 2415 – Amol Aug 27 '16 at 17:49
  • @Amol OK, so it seems it's started by PID 1, which is init. That probably means it is in one of the system services. Probably you will need to recursively search the folders with system scripts. What system version do you have? 16.04? – Sergiy Kolodyazhnyy Aug 27 '16 at 17:59
  • @Serg Distributor ID: Ubuntu Description: Ubuntu 14.04.4 LTS Release: 14.04 Codename: trusty – Amol Aug 27 '16 at 18:02
  • OK, do this: sudo grep -iR 'campiz' /etc/init* . If you get any listing, you can paste it to paste.ubuntu.com and provide the link here – Sergiy Kolodyazhnyy Aug 27 '16 at 18:14
  • @Serg grep -iR 'campiz' /etc/init* returned empty. Then I tried grep -rnw '/' -e "camplz"; the output of the command is pasted at http://paste.ubuntu.com/23098918/. It looks like /usr/share/man/man3/ast.gz and /usr/bin/.zip.swp are infected. Not sure about the other two outputs. – Amol Aug 27 '16 at 18:38
  • @Amol indeed, those appear to be masqueraded as archives, but it's .zip, a hidden file, and there's no legitimate reason to have hidden files in /usr/bin/. I think you can safely remove them. – Sergiy Kolodyazhnyy Aug 27 '16 at 18:53
  • /usr/bin/acpid is somewhat suspicious too. What does file /usr/bin/acpid tell you ? – Sergiy Kolodyazhnyy Aug 27 '16 at 18:54
  • Ok. I deleted /usr/bin/.zip.swp and /usr/bin/.zip.swp... Now camplz does not restart. I am monitoring it. Hoping that this acts as a fix. – Amol Aug 27 '16 at 19:02
  • acpid seems to be system command 'Advanced Configuration and Power Interface event daemon' http://manpages.ubuntu.com/manpages/wily/man8/acpid.8.html – Amol Aug 27 '16 at 19:04
  • Interestingly, while monitoring, I noticed a cp command being run that copies ast.gz to camplz in the bin folder. ps -ef | grep camplz root 7615 2415 1 Aug27 pts/1 00:01:04 grep --color=auto -rnw / -e camplz root 31947 27067 0 00:37 pts/7 00:00:00 grep --color=auto camplz root 31963 1049 0 00:37 ? 00:00:00 cp /usr/share/man/man3/ast.gz /usr/bin/camplz But it has failed... and 1049 is root 1049 1 0 Aug27 ? 00:07:02 bash /usr/bin/dbus/dbus-daemon-draw I killed it too. – Amol Aug 27 '16 at 19:12
  • More progress... Both acpid and dbus-daemon-draw are the scripts inserted by virus. They run in loop and copy /usr/share/man/man3/ast.gz to /usr/bin/camplz . @Serg you were right in suspecting acpid. The scripts are pasted on http://paste.ubuntu.com/23099095/ ... I have deleted all 4 files /usr/share/man/man3/ast.gz /usr/bin/acpid /usr/bin/camplz /usr/bin/.zip.swp /usr/bin/dbus/dbus-daemon-draw – Amol Aug 27 '16 at 19:32

1 Answer

2

Friends, I monitored the system last night and found it stable. I thought I would share my experience of how the problem was solved.

Problem statement

Got an email from the hosting provider that bandwidth usage had increased multifold.

Hunting for source

  1. Ran iftop -n to find out the flow of data. Clearly my machine was sending data out.
  2. Ran lsof -i and lsof -o to find out which processes were sending data out.
  3. Got the PID from the output of lsof -o.
  4. Ran ps -e -o cmd,pid,ppid | grep <pid> to find the parent process ID. It was found to be 1.
  5. Ran grep -rnw '/' -e "camplz" to find all the files that contained the name of the process.
  6. Opened the files to read how the scripts were behaving.
  7. Ultimately deleted all the infectious files and killed their running processes.

More specific information is in the comments. I believe the details could differ for individuals, though.

I wrote a few scripts during this process. Hope you find them useful.

Script to kill the process whenever it appears

    #!/bin/bash
    # Stopgap only: kill every process whose command line mentions camplz
    # (as the original grep did), delete the dropped files, then wait a
    # second before looking again so the loop does not spin at 100% CPU.
    while true; do
        pkill -f camplz
        rm -f /usr/bin/camplz /tmp/config.f /tmp/??af???a???mdkkkk
        sleep 1
    done

Script to monitor bandwidth usage and send email in case it jumps

    #!/bin/bash
    # Usage: net-monitor.sh <interface>
    # Samples the kernel's byte counters for an interface every 10 seconds,
    # prints the average rate, and mails an alert when more than the
    # threshold is sent out during one interval.
    log="/root/net.log"
    interval=10                 # seconds between samples
    threshold=100000000         # bytes sent per interval (100 MB) that trigger an alert
    mailto="<put your email id here. e.g. me@mycompany.com>"

    if [ -z "$1" ]; then
        echo
        echo "usage: $0 network-interface"
        echo
        echo "e.g. $0 eth0"
        echo
        echo "shows bytes transferred per second"
        exit 1
    fi

    IF=$1
    stats="/sys/class/net/$IF/statistics"
    if [ ! -d "$stats" ]; then
        echo "$0: no such interface: $IF" >&2
        exit 1
    fi

    while :; do
        R1=$(cat "$stats/rx_bytes")
        T1=$(cat "$stats/tx_bytes")
        sleep "$interval"
        R2=$(cat "$stats/rx_bytes")
        T2=$(cat "$stats/tx_bytes")
        TXBYTES=$((T2 - T1))    # bytes sent during this interval
        RXBYTES=$((R2 - R1))    # bytes received during this interval
        echo "tx $IF: $((TXBYTES / interval)) bytes/s rx $IF: $((RXBYTES / interval)) bytes/s"
        if [ "$TXBYTES" -gt "$threshold" ]; then
            # timestamp taken when the alert fires, not once at startup
            current_time=$(date "+%Y.%m.%d-%H.%M.%S")
            mail -s "Data is being transmitted above 100 MB. Please Check" "$mailto" < /dev/null
            echo "$current_time Mail sent successfully" >>"$log"
        fi
    done

Thanks to @mikewhatever @DopeGhoti and special thanks to @Serg

Amol
  • 41
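The hunt in the answer above (established connections from lsof, parent chain from ps, grep for the name in the places init starts things, hidden files in /usr/bin) can be packaged so it runs against captured output as well as a live host. The script below is an added example written for this page; it is not code from the original poster or the commenters. The LSOF_SAMPLE and PS_SAMPLE snapshots are constructed, modelled on the lines quoted in the question, and the `--live` mode assumes a Debian-style host with lsof, GNU find and a dpkg new enough to support `dpkg -V`.

```bash
#!/bin/bash
# Added example (not from the original post): helpers for the triage steps in
# the answer. The snapshots below are constructed; on a live box the same
# functions consume `lsof -i -n -P` and `ps -e -o pid,ppid,cmd` output.

# 1. From `lsof -i -n -P` output, print "PID remote-endpoint" for every
#    ESTABLISHED TCP connection. NAME (field 9) is local->remote; state is last.
established_pids() {            # usage: ... | established_pids
    awk '$NF == "(ESTABLISHED)" { split($9, ep, "->"); print $2, ep[2] }'
}

# 2. Walk the parent chain of a PID through a `ps -e -o pid,ppid,cmd` snapshot
#    until PID 1. A chain that stops at 1 straight away (as in the thread) means
#    init started the process or it daemonised and was reparented, so the thing
#    to chase is whatever spawns it (here the `cp` run by dbus-daemon-draw).
parent_chain() {                # usage: parent_chain PID < ps_snapshot
    awk -v pid="$1" '
        NR > 1 {
            ppid[$1] = $2
            c = $3; for (i = 4; i <= NF; i++) c = c " " $i
            cmd[$1] = c
        }
        END {
            n = 0
            while ((pid in ppid) && n++ < 100) {
                print pid, ppid[pid], cmd[pid]
                if (ppid[pid] == 1) break      # reached init
                pid = ppid[pid]
            }
        }'
}

# 3. References to the rogue name where an init-started job is normally wired
#    in on Ubuntu 14.04: upstart jobs, SysV scripts, rc.local and cron.
#    ROOT lets this run against a mounted image or a test tree; default is /.
persistence_refs() {            # usage: persistence_refs NAME [ROOT]
    local name="$1" root="${2:-}"
    grep -rl -- "$name" \
        "$root/etc/init" "$root/etc/init.d" "$root/etc/rc.local" \
        "$root/etc/cron"* "$root/var/spool/cron" 2>/dev/null | sort
}

# 4. Hidden entries directly under the system bin directories. The thread found
#    /usr/bin/.zip.swp there; a purely package-managed bin directory has none.
hidden_in_bindirs() {           # usage: hidden_in_bindirs [ROOT]
    local root="${1:-}"
    find "$root/bin" "$root/sbin" "$root/usr/bin" "$root/usr/sbin" \
        -maxdepth 1 -name '.*' 2>/dev/null | sort
}

# Constructed snapshots (not real captures) in the shape of the question's output.
LSOF_SAMPLE='COMMAND    PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd      1200 root    3u  IPv4      12345      0t0  TCP *:22 (LISTEN)
camplz   26983 root    2u  IPv4 2380650457      0t0  TCP 10.0.0.5:18703->100.42.227.29:18888 (ESTABLISHED)'

PS_SAMPLE='  PID  PPID CMD
    1     0 /sbin/init
 1049     1 bash /usr/bin/dbus/dbus-daemon-draw
26983     1 camplz
31963  1049 cp /usr/share/man/man3/ast.gz /usr/bin/camplz'

# --demo runs the helpers on the constructed snapshots; --live runs them on
# this host (root needed for a complete picture).
case "${1:-}" in
    --demo)
        echo "## established connections"; printf '%s\n' "$LSOF_SAMPLE" | established_pids
        echo "## parent chain of 31963";   printf '%s\n' "$PS_SAMPLE" | parent_chain 31963
        ;;
    --live)
        echo "## established connections"; lsof -i -n -P | established_pids
        echo "## hidden files in bin dirs"; hidden_in_bindirs
        echo "## references to camplz";     persistence_refs camplz
        # dpkg -V lists packaged files whose checksum no longer matches (dpkg >= 1.17).
        echo "## modified packaged files";  dpkg -V 2>/dev/null | grep -E '/s?bin/'
        ;;
esac
```

The functions are split from the `--live` driver on purpose: the parsing can be checked against saved output from the compromised box, and the same lsof/ps snapshots can be kept as evidence before anything is killed or deleted.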