linux.debian.user debian-user@lists.debian.org
#1

I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on that filename. Has my system been compromised (there is nothing out of the ordinary anywhere else) or is there something I have missed?

/Magnus

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
#2

On Fri, Jul 27, 2007 at 04:43:28PM +0200, Magnus Pedersen wrote:
> I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it
> there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on
> that filename. Has my system been compromised (there is nothing out of the
> ordinary anywhere else) or is there something I have missed?

I ran google with "cbtsysinfo" and came up with this:

http://spywarefiles.prevx.com/RRHGED...NFO-0.DLL.html

which, while it's obviously for windows, shows the same storage path ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some sort of malware and is so new (July 12) then perhaps it does exist for multiple platforms and just hasn't been reported yet...

A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqiCJaIeIEqwil4YRAlSEAJ9H/x9mi/pqcvsCCQhNM+WzoVxx1wCeOoJr
DIbkfNUtsk04tHVdIalxZ1I=
=KkYP
-----END PGP SIGNATURE-----
#3

On Fri, Jul 27, 2007 at 10:19:38PM +0200, Magnus Pedersen wrote:
>
> > which, while it's obviously for windows, shows the same storage path
> > ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some
> > sort of malware and is so new (July 12) then perhaps it does exist for
> > multiple platforms and just hasn't been reported yet...
> >
> > A
> Very weird... I have no idea where it came from: browser, mail or
> something else... But since that article is about windows it might be
> from iceweasel.
>
> /Magnus
>

Sorry Magnus for my recent post. You may be compromised but I missed the fact that the strange /home/magnus directory ("is there a user magnus") is of course your own.

What is the timestamp of the file? What were you doing then?

Doug.
#4

Andrew Sackville-West wrote:
> On Fri, Jul 27, 2007 at 04:43:28PM +0200, Magnus Pedersen wrote:
>> I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it
>> there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on
>> that filename. Has my system been compromised (there is nothing out of the
>> ordinary anywhere else) or is there something I have missed?
>
> I ran google with "cbtsysinfo" and came up with this:
>
> http://spywarefiles.prevx.com/RRHGED...NFO-0.DLL.html
>
> which, while it's obviously for windows, shows the same storage path
> ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some
> sort of malware and is so new (July 12) then perhaps it does exist for
> multiple platforms and just hasn't been reported yet...
>
> A

Very weird... I have no idea where it came from: browser, mail or something else... But since that article is about windows it might be from iceweasel.

/Magnus
#5

On Fri, Jul 27, 2007 at 09:42:49AM -0700, Andrew Sackville-West wrote:
> On Fri, Jul 27, 2007 at 04:43:28PM +0200, Magnus Pedersen wrote:
> > I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it
> > there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on
> > that filename. Has my system been compromised (there is nothing out of the
> > ordinary anywhere else) or is there something I have missed?
>
> I ran google with "cbtsysinfo" and came up with this:
>
> http://spywarefiles.prevx.com/RRHGED...NFO-0.DLL.html
>
> which, while it's obviously for windows, shows the same storage path
> ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some
> sort of malware and is so new (July 12) then perhaps it does exist for
> multiple platforms and just hasn't been reported yet...

If you haven't installed or upgraded any packages recently, and apt-file search libcbt doesn't give any output (which it doesn't), then it's safe to assume that something other than a debian package or yourself put it there.

Since there is a chance that the system has been compromised, pull the plug. That may sound drastic but it's possible for malware to sense a shutdown in progress and do something nasty. Ditto if you pull the network cable.

Pull the plug, then access that drive from either a live-cd or by installing the drive in a known-safe system. Mount the drive read only, noexec, nosuid etc. Look at /etc/passwd: is there a username magnus? Then decide if you want to try to figure out what happened or if you want to wipe the disk and reinstall.

The bottom line is that on a suspected system, you can't rely on any executable or even any log files.

Good luck,

Doug.
#6

Douglas Allan Tutty wrote:
> On Fri, Jul 27, 2007 at 10:19:38PM +0200, Magnus Pedersen wrote:
>
>>> which, while it's obviously for windows, shows the same storage path
>>> ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some
>>> sort of malware and is so new (July 12) then perhaps it does exist for
>>> multiple platforms and just hasn't been reported yet...
>>>
>>> A
>> Very weird... I have no idea where it came from: browser, mail or
>> something else... But since that article is about windows it might be
>> from iceweasel.
>>
>> /Magnus
>>
>
> Sorry Magnus for my recent post. You may be compromised but I missed
> the fact that the strange /home/magnus directory ("is there a user
> magnus") is of course your own.
>
> What is the timestamp of the file? What were you doing then?
>
> Doug.
>
>

The file is from the 24th of this month, where the computer was off, so that is no , unfortunately :-/ And the new directory showed up today.

Yes, there is a user "magnus", that's me; the directory showed up in my home directory, sorry I could have been a bit more clear about that.

I'm upgrading iceweasel to 2.0.0.5 right now, have been running the one from testing (2.0.0.3), just in case it is a security hole in the browser (not at all sure it is).

/Magnus
#7

On Fri, Jul 27, 2007 at 10:38:46PM +0200, Magnus Pedersen wrote:
>
> > What is the timestamp of the file? What were you doing then?
> >
> The file is from the 24th of this month, where the computer was off, so
> that is no , unfortunately :-/ And the new directory showed up today.
>
> Yes, there is a user "magnus", that's me; the directory showed up in my
> home directory, sorry I could have been a bit more clear about that.
>
> I'm upgrading iceweasel to 2.0.0.5 right now, have been running the one
> from testing (2.0.0.3), just in case it is a security hole in the browser
> (not at all sure it is).

The fact that a file got touched so that it appears to have been created while it was off raises all kinds of red flags. If it was a security hole in a browser, you have no guarantee that replacing the browser will fix the problem. You may have malware running amok now.

Doug.
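The offline triage Doug lays out in #5 (power off, attach the disk to a known-safe system, mount it read-only with noexec and nosuid, check /etc/passwd) together with the timestamp point he raises in #7, as an added example that is not from the thread or from any of the posters. It assumes a Linux analysis host with GNU coreutils (`stat -c`, `touch -d`, `date -d`); the device name, mount point and the sample disk image it builds are constructed placeholders. The timestamp check goes one step beyond the thread: it compares mtime with ctime, because mtime can be set to any value from user space while ctime is stamped by the kernel on every inode change, so a file whose mtime says "written while the machine was off" but whose ctime is recent was in fact placed there at ctime.

```shell
#!/bin/sh
# Offline triage of a suspect disk attached to a known-clean Linux host.
# Added example, not from the thread. Assumes GNU coreutils (stat -c, touch -d, date -d).

# Mount options for the suspect disk: read-only so nothing on it is altered,
# noexec/nosuid/nodev so nothing on it can be executed or escalate privileges,
# noatime so reading files for analysis does not update their access times.
SAFE_MOUNT_OPTS="ro,noexec,nosuid,nodev,noatime"

# mount_cmd DEVICE MOUNTPOINT: print the mount command to run as root on the
# clean host (printed rather than executed so it can be reviewed first; the
# device and mount point are placeholders).
mount_cmd() {
    printf 'mount -o %s %s %s\n' "$SAFE_MOUNT_OPTS" "$1" "$2"
}

# has_user ROOT NAME: is NAME an account in ROOT/etc/passwd of the mounted disk?
has_user() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1/etc/passwd"
}

# ctime_anomalies ROOT USER SUBDIR: print one line per file under
# ROOT/home/USER/SUBDIR whose inode change time (ctime) is more than an hour
# later than its modification time (mtime). mtime is settable with touch/utime;
# ctime is not settable from user space, so a fresh ctime under an old mtime
# means the file was written or created at ctime whatever mtime claims.
ctime_anomalies() {
    find "$1/home/$2/$3" -type f | while IFS= read -r f; do
        mtime=$(stat -c %Y "$f")   # seconds since epoch
        ctime=$(stat -c %Z "$f")
        if [ "$ctime" -gt $((mtime + 3600)) ]; then
            printf 'SUSPECT %s mtime=%s ctime=%s\n' "$f" \
                "$(date -u -d "@$mtime" +%FT%TZ)" "$(date -u -d "@$ctime" +%FT%TZ)"
        fi
    done
}

# make_fixture: constructed stand-in for the mounted disk, built in a temp dir:
# a passwd file listing the user, and a library file whose mtime is pushed back
# three days while its ctime stays "now" (the symptom described in the thread).
# Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/magnus/cbt/lib"
    printf 'root:x:0:0:root:/root:/bin/sh\nmagnus:x:1000:1000::/home/magnus:/bin/sh\n' \
        > "$root/etc/passwd"
    lib="$root/home/magnus/cbt/lib/libcbtsysinfo_0.so"
    : > "$lib"
    touch -d "@$(( $(date +%s) - 3 * 86400 ))" "$lib"
    printf '%s\n' "$root"
}

# On a real case (device and mount point are placeholders):
#   mount_cmd /dev/sdb1 /mnt/suspect          # run the printed command as root
#   has_user /mnt/suspect magnus && ctime_anomalies /mnt/suspect magnus cbt
```

The fixture exists only so the functions can be exercised without a real disk; on a real case the same three functions are pointed at the mount point of the read-only mounted suspect drive, and nothing from that drive is ever executed.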
#8

Douglas Allan Tutty wrote:
> On Fri, Jul 27, 2007 at 10:38:46PM +0200, Magnus Pedersen wrote:
>
>>> What is the timestamp of the file? What were you doing then?
>>>
>> The file is from the 24th of this month, where the computer was off, so
>> that is no , unfortunately :-/ And the new directory showed up today.
>>
>> Yes, there is a user "magnus", that's me; the directory showed up in my
>> home directory, sorry I could have been a bit more clear about that.
>>
>> I'm upgrading iceweasel to 2.0.0.5 right now, have been running the one
>> from testing (2.0.0.3), just in case it is a security hole in the browser
>> (not at all sure it is).
>
> The fact that a file got touched so that it appears to have been created
> while it was off raises all kinds of red flags. If it was a security
> hole in a browser, you have no guarantee that replacing the browser will
> fix the problem. You may have malware running amok now.
>
> Doug.
>
>

I know, there is nothing suspect in top though; it seems that it is only this one user account that is affected. There are no weird directories in the other accounts or in other places on the system.

/Magnus
#9

On Fri, 27 Jul 2007, Magnus Pedersen wrote:
> Douglas Allan Tutty wrote:
>> On Fri, Jul 27, 2007 at 10:38:46PM +0200, Magnus Pedersen wrote:
>>
>>>> What is the timestamp of the file? What were you doing then?
>>>>
>>> The file is from the 24th of this month, where the computer was off, so
>>> that is no , unfortunately :-/ And the new directory showed up today.
>>>
>>> Yes, there is a user "magnus", that's me; the directory showed up in my
>>> home directory, sorry I could have been a bit more clear about that.
>>>
>>> I'm upgrading iceweasel to 2.0.0.5 right now, have been running the one
>>> from testing (2.0.0.3), just in case it is a security hole in the browser
>>> (not at all sure it is).
>>
>> The fact that a file got touched so that it appears to have been created
>> while it was off raises all kinds of red flags. If it was a security
>> hole in a browser, you have no guarantee that replacing the browser will
>> fix the problem. You may have malware running amok now.
>> Doug.
>>
>>
> I know, there is nothing suspect in top though; it seems that it is only this
> one user account that is affected. There are no weird directories in the other
> accounts or in other places on the system.
>
> /Magnus
>
>
> --

lsof might be of some . but, if your system has been compromised, you can't really trust any of your binaries to tell you the truth anyway.

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
#10

<SNIP>
> > fix the problem. You may have malware running amok now.
> >
> > Doug.
>
> I know, there is nothing suspect in top though; it seems that it is only
> this one user account that is affected. There are no weird directories in
> the other accounts or in other places on the system.
>
> /Magnus

While I'm not yet convinced that you've been rooted, the fact that top doesn't show anything suspect is a moot point. If you have in fact been compromised there's not a single binary on the system that you can trust, including top.

Regards,

Anson Gardner
#11

Anson Gardner wrote:
> <SNIP>
>>> fix the problem. You may have malware running amok now.
>>>
>>> Doug.
>> I know, there is nothing suspect in top though; it seems that it is only
>> this one user account that is affected. There are no weird directories in
>> the other accounts or in other places on the system.
>>
>> /Magnus
>
> While I'm not yet convinced that you've been rooted, the fact that top doesn't
> show anything suspect is a moot point. If you have in fact been compromised
> there's not a single binary on the system that you can trust, including top.
>
> Regards,
>
> Anson Gardner
>
>

I don't think I've been rooted, but there is definitely something fishy going on with my user account. But you are of course right, everything could have been patched if I have been rooted...

/Magnus
#12

On Fri, Jul 27, 2007 at 11:49:55PM +0200, Magnus Pedersen wrote:
> Anson Gardner wrote:
>> <SNIP>
>>>> fix the problem. You may have malware running amok now.
>>>>
>>>> Doug.
>>> I know, there is nothing suspect in top though; it seems that it is only
>>> this one user account that is affected. There are no weird directories in
>>> the other accounts or in other places on the system.
>>>
>>> /Magnus
>> While I'm not yet convinced that you've been rooted, the fact that top
>> doesn't show anything suspect is a moot point. If you have in fact been
>> compromised there's not a single binary on the system that you can trust,
>> including top.
>> Regards,
>> Anson Gardner
> I don't think I've been rooted, but there is definitely something fishy
> going on with my user account. But you are of course right, everything could
> have been patched if I have been rooted...

if you really need to get a handle on these things, without taking your box down, you could (using a known clean box) build statically linked copies of the appropriate utilities and then run them from some r-o media (cd or something). That would at least eliminate those utilities from suspicion.

A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGqnauaIeIEqwil4YRAkM/AKDluT2ilQPOSgA17PZz+h8MUTXjSACgtsH5
lhsKn+UZe1WnR1bLUaijCbY=
=DZVT
-----END PGP SIGNATURE-----
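The clean-toolkit approach Andrew suggests above, as an added example that is not from the thread or from any poster. It covers staging the toolkit on the clean box, recording a hash manifest, and verifying and running the tools on the suspect host with PATH restricted to the read-only media; building the static binaries themselves (`gcc -static`, or the distribution's static packages) is left to the clean box. It assumes GNU coreutils (`sha256sum`) and `ldd`; the tool names and directories are placeholders, and the fixture stages two tiny scripts in place of real static binaries so the functions can be exercised.

```shell
#!/bin/sh
# Staging and verifying a known-clean toolkit for use on a suspect host.
# Added example, not from the thread. Assumes GNU coreutils (sha256sum) and ldd.

# is_static BIN: succeed only if BIN needs no shared libraries. A dynamically
# linked tool would still load the suspect host's libc and loader, so only
# binaries that pass this check belong on the read-only media. (Not exercised
# by the fixture below, which stages plain scripts instead of real binaries.)
is_static() {
    ! ldd "$1" 2>/dev/null | grep -q '=>'
}

# stage_toolkit SRCDIR DESTDIR: copy the clean tools into DESTDIR and record a
# SHA-256 manifest beside them; DESTDIR is what gets written to the r-o media.
stage_toolkit() {
    mkdir -p "$2"
    cp "$1"/* "$2"/
    (cd "$2" && find . -maxdepth 1 -type f ! -name MANIFEST.sha256 \
        -exec sha256sum {} + > MANIFEST.sha256)
}

# verify_toolkit DESTDIR: re-check every staged tool against the manifest.
# Run on the suspect host before using the tools; the media is read-only, but
# this catches a swapped disc or a copy that was made onto writable storage.
verify_toolkit() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1)
}

# run_clean DESTDIR TOOL [ARGS...]: run a staged tool with an empty environment
# and PATH limited to the toolkit, so it never falls back to binaries (or
# LD_PRELOAD settings) on the suspect system. Refuses to run on a mismatch.
run_clean() {
    dir=$1; tool=$2; shift 2
    verify_toolkit "$dir" || { echo "toolkit manifest mismatch, refusing to run" >&2; return 2; }
    env -i PATH="$dir" "$dir/$tool" "$@"
}

# make_clean_src: constructed stand-in for the clean build output, two tiny
# scripts in place of statically linked ps and lsof. Prints the directory.
make_clean_src() {
    src=$(mktemp -d)
    printf '#!/bin/sh\necho "ps from clean toolkit"\n' > "$src/ps"
    printf '#!/bin/sh\necho "lsof from clean toolkit"\n' > "$src/lsof"
    chmod 755 "$src/ps" "$src/lsof"
    printf '%s\n' "$src"
}

# On a real case (paths are placeholders):
#   stage_toolkit /build/static-tools /media/clean-cd-image   # on the clean box
#   run_clean /media/cdrom lsof -i                            # on the suspect host
```

Keep the manifest alongside a copy on the clean box too: if the hashes on the media no longer match, the media, not the host, is what to doubt first.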
#13

Andrew Sackville-West wrote:
>> I don't think I've been rooted, but there is definitely something fishy
>> going on with my user account. But you are of course right, everything could
>> have been patched if I have been rooted...
>
> if you really need to get a handle on these things, without taking
> your box down, you could (using a known clean box) build statically
> linked copies of the appropriate utilities and then run them from some
> r-o media (cd or something). That would at least eliminate those
> utilities from suspicion.
>
> A
>

Good idea, I will try that.

/Magnus
#14

On Fri, Jul 27, 2007 at 04:43:28PM +0200, Magnus Pedersen wrote:
> I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it
> there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on
> that filename. Has my system been compromised (there is nothing out of the
> ordinary anywhere else) or is there something I have missed?

I noticed yesterday I too had the cbt directory with the same contents. As it turns out, it is created when I log into my web bank, skandiabanken.dk, so it is either benign or extremely nasty... But I tried it out on a fairly fresh Ubuntu Feisty install where I have never used the web bank before, and 'cbt' appeared in my home dir moments after I hit enter after entering my password. So it is probably harmless. Nevertheless I am going to contact the bank and ask them.

Best regards,
Jacob Nielsen