Weird SSH, Server security, I might have been hacked

Solution 1

Like J Rock, I think this is a false positive. I had the same experience.

I received an alarm from 6 different, disparate, geographically separated servers in a short time span. 4 of these servers only existed on a private network. The one thing they had in common was a recent daily.cld update.

So, after checking for some of the typical heuristics of this trojan without success, I booted a vagrant box with my known clean baseline and ran freshclam. This grabbed

"daily.cld is up to date (version: 22950, sigs: 1465879, f-level: 63, builder: neo)"

A subsequent clamav /bin/busybox returned the same "/bin/busybox Unix.Trojan.Mirai-5607459-1 FOUND" alert on the original servers.

Finally, for good measure, I also did a vagrant box from Ubuntu's official box and also got the same "/bin/busybox Unix.Trojan.Mirai-5607459-1 FOUND" (Note, I had to up the memory on this vagrant box from its default 512MB or clamscan failed with 'killed')

Full output from fresh Ubuntu 14.04.5 vagrant box.

root@vagrant-ubuntu-trusty-64:~# freshclam
ClamAV update process started at Fri Jan 27 03:28:30 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd is up to date (version: 22950, sigs: 1465879, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
root@vagrant-ubuntu-trusty-64:~# clamscan /bin/busybox
/bin/busybox: Unix.Trojan.Mirai-5607459-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5679215
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 1.84 MB
Data read: 1.83 MB (ratio 1.01:1)
Time: 7.556 sec (0 m 7 s)
root@vagrant-ubuntu-trusty-64:~#

So, I also believe this is likely to be a false positive.

I will say, rkhunter did not give me the: "/usr/bin/lwp-request Warning" reference, so maybe PhysiOS Quantum is having more than one issue.

EDIT: just noticed that I never explicitly said that all of these servers are Ubuntu 14.04. Other versions may vary?

Solution 2

The ClamAV signature for Unix.Trojan.Mirai-5607459-1 is definitely too broad, so it's likely a false positive, as noted by J Rock and cayleaf.

For example, any file that has all of the following properties will match the signature:

• it's an ELF file;
• it contains the string "watchdog" exactly twice;
• it contains the string "/proc/self" at least once;
• it contains the string "busybox" at least once.

(The whole signature is a bit more complicated, but the above conditions are sufficient for a match.)

For example, you can create such a file with:

$ echo 'main() {printf("watchdog watchdog /proc/self busybox");}' > innocent.c
$ gcc -o innocent innocent.c
$ clamscan --no-summary innocent
innocent: Unix.Trojan.Mirai-5607459-1 FOUND

Any busybox build (on Linux) will usually match the four properties I listed above. It's obviously an ELF file and it will definitely contain the string "busybox" many times. It executes "/proc/self/exe" to run certain applets. Finally, "watchdog" occurs twice: once as an applet name and once inside the string "/var/run/watchdog.pid".

Solution 3

This just showed up today for me as well in my ClamAV scan for /bin/busybox. I'm wondering if the updated database has an error.

Related videos on Youtube

05 : 33

How to Check If Your iPhone Has Been Hacked and How to Remove Hacks

TenorshareOfficial

973

23 : 15

5 Steps to Secure Linux (protect from hackers)

NetworkChuck

408

03 : 26

Ethical hacker shows us how easily smart devices can be hacked and give access to your personal info

News 5 Cleveland

185

03 : 40

How to tell if your windows 10 or 11 computer has been hacked

The Geek Page

168

03 : 51

DevOps & SysAdmins: Weird SSH, Server security, I might have been hacked (4 Solutions!!)

Roel Van de Paar

1

Author by

PhysiOS

Updated on September 18, 2022