4

I am facing a strange problem with avconv which is a tool for processing videos part of libav-tools package.

I am on a local ubuntu server 14.04.1 LTS.

What happens is that the avconv tool is getting corrupted, basically /usr/bin/avconv is getting modified by something.

This is the output the file command gives when the command is not yet corrupted

avconv: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=66393d9b38a75978d8cd1838e7b163dda04df7b9, stripped

When it's corrupted this is the output of file command:

avconv-corrupted-copy-1: ELF 64-bit
avconv-corrupted-copy-2: ELF 64-bit LSB  no file type, SPARC

There is a beanstalkd worker which uses the avconv command.

Sometimes I can see bash fork bombs (:(){ :|: & };:) in bash history.

It looks like this vm is completely compromised. Do you've any suggestions on how to understand the cause of this problem?

Update 11-02-2015: now the same thing happens with beanstalkd:

/usr/bin/beanstalkd: ELF 64-bit LSB  no file type, SPARC

I've reported it on launchpad too.

jithujose
  • 241
  • 2
    The bash fork bombs are a dead giveaway. DISCONNECT THAT VM IMMEDIATELY. –  Feb 10 '15 at 20:40
  • As for understanding what's happening, you can already look at the bash history since it appears the attacker didn't care enough to cover his tracks, so you may see what he did on the machine, including what he installed that constantly overwrites avconv. –  Feb 10 '15 at 20:42
  • It's a local VM running on proxmox we use for development. – jithujose Feb 10 '15 at 21:24
  • Other than the fork bomb, there is nothing interesting in the bash history. I tried running clamav and rkhunter but nothing was found. – jithujose Feb 10 '15 at 21:28
  • 1
    No antimalware can detect a correctly executed targeted attack (antivirus evasion is trivial, and a rootkit running as root can always defeat antimalware running on the same machine). Bring the machine offline. –  Feb 10 '15 at 21:32
  • @jithujose: ok it's a local VM, but how did the fork bomb come there? Did a local user do it? – Ale Feb 11 '15 at 09:31
  • Just looked at your files on launchpad: the files are almost identical, except that there is a ^a string (hex 5e 61) inserted at byte 5, and a end-of-line character (hex 0a) at the end of the file. The file is corrupted, but there is nothing malicious inside. Are you sure that a script or other program didn't mess up the file in some way? Are you running any jobs or services as root? (supposing root is the only user who can modify the corrupted files) – Ale Feb 11 '15 at 09:38
  • @Ale beanstalkd worker was running as root, but not anymore. Now even the beanstalkd executable is broken. – jithujose Feb 11 '15 at 09:49
  • @Ale My local users says they are innocent. I am reinstalling it from scratch again. – jithujose Feb 11 '15 at 10:06
  • Does this answer your question? How do I deal with a compromised server? – Gerald Schneider Dec 17 '22 at 05:50

1 Answers1

0

The system clearly sounds compromised. The "cause of the problem" is likely either a virus or a rootkit installed using some compromised credentials.

Unless you're a security professional doing post-mortem analysis, the "cause" shouldn't matter. The "solution" is to wipe the VM and restore from a clean backup.

Dan Bonachea
  • 101