

Image magic Malware on 3.4
#1
Hello folks,

Yesterday I plugged in a USB drive with some type of malware that took over my LL 3.4 64. I'm pretty sure it was this drive that started the problem. I saw an application running called image magic. It took over my settings and everything before I could shut down. After the restart all of my settings had been changed. I found out this application is being used as a backdoor for other malware.

After reinstalling from DVD I noticed the application is pre-installed in Synaptic.

Should I bother to repair the drive, or should I save myself a lot of trouble and get a new HDD?

Thanks
Shannon
Linux enthusiasts don't care about the lame stream.
#2
Hello Shannon,

I don't know if it is preinstalled; it does come with OpenShot, which I installed. There is info here on the patches for it: https://usn.ubuntu.com/usn/usn-3363-1/
If you have used Menu>Install Updates it should be patched; you can check the updates and do a file search for the file names on the link.
I recommend you check your firewall rules: Menu>All>Firewall Configuration. Delete any rules shown under the "Rules" tab; it should be blank unless you chose to add a rule. If you didn't choose to add a rule or agree to a rule, it is the classic definition of a backdoor: delete it.

You don't need to buy a new HDD for this, unless you want a new one.
#3
https://www.debian.org/security/2017/dsa-3914

This is a modern (recently discovered) hack that was not possible on older versions of Debian. As systems evolve new features, new ways to compromise them evolve as well. That is the best reason to run stable systems linked to the security update path. LL has a simple, efficient update application. Don't disable it.

TC
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
#4
Fresh reinstall from DVD with updates. No software was installed after the reinstall. Nothing in the firewall rules list.

Thank you,

(07-30-2017, 08:36 AM)bitsnpcs link Wrote: [post #2 above, quoted in full]
Linux enthusiasts don't care about the lame stream.
#5
Fresh reinstall from DVD with updates. This package is pre-installed in Synaptic. My guess may be off, but I believe this malware can leave code on the HDD that stays there after a reinstall. When I was first compromised I had fresh updates also.

Hmm.
Thank you.

(07-30-2017, 02:56 PM)trinidad link Wrote: [post #3 above, quoted in full]
Linux enthusiasts don't care about the lame stream.
#6
Hello,

Check after a while for new updates, and do updates regularly.

Menu>System>Resource usage

Observe the activity under "Command", Time+, CPU usage and memory usage. Do this with no Firefox/browser and no web apps open, observe for a few minutes, then repeat with web apps open. Report back any unusual observations: the details of the command being used and the % of resource use.

Hold down the Ctrl and Alt keys and press T (Ctrl+Alt+T) to open your terminal.

Enter this:

Code:
sudo ufw status verbose

Does the reply confirm UFW is running with these settings?

Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

If not, enter into your terminal:

Code:
sudo ufw enable

Repeat:
Code:
sudo ufw status verbose

If the UFW firewall is not enabling correctly, report back the details.

If yes, close the terminal and check this:

Menu>Settings>Firewall Configuration
Tab "Log": look for anything unusual.
Tab "Report", application column: does it show imagemagic?
If imagemagic shows in the application column, report back the port number and protocol it is using.

It should match between Resource Usage and the application column; if it only shows in Resource Usage and not in Report, UFW's logging needs adjusting to high to find its port use and protocol.
Then we will block/deny it next.
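An added example, not from bitsnpcs's post: a small Python checker that reads the output of `sudo ufw status verbose` and reports anything that deviates from the baseline quoted above (firewall not active, an incoming default other than deny, or inbound allow rules that nobody added, which is the "rules tab should be blank" check from post #2). The sample output embedded in it is constructed, not captured from a real machine.

```python
# Added example, not from the forum post: check `sudo ufw status verbose` output
# against the baseline quoted above (active, deny incoming, allow outgoing, no
# inbound allow rules). Runs offline on a constructed sample; on a live machine
# pass it subprocess.run(["sudo","ufw","status","verbose"], capture_output=True, text=True).stdout
import re

EXPECTED_DEFAULTS = {"incoming": "deny", "outgoing": "allow"}
RULE_RE = re.compile(r"(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?: (IN|OUT))?\s+(.+)")

# Constructed sample of a machine that has drifted from the baseline.
SAMPLE = """Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    Anywhere
2222/tcp (v6)              ALLOW IN    Anywhere (v6)
"""

def parse_ufw_status(text):
    """Return the status line, default policies and the rule table as a dict."""
    info = {"status": None, "defaults": {}, "rules": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            info["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default:"):
            for policy, direction in re.findall(r"(\w+) \((\w+)\)", line):
                info["defaults"][direction] = policy
        elif (m := RULE_RE.match(line)):
            info["rules"].append({"to": m.group(1), "action": m.group(2),
                                  "dir": m.group(3) or "IN", "from": m.group(4).strip()})
    return info

def audit_ufw(text):
    """Return deviations from the baseline; an empty list means it matches."""
    info = parse_ufw_status(text)
    findings = []
    if info["status"] != "active":
        findings.append("firewall not active: run `sudo ufw enable`")
    for direction, policy in EXPECTED_DEFAULTS.items():
        actual = info["defaults"].get(direction)
        if actual != policy:
            findings.append(f"default {direction} policy is {actual}, expected {policy}")
    for rule in info["rules"]:  # any inbound allow you did not add yourself is suspect
        if rule["action"] == "ALLOW" and rule["dir"] == "IN":
            findings.append(f"inbound allow rule: {rule['to']} from {rule['from']}")
    return findings
```

On the baseline output quoted in the post, `audit_ufw` returns an empty list; on the constructed sample it flags the incoming default and both inbound rules.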
#7
Frankly, I was not willing to connect this machine back up to the internet other than for system updates. After that I pull the cable and look for things, ask questions here and maybe try to understand what happened before attempting any fixes. I am not a pro IT guy, to say the least. I guess my first question should be: should this image magic package be preinstalled? Another question: what packages that I cannot do without rely on the image magic software? Removing it completely would be a better option, if possible.

Thanks,
Shannon


(07-30-2017, 07:40 PM)bitsnpcs link Wrote: [post #6 above, quoted in full]
Linux enthusiasts don't care about the lame stream.
#8
Yes, it is preinstalled. There is some info here about it and the dependencies on it. https://askubuntu.com/questions/794588/h...pendencies
#9
"For the oldstable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u10."

It looks like this distro install shows the imagemagick Ubuntu package list as version 8.6.8.9.9-7

Accordingly, this version should be OK?
Also, I previously did updates either the day before or the same day the event occurred, not sure. Puzzling.

Thank you,

(07-30-2017, 06:08 PM)Redchief link Wrote: [post #5 above, quoted in full, including its quote of post #3]
Linux enthusiasts don't care about the lame stream.
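An added example, not from the thread: a Python re-implementation of dpkg's version ordering, so the question in this post (is the installed 8:6.8.9.9-7 at least the advisory's fixed version?) can be answered exactly rather than by eye; note that the epoch before the colon and a `~` in the version both change the outcome. The fixed version to compare against is the one in the advisory for your base distribution (the USN linked in post #2 for an Ubuntu-based Linux Lite, not the Debian jessie version quoted here), which this page does not state, so the calls below only use the version strings that appear in the thread; on a live system `dpkg --compare-versions A ge B` gives the same answer.

```python
# Added example (not from the thread, not dpkg's source): re-implements dpkg's
# version ordering (epoch:upstream-revision, '~' sorts before anything) so the
# "installed vs advisory fixed version" question is answered exactly.

def _order(c):
    # dpkg character weight: '~' < end of string < letters < other symbols
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _cmp_fragment(a, b):
    # Alternate non-digit runs (by character weight) and digit runs (numerically).
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1   # a's number has more digits, so it is larger
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # "8:6.8.9.9-5+deb8u10" -> (8, "6.8.9.9", "5+deb8u10"); a missing epoch is 0
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def is_patched(installed, fixed):
    """True when the installed version is at least the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0
```

Reading "8:6.8.9.9-7" as "8.6.8.9.9-7" (dropping the epoch colon) makes the string compare as an epoch-0 version and flips the answer, which is why the package list should be read with the colon intact.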
#10
I think the current version I'm running is OK. Still shy about plugging in the drive. I left it somewhere overnight plugged into a Win7 machine :0 No telling what got on it.

Funny thread.

Thank you.


(07-31-2017, 02:33 AM)bitsnpcs link Wrote: [post #8 above, quoted in full]
Linux enthusiasts don't care about the lame stream.