Troubleshooting my malware infestation

You are the victim of a "man-in-the-middle" DHCP attack. See:


(scroll down to the section titled "Security".)

Telling you how to harden your network against such attacks is beyond the scope of this forum. In fact, it is a very costly contract job for most businesses. There are usually additional monitoring charges.

Here is an example of the amount of attempts per 24 hours:

Chain BLKLOG (14 references)
 pkts bytes target     prot opt in     out     source               destination         
  942 41672 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 6 prefix "Block/TCP: "
  506  270K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
  404 53289 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:138
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
   54  5975 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 6 prefix "Block/UDP: "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 6 prefix "Block/ICMP: "
 1007 48155 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

506 attempts to port 67 and 68 in 24 hours yesterday!

djb

1 Like

To follow up to the answers of my queries:

BIOS / Kernel Errors

Thanks for the screenshots and pointing out what you see in the kernel log. The Dell BIOS screenshot in particular helps me understand what you're seeing.

I just looked up these errors:

kernel: [    0.001396] mtrr_cleanup: can not find optimal value
kernel: [    0.001397] please specify mtrr_gran_size/mtrr_chunk_size
kernel: [    0.001310] *BAD*gran_size: 64K 	chunk_size: 2G 	num_reg: 10  	lose cover RAM: -1472M

This is your answer - pass some parameters to the kernel:

https://askubuntu.com/questions/244473/how-and-why-should-i-specify-mtrr-gran-size-mtrr-chunk-size

This has something to do with some inner workings of the CPU/Memory caches. It may have relevance to your video card warning, as it's onboard graphics which shares memory with the system:

Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller [8086:0152]

:warning: You may want to use memtest86+ (from the live CD/USB) to test for faulty RAM.


ACPI: Early table checksum verification disabled

I can only find resources suggesting it may be a buggy vendor implementation of ACPI or potentially a bug in newer versions of the kernel.


Calgary: Unable to locate Rio Grande table in EBDA - bailing!

Something to do with IOMMU. Not something I know much about. It can be used for virtualisation technologies, it seems:

https://en.wikipedia.org/wiki/Input–output_memory_management_unit


x2apic: IRQ remapping doesn't support X2APIC mode

Searching for this brings up lots of kernel code and discussions. IRQ is Interrupt Request, a low-level part of the PC architecture.

https://en.wikipedia.org/wiki/Interrupt_request_(PC_architecture)

:heavy_check_mark: So, these errors, in my opinion, do not indicate anything out of the ordinary or suspicious with the BIOS.

I was just summarising your post (#7) about your 4 questions relating to firmware. I think flashing your Dell BIOS with the latest version and I'd be tempted to say it's "clean".


Dell Event Log

I looked up your error codes and the codes suggest to "remove and reinstall" the hardware. To me, that could indicate hardware failure. There's no harm reseating and cleaning the hardware if it's dusty or not getting enough ventilation. Heat is a killer.


ClamAV

PUA stands for "Potentially Unwanted Application" - it may not necessarily be something nasty. I've read before that ClamAV is very sensitive to potential threats and produces a lot of "false positives", hence why no action is taken.


nmap Results

:heavy_check_mark: Your nmap scan for the router looks good and expected. Even my router has more ports open! nmap can be inaccurate with OS detection, so that's nothing to worry about.

I was wondering about your other hardware, like the smart TV, and Android phone, if they had a port open when they shouldn't. I did an intensive scan on my phone earlier, and found it has no ports open. :slight_smile:


DNS / Router

So now the router is cleared, reflashed and isn't exposing any unusual ports. I'm convinced it's clean. Be sure to have a secure password. As for Ubuntu, DHCP should acquire the settings from the router (normally, the DNS points to the router, i.e. 192.168.2.1)

You can keep checks on the /etc/hosts file (and in Windows, C:\Windows\system32\etc\hosts I believe). It shouldn't have any other addresses to websites besides localhost and your computer's hostname. The hosts file will override any DNS queries.

:point_up: See the post above in case DHCP is being tampered with.


Network activity analysis

The aforementioned switch sounds like a standard network hub. A switch makes me think of industrial equipment that handles various networking routes... advanced stuff. I don't think a 4 port hub will be of any concern.

The reality could be that lots of applications do "call home" for analytical purposes and make connections to servers that may not seem obvious at first.

Concerns should only be made if there is a continuous stream of traffic, like an SSH session without your knowledge.

To know if the iSCSI protocol was used, filter your logs for iscsi.

Some unusual network activity may not be as a result of hackers. My router right now is spamming ARP requests ("Who has 192.168.1.xx IP?") again like it's stuck in a loop. A reboot is in order... I do need to look into that.

1 Like

@dmabe, see the previous answer from @lah7.
I have the same opinion as him: there is no hacking, these are just usual things in Linux.

My opinion is just trust him. I know that you are passing through hard moments in your life: divorce, no job... but things on this earth are not as bad. Just think positively, and if you think positively (trust people around you) you will get a job again, and other good stuff might come back to you...

Relax yourself, think of good stuff, and try hard to find a job; without it your life can't be good. Be stronger, think positively, don't tell people bull.s.hit like this, that you are hacked; they will not like it, they will look weird at you, and for sure you don't want this because they might avoid you... and not least, this is not true, so why should you say something like this...

Success in finding a job @dmabe

And I forgot to mention:
A lot of respect from my side to @lah7 for what he is doing here...

1 Like

@dmabe I believe that you are experiencing difficulties with your home network. Also your stated goal to focus on just the UM infected machine is worthy. There are way too many devices mentioned to troubleshoot as a whole. Many years of computer security tell me that isolation is the only method that will enable you to discover the cause(s) of your network symptoms. Below is a strategy that I would use if this were my problem to solve.

  • focus on the UM machine only
  • find a friend with a good solid internet connection who would be willing to let me use it
  • purchase a new router / cable modem for use at friend's home
  • wipe out the UM machine off line and securely erase the HD
  • power it off, if laptop remove main battery, let it sit for at least 2 hours
  • at friend's home on their PC download UM to install it on the subject PC
  • install UM on subject PC not internet connected
  • evaluate subject PC for evidence of the suspected malware behavior - if present the BIOS is highly suspect
  • if OK disconnect friend's router, install new router without connecting any of friend's devices
  • connect subject PC to internet, update UM and re-evaluate.
  • ensure that there's only a single point for internet connectivity in house
  • Take new router and tested PC home; disconnect existing router and install new router with just the subject PC.
  • Evaluate for malware behavior - if found there's a decent chance that an external source is causing this as a hoax by using the external IP address.
  • if clean add one device at a time evaluating behavior, at some point the behavior might manifest itself.
  • OTOH once all devices have been added and no malware behavior is noted the original router is highly suspect.

Good luck

2 Likes

My Apache webserver logs used to show approximately 30 attempts/day back in the mid 1990s. The internet has certainly changed a bit since then.

Hello. I'd just like to take a second before I begin replying to the comments and questions that were posted yesterday, to say that I really appreciate all the help and time people within this community are dedicating and have already dedicated to this topic. I know this is a very time-consuming and slow process, especially when it comes to helping someone who is new to Ubuntu-Mate and Linux in general. I want you to know that I think what you guys are doing here to help me, and also just in general, is awesome.

I've been dealing with this for two and a half years and have only been scratching the surface over the past couple days with what I've written on this topic. There is no question in my mind that this is malware at work and that it was delivered as I explained in the beginning of the original post.

Not being a professional in this industry makes it very difficult to describe a problem I don't know much about. In addition to that, trying to explain and convince a group of people who have the technical background needed to understand it, that there is a hidden program installed on my computers (but not installed by me), which has an agenda to steal my personal information, money and cause me strife, at the same time stripping me of all privacy and preventing me from starting a business. It leaves me feeling hopeless most of the time, because I keep hitting roadblocks of skepticism or people more interested in trying to explain problems seen as anything other than what it is... malware.

I understand this process isn't just difficult and frustrating but very time consuming, so I ask that you please bear with me, have patience and try to keep an open mind. I know how much knowledge and experience is in this community and I have no doubt that if there isn't one person who can help me figure this out, then as a group, you guys can do it collectively. If there are log files, configuration settings, applications to be run for generating reports, experiments, anything... I will be more than happy to learn from it and get what is needed.

3 Likes

I think it would be worthwhile to take photos and record video of the malware in action, to help us understand what you see. :camera_flash:

:date: I'm going on a break from now so I personally will be unavailable to provide any more assistance from this point onwards. Best of luck! :slight_smile:

I applaud his courage in reaching out for help with serious real world adult problems in a room that seems to be populated by quite a few children. Sometimes it is better to be silent and thought a fool, than to foolishly open one's mouth and remove all doubt.

6 Likes

Bravo!
The issues detailed need to be addressed!

1 Like

dmabe...

Earlier, you stated "No, this has been done out of anger because of what I said to whoever I busted hacking my phone. There is nothing more to it than that because that IS the only motivation as I'm not rich, I'm not in politics, I don't work for a prestigious high end company where trade secrets are at stake and I don't have anything of considerable value per se. I don't think this is the NSA either but who knows right?"

And now, you mention that various other family members have experienced problems similar to yours. Have you considered that perhaps one of them (or someone they know) may be the primary target? It could well be that you were merely one of many contacts of the primary target to be hacked in this way. After all, thanks to Edward Snowden, we know that tracking connections, contacts and relationships (the metadata) is often more valuable intel for entities like the NSA, than being able to actually read the communications themselves. And then, when you caught them in the act, you managed to ■■■■ off the hacker (I'd love to know what you said to them!) to the point where they then decided to make your life a misery.

tldr; Is it possible that someone you know is the real target here, and you just got caught in the crossfire?

Rev. 1 - Included RKHunter Log at bottom of this post.

Note: I had this reply just about completed a couple of days ago and have new information but still wanted to share this reply. I will be working on the next reply with the new info I've found and should have that completed soon.

Ironically, at least in the past, that file and the other memory testing files have been flagged as malware, and by more than one engine on more than one instance. In fact ClamAV detects it on a regular basis and removes it. I have however run memory scans using other tools, without a single detection of foul play. On the customer tower I built, which has an ASUS motherboard and GSkill RAM, I noticed a long time ago that all the information pertaining to the RAM, shown in the BIOS, was visible, but the serial numbers for each DIMM were filled with 0's. I asked about this on superuser.com but never got an answer to my satisfaction, although it was a hot topic for a while.

@Dave_Barnes can you tell me how, exactly, you arrived at that conclusion and with what data? I'm not doubting you and have questioned that as a possibility in the past, but would like to better understand, because I believe there are other tactics that would yield the same results. After a few hours with the Sophos XG firewall in place, the logs showed I was getting hammered with TCP flooding, and there were also issues with ICMP flood attacks, coming in AND going out. That tells me I'm part of a botnet if I'm not mistaken.
I don't know what changed, but in the beginning (first 6-12 months) my data on my PCs and phones was going through the roof, but it wasn't my doing. I was told I had used 60Gb of data with the phone in one month's time and exceeded well over 600Gb with the PCs through my ISP. Never, now or then, would I use that kind of data via either interface. I don't stream movies or videos and only grab updates and apps, etc. to try and deal with this problem. I don't know why it would have changed, but that dropped off after two or three months of bills skyrocketing and me complaining to the service providers, but every other problem remained.
I have seen indications of cross-scripting attacks, but to be frank, I was not familiar with such attack vectors until the beginning of the year.

@lah7 Were you able to review the remainder of the kernel log I posted on Paste Bin, and if so, did you see anything out of the ordinary? Are the 40+ pages of embedded code in the CPU normal, as indicated? Also, there are 14 other system log files that have many things that would raise a red flag to me, if not specifically stating there are errors recorded.

I have only seen this error with the video memory two times, and both have been directly after some combination of file removal and a hard reset, but not causing permanent OS corruption as the machine rebooted just fine. I still have not figured out how to get the scenario to repeat, but I also haven't tried much as this is a fairly recent discovery.
One other thing worth mentioning is that the original computer I had infected, out of the blue one day, quit displaying anything. I know that doesn't prove anything, but at the time and under the circumstances, I remember it seemed odd and abnormal. I have another Dell, which is identical to the one being examined for this topic, and will try to see if a similar error is generated. I have uploaded the gpu-manager.log file to my Paste Bin for review as well, because the entries just don't seem normal, but I'm new to Ubuntu and Linux in general, so I'm not familiar with the quirks and bugs. To point out ahead of time if you didn't already catch it: this machine being used as the example for this topic has integrated graphics, in case anyone is wondering.

Duly noted and agreed. Heat is a killer to electrical components and wreaks havoc quickly, so I decided to completely disassemble both Dell boxes yesterday, cleaning and inspecting each. All seemed well after I was finished, and I don't have any reason to believe there are issues with heat dissipation. I keep the PCs in a fairly open and ventilated environment, but I am aware how these machines are like dust magnets and that cleaning them is a frequent requirement of owning one.

Not ever having dealt with malware like this, where it is undetectable by traditional methods, leaves me with these questions: Wouldn't a firmware infection give similar if not the same results as a beginning hardware failure? Can't infected firmware cause catastrophic hardware failure if it isn't specifically designed for the machine? How could you distinguish between a firmware infection and symptoms of initial hardware failure?

After my last post, I decided to review my router's settings because I was certain I had disabled . What I found was intriguing. There were several discrepancies, the first of which was a date and time difference first noticed in the log files. Then I also saw where it said that I had disabled UPnP, but that was not the case based on the nmap scan, if I recall correctly. Then I started seeing other discrepancies but didn't take the time to confirm all of them after seeing some major ones like the UPnP, time and date variance, etc. What I'm having a tough time discerning is where the deception is coming from, and I think it's the browser. I have seen lots and lots of red flags, errors etc. on top of the redirects, faulty/spoofed DNS, SSID, DHCP poisoning, when opening ANY browser and poking around with the dev tools.
I also checked out the modem's settings and logs to find strange errors, but I don't know if it is anything to get excited over without getting confirmation from the manufacturer or someone else who can translate the meaning.
After noticing the differences in router settings and errors with the modem, I started having all sorts of issues where I was straight out being denied copying files to my USB drive, while being signed in as root. I was also seeing locations/paths that weren't making much sense to me, where the locations of normal folders and files were being referred to as a shared network folder. I'm having difficulties gaining access to Imgur and other websites, so I am unable to post screenshots at the moment and will post them when I can. The router log where I noticed discrepancies is posted below.
I think I'm about 70-80% confident that this isn't in the BIOS, but my confidence level is nowhere near that high as far as other components. My biggest suspects are the onboard video adapter's firmware, the onboard network adapter's firmware, the optical drive firmware, hard drive firmware and the keyboard/mouse firmware, having seen too much that points in the direction of possible infection of those components, but I don't know how to approach a few of them in order to rule that possibility out. I have been denied several times when trying to update the firmware of my Samsung 850 EVO SSDs, and the same with BIOS flash attempts. I am constantly fighting these machines whenever I try to do an update of that nature... if I am even able to at all without being denied in one way or another, like what happened yesterday when trying to write to the USB. Another similar instance of denial happened not too long back, but I am now on a different install from yesterday.

    *Router Log File Where Discrepancies Were 1st seen*
1970-01-01 07:00:08 [5] System: Enable firewall
1970-01-01 07:00:10 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 07:00:10 [5] DHCPD: Recv REQUEST from “MY MAC Address”
1970-01-01 07:00:11 [5] DHCPD: Send ACK to 192.168.2.101
1970-01-01 07:00:12 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 07:00:15 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 07:00:20 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 1
1970-01-01 07:00:23 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 1
1970-01-01 00:00:37 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 1
1970-01-01 00:00:40 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 1
1970-01-01 00:00:43 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 1
1970-01-01 00:00:48 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:51 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:51 [5] DHCPC: Recv OFFER from server 192.168.100.1 with ip 192.168.100.20
1970-01-01 00:00:52 [5] DHCPC: Send REQUEST to server 192.168.100.1 with request ip 192.168.100.20
1970-01-01 00:00:53 [5] DHCPC: Recv ACK from server 192.168.100.1 with ip 192.168.100.20 lease time 20
1970-01-01 00:00:53 [5] DHCPC: Recv DNS server address 192.168.100.1,0,0,0,0
1970-01-01 00:01:03 [5] DHCPC: Send REQUEST to server 192.168.100.1 with request ip 192.168.100.20
1970-01-01 00:01:04 [5] DHCPC: Recv ACK from server 192.168.100.1 with ip 192.168.100.20 lease time 20
1970-01-01 00:01:04 [5] DHCPC: Recv DNS server address 192.168.100.1,0,0,0,0
1970-01-01 00:01:14 [5] DHCPC: Send REQUEST to server 192.168.100.1 with request ip 192.168.100.20
1970-01-01 00:01:15 [5] DHCPC: Recv ACK from server 192.168.100.1 with ip 192.168.100.20 lease time 20
1970-01-01 00:01:15 [5] DHCPC: Recv DNS server address 192.168.100.1,0,0,0,0
1970-01-01 00:01:25 [5] DHCPC: Send REQUEST to server 192.168.100.1 with request ip 192.168.100.20
1970-01-01 00:01:28 [5] DHCPC: Send REQUEST to server 192.168.100.1 with request ip 192.168.100.20
1970-01-01 00:01:30 [5] DHCPC: Send REQUEST to server 192.168.100.1 with request ip 192.168.100.20
1970-01-01 00:01:33 [5] DHCPC: Broadcast REQUEST with request ip 192.168.100.20
1970-01-01 00:01:33 [5] DHCPC: Broadcast REQUEST with request ip 192.168.100.20
1970-01-01 00:01:35 [5] DHCPC: Send DISCOVER with request ip 192.168.100.20 and unicast flag 0
1970-01-01 00:01:35 [5] DHCPC: Recv OFFER from server 10.192.79.124 with ip 160.2.80.103
1970-01-01 00:01:36 [5] DHCPC: Send REQUEST to server 10.192.79.124 with request ip 160.2.80.103
1970-01-01 00:01:37 [5] DHCPC: Recv ACK from server 10.192.79.124 with ip 160.2.80.103 lease time 86400
1970-01-01 00:01:37 [5] DHCPC: Recv DNS server address 24.116.0.53,24.116.2.50
1970-01-01 08:00:09 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 08:00:11 [5] DHCPD: Recv REQUEST from 34:17:EB:A5:8A:91
1970-01-01 08:00:11 [5] DHCPD: Send ACK to 192.168.0.100
1970-01-01 08:00:21 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:25 [5] DHCPC: Recv OFFER from server 10.192.79.124 with ip 160.2.66.176
1970-01-01 00:00:25 [5] DHCPC: Send REQUEST to server 10.192.79.124 with request ip 160.2.66.176
1970-01-01 00:00:25 [5] DHCPC: Recv ACK from server 10.192.79.124 with ip 160.2.66.176 lease time 86400
1970-01-01 00:00:25 [5] DHCPC: Recv DNS server address 24.116.0.53,24.116.2.50
1970-01-01 00:08:01 [6] DHCPC: Unicasting a release of 160.2.66.176 to 10.192.79.124


  RKHunter Log

/etc# rkhunter --check --configfile /etc/rkhunter.conf --cronjob --sk --vl --rwo 
Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
Warning: The following suspicious (large) shared memory segments have been found:
         Process: /usr/bin/caja    PID: 2190    Owner: dmabe    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/evolution    PID: 11885    Owner: dmabe    Size: 16MB (configured size allowed: 1.0MB)
         Process: /usr/bin/marco    PID: 2155    Owner: dmabe    Size: 2.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/caja    PID: 2190    Owner: dmabe    Size: 64MB (configured size allowed: 1.0MB)
         Process: /usr/bin/marco    PID: 2155    Owner: dmabe    Size: 1.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/mate-terminal    PID: 4882    Owner: dmabe    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/lib/mate-applets/trashapplet    PID: 2237    Owner: dmabe    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/evolution    PID: 11885    Owner: dmabe    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/bin/evolution    PID: 11885    Owner: dmabe    Size: 32MB (configured size allowed: 1.0MB)
         Process: /usr/bin/veracrypt    PID: 23162    Owner: dmabe    Size: 4.0MB (configured size allowed: 1.0MB)
         Process: /usr/lib/firefox/firefox    PID: 8773    Owner: dmabe    Size: 4.5MB (configured size allowed: 1.0MB)
         Process: /usr/lib/firefox/firefox    PID: 8773    Owner: dmabe    Size: 4.5MB (configured size allowed: 1.0MB)
Warning: Suspicious file types found in /dev:
         /dev/shm/PostgreSQL.1017893596: data
Warning: Hidden directory found: /etc/.java
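The router DHCPC log posted above is the kind of record a defender checks when DHCP tampering (the "man-in-the-middle" DHCP attack raised earlier in this thread) is suspected. The following is an added example, not code from any poster or from any router vendor: it parses lines in that log's format and flags the signals that matter, in particular two servers answering one DISCOVER, a lease from a server outside a trusted set, the serving server or the handed-out DNS servers changing between leases, very short leases, and a router clock that was never set (the 1970-01-01 stamps are the Unix epoch). The sample logs are constructed; the first is modelled on the log above, the second uses placeholder addresses.

```python
"""Flag DHCP client anomalies in a consumer router log (constructed example)."""
import re
from dataclasses import dataclass

# Shape of the router's log lines: "YYYY-MM-DD HH:MM:SS [level] DHCPC: message".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\d+\] DHCPC: (?P<msg>.*)$")
OFFER_RE = re.compile(r"^Recv OFFER from server (?P<server>[\d.]+) with ip (?P<ip>[\d.]+)$")
ACK_RE = re.compile(r"^Recv ACK from server (?P<server>[\d.]+) with ip (?P<ip>[\d.]+) lease time (?P<lease>\d+)$")
DNS_RE = re.compile(r"^Recv DNS server address (?P<dns>[\d.,]+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str
    detail: str


def analyse(lines, min_lease=300, trusted_servers=None):
    """Walk DHCPC log lines in order and return a list of Findings.

    `trusted_servers` is an optional set of DHCP server addresses that are
    allowed to grant leases; `min_lease` is the shortest lease (seconds)
    considered normal for this network.
    """
    findings = []
    clock_reported = False
    offers_this_round = set()   # servers that answered the current DISCOVER
    last_server = None          # server that granted the previous ACK
    last_dns = None             # DNS servers from the previous lease
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # DHCPD/System lines and anything else not modelled here
        ts, msg = m["ts"], m["msg"]
        # 1970-01-01 is the Unix epoch: the router's clock was never set, so
        # these stamps cannot be correlated with timestamps on other devices.
        if ts.startswith("1970-01-01") and not clock_reported:
            findings.append(Finding(ts, "clock-unset", "timestamps start at the Unix epoch"))
            clock_reported = True
        if msg.startswith("Send DISCOVER"):
            offers_this_round = set()
            continue
        o = OFFER_RE.match(msg)
        if o:
            offers_this_round.add(o["server"])
            if len(offers_this_round) > 1:
                # Two servers answering one DISCOVER is the classic rogue-DHCP symptom.
                findings.append(Finding(ts, "multiple-offers", ", ".join(sorted(offers_this_round))))
            continue
        a = ACK_RE.match(msg)
        if a:
            server, lease = a["server"], int(a["lease"])
            if trusted_servers is not None and server not in trusted_servers:
                findings.append(Finding(ts, "untrusted-server", f"{server} leased {a['ip']}"))
            if last_server is not None and server != last_server:
                findings.append(Finding(ts, "server-change", f"{last_server} -> {server}"))
            if lease < min_lease:
                findings.append(Finding(ts, "short-lease", f"{lease}s from {server}"))
            last_server = server
            continue
        d = DNS_RE.match(msg)
        if d:
            dns = tuple(x for x in d["dns"].split(",") if x != "0")  # drop unused slots
            if last_dns is not None and dns != last_dns:
                findings.append(Finding(ts, "dns-change", f"{last_dns} -> {dns}"))
            last_dns = dns
    return findings


def finding_kinds(text, **kwargs):
    """Just the kinds of finding, in log order (convenience for quick triage)."""
    return [f.kind for f in analyse(text.splitlines(), **kwargs)]


# Sample 1 (constructed, modelled on the router log posted above): a 20-second
# lease from 192.168.100.1, then a day-long lease from 10.192.79.124 with
# different DNS servers, all stamped with the Unix epoch.
SAMPLE_LOG = """\
1970-01-01 00:00:51 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:51 [5] DHCPC: Recv OFFER from server 192.168.100.1 with ip 192.168.100.20
1970-01-01 00:00:53 [5] DHCPC: Recv ACK from server 192.168.100.1 with ip 192.168.100.20 lease time 20
1970-01-01 00:00:53 [5] DHCPC: Recv DNS server address 192.168.100.1,0,0,0,0
1970-01-01 00:01:35 [5] DHCPC: Send DISCOVER with request ip 192.168.100.20 and unicast flag 0
1970-01-01 00:01:35 [5] DHCPC: Recv OFFER from server 10.192.79.124 with ip 160.2.80.103
1970-01-01 00:01:37 [5] DHCPC: Recv ACK from server 10.192.79.124 with ip 160.2.80.103 lease time 86400
1970-01-01 00:01:37 [5] DHCPC: Recv DNS server address 24.116.0.53,24.116.2.50
"""

# Sample 2 (entirely constructed, placeholder addresses): two different servers
# answer the same DISCOVER and the client takes the lease from the second one.
ROGUE_LOG = """\
2019-05-02 10:00:00 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
2019-05-02 10:00:00 [5] DHCPC: Recv OFFER from server 192.168.2.1 with ip 192.168.2.101
2019-05-02 10:00:00 [5] DHCPC: Recv OFFER from server 192.168.2.37 with ip 192.168.2.200
2019-05-02 10:00:01 [5] DHCPC: Send REQUEST to server 192.168.2.37 with request ip 192.168.2.200
2019-05-02 10:00:01 [5] DHCPC: Recv ACK from server 192.168.2.37 with ip 192.168.2.200 lease time 3600
2019-05-02 10:00:01 [5] DHCPC: Recv DNS server address 192.168.2.37,0,0,0,0
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()) + analyse(ROGUE_LOG.splitlines(), trusted_servers={"192.168.2.1"}):
        print(f"{f.ts}  {f.kind:<17} {f.detail}")
```

Run it against a full router log (one line per list element) with `trusted_servers` set to the address your ISP's or your own router's DHCP server normally uses; a server change on its own is not proof of tampering, but it tells you which lease to look at.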

Unless you have whitelisted some files already, I was expecting more false positives for replacement, as per my log:

cat rkhunter.log | grep "replaced by a script"
[19:03:05] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable
[19:03:08] Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[19:03:09] Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[19:03:10] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[19:03:13] Warning: The command '/usr/bin/which' has been replaced by a script: /usr/bin/which: POSIX shell script, ASCII text executable
[19:03:13] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

IMHO you "should" not be doing any whitelisting until you have done a clean install with no net, with the RKH tarball on a USB stick or similar, and run your first scan such as
sudo rkhunter -c -sk

I don't run a server... also I am not a security expert, but the LQ post mentions a rootkit detected in the past, but it's unclear if you have RKH detecting any rootkits?

My log is similar to yours... will look at my config file shortly before editing.

Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[19:03:39] Checking for suspicious (large) shared memory segments [ Warning ]
[19:03:39] Warning: The following suspicious (large) shared memory segments have been found:
[19:03:39] Process: /usr/bin/caja PID: 2166 Owner: gordon Size: 4.0MB (configured size allowed: 1.0MB)
[19:03:39] Process: /usr/bin/caja PID: 2166 Owner: gordon Size: 64MB (configured size allowed: 1.0MB)
[19:03:39] Process: /usr/bin/python3.7 PID: 2347 Owner: gordon Size: 4.0MB (configured size allowed: 1.0MB)
[19:03:39] Process: /usr/bin/marco PID: 2122 Owner: gordon Size: 2.0MB (configured size allowed: 1.0MB)
[19:03:39] Process: /home/gordon/firefox/firefox-bin PID: 2401 Owner: gordon Size: 7.5MB (configured size allowed: 1.0MB)
[19:03:39] Process: /home/gordon/firefox/firefox-bin PID: 2401 Owner: gordon Size: 7.5MB (configured size allowed: 1.0MB)
[19:03:39] Process: /usr/bin/lxterminal PID: 2946 Owner: gordon Size: 1.0MB (configured size allowed: 1.0MB)
[19:03:39] Process: /usr/bin/pluma PID: 3032 Owner: gordon Size: 4.0MB (configured size allowed: 1.0MB)

Edit: OK, the config file can be edited to white out reports over 1.0 MB size, but not sure if I will do this...

Edit: just tried an edit of the config... I need to read better... sorry, so post deleted. I made a mistake, but fixed up the mistake by checking my config with

sudo rkhunter -C

OK so, assuming you did a clean install... all hits are false positives. However, if your sha256 hashes are similar to mine, that might give you some confidence to whitelist?
root@um:/# sha256sum /usr/bin/egrep
f7c621ae0ceb26a76802743830bc469288996f64342901ae5292950ff713e981 /usr/bin/egrep
root@um:/# sha256sum /usr/bin/fgrep
5c8b1486de899cdd010d3cacde94579999cb82d0be9ec8c131b1b56886cfd36b /usr/bin/fgrep
root@um:/# sha256sum /usr/bin/which
7bdde142dc5cb004ab82f55adba0c56fc78430a6f6b23afd33be491d4c7c238b /usr/bin/which
root@um:/# sha256sum /usr/bin/lwp-request
f8b9706e49fc6faabec5b8fe6f77b3d1665c5e11b84251029b83ac92d07e8dcd /usr/bin/lwp-request

And the lines of config... I suggest you add them to the bottom of the config file rather than at their info lines:

SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/which
SCRIPTWHITELIST=/usr/bin/lwp-request

@pfeiffep I think I can safely say that is an understatement. Over the past couple of days, I have spent what little time I have had to work on this issue trying to become more familiar with nmap, Wireshark and networking in general. I have also been trying to pursue some of the information I last found with regard to the discrepancies I mentioned with the router settings.

What I found, or at least I believe I've found, is that my phone has a lot larger role in all this than I originally thought, but if I'm wrong, I'm not off by a long shot. However, the fact remains that there is malware on the PCs which I still can't get rid of and which is responsible for opening the appropriate networking channels and for preventing access to clean, removable media and networking resources.

After exploring more from the command line and running scans with nmap, the information I found was provided in the form of more logs and reports found by running fwts-frontend-text output and crash reports located in the /var/crash directory. Please see the links below to my Paste Bin for clarity with the lspci.log and six crash report logs. I've tried to arrange the logs/crash reports in order of most significant to least useful.

Information: Logs/Crash Reports
  1. kernel.log <------------LOOK
  2. DMI.log (partial)
  3. initramfs-tools.crash 1/2
  4. initramfs-tools.crash 2/2
  5. _usr_bin_fwupdate.0.crash
  6. lspci.log
  7. _usr_bin_rfdump.1000.crash
  8. _usr_share_terminator.1000.crash 1/3
  9. _usr_share_terminator.1000.crash 2/3
  10. _usr_share_terminator.1000.crash 3/3
Information: Networking/NMap Scans

24.116.124.161 -<---Unknown address appearing in router logs

my.cableone.biz (24.116.124.161) <-----This is an nmap scan of the same address above, but nmap resolved it to "my.cableone.biz". My ISP is cableone.net and I'm pretty sure this isn't their webpage.

Screenshots: https://imgur.com/a/6hH7Yz7 <----my.cableone.biz nmap scan information

tracepath 24.116.124.161 <----Results from running "tracepath" on the address

Modem & Router Discrepancies

When I opened up the settings for my modem in the web browser, lo and behold, I was greeted with the Netgear config page for a router... not my modem! I checked 3 times to make sure I hadn't made a mistake, and I had not. After resetting the modem, I was again able to see the correct information.

When I ran an nmap scan on my phone's mobile IP, I got the results shown in the screenshot at this link (on my Imgur page), which is the same IP as my router was at the time, with the name "_gateway". Is it safe to conclude either the modem and/or router are infected?

The new information seems to supply more understanding as a whole but only provides more confusion at the same time, because it seems everything is affected. The biggest thing that troubles me is not replacing the equipment......I have done this 5 TIMES and would gladly do it again if it gave a resolution. Every time I've done it, the new equipment becomes infected with no justification for it, because I had everything internet/wifi related (including phones) either powered off or unplugged the 5 times this has happened. Within 1 hour of normal use, not connected to the net and without having inserted/connected any removable media, I began to see symptoms or signs typical of what I see today.

Questions

From what I can tell, the OS is booted with systemd and the network addresses are being resolved via systemd-resolve, but I'm not very proficient with networking config in Ubuntu yet.

Q1: How can I deconfigure the current network settings?
Q2: Which method is going to be the most efficient and simple way to begin reconfiguring and hardening the new settings? If someone knows of a good reference, will they please share it?
Q3: From what I can decipher, the main bulk of the malware is located in the initrd.img and snaps/loop devices, which are both write protected. How can these be accessed with write permissions? I believe the malware is also using encryption (crypto-luks) to protect itself and may be running in the hypervisor too. Reading about "Blue Pill" and comparing the traits of that malware with my infection shows many of the same or similar characteristics.
Q4: Is there a way to remove and replace an active kernel in a live environment? If so, would this work to remediate the problem, allowing for firmware updates? I know a lot of the bad code is in the kernel from what I've seen so far poking around in kernel configuration files, but every time I attempt to remove the active kernel in a live setting, I am either unsuccessful at removal or I crash the system and can't figure out how to recover it.

---Or we aren't as ignorant as we once were. I know I've learned a lot over the past two years and can appreciate the saying more now than ever........ignorance is bliss! :grin:

@aus9 I have not done any whitelisting. The only thing I have done is install some applications selected from the Software Boutique and apt/apt-get and performed the initial configuration. I haven't altered the repositories from what the OS defaulted to during install either, although I can't figure out how to reconfigure the settings so the updates I get aren't laced with malware; if you or anyone else can help with that, I would appreciate it.

**My /etc/apt/sources.list file contents**

```
# deb cdrom:[Ubuntu-MATE 19.04 _Disco Dingo_ - Release amd64 (20190416)]/ disco main multiverse restricted universe

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ disco main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ disco-updates main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ disco universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco universe
deb http://us.archive.ubuntu.com/ubuntu/ disco-updates universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ disco multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco multiverse
deb http://us.archive.ubuntu.com/ubuntu/ disco-updates multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ disco-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu disco partner
# deb-src http://archive.canonical.com/ubuntu disco partner

deb http://security.ubuntu.com/ubuntu disco-security main restricted
# deb-src http://security.ubuntu.com/ubuntu disco-security main restricted
deb http://security.ubuntu.com/ubuntu disco-security universe
# deb-src http://security.ubuntu.com/ubuntu disco-security universe
deb http://security.ubuntu.com/ubuntu disco-security multiverse
# deb-src http://security.ubuntu.com/ubuntu disco-security multiverse

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
deb http://archive.ubuntu.com/ubuntu/ artful main
```

@JAFO I can't honestly remember what it was that I said......it wasn't nice though. :rofl:

Yes, I did a clean install. As clean as I can get it anyway. My results are posted below.

**My Results**

```
dmabe@dmabe-OptiPlex-7010:~$ sha256sum /usr/bin/egrep
f7c621ae0ceb26a76802743830bc469288996f64342901ae5292950ff713e981  <--- ***Mine***
f7c621ae0ceb26a76802743830bc469288996f64342901ae5292950ff713e981  <--- ***Yours***
dmabe@dmabe-OptiPlex-7010:~$ sha256sum /usr/bin/fgrep
5c8b1486de899cdd010d3cacde94579999cb82d0be9ec8c131b1b56886cfd36b  <--- ***Mine***
5c8b1486de899cdd010d3cacde94579999cb82d0be9ec8c131b1b56886cfd36b  <--- ***Yours***
dmabe@dmabe-OptiPlex-7010:~$ sha256sum /usr/bin/which
7bdde142dc5cb004ab82f55adba0c56fc78430a6f6b23afd33be491d4c7c238b  <--- ***Mine***
7bdde142dc5cb004ab82f55adba0c56fc78430a6f6b23afd33be491d4c7c238b  <--- ***Yours***
dmabe@dmabe-OptiPlex-7010:~$ sha256sum /usr/bin/lwp-request
f8b9706e49fc6faabec5b8fe6f77b3d1665c5e11b84251029b83ac92d07e8dcd  <--- ***Mine***
f8b9706e49fc6faabec5b8fe6f77b3d1665c5e11b84251029b83ac92d07e8dcd  <--- ***Yours***
```

They match!

I've also included the results from CHKRootKit for reference.

**CHKRootKit Results**

```
dmabe@dmabe-OptiPlex-7010:~$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not found
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `ldsopreload'...                                   not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `mail'...                                          not infected
Checking `mingetty'...                                      not found
Checking `netstat'...                                       not infected
Checking `named'...                                         not found
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `pop2'...                                          not found
Checking `pop3'...                                          not found
Checking `ps'...                                            not infected
Checking `pstree'...                                        not infected
Checking `rpcinfo'...                                       not found
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not infected
Checking `sshd'...                                          not found
Checking `syslogd'...                                       not tested
Checking `tar'...                                           not infected
Checking `tcpd'...                                          not found
Checking `tcpdump'...                                       not infected
Checking `top'...                                           not infected
Checking `telnetd'...                                       not found
Checking `timed'...                                         not found
Checking `traceroute'...                                    not found
Checking `vdir'...                                          not infected
Checking `w'...                                             not infected
Checking `write'...                                         not infected
Checking `aliens'...                                        no suspect files
Searching for sniffer's logs, it may take a while...        nothing found
Searching for rootkit HiDrootkit's default files...         nothing found
Searching for rootkit t0rn's default files...               nothing found
Searching for t0rn's v8 defaults...                         nothing found
Searching for rootkit Lion's default files...               nothing found
Searching for rootkit RSHA's default files...               nothing found
Searching for rootkit RH-Sharpe's default files...          nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep /usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/debug/.build-id /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /usr/lib/modules/5.0.0-20-generic/vdso/.build-id /usr/lib/python2.7/dist-packages/openpyxl/.constants.json
/usr/lib/debug/.build-id /usr/lib/modules/5.0.0-20-generic/vdso/.build-id
Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Maniac files and dirs...                      nothing found
Searching for RK17 files and dirs...                        nothing found
Searching for Ducoci rootkit...                             nothing found
Searching for Adore Worm...                                 nothing found
Searching for ShitC Worm...                                 nothing found
Searching for Omega Worm...                                 nothing found
Searching for Sadmind/IIS Worm...                           nothing found
Searching for MonKit...                                     nothing found
Searching for Showtee...                                    nothing found
Searching for OpticKit...                                   nothing found
Searching for T.R.K...                                      nothing found
Searching for Mithra...                                     nothing found
Searching for LOC rootkit...                                nothing found
Searching for Romanian rootkit...                           nothing found
Searching for Suckit rootkit...                             nothing found
Searching for Volc rootkit...                               nothing found
Searching for Gold2 rootkit...                              nothing found
Searching for TC2 Worm default files and dirs...            nothing found
Searching for Anonoying rootkit default files and dirs...   nothing found
Searching for ZK rootkit default files and dirs...          nothing found
Searching for ShKit rootkit default files and dirs...       nothing found
Searching for AjaKit rootkit default files and dirs...      nothing found
Searching for zaRwT rootkit default files and dirs...       nothing found
Searching for Madalin rootkit default files...              nothing found
Searching for Fu rootkit default files...                   nothing found
Searching for ESRK rootkit default files...                 nothing found
Searching for rootedoor...                                  nothing found
Searching for ENYELKM rootkit default files...              nothing found
Searching for common ssh-scanners default files...          nothing found
Searching for Linux/Ebury - Operation Windigo ssh...        not tested
Searching for 64-bit Linux Rootkit ...                      nothing found
Searching for 64-bit Linux Rootkit modules...               nothing found
Searching for Mumblehard Linux ...                          nothing found
Searching for Backdoor.Linux.Mokes.a ...                    nothing found
Searching for Malicious TinyDNS ...                         nothing found
Searching for Linux.Xor.DDoS ...                            INFECTED: Possible Malicious Linux.Xor.DDoS installed
/tmp/.veracrypt_aux_mnt1/volume
/tmp/.veracrypt_aux_mnt1/control
Searching for Linux.Proxy.1.0 ...                           nothing found
Searching for suspect PHP files...                          nothing found
Searching for anomalies in shell history files...           nothing found
Checking `asp'...                                           not infected
Checking `bindshell'...                                     not infected
Checking `lkm'...                                           find: ‘/proc/27207/task/27207/net’: Invalid argument
find: ‘/proc/27207/net’: Invalid argument
chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
enp3s0: PACKET SNIFFER(/usr/sbin/dhclient[22770], /usr/bin/dumpcap[10154])
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            user dmabe deleted or never logged from lastlog!
Checking `chkutmp'...                                        The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! dmabe        9234 pts/0  /bin/bash
! root        10154 pts/0  /usr/bin/dumpcap -n -i enp3s0 -y EN10MB -Z none
! root        10097 pts/0  sudo wireshark-gtk -i enp3s0
! root        10103 pts/0  wireshark-gtk -i enp3s0
! dmabe       24466 pts/1  /bin/bash
! root        27890 pts/1  /bin/sh /usr/sbin/chkrootkit
! root        28568 pts/1  ./chkutmp
! root        28570 pts/1  ps axk tty,ruser,args -o tty,pid,ruser,args
! root        28569 pts/1  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root        27889 pts/1  sudo chkrootkit
! dmabe       27046 pts/2  /bin/bash
chkutmp: nothing deleted
Checking `OSX_RSPLUG'...                                    not tested
```
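A defender's first check on a sources.list like the one posted above is mechanical: every active `deb` line should name a suite of the installed release (the cdrom line in that file says Ubuntu MATE 19.04, codename disco) and a mirror you recognise. The last line of the posted file names `artful` instead. The script below is an added example written for this thread, not code from the original post, from Ubuntu or from apt; it parses the one-line sources.list format and reports entries whose suite or mirror host does not fit. The sample list inside it is a trimmed copy of the posted file, and the host allow-list is an assumption for the example.

```python
"""Audit apt one-line sources.list entries against the installed release.

Added example for this thread; not code from the original post, from Ubuntu,
or from apt. It parses the classic "deb|deb-src [options] URI SUITE COMPONENT..."
line format and reports entries whose suite does not belong to the expected
release codename or whose mirror host is not on an allow-list.
"""
from typing import List, NamedTuple, Set, Tuple
from urllib.parse import urlparse


class SourceEntry(NamedTuple):
    lineno: int
    kind: str                    # "deb" or "deb-src"
    uri: str
    suite: str                   # e.g. "disco", "disco-updates", "disco-security"
    components: Tuple[str, ...]


def parse_sources_list(text: str) -> List[SourceEntry]:
    """Return the active (uncommented) entries of a one-line-style sources.list."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line, comment, or disabled entry
        parts = line.split()
        if parts[0] not in ("deb", "deb-src") or len(parts) < 3:
            continue                      # not an entry in the format we understand
        idx = 1
        if parts[idx].startswith("["):    # optional [key=value ...] option block
            while idx < len(parts) and not parts[idx].endswith("]"):
                idx += 1
            idx += 1
        if len(parts) < idx + 2:
            continue                      # options but no URI/suite after them
        uri, suite = parts[idx], parts[idx + 1]
        entries.append(SourceEntry(lineno, parts[0], uri, suite, tuple(parts[idx + 2:])))
    return entries


def audit_sources(text: str, expected_codename: str,
                  allowed_hosts: Set[str]) -> List[Tuple[int, str]]:
    """List (line number, problem) pairs for entries that do not fit the expected release."""
    findings = []
    for e in parse_sources_list(text):
        # Pockets such as "disco-updates" carry the release codename as their prefix.
        if e.suite.split("-")[0] != expected_codename:
            findings.append((e.lineno, f"suite '{e.suite}' is not for release '{expected_codename}'"))
        host = (urlparse(e.uri).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((e.lineno, f"mirror host '{host}' is not on the allow-list"))
    return findings


# Constructed sample: a trimmed copy of the sources.list posted in this thread.
SAMPLE_SOURCES_LIST = """\
deb http://us.archive.ubuntu.com/ubuntu/ disco main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ disco main restricted
deb http://us.archive.ubuntu.com/ubuntu/ disco-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ disco universe
deb http://us.archive.ubuntu.com/ubuntu/ disco-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu disco-security main restricted
deb http://archive.ubuntu.com/ubuntu/ artful main
"""

# Assumed allow-list for the example: the official archive hosts seen in the posted file.
KNOWN_UBUNTU_HOSTS = {"archive.ubuntu.com", "us.archive.ubuntu.com", "security.ubuntu.com"}


if __name__ == "__main__":
    for lineno, problem in audit_sources(SAMPLE_SOURCES_LIST, "disco", KNOWN_UBUNTU_HOSTS):
        print(f"line {lineno}: {problem}")
```

On the sample the only finding is line 7, the `artful` entry. The check says a line does not belong to the release; it says nothing about how it got there, and apt's signature verification still applies to whatever a legitimate mirror serves for that suite. Files under /etc/apt/sources.list.d/ are read by apt as well and should be run through the same check.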
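The hash comparison above is the right instinct, done by hand for four files. The script below is an added example for this thread, not code from the original post or from any tool named in it; it automates the same comparison against a manifest in the `<hex digest>  <path>` format that `sha256sum` writes and `sha256sum -c` reads, reporting each path as OK, MODIFIED or MISSING. The files and manifest in `demo()` are constructed, with one file altered and one deleted after the baseline was taken, so the three outcomes are all exercised.

```python
"""Verify files on disk against a sha256sum-style manifest.

Added example for this thread; not code from the original post or from any
tool it names. A manifest line has the form "<hex digest>  <path>" (two spaces,
or " *" for sha256sum's binary mode). Every path listed is classified as OK,
MODIFIED or MISSING relative to a root directory.
"""
import hashlib
import os
import tempfile
from typing import Dict


def parse_manifest(text: str) -> Dict[str, str]:
    """Map each path in a sha256sum-style manifest to its expected hex digest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition(" ")
        if not sep or len(digest) != 64:
            continue                              # not a sha256 manifest line
        expected[path.lstrip(" *")] = digest.lower()
    return expected


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_text: str, root: str) -> Dict[str, str]:
    """Return {path: "OK" | "MODIFIED" | "MISSING"} for every manifest entry under root."""
    results = {}
    for rel, digest in parse_manifest(manifest_text).items():
        full = os.path.join(root, rel.lstrip("/"))   # absolute manifest paths resolve under root
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif sha256_file(full) != digest:
            results[rel] = "MODIFIED"
        else:
            results[rel] = "OK"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: take a baseline, then alter one file and remove another."""
    files = {  # constructed stand-ins for the binaries compared in the post
        "/usr/bin/egrep": b"#!/bin/sh\nexec grep -E \"$@\"\n",
        "/usr/bin/which": b"placeholder for a binary\n",
        "/usr/bin/lwp-request": b"another placeholder\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Baseline manifest in sha256sum's output format, recorded before tampering.
        manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {rel}\n" for rel, d in files.items())
        # Simulate post-baseline changes: append to one file, delete another.
        with open(os.path.join(root, "usr/bin/which"), "ab") as f:
            f.write(b"appended after the baseline\n")
        os.remove(os.path.join(root, "usr/bin/lwp-request"))
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8} {path}")
```

Two caveats matter for how this is used. First, matching hashes with another forum member only shows that both machines carry the same build of the package, so the baseline should come from somewhere trusted: dpkg records a checksum for every installed file and `dpkg --verify` compares against them, and the signed package in the Ubuntu archive is the ultimate reference. Second, any check run on a system whose kernel is in doubt can only report what that kernel lets it read; run the comparison with the disk mounted from a known-good live medium.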

@dmabe
Continuing to troubleshoot an infected network is a thankless task. Your statement "What I found, or at least I believe I've found, is that my phone has a lot larger role in all this than I originally thought, but if I'm wrong, I'm not off by a long shot." is a clear indication to me that ...

I S O L A T I O N ... is the best method to resolve your issues.

Let's assume that every device on your network is somehow compromised; then I have a hard time believing any manipulation of a single device remaining in the network can be fixed. I know that my proposed strategy is neither a simple nor a fast solution, but I firmly believe it will result in a clean UM PC and a clean router.

Good luck

@pfeiffep Please don't get me wrong, I am in total agreement with the isolation requirement. It's the only way. What I'm still concerned about is if this malware is VPN or similar malware which is not removable, or if it is something like Spectre/Meltdown; then I have been beating my head against the wall for the past two years and don't want to keep doing that. I am also of the opinion (please correct me if my train of thought is bypassing something) that, in essence, I have sidestepped all the necessary, time-consuming steps as you outlined when I brought new equipment into the home and had all networking-capable devices powered off or completely disconnected from a power source, and the results remained the same. That is what has me absolutely 100% baffled. Is there enough power in the small battery of a router (the power source for retaining settings and config data) that could project a signal a very minimal distance? (It seems absurd, but this is what I'm left with to question, unless I have an unknowing neighbor who has been hacked and their equipment is the rogue device.) I've even gone to the extent of pulling batteries out of all IR remote controls I own when testing. The only thing left for me to try now is build a massive Faraday cage and lock myself in until I can put my thumb on it. What am I missing?

Wireless connectivity.

Reconnecting devices to a questionable network.

There are methods to remotely turn on equipment.

Using a different ISP and or different external IP address.

There was an earlier post mentioning Man-In-The-Middle; if you have a new router and a completely clean PC this step 100% eliminates this.

In the security area in which I was employed we had a saying "You'll always have time to do it correctly the SECOND time."

I'm at a loss as to what to say or do. I have already done everything you've listed more than a half a dozen times each year. Whatever is going on is completely escaping me. Back to square one with a new ISP this time. I like the saying................very true and real. I appreciate your input.

Another struggle with all this seems to be being able to find someone who can come in with the experience and education, know what is going on and fix it. I live in Idaho and we just don't have a lot of resources with good qualifications in this industry, and I don't know if it can be dealt with remotely. Can anyone make a recommendation for third-party support located in the north-west of the States that I may be able to reach out to?