Hello All,
Last night two of my Ubuntu servers started using more CPU than previously. I found that they have some sort of virus running. The only similarity between the two servers is that they run ZoneMinder. The servers are not exposed to the internet. Other Ubuntu servers are not impacted. Can someone else check their servers to see if it really is related to ZoneMinder? Here is what I found:
* Check the file /etc/ld.so.preload.
* Mine contains /usr/local/lib/libprocesshider.so
* Delete this line from /etc/ld.so.preload
* Do a 'top' and see that there is a 'bash' process running as root that takes up lots of CPU time.
* With the virus running my servers are doing a DNS lookup of xmr-rx0.pwndns.pw and pw.pwndns.pw
This occurred at around 10:30 AM UTC.
As a complete guess: Is it possible that update.zoneminder.com is serving malware?
--L4
Virus found on two servers that have ZoneMinder installed.
Re: Virus found on two servers that have ZoneMinder installed.
It is unlikely. Maybe not impossible, but I don't know why you would go there as a first place to look.
All ZM processes run as www-data, so should not be able to change root owned things. That being said historically there has been a LOT of bad advice about how to solve problems (chown a+wrx /usr/share/zoneminder for example)
You didn't mention what version you are running. There have been vulnerabilities where it would be possible to run things (as www-data) that maybe with another chained-exploit they got root.
The thing to do now is pull those drives, start from scratch, do forensics...
Re: Virus found on two servers that have ZoneMinder installed.
I jumped to suspecting ZoneMinder since that was the only thing in common between the two servers that were compromised. They were running two different Ubuntu versions, two different ZoneMinder versions and both up-to-date on patches.
Since no one else chimed in with issues, we can delete this thread (I'm not sure if I can do it myself or not).
--L4.
Re: Virus found on two servers that have ZoneMinder installed.
By all means, ZoneMinder is a likely thing to jump to, I meant update.zoneminder.com... there are so many other more vulnerable parts to ZoneMinder.
Are these servers public facing?
Please don't delete the thread, if there is a vulnerability, then we need to find it and fix it.
Re: Virus found on two servers that have ZoneMinder installed.
The servers are not public facing. They are behind a NAT with no port forwarding to them. That made me suspect that some piece of software is making a call to a remote server (such as an update server) and getting back some malware. Reviewing my DNS logs I found ubuntu and zoneminder update connections. It is possible I may have missed other connections.
-L4
Re: Virus found on two servers that have ZoneMinder installed.
Interesting.
The request to update.zoneminder.com just gets a version.txt file, which contains "1.36.34". Nothing else is done with it, so I can't imagine that being a way to get something onto your server.
You can also turn off the update check Options -> CHECK_FOR_UPDATES
Any ZoneMinder related things like update or telemetry should go to 158.69.226.113. So you can check your dns for poisoning.
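As an added example, not code from this thread or from the ZoneMinder project: a POSIX shell script that automates the checks from the first post (entries in /etc/ld.so.preload, and a process hidden from readdir() by a preloaded library such as libprocesshider) together with the DNS sanity check suggested just above. It assumes the standard Linux locations /etc/ld.so.preload, /proc and /proc/loadavg; the function names, the --run flag and the constructed sample file are my own, and 158.69.226.113 is simply the address quoted in this thread, so it may have changed since.

```shell
#!/bin/sh
# Added example (not from the thread or the ZoneMinder project). Audits the
# indicators described in the first post from a defender's side. Assumed:
# standard Linux locations /etc/ld.so.preload, /proc and /proc/loadavg.

# audit_preload [FILE]
#   Print every non-comment entry in an ld.so.preload file. Returns 0 when the
#   file is missing or has no entries (the normal state on a stock Ubuntu host)
#   and 1 when some library is being injected into every dynamically linked
#   program, which is exactly how libprocesshider gets loaded into ps and top.
audit_preload() {
    file="${1:-/etc/ld.so.preload}"
    [ -s "$file" ] || return 0
    entries=0
    while IFS= read -r lib || [ -n "$lib" ]; do
        case "$lib" in ''|'#'*) continue ;; esac
        entries=$((entries + 1))
        if [ -e "$lib" ]; then
            printf 'PRELOAD: %s\n' "$lib"
        else
            printf 'PRELOAD: %s (library file no longer present)\n' "$lib"
        fi
    done < "$file"
    [ "$entries" -eq 0 ]
}

# find_hidden_pids [PROCDIR]
#   A readdir()-hooking library only filters directory listings, so ls, ps and
#   top all miss the process. Probing each PID with a stat() (the [ -d ] test)
#   bypasses readdir(), so a PID that exists but is absent from the listing is
#   being hidden. The upper bound is the last field of /proc/loadavg (the most
#   recently allocated PID); a wrapped PID counter can leave processes above it,
#   and a process that exits mid-scan shows up once as a false positive, so
#   re-run before acting on a single hit. Returns 0 when nothing is hidden.
find_hidden_pids() {
    proc="${1:-/proc}"
    last=$(awk '{print $5}' "$proc/loadavg" 2>/dev/null)
    [ -n "$last" ] || last=32768
    listed=" $(ls "$proc" | grep -E '^[0-9]+$' | tr '\n' ' ') "
    hidden=0
    pid=1
    while [ "$pid" -le "$last" ]; do
        if [ -d "$proc/$pid" ]; then
            case "$listed" in
                *" $pid "*) ;;
                *)  hidden=$((hidden + 1))
                    printf 'HIDDEN pid %s: %s\n' "$pid" \
                        "$(tr '\0' ' ' < "$proc/$pid/cmdline" 2>/dev/null)" ;;
            esac
        fi
        pid=$((pid + 1))
    done
    [ "$hidden" -eq 0 ]
}

# check_update_dns [EXPECTED_IP]
#   The thread states that update.zoneminder.com should resolve to
#   158.69.226.113 (the address quoted at the time; it may have changed).
#   Resolves through the system resolver and compares, so a poisoned resolver
#   or a tampered /etc/hosts shows up as a mismatch. Returns 0 on a match.
check_update_dns() {
    expected="${1:-158.69.226.113}"
    getent ahostsv4 update.zoneminder.com | awk '{print $1}' | sort -u \
        | grep -qx "$expected"
}

# sample_preload_file
#   Writes a constructed ld.so.preload with the exact entry quoted in the
#   first post, so audit_preload can be exercised without touching the real
#   file. Prints the temp file's path.
sample_preload_file() {
    f=$(mktemp)
    printf '# constructed sample\n/usr/local/lib/libprocesshider.so\n' > "$f"
    printf '%s\n' "$f"
}

# Run the live checks only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_preload || echo 'WARNING: /etc/ld.so.preload has entries; inspect each one'
    find_hidden_pids || echo 'WARNING: a process is hidden from readdir(); treat the host as compromised'
    check_update_dns || echo 'WARNING: update.zoneminder.com does not resolve to the expected address'
fi
```

Run it as root with `sh audit.sh --run`. Because the preloaded library is injected into ps, top and ls themselves, the hidden-process scan deliberately avoids directory listings for its ground truth; an empty /etc/ld.so.preload and no HIDDEN lines is the expected result on a clean host, and either warning is a reason to take the drives offline for forensics rather than to clean in place.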
Re: Virus found on two servers that have ZoneMinder installed.
Other things can cause CPU. Install clamav and scan, or use a Live CD to do so. You don't have a virus.
Re: Virus found on two servers that have ZoneMinder installed.
I disagree with this bald statement of fact.
Reading the original post -- libprocesshider was placed on the system to HIDE the process doing this activity.
The DNS lookups to xmr-rx0.pwndns.pw are suspect, if you are aware what pwn stands for. Have you been pwned?
Searching on that DNS name gave, e.g. this script
https://gist.github.com/Bharat-B/6f8d22 ... eff78d2be7
and
https://unix.stackexchange.com/question ... so-preload
You may not have a "virus" in the strictest terms of replicating code blah blah, but you certainly seem to have malware.
Re: Virus found on two servers that have ZoneMinder installed.
You sound like a frustrated individual, mikb. There is no call for such a tone. The public zeitgeist is becoming more and more coarse and callous. You are part of the problem.
Virustotal has this as a miner, probably picked up through malvertising. Certainly not ZM. OP, visit pr0n or crack sites?
Re: Virus found on two servers that have ZoneMinder installed.
Not frustrated at all. There was no "tone" -- at least, not in my posting. Can't say the same about yours above, though. Casting aspersions on myself AND accusations against the OP who came here for help/guidance? Very nice.

Quantum wrote (Sun Oct 20, 2024 5:03 pm):
    You sound like a frustrated individual, mikb. There is no call for such a tone. The public zeitgeist is becoming more and more coarse and callous. You are part of the problem.
    Virustotal has this as a miner, probably picked up through malvertising. Certainly not ZM. OP, visit pr0n or crack sites?
Who is part of the problem, exactly?