[ubuntu-za] My Ubuntu 9.10 has been hacked. Need help
Jason Plank
plank.jason at gmail.com
Wed Jul 7 08:03:17 BST 2010
Hi Raoul
I don't think I have VNC activated. The file is attached. So far things
seem as if the problem may be over, but I'll keep an eye on it during the
day.
Jason
On Tue, Jul 6, 2010 at 4:10 PM, Raoul Snyman <
raoul.snyman at saturnlaboratories.co.za> wrote:
> On Tue, 6 Jul 2010 13:13:35 +0200, Jason Plank wrote:
> > Ubuntu has been hacked. Whoever it is periodically takes control of the
> > mouse and draws pictures in flames, browses the network, opens and messes with
> > applications and leaves messages in text files, so it's pretty much a given
> > that Ubuntu has been hacked.
>
> This description makes me pretty positive that someone is playing a trick
> on you... Have you got something like VNC installed?
>
> Also, open a terminal, and type the following:
>
> ps -ef > ps.txt
>
> and then e-mail ps.txt to the list.
>
> --
> Raoul Snyman, B.Tech IT (Software Engineering)
> Saturn Laboratories
> m: 082 550 3754
> e: raoul.snyman at saturnlaboratories.co.za
> w: www.saturnlaboratories.co.za
> b: blog.saturnlaboratories.co.za
>
> --
> ubuntu-za mailing list
> ubuntu-za at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-za
>
--
Nothing is as wonderful as knowing Christ Jesus my Lord. I have given up
everything else and count it all as garbage. All I want is Christ -
Philippians 3:8 CEV
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/ubuntu-za/attachments/20100707/92104154/attachment.htm
-------------- next part --------------
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul06 ? 00:00:01 /sbin/init
root 2 0 0 Jul06 ? 00:00:00 [kthreadd]
root 3 2 0 Jul06 ? 00:00:00 [migration/0]
root 4 2 0 Jul06 ? 00:00:00 [ksoftirqd/0]
root 5 2 0 Jul06 ? 00:00:00 [watchdog/0]
root 6 2 0 Jul06 ? 00:00:00 [migration/1]
root 7 2 0 Jul06 ? 00:00:00 [ksoftirqd/1]
root 8 2 0 Jul06 ? 00:00:00 [watchdog/1]
root 9 2 0 Jul06 ? 00:00:00 [events/0]
root 10 2 0 Jul06 ? 00:00:00 [events/1]
root 11 2 0 Jul06 ? 00:00:00 [cpuset]
root 12 2 0 Jul06 ? 00:00:00 [khelper]
root 13 2 0 Jul06 ? 00:00:00 [netns]
root 14 2 0 Jul06 ? 00:00:00 [async/mgr]
root 15 2 0 Jul06 ? 00:00:00 [kintegrityd/0]
root 16 2 0 Jul06 ? 00:00:00 [kintegrityd/1]
root 17 2 0 Jul06 ? 00:00:00 [kblockd/0]
root 18 2 0 Jul06 ? 00:00:00 [kblockd/1]
root 19 2 0 Jul06 ? 00:00:00 [kacpid]
root 20 2 0 Jul06 ? 00:00:00 [kacpi_notify]
root 21 2 0 Jul06 ? 00:00:00 [kacpi_hotplug]
root 22 2 0 Jul06 ? 00:00:07 [ata/0]
root 23 2 0 Jul06 ? 00:00:00 [ata/1]
root 24 2 0 Jul06 ? 00:00:00 [ata_aux]
root 25 2 0 Jul06 ? 00:00:00 [ksuspend_usbd]
root 26 2 0 Jul06 ? 00:00:00 [khubd]
root 27 2 0 Jul06 ? 00:00:00 [kseriod]
root 28 2 0 Jul06 ? 00:00:00 [kmmcd]
root 29 2 0 Jul06 ? 00:00:00 [bluetooth]
root 30 2 0 Jul06 ? 00:00:00 [khungtaskd]
root 31 2 0 Jul06 ? 00:00:00 [pdflush]
root 32 2 0 Jul06 ? 00:00:00 [pdflush]
root 33 2 0 Jul06 ? 00:00:01 [kswapd0]
root 34 2 0 Jul06 ? 00:00:00 [aio/0]
root 35 2 0 Jul06 ? 00:00:00 [aio/1]
root 36 2 0 Jul06 ? 00:00:00 [ecryptfs-kthrea]
root 37 2 0 Jul06 ? 00:00:00 [crypto/0]
root 38 2 0 Jul06 ? 00:00:00 [crypto/1]
root 42 2 0 Jul06 ? 00:00:15 [scsi_eh_0]
root 43 2 0 Jul06 ? 00:00:00 [scsi_eh_1]
root 44 2 0 Jul06 ? 00:00:00 [scsi_eh_2]
root 46 2 0 Jul06 ? 00:00:00 [scsi_eh_3]
root 49 2 0 Jul06 ? 00:00:00 [kstriped]
root 50 2 0 Jul06 ? 00:00:00 [kmpathd/0]
root 51 2 0 Jul06 ? 00:00:00 [kmpathd/1]
root 52 2 0 Jul06 ? 00:00:00 [kmpath_handlerd]
root 53 2 0 Jul06 ? 00:00:00 [ksnapd]
root 54 2 0 Jul06 ? 00:00:00 [kondemand/0]
root 55 2 0 Jul06 ? 00:00:00 [kondemand/1]
root 56 2 0 Jul06 ? 00:00:00 [kconservative/0]
root 57 2 0 Jul06 ? 00:00:00 [kconservative/1]
root 58 2 0 Jul06 ? 00:00:00 [krfcommd]
root 389 2 0 Jul06 ? 00:00:01 [kjournald2]
root 390 2 0 Jul06 ? 00:00:00 [ext4-dio-unwrit]
root 391 2 0 Jul06 ? 00:00:00 [ext4-dio-unwrit]
root 451 1 0 Jul06 ? 00:00:00 upstart-udev-bridge --daemon
root 482 1 0 Jul06 ? 00:00:02 dd bs=1 if=/proc/kmsg of=/var/run/rsyslog/kmsg
syslog 484 1 0 Jul06 ? 00:00:04 rsyslogd -c4
root 485 1 0 Jul06 ? 00:00:00 udevd --daemon
root 696 2 0 Jul06 ? 00:00:00 [rpciod/0]
root 697 2 0 Jul06 ? 00:00:00 [rpciod/1]
root 699 2 0 Jul06 ? 00:00:00 [kpsmoused]
root 728 2 0 Jul06 ? 00:00:00 [kgameportd]
102 734 1 0 Jul06 ? 00:00:00 dbus-daemon --system --fork
107 763 1 0 Jul06 ? 00:00:00 hald --daemon=yes
avahi 772 1 0 Jul06 ? 00:00:00 avahi-daemon: running [training-desktop.local]
avahi 773 772 0 Jul06 ? 00:00:00 avahi-daemon: chroot helper
root 778 2 0 Jul06 ? 00:00:00 [nfsiod]
root 809 1 0 Jul06 ? 00:00:00 rpc.idmapd
root 820 1 0 Jul06 ? 00:00:00 /usr/sbin/console-kit-daemon
root 826 1 0 Jul06 ? 00:00:00 NetworkManager
root 828 1 0 Jul06 ? 00:00:00 /usr/sbin/modem-manager
root 895 763 0 Jul06 ? 00:00:00 hald-runner
daemon 964 1 0 Jul06 ? 00:00:00 portmap
statd 1117 1 0 Jul06 ? 00:00:00 rpc.statd -L
root 1130 1 0 Jul06 ? 00:00:00 /sbin/wpa_supplicant -u -s
root 1136 826 0 Jul06 ? 00:00:00 /sbin/dhclient -d -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /var/run/dhclient-eth1.pid -lf /var/lib/dhcp3/dhclient-6e11d6e1-2ea5-4466-b2ee-af0b218c9cc0-eth1.lease -cf /var/run/nm-dhclient-eth1.conf eth1
root 1139 1 0 Jul06 ? 00:00:00 gdm-binary
root 1212 895 0 Jul06 ? 00:00:00 hald-addon-input: Listening on /dev/input/event3 /dev/input/event1 /dev/input/event0
root 1221 895 0 Jul06 ? 00:00:03 hald-addon-storage: polling /dev/sr0 (every 2 sec)
root 1224 895 0 Jul06 ? 00:00:00 hald-addon-storage: no polling on /dev/fd0 because it is explicitly disabled
107 1241 895 0 Jul06 ? 00:00:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
root 1316 1 0 Jul06 tty4 00:00:00 /sbin/getty -8 38400 tty4
root 1320 1 0 Jul06 tty5 00:00:00 /sbin/getty -8 38400 tty5
root 1326 1 0 Jul06 tty2 00:00:00 /sbin/getty -8 38400 tty2
root 1327 1 0 Jul06 tty3 00:00:00 /sbin/getty -8 38400 tty3
root 1329 1 0 Jul06 tty6 00:00:00 /sbin/getty -8 38400 tty6
root 1332 1 0 Jul06 ? 00:00:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root 1337 1 0 Jul06 ? 00:00:00 cron
daemon 1338 1 0 Jul06 ? 00:00:00 atd
root 1339 1139 0 Jul06 ? 00:00:00 /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
root 1340 1339 0 Jul06 tty7 00:04:48 /usr/bin/X :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-twWwZY/database -nolisten tcp vt7
root 1396 1 0 Jul06 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
mysql 1524 1396 0 Jul06 ? 00:00:20 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root 1526 1396 0 Jul06 ? 00:00:00 logger -t mysqld -p daemon.error
root 1607 1339 0 Jul06 ? 00:00:00 /usr/lib/gdm/gdm-session-worker
training 1622 1607 0 Jul06 ? 00:00:00 gnome-session
clamav 1795 1 0 Jul06 ? 00:00:03 /usr/bin/freshclam -d --quiet
training 1862 1622 0 Jul06 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/pulse-session gnome-session
training 1905 1 0 Jul06 ? 00:00:00 /usr/bin/dbus-launch --exit-with-session /usr/bin/pulse-session gnome-session
training 1990 1 0 Jul06 ? 00:00:01 /bin/dbus-daemon --fork --print-pid 7 --print-address 9 --session
training 2063 1 0 Jul06 ? 00:00:03 /usr/bin/pulseaudio --start
root 2228 2 0 Jul06 ? 00:00:00 [lockd]
root 2231 2 0 Jul06 ? 00:00:00 [nfsd4]
root 2232 2 0 Jul06 ? 00:00:00 [nfsd]
root 2233 2 0 Jul06 ? 00:00:00 [nfsd]
root 2234 2 0 Jul06 ? 00:00:00 [nfsd]
root 2235 2 0 Jul06 ? 00:00:00 [nfsd]
root 2236 2 0 Jul06 ? 00:00:00 [nfsd]
root 2237 2 0 Jul06 ? 00:00:00 [nfsd]
root 2238 2 0 Jul06 ? 00:00:00 [nfsd]
root 2239 2 0 Jul06 ? 00:00:00 [nfsd]
training 2241 2063 0 Jul06 ? 00:00:00 /usr/lib/pulseaudio/pulse/gconf-helper
training 2244 1 0 Jul06 ? 00:00:02 /usr/lib/libgconf2-4/gconfd-2
root 2246 1 0 Jul06 ? 00:00:00 /usr/sbin/rpc.mountd --manage-gids
mail 2264 1 0 Jul06 ? 00:00:02 /usr/sbin/nullmailer-send -d
root 2284 1 0 Jul06 ? 00:00:00 /usr/sbin/inetd
root 2305 1 0 Jul06 ? 00:00:00 /usr/sbin/nmbd -D
root 2312 1 0 Jul06 ? 00:00:00 /usr/sbin/smbd -D
root 2316 2312 0 Jul06 ? 00:00:00 /usr/sbin/smbd -D
root 2346 1 0 Jul06 ? 00:00:00 /usr/lib/devicekit-power/devkit-power-daemon
root 2394 1 0 Jul06 ? 00:00:00 /usr/sbin/winbindd
root 2420 1 0 Jul06 ? 00:00:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
root 2421 2394 0 Jul06 ? 00:00:00 /usr/sbin/winbindd
training 2425 1 0 Jul06 ? 00:00:04 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
training 2428 1 0 Jul06 ? 00:00:00 gnome-keyring-daemon --start
training 2431 1 0 Jul06 ? 00:00:00 seahorse-daemon
training 2458 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfsd
training 2511 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs//gvfs-fuse-daemon /home/training/.gvfs
training 2556 1 0 Jul06 ? 00:00:00 /usr/lib/notify-osd/notify-osd
root 2557 1 0 Jul06 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 2608 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2609 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2610 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2611 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 2612 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
training 2616 1622 0 Jul06 ? 00:00:24 metacity
root 2644 1 0 Jul06 tty1 00:00:00 /sbin/getty -8 38400 tty1
training 2645 1622 0 Jul06 ? 00:00:38 gnome-panel
training 2646 1622 0 Jul06 ? 00:01:05 nautilus
training 2648 1 0 Jul06 ? 00:00:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=20
training 2652 1622 0 Jul06 ? 00:00:00 gnome-volume-control-applet
training 2654 1622 0 Jul06 ? 00:00:00 python /usr/share/system-config-printer/applet.py
training 2656 1622 0 Jul06 ? 00:00:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
training 2657 1622 0 Jul06 ? 00:00:00 bluetooth-applet
training 2658 1622 0 Jul06 ? 00:00:01 update-notifier --startup-delay=60
training 2659 1622 0 Jul06 ? 00:00:00 nm-applet --sm-disable
root 2661 1 0 Jul06 ? 00:00:00 /usr/lib/policykit-1/polkitd
training 2664 1622 0 Jul06 ? 00:00:00 /usr/lib/evolution/2.28/evolution-alarm-notify
training 2666 1622 0 Jul06 ? 00:00:00 gnome-power-manager
training 2672 1 0 Jul06 ? 00:00:00 /usr/lib/gnome-applets/trashapplet --oaf-activate-iid=OAFIID:GNOME_Panel_TrashApplet_Factory --oaf-ior-fd=18
root 2675 1 0 Jul06 ? 00:00:00 /usr/lib/devicekit-disks/devkit-disks-daemon
training 2676 1622 0 Jul06 ? 00:00:00 /usr/lib/gnome-disk-utility/gdu-notification-daemon
training 2678 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfsd-trash --spawner :1.9 /org/gtk/gvfs/exec_spaw/0
root 2679 2675 0 Jul06 ? 00:00:08 devkit-disks-daemon: polling /dev/sr0
training 2680 1 0 Jul06 ? 00:00:01 gnome-screensaver
training 2681 1 0 Jul06 ? 00:00:35 /home/training/.dropbox-dist/dropbox
training 2685 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfs-gdu-volume-monitor
training 2687 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
training 2700 1 0 Jul06 ? 00:00:32 /usr/lib/gnome-applets/multiload-applet-2 --oaf-activate-iid=OAFIID:GNOME_MultiLoadApplet_Factory --oaf-ior-fd=19
training 2702 1 0 Jul06 ? 00:00:00 /usr/lib/indicator-applet/indicator-applet-session --oaf-activate-iid=OAFIID:GNOME_FastUserSwitchApplet_Factory --oaf-ior-fd=26
training 2704 1 0 Jul06 ? 00:00:00 /usr/lib/indicator-applet/indicator-applet --oaf-activate-iid=OAFIID:GNOME_IndicatorApplet_Factory --oaf-ior-fd=32
training 2739 1 0 Jul06 ? 00:00:00 /usr/lib/indicator-session/indicator-status-service
training 2741 1 0 Jul06 ? 00:00:00 /usr/lib/indicator-session/indicator-users-service
training 2743 1 0 Jul06 ? 00:00:00 /usr/lib/indicator-session/indicator-session-service
training 2746 1 0 Jul06 ? 00:00:00 /usr/lib/indicator-messages/indicator-messages-service
training 2760 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfsd-burn --spawner :1.9 /org/gtk/gvfs/exec_spaw/1
root 2767 2394 0 Jul06 ? 00:00:00 /usr/sbin/winbindd
root 2768 2394 0 Jul06 ? 00:00:00 /usr/sbin/winbindd
training 2775 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfsd-metadata
training 2781 1 0 Jul06 ? 00:00:00 /usr/lib/evolution/2.28/evolution-exchange-storage --oaf-activate-iid=OAFIID:GNOME_Evolution_Exchange_Connector_CalFactory:1.2 --oaf-ior-fd=28
training 2785 1 0 Jul06 ? 00:00:00 /usr/lib/evolution/evolution-data-server-2.28 --oaf-activate-iid=OAFIID:GNOME_Evolution_DataServer_CalFactory:1.2 --oaf-ior-fd=29
training 2814 1 0 Jul06 ? 00:00:00 /usr/lib/gvfs/gvfsd-computer --spawner :1.9 /org/gtk/gvfs/exec_spaw/2
root 2839 1 0 Jul06 ? 00:00:00 /usr/bin/python /usr/lib/system-service/system-service-d
training 2986 1 0 Jul06 ? 00:00:12 /usr/lib/vino/vino-server
www-data 3520 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3522 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3525 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3526 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3527 2557 0 Jul06 ? 00:00:00 /usr/sbin/apache2 -k start
root 4704 1 0 Jul06 ? 00:00:00 dbus-launch --autolaunch f3aacbd8ad932c5976e138864bfa8557 --binary-syntax --close-stderr
root 4705 1 0 Jul06 ? 00:00:00 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root 5011 1 0 Jul06 ? 00:00:00 /opt/nessus/sbin/nessus-service -D -q
root 5012 5011 0 Jul06 ? 00:07:45 nessusd -q
root 14507 2 0 Jul06 ? 00:00:00 [usbhid_resumer]
root 14508 485 0 Jul06 ? 00:00:00 udevd --daemon
root 14509 485 0 Jul06 ? 00:00:00 udevd --daemon
training 23850 1 2 09:00 ? 00:00:00 gnome-terminal
training 23851 23850 0 09:00 ? 00:00:00 gnome-pty-helper
training 23852 23850 1 09:00 pts/0 00:00:00 bash
training 23872 23852 0 09:00 pts/0 00:00:00 ps -ef