
Some fucker installed a keylogger on my Ubuntu laptop at home and registered it as a systemd service. From Wireshark, it's sending each keystroke to a server in France using IRC. Tried accessing the server, but the moron shut it down immediately. It's the last time I'm fucking installing code from prebuilt binaries. If I can't build it from source, then fuck off, you sniffing cunt. I was about to log in to a database from that machine.

UPDATE: I found the actual file sending the keystrokes, but it's binary. Anyone know how I can decode a binary file?

Comments
  • 14
    What software was that?
  • 1
    Torrent?
  • 10
    Really want to know what software you were using, man.
  • 9
    How did you know that a keylogger was there?
  • 4
    Damn more info
  • 8
    @AleCx04 @irene I am still investigating what software installed that binary file, but I am so enraged that I am thinking of starting to build even the operating system from source. The service even had permissions to start at boot time. Wtf is wrong with people!
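Added example, not part of the thread or the OP's investigation: the "registered as a systemd service, permitted to start at boot" part is something you can check for mechanically. The script below parses unit files (a constructed packaged daemon and a constructed suspicious unit; the path `/home/user/.cache/.sysupdate/updater` is invented) and flags any service whose `ExecStart` runs a binary from outside the package-managed directories, then notes whether it is wired into a boot target and whether `Restart=always` would respawn it after a kill. The `TRUSTED_PREFIXES` list is an assumption about a stock Ubuntu layout, not a systemd rule.

```python
"""Audit systemd unit files for a service that starts an unpackaged binary at boot."""
from pathlib import Path
from typing import Dict, List

# Directories that package managers populate (assumption: stock Ubuntu layout).
# An ExecStart pointing elsewhere (home directories, /tmp, /var/tmp, /dev/shm, ...)
# is not proof of malware, but it is what a hand-dropped keylogger looks like.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/")
BOOT_TARGETS = ("multi-user.target", "default.target", "graphical.target")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal parser for systemd's INI-like unit syntax; keys may repeat."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_path(exec_start: str) -> str:
    """Drop systemd's ExecStart prefix characters (-, @, :, +, !) and return the program path."""
    cmd = exec_start.lstrip("-@:+!").strip()
    return cmd.split()[0] if cmd else ""


def audit_unit(name: str, text: str) -> List[str]:
    """Return findings for one unit; an empty list means nothing stood out."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    install = unit.get("Install", {})
    untrusted = [p for p in map(exec_path, service.get("ExecStart", []))
                 if p and not p.startswith(TRUSTED_PREFIXES)]
    if not untrusted:
        return []
    findings = [f"{name}: ExecStart runs {p} outside packaged binary directories"
                for p in untrusted]
    wanted_by = " ".join(install.get("WantedBy", []))
    if any(t in wanted_by for t in BOOT_TARGETS):
        findings.append(f"{name}: enabled at boot via WantedBy={wanted_by}")
    if "always" in service.get("Restart", []):
        findings.append(f"{name}: Restart=always, so killing the process just respawns it")
    return findings


def audit_units(units: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a mapping of unit name -> unit file text; only units with findings are returned."""
    report = {}
    for name, text in units.items():
        findings = audit_unit(name, text)
        if findings:
            report[name] = findings
    return report


def audit_directory(directory: str = "/etc/systemd/system") -> Dict[str, List[str]]:
    """Same audit over real unit files (admin-created and malware-created units usually land here)."""
    units = {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.service")}
    return audit_units(units)


# Constructed sample units: a packaged daemon and an invented suspicious one.
SAMPLE_UNITS = {
    "cron.service": """[Unit]
Description=Regular background program processing daemon
[Service]
ExecStart=/usr/sbin/cron -f
Restart=on-failure
[Install]
WantedBy=multi-user.target
""",
    "sysupdate.service": """[Unit]
Description=System Update Helper
After=network-online.target
[Service]
ExecStart=/home/user/.cache/.sysupdate/updater --quiet
Restart=always
[Install]
WantedBy=multi-user.target
""",
}

if __name__ == "__main__":
    for findings in audit_units(SAMPLE_UNITS).values():
        print("\n".join(findings))
```

On a live box, run `audit_directory()` against `/etc/systemd/system` and again against `~/.config/systemd/user`, since a user-level unit also survives a reboot once the user logs in; `systemctl list-unit-files --state=enabled` gives you the list of names to compare against.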
  • 13
    @dudeking I usually run Wireshark at random times just to see the network traffic on my laptop, especially before doing sensitive actions like accessing a production database. I just saw this retransmission to a new IP whenever I click a key and started investigating the payload and source.
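Added example, not code from the OP or the thread: what the OP noticed by eye (a small packet to one IP for every key pressed) can be turned into a heuristic over captured IRC payloads. The sample capture below is constructed with documentation IP ranges and an invented command line; the thresholds (at least 20 messages, 80% of them one or two characters, median spacing under two seconds) are assumptions tuned to separate typing cadence from human chat, not values taken from the thread.

```python
"""Spot IRC-based keystroke exfiltration in captured TCP payloads."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    ts: float        # capture time in seconds
    dst: str         # destination "ip:port"
    payload: bytes   # TCP payload (what Wireshark shows under "IRC" or "Data")


# IRC client -> server message carrying text: "PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(rb"^(?:PRIVMSG|NOTICE)\s+\S+\s+:(.*)$")


def irc_message_bodies(payload: bytes) -> List[bytes]:
    """Split a payload on IRC line endings and return the text of each PRIVMSG/NOTICE."""
    bodies = []
    for line in payload.split(b"\r\n"):
        m = PRIVMSG_RE.match(line.strip(b"\r\n"))   # keep inner spaces: a typed space is a 1-byte body
        if m:
            bodies.append(m.group(1))
    return bodies


def find_keystroke_exfil(packets: List[Packet], min_msgs: int = 20,
                         short_ratio: float = 0.8, max_median_gap: float = 2.0) -> Dict[str, dict]:
    """Flag destinations receiving many 1-2 character IRC messages at typing cadence.

    Human chat sends a sentence per message every few seconds; a keylogger that
    ships each key as it is pressed sends one or two bytes per message, tenths
    of a second apart.  Thresholds are assumptions, tune them to your traffic.
    """
    per_dst: Dict[str, List[tuple]] = defaultdict(list)
    for p in packets:
        for body in irc_message_bodies(p.payload):
            per_dst[p.dst].append((p.ts, len(body)))
    flagged = {}
    for dst, entries in per_dst.items():
        if len(entries) < min_msgs:
            continue
        entries.sort()
        short = sum(1 for _, n in entries if n <= 2)
        gaps = sorted(b[0] - a[0] for a, b in zip(entries, entries[1:]))
        median_gap = gaps[len(gaps) // 2]
        ratio = short / len(entries)
        if ratio >= short_ratio and median_gap <= max_median_gap:
            flagged[dst] = {"messages": len(entries),
                            "short_ratio": round(ratio, 2),
                            "median_gap_s": round(median_gap, 3)}
    return flagged


def constructed_capture() -> List[Packet]:
    """Constructed sample traffic (documentation IP ranges, invented hostnames), not the OP's capture."""
    pkts = []
    chat = [b"hey, anyone around?", b"pushing the fix now", b"done, please review"]
    for i, text in enumerate(chat):   # ordinary chat: long messages, seconds apart
        pkts.append(Packet(100.0 + 10 * i, "203.0.113.5:6667",
                           b"PRIVMSG #dev :" + text + b"\r\n"))
    typed = b"psql -h db.internal -U admin"   # what a victim might type
    for i, ch in enumerate(typed):    # exfil: one key per message, 150 ms apart
        pkts.append(Packet(200.0 + 0.15 * i, "198.51.100.23:6667",
                           b"PRIVMSG #k :" + bytes([ch]) + b"\r\n"))
    pkts.append(Packet(205.0, "198.51.100.23:6667", b"PING :srv\r\n"))  # non-PRIVMSG lines are ignored
    return pkts


if __name__ == "__main__":
    for dst, stats in find_keystroke_exfil(constructed_capture()).items():
        print(dst, stats)
```

To run this over a real capture, export the fields with `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport -e tcp.payload` and build `Packet` objects from the rows (the payload column is hex). The same shape of heuristic applies if the exfil is not IRC at all: many tiny messages to one host at keystroke cadence is the signal, the protocol is incidental.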
  • 12
    I actually don't know how long the keylogger might have been on it, but I have reset all my passwords for most of my services. I usually don't work on the home laptop, but this just scared me bad! I am very skeptical now.
  • 3
    What software, and how did you obtain it? I'd like to avoid it.
  • 0
    📌
  • 5
    You may upload the malware to sites like VirusTotal to find out if it is known malware. It will even show connections like 'malware families' and other common software pieces it is accompanied with.
    I hope you can find out more.
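Added example, not code from the thread: before uploading the file anywhere or opening it in a disassembler, the usual first pass on "a binary file" is to hash it (VirusTotal lets you search by SHA-256, which tells you whether it is already known without handing the file over), read the ELF header, and pull printable strings. The blob below is a constructed stand-in for the OP's file (a fake 64-bit ELF header plus strings an IRC keystroke tool might carry; the channel name and format strings are invented), and the indicator lists are illustrative assumptions, not a signature database.

```python
"""First-pass static triage of an unknown ELF binary before opening it in a disassembler."""
import hashlib
import re
import struct
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # what the `strings` tool extracts by default
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "i386", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}

# Illustrative indicator lists (assumption, not a signature database): strings an
# unexplained service binary should not contain without a good reason.
INDICATORS = {
    "irc_protocol": ("PRIVMSG", "NICK ", "JOIN ", "USER "),
    "input_capture": ("/dev/input", "XRecord"),
}


def elf_header(blob: bytes) -> Dict[str, str]:
    """Decode class, byte order, object type and machine from the ELF header; {} if not ELF."""
    if not blob.startswith(ELF_MAGIC) or len(blob) < 20:
        return {}
    little = blob[5] == 1                       # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack(("<" if little else ">") + "HH", blob[16:20])
    return {
        "class": {1: "32-bit", 2: "64-bit"}.get(blob[4], "unknown"),   # EI_CLASS
        "endian": "little" if little else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
    }


def extract_strings(blob: bytes) -> List[str]:
    """Printable ASCII runs of four or more bytes, like `strings -n 4`."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(blob)]


def triage(blob: bytes) -> dict:
    """Hash, header and indicator hits for one file's bytes."""
    strings = extract_strings(blob)
    indicators = {}
    for category, needles in INDICATORS.items():
        hits = sorted({s for s in strings if any(n in s for n in needles)})
        if hits:
            indicators[category] = hits
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),   # search this on VirusTotal before uploading
        "elf": elf_header(blob),
        "string_count": len(strings),
        "indicators": indicators,
    }


# Constructed stand-in for the OP's file: a fake 64-bit ELF header followed by
# the kind of strings a keystroke-to-IRC tool would carry (all invented).
SAMPLE_BLOB = (
    ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7      # e_ident: 64-bit, little-endian
    + struct.pack("<HH", 3, 0x3E)                          # e_type=DYN (PIE), e_machine=x86-64
    + b"\x00" * 44                                         # rest of the 64-byte header, zeroed
    + b"\x00".join([b"/lib64/ld-linux-x86-64.so.2", b"libc.so.6",
                    b"/dev/input/event%d", b"NICK kl%04d", b"PRIVMSG #keys :%c"])
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BLOB), indent=2))
```

On a real file, `file`, `readelf -h`, `strings -n 4` and `sha256sum` give you the same facts from the shell; the point of the script is that the header and the strings already tell you architecture, whether it is a PIE, and roughly what it talks to, which is the context you want before loading it into Ghidra.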
  • 7
    You could use Ghidra. It's software released by the NSA for reverse engineering. I'd be delighted to cooperate if you'd like!
  • 0
    🔖
  • 0
    📌
  • 0
    🍿
  • 1
    @meowxiik Thank you so much for this suggestion. I have never heard of it, but I just saw its repo and it seems really helpful. I shall update after trying it out.
  • 1
    🍿🍿🍿
  • 1
    ⌨️🔨
  • 0
    📌
  • 2
    Although not 100% conversant with the language you're using, I'm certainly aware that a major clusterfuck security breach occurred whilst you were innocently rat-tat-tatting away. Long ago, I remembered to go to Google when I saw an app I just *HAD* to have. I'd key in "devrant safe?" or, as I do now, "devrant malware", and it has saved my arse so many times. Funnily enough, whilst using Google Chrome to clean out some temp files, I followed their instructions. In Google Chrome settings there's a link to clean up your hard drive's files that are completely unnecessary. Now, being inside of Google Chrome already, I didn't think to ask about this clean-up tool. It cleaned up the hard drive all right, by destroying it. And people wonder why I'd rather read something by Dickens in all its wordiness than hold a conversation wit dem??? Good luck with your search on this. Didn't mean to hijack the OP's tale with one minor one of me own.
  • 1
    Gentoo with OpenRC.
    -> no systemd
    -> everything compiled from source
    😉

    However, I'd like to know whether ClamAV would have detected that thing. Do you have it installed?
  • 1
    📌🌯🥀
  • 1
    📌
  • 1
    📝
  • 2
    📌 pinned for updates
  • 0
    Depends on what language, how it was built, etc.
  • 5
    @Yamakuzure Source code could be poisoned with malware as well. Even building from source is not a guarantee against malware distribution.
  • 2
    @irene

    You'd have to totally understand the source code to be sure what it did!
  • 1
    @irene yes. I merely replied to the OP. 😉
  • 0
    📝
  • 0
    📌
  • 2
    WHAT SOFTWARE WAS THAT??? 😩😩😩
  • 4
    @irene I haven't been successful in reverse engineering the binary so far. I am working on it, and this will be the first place I'll post once I get it. The syslogs are also no longer available for that period, and the server shut down.
  • 2
    I've heard a lot of people actually prefer IDA Pro to Ghidra. And plus... you just installed software from the NSA.
    ..
    ..
    And then you wonder why you're getting keyloggers..
  • 1
    📌
  • 0
    @SecFreak I've heard the problem with IDA is no support for x64.
  • 1
    📝
  • 1
    Mash your keyboard to overload the server