Hacked

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
Hello, all.

I have an Ubuntu 16.04 PC that seems to have been hacked.

I got a blackmail Email containing one of my passwords, wanting $3000. They claim to have installed an RDP with key logging from a video clip I viewed.

Is there any anti-malware software I could run to "clean" the install?

Or should I just erase the disks and install a new OS version (say, 18.04)?

Would it be safe to copy my /home directory to a flash drive and check it for viruses on a Windows PC using both Avast and Windows defender, and then copy that back /home once I get the new OS installed on the Ubuntu PC?

Thanks.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
Bummer. I thought the Macs and Linux were impermeable. I would not give anyone any money.
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
There a few AV solutions for Linux, but most these target Win32/macOS viruses. You could try ClamAV, but it's best to "nuke it from orbit" and clean install... (copy your data from /home, scan and restore seems ok).

As for their claims, checking for an RDP server instance, you need to check for any applications with open listening ports ('netstat -a'), this will also detect any applications with open sockets (eg keylogger), but running 'ps aux' from a user with root will show all processes... filter out any unknowns and check their validity...

But a password? How many sites are breached these days, heaps... Best to change all passwords on all sites to be safe as well...

You can also validate your installation, by checking all installed files against their installation package (all deb's have MD5 hashes as a minimum for installed files).

FYI, Ubuntu ship a keylogger in their repositories - http://manpages.ubuntu.com/manpages/trusty/man8/logkeys.8.html
FYI, Ubuntu ship a RDP Server in their repositories as well - https://help.ubuntu.com/community/xrdp
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,327
Location
Gold Coast Hinterland, Australia
Bummer. I thought the Macs and Linux were impermeable. I would not give anyone any money.

LM, Mac's and Linux systems certainly do have malware. Anyone who says otherwise is very-very misinformed.

1, https://en.wikipedia.org/wiki/MacOS_malware
2, https://en.wikipedia.org/wiki/Linux_malware

malware of GNU/Linux systems is on the rise, due to the increased deployment of GNU/Linux on cloud services... Easy to grab a few Linux instances on Amazon, Azure, etc for cryptocurrency mining, spam relays, DDOS botnet node, etc...
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
They will try to use the payment info to steal more. Don't do it.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
They will try to use the payment info to steal more. Don't do it.
Well of course he shouldn't do it. I'm just trying to figure out what they're promising to do in exchange for the $3k. There has to be some carrot they're dangling.
 

snowhiker

Storage Freak Apprentice
Joined
Jul 5, 2007
Messages
1,668
Is the hacked password used on your system or used to access another? This sounds like phishing to me, with a hacked password given to 'legitimize' the attack.
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
Thanks for your responses so far.

$3k for what? What are they promising in return? :scratch:pS: Nuke from orbit... :bomb:
$3K not to Email everyone in my Address Book tying me to the "naughty" video I viewed. Within 24 hours. Of course, I did not pay. But as I mentioned, they had one of my passwords, so I've had to change all of them.

Lunar said:
Bummer. I thought the Macs and Linux were impermeable.
As they would like us to believe. I am pretty paranoid about checking for and installing new security updates often, but that obviously didn't help.

Chewy said:
checking for an RDP server instance, you need to check for any applications with open listening ports ('netstat -a'), this will also detect any applications with open sockets (eg keylogger), but running 'ps aux' from a user with root will show all processes... filter out any unknowns and check their validity...
You can also validate your installation, by checking all installed files against their installation

I'm not that Linux savvy to know what apps would be "unknowns", etc.

Does anyone "here" know of a bootable CD that could do the virus scanning accurately?

Or should I just bite the bullet and nuke it, a major hassle involving reinstalling my apps, drivers, configs, etc. And then having to convert my usage patterns from Unity to Gnome.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
I'll give you Sydney to a brick that their RDP keylogger runs only on Windows (if it even exists, which it almost certainly doesn't).

You could simply ignore the whole thing other than changing passwords and be 99% safe.

Are you happy with 99% Perhaps for peace of mind you could nuke it and reinstall.

Be aware that the compromised system (if indeed it is one of your systems at all, rather than a remote system somewhere that you logged into once) is very likely not your computer but your phone or tablet. Android is a minefield.
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
I'm pretty certain that the problem was on that one Ubuntu PC; it's the only device I viewed naughty videos on. So I'll take Sydney. ;)

I don't care that much about the blackmail aspect, but other than the password they Emailed me, I don't know what other passwords or info they might have gotten from the keylogger, and that's what scares me. And the possibility that it might still be running, along with whatever other malware they installed, even after a couple of reboots.

Anyway, thanks again, all, for your comments and suggestions.
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
Does anyone "here" know of a bootable CD that could do the virus scanning accurately?
I've found a couple of these:

  • Antivirus Live CD: this fully-generically-named software claims to be "an official 4MLinux fork including the ClamAV scanner." So, since it's official Open Source Software, it's got to be great.
  • Dr.Web LiveDisk: It's Russian, so it has to be world-class.
I may give those a try, just to see what I can see. Still grudgingly planning on the nuke and rebuild.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
I've found a couple of these:

  • Antivirus Live CD: this fully-generically-named software claims to be "an official 4MLinux fork including the ClamAV scanner." So, since it's official Open Source Software, it's got to be great.
  • Dr.Web LiveDisk: It's Russian, so it has to be world-class.
I may give those a try, just to see what I can see. Still grudgingly planning on the nuke and rebuild.

Aren't there backup and restore programs for the LINUX?
 

Striker

Learning Storage Performance
Joined
Sep 17, 2007
Messages
269
They probably got your email and password from one of the many websites that have been hacked, and emailed you threatening the rest. I doubt that they have accessed your personal machine at all, even if you use the same password on it.
That said, I would still change all passwords that are the same or similar, and any other important passwords while I was at it, and nuke the install from orbit. I would go ahead and copy /home but would probably scan it for malware and any virus.
While I was at it, I would run anti malware and anti virus scans on any other machines I use.
I really doubt you have been hacked personally, it just seems random, and a lot of work for low chance of any gain. Your email and password are probably on a list somewhere on the darkweb and this douchenozzel is emailing all the people on that list with the same form email hoping to get money.
 

fb

Storage is cool
Joined
Jan 31, 2003
Messages
708
Location
Östersund, Sweden
I read about an incident exactly like this with the same sums and so on, in swedish media. So it looks like this is a quite widespread scam at the moment.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
I read about an incident exactly like this with the same sums and so on, in swedish media. So it looks like this is a quite widespread scam at the moment.

So you were not hacked at all?
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
This was a total scam. As Striker suggested, the password came from a breach at one of the sites you have (or had) an account with. Password re-use is bad. More info:
https://nakedsecurity.sophos.com/20...cam-knows-your-password-but-dont-fall-for-it/
Thanks very much, that link was interesting. As it happens, a friend of mine seems to have gotten a similar Email, and I've just sent him your link. I bet his was quite similar to mine. So maybe I don't need to do a cosmic nuking of that one Ubuntu PC; I've been using another, Windows, PC for my confidential business.
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
What pixel? Would that be an HTML type with embroidered jpeg? Aren't jpegs disabled by default or can't you open a suspected email as text?
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
ROFLcopters...
Hello!

I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from xxxxxxxxxx@xxxxxxxxxx.edu on moment of hack: xxxxxxxx

Of course you can will change it, or already changed it.
But it doesn't matter, my malware updated it every time.

Do not try to contact me or find me, it is impossible, since I sent you an email from your account.

Through your email, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a Trojan on your device and long tome spying for you.

You are not my only victim, I usually lock computers and ask for a ransom.
But I was struck by the sites of intimate content that you often visit.

I am in shock of your fantasies! I've never seen anything like this!

So, when you had fun on piquant sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I combined them to the content of the currently viewed site.

There will be laughter when I send these photos to your contacts!
BUT I'm sure you don't want it.

Therefore, I expect payment from you for my silence.
I think $875 is an acceptable price for it!

Pay with Bitcoin.
My BTC wallet: (removed)

If you do not know how to do this - enter into Google "how to transfer money to a bitcoin wallet". It is not difficult.
After receiving the specified amount, all your data will be immediately destroyed automatically. My virus will also remove itself from your operating system.

My Trojan have auto alert, after this email is read, I will be know it!

I give you 2 days (48 hours) to make a payment.
If this does not happen - all your contacts will get crazy shots from your dark secret life!
And so that you do not obstruct, your device will be blocked (also after 48 hours)

Do not be silly!
Police or friends won't help you for sure ...

p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites.

I hope for your prudence.
Farewell.
My only disappointment is that I can't reply to the e-mail.
 

Newtun

Storage is nice, especially if it doesn't rotate
Joined
Nov 21, 2002
Messages
465
Location
Virginia
I'm guessing that your faithful correspondent is not a native English speaker. BTW, I just got another blackEmail yesteday, from @list.ru. Their English was a little better, but only by about 62%. ;)
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
I'm guessing that your faithful correspondent is not a native English speaker. BTW, I just got another blackEmail yesteday, from @list.ru. Their English was a little better, but only by about 62%. ;)
The e-mail I got appears to come from the e-mail address they claim to have hacked. However, when I looked at the full headers it looks like it originates from a Google account if I'm reading it correctly.

It's laughable for many reasons. The first and foremost is that the e-mail account they claim to have compromised is not an actual e-mail account. It's simply a forwarder. Anything sent to that address just gets forwarded to another account. Second, the password they list isn't the password for the forwarder. :nono:
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Nice... I got another one from a different "hacker" with the same basic shtick.
Hello!

I'm a programmer who cracked your email account and device about half year ago.
You entered a password on one of the insecure site you visited, and I catched it.
Your password from xxxxxxxxxx@xxxxxxxxxx.edu on moment of crack: xxxxxxxx

Of course you can will change your password, or already made it.
But it doesn't matter, my rat software update it every time.

Please don't try to contact me or find me, it is impossible, since I sent you an email from your email account.

Through your e-mail, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a rat software on your device and long tome spying for you.

You are not my only victim, I usually lock devices and ask for a ransom.
But I was struck by the sites of intimate content that you very often visit.

I am in shock of your reach fantasies! Wow! I've never seen anything like this!
I did not even know that SUCH content could be so exciting!

So, when you had fun on intime sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I jointed them to the content of the currently viewed site.

Will be funny when I send these photos to your contacts! And if your relatives see it?
BUT I'm sure you don't want it. I definitely would not want to ...

I will not do this if you pay me a little amount.
I think $860 is a nice price for it!

I accept only Bitcoins.
My BTC wallet: (removed)

If you have difficulty with this - Ask Google "how to make a payment on a bitcoin wallet". It's easy.
After receiving the above amount, all your data will be immediately removed automatically.
My virus will also will be destroy itself from your operating system.

My Trojan have auto alert, after this email is looked, I will be know it!

You have 2 days (48 hours) for make a payment.
If this does not happen - all your contacts will get crazy shots with your dirty life!
And so that you do not obstruct me, your device will be locked (also after 48 hours)

Do not take this frivolously! This is the last warning!
Various security services or antiviruses won't help you for sure (I have already collected all your data).

Here are the recommendations of a professional:
Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!

I hope you will be prudent.
Bye.
This one even sent a reminder / final warning e-mail. Yahoo send them both straight into the spam folder.
 

Striker

Learning Storage Performance
Joined
Sep 17, 2007
Messages
269
My wife gets dozens of them a day. Google is smart enough to send them to the spam folder.
I pointed out she needs to make sure to never use that password or anything like it again.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
I received a similar email. Oddly enough it is to and from an e-mail account that I only used a couple of times about 5-6 years ago.
Occasionally I receive offers for some software I tried as a demon back then.
There is no indication that the extortionists have any passwords, so the threat is less credible than the one mentioned above.
Perhaps that is the reason for the $1000 price compared to $3000 in 2018.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
16,624
Location
USA
I keep receiving similar messages with varying threats. It's even more annoying than my Japanese toe nail fungus problem.
The entire text is actually an image.
Unfortunately the messages come from my own email address so if I block it, I cannot send myself emails. :(
 
Top