Hello, I think I am the victim of malware. I am on Debian Bullseye. I no longer have root access; all of /usr/bin are symlinks to other binaries. I have multiple unexpected SSH connections and malicious processes that use deleted files (source: rkhunter).
My default DNS has been replaced by Avahi's mDNS, but I do not have the rights to change it... I wrote a sniffer in C that extracts the strings from TCP/UDP packets. Everything is encrypted via TLS and goes through Tor. I get an error message at boot saying that my ACPI tables are corrupted. I have reinstalled, flashed the BIOS, cleared the CMOS, changed the motherboard, and the problem is still there. Here is the result for a few minutes:
Here is the nmap scan:
# nmap -sV --version-intensity 5 192.168.1.1/24 --randomize-hosts
gem.gbc.criteo.com gbc4.fr.eu dnacdn.net cdn.ampproject.org fonts.googleapis.com fonts.googleapis.com tpc.googlesyndication.com tpc.googlesyndication.com safebrowsing.googleapis.com safebrowsing.googleapis.com ocsp.pki.goog pki-goog.l.google.com c}POST /gts1c3 HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 84..Connection: keep-alive....0R0P0N0L0J0...+... 7*POST /gts1c3 HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 84..Connection: keep-alive....0R0P0N0L0J0...+... POST /gts1c3 HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 84..Connection: keep-alive....0R0P0N0L0J0...+... POST /gts1c3 HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 84..Connection: keep-alive....0R0P0N0L0J0...+... 
HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:16 GMT..Cache-Control: public, max-age=86400..Server: ocsp_responder..Content-Length: 472..X-XSS-Protection: 0..X-Frame-Options: SAMEORIGIN....0 HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:16 GMT..Cache-Control: public, max-age=86400..Server: ocsp_responder..Content-Length: 472..X-XSS-Protection: 0..X-Frame-Options: SAMEORIGIN....0 POST /gts1c3 HTTP/1.1..Host: ocsp.pki.goog..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 84..Connection: keep-alive....0R0P0N0L0J0...+... HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:16 GMT..Cache-Control: public, max-age=86400..Server: ocsp_responder..Content-Length: 472..X-XSS-Protection: 0..X-Frame-Options: SAMEORIGIN....0 HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:16 GMT..Cache-Control: public, max-age=86400..Server: ocsp_responder..Content-Length: 472..X-XSS-Protection: 0..X-Frame-Options: SAMEORIGIN....0 HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:16 GMT..Cache-Control: public, max-age=86400..Server: ocsp_responder..Content-Length: 472..X-XSS-Protection: 0..X-Frame-Options: SAMEORIGIN....0 accounts.google.com mail.yahoo.com edge.gycpi.b.yahoodns.net dt.adsafeprotected.com dt.adsafeprotected.com dt-external-217593033.us-east-1.elb.amazonaws mail.yahoo.com edge.gycpi.b.yahoodns.net udc.yahoo.com .udc-ats.media.g03.yahoodns.net udc.yahoo.com .udc-ats.media.g03.yahoodns.net btlr.sharethrough.com btlr.sharethrough.com c.aaxads.com !.wildcard.aaxads.com.edgekey.net e12767.d.akamaiedge ib.adnxs.com g.geogslb hb-api.omnitagjs.com ads.servenobid.com bidder.criteo.com hbopenbid.pubmatic.com 
hbopenbid22000nfc hbopenbid22000nf tag.1rx.io 220219235959Z0^1.0...U....US1.0...U....New York1.0...U....New York1.0...U....Xandr Inc.1.0...U....*.adnxs.com0Y0...* 1.0...U....US1.0...U....Arizona1.0...U....Scottsdale1 U....GoDaddy.com, Inc.1-0+..U...$http://certs.godaddy.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G20 The Go Daddy Group, Inc.110/..U...(Go Daddy Class 2 Certification Authority0 U....GoDaddy.com, Inc.110/..U...(Go Daddy Root Certificate Authority - G20 Class 2 Certification Authority0 U....Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0 c.aaxads.com !.wildcard.aaxads.com.edgekey.net beap-bc.yahoo.com edge.gycpi.b.yahoodns.net csm.nl.eu.criteo.net csm.am5.vip.prod fra1-ib.adnxs.com cdn.adnxs.com prod.appnexus.map.fastly.net 220219235959Z0^1.0...U....US1.0...U....New York1.0...U....New York1.0...U....Xandr Inc.1.0...U....*.adnxs.com0Y0...* googleads.g.doubleclick.net googleads.g.doubleclick.net U....GlobalSign nv-sa1;09..U...2GlobalSign Organization Validated CA - SHA256 - G40 220611234713Z0`1.0...U....US1.0...U....New York1.0...U....New York1.0...U....Xandr Inc.1 POST / HTTP/1.1..Host: ocsp.digicert.com..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 83..Connection: keep-alive....0Q0O0M0K0I0...+... 
HTTP/1.1 200 OK..Accept-Ranges: bytes..Age: 5235..Cache-Control: max-age=160668..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:20 GMT..Etag: "61507bad-13a"..Expires: Tue, 28 Sep 2021 15:22:08 GMT..Last-Modified: Sun, 26 Sep 2021 13:54:53 GMT..Server: ECS (pab/6F8C)..X-Cache: HIT..Content-Length: 314....0 Xaj;POST / HTTP/1.1..Host: ocsp.digicert.com..User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0..Accept: */*..Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3..Accept-Encoding: gzip, deflate..Content-Type: application/ocsp-request..Content-Length: 83..Connection: keep-alive....0Q0O0M0K0I0...+... HTTP/1.1 200 OK..Accept-Ranges: bytes..Age: 874..Cache-Control: 'max-age=158059'..Content-Type: application/ocsp-response..Date: Sun, 26 Sep 2021 18:44:20 GMT..Last-Modified: Sun, 26 Sep 2021 18:29:46 GMT..Server: ECS (pab/6F9D)..X-Cache: HIT..Content-Length: 314....0 pagead2.googlesyndication.com pagead2.googlesyndication.com _services._dns-sd._udp.local www.googletagservices.com compteur.developpez.com quantcast.mgr.consensu.org secure.quantserve.com ssl.google-analytics.com www.googletagservices.com www.developpez.com www.developpez.net compteur.developpez.com ssl.google-analytics.com .ssl-google-analytics.l.google www.developpez.net secure.quantserve.com quantcast.mgr.consensu.org altsysimg.developpez.com altsysimg.developpez.com compt.developpez.com compt.developpez.com ads.themoneytizer.com ads.themoneytizer.com .ads-lfi3olnec7fr.stackpathdns securepubads.g.doubleclick.net securepubads.g.doubleclick.net rules.quantcount.com rules.quantcount.com d2fashanjl7d9f.cloudfront.net altsysimg.developpez.com altsysimg.developpez.com pixel.quantserve.com pixel.quantserve.com global.px M-SEARCH * HTTP/1.1..MX: 5..ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1..HOST: 239.255.255.250:1900..MAN: "ssdp:discover".... 
www.developpez.com forum.developpez.be gabarit.developpez.be gabarit.developpez.be forum.developpez.be U....www.digicert.com1/0-..U...&DigiCert SHA2 High Assurance Server CA0 images-na.ssl-images-amazon.com images-na.ssl-images-amazon.com safebrowsing.googleapis.com safebrowsing.googleapis.com
What do you think? What should I do?
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-26 20:00 CEST
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq gen_2.78_v0.1.6
80/tcp open http?
113/tcp closed ident
135/tcp closed msrpc
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/https?
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.3
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.80%I=5%D=9/26%Time=6150B534%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,70A,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20must-revalidate
SF:\r\nSet-Cookie:\x2045b4c072/accept-language=;\x20path=/;\x20SameSite=St
SF:rict\r\nETAG:\x2045b4c072\r\nX-Frame-Options:\x20SAMEORIGIN\r\nStrict-T
SF:ransport-Security:\x20max-age=31536000;\x20includeSubDomains\r\nX-Conte
SF:nt-Type-Options:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=u
SF:tf-8\r\nCache-Control:\x20must-revalidate\r\nContent-Length:\x201451\r\
SF:n\r\n<!DOCTYPE\x20html>\n<!--\x20/ht\x20Paul\x20Irish\x20-\x20http://fr
SF:ont\.ie/j5OMXi\x20-->\n<!--\[if\x20lt\x20IE\x207\x20\]>\x20<html\x20cla
SF:ss=\"no-js\x20ie6\"\x20lang=\"fr\">\x20<!\[endif\]-->\n<!--\[if\x20IE\x
SF:207\x20\]>\x20\x20\x20\x20<html\x20class=\"no-js\x20ie7\"\x20lang=\"fr\
SF:">\x20<!\[endif\]-->\n<!--\[if\x20IE\x208\x20\]>\x20\x20\x20\x20<html\x
SF:20class=\"no-js\x20ie8\"\x20lang=\"fr\">\x20<!\[endif\]-->\n<!--\[if\x2
SF:0\(gte\x20IE\x209\)\|!\(IE\)\]><!-->\n<html\x20class=\"no-js\"\x20lang=
SF:\"fr\">\n\x20\x20<!--<!\[endif\]-->\n\x20\x20<head>\n\x20\x20\x20\x20<t
SF:itle\x20data-translation=\"common\.headtitlelogin\"></title>\n\x20\x20\
SF:x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"text/html;\x20
SF:charset=UTF-8\">\n\x20\x20\x20\x20<meta\x20http-equiv=\"x-dns-prefetch-
SF:control\"\x20content=\"off\"")%r(HTTPOptions,82,"HTTP/1\.0\x20200\x20OK
SF:\r\nAllow:\x20OPTIONS,PROPFIND,GET,PUT,POST,DELETE\r\nContent-Length:\x
SF:200\r\nDAV:\x201,2,resumable-upload\r\nMS-Author-Via:\x20DAV\r\n\r\n")%
SF:r(RTSPRequest,82,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,PROPFIND,
SF:GET,PUT,POST,DELETE\r\nContent-Length:\x200\r\nDAV:\x201,2,resumable-up
SF:load\r\nMS-Author-Via:\x20DAV\r\n\r\n")%r(FourOhFourRequest,175,"HTTP/1
SF:\.0\x20404\x20Not\x20Found\r\nCache-Control:\x20public,max-age=31536000
SF:\r\nETAG:\x2045b4c072\r\nX-Frame-Options:\x20SAMEORIGIN\r\nStrict-Trans
SF:port-Security:\x20max-age=31536000;\x20includeSubDomains\r\nX-Content-T
SF:ype-Options:\x20nosniff\r\nTE:\x20chunked\r\nTransfer-Encoding:\x20chun
SF:ked\r\nContent-Type:\x20text/html\r\n\r\n58\r\n<html><head><title>Not\x
SF:20Found</title></head><body><h1>404\x20-\x20Not\x20Found</h1></body></h
SF:tml>\n\r\n0\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=7.80%T=SSL%I=5%D=9/26%Time=6150B53C%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,70A,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20must-rev
SF:alidate\r\nSet-Cookie:\x2045b4c072/accept-language=;\x20path=/;\x20Same
SF:Site=Strict\r\nETAG:\x2045b4c072\r\nX-Frame-Options:\x20SAMEORIGIN\r\nS
SF:trict-Transport-Security:\x20max-age=31536000;\x20includeSubDomains\r\n
SF:X-Content-Type-Options:\x20nosniff\r\nContent-Type:\x20text/html;\x20ch
SF:arset=utf-8\r\nCache-Control:\x20must-revalidate\r\nContent-Length:\x20
SF:1451\r\n\r\n<!DOCTYPE\x20html>\n<!--\x20/ht\x20Paul\x20Irish\x20-\x20ht
SF:tp://front\.ie/j5OMXi\x20-->\n<!--\[if\x20lt\x20IE\x207\x20\]>\x20<html
SF:\x20class=\"no-js\x20ie6\"\x20lang=\"fr\">\x20<!\[endif\]-->\n<!--\[if\
SF:x20IE\x207\x20\]>\x20\x20\x20\x20<html\x20class=\"no-js\x20ie7\"\x20lan
SF:g=\"fr\">\x20<!\[endif\]-->\n<!--\[if\x20IE\x208\x20\]>\x20\x20\x20\x20
SF:<html\x20class=\"no-js\x20ie8\"\x20lang=\"fr\">\x20<!\[endif\]-->\n<!--
SF:\[if\x20\(gte\x20IE\x209\)\|!\(IE\)\]><!-->\n<html\x20class=\"no-js\"\x
SF:20lang=\"fr\">\n\x20\x20<!--<!\[endif\]-->\n\x20\x20<head>\n\x20\x20\x2
SF:0\x20<title\x20data-translation=\"common\.headtitlelogin\"></title>\n\x
SF:20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"text/ht
SF:ml;\x20charset=UTF-8\">\n\x20\x20\x20\x20<meta\x20http-equiv=\"x-dns-pr
SF:efetch-control\"\x20content=\"off\"")%r(HTTPOptions,82,"HTTP/1\.0\x2020
SF:0\x20OK\r\nAllow:\x20OPTIONS,PROPFIND,GET,PUT,POST,DELETE\r\nContent-Le
SF:ngth:\x200\r\nDAV:\x201,2,resumable-upload\r\nMS-Author-Via:\x20DAV\r\n
SF:\r\n")%r(FourOhFourRequest,175,"HTTP/1\.0\x20404\x20Not\x20Found\r\nCac
SF:he-Control:\x20public,max-age=31536000\r\nETAG:\x2045b4c072\r\nX-Frame-
SF:Options:\x20SAMEORIGIN\r\nStrict-Transport-Security:\x20max-age=3153600
SF:0;\x20includeSubDomains\r\nX-Content-Type-Options:\x20nosniff\r\nTE:\x2
SF:0chunked\r\nTransfer-Encoding:\x20chunked\r\nContent-Type:\x20text/html
SF:\r\n\r\n58\r\n<html><head><title>Not\x20Found</title></head><body><h1>4
SF:04\x20-\x20Not\x20Found</h1></body></html>\n\r\n0\r\n\r\n")%r(RTSPReque
SF:st,82,"HTTP/1\.0\x20200\x20OK\r\nAllow:\x20OPTIONS,PROPFIND,GET,PUT,POS
SF:T,DELETE\r\nContent-Length:\x200\r\nDAV:\x201,2,resumable-upload\r\nMS-
SF:Author-Via:\x20DAV\r\n\r\n");
MAC Address: E8:D2:FF:E0:88:D0 (Unknown)

Nmap scan report for 192.168.1.10
Host is up (0.00077s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http-proxy?
8443/tcp open ssl/https-alt?
9080/tcp open http Mongoose httpd
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=5%D=9/26%Time=6150B534%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,80,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Length:\x2020\
SF:r\nContent-Type:\x20text/html\r\nDate:\x20Sun,\x2026\x20Sep\x202021\x20
SF:18:00:20\x20GMT\r\n\r\n<b>404\x20Not\x20Found</b>")%r(FourOhFourRequest
SF:,80,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Length:\x2020\r\nConte
SF:nt-Type:\x20text/html\r\nDate:\x20Sun,\x2026\x20Sep\x202021\x2018:00:20
SF:\x20GMT\r\n\r\n<b>404\x20Not\x20Found</b>");
MAC Address: 30:24:78:AB:6E:3F (Sagemcom Broadband SAS)

Nmap scan report for 192.168.1.13
Host is up (0.0000030s latency).
All 1000 scanned ports on 192.168.1.13 are closed

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 49.66 seconds
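Two of the symptoms in the post can be checked locally without rkhunter: processes whose executable or mapped code comes from a file that has since been unlinked (the "deleted files" finding), and /usr/bin entries that are symlinks pointing somewhere they should not. The script below is an added example written for this thread, not code from the original post or the author's C sniffer. It goes slightly beyond the post in that it does not flag every symlink (on Debian bullseye with merged /usr and /etc/alternatives, many /usr/bin entries are legitimately symlinks) but only those whose fully resolved target dangles or lies outside the system tree. The SAMPLE_MAPS text is constructed, and SYSTEM_PREFIXES is an assumption about the normal Debian layout.

```python
"""Local checks for processes running from deleted files and for /usr/bin
symlinks that resolve outside the system tree. Added example, not code from
the original post; the sample /proc maps text is constructed."""
import os
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
DELETED = "(deleted)"

# Constructed sample: a normal bash mapping, an anonymous mapping, an
# executable mapping backed by an unlinked file under /dev/shm, and a
# read-only mapping of a libc that was replaced by a package upgrade.
SAMPLE_MAPS = """\
55d4c3a00000-55d4c3a1b000 r--p 00000000 fd:01 1310725 /usr/bin/bash
55d4c3a1b000-55d4c3af9000 r-xp 0001b000 fd:01 1310725 /usr/bin/bash
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0
7f1a2c400000-7f1a2c5a3000 r-xp 00000000 00:1b 38124 /dev/shm/.x (deleted)
7f1a2c800000-7f1a2c9f0000 r--p 00000000 fd:01 1572899 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed: where a resolved /usr/bin symlink target normally lives on Debian.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/etc/", "/opt/")


def deleted_mappings(maps_text, executable_only=True):
    """Return distinct file paths in a maps listing whose backing file was
    unlinked. With executable_only, keep only mappings carrying the x bit:
    code executing from a file that no longer exists on disk."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path").endswith(DELETED):
            continue
        if executable_only and "x" not in m.group("perms"):
            continue
        path = m.group("path")[: -len(DELETED)].rstrip()
        if path not in found:
            found.append(path)
    return found


def scan_running_processes(proc="/proc"):
    """Walk /proc and return {pid: [deleted paths]} for processes whose exe
    link or an executable mapping points at a deleted file. Reading other
    users' maps needs root. A deleted library under /usr/lib right after an
    apt upgrade is expected until the process restarts; a deleted binary
    under /tmp, /dev/shm or a home directory is not."""
    hits = {}
    if not os.path.isdir(proc):
        return hits
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        paths = []
        try:
            exe = os.readlink(os.path.join(proc, entry, "exe"))
            if exe.endswith(" " + DELETED):
                paths.append(exe[: -len(" " + DELETED)])
        except OSError:
            pass  # kernel thread, or no permission to read the link
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                for p in deleted_mappings(fh.read()):
                    if p not in paths:
                        paths.append(p)
        except OSError:
            continue  # process exited meanwhile or permission denied
        if paths:
            hits[int(entry)] = paths
    return hits


def is_outside_system_tree(resolved_path, prefixes=SYSTEM_PREFIXES):
    """True when a fully resolved symlink target is not under a system prefix."""
    return not resolved_path.startswith(prefixes)


def suspicious_symlinks(bindir="/usr/bin", prefixes=SYSTEM_PREFIXES):
    """Return (link, resolved target) for symlinks in bindir that dangle or
    resolve outside the system tree. Being a symlink is not itself suspicious
    on Debian (merged /usr, /etc/alternatives); the final target location is."""
    out = []
    if not os.path.isdir(bindir):
        return out
    for name in sorted(os.listdir(bindir)):
        link = os.path.join(bindir, name)
        if not os.path.islink(link):
            continue
        resolved = os.path.realpath(link)
        if not os.path.exists(resolved) or is_outside_system_tree(resolved, prefixes):
            out.append((link, resolved))
    return out


if __name__ == "__main__":
    print("deleted executable mappings in the constructed sample:",
          deleted_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_running_processes().items()):
        print(f"pid {pid}: {paths}")
    for link, target in suspicious_symlinks():
        print(f"{link} -> {target}")
```

Run it as root on the suspect host to get live results; the sample listing yields only /dev/shm/.x as an executable deleted mapping, while the replaced libc is reported only when executable_only is turned off. Two caveats a responder would keep in mind: this checks where a link points, not what the file contains, so pair it with `dpkg --verify` (which compares installed files against the package md5sums); and a rootkit with kernel access can make /proc and readlink lie, so when results are in doubt the same checks should be repeated from a clean rescue system with the suspect disk mounted.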