Hacked by hydra. At wits end.

Help for Current Versions of MX
When asking for help, use Quick System Info from MX Tools. It will be properly formatted using the following steps.
1. Click on Quick System Info in MX Tools
2. Right click in your post and paste.
scatman98
Posts: 31
Joined: Fri Mar 30, 2018 12:56 am


#1 Post by scatman98 »

Hi guys

Using an X1 Carbon ThinkPad Gen3, 8 GB RAM, 256 GB SSD.

As soon as I run an update on a fresh install, malware gets installed like hydra, squashfs-tools-ng, slack, tiger-otheros, unburden-home-dir, vagrant-sshfs, vagrant-libvirt, vbackup, unionfs-fuse, python3-cinder, python-flufl, ruby-lockfile and many more.

Hacker likely somewhere in neighbourhood. Maybe next door.

Before I can add a VPN the system runs an update and I get the same malware.

Also for using DNS over TLS I need to run a sudo apt update and get in the same situation.

I'm attaching a pic for you to look at of the live log at install (USB is encrypted) and provide some feedback.

Regards
Image

Eadwine Rose
Administrator
Posts: 15026
Joined: Wed Jul 12, 2006 2:10 am


#2 Post by Eadwine Rose »

Please don't post screenshots of code output, they cannot be searched. You can post code on the forum like this:

[code]code output here[/code]



Also with all requests, as per forum rules (which, if you haven't, please read), please share your full Quick System Info, do not edit.
If need be, you can do this using the LiveUSB, thanks.
MX-23.6_x64 July 31 2023 * 6.1.0-37amd64 ext4 Xfce 4.20.0 * 8-core AMD Ryzen 7 2700
Asus TUF B450-Plus Gaming UEFI * Asus GTX 1050 Ti Nvidia 535.247.01 * 2x16Gb DDR4 2666 Kingston HyperX Predator
Samsung 870EVO * Samsung S24D330 & P2250 * HP Envy 5030

j2mcgreg
Global Moderator
Posts: 7056
Joined: Tue Oct 23, 2007 12:04 pm


#3 Post by j2mcgreg »

You need to post the output from the QSI utility. The Quick System Info (QSI) utility is located in MX Tools and its output is automatically formatted for use here in the forum. Run the QSI utility, click “Copy for Forum” at the bottom and then just paste it here in your thread.
Forum Rules
HP 15; ryzen 3 5300U APU; 500 Gb SSD; 8GB ram
HP 17; ryzen 3 3200; 500 GB SSD; 12 GB ram
Idea Center 3; 12 gen i5; 256 GB ssd;

In Linux, newer isn't always better. The best solution is the one that works.

Nokkaelaein
Posts: 351
Joined: Fri Jul 17, 2020 10:32 am


#4 Post by Nokkaelaein »

What you are listing is not malware; they are just "regular" software packages, tools for different purposes. Why they get installed seemingly automatically on your system is something that will hopefully be cleared below, but a hacker next door causing this seems to be on the unlikely side of the possible causes here :wink:

scatman98
Posts: 31
Joined: Fri Mar 30, 2018 12:56 am


#5 Post by scatman98 »

These are the programs installed on simply running sudo for the first time:

Code:

apt search 'nfs-*'
Sorting... Done
Full Text Search... Done
4pane/stable 8.0-1+b2 amd64
  four-pane detailed-list file manager

arch-install-scripts/stable,stable 28-1 all
  scripts aimed at automating some menial tasks

backuppc/stable 4.4.0-8 amd64
  high-performance, enterprise-grade system for backing up PCs

cinder-api/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - API server

cinder-backup/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - Backup server

cinder-common/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - common files

cinder-doc/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - doc

cinder-scheduler/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - Scheduler server

cinder-volume/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - Volume server

collectd-core/stable 5.12.0-14 amd64
  statistics collection and monitoring daemon (core system)

collectl/stable,stable 4.3.1-1 all
  Utility to collect Linux performance data

diod/stable 1.0.24-5 amd64
  I/O forwarding server for 9P

dracut-core/stable 059-4 amd64
  dracut is an event driven initramfs infrastructure (core tools)

dracut-network/stable,stable 059-4 all
  dracut is an event driven initramfs infrastructure (network modules)

dsniff/stable 2.4b1+debian-31 amd64
  Various tools to sniff network traffic for cleartext insecurities

fai-nfsroot/stable,stable 6.0.3+deb12u1 all
  Fully Automatic Installation nfsroot package

gfarm-client/stable 2.7.20+dfsg-1+b2 amd64
  Gfarm file system clients

gfarm-doc/stable,stable 2.7.20+dfsg-1 all
  Gfarm file system documentation

gfarm2fs/stable 1.2.16-1 amd64
  FUSE program to mount the Gfarm file system

gfmd/stable 2.7.20+dfsg-1+b2 amd64
  Gfarm file system metadata server

gfsd/stable 2.7.20+dfsg-1+b2 amd64
  Gfarm file system daemon

gnome-system-tools/stable 3.0.0-9.1 amd64
  Cross-platform configuration utilities

golang-github-d-tux-go-fstab-dev/stable,stable 0.0.0+git.2014.12.04.eb4090f265-3 all
  simple fstab parser

golang-github-hanwen-go-fuse-dev/stable,stable 2.1.0+git20220822.58a7e14-1 all
  Native Go bindings for the FUSE kernel module

hydra/stable 9.4-1 amd64
  very fast network logon cracker

hydra-gtk/stable 9.4-1 amd64
  very fast network logon cracker - GTK+ based GUI

jftp/stable,stable 1.60+dfsg-4 all
  Java GUI client for FTP, SMB, SFTP and NFS

kdenetwork-filesharing/stable 4:22.12.3-1 amd64
  network filesharing configuration module

kio/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction

libfile-fcntllock-perl/stable 0.22-4+b1 amd64
  Perl module for file locking with fcntl(2)

libfile-nfslock-perl/stable,stable 1.29-2 all
  perl module to do NFS (or not) locking

libfst-dev/stable 1.7.9-5 amd64
  weighted finite-state transducers library (development)

libfst-tools/stable 1.7.9-5 amd64
  weighted finite-state transducers library (tools)

libfst22/stable 1.7.9-5 amd64
  weighted finite-state transducers library (runtime)

libfst22-plugins-base/stable 1.7.9-5 amd64
  weighted finite-state transducers library (base plugins)

libgfarm-dev/stable 2.7.20+dfsg-1+b2 amd64
  Gfarm file system development files

libgfarm1/stable 2.7.20+dfsg-1+b2 amd64
  Gfarm file system runtime library

libio-aio-perl/stable 4.80-1 amd64
  asynchronous IO module for Perl

libkf5kio-dev/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction (development files)

libkf5kio-doc/stable,stable 5.103.0-1+deb12u1 all
  resource and network access abstraction (documentation)

libkf5kiocore5/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction (KIO core library)

libkf5kiofilewidgets5/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction (KIO file widgets library)

libkf5kiogui5/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction (KIO gui library)

libkf5kiontlm5/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction (KIO NTLM library)

libkf5kiowidgets5/stable 5.103.0-1+deb12u1 amd64
  resource and network access abstraction (KIO widgets library)

liblockfile1/stable,now 1.17-1+b1 amd64 [installed,automatic]
  NFS-safe locking library

libnfs-dev/stable 4.0.0-1 amd64
  NFS client library (development files)

libnfs-utils/stable 4.0.0-1 amd64
  NFS client library (binaries)

libnfs13/stable,now 4.0.0-1 amd64 [installed,automatic]
  NFS client library (shared library)

libnfsidmap-dev/stable 1:2.6.2-4+deb12u1 amd64
  header files and docs for libnfsidmap

libnfsidmap1/stable 1:2.6.2-4+deb12u1 amd64 [upgradable from: 1:2.6.2-4]
  NFS idmapping library

libntirpc-dev/stable 4.3-2 amd64
  new transport-independent RPC library - development files

libntirpc4.3/stable 4.3-2 amd64
  new transport-independent RPC library

libsquashfs-dev/stable 1.2.0-1 amd64
  New set of tools for working with SquashFS images - development

libsquashfs1/stable 1.2.0-1 amd64
  New set of tools for working with SquashFS images - shared library

libsys-gamin-perl/stable 0.1-3+b1 amd64
  Perl interface to Gamin (File Access Monitor implementation)

libtirpc-common/stable,stable,now 1.3.3+ds-1 all [installed]
  transport-independent RPC library - common files

libtirpc-dev/stable,now 1.3.3+ds-1 amd64 [installed,automatic]
  transport-independent RPC library - development files

libtirpc3/stable,now 1.3.3+ds-1 amd64 [installed]
  transport-independent RPC library

libuutil3linux/stable 2.1.11-1+deb12u1 amd64
  Solaris userland utility library for Linux

libyanfs-java/stable,stable 0.0+cvs20070825-4.1 all
  Yet Another NFS - a Java NFS library

manpages/stable,stable,now 6.03-2 all [installed]
  Manual pages about using a GNU/Linux system

manpages-cs/stable,stable 4.18.1-1 all
  Czech man pages

manpages-da/stable,stable 4.18.1-1 all
  Danish man pages

manpages-de/stable,stable 4.18.1-1 all
  German man pages

manpages-es/stable,stable 4.18.1-1 all
  Spanish man pages

manpages-fr/stable,stable 4.18.1-1 all
  French man pages

manpages-hu/stable,stable 1:4.18.1-1 all
  Hungarian man pages

manpages-it/stable,stable 4.18.1-1 all
  Italian man pages

manpages-nl/stable,stable 4.18.1-1 all
  Dutch man pages

manpages-pl/stable,stable 1:4.18.1-1 all
  Polish man pages

manpages-pt-br/stable,stable 4.18.1-1 all
  Brazilian Portuguese man pages

manpages-ru/stable,stable 4.18.1-1 all
  Russian man pages

manpages-tr/stable,stable 2.0.6-2 all
  Turkish version of the manual pages

mb2md/stable,stable 3.20-10 all
  Convert Mbox mailboxes to Maildir format

mergerfs/stable 2.33.5-1 amd64
  another FUSE union filesystem

mhddfs/stable 0.1.39+nmu2 amd64
  file system for unifying several mount points into one

monitoring-plugins-contrib/stable 42.20230308+deb12u1+b1 amd64
  Plugins for nagios compatible monitoring systems

nbd-client/stable 1:3.24-1.1 amd64
  Network Block Device protocol - client

nbd-server/stable 1:3.24-1.1 amd64
  Network Block Device protocol - server

nfs-common/stable 1:2.6.2-4+deb12u1 amd64 [upgradable from: 1:2.6.2-4]
  NFS support files common to client and server

nfs-common-modified-init/mx,mx,now 19.07.01 all [installed]
  modified nfs-common init script for mx and antiX linux

nfs-ganesha/stable 4.3-2 amd64
  NFS server in User Space

nfs-ganesha-ceph/stable 4.3-2 amd64
  nfs-ganesha fsal ceph libraries

nfs-ganesha-doc/stable,stable 4.3-2 all
  Documentation for nfs-ganesha

nfs-ganesha-gluster/stable 4.3-2 amd64
  nfs-ganesha fsal gluster libraries

nfs-ganesha-gpfs/stable 4.3-2 amd64
  nfs-ganesha fsal gpfs libraries

nfs-ganesha-mem/stable 4.3-2 amd64
  nfs-ganesha fsal mem libraries

nfs-ganesha-mount-9p/stable,stable 4.3-2 all
  nfs-ganesha mount.9P

nfs-ganesha-nullfs/stable 4.3-2 amd64
  nfs-ganesha fsal nullfs libraries

nfs-ganesha-proxy-v4/stable 4.3-2 amd64
  nfs-ganesha fsal proxy v4 libraries

nfs-ganesha-rados-grace/stable 4.3-2 amd64
  nfs-ganesha ganesha-rados-grace program

nfs-ganesha-rgw/stable 4.3-2 amd64
  nfs-ganesha fsal rgw libraries

nfs-ganesha-vfs/stable 4.3-2 amd64
  nfs-ganesha fsal vfs libraries

nfs-kernel-server/stable 1:2.6.2-4+deb12u1 amd64 [upgradable from: 1:2.6.2-4]
  support for NFS kernel server

nfs4-acl-tools/stable 0.3.7-1 amd64
  Commandline and GUI ACL utilities for the NFSv4 client

nfstrace/stable 0.4.3.2+git20200805+b220d04-2.2 amd64
  NFS tracing/monitoring/capturing/analyzing tool

nfstrace-doc/stable,stable 0.4.3.2+git20200805+b220d04-2.2 all
  NFS tracing/monitoring/capturing/analyzing tool (documentation)

nfswatch/stable 4.99.12-1 amd64
  Program to monitor NFS traffic for the console

nmon/stable 16n+debian-1+b1 amd64
  performance monitoring tool for Linux

portsentry/stable 1.2-14+b1 amd64
  Portscan detection daemon

python-flufl.lock-doc/stable,stable 5.0.1-4 all
  NFS-safe file-based lock with timeouts (common documentation)

python-tackerclient-doc/stable,stable 1.12.0-2 all
  CLI and Client Library for OpenStack Tacker - doc

python3-cinder/stable,stable,stable-security,stable-security 2:21.3.1-1~deb12u1 all
  OpenStack block storage system - Python libraries

python3-flufl.lock/stable,stable 5.0.1-4 all
  NFS-safe file-based lock with timeouts (Python 3)

python3-nfs-ganesha/stable,stable 4.3-2 all
  Python bindings for nfs-ganesha

python3-tackerclient/stable,stable 1.12.0-2 all
  CLI and Client Library for OpenStack Tacker - Python 3.x

quota/stable 4.06-1+b2 amd64
  disk quota management tools

resource-agents/stable 1:4.12.0-2 amd64
  Cluster Resource Agents

ruby-lockfile/stable,stable 2.1.3-1.1 all
  create NFS-safe lockfiles

ruby-spring-watcher-listen/stable,stable 2.0.1-1.1 all
  Makes spring watch files using the listen library

slack/stable,stable 1:0.15.2-11 all
  configuration management program for lazy admins

squashfs-tools-ng/stable 1.2.0-1 amd64
  New set of tools for working with SquashFS images

tcpdump/stable 4.99.3-1 amd64
  command-line network traffic analyzer

texlive-latex-base/stable,stable 2022.20230122-3 all
  TeX Live: LaTeX fundamental packages

texlive-latex-extra/stable,stable 2022.20230122-4 all
  TeX Live: LaTeX additional packages

texlive-luatex/stable,stable 2022.20230122-3 all
  TeX Live: LuaTeX packages

texlive-plain-generic/stable,stable 2022.20230122-4 all
  TeX Live: Plain (La)TeX packages

tiger-otheros/stable 1:3.2.4~rc1-3.2 amd64
  security auditing and intrusion detection scripts for Unix based systems

udpcast/stable 20120424-2+b1 amd64
  multicast file transfer tool

unburden-home-dir/stable,stable 0.4.2 all
  Remove or move cache files automatically from user's home

unionfs-fuse/stable 1.0-1+b1 amd64
  Fuse implementation of unionfs

vagrant-libvirt/stable,stable 0.11.2-1 all
  Vagrant plugin that adds an Libvirt provider to Vagrant

vagrant-sshfs/stable,stable 1.3.7-1 all
  vagrant plugin that adds synced folder support with sshfs

vbackup/stable,stable 1.0.1-1.1 all
  modular backup utility

scatman98
Posts: 31
Joined: Fri Mar 30, 2018 12:56 am


#6 Post by scatman98 »

This is the QSI

Code:

Snapshot created on: 20241215_1628
System:
  Kernel: 6.1.0-28-amd64 [6.1.119-1] arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    parameters: BOOT_IMAGE=/boot/vmlinuz-6.1.0-28-amd64 root=UUID=<filter> ro quiet splash
    init=/lib/systemd/systemd
  Desktop: Xfce v: 4.18.1 tk: Gtk v: 3.24.36 info: xfce4-panel wm: xfwm v: 4.18.0 vt: 7
    dm: LightDM v: 1.26.0 Distro: MX-23.4_x64 Libretto December 15  2024 base: Debian GNU/Linux 12
    (bookworm)
Machine:
  Type: Laptop System: LENOVO product: 20BTS0HJ10 v: ThinkPad X1 Carbon 3rd
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: LENOVO model: 20BTS0HJ10 v: SDK0E50510 WIN serial: <superuser required> UEFI: LENOVO
    v: N14ET56W (1.34 ) date: 08/31/2021
Battery:
  ID-1: BAT0 charge: 27.7 Wh (99.3%) condition: 27.9/50.0 Wh (55.9%) volts: 17.0 min: 15.0
    model: LGC 45N1707 type: Li-poly serial: <filter> status: not charging
CPU:
  Info: model: Intel Core i7-5600U bits: 64 type: MT MCP arch: Broadwell gen: core 5 level: v3
    note: check built: 2015-18 process: Intel 14nm family: 6 model-id: 0x3D (61) stepping: 4
    microcode: 0x2F
  Topology: cpus: 1x cores: 2 tpc: 2 threads: 4 smt: enabled cache: L1: 128 KiB
    desc: d-2x32 KiB; i-2x32 KiB L2: 512 KiB desc: 2x256 KiB L3: 4 MiB desc: 1x4 MiB
  Speed (MHz): avg: 843 high: 899 min/max: 500/3200 scaling: driver: intel_cpufreq
    governor: ondemand cores: 1: 899 2: 817 3: 851 4: 807 bogomips: 20750
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data status: Unknown: No mitigations
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB
    filling; PBRSB-eIBRS: Not affected; BHI: Not affected
  Type: srbds mitigation: Microcode
  Type: tsx_async_abort mitigation: Clear CPU buffers; SMT vulnerable
Graphics:
  Device-1: Intel HD Graphics 5500 vendor: Lenovo driver: i915 v: kernel arch: Gen-8
    process: Intel 14nm built: 2014-15 ports: active: eDP-1 empty: DP-1, DP-2, HDMI-A-1, HDMI-A-2
    bus-ID: 00:02.0 chip-ID: 8086:1616 class-ID: 0300
  Display: x11 server: X.Org v: 1.21.1.7 compositor: xfwm v: 4.18.0 driver: X:
    loaded: modesetting unloaded: fbdev,vesa dri: iris gpu: i915 display-ID: :0.0 screens: 1
  Screen-1: 0 s-res: 2560x1440 s-dpi: 96 s-size: 677x381mm (26.65x15.00") s-diag: 777mm (30.58")
  Monitor-1: eDP-1 model: LG Display 0x0419 built: 2013 res: 2560x1440 hz: 60 dpi: 210 gamma: 1.2
    size: 310x174mm (12.2x6.85") diag: 355mm (14") ratio: 16:9 modes: 2560x1440
  API: OpenGL v: 4.6 Mesa 22.3.6 renderer: Mesa Intel HD Graphics 5500 (BDW GT2)
    direct-render: Yes
Audio:
  Device-1: Intel Broadwell-U Audio vendor: Lenovo driver: snd_hda_intel v: kernel bus-ID: 00:03.0
    chip-ID: 8086:160c class-ID: 0403
  Device-2: Intel Wildcat Point-LP High Definition Audio vendor: Lenovo driver: snd_hda_intel
    v: kernel bus-ID: 00:1b.0 chip-ID: 8086:9ca0 class-ID: 0403
  API: ALSA v: k6.1.0-28-amd64 status: kernel-api tools: alsamixer,amixer
  Server-1: PipeWire v: 1.0.0 status: active with: 1: pipewire-pulse status: active
    2: wireplumber status: active 3: pipewire-alsa type: plugin 4: pw-jack type: plugin
    tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Intel Ethernet I218-LM vendor: Lenovo driver: e1000e v: kernel port: 3080
    bus-ID: 00:19.0 chip-ID: 8086:15a2 class-ID: 0200
  IF: eth0 state: down mac: <filter>
  IF-ID-1: eth1 state: unknown speed: -1 duplex: half mac: <filter>
Bluetooth:
  Device-1: Samsung Galaxy series misc. (tethering mode) type: USB driver: rndis_host v: kernel
    bus-ID: 1-1:3 chip-ID: 04e8:6863 class-ID: 0a00 serial: <filter>
Drives:
  Local Storage: total: 238.47 GiB used: 9 GiB (3.8%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/sda maj-min: 8:0 vendor: Samsung model: MZNTE256HMHP-000L7 size: 238.47 GiB
    block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s type: SSD serial: <filter> rev: 9L6Q
    scheme: GPT
Partition:
  ID-1: / raw-size: 12.62 GiB size: 12.32 GiB (97.63%) used: 9 GiB (73.0%) fs: ext4 dev: /dev/sda1
    maj-min: 8:1
  ID-2: /boot/efi raw-size: 677 MiB size: 675.6 MiB (99.80%) used: 288 KiB (0.0%) fs: vfat
    dev: /dev/sda3 maj-min: 8:3
Swap:
  Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: file size: 2 GiB used: 0 KiB (0.0%) priority: -2 file: /swap/swap
Sensors:
  System Temperatures: cpu: 42.0 C pch: 39.0 C mobo: N/A
  Fan Speeds (RPM): fan-1: 0
Repos:
  Packages: pm: dpkg pkgs: 2117 libs: 1052 tools: apt,apt-get,aptitude,nala,synaptic pm: rpm
    pkgs: 0 pm: flatpak pkgs: 0
  No active apt repos in: /etc/apt/sources.list
  Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
    1: deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/debian.list
    1: deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
    2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
  Active apt repos in: /etc/apt/sources.list.d/mx.list
    1: deb https://mirror.kku.ac.th/mx-packages/mx/repo/ bookworm main non-free
Info:
  Processes: 230 Uptime: 19m wakeups: 1 Memory: 7.64 GiB used: 3.13 GiB (40.9%) Init: systemd
  v: 252 target: graphical (5) default: graphical tool: systemctl Compilers: gcc: 12.2.0 alt: 12
  Client: shell wrapper v: 5.2.15-release inxi: 3.3.26
Boot Mode: UEFI

scatman98
Posts: 31
Joined: Fri Mar 30, 2018 12:56 am


#7 Post by scatman98 »

Nokkaelaein wrote: Mon Jan 13, 2025 7:26 am What you are listing is not malware; they are just "regular" software packages, tools for different purposes. Why they get installed seemingly automatically on your system is something that will hopefully be cleared below, but a hacker next door causing this seems to be on the unlikely side of the possible causes here :wink:
It says cracker in the description, I think cracker is malware, has no business to be on a new OS install!

Code:

hydra-gtk/stable 9.4-1 amd64
  very fast network logon cracker - GTK+ based GUI

Nokkaelaein
Posts: 351
Joined: Fri Jul 17, 2020 10:32 am


#8 Post by Nokkaelaein »

scatman98 wrote: Mon Jan 13, 2025 7:58 am It says cracker in the description, I think cracker is malware, has no business to be on a new OS install!
No, it's not malware, it's a security tool developed for breaching login passwords. Why it is installed on your system is hopefully discovered later in this thread. Similarly, your listed other software packages are just that, software packages for various different purposes (readily available in official repositories).

scatman98
Posts: 31
Joined: Fri Mar 30, 2018 12:56 am


#9 Post by scatman98 »

Nokkaelaein wrote: Mon Jan 13, 2025 8:07 am
scatman98 wrote: Mon Jan 13, 2025 7:58 am It says cracker in the description, I think cracker is malware, has no business to be on a new OS install!
No, it's not malware, it's a security tool developed for breaching login passwords. Why it is installed on your system is hopefully discovered later in this thread. Similarly, your listed other software packages are just that, software packages for various different purposes (readily available in official repositories).
I did spot some in the repos, but they don't show as installed in the GUI of mx-installer. Image attached.

Image

Nokkaelaein
Posts: 351
Joined: Fri Jul 17, 2020 10:32 am


#10 Post by Nokkaelaein »

That's because they are not installed. Checked your used command more closely, and you are doing an "apt search" - this searches for all suitable available packages, not merely packages that are installed.
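
Added illustration of the point in post #10 (not part of the original thread, and not MX tooling): a small shell filter that reads `apt search` output and separates packages that are merely available from those carrying an install-state tag such as `[installed]`, `[installed,automatic]` or `[upgradable from: ...]`. The function names are made up for this example, and the sample input is a handful of lines excerpted from the output posted in #5.

```shell
#!/bin/sh
# Added example: classify `apt search` / `apt list` output by install state.
# A header line looks like:   name/suite[,suite...] version arch [status]
# The bracketed status is absent when the package is only available in the
# repositories; description lines are indented and are skipped.

classify_apt_output() {
    awk '
        # Header lines start in column 1 and their first field contains "/".
        $0 !~ /^[ \t]/ && NF >= 3 && index($1, "/") > 0 {
            split($1, parts, "/")
            state = "available"
            if      ($0 ~ /\[installed[^]]*automatic/) state = "installed-auto"
            else if ($0 ~ /\[installed/)               state = "installed"
            else if ($0 ~ /\[upgradable from:/)        state = "installed-upgradable"
            printf "%s\t%s\n", state, parts[1]
        }
    '
}

# Print only the names of packages that are actually on the system.
installed_names() {
    classify_apt_output | awk -F '\t' '$1 != "available" { print $2 }'
}

# Sample input: lines excerpted from the search output in post #5.
sample_output() {
    cat <<'EOF'
Sorting... Done
Full Text Search... Done
hydra/stable 9.4-1 amd64
  very fast network logon cracker

liblockfile1/stable,now 1.17-1+b1 amd64 [installed,automatic]
  NFS-safe locking library

libtirpc3/stable,now 1.3.3+ds-1 amd64 [installed]
  transport-independent RPC library

nfs-common/stable 1:2.6.2-4+deb12u1 amd64 [upgradable from: 1:2.6.2-4]
  NFS support files common to client and server

slack/stable,stable 1:0.15.2-11 all
  configuration management program for lazy admins
EOF
}

# Stand-alone run: show the state of every package in the sample.
sample_output | classify_apt_output

# On a live system, feed it the real search instead:
#   apt search 'nfs-*' 2>/dev/null | installed_names
# and cross-check against the package database with:
#   apt list --installed 2>/dev/null
```

On the sample, `hydra` and `slack` come out as `available`, which matches what the package installer GUI showed in post #9.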

Locked