Bug 112349 - Virus on installation cd - no one has ever heard of anything like this happening
Summary: Virus on installation cd - no one has ever heard of anything like this happening
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Release Media
Classification: Unclassified
Component: Everything
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Reported: 2005-11-12 16:11 UTC by Paul Crinigan
Modified: 2005-11-13 07:25 UTC
Description Paul Crinigan 2005-11-12 16:11:18 UTC
Hello, I was fairly new to Gentoo but I have done about 10 installs in the past few weeks because it seems that a virus keeps finding its way into my system and I believe it may have come from Gentoo itself. This is going to sound crazy, but I swear to you this happens every time and happens on 3 different servers. Here is what happens:

First I lost all of my servers from a hidden directory being created in tmp that has its own proc and dev directories which are then automatically mounted, probably by a script in the system that I can not find. That part may not be unique, I have heard of that before. But here's the insane part. I started from scratch, deleted all my partitions, formatted everything multiple times. I even deleted all partitions, clicked w in fdisk, rebooted and did it again. After I do my install (happened 5 out of 5 times on 2 different servers), and did all my emerges, I disconnect the network cable so that if someone got into my router, they wouldn't be able to connect and I would be safe. So the only time I am connected is when I do my emerges and only when booted from the cd. After I set up everything and reboot, my boot partition is all messed up showing that my grub directory is gone, my kernel images are gone (basically everything I put in boot is gone) except now there is a new directory in there called boot. Inside that boot is another boot, inside that another, and so on. I went into about 50 of these directories and the structure continues. Also, this is also crazy, there is a .initrd directory inside tmp. That's the directory that caused all the problems before I lost my info. When I try to boot after the install, the system is read only, all my kernel stuff is long gone, grub seems to be unmerged, and the .initrd directory is back in tmp.

If I reboot 3 times, the system is basically destroyed by the time I start up and it is impossible to boot without the kernel (obviously). So this has been killing me, so I started over again and deleted all my partitions. Now I am starting to think maybe the iso image that I download from your site may have had this on it because I have nothing at all on my hard drive, but everything is still there. I might not be able to explain this part well enough, but when the cd loads up, I do a cd / to get to root and then I look around. In /tmp the .initrd directory is there and in /boot/ there is that long chain of boot directories in there. Since I have nothing on my hard drive at all, where else could it come from? I also am about 99% sure that /tmp/.initrd directory is the entire problem (or at least the start of it) because on my old systems that tmp directory was there and had its own proc and dev directories inside of it which were mounted (don't ask me how that happened, it wasn't me). My servers were up for a year with no problems, but one of my servers had a controller fail so we needed to boot from cd to see if we could save the data. We were able to save it, so we did an rsync to my other server to copy the data. Then the next day that server started having problems, and it had never had even one problem before that. It happened again on a 3rd server, which is amd (the others I used x86). My data center has some of the best techs I have ever seen and one of them (I think) is an editor or tester for Gentoo. His name is Mark Irwin from Tampa Florida. My other tech who is even better than Mark is named Ken Sietz, who is known around here as a super genius, and he has no idea whatsoever what could have been able to get the kind of access this virus has. So my new theory is that it must have been on the cd. How else could it get onto a new install where I deleted the partitions 3 times, formatted 3 times and rebooted 3 times before I even started? I made no connections to any computers, I cleared my router and closed all incoming connections and it happens in my house and data center. The only time the internet cable was connected was when I emerged and I didn't see how that could do this. Please don't think I am crazy, I am starting to feel crazy, but this is really happening. And this is the absolute nastiest virus I have ever seen in my life. It seems harmless at first, but it won't go away and it waits a while and then starts to delete stuff. My computer was booted from cd for 8 hours, I kept checking my back up and the files were all there. Then I looked again and it deleted the www directory in var, my databases and parts of etc. I lost all my data, my last back up was from 4 months ago so some of my clients got really hurt by this. I lost thousands of dollars, 3 servers, websites have been down for 4 days now and I haven't slept since it happened. I might try another version of linux, but that would really suck because I love Gentoo. Please Please Please Please help me, and check out your mirrors for any iso image that may have been attacked. This thing spreads as soon as it sees any type of connection to another server and immediately is on the connected server and then won't go away. My email is pretty much down, so if you guys want more info you can call me at 813 728 7093 if I forgot any info you need. Please, this is about to put me out of business, and I am a really really good developer.

Reproducible: Always
Steps to Reproduce:
1. Just install from cd and it's there when you reboot

Actual Results:  
see details above
Comment 1 Seemant Kulleen (RETIRED) gentoo-dev 2005-11-12 16:17:38 UTC
OK, first of all the myth about boot directories within boot directories: if you do an ls -al /boot you'll see that it contains a symlink like so:

boot -> .

In other words, /boot/boot is just a symlink to /boot/ itself. Nothing to worry about there, honest, but yes, you can definitely keep going 50 times cd'ing into the same place via that symlink.
Comment 2 roger55 (RETIRED) gentoo-dev 2005-11-12 19:00:35 UTC
The handbook's fstab example suggests the noauto option for /boot. If you followed this example, you'll have to mount /boot to make the kernels and grub/grub.conf appear.

You haven't provided any info about the cd you are talking about.

Which cd image did you burn?
Which mirror did you download it from?
What md5sum does that image have?
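The three things Comments 1 and 2 point at (the `boot -> .` symlink, an unmounted `noauto` /boot looking empty, and checking the downloaded image against its published MD5) can each be verified from a shell. The script below is an added example, not code from this bug or from Gentoo's own tooling: it builds a throwaway directory tree that stands in for /boot, walks the symlink chain the way the reporter did, shows the unmounted-mount-point case, and runs the digest comparison against a constructed file whose name and contents are made up for the demo. It assumes GNU coreutils (`stat -c`, `md5sum`, `readlink`) and never touches the real /boot.

```shell
#!/bin/sh
# Added example for Comments 1 and 2 above; not from the bug or from Gentoo.
# Everything is built under a mktemp directory and removed at the end.
# Assumes GNU coreutils: stat -c, md5sum, readlink.

# 0 if "$1/boot" is a symlink that resolves to "$1" itself (the "boot -> ."
# link Comment 1 describes), 1 otherwise.
boot_symlink_is_self() {
    dir=$1
    [ -L "$dir/boot" ] || return 1
    target=$(readlink "$dir/boot")
    # Resolve the target relative to the directory holding the link;
    # pwd -P gives the physical path with symlinks stripped.
    resolved=$(cd "$dir" && cd "$target" 2>/dev/null && pwd -P) || return 1
    [ "$resolved" = "$(cd "$dir" && pwd -P)" ]
}

# cd into "boot" $2 times starting from $1, one level per step exactly as
# a person would, and print where you physically end up. (One cd per step
# matters: a single path with 50 symlink components exceeds the kernel's
# symlink-follow limit and fails with ELOOP.)
walk_boot_chain() {
    (
        cd "$1" || exit 1
        i=0
        while [ "$i" -lt "$2" ]; do cd boot || exit 1; i=$((i + 1)); done
        pwd -P
    )
}

# 0 if a filesystem is mounted on $1: its device number differs from its
# parent's. (The root directory is its own parent; test "/" separately.)
is_mountpoint() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$(stat -c %d "$dir")" != "$(stat -c %d "$dir/..")" ]
}

# Number of entries in $1 excluding . and ..; an unmounted noauto /boot
# shows 0 even though the kernel and grub/ are intact on the partition.
entry_count() {
    ls -A "$1" | wc -l | tr -d ' '
}

# 0 if the MD5 of file $1 equals hex digest $2 (the value you would copy
# from the mirror's .DIGESTS file next to the ISO).
md5_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# --- constructed demo tree standing in for a mounted /boot ---------------
demo=$(mktemp -d)
mkdir "$demo/boot"
ln -s . "$demo/boot/boot"                        # the link from Comment 1
printf 'constructed kernel image\n' > "$demo/boot/vmlinuz"

if boot_symlink_is_self "$demo/boot"; then
    echo "boot/boot links back to boot itself: nothing is nested"
fi
if [ "$(walk_boot_chain "$demo/boot" 50)" = "$(cd "$demo/boot" && pwd -P)" ]; then
    echo "50 levels of cd boot still end in $demo/boot"
fi

# --- an unmounted mount point, as with noauto before "mount /boot" ------
mkdir "$demo/unmounted_boot"
if ! is_mountpoint "$demo/unmounted_boot"; then
    echo "nothing mounted here; visible entries: $(entry_count "$demo/unmounted_boot")"
fi

# --- digest check against a constructed image ----------------------------
iso=$demo/install-minimal.iso                    # name made up for the demo
printf 'constructed iso payload\n' > "$iso"
digest=$(md5sum "$iso" | cut -d' ' -f1)          # stands in for the published value
if md5_matches "$iso" "$digest"; then echo "image matches expected MD5"; fi
printf 'one extra line\n' >> "$iso"              # simulate a corrupted download
if ! md5_matches "$iso" "$digest"; then echo "MISMATCH: do not burn this image"; fi

rm -rf "$demo"
```

On a real box the same functions apply to the live paths: `is_mountpoint /boot` answers whether the partition is mounted, and if it is not, `mount /boot` followed by `ls /boot` brings the kernel and grub/ back into view; `md5_matches` should be run on the ISO before it is burned, with the digest copied from the mirror's `.DIGESTS` file rather than computed locally as the demo does.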
Comment 3 Paul Crinigan 2005-11-12 21:26:07 UTC
Hi Everyone,

I am really sorry for this bug report, I did get rocked by some malware getting onto 3 of my servers and I think that I thought I saw signs of it happening again with a new install. I am 99% sure now that I was wrong about the problem being from Gentoo.

I feel pretty dumb about posting it here, I have my own open source shopping cart project and I hate when someone can't figure something out and reports it as a bug. In my defense, from how I saw things it made sense. The directory that was in /tmp/.initrd/ was where the malware was attacking from and when I saw it was there again I really believed the malware had gotten into my fresh install. I also didn't understand at that time how to view my boot partition's files, so I thought the kernel images were deleted, which is also what that malware was doing to my system so it wouldn't boot. I had a 1 character typo in my grub.conf so I couldn't boot without the cd, so it all seemed like it was happening again. I also didn't realize that /boot/boot was a symbolic link. So all those inexperienced mistakes made me jump to conclusions, plus the fact that I haven't slept for 3 days and am pretty paranoid now. I think I got my install complete, we'll see in a little while if the server will show web pages. If anyone knows anything about what hit me or how to prevent it again, please share.

I really really appreciate that some of you answered and it seems that if I wasn't resolving this ticket more of you would have responded in time. So thank you, it's nice knowing there is help when you need it. I really respect the Gentoo project and really enjoy all the great documentation your editors have produced.

I might be a newbie with linux, but I am a pretty good php developer / algorithm writer. I have my own shopping cart software and have written an entire flash website builder (www.amazingflash.com), so if you guys want another developer to help in any way let me know. I like to add to things that truly help the internet. I planned on making myself a command line installer and I have some really nice condensed install steps that work great for me. I have it down to about 15 steps that take up about 3 sheets of paper hand written. So it's short and sweet. Let me know if you guys want it.

Paul
Comment 4 Chris Gianelloni (RETIRED) gentoo-dev 2005-11-13 07:24:07 UTC
I apologize for the bug spam here, but I'm changing the location of this one to
its proper place.
Comment 5 Chris Gianelloni (RETIRED) gentoo-dev 2005-11-13 07:25:02 UTC
Changing resolution code.