Beware of smxi - possible rootkit

Snap

After four long days of hard struggling trying to make my main hard disk to be able to boot a system again and researching a bit, I discovered that this HD had all the symptoms of a rootkit.

Apparently they like to live at the kernel level, they use to be injected while installing drivers, and they use to fuck up your MBR... exactly what I was doing and what happened. Plus, formating doesn't help. Exactly what happened to me. Installed like eight different systems with different grub options. Nothing worked even after a low level formating. Scanning and trying to discard damaged or faulty HD sectors reported nothing wrong in the entire disk. Everytime GRUB failed to boot. The systems were bootable from the GRUB in my second drive. The only solution I've found is going for GPT partition table. This has a smaller 64 MB efi_grub partition instead of the 446 or thereabouts for GRUB, or 512 MB in total including 64 MB for the partitions in a DOS partition table. This excluded the screwed up part from the equation altogether and finally the HD is bootable again. I was about to trash it and buying a new one... phew!

I cannot tell for sure if it's a rootkit there, but given my recent damned experience, be careful if you use smxi to instal Nvidia drivers. And better have rkhunter and/or chkrootkit on hand. I had no idea of this in advance and it gave no time to react. Chose to install the drivers and then all went south. No way to fix my system or booting it again. All destroyed and gone in seconds. Perhaps downloading only and running rkhunter before doing anything might be a wise option.

Well, I think I've had my first rootkit experience. I'm not a virgin anymore... but I don't recommend the experience to anyone. BTW, Fucking bastards! Why they do this?

jedi

Hey Snap...
Sorry to hear about your troubles.  VastOne and myself have personally worked with 'h2', the developer of 'smxi' in the past testing/troubleshooting different aspects of his script.  It would be hard for me to fathom there being a rootkit in 'smxi', or 'smxi' allowing a rootkit through operation of the 'smxi' script.  The 'smxi' family of scripts has been a default part of VSIDO since it's birth!
Also worth mentioning that rkhunter is famous for false positives and ubiquitous "Warning" messages.  Almost every time you can get a really good explanation for all the "Warning" messages at the rkhunter mail list archives.  Google will also give great explanations as well.
I've just installed the Nvidia driver via 'smxi' on my Asus lappy that has a GTX 660M Nvidia card.  Went without a hitch, and just as a precaution I ran rkhunter after and was informed that I am rootkit free!  (as a personal note, I had not installed or ran rkhunter before on this build.)
Forum Netiquette

"No matter how smart you are you can never convince someone stupid that they are stupid."  Anonymous

Snap

#2
Does the GTX 660 need the last Nvidia driver? Maybe it's only the latest one. Mine is a quite recent GTX 960. Or maybe it was my usual bad luck with smxi for who knows what reason. In the past the 304 drivers for my old Quadro FX-1500 never went through with smxi. But that was it. The only issue. Manual installation and done.

I'm on nouveau now, obviously. I'm a bit scared of trying it again. But they perform well. I don't know if the proprietary ones would improve the performance a lot. All is displayed much better and the video playback quality improved hugely. With the old card proprietary drivers were mandatory. Nouveau discarded my card support a year and a half ago and worked all wrong. But with this card maybe I'll keep going with Nouveau. I don't need the hdmi with or without audio. It's all displayport and DVI.

I have no idea about how rootkits are injected. if they live on the server in advance or jump in from somewhere else siffing while downloading. Maybe the server is clean and someone is trying to crap these tools out. I really don't know. But guys, be careful just in case... unless you are eager for a good tedious fight and fully building your system from the bottom up.  ::)

jedi

@Snap, I'm using the one pictured below, 355.11.  I installed a couple of days ago after reading your post here about 'smxi'.  I have only ever experienced issues with 'smxi' when using my own compiled Kernels.  I've been Linux only here for about 5 years, though I've "dabbled" since '94.  I've never seen a rootkit, malware, or virus in Linux.  I know they exist, and that they are possible, but I've never worried about them.  With Linux it is pretty simple to harden a system and never have to worry about things like that.  I'm not stupid enough to believe I'm invulnerable, no one is, but I figure why would anyone want to hack me?  I have no secrets on any of my computers, and never would have, just out of my own paranoia after working in the computer industry for about 30 years.

I really hate to mention this to you, but I'd sooner believe your having a hdd issue rather than that a specific attack has happened to your system.  I'd probably already have that drive replaced!  :'(  VastOne is really particular about what goes into the ISO's, and with guys like PackRat, yourself, and others that are always driving VSIDO fast and hard, one of us would have seen a rootkit by now if it was a possibility.  The 'smxi' guys are pretty straight up guys (gals?) and are very proud of their work, so I'd have to say your pretty safe with that family of scripts.

With all the hoops that hard-drive made you jump through, I'd be pretty suspicious of it.  I've installed the nouveau-xorg driver, and then switched it back to the Nvidia driver multiple times in the last 2 or 3 days using 'smxi' with no bad results.  I also downloaded and reinstalled the Nvidia driver from the Nvidia site manually with no ill effects.  Another thing I did was to get rid of 'smxi' and re-download it with the same results.  All worked perfectly.  Have you tried to manually download the Nvidia driver and install it?  It is super easy to do, and I'd be happy to walk you through it if you should need assistance.

One more thing, I had been using the 'nouveau-xorg' driver before you started having your issues.  It uses WAY less memory and for what I do on the computer works fine for me.  However, having said that, I am for sure noticing a much better looking screen using the Nvidia driver for this card.  Aamof, I'd have to say I've been stunned at the difference.  And, with 16 Gb of RAM, who cares how much memory it takes to run the Nvidia stuff!

I really hope your able to get it sorted out, and a big thank-you for making me get off my duff and install the Nvidia driver!  8)

Edit: Of course I forgot after all that typing to include the scrot...

Forum Netiquette

"No matter how smart you are you can never convince someone stupid that they are stupid."  Anonymous

jedi

Quote from: Snap on September 19, 2015, 10:42:27 AM
Does the GTX 660 need the last Nvidia driver? Maybe it's only the latest one.

I've ran so many Nvidia drivers with this card doing testing stuff for VastOne that I couldn't tell you all the version numbers!  At least everything from 304 onward.  I'm just thankful I'm not having to use Bumblebee anymore for the Optimus hybrid graphics crapola that used to be a part of every new laptop.  Well, almost every new laptop.  My Asus that I just did all this testing on has a dedicated graphics card, and is frankly the only reason I bought it!
Forum Netiquette

"No matter how smart you are you can never convince someone stupid that they are stupid."  Anonymous

Snap

Hey, jedi. Thanks for all the advice and tips. A faulty HD was my first thought, but all this coincidence... You know...

I was a Mac user before. I switched to Linux two years and a half ago. I've never seen (or cared) about virus, trojans, rootkits or whatever. Never seen one either. Nevertheless, I'm not convinced it's a faulty HD. Let's see how it behaves from now on. I don't discard it's faulty either besides being screwed up by a rootkit or not.

I guess I'll install the Nvidia drivers at a later moment. It already improved nicely with the GPU replacement that I'm so happy as is. But if it would improve further It's really something to consider. I don't care about memory usage. I also have 16 GB RAM, and I think the RAM is to use it. I don't like to waste resorces, but If I need to use a lot of them for something good (or something I need), i don't care how much it takes. If it eats up my memory I'll buy more.  :P  The same for HDs. I have 2x1TB + 1x3TB HDs in this machine. I hate to have useless or superfluous things on my disks (and in my life in general). But if I need something huge, it will go into them. Though somewhat spartan, I'm not a minimalistic geek. I like to have just what I use, like and need wether slim or not. In the era of Terabytes I don't care about kilobytes.  8)  I'm switching back to WMs not due to the size or RAM usage, it's matter of being tied to the DEs session management and arrangements. I wan't to manage my sessions and have my menus and panels arranged my own way. Also... I'm starting to like and prefer simple scripts over many fancy apps and GUI front-ends more and more. Going geeker in that respect.


Snap

Not Nvidia for now, I guess...

nvidia-detect
Detected NVIDIA GPUs:
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GM206 [GeForce GTX 960] [10de:1401] (rev a1)
Uh oh. Your card is not supported by any driver version up to 340.93.
A newer driver may add support for your card.
Newer driver releases may be available in backports.

hakerdefo

Quote from: Snap on September 25, 2015, 08:12:42 AM
Not Nvidia for now, I guess...

In '/etc/apt/sources.list' add following entry,

deb http://ftp.debian.org/debian experimental main contrib non-free

Save the file. Update APT cache,

sudo apt-get update

And install 'nvidia-driver' package,

sudo apt-get -t experimental install nvidia-driver

All the best!
Cheers!!!
You Can't Always Git What You Want

Snap

Is it already supported in the drivers from experimental? Cool. I'll check it. Thanks, hackerdefo.