I'm running Ubuntu bionic 16.04 LTS and new files are constantly being added to the ~/.cache/gnome-software/ directory. I've uploaded all of them to this new GitLab repository so that you can take a look yourself.
For example, in the ~/.cache/gnome-software/icons directory there are icons of apps I have never used (367 icons in total). It looks like the icons are synced from a Windows environment (DosBox, Skype, ResourceHacker, PowerShell, ...) and the creation timestamps reveal that every so often a new one was added. Sounds like some hacker left traces behind, right?
And there are like a dozen Nextcloud icons, so I presume the hacker takes part in developing it? Well, guess what, I'm using Nextcloud.
Also, there are some screenshots left in the ~/.cache/gnome-software/screenshots/ directory. Most screenshots show Inkscape, Spotify, Blender, PowerShell within an Ubuntu shell and JetBrains IntelliJ in the middle of editing the source code of the community version. Whoa! I'm using JetBrains too!
From the Spotify screenshot I can see that the user was logged into the Ubuntu environment under an account named Sophie Germain with a profile image of a mathematical integral sign. I can't say whether the account is legitimate or was broken into.
But here is the one screenshot that made my day:
From the first note:
- this guy is probably part of the org.gnome.bijiben project and probably maintains its GitLab (if not, why would he name the note Bijiben Roadmap?)
- it seems he is capable of integrating Bijiben notes with Nextcloud, so I presume he knows the Nextcloud API too, and probably more
From the second note:
- it looks like the hacker's username is isaque
- he is probably Portuguese (there is this error: Erro ao obter informações para o, which is Portuguese for "Error obtaining information for the")
From the third note:
- it looks like he is tampering with the libgd library, which is a graphics library that Ubuntu uses to draw images and text, cut and paste from images, etc. It's also a required library for gvfs, which is a userspace virtual filesystem. Aha! Some kind of entry-focus hack? I found something on GitHub about it. Isn't this some kind of exploit?
The last release of libgd was made in Aug 2017?! It seems to be no longer maintained, yet it is used for such vital Ubuntu features as image processing? Couldn't it be that the hacker got into my Ubuntu using some as yet publicly unknown libgd vulnerability through gvfs?
But there's more. In ~/.cache/gnome-software/shell-extensions/gnome.json there are about a thousand plugins for the shell. Well, see for yourself. To be clear, I don't use GNOME Shell, so these aren't mine for sure. But there are just too many plugins in there to find anything relevant.
The icing on the cake is the ~/.cache/gnome-software/fwupd/ directory. Looks like somebody was messing with the definitions of firmware updates on my PC! It has a PGP signature attached, sweet :). This is serious, right?
What do you guys think I should do to prevent this guy from connecting again? I've uninstalled the gvfs and fwupdate packages from my system, but he's gotta have already installed other backdoors, right?