I'm running Ubuntu bionic 16.04 LTS and new files are constantly being added to the ~/.cache/gnome-software/ directory. I've uploaded all of them into this new GitLab repository, so that you can take a look yourself.

For example, in the ~/.cache/gnome-software/icons directory there are icons of apps I have never used (367 icons in total). It looks like the icons are synced from a Windows environment (DosBox, Skype, ResourceHacker, Powershell, ...) and the timestamp of creation reveals that once upon a time, a new one was added. Sounds like some hacker left traces after himself, right?

And there are like a dozen Nextcloud icons, so I presume the hacker takes part in developing it? Well guess what, I'm using Nextcloud.

Also, there are some screenshots left in the ~/.cache/gnome-software/screenshots/ directory. Most screenshots capture Inkscape, Spotify, Blender, PowerShell within an Ubuntu shell & JetBrains IntelliJ in the middle of editing the source code of the community version. Whoa! I'm using JetBrains too!

From the Spotify screenshot I can see that the user was logged into the Ubuntu environment under an account named Sophie Germain with a profile image of a mathematical integral. Can't say if the account is legitimate or was broken into.

But here is the one screenshot that made my day:

From the first note:

  • this guy is probably part of the org.gnome.bijiben project and probably maintains its GitLab (if not, why would he name the note Bijiben Roadmap?)
  • it seems like he is capable of integrating Bijiben notes to Nextcloud, so I presume he knows Nextcloud API too and probably more

From the second note:

  • looks like the hacker's username is isaque
  • probably is Portuguese (there is this error: Erro ao obter informações para o)

From the third note:

  • looks like he is tampering with the libgd library, which is a graphics library that Ubuntu uses to draw images, text, cut and paste from images, etc.
  • it's also a required library for gvfs, which is a userspace virtual filesystem - aha!
  • some kind of entry-focus-hack? I found something on GitHub about it. Isn't this some kind of exploit?

The last release of libgd was made in Aug 2017 ?! It seems no longer maintained, yet used for such vital Ubuntu features as image processing? Can't it be that the hacker got into my Ubuntu using some yet publicly unknown libgd vulnerability through gvfs?

But there's more. In ~/.cache/gnome-software/shell-extensions/gnome.json there are about a thousand plugins for a shell. Well, see yourself. To be clear, I don't use gnome shell, so these aren't mine for sure. But there are just too many plugins there to find out something relevant.

The icing on the cake is the ~/.cache/gnome-software/fwupd/ directory. Looks like somebody was messing with the definitions of firmware updates on my PC! It has a PGP signature attached, sweet :). This is serious, right?

What do you guys think I should do to prevent this guy from connecting again? I've uninstalled gvfs and fwupdate packages from my system, but he's gotta have already installed other backdoors right?

jirislav
  • I'm also going to uninstall whoopsie as I found out it's sending contents of `/var/log/syslog` to basically anyone who wants, which may be the way the attacker found out about the hardware I use and used it to run an exploit. – jirislav Feb 15 '19 at 10:47
  • It doesn't sound like a hack, it sounds like your first hypothesis: your accounts are linked and getting synced. – schroeder Feb 15 '19 at 10:47
  • Can we assume you changed all your passwords for all services used on that machine? – schroeder Feb 15 '19 at 10:48
  • How would they be synced since I didn't configure anything? – jirislav Feb 15 '19 at 10:48
  • @schroeder yes, it was the first thing I've done – jirislav Feb 15 '19 at 10:50
  • First step, chase down the theory that the accounts are inadvertently synced. Confirm or contradict that premise. Then start tracing from there. – schroeder Feb 15 '19 at 10:50
  • Please [continue this discussion in chat](https://chat.stackexchange.com/rooms/89766/discussion-between-jirislav-and-schroeder). I have lots of questions :) – jirislav Feb 15 '19 at 10:50