Ask Your Question

Possible infection of Linux.BtcMine.174

asked 2018-11-26 14:52:28 -0500

B4lder gravatar image

Any users found Linux.BtcMine.174 on their system? I got infected, but removed it by the use ov Comodo. Where the h* did it come from, which repo?

edit retag flag offensive close merge delete



What Fedora version you running? What is your kernel version? can you provide a list of repositories you have installed?

aeperezt gravatar imageaeperezt ( 2018-11-26 20:29:08 -0500 )edit

Yeah sure. And the vector of this formidable, almost superhuman script is?

ed209 gravatar imageed209 ( 2018-11-26 20:37:01 -0500 )edit

Fedora 29 workstation :)

B4lder gravatar imageB4lder ( 2018-11-27 13:16:01 -0500 )edit

That proofs you're trolling.

ed209 gravatar imageed209 ( 2018-11-27 13:48:07 -0500 )edit

Well since you have Fedora 29, you may get the file but nothing else happen as this particular Trojan uses DirtyCow security issue to scale and get privileges, DirtyCow was patched on Fedora 10, it could get privilege. You should not install software from unreliable source, use or try to use official repositories. More information on this previews anwser

aeperezt gravatar imageaeperezt ( 2018-11-27 14:03:52 -0500 )edit

3 Answers

Sort by ยป oldest newest most voted

answered 2018-11-26 21:17:07 -0500

davidva gravatar image

A crypto trojan with DDOS atacks? touching the kernel... Its bad! Do you installed a bundle binary, script, flatpak? Because a rpm is difficult hide a trojan... Avoid install/open from untrusted sources...

Here some news about the trojan in the next hours...

edit flag offensive delete link more


Yep, I will avoid that, my bad. Culprit was most likely Kismet, but not from Github... Thanks

B4lder gravatar imageB4lder ( 2018-11-27 13:20:31 -0500 )edit

answered 2018-11-26 20:29:18 -0500

Panther gravatar image

What makes you think you got this from the fedora repos?

To see if a particular file is provided by a package in the repos, use the provides option with dnf

sudo dnf provides \*/Linux.BtcMine.174ee


And for details and additional dnf features including search options and history.

As far as that file see

I am not sure from what you posted how you were affected by this, but the fedora repos are probably not the source

edit flag offensive delete link more


Probably from Kismet, thanks for great answer! See answer further down.

B4lder gravatar imageB4lder ( 2018-11-27 13:17:54 -0500 )edit

answered 2018-11-27 13:14:50 -0500

B4lder gravatar image

I ran " sudo dnf provides */Linux.BtcMine.174ee " No hits. But... snapd could be it... But no. Kismet most likely, because it will no longer load... after Comodo identified it, cleaned it, and removed it's directories. Kismet not installed from repo -ofcourse- Bye Kismet!

I was probably not too affected, since my box is a laptop and not a server, but I got a heads-up on the malware from a company I used to work for. Since I hate malware on my computer I run GNU/Linux on 3 out of 4 laptops ;) Hence I checked. I just don't like other ppl using my computer. Whithout my knowledge.

Just a huge wakeup-call for me, who was more or less relaxed about malware on GNU/Linux, this one got me! Big time. Anyway, thanks for tips and help. And good hunting, stay safe.


edit flag offensive delete link more



Why did you install it not from Fedora repo in the first place?

It would be also good if you reported or warned others about source through which you were infected.

ozeszty gravatar imageozeszty ( 2018-11-27 13:49:02 -0500 )edit

Question Tools

1 follower


Asked: 2018-11-26 14:50:16 -0500

Seen: 449 times

Last updated: Nov 27 '18