Could presence of the string “_CONSOLE” in multiple files indicate a hack?

I run a combination of Linux & Windows machines with Dropbox.

Many "selective sync conflicts" occurred, for unknown reasons, meaning two copies of the same folder appear on Dropbox; each copy should be identical.

I will pick one example folder: a music album. The folder contains 12 .mp3 files and a number of .jpg's.

All files are the exact same file size between the two copies, but diff clearly shows the contents are different.

Running Linux strings on the newer version, every file contains the string _CONSOLE, and the majority of the file has been zeroed out, i.e. the data is gone.

Uploading the files to virustotal.com for a scan yields a completely clean scan.

Question: is this likely to be malicious? What does the string "_CONSOLE" indicate? Can anyone advise whether it is a common string in Windows or Linux executables?
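A way to put numbers on the symptom described above, as an added example that is not part of the original post: given two same-sized copies of a file, it reports where they differ, how much of each copy is zero bytes, and which printable strings (same 4-character minimum as strings(1)) sit inside the differing bytes. The sample pair at the bottom is constructed to mimic the description (short header kept, body zeroed, a marker string inserted); run it on the real copies by passing the two paths as arguments.

```python
"""Compare two same-sized copies of a file byte for byte.
Added example, not from the original post; SAMPLE_OLD/SAMPLE_NEW are constructed."""
import json
import re
import sys
from typing import Dict, List, Tuple

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # strings(1) default: 4+ printable ASCII


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """[start, end) byte ranges where two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError("copies must be the same size")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def zero_fraction(data: bytes) -> float:
    """Share of bytes that are 0x00; close to 1.0 means the content is gone."""
    return data.count(0) / len(data) if data else 0.0


def strings_in_ranges(data: bytes, ranges: List[Tuple[int, int]]) -> List[str]:
    """Printable strings found inside the given byte ranges of data."""
    found = []
    for start, end in ranges:
        found.extend(m.group().decode("ascii")
                     for m in PRINTABLE.finditer(data, start, end))
    return found


def compare_copies(old: bytes, new: bytes) -> Dict:
    """Summary: what changed, how much of each copy is zeroed, what text appeared."""
    ranges = differing_ranges(old, new)
    return {
        "size": len(old),
        "changed_bytes": sum(end - start for start, end in ranges),
        "ranges": ranges,
        "zero_fraction_old": zero_fraction(old),
        "zero_fraction_new": zero_fraction(new),
        "strings_in_new": strings_in_ranges(new, ranges),
    }


# Constructed sample: a 4 KiB file whose middle was replaced by a marker plus zeros.
SAMPLE_OLD = bytes(1 + (i % 255) for i in range(4096))          # contains no zero bytes
SAMPLE_NEW = SAMPLE_OLD[:16] + b"_CONSOLE" + b"\x00" * 4056 + SAMPLE_OLD[-16:]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_old, open(sys.argv[2], "rb") as f_new:
            report = compare_copies(f_old.read(), f_new.read())
    else:
        report = compare_copies(SAMPLE_OLD, SAMPLE_NEW)
    report["ranges"] = report["ranges"][:20]    # keep the printout readable
    print(json.dumps(report, indent=2))
```

On the constructed pair the report shows a single differing range covering everything but the first and last 16 bytes, a zero fraction near 0.99 for the newer copy, and `_CONSOLE` as the only string inside the changed bytes; the same three numbers tell you, for the real files, whether the newer copy is a placeholder with a marker rather than a rewritten MP3.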

restore mysql database from ibdata1 and frm files

I am trying to restore some database data from my tables' .frm files. I am running a MariaDB database. The data structure works fine and I can see the tables etc. But as soon as I add the ibdata1 and log files I run into trouble and get the errors below. I've tried to follow the recommendations of the other similar posts but nothing seems to work... Any ideas? BR Lukas

my my.cnf config file:

[client-server]

#
# This group is read by the server
#
[mysqld]
# Disabling symbolic-links is recommended to prevent assorted security risks
innodb_log_file_size=170M
innodb_force_recovery = 1
symbolic-links=0

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

journalctl -xe error:

jun 09 01:29:04 ipx.eu-central-1.compute.internal sudo[15322]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
jun 09 01:29:04 ipx.eu-central-1.compute.internal systemd[1]: Starting MariaDB 10.2 database server...
-- Subject: Unit mariadb.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mariadb.service has begun starting up.
jun 09 01:29:04 ipx.eu-central-1.compute.internal mysql-prepare-db-dir[15360]: Database MariaDB is probably initialized in /var/lib/mysql already, nothing is done.
jun 09 01:29:04 ipx.eu-central-1.compute.internal mysql-prepare-db-dir[15360]: If this is not the case, make sure the /var/lib/mysql is empty before running mysql-prepare-db-dir.
jun 09 01:29:05 ipx.eu-central-1.compute.internal mysqld[15399]: 2020-06-09  1:29:05 140284526120768 [Note] /usr/libexec/mysqld (mysqld 10.2.10-MariaDB) starting as process 15399 ...
jun 09 01:29:05 ipx.eu-central-1.compute.internal mysqld[15399]: 2020-06-09  1:29:05 140284526120768 [Warning] Changed limits: max_open_files: 1024  max_connections: 151  table_cache: 431
jun 09 01:29:05 ipx.eu-central-1.compute.internal systemd[1]: Started MariaDB 10.2 database server.
-- Subject: Unit mariadb.service has finished start-up
-- Defined-By: systemd
--
-- Unit mariadb.service has finished starting up.
--
-- The start-up result is done.
jun 09 01:29:05 ipx.eu-central-1.compute.internal sudo[15322]: pam_unix(sudo:session): session closed for user root

mariadb.log file:

2020-06-09  1:17:36 140094574546752 [ERROR] InnoDB: Page [page id: space=0, page number=308] log sequence number 41316604 is in the future! Current system log sequence number 1620080.
2020-06-09  1:17:36 140094574546752 [ERROR] InnoDB: Your database may be corrupt or you may have copied the InnoDB tablespace but not the InnoDB log files. Please refer to http://dev.mysql.com/doc/refman$
2020-06-09  1:17:36 140094574546752 [ERROR] InnoDB: Operating system error number 13 in a file operation.
2020-06-09  1:17:36 140094574546752 [ERROR] InnoDB: The error means mysqld does not have the access rights to the directory.
2020-06-09 01:17:36 0x7f6a4f59cf40  InnoDB: Assertion failure in file /builddir/build/BUILD/mariadb-10.2.10/storage/innobase/fil/fil0fil.cc line 752
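The two errors in that log can be checked without starting mysqld. This added example (not from the original post) reads the LSNs InnoDB compares at startup straight out of the files: the per-page LSN stored in every 16 KiB page of ibdata1 and the checkpoint LSNs in the header of ib_logfile0. A page LSN above the latest checkpoint is exactly what "log sequence number ... is in the future" means, and it is the signature of a data file paired with a redo log from a different instance or point in time. The second function lists data-directory entries not owned by the server account, the usual origin of "Operating system error number 13" after copying files in as root. Offsets follow the InnoDB on-disk format of MariaDB 10.2 with the default page size; the sample ibdata1/ib_logfile0 are constructed with the numbers from the posted log, not real files.

```python
"""Read InnoDB page LSNs and redo-log checkpoint LSNs directly from the files.
Added example, not from the original post; SAMPLE_* data is constructed."""
import pwd
import struct
import sys
from pathlib import Path

PAGE_SIZE = 16384          # innodb_page_size default
FIL_PAGE_LSN = 16          # 8-byte big-endian LSN in every page header
LOG_CHECKPOINT_1 = 512     # the two checkpoint blocks in the ib_logfile0 header
LOG_CHECKPOINT_2 = 1536
LOG_CHECKPOINT_LSN = 8     # offset of the checkpoint LSN inside a checkpoint block


def max_page_lsn(tablespace: bytes, page_size: int = PAGE_SIZE) -> int:
    """Highest FIL_PAGE_LSN over all complete pages of a tablespace image."""
    highest = 0
    for off in range(0, len(tablespace) - page_size + 1, page_size):
        (lsn,) = struct.unpack_from(">Q", tablespace, off + FIL_PAGE_LSN)
        highest = max(highest, lsn)
    return highest


def checkpoint_lsn(logfile0: bytes) -> int:
    """Latest of the two checkpoints InnoDB alternates between."""
    return max(struct.unpack_from(">Q", logfile0, cp + LOG_CHECKPOINT_LSN)[0]
               for cp in (LOG_CHECKPOINT_1, LOG_CHECKPOINT_2))


def diagnose(tablespace: bytes, logfile0: bytes) -> dict:
    """After a clean shutdown the checkpoint LSN is the highest LSN in the system,
    so pages newer than it were not written by the instance this redo log belongs
    to (only redo written after the last checkpoint may legitimately exceed it)."""
    page_lsn, cp = max_page_lsn(tablespace), checkpoint_lsn(logfile0)
    return {"max_page_lsn": page_lsn, "checkpoint_lsn": cp,
            "log_matches_data": page_lsn <= cp}


def files_not_owned_by(datadir: str, uid: int, gid: int) -> list:
    """Entries under datadir not owned by uid:gid. Files copied in as root land
    here and make InnoDB fail with OS error 13 (EACCES)."""
    bad = []
    for p in Path(datadir).rglob("*"):
        st = p.lstat()
        if st.st_uid != uid or st.st_gid != gid:
            bad.append(str(p))
    return sorted(bad)


def fake_tablespace(lsns) -> bytes:
    """Constructed sample: pages that are empty except for their LSN field."""
    buf = bytearray(PAGE_SIZE * len(lsns))
    for i, lsn in enumerate(lsns):
        struct.pack_into(">Q", buf, i * PAGE_SIZE + FIL_PAGE_LSN, lsn)
    return bytes(buf)


def fake_logfile0(cp1: int, cp2: int) -> bytes:
    """Constructed sample: a log header carrying two checkpoint LSNs."""
    buf = bytearray(4 * 512)
    struct.pack_into(">Q", buf, LOG_CHECKPOINT_1 + LOG_CHECKPOINT_LSN, cp1)
    struct.pack_into(">Q", buf, LOG_CHECKPOINT_2 + LOG_CHECKPOINT_LSN, cp2)
    return bytes(buf)


# Numbers taken from the posted mariadb.log: page LSN 41316604, system LSN 1620080.
SAMPLE_IBDATA1 = fake_tablespace([1000, 41316604, 500])
SAMPLE_IB_LOGFILE0 = fake_logfile0(1620080, 1500000)

if __name__ == "__main__":
    datadir = Path(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/mysql")
    try:
        with open(datadir / "ibdata1", "rb") as f1, open(datadir / "ib_logfile0", "rb") as f2:
            print(diagnose(f1.read(), f2.read()))
        mysql = pwd.getpwnam("mysql")
        print("not owned by mysql:", files_not_owned_by(str(datadir), mysql.pw_uid, mysql.pw_gid))
    except (OSError, KeyError) as err:
        print("cannot read the data directory, using the constructed sample:", err)
        print(diagnose(SAMPLE_IBDATA1, SAMPLE_IB_LOGFILE0))
```

Run as root against the restored data directory (`python3 innodb_lsn_check.py /var/lib/mysql`); `log_matches_data: False` with a large gap, as in the sample, means the ib_logfile* files were not taken from the same snapshot as ibdata1, which is what the MariaDB error text itself says.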

Comparing two Linux system clones – what about non-regular files?

Could you please help me to understand the best approach to compare two filesystems / hard disks?

As a practical learning exercise I created a clone of the whole hard drive a month ago and again yesterday (it's Ubuntu Server and I cloned it on Debian just using dd on the disconnected hard drive). The point is to compare a known state with an unknown one that was potentially compromised.

After dd'ing (sudo dd if=/dev/sdX of=/tmp/my_image1) I attached both clones:

sudo losetup --partscan --find --show /tmp/my_image1

I changed the FSID so I could mount it, and I mounted it:

sudo mount /dev/loop0p3 /mnt/0a -o ro

sudo mount /dev/loop1p3 /mnt/0b -o ro

After that I simply compared both filesystems to find possible change / malware:

sudo diff --no-dereference --brief --recursive /mnt/0a /mnt/0b

It was just for learning; I didn't expect to find anything other than new logs, Bash history...

But a strange thing that I discovered was non-regular files:

sudo find /mnt/0a -not -type f,d,l -exec ls -l '{}' \;
crw-rw-rw- 1 root root  5,   1 Apr 23 07:32 /mnt/0a/dev/console
crw-rw-rw- 1 root root  1,   7 Apr 23 07:32 /mnt/0a/dev/full
crw-rw-rw- 1 root root  1,   3 Apr 23 07:32 /mnt/0a/dev/null
crw-rw-rw- 1 root root  5,   2 Apr 23 07:32 /mnt/0a/dev/ptmx
crw-rw-rw- 1 root root  1,   8 Apr 23 07:32 /mnt/0a/dev/random
crw-rw-rw- 1 root root  5,   0 Apr 23 07:32 /mnt/0a/dev/tty
crw-rw-rw- 1 root root  1,   9 Apr 23 07:32 /mnt/0a/dev/urandom
crw-rw-rw- 1 root root  1,   5 Apr 23 07:32 /mnt/0a/dev/zero
crw------- 1 root root 10, 236 Apr 23 07:34 /mnt/0a/dev/mapper/control

Could anyone please help me understand:

1) The purpose of character devices on a disconnected hard drive: the system is not running, and I thought that these files are created by the system when it's running (like files in /proc and /dev) and that their purpose is to interface with the system, not to store data.

2) How am I supposed to compare them? I can compare a standard file (bit by bit), I can compare directory names and I can compare a symbolic link (by comparing targets), but I have no idea how to compare these...

Thank you.

Lukas V.
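An added example, not from the original post, of the comparison asked about in question 2: for every entry under two mounted clones it builds a one-line description that can be compared as a string, so the kinds diff(1) skips get covered too. A device node stores nothing but its type, major:minor, mode and owner, so that is what gets compared for it; regular files are compared by SHA-256, symlinks by target, FIFOs and sockets by mode and owner. A final heuristic lists device nodes anywhere outside dev/, since on a root filesystem the on-disk /dev holds only the handful of nodes needed before devtmpfs is mounted (the list in the post is typical), and a node elsewhere is worth a look. Device nodes cannot be created by an unprivileged user, so the constructed sample trees use FIFOs and files to exercise the comparison; run it as root on the real mount points.

```python
"""Compare two mounted filesystem clones, including non-regular entries.
Added example, not from the original post; build_sample_trees() is constructed data."""
import hashlib
import os
import stat
import sys
from pathlib import Path


def describe(path: Path) -> str:
    """A comparable one-line description of any directory entry (via lstat)."""
    st = path.lstat()
    mode, owner = stat.S_IMODE(st.st_mode), f"{st.st_uid}:{st.st_gid}"
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return f"file sha256={h.hexdigest()} mode={mode:o} owner={owner}"
    if stat.S_ISLNK(st.st_mode):
        return f"symlink -> {os.readlink(path)}"
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        kind = "char" if stat.S_ISCHR(st.st_mode) else "block"
        # major:minor is the whole content of a device node on disk
        return (f"{kind} dev={os.major(st.st_rdev)}:{os.minor(st.st_rdev)} "
                f"mode={mode:o} owner={owner}")
    if stat.S_ISDIR(st.st_mode):
        return f"dir mode={mode:o} owner={owner}"
    if stat.S_ISFIFO(st.st_mode):
        return f"fifo mode={mode:o} owner={owner}"
    if stat.S_ISSOCK(st.st_mode):
        return f"socket mode={mode:o} owner={owner}"
    return f"other mode={mode:o} owner={owner}"


def inventory(root: str) -> dict:
    """Relative path -> description for every entry under root (symlinks not followed)."""
    rootp, inv = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            inv[str(p.relative_to(rootp))] = describe(p)
    return inv


def compare(root_a: str, root_b: str) -> dict:
    a, b = inventory(root_a), inventory(root_b)
    return {"only_in_a": sorted(set(a) - set(b)),
            "only_in_b": sorted(set(b) - set(a)),
            "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p])}


def stray_device_nodes(inv: dict) -> list:
    """Heuristic: device nodes outside dev/ deserve a look on a root filesystem."""
    return sorted(p for p, d in inv.items()
                  if d.startswith(("char ", "block ")) and not p.startswith("dev"))


def build_sample_trees():
    """Constructed sample: two small trees differing in one file's content,
    one FIFO's permissions, and one file that exists only in the newer tree."""
    import tempfile
    base = tempfile.mkdtemp(prefix="clonecmp-")
    a, b = os.path.join(base, "0a"), os.path.join(base, "0b")
    for root in (a, b):
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        os.symlink("/bin/bash", os.path.join(root, "bin_sh"))
    with open(os.path.join(a, "etc", "passwd"), "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/bash\n")
    with open(os.path.join(b, "etc", "passwd"), "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/bash\nlukas:x:1000:1000::/home/lukas:/bin/bash\n")
    for root, mode in ((a, 0o600), (b, 0o666)):
        os.mkfifo(os.path.join(root, "run_fifo"))
        os.chmod(os.path.join(root, "run_fifo"), mode)   # explicit: ignore umask
    with open(os.path.join(b, "etc", "motd"), "wb") as f:
        f.write(b"updated\n")
    return a, b


if __name__ == "__main__":
    a, b = sys.argv[1:3] if len(sys.argv) == 3 else build_sample_trees()
    for key, paths in compare(a, b).items():
        print(f"{key}: {paths}")
    print("device nodes outside dev/:", stray_device_nodes(inventory(b)))
```

Usage on the mounts from the post: `sudo python3 compare_clones.py /mnt/0a /mnt/0b`. A device node that shows up under `changed` differs in major:minor, mode or owner, which is all a device node has to differ in.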

Attacked by ransomware that has encrypted and renamed all files with a .makop extension

I’ve spent several hours searching the internet to see if anyone has cracked this encryption yet, but without any luck. I don’t want to reward criminals for their activity, but I do have a few files that I absolutely need. Besides finding a decryptor or paying the ransom, do I have any other options for recovering my files? I have been able to successfully restore a couple of systems from backups, but my personal system wasn’t backed up and had temporarily housed important files.

I’m somewhat familiar with best practices of backing up important files and/or saving to the cloud, but I will definitely be more vigilant in the future. It was mostly due to the ‘it will never happen to me’ mindset.

Relevant information:

  • I’ve identified how they got in, and have reset the password on that account (and all other accounts just in case).
  • I did have Malwarebytes and Sophos installed. Looking at the Event Viewer, there are logs of both of these being successfully uninstalled.
  • The files are renamed like this: originalFileName.orig.[8-digit-hex].[ruthlessencry@qq.com].makop
  • The ransom note file says to contact them at ruthlessencry@qq.com to pay them in bitcoins.
  • They’ll decrypt a couple of files for free, and then send me a scanner-decoder program after being paid.

Parallelize import of many files

I’m trying to speed up the import of a large number of files, using ParallelTable to store them in an indexed variable, eqDump. The files are in the folder “Frames” and are named “Conf_Run.1000”, “Conf_Run.2000”, … Here is what I’ve tried:

Clear[eqDump];
SetSharedFunction[eqDump];
ParallelTable[
  eqDump[t] = Import["Frames/Conf_Run." <> ToString[t],
                     "Table",
                     HeaderLines -> 9],
  {t, 5000, 1000000, 5000}];

But the execution doesn’t even seem to start; the kernels remain idle. I don’t know what’s happening, since I think it should work in the same way as here, for example. I’ve also tried SetSharedVariable[t], since I supposed each kernel should know the current t value, but that doesn’t seem to help.

Thank you very much!

Comparing 2 files [Steganography] [closed]

I am sure that something malicious is going on with the 1st file (bigger file size). Please compare the two files and test whether something malicious is found.

1st file(malicious) — https://funksyou.com/fileDownload/Songs/0/29449.mp3 Google-drive

2nd file(clean) — https://pwdown.com/14671/Na%20Ja%20-%20Pav%20Dharia.mp3 Google-drive

I have also uploaded both of these files.

Problem: whenever I right-click the malicious file my laptop hangs for 10 seconds; also, while editing it in Notepad++ the system hung.

[update]

When comparing with WinMerge:

lines after 8418 (1st file) and 342 (2nd file) are the same. So it is proven that something is hidden in the 1st file.
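An added example, not from the original post, of how to do this comparison on bytes rather than on the line numbers a text diff reports (an MP3 has no lines, so WinMerge's counts do not map to offsets). It finds how long a tail the two files share and then parses the ID3v2 header at the start of each file, because cover art and other metadata live in the ID3v2 tag before the first audio frame and a bigger tag is the ordinary explanation for a size difference. Whatever part of the difference the tag size does not account for, and any case where the bytes right after the tag are not an MPEG frame header, is what deserves a closer look. It does not download the linked files; run it on local copies. The samples below are constructed (a fake audio body behind two differently sized tags).

```python
"""Where do two MP3 files stop differing, and does the ID3v2 tag explain the extra bytes?
Added example, not from the original post; SAMPLE_* files are constructed."""
import json
import sys


def syncsafe(b: bytes) -> int:
    """ID3v2 sizes are 4 bytes of 7 bits each (bit 7 of every byte is zero)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def encode_syncsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def id3v2_tag_length(data: bytes) -> int:
    """Total bytes occupied by an ID3v2 tag at the start of the file, or 0 if none."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    major, flags = data[3], data[5]
    if major not in (2, 3, 4) or any(x & 0x80 for x in data[6:10]):
        return 0                       # unknown version or malformed size field
    length = 10 + syncsafe(data[6:10])
    if major == 4 and flags & 0x10:    # v2.4 footer flag adds a 10-byte footer
        length += 10
    return length


def mpeg_sync_at(data: bytes, off: int) -> bool:
    """True if an MPEG audio frame header (11 sync bits set) starts at off."""
    return off + 1 < len(data) and data[off] == 0xFF and (data[off + 1] & 0xE0) == 0xE0


def common_suffix_length(a: bytes, b: bytes) -> int:
    n, limit = 0, min(len(a), len(b))
    while n < limit and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def analyse(big: bytes, small: bytes) -> dict:
    """Account for the size difference between two files that share their audio."""
    suffix = common_suffix_length(big, small)
    tag_big, tag_small = id3v2_tag_length(big), id3v2_tag_length(small)
    extra = len(big) - len(small)
    return {
        "size_difference": extra,
        "shared_tail_bytes": suffix,
        "differing_prefix_big": len(big) - suffix,
        "differing_prefix_small": len(small) - suffix,
        "tag_bytes_big": tag_big,
        "tag_bytes_small": tag_small,
        "unexplained_bytes": extra - (tag_big - tag_small),   # not covered by the tag
        "audio_sync_after_tag_big": mpeg_sync_at(big, tag_big),
        "audio_sync_after_tag_small": mpeg_sync_at(small, tag_small),
    }


def make_fake_mp3(tag_payload: bytes, audio: bytes) -> bytes:
    """Constructed sample: an ID3v2.3 tag with the given payload, then audio."""
    return b"ID3" + bytes([3, 0, 0]) + encode_syncsafe(len(tag_payload)) + tag_payload + audio


SAMPLE_AUDIO = (b"\xff\xfb\x90\x64" + bytes(range(256)) * 4) * 8   # frame-sync-like filler
SAMPLE_SMALL = make_fake_mp3(b"TIT2" + b"A" * 96, SAMPLE_AUDIO)     # 100-byte tag payload
SAMPLE_BIG = make_fake_mp3(b"APIC" + b"B" * 4996, SAMPLE_AUDIO)     # 5000-byte payload (cover art)
# Same as SAMPLE_BIG but with 300 bytes the tag does not declare between tag and audio.
SAMPLE_BIG_PADDED = SAMPLE_BIG[:id3v2_tag_length(SAMPLE_BIG)] + bytes(300) + SAMPLE_AUDIO

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            big, small = f1.read(), f2.read()
        if len(big) < len(small):
            big, small = small, big
    else:
        big, small = SAMPLE_BIG_PADDED, SAMPLE_SMALL
    print(json.dumps(analyse(big, small), indent=2))
```

A result with `unexplained_bytes` of 0 and both `audio_sync_after_tag_*` true says the bigger file simply carries a bigger tag; the padded sample shows the other outcome, 300 undeclared bytes sitting where the audio should begin, which is the region to dump and inspect.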

Encrypt backup files and send them to AWS S3

I have a backup routine via crontab on Ubuntu. This routine generates a compressed tar.gz file and sends it to AWS S3.

But I want to encrypt these files and be able to decrypt them when necessary on another machine, and only if I have the private key.

While searching I found gpg, and I execute the command below to compress the backup file:

gpg --output my-backup-file.tar.gz.gpg --encrypt --recipient secret-key-mail-address@example.com my-backup-file.tar.gz 

Is this a safe and good way to encrypt these files?
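An added example, not from the original post, of a check worth running on the .gpg file before it is uploaded: it parses the OpenPGP packet headers (RFC 4880, section 4.2) and confirms that the output is a public-key-encrypted message (tag 1, PKESK) addressed to the key you expect, followed by an encrypted payload (tag 18, SEIPD), with no literal-data packet (tag 11) exposed at the top level. `gpg --list-packets` prints the same information interactively; the point of scripting it is that a backup job can fail closed when `--recipient` resolved to a different key than intended, or when a command-line mistake produced symmetric (tag 3) or unencrypted output. The check says nothing about authenticity, which gpg's `--sign` option would add. The sample message is constructed packet bytes, not real gpg output.

```python
"""Sanity-check an OpenPGP-encrypted backup by parsing its packet headers.
Added example, not from the original post; SAMPLE_* messages are constructed."""
import json
import struct
import sys
from typing import List, Tuple

TAG_NAMES = {1: "PKESK", 2: "signature", 3: "SKESK", 8: "compressed",
             9: "SED", 11: "literal", 18: "SEIPD"}


def read_packet_header(data: bytes, off: int) -> Tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for the packet starting at off."""
    first = data[off]
    if not first & 0x80:
        raise ValueError(f"offset {off}: not an OpenPGP packet header (armored file?)")
    if first & 0x40:                                   # new-format header
        tag, b0 = first & 0x3F, data[off + 1]
        if b0 < 192:
            return tag, off + 2, b0
        if b0 < 224:
            return tag, off + 3, ((b0 - 192) << 8) + data[off + 2] + 192
        if b0 == 255:
            return tag, off + 6, struct.unpack_from(">I", data, off + 2)[0]
        raise ValueError("partial body lengths are not handled here")   # 224..254
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 0:
        return tag, off + 2, data[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack_from(">H", data, off + 1)[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack_from(">I", data, off + 1)[0]
    return tag, off + 1, len(data) - off - 1           # indeterminate: to end of file


def list_packets(data: bytes) -> List[dict]:
    """Top-level packets with, for PKESK, the recipient key ID and algorithm."""
    packets, off = [], 0
    while off < len(data):
        tag, body, length = read_packet_header(data, off)
        pkt = {"tag": tag, "name": TAG_NAMES.get(tag, f"tag{tag}"), "length": length}
        if tag == 1 and length >= 10:      # PKESK body: version(1) key id(8) algo(1) MPIs
            pkt["key_id"] = data[body + 1:body + 9].hex().upper()
            pkt["pk_algo"] = data[body + 9]
        packets.append(pkt)
        off = body + length
    return packets


def check_backup(data: bytes, expected_key_id: str) -> dict:
    """Encrypted to exactly the expected key, with nothing readable at top level?"""
    pkts = list_packets(data)
    recipients = {p["key_id"] for p in pkts if p["tag"] == 1}
    return {
        "recipients": sorted(recipients),
        "encrypted_to_expected_key": recipients == {expected_key_id.upper()},
        "has_encrypted_payload": any(p["tag"] in (9, 18) for p in pkts),
        "plaintext_at_top_level": any(p["tag"] == 11 for p in pkts),
        "symmetric_passphrase_used": any(p["tag"] == 3 for p in pkts),
    }


def make_pkesk(key_id: bytes, algo: int = 1) -> bytes:
    """Constructed PKESK: version 3, 8-byte key id, RSA, one dummy 2048-bit MPI."""
    mpi = struct.pack(">H", 2048) + b"\x80" + bytes(255)
    body = b"\x03" + key_id + bytes([algo]) + mpi
    return bytes([0xC1, 255]) + struct.pack(">I", len(body)) + body


SAMPLE_KEY_ID = bytes.fromhex("0123456789ABCDEF")                     # made-up key id
SAMPLE_MESSAGE = make_pkesk(SAMPLE_KEY_ID) + bytes([0xD2, 41]) + b"\x01" + bytes(40)
# Old-format literal-data packet: what an unencrypted gpg output would start with.
SAMPLE_LITERAL = bytes([0xAC, 7]) + b"b\x00" + bytes(4) + b"x"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            print(json.dumps(check_backup(f.read(), sys.argv[2]), indent=2))
    else:
        print(json.dumps(check_backup(SAMPLE_MESSAGE, "0123456789ABCDEF"), indent=2))
```

Usage: `python3 check_gpg_backup.py my-backup-file.tar.gz.gpg <16-hex-digit key id>`, and upload only if `encrypted_to_expected_key` and `has_encrypted_payload` are both true. Give the script the key ID of the backup key as a constant rather than an e-mail address, for the same reason `--recipient` is better pinned to a fingerprint than to an address: several keys can carry the same user ID.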