Some joker "picked up" (all it takes is an email address and a couple of minutes) a few orphaned packages, including acroread (once fairly popular), and built into them a download and execution of malware (via curl | bash). With a bug. As reported, nothing destructive so far (not even a miner), only collecting and sending information:
- Machine ID.
- The output of uname -a.
- CPU Information.
- Pacman (package management utility) Information.
- The output of systemctl list-units.
Almost no user pays attention to the fact that the AUR is just a repository of scripts, often of unclear origin (although there are Trusted Users there too), or to the constant reminders that you need to read the PKGBUILD and the install script.
https://sensorstechforum.com/arch-linux-aur-repository-found-contain-malware/
The Arch Linux user-maintained software repository called AUR has been found to host malware. The discovery was made after a change in one of the package installation instructions was made. This is yet another incident that showcases that Linux users should not explicitly trust user-controlled repositories.
...
There are several hypotheses that are currently considered as possible. A Reddit user (xanaxdroid_) mentioned online that “xeactor” has posted several cryptocurrency miner packages which shows that infection with them was a probable next step. The obtained system information can be used to choose a generic miner instance that would be compatible with most of the infected hosts. The other idea is that the nickname belongs to a hacker group that may target the infected hosts with ransomware or other advanced viruses.
https://aur.archlinux.org/packages/acroread/
[Edited again to provide more information: This package was compromised between the hours of 02:31 and 5:55 UTC on 2018-07-08. The PKGBUILD was modified to execute (via curl | bash) a script https://ptpb.pw/~x which in turn executed https://ptpb.pw/~u, an attempt to upload system details to a pastebin-type site. The script, however, contains a typo (calling $uploader when the function was actually upload()) so shouldn't actually do anything. The PKGBUILD also tried to install a systemd timer. Check for /usr/lib/xeactor, /usr/lib/systemd/system/xeactor.timer, /usr/lib/systemd/system/xeactor.service. The problematic commit to the PKGBUILD, which was reverted by a TU, can still be read here: https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id=b3fec9f2f167 ]
UPDATE1: List of packages whose PKGBUILD had the malware embedded:
- acroread 9.5.5-8
- balz 1.20-3
- minergate 8.1-2