I've found a program named wipefs run by the postgres user. The server is a Ubuntu 12.04.

When I did ps ax|grep wipefs I've got:

10209 ? Sl 1:04 /var/tmp/.ICE-unix/-l/.db/wipefs --library-path /var/tmp/.ICE-unix/-l/.db /var/tmp/.ICE-unix/-l/.db/x

Then I did this:

ls -lah /var/tmp/.ICE-unix/-l/.db/
total 14M
drwxr-xr-x 2 postgres postgres 4.0K Jun 11 19:24 .
drwxr-xr-x 3 postgres postgres 4.0K Jul 17 21:00 ..
-rwxr-xr-x 1 postgres postgres 1.8M Nov 20 2017 libc.so.6
-rwxr-xr-x 1 postgres postgres 2.3M Nov 20 2017 libcrypto.so.1.0.0
-rwxr-xr-x 1 postgres postgres 15K Nov 20 2017 libdl.so.2
-rwxr-xr-x 1 postgres postgres 31K Nov 20 2017 libffi.so.6
-rwxr-xr-x 1 postgres postgres 88K Nov 20 2017 libgcc_s.so.1
-rwxr-xr-x 1 postgres postgres 898K Nov 20 2017 libgcrypt.so.20
-rwxr-xr-x 1 postgres postgres 511K Nov 20 2017 libgmp.so.10
-rwxr-xr-x 1 postgres postgres 1.2M Nov 20 2017 libgnutls.so.30
-rwxr-xr-x 1 postgres postgres 79K Nov 20 2017 libgpg-error.so.0
-rwxr-xr-x 1 postgres postgres 203K Nov 20 2017 libhogweed.so.4
-rwxr-xr-x 1 postgres postgres 232K Nov 20 2017 libhwloc.so.5
-rwxr-xr-x 1 postgres postgres 203K Nov 20 2017 libidn.so.11
-rwxr-xr-x 1 postgres postgres 39K Nov 20 2017 libltdl.so.7
-rwxr-xr-x 1 postgres postgres 1.1M Nov 20 2017 libm.so.6
-rwxr-xr-x 1 postgres postgres 95K Nov 20 2017 libmicrohttpd.so.10
-rwxr-xr-x 1 postgres postgres 215K Nov 20 2017 libnettle.so.6
-rwxr-xr-x 1 postgres postgres 43K Nov 20 2017 libnuma.so.1
-rwxr-xr-x 1 postgres postgres 399K Nov 20 2017 libp11-kit.so.0
-rwxr-xr-x 1 postgres postgres 136K Nov 20 2017 libpthread.so.0
-rwxr-xr-x 1 postgres postgres 77 Jun 11 19:21 libq.so.1
-rwxr-xr-x 1 postgres postgres 31K Nov 20 2017 librt.so.1
-rwxr-xr-x 1 postgres postgres 280 May 15 19:52 libs.so.1
-rwxr-xr-x 1 postgres postgres 419K Nov 20 2017 libssl.so.1.0.0
-rwxr-xr-x 1 postgres postgres 1.5M Nov 20 2017 libstdc++.so.6
-rwxr-xr-x 1 postgres postgres 75K Nov 20 2017 libtasn1.so.6
-rwxr-xr-x 1 postgres postgres 103K Nov 20 2017 libz.so.1
-rwxr-xr-x 1 postgres postgres 159K Nov 20 2017 wipefs
-rwxr-xr-x 1 postgres postgres 2.1M Jun 3 15:04 x

In other systems running PostgreSQL the directory /tmp/.ICE-unix is empty.

Is this a virus?

leonardorame

1 Answer

It definitely looks like a piece of malware; but since it does not seem to attach itself to other programs, but instead "lives" as an independent entity, it is not technically a virus but possibly a worm.

See this question for recommended next steps.

/tmp/.ICE-unix would be the normal directory for UNIX sockets used for communicating with an X11 GUI session manager. /var/tmp/.ICE-unix has nothing to do with it, but is clearly using similar naming to make the malware's directories appear uninteresting to casual notice.

The fact that it's running as the postgres user suggests it might have got in through the Postgres database engine, and inherited the user identity of Postgres processes as a result.

If the library names are genuine, this malware sure seems to carry a lot of encryption implementations with it: libssl and libcrypto are OpenSSL, then there is libgnutls, the pair of libhogweed and libnettle, and also libgcrypt. It also has libmicrohttpd, which suggests it could be running some sort of HTTP-based network service, possibly an encrypted one.

If it consumes a lot of CPU power but does not seem to be doing much with any files, my first guess would be a coin miner. But this is just a guess; it might be something worse.

By running lsof -p 10209 as root, you might be able to see which files this process is touching and what network connections it has. If some files are marked as (deleted), you might be able to still access them via /proc/10209/fd/ as long as the files are still held open by the process.

If you want to investigate further, grab a copy of the malware's files and scan them with some virus scanner.

Anyway, if you have other similar systems, you should be seriously thinking about restricting access to them from the Internet to the minimum required, and updating them. Ubuntu 12.04's support ended in April 2017, more than a year ago.

For this particular system: you should treat it as contaminated and no longer secure. It might be that this is the only piece of malware on the system, but it's very difficult to really confirm that: wiping the system and restoring from backups is usually much quicker and easier.

telcoM
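As an added illustration, not part of the question or the answer above, the following Python script applies the answer's reasoning as mechanical triage checks to the ps line and directory listing quoted in the question (both embedded here as constructed strings copied from the post). It flags an executable living under a world-writable scratch directory or a hidden dot-directory, the `--library-path` launch style (that is the glibc dynamic loader's option syntax, which fits the bundled libc.so.6 in the listing), and files in the directory whose modification time differs from the rest of the bundle or that are far too small to be real shared libraries, which is where a responder would start hashing and scanning. The size threshold and the heuristics themselves are this example's own assumptions, not anything the answer states.

```python
import re
from collections import Counter

# Constructed sample input: the ps line and ls -lah output from the question.
PS_LINE = ("10209 ? Sl 1:04 /var/tmp/.ICE-unix/-l/.db/wipefs "
           "--library-path /var/tmp/.ICE-unix/-l/.db /var/tmp/.ICE-unix/-l/.db/x")

LS_LISTING = """\
total 14M
drwxr-xr-x 2 postgres postgres 4.0K Jun 11 19:24 .
drwxr-xr-x 3 postgres postgres 4.0K Jul 17 21:00 ..
-rwxr-xr-x 1 postgres postgres 1.8M Nov 20 2017 libc.so.6
-rwxr-xr-x 1 postgres postgres 2.3M Nov 20 2017 libcrypto.so.1.0.0
-rwxr-xr-x 1 postgres postgres 15K Nov 20 2017 libdl.so.2
-rwxr-xr-x 1 postgres postgres 31K Nov 20 2017 libffi.so.6
-rwxr-xr-x 1 postgres postgres 88K Nov 20 2017 libgcc_s.so.1
-rwxr-xr-x 1 postgres postgres 898K Nov 20 2017 libgcrypt.so.20
-rwxr-xr-x 1 postgres postgres 511K Nov 20 2017 libgmp.so.10
-rwxr-xr-x 1 postgres postgres 1.2M Nov 20 2017 libgnutls.so.30
-rwxr-xr-x 1 postgres postgres 79K Nov 20 2017 libgpg-error.so.0
-rwxr-xr-x 1 postgres postgres 203K Nov 20 2017 libhogweed.so.4
-rwxr-xr-x 1 postgres postgres 232K Nov 20 2017 libhwloc.so.5
-rwxr-xr-x 1 postgres postgres 203K Nov 20 2017 libidn.so.11
-rwxr-xr-x 1 postgres postgres 39K Nov 20 2017 libltdl.so.7
-rwxr-xr-x 1 postgres postgres 1.1M Nov 20 2017 libm.so.6
-rwxr-xr-x 1 postgres postgres 95K Nov 20 2017 libmicrohttpd.so.10
-rwxr-xr-x 1 postgres postgres 215K Nov 20 2017 libnettle.so.6
-rwxr-xr-x 1 postgres postgres 43K Nov 20 2017 libnuma.so.1
-rwxr-xr-x 1 postgres postgres 399K Nov 20 2017 libp11-kit.so.0
-rwxr-xr-x 1 postgres postgres 136K Nov 20 2017 libpthread.so.0
-rwxr-xr-x 1 postgres postgres 77 Jun 11 19:21 libq.so.1
-rwxr-xr-x 1 postgres postgres 31K Nov 20 2017 librt.so.1
-rwxr-xr-x 1 postgres postgres 280 May 15 19:52 libs.so.1
-rwxr-xr-x 1 postgres postgres 419K Nov 20 2017 libssl.so.1.0.0
-rwxr-xr-x 1 postgres postgres 1.5M Nov 20 2017 libstdc++.so.6
-rwxr-xr-x 1 postgres postgres 75K Nov 20 2017 libtasn1.so.6
-rwxr-xr-x 1 postgres postgres 103K Nov 20 2017 libz.so.1
-rwxr-xr-x 1 postgres postgres 159K Nov 20 2017 wipefs
-rwxr-xr-x 1 postgres postgres 2.1M Jun 3 15:04 x
"""

# One ls -l line: mode, link count, owner, group, size, "Mon DD YYYY|HH:MM", name.
LS_RE = re.compile(r"^([-dlcbps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+"
                   r"(\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(.+)$")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable, no executables expected
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
TINY_LIB_BYTES = 4096   # assumed threshold: a usable .so is never this small


def parse_size(text):
    """Convert an ls -h size such as '4.0K' or '1.8M' to bytes."""
    if text[-1] in UNITS:
        return int(float(text[:-1]) * UNITS[text[-1]])
    return int(text)


def parse_ls(listing):
    """Parse ls -lah output into dicts; the 'total' header is skipped."""
    entries = []
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if not m:
            continue
        mode, owner, group, size, mtime, name = m.groups()
        entries.append({"mode": mode, "owner": owner, "group": group,
                        "size": parse_size(size), "mtime": mtime, "name": name})
    return entries


def assess_cmdline(ps_line):
    """Apply path and launch-style checks to one 'ps ax' line."""
    pid, _tty, _stat, _cputime, cmd = ps_line.split(None, 4)
    argv = cmd.split()
    exe = argv[0]
    findings = []
    if exe.startswith(SCRATCH_DIRS):
        findings.append("executable lives under a world-writable scratch directory")
    if any(part.startswith(".") for part in exe.split("/")):
        findings.append("executable path contains a hidden (dot) component")
    if "--library-path" in argv:
        findings.append("launched with --library-path, i.e. through a dynamic loader "
                        "with its own bundled shared libraries")
    return {"pid": int(pid), "exe": exe, "argv": argv, "findings": findings}


def triage_listing(entries):
    """Return {name: [reasons]} for files that stand out from the bundle."""
    files = [e for e in entries if e["name"] not in (".", "..")]
    modal_mtime, _ = Counter(e["mtime"] for e in files).most_common(1)[0]
    suspects = {}
    for e in files:
        reasons = []
        if e["name"].startswith("lib") and ".so" in e["name"] and e["size"] < TINY_LIB_BYTES:
            reasons.append("far too small to be a real shared library; inspect as text")
        if e["mtime"] != modal_mtime:
            reasons.append(f"mtime {e['mtime']} differs from the bundle's {modal_mtime}")
        if reasons:
            suspects[e["name"]] = reasons
    return suspects


if __name__ == "__main__":
    report = assess_cmdline(PS_LINE)
    print(f"PID {report['pid']} {report['exe']}")
    for f in report["findings"]:
        print("  -", f)
    for name, reasons in sorted(triage_listing(parse_ls(LS_LISTING)).items()):
        print(f"{name}: " + "; ".join(reasons))
```

On the question's data the script singles out libq.so.1 and libs.so.1 (tiny and recently modified, so likely configuration or script files rather than libraries) and x (the only large file with a recent timestamp, and the program the loader is told to run). On the live host the next step is the one the answer gives: lsof -p on the PID and the /proc/PID/fd entries, followed by hashing and scanning copies of those files.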