What process is accessing this laptop's webcam? Is it a rootkit?

Old laptop, running Minecraft for the kids. Noticed the webcam indicator light flashing randomly for about half a second. Assumed it was a Minecraft mod, shut everything down and reinstalled Ubuntu.

Sure enough, on this fresh install the webcam light started coming on randomly again. Nothing on it beyond a bare-bones Ubuntu (with LXDE), Java for Minecraft and the nvidia driver.

ausearch against /dev/video0 is showing this:

----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395920.450:4111): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.450:4111): cwd="/"
type=SYSCALL msg=audit(1569395920.450:4111): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe354c0f20 a2=0 a3=0 items=1 ppid=4586 pid=4594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395920.454:4112): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.454:4112): cwd="/"
type=SYSCALL msg=audit(1569395920.454:4112): arch=c000003e syscall=191 success=no exit=-61 a0=5575798fd820 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4586 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=CONFIG_CHANGE msg=audit(1569395920.418:4109): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:18:48 2019
type=CONFIG_CHANGE msg=audit(1569395928.358:4115): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=CONFIG_CHANGE msg=audit(1569395955.686:4267): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395955.738:4269): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.738:4269): cwd="/"
type=SYSCALL msg=audit(1569395955.738:4269): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe60335f20 a2=0 a3=0 items=1 ppid=4673 pid=4681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395955.750:4270): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.750:4270): cwd="/"
type=SYSCALL msg=audit(1569395955.750:4270): arch=c000003e syscall=191 success=no exit=-61 a0=55757990d960 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:19:18 2019
type=CONFIG_CHANGE msg=audit(1569395958.534:4273): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395966.278:4344): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.278:4344): cwd="/"
type=SYSCALL msg=audit(1569395966.278:4344): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffedb72bf20 a2=0 a3=0 items=1 ppid=4712 pid=4721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395966.298:4345): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.298:4345): cwd="/"
type=SYSCALL msg=audit(1569395966.298:4345): arch=c000003e syscall=191 success=no exit=-61 a0=557579915450 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----

Interesting is the alternation of proctitle between 2F6C69622F756465762F76346C5F6964002F6465762F766964656F30 and /lib/systemd/systemd-udevd

Here are more timestamps, showing a degree of random access:

grep -B1 proctitle /tmp/ausearch-output.txt 
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.897:65): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.909:66): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.676:134): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.692:135): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.921:190): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.937:193): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.545:262): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.549:263): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.215:324): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.219:325): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.219:461): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.231:462): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"

I haven't run an offline rootkit search from a liveusb yet, but online searches with chkrootkit and rkhunter show nothing.

I'm curious what is causing the webcam light to flash, and what is trying to access /dev/video0.

How do I debug this further? Is this something in Ubuntu looking for new devices, or something more sinister?

Thanks!
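As an added example (not from the question or any answer), here is a small Python parser for ausearch records like the ones above: it decodes the hex-encoded proctitle, joins the PROCTITLE/PATH/SYSCALL records that share one audit serial, names the x86_64 syscall numbers that appear (257 openat, 191 getxattr) and checks whether the accessing process is a child of another process in the same log, which the ppid/pid values in the question (4586) show for v4l_id and systemd-udevd. The sample records are constructed from the output above.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the question's ausearch output.
SAMPLE = """\
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395920.450:4111): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00
type=SYSCALL msg=audit(1569395920.450:4111): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4586 pid=4594 uid=0 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395920.454:4112): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00
type=SYSCALL msg=audit(1569395920.454:4112): arch=c000003e syscall=191 success=no exit=-61 items=1 ppid=336 pid=4586 uid=0 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
"""

# x86_64 (arch=c000003e) syscall numbers seen in the question's records.
X86_64_SYSCALLS = {257: "openat", 191: "getxattr"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"

def decode_proctitle(raw):
    """ausearch hex-encodes proctitle when argv holds NULs; undo that."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")

def parse_events(text):
    """Join the PROCTITLE/PATH/SYSCALL records sharing one audit serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        raw = dict(FIELD_RE.findall(line))            # msg=audit(ts:serial):
        f = {k: v.strip('"') for k, v in raw.items()}
        ev = events[int(raw["msg"].split(":")[1].rstrip(")"))]
        if f["type"] == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(raw["proctitle"])
        elif f["type"] == "PATH":
            ev["path"] = f["name"]
        elif f["type"] == "SYSCALL":
            nr = int(f["syscall"])
            ev.update(comm=f["comm"], exe=f["exe"], pid=int(f["pid"]), ppid=int(f["ppid"]),
                      exit=int(f["exit"]), success=f["success"] == "yes",
                      syscall=X86_64_SYSCALLS.get(nr, "syscall_%d" % nr))
    return dict(events)

def summarize(events):
    """One line per event; flag a process whose parent also appears in the log."""
    by_pid = {e["pid"]: e["comm"] for e in events.values()}
    return ["%d %s %s(%s) %s exit=%d argv=%r%s" % (
                s, e["comm"], e["syscall"], e["path"],
                "ok" if e["success"] else "failed", e["exit"], e["proctitle"],
                " <- child of " + by_pid[e["ppid"]] if e["ppid"] in by_pid else "")
            for s, e in sorted(events.items())]
```

Run over a full ausearch dump it gives the same per-event summary for every serial, so an event whose comm/exe is not a udev helper, or whose parent is not systemd-udevd, stands out from the probing pattern shown in the question.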
