What process is accessing this laptop's webcam? Is it a rootkit?
1 vote, 0 answers, 163 views
Old laptop, running minecraft for the kids. Noticed the webcam light blinking for half a second randomly. Assumed it was a minecraft mod, nuked everything off and did a fresh Ubuntu install.
Sure enough, the webcam light started coming on randomly again on this fresh install. Nothing on it except bare-bones Ubuntu (with LXDE), Java for Minecraft and the nvidia drivers.
ausearch against /dev/video0 was showing this:
----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395920.450:4111): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.450:4111): cwd="/"
type=SYSCALL msg=audit(1569395920.450:4111): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe354c0f20 a2=0 a3=0 items=1 ppid=4586 pid=4594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395920.454:4112): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.454:4112): cwd="/"
type=SYSCALL msg=audit(1569395920.454:4112): arch=c000003e syscall=191 success=no exit=-61 a0=5575798fd820 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4586 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=CONFIG_CHANGE msg=audit(1569395920.418:4109): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:18:48 2019
type=CONFIG_CHANGE msg=audit(1569395928.358:4115): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=CONFIG_CHANGE msg=audit(1569395955.686:4267): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395955.738:4269): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.738:4269): cwd="/"
type=SYSCALL msg=audit(1569395955.738:4269): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe60335f20 a2=0 a3=0 items=1 ppid=4673 pid=4681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395955.750:4270): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.750:4270): cwd="/"
type=SYSCALL msg=audit(1569395955.750:4270): arch=c000003e syscall=191 success=no exit=-61 a0=55757990d960 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:19:18 2019
type=CONFIG_CHANGE msg=audit(1569395958.534:4273): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395966.278:4344): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.278:4344): cwd="/"
type=SYSCALL msg=audit(1569395966.278:4344): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffedb72bf20 a2=0 a3=0 items=1 ppid=4712 pid=4721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395966.298:4345): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.298:4345): cwd="/"
type=SYSCALL msg=audit(1569395966.298:4345): arch=c000003e syscall=191 success=no exit=-61 a0=557579915450 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
Of interest is the proctitle alternating between 2F6C69622F756465762F76346C5F6964002F6465762F766964656F30 and /lib/systemd/systemd-udevd.
Here are some more timestamps, showing the somewhat random access:
grep -B1 proctitle /tmp/ausearch-output.txt
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.897:65): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.909:66): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.676:134): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.692:135): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.921:190): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.937:193): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.545:262): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.549:263): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.215:324): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.219:325): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.219:461): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.231:462): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"
I have not yet run an offline rootkit search from a live USB, but chkrootkit and rkhunter showed nothing in an online search.
I'm curious as to what could be causing the webcam light to blink, and what is trying to access /dev/video0.
How do I debug this further? Is this something in Ubuntu that is hunting for new devices, or is it something more sinister?
Thanks!
Asked by dtbaker (111 rep), Sep 25, 2019, 08:28 AM
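As an added example (not code from the question's author), a small Python triage script over ausearch records like the ones in the question: it decodes the hex-encoded proctitle (auditd hex-encodes a command line whose argv contains NUL separators or unprintable bytes), names the two x86_64 syscall numbers that appear in the records, and links each process to its parent when the parent's own record is in the same capture. The embedded sample is constructed from two of the question's records, trimmed to the PROCTITLE and SYSCALL lines; the syscall-number table is assumed to be for arch=c000003e (x86_64) only.

```python
import re

# Constructed sample: two records copied from the question's ausearch output,
# trimmed to the PROCTITLE and SYSCALL lines the triage needs.
SAMPLE = """\
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=SYSCALL msg=audit(1569395920.450:4111): arch=c000003e syscall=257 success=yes exit=3 ppid=4586 pid=4594 uid=0 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
type=SYSCALL msg=audit(1569395920.454:4112): arch=c000003e syscall=191 success=no exit=-61 ppid=336 pid=4586 uid=0 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
"""

# x86_64 (arch=c000003e) numbers for the two syscalls seen in the records.
X86_64_SYSCALLS = {257: "openat", 191: "getxattr"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv holds NUL or unprintable bytes;
    a double-quoted value is already plain text."""
    if value.startswith('"'):
        return value.strip('"')
    raw = bytes.fromhex(value)
    # argv elements are NUL-separated; join them with spaces as ps would.
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\0") if p)

def summarize(text):
    """Group ausearch records by audit event id; return {event_id: summary}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"time": float(m.group(1))})
        f = dict(FIELD_RE.findall(line))  # values keep their surrounding quotes
        if f["type"] == "PROCTITLE":
            ev["cmdline"] = decode_proctitle(f["proctitle"])
        elif f["type"] == "SYSCALL":
            nr = int(f["syscall"])
            ev.update(pid=int(f["pid"]), ppid=int(f["ppid"]),
                      comm=f["comm"].strip('"'), exe=f["exe"].strip('"'),
                      syscall=X86_64_SYSCALLS.get(nr, str(nr)),
                      ok=f["success"] == "yes", exit=int(f["exit"]))
    return events

def helper_parents(events):
    """Map each process's comm to its parent's comm when the parent's own
    record is in the same capture (links a helper to what spawned it)."""
    by_pid = {e["pid"]: e for e in events.values() if "pid" in e}
    return {e["comm"]: by_pid[e["ppid"]]["comm"]
            for e in events.values() if "ppid" in e and e["ppid"] in by_pid}
```

Run against a full `ausearch -f /dev/video0` dump, `summarize` turns the hex proctitle into a readable command line and `helper_parents` shows whether each opener of the device was spawned by a process that is itself in the capture.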