Can malware run by a user without admin or sudo privileges harm my system?

Question

After a recent break in on a machine running Linux, I found an executable file in the home folder of a user with a weak password. I have cleaned up what appears to be all the damage, but am preparing a full wipe to be sure.

What can malware run by a NON-sudo or unprivileged user do? Is it just looking for files marked with world writable permission to infect? What threatening things can a non-admin user do on most Linux systems? Can you provide some examples of real world problems this kind of security breach can cause?

Answer 1

Most normal users can send mail, execute system utilities, and create network sockets listening on higher ports. This means an attacker could

• send spam or phishing mails,
• exploit any system misconfiguration only visible from within the system (think private key files with permissive read permissions),
• setup a service to distribute arbitrary contents (e.g. porn torrent).

What exactly this means depends on your setup. E.g. the attacker could send mail looking like it came from your company and abuse your servers mail reputation; even more so if mail authentication features like DKIM have been set up. This works till your server's rep is tainting and other mail servers start to blacklist the IP/domain.

Either way, restoring from backup is the right choice.

Answer 2

Most of the answers are missing the two key words: privilege escalation.

One an attacker has access to an unprivileged account, it's much easier for them to exploit bugs in the operating system and libraries to obtain privileged access to the system. You shouldn't assume that the attacker used only the unprivileged access they originally obtained.

Answer 3

A rm -rf ~ or something alike would be pretty catastrophic, and you don't need root privileges.

Answer 4

Ransomware

It doesn't apply to your situation, since you would have noticed it, but for the nowadays somewhat popular attacks of ransomware (encrypting all your documents and offering to sell the decryption key) it is completely sufficient to have unprivileged access.

It can't modify system files, but generally rebuilding a system from scratch is simple compared to recovery of valuable user data (business documents, family pictures, etc) from backups that often are obsolete or nonexistent.

Answer 5

Most common (in my POV, from my experience):

• Sending spam

• Sending more spam

• Infecting other computers

• Setup phishing sites

• ...

Answer 6

A virus can infect all the machines in your LAN network and elevate the privilege to get the root access wiki-Privilege_escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Answer 7

A lots of potential possibilities come to my mind:

• Denial of service: it could be on your machine or more probable, use your machine to attack a second one at the cost of your own resources.
• Mine bitcoins. Using your CPU for getting money seems atractive enough
• If the browser is vulnerable they will try to redirect you to every kind of sites, install bars or show pop-ups that will give them revenue. Fortutately this seems harder in Linux or the spammers are not as good at this.
• Get private data for comercial use and sell it to others. Only for the compromised user: date of birth, telephone, if it is in the browser caché.
• Access other files in the server that are readable.
• Create malicious scripts that might ask for the root password. For example, in your bash they may try to redirect sudo to other things to get your password.
• Getting your stored passwords in the browser or try to keylog your bank credencials. This might be harder but certainly will be dangerous. With gmail they may get facebook, stole your steam acount, amazon, etc.
• Install malicious certificates as valid for your user

Of course this is a worse case scenario so do not panic. Some of this might be blocked by other security measures and won't be trivial at all.

Answer 8

Information ^[1]

IMHO one of the most scaring thing that an exploit can do is to gather information and remain hidden to come back and strike when your attention will be less (each night or holiday period will be suitable).
The following are only the first reasons that come up in my mind, you can add others and others...

• Information about the services you are running, their version and their weaknesses, with special attention to the obsolete one that you may need to keep alive for compatibility reasons.
• Periodicity with which you update them and the security patches. To sit in front a bulletin and wait the right moment to try to come back.
• The habits of your users, to rise less suspects when it will be.
• The defences you set up.
• If gained even a partial root access the ssh-keys, authorized hosts and the passwords on this and other machines for each user (let's suppose someone executed a command with the password passed as a parameter it is not even needed the root privilege). It was possible to scan the memory and extract it. I say again: in both ways, to your machine and from your machine. With 2 sided ssh authorization between two machines they can continue to bounce in and out from the compromised account.

So flatten that machine and monitor the future passwords and keys, for these reasons above and all the other ones that you can read from the other answers.

---

^{[1] Quoting not literally Hitchcock: "A shot of a gun lasts a moment but an hand wielding a weapon can last a full movie"}