If you're posting because you think you have been cracked, hacked, or your system's security has otherwise been compromised, please consider including the following information. This will help those trying to support you streamline the process and get you to your solution more quickly.
Prior to posting, make sure you have a current backup of your system. Often, in the event of a compromised system, a full reinstall is the only solution.
1: What version of Ubuntu are you running? Are you dual booting, and is this system networked with other machines? If so, what operating platforms and versions are they running?
2: Why do you think you were cracked? Please post a paste from the log file, a screenshot, or a written description of what you are experiencing.
Examples include: auth.log snippets, syslog snippets, AV alerts, rkhunter/chkrootkit reports, odd browser behavior, IDS logs, etc.
3: If this machine is networked with other machines, is the same behavior observed there?
4: Is this machine shared between multiple users, or is it for your use only? Also, is it using strong credentials for all forms of authentication?
5: What services is the machine in question running? Also, are any other network services running on other machines on the network? If so, what are they?
Examples: SSH, VNC, FTP, MySQL, Apache HTTP, etc.
6: Did you recently download or install anything from an untrusted source? (e.g. a PPA, or something from the internet, including bash scripts)
7: Is the compromised machine or network in question on a wireless network? If so, what type of security measures are in place? WEP/WPA/WPA2/Open?
8: What other security measures are you utilizing on your system? AppArmor? UFW? Firestarter? etc.
9: Have you added, modified, damaged or replaced any hardware in the system recently?
10: Is the noticed activity repeatable?
Example: If I try to visit Facebook on my Ubuntu machine I am always redirected to another site.
Example 2: Every night my server runs a cron job I did not create.
Please note that you may not know all of this information; that is perfectly acceptable, and you are encouraged to ask for clarification. However, try to give as much information as you can at the start. Below you will find an example of a post that follows this format.
----------------------------------------------------------------------------------------------------------------------------
Could someone please help me? I'm pretty sure my system has been cracked. Here is the information suggested in the thread.
1. I'm running Ubuntu 11.04 Natty. It is the only operating system on the computer and it is connected directly to the internet; there is no router.
2. I noticed in my /etc/passwd file there is a user that I did not create. Below is an excerpt from my passwd file.
Code:
dangertux:x:1000:1000:dangertux:/home/dangertux:/bin/bash
qemu:x:107:107:qemu user:/:/sbin/nologin
badguy:x:1001:1001:get owned:/dev/null:/bin/sh
Additionally there is this line in my auth.log
Code:
Dec 12 18:43:16 server sshd[1577]: Accepted password for dangertux from 3.13.3.7 port 59274 ssh2
This is not an IP I use.
3. There are no other machines.
4. I use a 10 character password based on a dictionary word for my login.
5. My machine runs an SSH server so that I can tunnel from public wifi back to my machine. It is using password authentication.
6. No I haven't.
7. Not on a wireless network; it is directly connected.
8. UFW is enabled; however, port 22 is allowed.
9. No, it's a brand new machine still under factory warranty (minus the fact that I installed Ubuntu).
10. The activity is persistent, and I have not noticed other side effects. What should I look for?
------------------------------------------------------------------------------------------------------------------------
As you can see, the information provided here clearly helps those troubleshooting the issue realize that the system was cracked via weak SSH credentials and an additional user was created. At this point it would be acceptable to recommend a full reinstall, since the user in question, UID 1000 (if settings are default), is a sudoer. If the user is not a sudoer, removal of the offending account, a change of credentials, and hardening of SSH would be recommended.
This is just one example, and not all cases will fit this mold. Just remember that the more information you can post in the thread initially, the better your chances of getting a fast answer.
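As an added example (not part of the original thread or the sample post), here is a small POSIX shell triage script that applies the reasoning above to the two artifacts the sample post pasted. It lists login-capable accounts from an /etc/passwd excerpt, flags ones that have a login shell but a home directory that cannot hold a profile, checks sudo group membership from an /etc/group line (the "is UID 1000 a sudoer" question), and summarizes accepted SSH logins in auth.log by source address and authentication method. The passwd lines and the first auth.log line are the sample post's own; the /etc/group line, the other two auth.log lines and the trusted address 192.0.2.10 are constructed for this example. On a real machine you would feed it /etc/passwd, /etc/group and /var/log/auth.log instead of the embedded strings.

```shell
#!/bin/sh
# Added triage example (not from the original thread). Offline check of the
# artifacts the sample post pasted: an /etc/passwd excerpt and an auth.log
# snippet, plus a constructed /etc/group line for the sudoer question.
# On a real system, replace the embedded strings with the contents of
# /etc/passwd, /etc/group and /var/log/auth.log.

# Constructed sample data. The passwd lines and the first auth.log line are
# the sample post's own; the rest is made up for this example.
PASSWD_SAMPLE='dangertux:x:1000:1000:dangertux:/home/dangertux:/bin/bash
qemu:x:107:107:qemu user:/:/sbin/nologin
badguy:x:1001:1001:get owned:/dev/null:/bin/sh'

GROUP_SAMPLE='sudo:x:27:dangertux
admin:x:4:'

AUTHLOG_SAMPLE='Dec 12 18:43:16 server sshd[1577]: Accepted password for dangertux from 3.13.3.7 port 59274 ssh2
Dec 12 18:50:02 server sshd[1602]: Failed password for root from 3.13.3.7 port 59301 ssh2
Dec 13 09:12:44 server sshd[1720]: Accepted publickey for dangertux from 192.0.2.10 port 41022 ssh2'

# Accounts that can interactively log in: root or UID >= 1000 with a shell
# that is not nologin/false. Output: user:uid:home:shell
login_capable_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '
        ($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ {
            print $1 ":" $3 ":" $6 ":" $7
        }'
}

# Login-capable accounts whose home cannot hold a profile (/dev/null, /,
# /nonexistent). A valid shell paired with such a home is typical of a
# hand-added account like the "badguy" entry in the sample post.
suspicious_accounts() {
    login_capable_accounts | awk -F: '
        $3 == "/dev/null" || $3 == "/" || $3 == "/nonexistent" { print $1 }'
}

# Members of the sudo group (field 4 of the group line, comma separated).
# On a default Ubuntu install the first user (UID 1000) is placed here.
sudoers() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: '
        $1 == "sudo" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# Completed SSH logins from auth.log, counted per "source-ip method".
# Field layout: ... sshd[PID]: Accepted <method> for <user> from <ip> port ...
accepted_logins() {
    printf '%s\n' "$AUTHLOG_SAMPLE" | awk '
        $5 ~ /^sshd\[/ && $6 == "Accepted" {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip " " $7]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Accepted logins from addresses outside a space-separated trusted list.
# The sample post's 3.13.3.7 shows up here; 192.0.2.10 is assumed known.
unexpected_login_sources() {
    trusted="$1"
    accepted_logins | while read -r ip method n; do
        case " $trusted " in
            *" $ip "*) ;;                 # known address, nothing to report
            *) printf '%s %s %s\n' "$ip" "$method" "$n" ;;
        esac
    done
}

# Stand-alone report, mirroring what a helper in the thread would check.
printf 'Login-capable accounts:\n'; login_capable_accounts
printf 'Suspicious accounts:\n'; suspicious_accounts
printf 'sudo group members:\n'; sudoers
printf 'Accepted SSH logins from untrusted addresses:\n'
unexpected_login_sources '192.0.2.10'
```

Run it with `sh triage.sh`; for the sample data it reports badguy as suspicious, dangertux as the sudo member (so a compromise of that account warrants the full reinstall the thread recommends), and one accepted password login from 3.13.3.7, the address the poster does not recognize.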