Page 4 of 4 FirstFirst ... 234
Results 31 to 33 of 33

Thread: Fresh installed Ubuntu infected - help

  1. #31
    Join Date
    Aug 2008
    Location
    Lisbon, Portugal
    Beans
    101
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Fresh installed Ubuntu infected - help

    Man, that is really the weirdest thing I've ever heard. I think you should really try another distro to check if the same happens. Try something like Fedora.

    You can also try the hardcore OpenBSD, it's an excellent OS, but very limited for desktop use. FreeBSD might be a better option.

    As a last resort, you should also try to change ISP...

  2. #32
    Join Date
    Jul 2006
    Beans
    79
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Ubuntu infected - no more internet to Ubuntu

    My conclusions on the security of Ubuntu:

    1. If someone skilled in the art wants to abuse your system via an internet connection they can in less than 4 hours.
    2. The intruders patch the binary files normally invisibly, so everything looks normal.
    3. They are in total control of your system, and they can monitor individual keystrokes in real time.
    4. If you employ Ossec to try detecting when (not "if") you lose control, they first try to stop Ossec from working.
    5. When the stop is countered, Ossec is "accepted" but permissions are changed, so it gets difficult to access the logs.
    6. They prevent the copy of the log files to removable media. I found a workaround though.
    7. They make multiple attempts to configure the WiFi interface, maybe because that could ease their attempt to get non-interrupted access to the system.
    8. The initial attack was for surveillance only.
    9. But monitoring the attack with Ossec, the attack changed strategy, to stopping me from accessing the net.
    10. I do not have the skills to stop the attackers from compromising my system using Ubuntu.
    11. If you are too successful detecting the attack, your LUKS password becomes unusable, and the attack evidence definitely hidden, unless great efforts are used. I think I know how the disk contents can be reestablished in less than 2 days, not tested though.

    --------------

    These conclusions are based on a base-installed 8.04.1 system.
    This disk was downloaded long before I got attacked, and the checksum was verified then.

    The system, a Lenovo T41, has been installed with no internet connection.
    Then /etc/apt/sources.list has been edited to enable the repositories disabled by the initial install without net.
    Then the system has been updated via the internet.
    Ossec (with correct checksums) has been installed, initialized and started.
    Then the system has been used for surfing only + watching logs.

    In less than 4 hours the system gets infected. It has now happened 4 times within a week on a reinstalled system.

    I have used Linux for more than 4 years, and Ubuntu for more than 2 years, and made more than 25 Ubuntu installs.

    I'm an EE, and have worked as an embedded SW developer for 26 years.

    As I previously mentioned, I don't consider myself a security expert, although I have been part of a team developing a system not intended for, but anyway well suited for, surveillance. The attacks on my Ubuntu box go beyond my skills, patience, and resources. One week of heavy reading on security issues has not been successful.

    I do not participate in illegal activities, but despite this, I consider my civil right to privacy important; my thoughts are mine, and mine only, also when stored on a computer.
    Whether Ubuntu is constructed with well hidden handles for surveillance, or this is not intended, I cannot tell.

    Surveillance is not bad in all cases, i.e. I'm glad the special police have an incredible success rate at identifying possible terrorists in the western world. To tell how skilled the police are, I can tell there have been 3 big terror cases in Denmark. In the first two, the evidence was weak, and there were problems getting convictions. When a 3rd case emerged, the police learned the lesson from previous mistakes. They wired and mounted cameras in every room of the suspects' apartments, and actually got videos of the suspects producing (the b word, you know what I mean, like London and Madrid). That is very strong evidence in court!

    This issue however has other solutions not necessarily inflicting civil rights, but possibly the greed of powerful people.

    Using a system open for surveillance is not a problem, if no persons exist wishing to harm you in any way.
    This can however not be considered true, neither from governments nor ordinary criminals.

    Unless any from the Ubuntu community considers this important to follow up trying to improve the system, this is my final post in this thread.

  3. #33
    Join Date
    Sep 2008
    Location
    Australia
    Beans
    3

    Re: Fresh installed Ubuntu infected - help

    While searching for a solution to a 'problem' I had, I came across this thread and the closely related <<How do I use Ubuntu without Ubuntu>>.

    Now I must say that I'm a bit of an anarchist punk at heart, but I think we should stay with the purpose of these forums, a technical resource that supports an open-source product.

    That brings me to the point that I feel I should make. You (ekh) have stated that you are not a security expert. That describes the majority of the people that use the good old internet, and a fairly large portion of Gnu/Linux users also. Unless you work in the IT&C and security industries there is no need to be an expert.

    All you need to do is make an effort to remain up to date with the applications/services that you use. If you need to set up servers such as samba/cups, NIS, NFS, DNS and so on, then you only need to try and be well acquainted with those services and their vulnerabilities. Then disable/uninstall/block anything you don't need (this includes ports as well as software). That is the reason why properly set up servers have no X windowing, multimedia or suchlike. Keep it to a bare minimum and know what you need to.

    For example, my home network consists of only a router, a PPC set up as an SMB file server, my Gnu/Linux box and my housemates' WinXP box. The file server is installed with Gentoo, a hardened kernel I compiled (it's easier than most people assume), the very basic utilities for operation/admin, samba and ssh.

    Just keep it simple and up to date. No degree or doctorate required for that.

    You have so many options available in distributions, configurations and applications. And the benefit of all Gnu/Linux systems is that if you are willing to put a bit of effort into it, you can control everything yourself (not dependent on any one group or company...)
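    An added example, not from this thread, of the "disable anything you don't need, ports included" advice in the post above: a small shell audit of what is actually reachable on a Debian/Ubuntu host. The `ss -Hltunp` column layout is an assumption, the sample output is constructed, and `owning_package` (via `dpkg -S`) is only meaningful on a real host.

```shell
#!/bin/sh
# Added example, not from the thread: list services reachable from the
# network so anything unneeded can be disabled or uninstalled.
# Assumes the `ss -Hltunp` column layout from iproute2:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port Process
# The sample below is constructed so the script runs offline.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0 50  0.0.0.0:445       0.0.0.0:* users:(("smbd",pid=901,fd=31))
udp   UNCONN 0 0   127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=400,fd=12))
tcp   LISTEN 0 5   127.0.0.1:631     0.0.0.0:* users:(("cupsd",pid=950,fd=7))
tcp   LISTEN 0 5   [::1]:631         [::]:*    users:(("cupsd",pid=950,fd=8))'

# Print "proto port address process" for each socket bound to a non-loopback
# address; loopback-only listeners are not reachable from the network.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
    NF >= 6 {
        local = $5
        n = split(local, f, ":")
        port = f[n]
        host = substr(local, 1, length(local) - length(port) - 1)
        gsub(/\[|\]/, "", host)   # strip IPv6 brackets: [::] -> ::
        sub(/%.*/, "", host)      # strip scope id: 127.0.0.53%lo -> 127.0.0.53
        if (host ~ /^127\./ || host == "::1") next
        proc = (NF >= 7) ? $7 : "-"   # process column is absent without root
        gsub(/users:\(\("|".*/, "", proc)   # users:(("sshd",pid=..)) -> sshd
        print $1, port, host, proc
    }'
}

# Map a process name to the package that ships it, so the service can be
# removed through the package manager instead of being left running.
owning_package() {
    bin=$(command -v "$1") || return 1
    dpkg -S "$bin" 2>/dev/null | cut -d: -f1
}

# Offline run over the constructed sample; pass --live to audit this host.
if [ "$1" = "--live" ]; then
    exposed_sockets "$(ss -Hltunp)"
else
    exposed_sockets "$SAMPLE_SS"
fi
```

    On the sample this reports only the two sshd sockets and smbd; the resolver and cupsd are bound to loopback and are left out.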
