View Poll Results: Was my system being hacked?

Voters: 11
  • Yes, definitely: 0 (0%)
  • No idea: 4 (36.36%)
  • No, this is more likely to be caused by something else: 7 (63.64%)

Thread: Being hacked? Lost 3 days of information and no log files

  1. #11

    Re: Being hacked? Lost 3 days of information and no log files

    Thanks for the tip:

    I checked md5sum of the following files, all appear to be fine:

    Code:
    c052c7ef7eed49274a6f929ea46d80b8  vmlinuz-2.6.28-15-generic
    
    8c55cc2b4b9ab893fd17acf80f0ce8d7  /usr/sbin/exim4
    13408cbc2eb5c02107a94628e58ab496  /usr/lib/pt_chown
    8d7d52a76c726cac931906dcc1e4a2aa  /usr/lib/openssh/ssh-keysign
    6f194b76a4bd396ccd486c9423d0d249  /usr/bin/gpasswd
    ca8fde040c4f9e97656be7bbd2e38760  /usr/bin/sudoedit
    ca8fde040c4f9e97656be7bbd2e38760  /usr/bin/sudo
    534048d07fd501602fa229805a7586d1  /bin/su
    f799b022ccacd70f00b2343a6efb2ae9  /usr/bin/chsh
    d64cea605d137954196bc46ee56001e9  /usr/lib/eject/dmcrypt-get-device
    be6a4569264663afdd00f70545df0319  /usr/lib/policykit/polkit-resolve-exe-helper
    0adca5154514899d48a30b391bb63a4a  /usr/lib/policykit/polkit-grant-helper-pam
    caa511c650c544f12e830f2af3af2860  /usr/bin/X
    5cc4ff60e4058586aa5ca15833a646db  /usr/bin/lppasswd
    ---

    As a further analysis tool, I understand mactime might be useful. Unfortunately, I have not figured out how to use it. I understand grave-robber is to be run first, but I get this error message, about which I have not found any information on the Internet.

    Code:
    # grave-robber -v
    cannot exec /bin/hostname: No such file or directory
    cannot exec /bin/uname -n: No such file or directory
    cannot exec /bin/df: No such file or directory
    --
    One further remark regarding running servers: there is also exim4 running, but it is bound to 127.0.0.1:

    netstat -tlnp

    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2875/exim4

  2. #12

    Though missing a few days of logs does raise flags, there's nothing to really indicate a compromise. Deleting the log files is a bit above script-kiddie level, as they don't tend to even be aware of logs or .bash_history files; it's still far below someone skilled at Linux hacking, as they would "grep -v <their source address>" and write it out to a file to remove all log entries specific to their IP. Then they overwrite the original log and touch it to match the date and time of the last log entry.

    If there is no backdoor, then you could have someone logging in with ssh. There are thousands of ways to hide backdoors in *nix systems, and a few of them are very hard to find even by experts. My advice is to remove your network cable from the machine, copy your important files off onto an external hard drive after booting the machine from the live CD, and then reinstall, being sure to change your passwords. I do security research and penetration testing for a living, so I tend to lean on the safer side of things when it comes to a suspect machine or anomalous activity from a machine.
    -Chayak
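The thread's starting symptom is days of log entries that are simply absent. As an added example (not from the thread or any of its posters), this script reports runs of calendar days with no entries in a syslog-format file; the log lines are constructed, and it assumes all entries fall in one year and ignores leap years.

```shell
#!/bin/sh
# Added example, not from the thread: report runs of days with no entries in a
# syslog-format file, the symptom this thread started with (three days of logs
# missing). Assumes all lines fall in one calendar year and ignores leap years.

# Constructed sample: entries on Sep 28 and Sep 29, then nothing until Oct 3.
SAMPLE_LOG='Sep 28 06:25:01 host CRON[1234]: (root) CMD (test -x /usr/sbin/anacron)
Sep 28 23:59:58 host kernel: [    0.000000] Linux version 2.6.28-15-generic
Sep 29 08:12:44 host sudo:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/ls
Oct  3 12:40:00 host sshd[2875]: Accepted publickey for user from 192.0.2.10 port 40000 ssh2
Oct  4 09:00:00 host sudo:  user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/apt-get update'

# log_gaps LOG_TEXT [MIN_MISSING] -> one line per stretch of at least
# MIN_MISSING (default 1) consecutive days without a single entry.
log_gaps() {
    printf '%s\n' "$1" | awk -v min="${2:-1}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", before, " ")
        for (i = 1; i <= 12; i++) doy0[mon[i]] = before[i]   # days before each month
    }
    # only syslog-style lines: "Mon DD HH:MM:SS host ..."
    ($1 in doy0) && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        d = doy0[$1] + $2                  # day of year of this entry
        if (prev != "" && d - prev - 1 >= min)
            printf "%s %s -> %s %s (%d days missing)\n", pm, pd, $1, $2, d - prev - 1
        prev = d; pm = $1; pd = $2
    }'
}

log_gaps "$SAMPLE_LOG"
```

On a live system run it over the file itself, e.g. `log_gaps "$(cat /var/log/auth.log)"`; a gap that matches no known downtime or logrotate run is the thing to look into, alongside comparing the file's mtime with the timestamp of its last entry.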

  3. #13

    You could make a script that searches the log files and greps for matching entries (like "sudo:" etc.).
    Put it in your crontab for daily execution, and send the output to a directory like ~/Public (for example).
    That way you could possibly find and log some unauthorized activity on your computer.

    Here's an example of a script that does this (don't hate, I made it).
    It searches these logs: system messages, auth.log, daemon.log, bash history,
    and outputs the results to ~/Public in the form of a txt file.

    Code:
    #!/bin/bash
    # Daily log check: collects listening sockets, zombie processes and today's
    # entries from the system logs into a dated report under ~/Public.
    # auth.log and daemon.log are readable only by root or the adm group on
    # Ubuntu, so run this from root's crontab (or as a member of adm).
    znet=$(netstat -a | grep 'LISTEN')
    zconn=$(echo "$znet" | grep tcp)
    zconn2=$(sudo netstat -tlnp)          # TCP listeners with owning PID/program (needs root)

    zombies=$(ps aux | awk '{ print $8 " " $2 }' | grep -w Z)   # STAT column is Z for zombies

    znewfile=$(date +%b-%d-%T)
    zmonth=$(date +%b)
    zday=$(date +%e)                      # %e is space-padded, so "$zmonth $zday" matches syslog's "Oct  3"
    today="$zmonth $zday"

    # Today's kernel messages
    zlog1=$(grep "kernel:" /var/log/messages)
    zlog2=$(echo "$zlog1" | grep "$today")

    # Today's sudo and dbus entries from auth.log
    zlog3=$(grep "sudo:" /var/log/auth.log)
    zlog8=$(grep "dbus-daemon:" /var/log/auth.log)
    zlog4=$(echo "$zlog3" | grep "$today")
    zlog9=$(echo "$zlog8" | grep "$today")

    # Today's init and "started" entries from daemon.log
    zlog5=$(grep "init:" /var/log/daemon.log)
    zlog7A=$(grep "started" /var/log/daemon.log)
    zlog6=$(echo "$zlog5" | grep "$today")
    zlog7=$(echo "$zlog7A" | grep "$today")

    bashH=$(cat ~/.bash_history)

    mkdir -p ~/Public
    out=~/Public/$znewfile.txt
    echo "This is a daily log check: $znewfile" > "$out"
    echo -e "Logs: Listening TCP ports, Zombies, system messages, auth.log, daemon.log, bash history: \r " >> "$out"
    echo "LISTENING TCP PORTS" >> "$out"
    echo "$zconn" >> "$out"
    echo "$zconn2" >> "$out"
    echo "ZOMBIES (there usually are none)" >> "$out"
    echo -e "$zombies\r" >> "$out"
    echo "MESSAGES LOG" >> "$out"
    echo -e "$zlog2\r" >> "$out"
    echo "AUTH.LOG" >> "$out"
    echo "$zlog4" >> "$out"
    echo -e "$zlog9\r" >> "$out"
    echo "DAEMON.LOG" >> "$out"
    echo "$zlog6" >> "$out"
    echo -e "$zlog7\r" >> "$out"
    echo "BASH HISTORY" >> "$out"
    echo "$bashH" >> "$out"
    EDIT: just figured out that the date was wrong (should be +%b-%d-%T), and made some other changes.
    Last edited by ApEkV2; October 3rd, 2009 at 12:40 AM.

  4. #14

    Thank you all for your replies!

    @ApEkV2: Thanks for your script; I have implemented it on my system.

  5. #15

    No problem.

  6. #16

    Here is a concluding update to the puzzling situation: when I finally got my hands on the system physically, instead of remotely, I discovered more strange patterns: emails that got pulled from the server twice, even though everything had been downloaded the day before, files magically disappearing...

    The solution to the riddle was:

    * The system had 2 identical partitions, cloned ones. Both partitions were sharing the same UUID, and fstab used the UUID to identify the root partition. So, the good news is, there was no hacking or intrusion into the system. All syslogs are complete; however, they were spread over 2 separate root disk partitions.

    As the fstab was set up to boot via UUID, the system sort of randomly (or is there a logical pattern behind this?) chose the one or the other partition to boot from. On one day the original partition got booted, on another day it was the cloned or fake original one. On a low-usage system this kind of mirroring of drives caused only a little irritation (email downloaded twice) but did not really cause any further confusion; until one day this September.

    For completeness, here are some links and commands that might come useful for handling a similar situation:

    Show UUID:
    ls -al /dev/disk/by-uuid
    blkid

    fstab - check whether a UUID is used to identify the partition:
    # MyBook Partition 6 (Musik)
    UUID=123b0f18-456a-4a92-a17e-123ef2ec0456 /media/mymountname ext3 defaults,users,noatime,noauto 0 0

    tune2fs -U

    Links:
    http://www.cyberciti.biz/faq/linux-f...-update-fstab/
    http://wiki.linuxquestions.org/wiki/Tune2fs
    http://ubuntuforums.org/showthread.php?t=326871
    http://linux.byexamples.com/archives...tab-with-uuid/
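The root cause above is two block devices answering to the same filesystem UUID. As an added example (not from the thread or its posters), the script below finds such duplicates in blkid output and flags the fstab entries that therefore resolve ambiguously; the device names, UUIDs and fstab lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find block devices that share one
# filesystem UUID (cloned partitions, as in the post above) and the fstab
# entries that consequently point at more than one device. Parses blkid(8)
# output; all device names, UUIDs and fstab lines here are constructed.

SAMPLE_BLKID='/dev/sda1: UUID="9a9a9a9a-1111-4a92-a17e-000000000001" TYPE="ext4"
/dev/sda2: UUID="123b0f18-456a-4a92-a17e-123ef2ec0456" TYPE="ext3"
/dev/sdb2: UUID="123b0f18-456a-4a92-a17e-123ef2ec0456" TYPE="ext3"
/dev/sda3: UUID="5d5d5d5d-2222-4a92-a17e-000000000003" TYPE="swap"'

SAMPLE_FSTAB='# root is meant to be sda2, but sdb2 is a byte-for-byte clone of it
UUID=123b0f18-456a-4a92-a17e-123ef2ec0456 / ext3 defaults,errors=remount-ro 0 1
UUID=5d5d5d5d-2222-4a92-a17e-000000000003 none swap sw 0 0'

# dup_uuids BLKID_TEXT -> "UUID dev1 dev2 ..." for every UUID carried by more than one device
dup_uuids() {
    printf '%s\n' "$1" \
    | sed -n 's/^\([^:]*\):.* UUID="\([^"]*\)".*/\2 \1/p' \
    | sort \
    | awk '{ devs[$1] = devs[$1] " " $2; n[$1]++ }
           END { for (u in n) if (n[u] > 1) print u devs[u] }' \
    | sort
}

# ambiguous_fstab BLKID_TEXT FSTAB_TEXT -> fstab lines whose UUID= matches several devices
ambiguous_fstab() {
    dups=$(dup_uuids "$1" | cut -d' ' -f1)
    printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in UUID=*) ;; *) continue ;; esac   # skip comments and non-UUID entries
        u=${line#UUID=}; u=${u%% *}
        for d in $dups; do
            if [ "$u" = "$d" ]; then printf '%s\n' "$line"; fi
        done
    done
}

echo "Duplicated UUIDs:";        dup_uuids "$SAMPLE_BLKID"
echo "Ambiguous fstab entries:"; ambiguous_fstab "$SAMPLE_BLKID" "$SAMPLE_FSTAB"
```

On the affected machine the same functions run against live data with `ambiguous_fstab "$(blkid)" "$(cat /etc/fstab)"` (blkid needs root to see every device); giving one clone a UUID of its own with tune2fs -U, listed above, is what makes the entry unambiguous again.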
