Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: Did someone log into my PC and edit auth.log entries to cover tracks?

  1. #11
    Join Date
    Jun 2020
    Beans
    185

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Dorms, apartment room mates .
    yea ok my bad ,didn't think of that . I'm 50 so those living arrangements left me like 30yrs ago lol.

    instead of shutting down all the time when you go have a dump or whatever , maybe look into this ?

    just a thought that occurred to me , if someone cant access a USB port ...well...
    xubuntu 20.04.2 LTS (focal fossa)

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    If the attacker isn't just a normal roommate, but some sort of highly motivated "state actor", then any bus connection can be used - PCI, PCIe, firewire, USB, Thunderbolt - any bus can be abused. I'd bet SATA, eSATA, IDE can be used too. There are published attack techniques for USB, firewire, and thunderbolt connections.
    And if you use any wireless mouse, keyboard of any sort, game over. Currently, none of the wireless protocols are known to be secure. I've been hacked over bluetooth.

    For example:


    I'm not making this stuff up.
    Last edited by TheFu; 4 Weeks Ago at 11:16 PM.

  3. #13
    Join Date
    Jun 2020
    Beans
    185

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    or ..
    to block:
    Code:
    sudo chmod 700 /media
    This will allow the root user only to mount the removable disks not the normal users

    to unblock:
    Code:
    sudo chmod 755 /media


    that's if your your 'attacker" is not a spy of some sorts like the fu said
    xubuntu 20.04.2 LTS (focal fossa)

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by TheFu View Post
    If you cannot restrict physical access to the system, then there isn't anything that can be done. With physical access, anything is possible.
    There is 1 way to fight that. Whole disk encryption using 2FA where you keep the 2FA device with you at all times. ALL TIMES. That includes in the toilet, shower. Get a Yubikey and setup 2FA to decrypt the LUKS encryption pre-boot using a challenge-response mode.
    Agreed on the encryption bit. It's a layer of extra security, but it does have it's down sides as well.

    If you are in this sort of situation, enabling two-factor authentication can help immensely, but it won't stop everything if someone has physical access to your phone or email.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #15
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,672
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by hairyjew117 View Post
    When i powered the laptop down I powered it down holding the button but it should still log that I powered it down??
    On the laptops I own (and I own several) pressing + holding the power button is NOT a graceful shutdown. It's a forced shutdown, the equivalent of suddenly pulling the power cord on a desktop PC. I would find it quite surprising if your Linux installation managed to log anything at all in that moment since you're basically violently pulling the rug from under its feet.

    Please stop doing that. A short press of the power button so the laptop initiates a graceful shutdown by itself (takes about 2 to 10 seconds) is OK, but not pressing + holding.


    As for the possibility of someone logging into your system:

    Did you check these commands?
    Code:
    sudo last
    sudo lastb
    Sometimes people (intruders too) forget that these files exist, e.g. they remove entries from "auth.log" but forget to erase the traces they left in places like /var/log/wtmp .... The other thing is that /var/log/btmp and /var/log/wtmp are in a binary format and thus harder to manipulate without completely messing them up. Most people trying to cover their tracks will simply resort to erasing those files right away or filling them with binary '0' so those files look empty.

    So if you check the outputs of
    Code:
    sudo lastb
    (the "bad" login attempts ... could well be empty if nobody ever tried anything) and
    Code:
    sudo last
    (the successful logins ... NO WAY this could ever be empty!!) is there any oddity there? Or nothing at all? e.g. you only get empty outputs from both commands?

    If the system was indeed tampered with then
    Code:
    sudo last
    will produce no output at all (e.g. the log was erased) or there should be strange time gaps, e.g. complete days missing.

    On a normal system where no tampering took place a "last" output should look something like this and you should be able to see both local and remote logins over a period of several months:

    Code:
    frodo      pts/1        192.168.1.6      Sat Apr 17 12:03   still logged in
    frodo      tty7         :0               Sat Apr 17 04:04 - 04:10  (00:05)
    frodo      tty7         :0               Sat Apr 17 03:56 - 04:04  (00:07)
    frodo      pts/1        192.168.1.6      Fri Apr 16 16:54 - 17:08  (00:14)
    frodo      pts/1        192.168.1.6      Fri Apr 16 15:41 - 15:41  (00:00)
    frodo      pts/1        192.168.1.6      Fri Apr 16 15:40 - 15:40  (00:00)
    frodo      pts/1        192.168.1.6      Fri Apr 16 15:19 - 15:19  (00:00)
    gollum     pts/1        10.106.77.10     Fri Apr 16 15:17 - 16:17  (01:00)
    frodo      pts/0        192.168.1.6      Fri Apr 16 14:15 - 14:15  (00:00)
    frodo      tty7         :0               Fri Apr 16 14:11 - 14:13  (00:01)
    frodo      tty7         :0               Fri Apr 16 13:58 - 14:11  (00:13)
    frodo      tty7         :0               Fri Apr 16 13:57 - 13:58  (00:01)
    frodo      pts/0        192.168.1.6      Fri Apr 16 13:17 - 13:56  (00:38)
    frodo      pts/0        192.168.1.6      Fri Apr 16 13:13 - 13:13  (00:00)
    frodo      pts/0        192.168.1.6      Fri Apr 16 13:06 - 13:06  (00:00)
    frodo      pts/0        192.168.1.108    Fri Apr 16 01:43 - 01:46  (00:03)
    reboot   system boot  5.4.0-72-generic   Fri Apr 16 01:09   still running
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:07 - 01:08  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:06 - 01:06  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:06 - 01:06  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:06 - 01:06  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:02 - 01:06  (00:03)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:02 - 01:02  (00:00)
    frodo      pts/1        192.168.1.2      Fri Apr 16 01:01 - 01:03  (00:01)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:01 - 01:02  (00:00)
    frodo      pts/0        192.168.1.7      Fri Apr 16 01:01 - 01:01  (00:00)
    frodo      pts/0        192.168.1.2      Thu Apr 15 00:21 - 01:59  (01:38)
    frodo      pts/0        192.168.1.2      Thu Apr 15 00:04 - 00:08  (00:03)
    frodo      tty7         :0               Wed Apr 14 23:06 - 23:10  (00:03)
    gollum     pts/0        10.106.77.10     Wed Apr 14 16:50 - 16:56  (00:06)
    frodo      pts/0        192.168.1.43     Wed Apr 14 14:07 - 14:07  (00:00)
    reboot   system boot  5.4.0-71-generic   Wed Apr 14 14:05 - 01:08 (1+11:02)
    frodo      pts/0        192.168.1.6      Wed Apr 14 13:52 - 13:52  (00:00)
    frodo      pts/0        10.135.75.30     Wed Apr 14 12:02 - 12:12  (00:09)
    frodo      pts/0        10.135.75.30     Wed Apr 14 11:47 - 11:51  (00:04)
    frodo      pts/0        10.135.75.30     Wed Apr 14 11:39 - 11:41  (00:01)
    frodo      pts/0        10.135.75.30     Tue Apr 13 12:30 - 12:31  (00:00)
    frodo      pts/0        10.135.75.30     Tue Apr 13 12:11 - 12:13  (00:02)
    frodo      pts/0        10.135.75.30     Tue Apr 13 11:20 - 11:30  (00:09)
    frodo      pts/0        10.135.75.30     Tue Apr 13 10:23 - 10:30  (00:06)
    reboot   system boot  5.4.0-71-generic   Tue Apr 13 10:23 - 14:04 (1+03:41)
    frodo      pts/1        10.135.75.30     Tue Apr 13 10:17 - 10:22  (00:04)
    ...
    And here a small example output from "lastb"... in this case an Internet-facing SFTP server where only SSH key authentication is activated. But lots of people try anyway with all kinds of weird usernames (this is a manual selection; I removed all entries with identifiable IP addresses) :

    Code:
    randall  ssh:notty    vmi545853.contab Sat Apr 17 11:40 - 11:40  (00:00)
    randall  ssh:notty    vmi545853.contab Sat Apr 17 11:40 - 11:40  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    pi       ssh:notty    mon75-h02-176-14 Sat Apr 17 10:54 - 10:54  (00:00)
    admin    ssh:notty    this-is-a-tor-ex Sat Apr 17 07:18 - 07:18  (00:00)
    admin    ssh:notty    this-is-a-tor-ex Sat Apr 17 07:18 - 07:18  (00:00)
    sorin    ssh:notty    19010730120.ip71 Sat Apr 17 06:04 - 06:04  (00:00)
    sorin    ssh:notty    19010730120.ip71 Sat Apr 17 06:04 - 06:04  (00:00)
    ...
    Failed local logins would be visible too on this log if there had been any of those.

    Can you check what output you get on your laptop?

  6. #16
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by scorp123 View Post

    Failed local logins would be visible too on this log if there had been any of those.

    Can you check what output you get on your laptop?

    I have checked last and was able to find several logs of logins from many months that looked normal. lastb didn't produce much just 1 entry that it begins on the 14th, I even tested putting the wrong password with sudo and on the lock login screen and didnt find any records anywhere of failed login attempts. Checking faillog only give me a long wall of text with "^@^@^@^@^@^@^@^@^@^@^@".


    This is what I got running lastb command

    Code:
    root     pts/0                         Wed Apr 14 18:54 - 18:54  (00:00)
    
    btmp begins Wed Apr 14 18:54:11 2021

    And this is what I get running faillog -a

    Code:
    Login       Failures Maximum Latest                   On
    
    root            0        0   12/31/69 18:00:00 -0600  
    daemon          0        0   12/31/69 18:00:00 -0600  
    bin             0        0   12/31/69 18:00:00 -0600  
    sys             0        0   12/31/69 18:00:00 -0600  
    sync            0        0   12/31/69 18:00:00 -0600  
    games           0        0   12/31/69 18:00:00 -0600  
    man             0        0   12/31/69 18:00:00 -0600  
    lp              0        0   12/31/69 18:00:00 -0600  
    mail            0        0   12/31/69 18:00:00 -0600  
    news            0        0   12/31/69 18:00:00 -0600  
    uucp            0        0   12/31/69 18:00:00 -0600  
    proxy           0        0   12/31/69 18:00:00 -0600  
    www-data        0        0   12/31/69 18:00:00 -0600  
    backup          0        0   12/31/69 18:00:00 -0600  
    list            0        0   12/31/69 18:00:00 -0600  
    irc             0        0   12/31/69 18:00:00 -0600  
    gnats           0        0   12/31/69 18:00:00 -0600  
    nobody          0        0   12/31/69 18:00:00 -0600  
    systemd-network       0        0   12/31/69 18:00:00 -0600  
    systemd-resolve       0        0   12/31/69 18:00:00 -0600  
    systemd-timesync       0        0   12/31/69 18:00:00 -0600  
    messagebus       0        0   12/31/69 18:00:00 -0600  
    syslog          0        0   12/31/69 18:00:00 -0600  
    _apt            0        0   12/31/69 18:00:00 -0600  
    tss             0        0   12/31/69 18:00:00 -0600  
    uuidd           0        0   12/31/69 18:00:00 -0600  
    tcpdump         0        0   12/31/69 18:00:00 -0600  
    avahi-autoipd       0        0   12/31/69 18:00:00 -0600  
    usbmux          0        0   12/31/69 18:00:00 -0600  
    rtkit           0        0   12/31/69 18:00:00 -0600  
    dnsmasq         0        0   12/31/69 18:00:00 -0600  
    cups-pk-helper       0        0   12/31/69 18:00:00 -0600  
    speech-dispatcher       0        0   12/31/69 18:00:00 -0600  
    avahi           0        0   12/31/69 18:00:00 -0600  
    kernoops        0        0   12/31/69 18:00:00 -0600  
    saned           0        0   12/31/69 18:00:00 -0600  
    nm-openvpn       0        0   12/31/69 18:00:00 -0600  
    hplip           0        0   12/31/69 18:00:00 -0600  
    whoopsie        0        0   12/31/69 18:00:00 -0600  
    colord          0        0   12/31/69 18:00:00 -0600  
    geoclue         0        0   12/31/69 18:00:00 -0600  
    pulse           0        0   12/31/69 18:00:00 -0600  
    gnome-initial-setup       0        0   12/31/69 18:00:00 -0600  
    gdm             0        0   12/31/69 18:00:00 -0600  
    s               0        0   12/31/69 18:00:00 -0600  
    systemd-coredump       0        0   12/31/69 18:00:00 -0600  
    clamav          0        0   12/31/69 18:00:00 -0600
    This is what I get running faillog -u (username)

    Code:
    Login       Failures Maximum Latest                   On
    
    Jeff               0        0   12/31/69 18:00:00 -0600
    Last edited by hairyjew117; 4 Weeks Ago at 08:58 AM.

  7. #17
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by CharlesA View Post
    Agreed on the encryption bit. It's a layer of extra security, but it does have it's down sides as well.

    If you are in this sort of situation, enabling two-factor authentication can help immensely, but it won't stop everything if someone has physical access to your phone or email.
    Actually, using LUKS with 2FA **does** stop access to the computer data, unless the LUKS encryption is unlocked when the attacker arrives. Since while disk encryption unlocks before booting/login, the protection is simple to understand.

    If the computer is useful, powered on, and you can type anything except a challenge, then it is NOT protected.

    But if the computer is either powered off or sitting at the LUKS 2FA challenge prompts, then it is protected and I double **any** nation actor could directly gain access without both beating the person who knows the correct response to the challenge AND has the 2FA device available. Also, I boot from a flash drive that is kept with me when traveling. I don't boot from the on-board storage ... look up "evil maid attack" for more information.

    I couldn't break into any of my LUKS encrypted systems without the correct 2FA device, regardless of what I might know. And someone with the 2FA device probably wouldn't know the correct challenge to enter to unlock the storage.

    Basically, whole disk encryption, as performed by Ubuntu, is only good when the computer is powered off. That applies to all encrypted systems that I know. The storage must be locked to be useful for securing data.

  8. #18
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    faillog output above doesn't show any attempts that failed.

  9. #19
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by TheFu View Post
    faillog output above doesn't show any attempts that failed.
    Is it supposed to log them? I have entered my password incorrectly many times and it should show it but it doesn't.

  10. #20
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by hairyjew117 View Post
    Is it supposed to log them? I have entered my password incorrectly many times and it should show it but it doesn't.
    I'd have to read the manpage for that command to know.
    Code:
    NAME
           faillog - display faillog records or set login failure limits
    
    SYNOPSIS
           faillog [options]
    
    DESCRIPTION
           faillog displays the contents of the failure log database (/var/log/faillog). It can also
           set the failure counters and limits. When faillog is run without arguments, it only displays
           the faillog records of the users who had a login failure.
    ...
    Looks like it would see only failures related to login on a tty/ptty, not ssh or a screen saver.

Page 2 of 2 FirstFirst 12

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •