
Thread: Did someone log into my PC and edit auth.log entries to cover tracks?

  1. #1
    Join Date
    Apr 2021
    Beans
    6

    Did someone log into my PC and edit auth.log entries to cover tracks?

    Title says it all. I was looking at my log files and noticed something unusual, a gap between when I last shut down my PC and when I started it, doesn't show session closed or anything for when I shut it off, just stops at this "Failed to activate service 'org.bluez'" message and that's it. Is it possible that someone knowing the password to my machine, can log in and change the log file to remove all traces that they got in? Below I have highlighted the 2 entries that caught my eye. Let me know if this looks unusual to you.



    Code:
    Apr  8 03:17:28 s-p7-1449 su: (to s) root on none
    Apr  8 03:17:28 s-p7-1449 su: pam_unix(su:session): session opened for user s by (uid=0)
    Apr  8 03:17:28 s-p7-1449 su: pam_unix(su:session): session closed for user s
    Apr  8 03:18:06 s-p7-1449 dbus-daemon[850]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
    Apr  8 03:29:13 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 03:29:23 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 03:29:23 s-p7-1449 gdm-password]: gkr-pam: unlocked login keyring
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: New seat seat0.
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event1 (Power Button)
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event0 (Power Button)
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event3 (Logitech USB Keyboard)
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event5 (Logitech USB Keyboard System Control)
    Apr  8 03:39:26 s-p7-1449 gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
    Apr  8 03:39:26 s-p7-1449 systemd-logind[876]: New session c1 of user gdm.
    Apr  8 03:39:26 s-p7-1449 systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
    Apr  8 03:39:43 s-p7-1449 polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.41 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
    Apr  8 03:39:57 s-p7-1449 dbus-daemon[853]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
    Apr  8 16:02:36 s-p7-1449 gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
    Apr  8 16:02:36 s-p7-1449 systemd-logind[864]: New session c1 of user gdm.
    Apr  8 16:02:36 s-p7-1449 systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
    Apr  8 16:03:01 s-p7-1449 polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.42 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
    Apr  8 16:03:05 s-p7-1449 dbus-daemon[845]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
    Apr  8 16:17:01 s-p7-1449 CRON[1774]: pam_unix(cron:session): session opened for user root by (uid=0)
    Apr  8 16:17:01 s-p7-1449 CRON[1774]: pam_unix(cron:session): session closed for user root
    Apr  8 16:26:09 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 16:26:18 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 16:26:18 s-p7-1449 gdm-password]: gkr-pam: unable to locate daemon control file
    Apr  8 16:26:18 s-p7-1449 gdm-password]: gkr-pam: stashed password to try later in open session
    Apr  8 16:26:18 s-p7-1449 gdm-password]: pam_unix(gdm-password:session): session opened for user s by (uid=0)
    Apr  8 16:26:18 s-p7-1449 systemd-logind[864]: New session 3 of user s.
    Last edited by hairyjew117; April 16th, 2021 at 01:25 AM. Reason: Converting large graphics to link

  2. #2
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Please don't post large graphics to the forums. This is very problematic for helpers with low speeds, who are on limited data plans, or are viewing from smartphones or small screens. It is also unnecessary to post whole screenshots in most cases. Terminal output can be highlighted with the mouse, copied with a right click and pasted into the posting box between [CODE] and [/CODE] tags for clarity. Or highlight the output and use the button in the *Adv Reply* toolbar.

    If you must post resource-intensive images, please post them as attachments using the paperclip icon in the *Adv Reply* toolbar.

  3. #3
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by DuckHook View Post
    Please don't post large graphics to the forums. This is very problematic for helpers with low speeds, who are on limited data plans, or are viewing from smartphones or small screens. It is also unnecessary to post whole screenshots in most cases. Terminal output can be highlighted with the mouse, copied with a right click and pasted into the posting box between [CODE] and [/CODE] tags for clarity. Or highlight the output and use the button in the *Adv Reply* toolbar.

    If you must post resource-intensive images, please post them as attachments using the paperclip icon in the *Adv Reply* toolbar.
    My apologies, converted it to text instead. Would like someone's opinion on this. Is this normal?

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Do you have VNC or Remote Desktop or SSH enabled?

    Is the gap in the logs the only reason you suspect someone tried to access your machine?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by CharlesA View Post
    Do you have VNC or Remote Desktop or SSH enabled?

    Is the gap in the logs the only reason you suspect someone tried to access your machine?
    It's someone I live with that managed to get my password and tries to break into it when I'm not around. I've had my Google account compromised too and this isn't the first time. Is it possible as a root user to delete these entries and hide that you deleted them? When I powered the laptop down I powered it down holding the button but it should still log that I powered it down?? I don't see any record of it being powered down between 3am and 4pm

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,703

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    On my laptop, a brief press on the power button brings up a dialogue asking if I want to power off, suspend or reboot (I'm on Xubuntu, but I guess Ubuntu behaves similarly). A long press (maybe 10 Sec) powers the laptop down without warning the OS, and should only be used when it has crashed and cannot power itself down properly. It can cause disk corruption. So if you used the long-press, there's no surprise that the OS didn't log the loss of power.

    But yes, someone as root would be able to edit log files to hide evidence of their activity. In larger setups, computers are often configured to send all their log messages to a separate audit server that has the job of logging all events, and is suitably hardened and backed up. There are even append-only filesystems that do not allow deletion of logs once written.
    Last edited by The Cog; April 16th, 2021 at 08:57 AM.

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    If you cannot restrict physical access to the system, then there isn't anything that can be done. With physical access, anything is possible.
    There is 1 way to fight that. Whole disk encryption using 2FA where you keep the 2FA device with you at all times. ALL TIMES. That includes in the toilet, shower. Get a Yubikey and set up 2FA to decrypt the LUKS encryption pre-boot using a challenge-response mode.

    But you still have to completely power down the system whenever you leave the room for this to be effective. When the system is running, the normal password is the only thing preventing local access and with a carefully crafted USB drive, it is possible to force new drivers, which run as root and can do anything, to be loaded when the USB drive is connected.

    On an unencrypted system, I could accomplish what you are seeing if I had 5 minutes ... perhaps 2 minutes. Less if I knew more about the system and had a custom built flash drive.

    Check dmesg to see if the box was rebooted. Can also use journalctl to look across all sorts of logs if your grep-fu is lacking. Rebooting a system leaves all sorts of traces around the file systems. I doubt someone could clean up all of them. Traces are in /dev, /sys, /var, /proc.
    Last edited by TheFu; April 16th, 2021 at 07:58 PM.
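
Added example, not part of any post in this thread: a small Python parser that finds boot boundaries in an auth.log excerpt by watching for PID changes in daemons that normally start once per boot, then reports the window in which the machine was down and whether a clean-shutdown line was logged in it. The sample lines are copied from post #1; the year, the daemon list and the shutdown marker strings are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the auth.log excerpt in post #1.
SAMPLE = """\
Apr  8 03:17:28 s-p7-1449 su: pam_unix(su:session): session closed for user s
Apr  8 03:18:06 s-p7-1449 dbus-daemon[850]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
Apr  8 03:29:23 s-p7-1449 gdm-password]: gkr-pam: unlocked login keyring
Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: New seat seat0.
Apr  8 03:39:57 s-p7-1449 dbus-daemon[853]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
Apr  8 16:02:36 s-p7-1449 systemd-logind[864]: New session c1 of user gdm.
Apr  8 16:03:05 s-p7-1449 dbus-daemon[845]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
Apr  8 16:26:18 s-p7-1449 systemd-logind[864]: New session 3 of user s.
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[(\d+)\])?\]?: (.*)$")
BOOT_DAEMONS = {"systemd-logind", "dbus-daemon"}  # assumption: started once per boot
CLEAN_MARKERS = ("System is powering down", "System is rebooting")  # assumed logind text

def find_boots(text, year=2021, merge=timedelta(minutes=5)):
    """Return one dict per detected boot: the window in which the machine went
    down and came back, its length, and whether a clean shutdown was logged."""
    last_seen = {}                 # daemon -> (pid, time that pid was last seen)
    marker_times, boots = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, tag, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if any(k in msg for k in CLEAN_MARKERS):
            marker_times.append(when)
        if tag in BOOT_DAEMONS and pid:
            old = last_seen.get(tag)
            if old and old[0] != pid:  # daemon restarted: treat as a boot
                if boots and when - boots[-1]["up_by"] <= merge:
                    boots[-1]["down_after"] = max(boots[-1]["down_after"], old[1])
                else:
                    boots.append({"down_after": old[1], "up_by": when})
            last_seen[tag] = (pid, when)
    for b in boots:
        b["gap"] = b["up_by"] - b["down_after"]
        b["clean_shutdown_logged"] = any(
            b["down_after"] <= t <= b["up_by"] for t in marker_times)
    return boots

if __name__ == "__main__":
    for b in find_boots(SAMPLE):
        print(b["down_after"], "->", b["up_by"], b["gap"], b["clean_shutdown_logged"])
```

A missing shutdown line is what both a long-press power-off and a removed entry look like, so the result only narrows the window to compare against independent records such as `journalctl --list-boots`. The heuristic misses a boot when a daemon happens to get the same PID again, and it flags a manual daemon restart as a boot.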

  8. #8
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    2FA disk encryption as described is pretty much the key.

    Physical access is the mother of all security issues.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  9. #9
    Join Date
    Jun 2020
    Beans
    334

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    It's someone I live with that managed to get my password and tries to break into it when I'm not around
    you need to check your living arrangements lol

  10. #10
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by 3nd View Post
    you need to check your living arrangements lol
    Dorms, apartment room mates ... sometimes hard to make sure everyone passes a security background check.
