Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: Did someone log into my PC and edit auth.log entries to cover tracks?

  1. #1
    Join Date
    Apr 2021
    Beans
    6

    Did someone log into my PC and edit auth.log entries to cover tracks?

    Title says it all. I was looking at my log files and noticed something unsual, a gap between when I last shut down my PC and when I started it, doesn't show session closed or anything for when I shut it off, just stops at this "Failed to activate service 'org.bluez': message and that's it. Is it possible that someone knowing the password to my machine, can log in and change the log file to remove all traces that they got in? Below I have highlighted the 2 entries that caught my eye. Let me know if this looks unusual to you.



    Code:
    Apr  8 03:17:28 s-p7-1449 su: (to s) root on none
    Apr  8 03:17:28 s-p7-1449 su: pam_unix(su:session): session opened for user s by (uid=0)
    Apr  8 03:17:28 s-p7-1449 su: pam_unix(su:session): session closed for user s
    Apr  8 03:18:06 s-p7-1449 dbus-daemon[850]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
    Apr  8 03:29:13 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 03:29:23 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 03:29:23 s-p7-1449 gdm-password]: gkr-pam: unlocked login keyring
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: New seat seat0.
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event1 (Power Button)
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event0 (Power Button)
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event3 (Logitech USB Keyboard)
    Apr  8 03:39:18 s-p7-1449 systemd-logind[876]: Watching system buttons on /dev/input/event5 (Logitech USB Keyboard System Control)
    Apr  8 03:39:26 s-p7-1449 gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
    Apr  8 03:39:26 s-p7-1449 systemd-logind[876]: New session c1 of user gdm.
    Apr  8 03:39:26 s-p7-1449 systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
    Apr  8 03:39:43 s-p7-1449 polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.41 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
    Apr  8 03:39:57 s-p7-1449 dbus-daemon[853]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
    Apr  8 16:02:36 s-p7-1449 gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
    Apr  8 16:02:36 s-p7-1449 systemd-logind[864]: New session c1 of user gdm.
    Apr  8 16:02:36 s-p7-1449 systemd: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
    Apr  8 16:03:01 s-p7-1449 polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.42 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_CA.UTF-8)
    Apr  8 16:03:05 s-p7-1449 dbus-daemon[845]: [system] Failed to activate service 'org.bluez': timed out (service_start_timeout=25000ms)
    Apr  8 16:17:01 s-p7-1449 CRON[1774]: pam_unix(cron:session): session opened for user root by (uid=0)
    Apr  8 16:17:01 s-p7-1449 CRON[1774]: pam_unix(cron:session): session closed for user root
    Apr  8 16:26:09 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 16:26:18 s-p7-1449 gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
    Apr  8 16:26:18 s-p7-1449 gdm-password]: gkr-pam: unable to locate daemon control file
    Apr  8 16:26:18 s-p7-1449 gdm-password]: gkr-pam: stashed password to try later in open session
    Apr  8 16:26:18 s-p7-1449 gdm-password]: pam_unix(gdm-password:session): session opened for user s by (uid=0)
    Apr  8 16:26:18 s-p7-1449 systemd-logind[864]: New session 3 of user s.
    Last edited by hairyjew117; 3 Weeks Ago at 01:25 AM. Reason: Converting large graphics to link

  2. #2
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Please don't post large graphics to the forums. This is very problematic for helpers with low speeds, who are on limited data plans, or are viewing from smartphones or small screens. It is also unnecessary to post whole screenshots in most cases. Terminal output can be highlighted with the mouse, copied with a right click and pasted into the posting box between [CODE] and [/CODE] tags for clarity. Or highlight the output and use the button in the *Adv Reply* toolbar.

    If you must post resource-intensive images, please post them as attachments using the paperclip icon in the *Adv Reply* toolbar.

  3. #3
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by DuckHook View Post
    Please don't post large graphics to the forums. This is very problematic for helpers with low speeds, who are on limited data plans, or are viewing from smartphones or small screens. It is also unnecessary to post whole screenshots in most cases. Terminal output can be highlighted with the mouse, copied with a right click and pasted into the posting box between [CODE] and [/CODE] tags for clarity. Or highlight the output and use the button in the *Adv Reply* toolbar.

    If you must post resource-intensive images, please post them as attachments using the paperclip icon in the *Adv Reply* toolbar.
    My apologies, converted it to text instead. Would like someone's opinion on this. Is this normal?

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Do you have VNC or Remote Desktop or SSH enabled?

    Is the gap in the logs the only reason you suspect someone tried to access your machine?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Apr 2021
    Beans
    6

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by CharlesA View Post
    Do you have VNC or Remote Desktop or SSH enabled?

    Is the gap in the logs the only reason you suspect someone tried to access your machine?
    It's someone I live with that managed to get my password and tries to break into it when I'm not around. I've had my google account compromised too and this isn't the first time. Is it possible as a root user to delete these entries and hide that you deleted them? When i powered the laptop down I powered it down holding the button but it should still log that I powered it down?? I don't see any record of it being powered down between 3am and 4pm

  6. #6
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,220
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    On my laptop, a brief press on the power button brings up a dialogue asking if I want to power 0ff, suspend or reboot (I'm on Xubuntu, but I guess Ubuntu behaves similarly). A long press (maybe 10 Sec) powers the laptop down without warning the OS, and should only be used when it has crashed and cannot power itself down properly. It can cause disk corruption. So if you used the long-press, there's no surprise that the OS didn't log the loss of power.

    But yes, someone as root would be able to edit log files to hide evidence of their activity. In larger setups, computers are often configured to send all their log messages to a separate audit server that has the job of logging all events, and is suitably hardened and backed up. There are even append-only filesystems that do not allow deletion of logs once written.
    Last edited by The Cog; 3 Weeks Ago at 08:57 AM.

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    If you cannot restrict physical access to the system, then there isn't anything that can be done. With physical access, anything is possible.
    There is 1 way to fight that. Whole disk encryption using 2FA where you keep the 2FA device with you at all times. ALL TIMES. That includes in the toilet, shower. Get a Yubikey and setup 2FA to decrypt the LUKS encryption pre-boot using a challenge-response mode.

    But you still have to completely power down the system whenever you leave the room for this to be effective. When the system is running, the normal password is the only thing preventing local access and with a carefully crafted USB drive, it is possible to force new drivers, which run as root and can do anything, to be loaded when the USB drive is connected.

    On an unencrypted system, I could accomplish what you are seeing if I had 5 minutes ... perhaps 2 minutes. Less if I knew more about the system and had a custom built flash drive.

    Check dmesg to see if the box was rebooted. Can also use journalctl to look across all sorts of logs if your grep-fu is lacking. Rebooting a system leaves all sorts of traces around the file systems. I doubt someone could clean up all of them. Traces are in /dev, /sys, /var, /proc.
    Last edited by TheFu; 3 Weeks Ago at 07:58 PM.

  8. #8
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    2FA disk encryption as described is pretty much the key.

    Physical access is the mother of all security issues.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  9. #9
    Join Date
    Jun 2020
    Beans
    183

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    It's someone I live with that managed to get my password and tries to break into it when I'm not around
    you need to check you're living arrangements lol
    xubuntu 20.04.2 LTS (focal fossa)

  10. #10
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Did someone log into my PC and edit auth.log entries to cover tracks?

    Quote Originally Posted by 3nd View Post
    you need to check you're living arrangements lol
    Dorms, apartment room mates ... sometimes hard to make sure everyone passes a security background check.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •