Edmund Goppelt on 15 Jun 2018 07:10:10 -0700



[PLUG] Hacked?


Hi.  I'm wondering if I've been hacked.

I set up an Ubuntu 18.04 Desktop system on 6/13, i.e., 2 days ago.  Can you Pluggers take a look at the evidence and give me your thoughts, opinions, advice?  

Evidence #1

As I understand it, log files are rotated automatically once a week, but two log files, syslog and apport, are being rotated much more frequently:

ed@Honeypot03:/var/log$ ls -lh syslog*
-rw-r----- 1 syslog adm  11G Jun 15 09:49 syslog
-rw-r----- 1 syslog adm 3.2G Jun 15 00:08 syslog.1
-rw-r----- 1 syslog adm 298K Jun 14 11:49 syslog.2.gz
ed@Honeypot03:/var/log$ ls -lh apport*
-rw-r----- 1 root adm   0 Jun 15 00:08 apport.log
-rw-r----- 1 root adm 108 Jun 14 11:52 apport.log.1
-rw-r----- 1 root adm 153 Jun 13 10:31 apport.log.2.gz

Unless there is something I don't understand about logging (which is entirely possible), this implies the hand of man at work here and not my hand either.

Evidence #2

Check out how the syslog file is growing exponentially, from 16 Meg on 6/14 to 3.2 Gig on 6/15 just after midnight, to 11G at 9:49 on 6/15 (see above).

The syslog files from the past two days are enormous! I did a little analysis on them to see which processes were generating all these messages:

ed@Honeypot03:~$ cut -d " " -f5 < syslog.2 | sort | uniq -c | sort -nr | head
  97905 ureadahead[309]:
  80455 ureadahead[313]:
   2421 kernel:
    981 /usr/lib/gdm3/gdm-x-session[2639]:
    542 /usr/lib/gdm3/gdm-x-session[1358]:
    516 systemd[1]:
    438 gnome-software[2997]:
    173 PackageKit:
    164 upowerd[824]:
     95 org.gnome.Shell.desktop[2793]:
ed@Honeypot03:~$ cut -d " " -f5 < syslog.1 | sort | uniq -c | sort -nr | head
19275520 org.gnome.Shell.desktop[1764]:
2407631 gnome-shell[1764]:
2144491 org.gnome.Shell.desktop[1502]:
 268908 gnome-shell[1502]:
  54967 /usr/lib/gdm3/gdm-x-session[1623]:
  18235 /usr/lib/gdm3/gdm-x-session[1358]:
   1554 gsd-color[1183]:
   1539 kernel:
    518 gsd-color[1031]:
    280 systemd[1]:
ed@Honeypot03:~$ cut -d " " -f5 < syslog | sort | uniq -c | sort -nr | head
70605977 org.gnome.Shell.desktop[1764]:
8820877 gnome-shell[1764]:
  63087 /usr/lib/gdm3/gdm-x-session[1623]:
   1801 gsd-color[1183]:
    251 kernel:
     48 systemd[1]:
     48 canonical-livepatch[1315]:
     32 org.gnome.Shell.desktop[1083]:
     18 snapd[981]:
     11 rsyslogd:

Thanks for your consideration.  I look forward to hearing from you.

Sincerely,

Ed Goppelt
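A more robust version of the per-process tally in the post, added here as an example and not part of Ed's message: `cut -d " " -f5` lands on the wrong field whenever the day of month is a single digit (syslog pads "Jun  5" with two spaces), and it counts each PID separately, so restarts of the same program are split across several lines. The script below uses awk's whitespace splitting, strips the `[pid]` suffix, and runs over constructed sample lines (not from the original log).

```shell
#!/bin/sh
# Count syslog lines per program name, collapsing PIDs so that repeated
# instances of the same daemon (gnome-shell[1502], gnome-shell[1764], ...)
# are totalled together. Reads traditional syslog lines on stdin.
# Note: a single-digit day ("Jun  5") is padded with two spaces, so
# `cut -d " " -f5` picks the wrong field; awk's default field splitting
# treats runs of blanks as one separator and avoids that.
count_by_program() {
    awk '
        # Expected layout: Mon DD HH:MM:SS host tag[pid]: message
        NF >= 5 {
            tag = $5
            sub(/\[[0-9]+\]:?$/, "", tag)   # drop "[1234]:" from "prog[1234]:"
            sub(/:$/, "", tag)              # drop the colon from "kernel:"
            counts[tag]++
        }
        END {
            for (t in counts) printf "%8d %s\n", counts[t], t
        }
    ' | sort -nr
}

# Constructed sample lines (hypothetical, not taken from the post) covering
# the single-digit-day case and two PIDs of the same program.
sample_log() {
    cat <<'EOF'
Jun 14 11:49:01 Honeypot03 gnome-shell[1502]: JS WARNING: sample message
Jun 14 11:49:02 Honeypot03 gnome-shell[1502]: JS WARNING: sample message
Jun 15 00:08:10 Honeypot03 gnome-shell[1764]: JS WARNING: sample message
Jun  5 09:00:00 Honeypot03 kernel: [   12.345678] usb 1-1: new device
Jun 15 09:49:00 Honeypot03 systemd[1]: Started Session 3 of user ed.
EOF
}

# Usage on the real file: count_by_program < /var/log/syslog
sample_log | count_by_program
```

Comparing the top entry's count against the number of lines gnome-shell is expected to emit in a day tells you whether a single chatty desktop process, rather than an intruder, explains the growth.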
 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug