Rich Freeman on 15 Jun 2018 07:45:01 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Hacked?

On Fri, Jun 15, 2018 at 10:09 AM Edmund Goppelt <> wrote:
> Hi.  I'm wondering if I've been hacked.

Anything is possible, but I'd look for simpler explanations as well.

> I set up an Ubuntu 18.04 Desktop system on 6/13, i.e., 2 days ago.  Can you Pluggers take a look at the evidence and give me your thoughts, opinions, advice?

Sure, just post your IP and we'll hack in and poke around.  :)   (Just

> As I understand it, log files are rotated automatically once a week, but for two log files, syslog and apport are being rotated much more frequently:

My guess is that your log rotator is set to rotate files based on size
and not just based on time.  If something is spamming those logs then
they'll get rotated frequently.

> The syslog files from the past two days are enormous! I did a little analysis on them to see which processes were generating all these messages:
>   97905 ureadahead[309]:
>   80455 ureadahead[313]:
> 19275520 org.gnome.Shell.desktop[1764]:
> 2407631 gnome-shell[1764]:
> 2144491 org.gnome.Shell.desktop[1502]:
>  268908 gnome-shell[1502]:
> 70605977 org.gnome.Shell.desktop[1764]:
> 8820877 gnome-shell[1764]:

(highly trimmed to the big offenders)

I think some actual log output would be helpful here (just post some
sample lines), but this seems more likely to be log spam than anything
else.  Maybe some service can't talk to some other service and wants
to let you know about it every millisecond or two.  I haven't used
ureadahead but if I had to guess it is probably verbosely logging
every file it goes to access, and during boot a lot of files probably
get accessed.

We're talking about stuff like gnome shell here - not exactly lean and
clean as software goes.  Not saying there is anything wrong with
desktop environments, but logfile purity probably isn't their main
design focus.

I'd look at the actual content of the logs to start.

Keep in mind that an actual intruder is going to want to avoid
spamming your logs, because they want to stay hidden.

I'm sure there are many on the list who could offer advice for logfile
parsing.  There might be tools that do a good job automating this.  JP
had good advice for doing it by hand (well, by script no doubt) - you
want a bunch of regexps divided into two classes - a whitelist and a
blacklist.  Anything on the whitelist gets ignored (so if it is gnome
shell spam it goes away), anything on the blacklist gets escalated,
and anything else gets displayed so that it can be added to either the
white/black list.  After iterating through this a few times you end up
with ideally nothing to review, but if anything does get escalated
then it is something you want to know about.

Programs can also be adjusted to not spam the log so much usually.  It
probably isn't worth worrying about for minor stuff (handle it in your
analyzer instead).  However, if somebody is literally dumping multiple
GB of log entries in a day then you need to address that otherwise you
either flood your disk or you risk rotating away stuff you want to
know about.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --