Rich Freeman on 15 Jun 2018 07:45:01 -0700 |
Re: [PLUG] Hacked? |
On Fri, Jun 15, 2018 at 10:09 AM Edmund Goppelt <goppelt@gmail.com> wrote:
>
> Hi. I'm wondering if I've been hacked.
>

Anything is possible, but I'd look for simpler explanations as well.

> I set up an Ubuntu 18.04 Desktop system on 6/13, i.e., 2 days ago. Can you Pluggers take a look at the evidence and give me your thoughts, opinions, advice?

Sure, just post your IP and we'll hack in and poke around. :)

(Just kidding...)

> As I understand it, log files are rotated automatically once a week, but for two log files, syslog and apport are being rotated much more frequently:

My guess is that your log rotator is set to rotate files based on size and not just based on time. If something is spamming those logs then they'll get rotated frequently.

> The syslog files from the past two days are enormous! I did a little analysis on them to see which processes were generating all these messages:
>
> 97905 ureadahead[309]:
> 80455 ureadahead[313]:
> 19275520 org.gnome.Shell.desktop[1764]:
> 2407631 gnome-shell[1764]:
> 2144491 org.gnome.Shell.desktop[1502]:
> 268908 gnome-shell[1502]:
> 70605977 org.gnome.Shell.desktop[1764]:
> 8820877 gnome-shell[1764]:

(highly trimmed to the big offenders)

I think some actual log output would be helpful here (just post some sample lines), but this seems more likely to be log spam than anything else. Maybe some service can't talk to some other service and wants to let you know about it every millisecond or two.

I haven't used ureadahead but if I had to guess it is probably verbosely logging every file it goes to access, and during boot a lot of files probably get accessed.

We're talking about stuff like gnome shell here - not exactly lean and clean as software goes. Not saying there is anything wrong with desktop environments, but logfile purity probably isn't their main design focus.

I'd look at the actual content of the logs to start.

Keep in mind that an actual intruder is going to want to avoid spamming your logs, because they want to stay hidden.

I'm sure there are many on the list who could offer advice for logfile parsing. There might be tools that do a good job automating this. JP had good advice for doing it by hand (well, by script no doubt) - you want a bunch of regexps divided into two classes - a whitelist and a blacklist. Anything on the whitelist gets ignored (so if it is gnome shell spam it goes away), anything on the blacklist gets escalated, and anything else gets displayed so that it can be added to either the white/black list. After iterating through this a few times you end up with ideally nothing to review, but if anything does get escalated then it is something you want to know about.

Programs can also be adjusted to not spam the log so much usually. It probably isn't worth worrying about for minor stuff (handle it in your analyzer instead). However, if somebody is literally dumping multiple GB of log entries in a day then you need to address that otherwise you either flood your disk or you risk rotating away stuff you want to know about.

-- 
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
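As an added example (not code from the thread), here is a small Python version of the per-process tally and the whitelist/blacklist triage described above: known noise is dropped, blacklisted lines are escalated, and anything else is left for review so it can be added to one of the two lists. The syslog lines and the patterns are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_SYSLOG = """\
Jun 15 07:40:01 desk org.gnome.Shell.desktop[1764]: Window manager warning: Log level 16: noise
Jun 15 07:40:01 desk org.gnome.Shell.desktop[1764]: Window manager warning: Log level 16: noise
Jun 15 07:40:02 desk gnome-shell[1764]: JS WARNING: extension complaint
Jun 15 07:40:02 desk ureadahead[309]: opened /usr/lib/libexample.so
Jun 15 07:40:03 desk sshd[2210]: Accepted password for bob from 203.0.113.5 port 51234 ssh2
Jun 15 07:40:04 desk sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 15 07:40:05 desk kernel: [  123.456] usb 1-1: new high-speed USB device number 4
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message" (pid optional).
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+([^\s\[:]+)(?:\[(\d+)\])?:\s*(.*)$")

# Whitelist: known noise, dropped silently. Blacklist: always escalated.
WHITELIST = [re.compile(p) for p in (
    r"^org\.gnome\.Shell\.desktop\[\d+\]: Window manager warning",
    r"^gnome-shell\[\d+\]: JS WARNING", r"^ureadahead\[\d+\]: ")]
BLACKLIST = [re.compile(p) for p in (
    r"^sshd\[\d+\]: Accepted ", r"^sudo: .*COMMAND=")]

def normalize(line):
    """Strip timestamp and host, returning 'program[pid]: message' or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    prog, pid, msg = m.groups()
    return f"{prog}[{pid}]: {msg}" if pid else f"{prog}: {msg}"

def count_by_process(text):
    """Tally lines per 'program[pid]' token, like the counts in the thread."""
    counts = Counter()
    for line in text.splitlines():
        body = normalize(line)
        if body:
            counts[body.split(":", 1)[0]] += 1
    return counts

def classify(text):
    """Return (escalated, unknown); whitelisted lines are dropped."""
    escalated, unknown = [], []
    for line in text.splitlines():
        body = normalize(line) or line  # unparseable lines go to review as-is
        if any(r.search(body) for r in WHITELIST):
            continue
        (escalated if any(r.search(body) for r in BLACKLIST) else unknown).append(body)
    return escalated, unknown
```

Each pass over a real syslog shrinks the "unknown" list as patterns are moved into one of the two lists, which is the iteration the message describes.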