Fred Stluka on 21 Jun 2018 10:55:06 -0700



Re: [PLUG] Hacked?


Oops!  Just realized that my reply went only to Edmund, not to the
list.  Here it is, for those who may be interested.

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

-------- Forwarded Message --------
Subject: 	Re: [PLUG] Hacked?
Date: 	Fri, 15 Jun 2018 10:36:52 -0400
From: 	Fred Stluka <fred@bristle.com>
Organization: 	Bristle Software, Inc.
To: 	Edmund Goppelt <goppelt@gmail.com>



Edmund,

The more frequent rotation is probably caused by the larger size.

Check the file /etc/logrotate.d/syslog.  It controls how often the
syslog file rotates.  Compare to other files in /etc/logrotate.d/*
which rotate other log files.  Also to /etc/logrotate.conf.  Check
out "man logrotate" to see the full syntax.  Different files can be
set to rotate at different triggers, including size, time, etc.

So, the only real question is why the log file is growing so fast
that it's triggering so many rotations.  Instead of just filtering to
see what process, you might want to view the logfile directly with
"less /var/log/logfile".  If there are hundreds or thousands of
lines that are all similar to each other, it should jump right out at
you.  It may be logging a persistent hacking attempt, rather than
a successful hack.  Or it may be just some sort of runaway process.

Also, I suggest you install and configure:
- logwatch -- who's trying to break in?
- fail2ban -- block those who try
- tripwire -- tell me if anyone succeeded

See how at:
- http://bristle.com/Tips/Unix.htm#unix_security

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 6/15/18 10:09 AM, Edmund Goppelt wrote:
Hi.  I'm wondering if I've been hacked.

I set up an Ubuntu 18.04 Desktop system on 6/13, i.e., 2 days ago.  Can you Pluggers take a look at the evidence and give me your thoughts, opinions, advice?

Evidence #1

As I understand it, log files are rotated automatically once a week, but for two log files, syslog and apport are being rotated much more frequently:

    ed@Honeypot03:/var/log$ ls -lh syslog*
    -rw-r----- 1 syslog adm  11G Jun 15 09:49 syslog
    -rw-r----- 1 syslog adm 3.2G Jun 15 00:08 syslog.1
    -rw-r----- 1 syslog adm 298K Jun 14 11:49 syslog.2.gz
    ed@Honeypot03:/var/log$ ls -lh apport*
    -rw-r----- 1 root adm   0 Jun 15 00:08 apport.log
    -rw-r----- 1 root adm 108 Jun 14 11:52 apport.log.1
    -rw-r----- 1 root adm 153 Jun 13 10:31 apport.log.2.gz


Unless there is something I don't understand about logging (which is entirely possible), this implies the hand of man at work here and not my hand either.

Evidence #2

Check out how the syslog file is growing exponentially from 16 Meg on 6/14 to 3.2 Gig on 6/15 at just after midnight, to 11G at 9:49 6/15.  See above.

The syslog files from the past two days are enormous! I did a little analysis on them to see which processes were generating all these messages:

    ed@Honeypot03:~$ cut -d " " -f5 < syslog.2 | sort | uniq -c | sort -nr | head
      97905 ureadahead[309]:
      80455 ureadahead[313]:
       2421 kernel:
        981 /usr/lib/gdm3/gdm-x-session[2639]:
        542 /usr/lib/gdm3/gdm-x-session[1358]:
        516 systemd[1]:
        438 gnome-software[2997]:
        173 PackageKit:
        164 upowerd[824]:
         95 org.gnome.Shell.desktop[2793]:
    ed@Honeypot03:~$ cut -d " " -f5 < syslog.1 | sort | uniq -c | sort -nr | head
    19275520 org.gnome.Shell.desktop[1764]:
    2407631 gnome-shell[1764]:
    2144491 org.gnome.Shell.desktop[1502]:
     268908 gnome-shell[1502]:
      54967 /usr/lib/gdm3/gdm-x-session[1623]:
      18235 /usr/lib/gdm3/gdm-x-session[1358]:
       1554 gsd-color[1183]:
       1539 kernel:
        518 gsd-color[1031]:
        280 systemd[1]:
    ed@Honeypot03:~$ cut -d " " -f5 < syslog | sort | uniq -c | sort -nr | head
    70605977 org.gnome.Shell.desktop[1764]:
    8820877 gnome-shell[1764]:
      63087 /usr/lib/gdm3/gdm-x-session[1623]:
       1801 gsd-color[1183]:
        251 kernel:
         48 systemd[1]:
         48 canonical-livepatch[1315]:
         32 org.gnome.Shell.desktop[1083]:
         18 snapd[981]:
         11 rsyslogd:

Thanks for your consideration.  I look forward to hearing from you.

Sincerely,

Ed Goppelt


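The following script is an added example for this thread, not code posted by Fred or Ed. It carries out the two checks discussed above on constructed input: Ed's cut|sort|uniq count of lines per process tag, extended so that for the noisiest tag it also collapses numbers out of the messages and counts the resulting templates (the "hundreds or thousands of lines that are all similar" Fred says should jump out), plus a per-minute line count; and, for Fred's logrotate advice, a function that prints only the directives in a logrotate stanza that decide when a file rotates. The sample syslog lines and the logrotate stanza are constructed (the hostname Honeypot03 is borrowed from Ed's prompt; the messages are not real GNOME or kernel output), the function names are hypothetical, and the script assumes the Ubuntu 18.04 syslog line layout visible in the thread, where field 5 is the process tag.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise who is writing to syslog
# and what they keep repeating, and read the rotation triggers out of a
# logrotate stanza. Assumes the Ubuntu 18.04 syslog line layout shown in the
# thread: "Mon DD HH:MM:SS host tag[pid]: message" (field 5 is the tag).

# Constructed sample syslog lines (not real log data). One tag repeats one
# message with only a number changing, the way a runaway logger does.
sample_syslog() {
  cat <<'EOF'
Jun 15 09:49:01 Honeypot03 systemd[1]: Started Session 4 of user ed.
Jun 15 09:49:01 Honeypot03 org.gnome.Shell.desktop[1764]: constructed warning, id 101
Jun 15 09:49:01 Honeypot03 org.gnome.Shell.desktop[1764]: constructed warning, id 102
Jun 15 09:49:02 Honeypot03 org.gnome.Shell.desktop[1764]: constructed warning, id 103
Jun 15 09:49:02 Honeypot03 kernel: [ 1234.567890] constructed kernel line
Jun 15 09:50:00 Honeypot03 org.gnome.Shell.desktop[1764]: constructed warning, id 104
Jun 15 09:50:00 Honeypot03 org.gnome.Shell.desktop[1764]: constructed warning, id 105
Jun 15 09:50:01 Honeypot03 org.gnome.Shell.desktop[1764]: a different constructed message
Jun 15 09:50:03 Honeypot03 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40000 ssh2
EOF
}

# Constructed logrotate stanza (not the file Ubuntu ships) that combines a
# time trigger with a size trigger.
sample_logrotate_conf() {
  cat <<'EOF'
/var/log/syslog
{
    rotate 7
    daily
    maxsize 100M
    missingok
    notifempty
    compress
}
EOF
}

# Lines per tag (field 5): Ed's pipeline. $1 = file, $2 = how many to show.
top_tags() {
  cut -d ' ' -f5 < "$1" | sort | uniq -c | sort -nr | head -n "${2:-10}"
}

# For one tag ($2), count message shapes after collapsing digit runs to '#',
# so "id 101" and "id 102" count as the same template and the repetition
# becomes one big number instead of thousands of slightly different lines.
top_messages() {
  awk -v tag="$2" '$5 == tag { $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, ""); print }' "$1" \
    | sed 's/[0-9][0-9]*/#/g' | sort | uniq -c | sort -nr | head -n "${3:-3}"
}

# Lines per minute, from the 12-character "Mon DD HH:MM" prefix, in file
# order: distinguishes a steady trickle from a burst.
lines_per_minute() {
  cut -c1-12 < "$1" | uniq -c
}

# Only the directives that decide *when* a file rotates (see man logrotate).
# "maxsize" rotates on the schedule or when the size is exceeded, whichever
# comes first; a plain "size" line would make rotation size-only.
rotation_triggers() {
  grep -E '^[[:space:]]*(hourly|daily|weekly|monthly|yearly|size|maxsize|minsize|rotate)([[:space:]]|$)' "$1" \
    | sed 's/^[[:space:]]*//'
}

# Demo on the constructed input.
demo() {
  log=$(mktemp) && sample_syslog > "$log"
  conf=$(mktemp) && sample_logrotate_conf > "$conf"
  echo "== lines per tag =="; top_tags "$log" 3
  echo "== most repeated messages for the top tag =="
  top_messages "$log" "$(top_tags "$log" 1 | awk '{print $2}')"
  echo "== lines per minute =="; lines_per_minute "$log"
  echo "== rotation triggers =="; rotation_triggers "$conf"
  rm -f "$log" "$conf"
}
demo
```

To use it on a real machine, point the functions at /var/log/syslog (or a rotated syslog.1) and at the stanza under /etc/logrotate.d that names that file; the per-minute count and the collapsed templates together usually say quickly whether the growth is a single process repeating itself or many distinct events such as repeated failed logins.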
___________________________________________________________________________
Philadelphia Linux Users Group         --http://www.phillylinux.org
Announcements -http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --http://lists.phillylinux.org/mailman/listinfo/plug
