Fred Stluka on 21 Jun 2018 10:55:06 -0700
Re: [PLUG] Hacked?
Oops! Just realized that my reply went only to Edmund, not to the list. Here it is, for those who may be interested.

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

-------- Forwarded Message --------
Subject: Re: [PLUG] Hacked?
Date: Fri, 15 Jun 2018 10:36:52 -0400
From: Fred Stluka <fred@bristle.com>
Organization: Bristle Software, Inc.
To: Edmund Goppelt <goppelt@gmail.com>

Edmund,

The more frequent rotation is probably caused by the larger size. Check the file /etc/logrotate.d/syslog. It controls how often the syslog file rotates. Compare to other files in /etc/logrotate.d/* which rotate other log files. Also to /etc/logrotate.conf. Check out "man logrotate" to see the full syntax. Different files can be set to rotate at different triggers, including size, time, etc.

So, the only real question is why the log file is growing so fast that it's triggering so many rotations. Instead of just filtering to see what process, you might want to view the logfile directly with "less /var/log/logfile". If there are hundreds or thousands of lines that are all similar to each other, it should jump right out at you. It may be logging a persistent hacking attempt, rather than a successful hack. Or it may be just some sort of runaway process.

Also, I suggest you install and configure:
- logwatch -- who's trying to break in?
- fail2ban -- block those who try
- tripwire -- tell me if anyone succeeded

See how at:
- http://bristle.com/Tips/Unix.htm#unix_security

--Fred

On 6/15/18 10:09 AM, Edmund Goppelt wrote:
Hi. I'm wondering if I've been hacked. I set up an Ubuntu 18.04 Desktop system on 6/13, i.e., 2 days ago. Can you Pluggers take a look at the evidence and give me your thoughts, opinions, advice?

Evidence #1

As I understand it, log files are rotated automatically once a week, but two log files, syslog and apport, are being rotated much more frequently:

ed@Honeypot03:/var/log$ ls -lh syslog*
-rw-r----- 1 syslog adm  11G Jun 15 09:49 syslog
-rw-r----- 1 syslog adm 3.2G Jun 15 00:08 syslog.1
-rw-r----- 1 syslog adm 298K Jun 14 11:49 syslog.2.gz
ed@Honeypot03:/var/log$ ls -lh apport*
-rw-r----- 1 root adm   0 Jun 15 00:08 apport.log
-rw-r----- 1 root adm 108 Jun 14 11:52 apport.log.1
-rw-r----- 1 root adm 153 Jun 13 10:31 apport.log.2.gz

Unless there is something I don't understand about logging (which is entirely possible), this implies the hand of man at work here, and not my hand either.

Evidence #2

Check out how the syslog file is growing exponentially, from 16 Meg on 6/14 to 3.2 Gig on 6/15 at just after midnight, to 11G at 9:49 6/15. See above. The syslog files from the past two days are enormous!
I did a little analysis on them to see which processes were generating all these messages:

ed@Honeypot03:~$ cut -d " " -f5 < syslog.2 | sort | uniq -c | sort -nr | head
  97905 ureadahead[309]:
  80455 ureadahead[313]:
   2421 kernel:
    981 /usr/lib/gdm3/gdm-x-session[2639]:
    542 /usr/lib/gdm3/gdm-x-session[1358]:
    516 systemd[1]:
    438 gnome-software[2997]:
    173 PackageKit:
    164 upowerd[824]:
     95 org.gnome.Shell.desktop[2793]:

ed@Honeypot03:~$ cut -d " " -f5 < syslog.1 | sort | uniq -c | sort -nr | head
19275520 org.gnome.Shell.desktop[1764]:
 2407631 gnome-shell[1764]:
 2144491 org.gnome.Shell.desktop[1502]:
  268908 gnome-shell[1502]:
   54967 /usr/lib/gdm3/gdm-x-session[1623]:
   18235 /usr/lib/gdm3/gdm-x-session[1358]:
    1554 gsd-color[1183]:
    1539 kernel:
     518 gsd-color[1031]:
     280 systemd[1]:

ed@Honeypot03:~$ cut -d " " -f5 < syslog | sort | uniq -c | sort -nr | head
70605977 org.gnome.Shell.desktop[1764]:
 8820877 gnome-shell[1764]:
   63087 /usr/lib/gdm3/gdm-x-session[1623]:
    1801 gsd-color[1183]:
     251 kernel:
      48 systemd[1]:
      48 canonical-livepatch[1315]:
      32 org.gnome.Shell.desktop[1083]:
      18 snapd[981]:
      11 rsyslogd:

Thanks for your consideration. I look forward to hearing from you.

Sincerely,
Ed Goppelt

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
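An added example, not code from either poster: the per-process count Edmund ran, plus the "look for thousands of identical lines" check Fred suggests, written with awk instead of cut. The difference matters on the 1st to 9th of a month, when the traditional syslog timestamp pads the day with two spaces ("Jun  5 ...") and `cut -d " " -f5` returns the hostname instead of the process tag. The log lines, hostname and messages are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Counts syslog lines per process tag
# and per distinct message. awk's default field splitting collapses runs of
# blanks, so $5 is the tag even when the day-of-month is space-padded; a
# cut(1) pipeline on "Jun  5 10:31:00 host kernel: ..." would count "host".

# Constructed sample in classic rsyslog format; the last line has a padded
# day. Written to a temp file so the functions take ordinary filenames.
SAMPLE_LOG="${TMPDIR:-/tmp}/syslog-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 15 09:49:01 Honeypot03 org.gnome.Shell.desktop[1764]: Window manager warning: Overwriting existing binding
Jun 15 09:49:01 Honeypot03 org.gnome.Shell.desktop[1764]: Window manager warning: Overwriting existing binding
Jun 15 09:49:02 Honeypot03 gnome-shell[1764]: Object Gjs_Label already disposed
Jun 15 09:49:02 Honeypot03 org.gnome.Shell.desktop[1764]: Window manager warning: Overwriting existing binding
Jun 15 09:49:03 Honeypot03 gnome-shell[1764]: Object Gjs_Label already disposed
Jun  5 10:31:00 Honeypot03 kernel: [    0.000000] Linux version 4.15.0 (constructed sample)
EOF

# "count tag" pairs, most frequent first; TOP limits the rows (default 10).
syslog_top_talkers() {
    awk '{ print $5 }' "$@" | sort | uniq -c | sort -nr | head -n "${TOP:-10}"
}

# Tag of the single noisiest process, e.g. "org.gnome.Shell.desktop[1764]:".
syslog_busiest() {
    syslog_top_talkers "$@" | head -n 1 | awk '{ print $2 }'
}

# Collapse each line to "tag message" (dropping timestamp, host and [pid]),
# then count identical messages. One message repeated thousands of times is
# the pattern that jumps out of a runaway process or a persistent login
# attempt, without having to page through gigabytes in less(1).
syslog_repeated_messages() {
    awk '{ tag = $5; sub(/\[[0-9]+\]/, "", tag)
           $1 = $2 = $3 = $4 = $5 = ""; sub(/^ +/, "")
           print tag " " $0 }' "$@" | sort | uniq -c | sort -nr | head -n "${TOP:-10}"
}

syslog_top_talkers "$SAMPLE_LOG"
syslog_repeated_messages "$SAMPLE_LOG"
```

On a real box, point the functions at /var/log/syslog and the rotated syslog.1; gzipped rotations need `zcat syslog.2.gz | syslog_top_talkers /dev/stdin`.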