LinuxQuestions.org


unnamed1 12-20-2014 10:10 AM

[LinuxMint17.1] am I hacked? suddenly I saw a lot of text files opened under "Recent"
 
Hi,
I am a noob with Linux (I was more of a "Windows" guy for a long time).

Am I hacked? Suddenly I saw a lot of text files opened under "Recent".

The files were in a specific folder under an NTFS partition.
I remember clearly that I mounted and opened one file, but I don't remember the other files!! I think it wasn't me.
It was pretty strange! All my text files in the same folder were opened (I assume so because I saw them under the "Recent" folder).

Is there a way to confirm who "hacked" my machine, if that really happened?

Thanks all :)

unSpawn 12-20-2014 07:29 PM

Quote:

Originally Posted by unnamed1 (Post 5288082)
Am I hacked? Suddenly I saw a lot of text files opened under "Recent".

The fact something happened you can't immediately explain does not automagically mean your computer is compromised. Most of the time there are good, simple explanations for certain behaviour.


Quote:

Originally Posted by unnamed1 (Post 5288082)
The files were in a specific folder under an NTFS partition. I remember clearly that I mounted and opened one file, but I don't remember the other files!! I think it wasn't me. It was pretty strange! All my text files in the same folder were opened (I assume so because I saw them under the "Recent" folder). Is there a way to confirm who "hacked" my machine, if that really happened?

- What account was this? Root or an unprivileged user account?
- Is this NTFS partition mounted automagically?
- Do you share your account with anybody?
- What does 'last -wai30' return?
- Were these files modified? If so when?
- Do you make backups?
- Anything else you want to add?

unnamed1 12-21-2014 02:11 AM

Quote:

Originally Posted by unSpawn (Post 5288287)
The fact something happened you can't immediately explain does not automagically mean your computer is compromised. Most of the time there are good, simple explanations for certain behaviour.



- What account was this? Root or an unprivileged user account?
- Is this NTFS partition mounted automagically?
- Do you share your account with anybody?
- What does 'last -wai30' return?
- Were these files modified? If so when?
- Do you make backups?
- Anything else you want to add?

Hi!! First of all, thanks for the reply (very detailed reply :) very pro).

- I don't know what my account is; I just installed Linux Mint lately.
- This NTFS, I think it is called automatically? I pressed on it and it showed me an option to "EJECT" like a CD-ROM and showed me the information inside.
- No, I don't share my account.
- Coool!! I didn't know this command "last -wai30". It shows me when I was with my account and when I rebooted the system!! Very cool.
- I don't do backups (maybe I should!).
- I thought of using the application LoggedFS (although I don't really know how, because I came from Windows and I only know how to click things lol), so I can see detailed information of what is being done on my computer behind the scenes.
- Do you have any idea how to A) enable / disable this application (I am talking about LoggedFS to CSV), and B) how to log all partitions?
C) Where do I find the CSV file location? (I don't really understand the structure of Linux folders; it looks very alien to me compared to Windows.)

Many thanks!!

unSpawn 12-21-2014 06:08 AM

Quote:

Originally Posted by unnamed1 (Post 5288399)
I don't know what my account is; I just installed Linux Mint lately.

Open a terminal window and type 'id'.


Quote:

Originally Posted by unnamed1 (Post 5288399)
This NTFS, I think it is called automatically? I pressed on it and it showed me an option to "EJECT" like a CD-ROM and showed me the information inside.

Hmm. OK...


Quote:

Originally Posted by unnamed1 (Post 5288399)
I don't do backup (maybe I should!).

Yes, you should make backups. At least of your personal, valuable data.


Quote:

Originally Posted by unnamed1 (Post 5288399)
(..) so I can see detailed information of what is being done on my computer behind the scenes

There are a few things to be said here:

Familiarize yourself with what you use.
Coming from a Windows background, you have experienced that Linux does things differently. For example, you can choose what software you install, and you don't have to pay for, say, drivers for your video card. More importantly, Linux is a Real Life community where users and developers interact. This means reciprocity, the act of (actively) paying it forward, is not only about you doing "good deeds" but vital for the development of Linux. So if you, for example, find a bug, then please report it so we all benefit from that. Back to differences: if you learn what they are and how to use them, the reward will be (more or less) total Freedom and total control. Take your time to read the documentation. Start with what your Linux distribution of choice offers you. A gentle introduction will help.

Be safe
Linux does things differently, and that goes for security as well. While viruses are not a Real Life threat, total control appeals to miscreants as well, and abuse comes in many disguises. Don't be greedy: install only what you need. Use common sense: if something looks like it's too good to be true then it probably is. Harden your installation: check your Linux distribution's documentation to see where to start. Proper, regular hardening and auditing will make your machine safer to use, trustworthy. And please don't procrastinate: if you have a gut feeling something is wrong, if you notice odd connections, high resource usage or if a warning is shown, then act on it.

Beware of Hanlon's Razor
As in "do not attribute to malice what can be attributed to stupidity." You're new to Linux. There may be simple explanations for what (you think) you're seeing. First let's check if you have a firewall and if you've got any services running that you shouldn't have. As root run:

Code:

(iptables-save; netstat -antulpe)

If unsure what these (or other) commands do, type

Code:

whatis iptables-save; man iptables; whatis netstat; man netstat

before executing those commands.


Quote:

Originally Posted by unnamed1 (Post 5288399)
Do you have any idea how to A) enable / disable this application (I am talking about LoggedFS to CSV), and B) how to log all partitions? C) Where do I find the CSV file location?

That's really a question for your other thread on that subject. On LinuxQuestions.org (LQ for short) we don't like duplicate threads and questions, as that's highly inefficient to say the least.
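
One way to read the output of the `netstat -antulpe` command suggested in the post above, added here as an example and not part of the original thread: it reduces the listing to the sockets that accept traffic from outside the machine (TCP listeners and unconnected UDP sockets not bound to loopback). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter `netstat -antulpe` output down to services that are
# reachable from other hosts, which is what the firewall/services check is about.

# Reads netstat output on stdin; prints "proto local-address uid=N pid/program"
# for each TCP listener or unconnected UDP socket NOT bound to loopback.
exposed_listeners() {
    awk '
    {
        if ($1 ~ /^tcp/ && $6 == "LISTEN") {
            uid = $7; prog = $9      # tcp rows: State User Inode PID/Program
        } else if ($1 ~ /^udp/ && $6 ~ /^[0-9]+$/) {
            uid = $6; prog = $8      # udp rows: State is blank, fields shift left
        } else {
            next                     # headers and established connections
        }
        addr = $4
        if (addr ~ /^127\./ || addr ~ /^::1:/) next   # loopback-only service
        if (prog == "") prog = "-"   # guard against a missing column
        # Only the first word of a program name containing spaces is kept.
        print $1, addr, "uid=" uid, prog
    }'
}

# Constructed sample output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          12345       987/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          23456       1234/sshd
tcp        0      0 192.168.1.5:45678       93.184.216.34:443       ESTABLISHED 1000       34567       2345/firefox
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          12346       987/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           111        45678       678/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          56789       890/dhclient
EOF
}

sample_netstat | exposed_listeners
```

On a real system, pipe the command itself into the function as root: `netstat -antulpe | exposed_listeners`.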


All times are GMT -5.