How to extract log files from a compromised distro
I am totally reluctant to post this as I fear a torrent of scorn and ridicule. Yes, I have installed - previously - an ISO that was insufficiently verified. I was still running Windows so it is harder to check the signature in particular. Obviously, if I had googled the significance of verifying the signature I would not be writing this post now.
The image had checked out and I finally decided to install it. I installed it without persistence using Rufus directly over Windows 7 and it seemed to have gone well. I am using a wireless connection with an adapter I especially ordered which works with Linux out of the box.
After I adjusted a few things I logged off but not before looking at Netstat where I saw several IP addresses connected to my computer. I copied them down and checked them on my Windows laptop with a special utility. All three addresses were universities, one of them in Europe.
I was puzzled by this. Subsequently I also noticed that my modem would show someone logged in to my wireless network after I had already logged off. Apparently there are some installations that come with malware that gives a hacker access every time the user is logged in.
I decided to download another ISO from a different place and install it over the old one. I used my Windows laptop for this, of course, and yes, this time I did manage to verify the signature. Unfortunately and quite stupidly I did not reset my modem and the hacker was back within a day or two.
The trouble is, I’m not sure how these types of malware work. Is it a Trojan, a worm, a keylogger? Would resetting the modem eliminate this issue?
But more importantly, how did they gain access to the new installation which was clean as far as verifiable with checksums and sig??
I need to export those system log files (all the logs actually) but how do I do this without exporting the virus as well? I have heard people say that once you’re hacked the log files can get altered to hide the evidence but in a post in Ubuntu somewhere it says there are signs, including the attempts at obfuscating.
Thanks for reading. Any constructive feedback is appreciated.
I’m sorry @Grobe maybe I should have anticipated this and explained that I can’t watch any YouTube videos right now.
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?
Quote:
Originally Posted by liquidglass
I installed it without persistence using Rufus directly over Windows 7 and it seemed to have gone well. I am using a wireless connection with an adapter I especially ordered which works with Linux out of the box.
After I adjusted a few things I logged off but not before looking at Netstat where I saw several IP addresses connected to my computer. I copied them down and checked them on my Windows laptop with a special utility. All three addresses were universities, one of them in Europe.
It would be nice to know more about it. It looks strange to me.
Quote:
Originally Posted by liquidglass
Subsequently I also noticed that my modem would show someone logged in to my wireless network after I had already logged off. Apparently there are some installations that come with malware that gives a hacker access every time the user is logged in.
How do you know that? Can you give us some details?
Quote:
Originally Posted by liquidglass
I decided to download another ISO from a different place and install it over the old one. I used my Windows laptop for this, of course, and yes, this time I did manage to verify the signature. Unfortunately and quite stupidly I did not reset my modem and the hacker was back within a day or two.
And again, how do you know that?
Quote:
Originally Posted by liquidglass
The trouble is, I’m not sure how these types of malware work. Is it a Trojan, a worm, a keylogger? Would resetting the modem eliminate this issue?
But more importantly, how did they gain access to the new installation which was clean as far as verifiable with checksums and sig??
Obviously we have no idea; you gave no real information or detail.
Quote:
Originally Posted by liquidglass
I need to export those system log files (all the logs actually) but how do I do this without exporting the virus as well? I have heard people say that once you’re hacked the log files can get altered to hide the evidence but in a post in Ubuntu somewhere it says there are signs, including the attempts at obfuscating.
You can safely copy those log files (actually I don't know which files); that will not harm anything.
But first you need to boot another OS, which is surely not infected. That's why it was suggested to download and boot a live CD. And probably reset your modem.
Quote:
Originally Posted by liquidglass
I’m sorry @Grobe maybe I should have anticipated this and explained that I can’t watch any YouTube videos right now.
You have another Windows laptop, I guess; you can use that to create that live CD (actually on a USB) and boot it. But probably not.
Quote:
Originally Posted by liquidglass
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?
Believe me, it is much easier (and much more efficient) to send a link to a good page instead of copying that content or explaining it again in a few lines. Not only for me, but also for you.
But first of all without details we cannot help you further.
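A concrete version of the live-CD procedure pan64 describes, added here as an example and not taken from any post in the thread: boot a clean live USB, mount the suspect root partition read-only with noexec, copy its /var/log onto the evidence USB and hash the copy so later changes are detectable. The device path /dev/sda1 and the mount points /mnt/suspect and /mnt/usb are assumptions; adjust them to your machine.

```shell
#!/bin/sh
# Added example for this thread, not from any post or project.
# Run from a clean live USB, never from the suspect system itself.
# Assumed (hypothetical) paths: suspect root on /dev/sda1, evidence USB
# already mounted at /mnt/usb. Adjust before use.
set -eu

# Mount the suspect root read-only with noexec/nosuid/nodev so nothing on
# that disk can run, and so copying does not alter the logs' timestamps.
# Needs root, e.g.: mount_suspect_ro /dev/sda1 /mnt/suspect
mount_suspect_ro() {
    mkdir -p "$2"
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Copy a log tree (e.g. /mnt/suspect/var/log) into a timestamped directory
# on the evidence media and write a SHA-256 manifest of every file, so any
# later modification of the copy can be detected. Prints the new directory.
collect_logs() {
    src=$1
    dest=$2/logs-$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    # tar keeps permissions and mtimes; plain-text logs are just data, so
    # copying them cannot execute anything that may be on the suspect disk.
    tar -C "$src" -cf - . | tar -C "$dest" -xpf -
    ( cd "$dest" && find . -type f ! -name SHA256SUMS -print0 \
        | sort -z | xargs -0 sha256sum ) > "$dest/SHA256SUMS"
    printf '%s\n' "$dest"
}

# Re-check the manifest before handing the logs to anyone; returns non-zero
# if any file differs from what was collected.
verify_logs() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# Typical session (as root on the live USB):
#   mount_suspect_ro /dev/sda1 /mnt/suspect
#   dir=$(collect_logs /mnt/suspect/var/log /mnt/usb)
#   verify_logs "$dir"
```

No network connection is involved at any point; the logs travel only from the suspect disk to the USB stick.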
Quote:
Originally Posted by liquidglass
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?
No, nothing wrong, but these are subjects that under normal circumstances can be searched for on the internet (Google, DuckDuckGo, etc.) with little effort.
Also, nobody pays me anything to participate in this forum, so I don't see what is wrong with not wasting my time on simple tasks that one must expect the thread starter to perform him/herself.
It's like - I don't do your homework, if you see what I mean.
Sorry, what?
I understand “copy the logs to a USB stick.”
I do not understand “Boot a live CD.” Can you please explain what you mean by that? Do you mean I should boot the ISO that I installed on that laptop? That is on a USB, btw, not a disk. Is the reasoning that a clean copy of Linux Mint will load and be impervious to the virus? And will it have access to those logs? (I would think not.)
Also, is WiFi needed to download the logs?
I'm seeing an oft-repeated pattern in these posts, one that's been recurring for about a year or so. Hoping this isn't yet another in that long line, but what you're posting and saying isn't adding up logically.
You loaded Linux; so you obviously know how to not only download Linux, but create bootable media...yet don't understand how to boot from it? How did you install Linux if you can't boot? You claim 'malware that gives hackers access' to your modem. What evidence do you have? How did you see this? And is it more likely some 'hacker' got in through 'malware', or that you have a neighbor using your wifi? Or a device in your house is logged into your network??
You say yourself:
Quote:
Originally Posted by liquidglass
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?
...yet you still haven't said what you downloaded, from where, despite being asked. Seems like a pretty straightforward question with a straightforward answer.
You're at once claiming to be knowledgeable (asking about UFW/firewall settings, which ports are open, able to track wifi 'hackers', reset modems, etc.), and also so inexperienced that you don't know how to boot from external media.
I'm with pan64; provide some evidence, answer some easy questions that you've been asked, and provide details and we can try to help. Otherwise, there is nothing we can tell you.
Quote:
Originally Posted by liquidglass
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?
I'm going to reiterate my question: Please tell us what you downloaded and from where. The kind of incidents you're referring to are not common in Linux distributions or Open Source software in general.
As can be seen with the Audacity debacle, 'phoning home' is a practice which is routinely condemned, and software which does so is all but admonished from the community. The developers of Audacity have had to back down, and have now modified theirs to be an 'opt-in' system, instead of 'opt-out' by default.
Hence my curiosity about what you downloaded and where you got it.
All this seems very unlikely.
I just answered another post where you broke your system (essentially turning a stable release into a testing release, rebooting, getting weird glitches) and suspected you got infected.
Now it's something to do with image file verification?
As others said, take a deep breath and do not rush to conclusions until you have some proof.