LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-29-2010, 09:59 PM   #1
eveningsky339
Member
 
Registered: Mar 2010
Location: Western Maine
Distribution: PCLinuxOS (LXDE)
Posts: 466

Rep: Reputation: 51
Is my Ubuntu system suffering from I/O errors?


Let me start out with a confession-- I do not have a secure box. For one thing, it's Ubuntu, which does not offer the option of a separate root password. I do not currently have a firewall blocking any ports, my password consists of a dictionary word and two numbers, and I have only one partition on this entire hard disk-- no separate /home, or /var, or what have you.

In my defense I have been using Ubuntu for a year with absolutely no security breaches of any sort, and thus my guard was low when I made the transition from Linux n00b to mildly competent user.

All that aside, here's what happened:

I was downloading a torrent (I know, I know) and everything was going okay until I shut Transmission down for a bit to surf the web. When I was ready I opened Transmission again and waited for the torrent to start. However, I was greeted only with an error message about /home being read-only.

With much head-scratching I attempted to open /home and see what was going on. Before I could do so, little padlock symbols appeared beside every icon on my desktop. I semi-panicked and went for a hard reboot then and there, a security compromise forefront on my mind (guilty conscience about the simple password? Perhaps...).

Everything appeared to be in order upon hard reboot.

How can I find out if my system was compromised? And outside of a firewall, separate and more complex root password, and separate partitions, are there any additional security measures I can take?
 
Old 09-30-2010, 12:40 AM   #2
ionrivera
Member
 
Registered: May 2010
Distribution: Debian, RHEL, AIX, Solaris, HP-UX
Posts: 61

Rep: Reputation: 4

First check your logs (/var/log/syslog, /var/log/auth.log) to see if there's something unusual happening on your computer, and use the netstat -tap command to check the current connections to your system. You can also try installing rkhunter or chkrootkit to detect rootkits if you kinda doubt that someone cracked your box. You also have to close ports that you are not using, e.g. ports 25, 21, 445, etc., or better yet uninstall the program using them. I also suggest you back up important files in case...

Hope those tips help you somehow. You may also be interested in this blog about [MODERATED]

Last edited by unSpawn; 09-30-2010 at 03:49 PM. Reason: //Remove web log promotion
 
Old 09-30-2010, 04:22 AM   #3
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Doesn't sound like a breach to me. Sounds like a hard drive problem. Look for evidence of I/O errors in /var/log/messages or /var/log/syslog (I don't recall what Ubuntu uses...)
 
Old 09-30-2010, 04:38 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
You should start by isolating your system from the network, which will allow you to investigate in relative security. Either unplug the network cable or put up a firewall and only allow ssh access via a safe local port. There are lots of things you can and should check if you suspect a compromise. Rather than go into the entire list, here is a recent thread that covered this topic: http://www.linuxquestions.org/questi...nvaded-830707/ This step may be overkill, but it is better to harmlessly err on the side of safety.

Once you isolate the machine, given your symptoms, one of the first things I would look for is hard drive problems. I agree with Jiml8 here. Ubuntu will make the file system read-only if it detects a problem with the disks. Sometimes running a disk check (fsck) can fix this, which may happen on a reboot. Look at your syslog and the output of dmesg and see if you are getting things like IO errors.

I may be wrong here, but I doubt if running Transmission itself was enough to result in a compromise. Others may have thoughts on this. Other more likely vectors would include things like running Ubuntu's remote desktop, VNC, or SSH servers, especially if you had weak passwords.
 
Old 09-30-2010, 05:53 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I agree with Noway's approach to this, and also with the thought that simply downloading a torrent isn't a particularly risky move. I think that if you can provide a better indication of what was running on this machine at the time, it would be helpful. I would also have a look in the administrator .bash_history file and see if there are any commands there that don't look right.

Quote:
Originally Posted by ionrivera
Hope those tips will help you somehow.. you may also be interested with this blog about linux ethical hacking and penetration
This sort of thread is absolutely, positively NOT the place to be promoting your blog, particularly if it is about something of such dubious value as penetration testing. That is of zero help in this case and please don't do it again.
 
Old 09-30-2010, 08:00 AM   #6
eveningsky339
Member
 
Registered: Mar 2010
Location: Western Maine
Distribution: PCLinuxOS (LXDE)
Posts: 466

Original Poster
Rep: Reputation: 51
Thanks, everyone, for your replies.

There were only two applications running, VLC and Transmission. I often have VLC in overdrive (200% volume) because I use it to play white noise to calm my colicky baby, and it needs to be fairly loud to have an effect (unborn babies are constantly exposed to sound louder than a vacuum cleaner in utero). I will say that I usually refrain from running other applications while VLC is doing so much work because I notice a significant reduction in my machine's performance.

Obstetrics aside, I will isolate my machine and go log hunting to see if I can dig up anything.
 
Old 09-30-2010, 03:55 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ionrivera View Post
You can also try installing rkhunter or chkrootkit to detect rootkits if you kinda doubt that someone cracked your box.
A machine that was (perceived to be) compromised should not receive unintentional software updates or intentional configuration changes or software installations as this may thwart investigation.


Quote:
Originally Posted by ionrivera View Post
Hope those tips will help you somehow.. you may also be interested with this blog about [MODERATED]
I have removed your web log promotion. Please do not do that unless you have something authoritative to say on the subject or can point to a post whose specific contents aid incident response and analysis. Just stating your web log is about [insert popular term] (and then not writing in detail about it) or posting a list of tools (like one can find on any pen-testing CD) without specific usage examples clearly does not apply.
 
Old 09-30-2010, 04:00 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by jiml8 View Post
Doesn't sound like a breach to me.
In cases where the OP thinks a machine is compromised s/he should provide details and (learn to) do the analysis and let the results speak for themselves. So even if it does not in this forum please consider pointing people to standard docs, just in case, TIA.
 
Old 09-30-2010, 04:11 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Noway2 View Post
Rather than go into the entire list, here is a recent thread that covered this topic
Ouch! That's a rather big thread. Maybe you intended to, but next time it would be better to point to a specific post?


Quote:
Originally Posted by Noway2 View Post
make the file system read only if it detects a problem with the disks. Sometimes running a disk check (fschk) can fix this, which may happen on a reboot. Look at your syslog and the output of dmesg and see if you are getting things like IO errors.
Linux will remount,ro on file system errors, so indeed (--dry-)running fsck in the single-user runlevel on unmounted partitions would seem more efficient to me before investigating HW problems, unless the machine's HW is old or already has known problems.


Quote:
Originally Posted by Noway2 View Post
Other more likely vectors would include things like running Ubuntu's remote desktop, VNC, or SSH servers, especially if you had weak passwords.
Not SSH AFAIK but definitely remote desktop was (is?) a problem with Ubuntu. Other fora have been flooded with it.
 
Old 09-30-2010, 07:06 PM   #10
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
Originally posted by Unspawn:
Ouch! That's a rather big thread. Maybe you intended to, but next time it would be better to point to a specific post?
I see your point and agree with you. Noted for future reference. My main concern was to try and direct the OP toward a thread that had some additional details on exactly what steps to take and this was the thread that came to mind. This thread has given me an idea that I would like to discuss with you, but I don't think the middle of the thread is the best place. With your permission, I will contact you separately.

Quote:
Originally posted by Unspawn:
Linux will remount,ro on file system errors, so indeed (--dry-)running fsck in the single-user runlevel on unmounted partitions would seem more efficient to me before investigating HW problems, unless the machine's HW is old or already has known problems.
One question I have on this one is whether or not it can / will switch the file system to RO after it has been (initially) mounted. I ran into trouble once while testing a raid and I am pretty certain that the file system went RO on me after I had done a few things.

Upon re-reading the thread, I realized it may have been wise to put a warning about running a file system check with repair, which done on a mounted system can cause additional issues, not to mention the concept of making minimal modifications on a system under investigation. Unspawn is absolutely correct that a dry run to look for errors would be best. I looked at the man page for fsck and it looks like the -N option may be the ticket here, but I would like to suggest (and request) some clarification assistance on this test.

Quote:
Originally posted by Unspawn:
Not SSH AFAIK but definitely remote desktop was (is?) a problem with Ubuntu. Other fora have been flooded with it.
True on both counts. My main concern here was the statement about using admittedly weak passwords. If the OP wasn't running server applications, like SSH, this becomes less likely to be part of the problem.
 
Old 09-30-2010, 07:37 PM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by eveningsky339
There were only two applications running, VLC and Transmission.
Please correct me if I'm wrong, but I suspect those two weren't the only ones running. I'm assuming you started only VLC and Transmission, but wouldn't there be a number of servers running as well such as SSH or have you shut down all the services like that? In the thread Noway2 linked to there are three commands that give a pretty good snapshot of what is running on the machine:

ps -afxwwwe
lsof -Pwn
netstat -pane

It also would be nice to have an idea of how your machine is connected to the intertubes and what other machines (if any) exist on your LAN (if you have one). For example, is there a router between this machine and the Internet and if so, are any ports forwarded to this machine?
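The three snapshot commands above (and ionrivera's netstat check in post #2) wrapped into an evidence-collection function, added here and not taken from any post in the thread: each command's output goes into one directory with a sha256 manifest, so later analysis reads a fixed record instead of re-running tools on the suspect machine. The fallback to ss when netstat is absent and the file names are my assumptions.

```shell
#!/bin/sh
# Collect the volatile state named in the thread (processes, open files,
# sockets, kernel ring buffer) into OUTDIR and hash the files, so analysis
# reads a fixed record instead of re-running tools on a suspect machine.
# Assumptions: ss stands in when netstat is absent; file names are my choice.
# Point OUTDIR at removable media, not at the disk under investigation.

# hash_files FILE...: sha256 lines via whichever tool the system provides
hash_files() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# capture OUTDIR NAME CMD ARG...: run CMD if installed and keep its stdout as
# NAME.txt; stderr, missing tools and non-zero exits are logged to notes.txt.
capture() {
  dir=$1; name=$2; shift 2
  if command -v "$1" >/dev/null 2>&1; then
    "$@" >"$dir/$name.txt" 2>>"$dir/notes.txt" || echo "$1 exited $?" >>"$dir/notes.txt"
  else
    echo "$1: not installed" >>"$dir/notes.txt"
  fi
}

# snapshot_state OUTDIR: the three commands from the post, the kernel log,
# a UTC timestamp, then a manifest over everything written. Returns 0 on success.
snapshot_state() {
  out=$1
  mkdir -p "$out" || return 1
  date -u +%Y-%m-%dT%H:%M:%SZ >"$out/captured_at.txt"
  : >"$out/notes.txt"
  capture "$out" processes  ps -afxwwwe
  capture "$out" open_files lsof -Pwn
  if command -v netstat >/dev/null 2>&1; then
    capture "$out" sockets netstat -pane
  else
    capture "$out" sockets ss -panute
  fi
  capture "$out" kernel_log dmesg
  ( cd "$out" && hash_files *.txt >manifest.sha256 )
}

# Usage: snapshot_state /media/usb/evidence-$(date -u +%Y%m%d%H%M%S)
```

Check the record later with `cd OUTDIR && sha256sum -c manifest.sha256`; anything listed in notes.txt as "not installed" was never captured, which is itself worth recording before the machine is changed.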
 
Old 09-30-2010, 07:51 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Noway2 View Post
One question I have on this one is whether or not it can / will switch the file system to RO after it has been (initially) mounted.
While applicable only to Ext* filesystems, the tune2fs "error-behavior" flag is evidence that the kernel decides what to do on fs error (continue, remount read-only or panic). I don't remember what it defaults to, but I always ensure it's tuned for "remount,ro".
* BTW no LQ member ever needs prior permission to contact me or any moderator: we're here to serve the LQ community.
I'll get out of the way and let you all handle this case w/o further interruptions.
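The disk-fault triage that Noway2 and unSpawn describe in posts #4, #9, #10 and #12, put into one script as an added example (not code from any poster): it counts kernel log lines that point at a failing disk or an aborted filesystem, lists mounts that are currently read-only, and reads the ext on-error policy from tune2fs output. The log lines, mount table and tune2fs output are constructed samples, and /dev/sda1 is an assumed device name.

```shell
#!/bin/sh
# Triage helpers for the "/home is suddenly read-only" symptom. The log lines,
# mount table and tune2fs output are CONSTRUCTED samples so this runs offline;
# on a real box point the functions at /var/log/syslog (or dmesg output),
# /proc/mounts and the output of "tune2fs -l /dev/sda1" (device name assumed).
SAMPLE_LOG=$(mktemp); SAMPLE_MOUNTS=$(mktemp); SAMPLE_TUNE2FS=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_MOUNTS" "$SAMPLE_TUNE2FS"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Sep 29 21:40:11 host kernel: ata1.00: status: { DRDY ERR }
Sep 29 21:40:11 host kernel: end_request: I/O error, dev sda, sector 104857600
Sep 29 21:40:12 host kernel: EXT3-fs error (device sda1): ext3_find_entry: reading directory #1234
Sep 29 21:40:12 host kernel: Aborting journal on device sda1.
Sep 29 21:40:12 host kernel: Remounting filesystem read-only
Sep 29 21:41:00 host transmission[2345]: Couldn't save resume file: Read-only file system
EOF
cat >"$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext3 ro,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
cat >"$SAMPLE_TUNE2FS" <<'EOF'
Filesystem volume name:   <none>
Filesystem state:         clean with errors
Errors behavior:          Continue
EOF

# count_disk_faults LOGFILE: number of kernel lines that point at a failing disk
# or at a filesystem the kernel gave up on (drop -c to read the lines themselves).
count_disk_faults() {
  grep -c -E -i 'I/O error|EXT[234]-fs error|Aborting journal|Remounting filesystem read-only' \
    "$1" || true   # grep exits 1 when nothing matches; a count of 0 is still an answer
}

# readonly_mounts MOUNTS_FILE: mount points whose option list carries a bare "ro",
# whether mounted that way or remounted by the kernel after an error (the word
# "remount-ro" inside errors=... is the policy, not the current state, and is skipped).
readonly_mounts() {
  awk '$4 == "ro" || $4 ~ /^ro,/ || $4 ~ /,ro,/ || $4 ~ /,ro$/ { print $2 }' "$1"
}

# errors_behavior TUNE2FS_OUTPUT: the ext2/3/4 on-error policy stored in the
# superblock (Continue, Remount read-only or Panic); "tune2fs -e remount-ro DEV"
# sets it, and an errors= mount option overrides it for that mount.
errors_behavior() {
  sed -n 's/^Errors behavior:[[:space:]]*//p' "$1"
}

echo "disk/fs fault lines: $(count_disk_faults "$SAMPLE_LOG")"    # 4
echo "read-only mounts:    $(readonly_mounts "$SAMPLE_MOUNTS")"   # /
echo "on-error policy:     $(errors_behavior "$SAMPLE_TUNE2FS")"  # Continue
# Reading: a disk reported errors, the kernel already remounted / read-only, and
# only the errors=remount-ro mount option made it do so. Next, from single-user
# mode with the partition unmounted, "fsck -N /dev/sda1" shows what fsck would run
# without changing anything on the disk.
```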
 
Old 09-30-2010, 11:11 PM   #13
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Quote:
Originally Posted by unSpawn View Post
In cases where the OP thinks a machine is compromised s/he should provide details and (learn to) do the analysis and let the results speak for themselves. So even if it does not in this forum please consider pointing people to standard docs, just in case, TIA.
I suppose that whether this approach to diagnosing a problem is a valid one or not depends on the OP's goals.

If the OP wishes to learn about security, then what you suggest may make sense. If, on the other hand, the OP merely wishes to figure out what is wrong with the computer and solve the problem, then the approach you advocate is most probably a waste of OP's time, given that the symptoms don't point to what the OP fears they point to.

And I would no more point to standard docs on securing a linux system when the symptoms suggest a hardware or filesystem problem than I would recommend a treatment regimen for cancer when the patient has heart disease.

YWIA.
 
Old 10-03-2010, 05:57 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by jiml8 View Post
I suppose that whether this approach to diagnosing a problem is a valid one or not depends on the OP's goals. If the OP wishes to learn about security, then what you suggest may make sense. If, on the other hand, the OP merely wishes to figure out what is wrong with the computer and solve the problem, then the approach you advocate is most probably a waste of OP's time, given that the symptoms don't point to what the OP fears they point to.
Please concentrate on analyzing the facts. After all, that is what troubleshooting should be based on. Since the OP posted a question in the Linux Security forum about a (perceived) compromise, assessment should start with as wide a scope as possible, only to be narrowed down after the OP has posted information from which one can conclude it is not related to security but to other aspects. Providing clarity and structure helps the OP and others that follow. That's how I want incident response to be performed in this forum. If you feel you are not able to see the reasons for doing things this way, then at least try to avoid distractive, retaliatory and argumentative responses, TIA.
 
Old 10-03-2010, 05:36 PM   #15
eveningsky339
Member
 
Registered: Mar 2010
Location: Western Maine
Distribution: PCLinuxOS (LXDE)
Posts: 466

Original Poster
Rep: Reputation: 51
Two identical episodes have occurred over the past few days, and my logs indicate I/O errors. I may have to scoot over to the Hardware forum...
 
  

