Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
hello everyone
I think I have been hacked because the network manager suddenly showed me as disconnected and also firestarter was disabled, even though I was still certainly online. I restarted and checked the log files and some entries looked suspicious. I read online that hackers can get temporary privileges without the password and I think that is what happened. Is there a way to "fool" the computer into thinking we are disconnected as a way to disable firestarter?
When I open the log file viewer it allows me to read the logs, but gives the message that I don't have permission to read the files. It appears that the permissions were changed in btmp. I don't know if this btmp was added as a dependency with something I downloaded, but I know that I didn't intentionally download it and don't have it on another partition that I use.
Here is another log file. I actually don't know what category of files would show the clearest indication of a successful break in but I sent ones that looked suspicious to me.
I am using Ubuntu 10.04. This partition was installed 3 weeks ago. If there were any updates of networkmanager or firestarter they were through update manager and I didn't notice them.
(..) the network manager suddenly showed me as disconnected and also firestarter was disabled(..). I restarted and checked the log files and some entries looked suspicious.
Odd as it may seem, crackers have a purpose and, depending on the situation, they will either not care (a machine deemed expendable as there's a gazillion other boxes to send spam from) or try to hide their presence. Opening CDROM trays or mucking with a graphical firewall configuration utility would rarely fit their purpose. That said, none of your logs show suspicious entries. The only thing of worth, to me at least, is that you tried to access firestarter via means of sudo and failed to enter the root password thrice. Should you persist something is amiss, we will help you investigate, but as for now there is no evidence of that.
I have never tried to run firestarter with sudo. I have only provided the required password as prompted. I have only ever fumbled the password a couple of times. It is very strange that you saw an indication that there was an attempt to run it with sudo. Thanks for the reply.
I have never tried to run firestarter with sudo. I have only provided the required password as prompted.
I translate that as "I don't know what's going on under the hood and just do as asked". That's fine, I'm sure, if you're new to Linux or as a seasoned user have no wish to get acquainted with system internals. On the other hand, getting to know your system more intimately may increase independence, joy, security and even productivity: http://docs.fedoraproject.org/.
The only thing that I can see is that your network manager looks a bit unstable. Losing connections, especially wireless, is something that seems to be common in Ubuntu. If you are having this problem, you might want to look into the wireless backport modules, but I would suggest doing some searching, especially in a place like ubuntuforums.org, on this first. I had a real problem with one machine until I did this.
The auth log does indicate that your user tried to run firestarter, prefixed with sudo, and botched the password. Since Ubuntu doesn't exactly have a root account as it is locked out, this would be how you would access firestarter. As far as it being 'disabled', one possibility would be that the settings didn't get captured in a persistent place and the rules got cleared on a reboot. Normally, iptables rules, which firestarter is a front end for, don't hold unless you specifically call a script that re-enables them on boot. I would think that firestarter would handle this part, but maybe something didn't go right.
In any case, I agree with unspawn. There are no signs of a compromise. I would look into updates and/or bugs associated with the wireless, based upon past experience.
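The reply above points at the sudo entries in /var/log/auth.log as the only thing worth looking at. The script below is an added example, not code from any post in this thread: it parses the command lines sudo(8) writes to auth.log, counts failed and successful invocations per user and command, and flags sudo activity from an account that is not expected on a single-user home machine. The log lines, hostname and user names embedded in it are constructed for the example; the line format is the one sudo uses on Ubuntu 10.04, with the "N incorrect password attempts" prefix on failures.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (sudo and pam_unix format on an
# Ubuntu 10.04 box); hostname "homebox", users and timestamps are made up.
SAMPLE_AUTH_LOG = """\
Jun 14 12:34:50 homebox sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=0 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Jun 14 12:34:58 homebox sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/firestarter
Jun 14 12:35:10 homebox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/firestarter
Jun 14 13:02:41 homebox sudo:    alice : TTY=unknown ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/synaptic
Jun 14 13:10:05 homebox sudo:   mallory : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""

# One sudo command record: optional failure prefix, then the TTY/PWD/USER/COMMAND fields.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<failed>\d+) incorrect password attempts ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(text):
    """Return one dict per sudo command record; pam_unix chatter is skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["failed"] = int(d["failed"]) if d["failed"] else 0
        d["ok"] = d["failed"] == 0
        events.append(d)
    return events


def summarize(events):
    """Count password failures and successful runs per (user, command)."""
    failures, successes = Counter(), Counter()
    for e in events:
        key = (e["user"], e["cmd"])
        if e["ok"]:
            successes[key] += 1
        else:
            failures[key] += e["failed"]
    return failures, successes


def suspicious(events, expected_users):
    """Flag sudo use by any account outside expected_users, and failed
    attempts whose target is a shell rather than an administrative tool."""
    hits = []
    for e in events:
        if e["user"] not in expected_users:
            hits.append(("unexpected user", e["user"], e["cmd"]))
        elif not e["ok"] and e["cmd"].split("/")[-1] in ("bash", "sh", "dash"):
            hits.append(("failed shell escalation", e["user"], e["cmd"]))
    return hits


if __name__ == "__main__":
    evs = parse_sudo_events(SAMPLE_AUTH_LOG)
    fails, oks = summarize(evs)
    for key, n in fails.items():
        print("failed password attempts:", key, n)
    for key, n in oks.items():
        print("successful sudo runs:", key, n)
    for hit in suspicious(evs, {"alice"}):
        print("FLAG:", hit)
```

On a real box, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (readable as root). A record whose TTY field is "unknown" was typically started without a terminal, which is what a graphical launcher that wraps the program in sudo or gksu produces, so such entries are consistent with the menu entry being used rather than a shell.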
I thought that sudo was only used in the terminal. I have always started firestarter with Applications -> Internet -> Firestarter.
I realize I could be wrong about a good amount of things when using Ubuntu including with the use of sudo, since I am so new to it and have no prior experience with Linux. I am trying to learn, which has been a bit frustrating since a good amount of the information I have found online seems more directed at networks and I am only a home user with one computer.
As for me just following directions and not looking under the hood, if I do this in regards to using Ubuntu, this would be the first time I ever did it with anything.
I thought that sudo was only used in the terminal. I have always started firestarter with Applications -> Internet -> Firestarter.
This comment raises a very good question. In fact, the predominant use of sudo is through the terminal. The GUI is nothing more than a front end for the underlying tool and in this case, you are using it to perform a privileged operation. There are three ways that I know of to provide the permissions required for an operation: 1 - use setuid to cause the application to execute with the permissions of the owner (root), 2 - change the permissions so that it is executable by either group or others, 3 - require authentication to elevate to root level privilege. It would seem that this is the approach taken in Ubuntu when it prompts you for authentication. Quite frankly, I haven't even given it thought, but that is likely what happens behind the scenes: the command is prefixed by sudo, which in Ubuntu is the de facto method of gaining root.
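To make the three mechanisms listed above concrete, here is an added example (not from any post in this thread) that tells them apart for a given program. It inspects the file mode for the setuid bit (mechanism 1) and for group/other execute permission (mechanism 2), and separately reads a menu launcher's Exec= line to see whether the program is started through an authenticating wrapper such as sudo or gksu (mechanism 3). The files it creates and the .desktop text are constructed in a temporary directory for the example; the list of wrapper names is an assumption, not taken from any Ubuntu package.

```python
import os
import stat
import tempfile

# Assumed list of wrappers that prompt for a password before running a command.
ELEVATION_WRAPPERS = ("gksu", "gksudo", "kdesudo", "sudo", "su-to-root", "pkexec")


def classify_permissions(path):
    """Describe what the file mode alone grants to whoever runs `path`.
    Returns 'setuid-root', 'setuid-nonroot', 'world-executable' or 'owner-only'.
    A wrapper such as sudo is not visible here; see launcher_wrapper()."""
    st = os.stat(path)
    if st.st_mode & stat.S_ISUID:
        # Mechanism 1: the program runs as its owner, which only matters if root owns it.
        return "setuid-root" if st.st_uid == 0 else "setuid-nonroot"
    if st.st_mode & (stat.S_IXGRP | stat.S_IXOTH):
        # Mechanism 2: others may execute it, but with their own rights.
        return "world-executable"
    return "owner-only"


def launcher_wrapper(desktop_text):
    """Return the elevation wrapper named first on a .desktop Exec= line
    (mechanism 3), or None if the program is launched directly."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            words = line[len("Exec="):].strip().split()
            if words and os.path.basename(words[0]) in ELEVATION_WRAPPERS:
                return os.path.basename(words[0])
            return None
    return None


# Constructed launcher text modelled on a GNOME menu entry; not a real package file.
CONSTRUCTED_DESKTOP = """[Desktop Entry]
Name=Firewall tool (constructed example)
Exec=gksu /usr/sbin/firestarter
Type=Application
"""


def demo():
    """Create three constructed scripts with different modes and classify each;
    also classify the real sudo binary when present, since it is the textbook
    example of mechanism 1."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("setuid_tool", 0o4755),
                           ("shared_tool", 0o755),
                           ("private_tool", 0o700)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho constructed\n")
            os.chmod(p, mode)  # chmod after writing, so the setuid bit is not cleared
            results[name] = classify_permissions(p)
    if os.path.exists("/usr/bin/sudo"):
        results["/usr/bin/sudo"] = classify_permissions("/usr/bin/sudo")
    results["launcher"] = launcher_wrapper(CONSTRUCTED_DESKTOP)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Point launcher_wrapper() at the text of the real entry under /usr/share/applications to see which wrapper a menu item uses; when it names sudo or gksu, the auth.log entries discussed in this thread are the expected side effect of clicking the menu item.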
I interpret your last comment to mean that sudo is being applied by the application itself when we use the GUI. This is a good thing to know in general and also good news for me right now since if that wasn't the case, and firestarter was in fact started with sudo, that would mean it was done so by someone else.
As for the networkmanager being unstable, I believe that I have seen some indications of that being the case, but I am still far too much of a novice to be sure. As I said before, it is frustrating learning about many aspects of Ubuntu, especially networkmanager, since so much of the information that I have found seems to be directed towards networks.