LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   user reappears even if operating system is reinstalled and 3x formatted (https://www.linuxquestions.org/questions/linux-security-4/user-reappears-even-if-operating-system-is-reinstalled-and-3x-formatted-884666/)

robeich 06-05-2011 09:38 AM

user reappears even if operating system is reinstalled and 3x formatted
 
A few months ago one of my computers (an HP thin client) was compromised.
I reformatted the hard drives and reinstalled Mandriva 2010.

After a few days I was prompted at login with the username robert,
even though there was no longer a user robert (I changed to using rob on the new installation).

So I became nervous and formatted again 4x: first ext3, then swap, then ntfs, then
reiserfs.
I kept this computer off the network (used standalone, no LAN, no WLAN).
I reformatted all my USB sticks and external HDs.
And now, a few days ago, the clou: robert was back again at login!

But there is no user robert in /etc/shadow.
Any suggestions where robert is hiding and how to stop him coming back?

carltm 06-05-2011 09:51 AM

If there is no user robert, then robert cannot be logging in.
I'm wondering if someone or something is trying to log into
the device, and all you're seeing is the username of the last
log in attempt.

Another thought...is it possible that someone else is logging
in as root? Some thin clients allow administrative access
to the OS. Or you might be able to bring it up into runlevel
1 without being prompted for a password. If someone has found
a way in as root, they could be putting robert in the history
to try to cover their tracks.

robeich 06-05-2011 10:20 AM

Thanks carltm,
but as I mentioned, this computer has no connection to any network (totally unplugged).
Nobody else has access to that computer.
In the Control Center, ALLOW_USER_LIST is set to no.
Actually no username should be displayed at all!
That is working: no list is displayed, there is just user robert in the login field.
Unfortunately I didn't keep the old password for user robert from the former installation (a few months ago),
so I could not try to log in with the old password to figure out whether just the name appears or whether
the old user account is hidden somewhere.
Very weird.
robeich

unSpawn 06-05-2011 06:36 PM

Quote:

Originally Posted by robeich (Post 4376934)
A few month ago one of my computers ( hp thin client ) was compromised.

Was it? Any details?


Quote:

Originally Posted by robeich (Post 4376934)
And now a few days ago the clou, robert was back again at login ! But there is no user robert in /etc/shadow Any suggestions where robert is hiding and how to stop him coming back ?

If the machine was formatted zeroing out partitions, and the username "robert" is not in /etc/{passwd,group,shadow} (meaning running '(lastb -adix; last -adix; lastlog)|grep robert' does not return anything), and you have not restored any system or user backups, nor connected the machine to any network, nor made any (login?) mistakes that could have made the system retain a list of user names (certainly far-fetched), then I'd first try running 'logwatch', if installed on your system, over the logs to see if there are any errors slash clues. If there are none, go for a brute-force approach: first 'grep robert -ar /home', then 'grep robert -ar /var' and finally 'grep robert -ar /etc /root /tmp'. Sure isn't efficient, but if the string is somewhere it should show.

tallship 06-07-2011 02:35 AM

Quote:

Originally Posted by robeich (Post 4376934)
And now a few days ago the clou,

I have no idea what that means, whatsoever. What is a "clou"?

Quote:

Originally Posted by robeich (Post 4376934)
But there is no user robert in /etc/shadow

Of course there isn't. The name of your host is robert, and you are being presented with a login prompt.

This reminds me of something Jeff Spicoli said right before he crashed the trans-am he took for a joyride ;)

sundialsvcs 06-07-2011 09:09 AM

Quote:

Originally Posted by tallship (Post 4378532)
This reminds me of something Jeff Spicoli said right before he crashed the trans-am he took for a joyride ;)

I guess I missed that one? ("I don' watch much .. tee-vee .. you don' mean :eek: to me ...")

robeich 06-08-2011 07:22 AM

Hi tallship,
Thanks for asking; you don't know the old movie with Robert Redford and Paul Newman titled The Clou?
Also, my host does not have the name robert!
In /etc/hosts there is just 127.0.0.1 localhost.
If that is not the real hostname, where does it take robert from?
And also, who, or better what, is telling the computer to fill the name robert into the field to be used for the login name?
That field has to be empty according to the settings of the computer (which is what it mostly does) when I boot the machine.
By the way, who is Jeff Spicoli? I hope he's not a friend of yours.

Thanks unSpawn,
last -adix and lastb -adix didn't give me any robert.
With the grep I got lots of roberts in email addresses, but that's not what we are looking for?!
The problem with the HP thin client actually started when I noticed lots of traffic even when I did nothing at the machine.
I installed rkhunter and chkrootkit. One told me everything was ok but warned me about outdated OpenSSL, GnuPG and Apache,
but even after a so-called successful update I had the same versions.
And rkhunter told me it was probably Xcibit infected.
After I realized that chkrootkit told me at the prompt that everything was ok, and in /var/log as well, I noticed in messages that
rows had been deleted and changed in chkrootkit.log.
That was the reason for the reinstallation.
But now I remember that while trying to format one partition with ext4, even after it had been formatted with ntfs before, the system told me there was
still data on the partition, something like /var and /usr, and asked me if the files should be transferred to the new partition.
I stopped, removed the hard drive and reformatted it on a different computer.
hmm
robeich
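The search unSpawn describes (account databases first, then a brute-force grep over /home, /var and /etc), with the e-mail-address noise robeich ran into filtered out, as an added example. This is not code from the thread; it assumes a POSIX shell and a grep that supports -r, -l, -a and -w (GNU or BSD), and the directory layout under ROOT is the only thing it relies on:

```shell
#!/bin/sh
# Added example, not from the thread: hunt for a residual user name the way
# unSpawn suggests (account databases first, then a brute-force grep over the
# tree), while dropping the e-mail-address hits robeich reported.
# Assumes POSIX sh plus GNU/BSD grep with -r, -l, -a and -w.
#
# Usage: find_user_traces USER ROOT
#   Prints "account:<file>" for /etc/{passwd,shadow,group} entries whose first
#   field is USER, and "string:<file>" for every other file that contains USER
#   as a whole word outside an e-mail local part.  Exit status 0 if anything
#   was found.  Run as root with ROOT=/ on the live system; ROOT may also be a
#   mounted image or a copy of the disk.
find_user_traces() {
    user=$1        # plain account name; regex metacharacters are not escaped
    root=${2%/}    # strip one trailing slash so paths compare cleanly ("/" -> "")
    hits=$(
        # 1. Account databases: an entry whose first field is the name.
        for db in "$root/etc/passwd" "$root/etc/shadow" "$root/etc/group"; do
            [ -f "$db" ] && grep -q -- "^$user:" "$db" && echo "account:$db"
        done
        # 2. Everything else.  -a treats binary files as text so wtmp/btmp,
        #    lastlog and display-manager caches are searched too; -w keeps
        #    "roberts" from matching "robert".  Lines where the name is only
        #    the local part of an address (robert@example.org) are dropped.
        grep -rlaw -- "$user" "${root:-/}" 2>/dev/null | sort | while IFS= read -r f; do
            case "$f" in
                "$root/etc/passwd"|"$root/etc/shadow"|"$root/etc/group") continue ;;
            esac
            if grep -aw -- "$user" "$f" | grep -v -- "$user@" | grep -q .; then
                echo "string:$f"
            fi
        done
    )
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Stand-alone use: ./find_user_traces.sh robert /
if [ "$#" -eq 2 ]; then
    find_user_traces "$1" "$2"
fi
```

An "account:" hit means the name is still a real account somewhere in the tree; a "string:" hit in a display-manager or session cache is the kind of place a pre-filled login name would come from, and is worth reading in full before concluding anything.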

tallship 06-08-2011 08:01 AM

Quote:

Originally Posted by robeich (Post 4379778)
Hi tallship,
Thanks for asking, you don't know the old movie with Robert Redford and Paul Newman titled the clou ?

Vaguely. I'll have to look that one up :)


Quote:

Originally Posted by robeich (Post 4379778)
in etc hosts is just 127.0.0.1 localhost . If that is not the real hostname where does it take robert from ?

Your hostname is in /etc/HOSTNAME


Quote:

Originally Posted by robeich (Post 4379778)
By the way, who is Jeff Spicoli,

He's one kewl dude ;)

I hope that helps :)

Kindest regards,

MS3FGX 06-08-2011 10:03 AM

Quote:

Originally Posted by tallship (Post 4379829)
Vaguely. I'll have to look that one up :)

FYI, it would appear that "The Clou" is the German name for "The Sting".

unSpawn 06-08-2011 05:43 PM

Quote:

Originally Posted by MS3FGX (Post 4379979)
FYI, it would appear that "The Clou" is the German name for "The Sting".

Y'all please keep things on topic. However droll and entertaining slinging movie references is, it is definitely not in this forum's scope.

unSpawn 06-08-2011 05:49 PM

Quote:

Originally Posted by robeich (Post 4379778)
The problem with the HP thin client actually started when I noticed lots of traffic even when I did nothing at the machine. I installed rkhunter and chkrootkit. One told me everything was ok but warned me about outdated OpenSSL, GnuPG and Apache, but even after a so-called successful update I had the same versions. And rkhunter told me it was probably Xcibit infected. After I realized that chkrootkit told me at the prompt that everything was ok, and in /var/log as well, I noticed in messages that rows had been deleted and changed in chkrootkit.log. That was the reason for the reinstallation. (..) But now I remember that while trying to format one partition with ext4, even after it had been formatted with ntfs before, the system told me there was still data on the partition, something like /var and /usr, and asked me if the files should be transferred to the new partition. I stopped, removed the hard drive and reformatted it on a different computer. hmm

While a healthy dose of paranoia may be good, reviewing your previous threads tells me you're (too?) easily alarmed by things. Not all warnings are false positives, but a lot of them may be. I suggest that next time you try to gather evidence and ask for suggestions before reformatting.


Quote:

Originally Posted by robeich (Post 4379778)
last -adix and lastb -adix didn't give me any robert. With the grep I got lots of roberts in email addresses, but that's not what we are looking for?!

No, that's not it. As there are no leads right now, I suggest you wait for the next incident and post any data, like 'last' output and logs: post log excerpts, screenshots etc.

Noway2 06-08-2011 08:11 PM

Kind of an off the wall suggestion, but based upon the symptom you are reporting and past experience, would it be possible for you to put, i.e. hide, a small camera to watch the physical activity on this machine?

robeich 06-10-2011 05:58 AM

Sorry if the story sounds a little bit paranoid.
Probably I have to tell the story from the beginning.

The paranoia story started sometime last year when, while I was working in KWrite, all the text doubled up as
a kind of shadow!
After investigating I realized that I could not use ls anymore, but dir did the job in the console.
So I had a look at my processes and noticed a bluetooth process with high priority
that couldn't be killed.
So I tried to reboot; nothing happened.
So I used shutdown -h now; nothing happened!
So I pressed the ultimate power button.
After the computer was rebooted I could use neither mouse nor keyboard!
Had to remove the hd and reinstall and and....
After that story happened again a few weeks later I joined linuxquestions, because I realized
a big lack of knowledge on my side.

During my investigations into what happened I stumbled on a big security hole in my Netgear router;
after months of very funny conversation with members of the support team,
I was able, via the Netgear forum where I reported that incident (I could log in to my router with http://192.168.01 without a password),
to get in contact with a member of the real Netgear team.
Now every few months I get the first update of new versions to have a look at (LOVELY, I'M SO PROUD!!).

And then I noticed again that bluetooth process and all the other incidents with rkhunter and chkrootkit described in my earlier threads.
Since this happened I am very, very careful, and really want to figure out what's going on.
And then (now 2x) in the morning, when I turn on my computer (the configuration details about logon are mentioned earlier),
I found robert in the field that should be empty!

I also found lots of entries like this:
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode
connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
on my MacBook (I kept the thin client with my Apache off the net because I wanted to be rid of having to reinstall every few weeks).

Hmm, tell me the truth unSpawn, is this paranoia or ?????
Anyway, thanks to everybody who is looking after me.
robeich

Noway2 06-10-2011 08:05 AM

209.85.143.99 is Google. To verify this yourself, do an nslookup. You can also go to their website. I really doubt they are trying to brute-force access to your machine. The connection is from port 80, which is their web page port. The higher-numbered port on your machine is likely the random port used by your browser to connect to Google. Depending on your FW settings, you may have blocked ad or cookie traffic or something along those lines.

So far, you have posted brief excerpts from a firewall log and claims of a username appearing where it should not. Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz. As a reminder, LQ Security deals in facts, not fiction, not theories, not conjecture. If you think that you may truly be compromised, we can, and will help you investigate. Doing so would involve you performing a lot of tests to obtain information and then posting the results. It is an involved process and one not engaged upon lightly.
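The port-based reasoning in the reply above (a packet *from* a service port like 80 *to* a high local port is most likely the tail of a connection the MacBook itself opened, whereas a packet aimed *at* a low local port is an unsolicited probe) turned into a small log classifier, as an added example that is not part of the thread. It assumes only POSIX sh, awk and sort; the sample log is constructed from the two lines robeich quoted plus one invented probe from a TEST-NET-2 documentation address, and the "likely-reply-to-outbound" verdict is a heuristic, not proof of what the remote host did:

```shell
#!/bin/sh
# Added example, not from the thread: classify macOS application-firewall
# "Stealth Mode connection attempt" lines by the reasoning in the post above.
# A packet from a service port (< 1024) to a high local port is most likely a
# late packet of a connection this machine opened; a packet aimed at a low
# local port is an unsolicited probe.  "last message repeated N times" markers
# are folded into the count of the line they follow.  Assumes POSIX sh, awk, sort.

# Usage: classify_stealth_log < firewall.log
# Output: one "<remote-ip> <verdict> <count>" line per remote host and verdict.
classify_stealth_log() {
    awk '
    /Stealth Mode connection attempt/ {
        # ... to TCP <local-ip>:<local-port> from <remote-ip>:<remote-port>
        for (i = 1; i <= NF; i++) {
            if ($i == "to")   local_ep  = $(i + 2)
            if ($i == "from") remote_ep = $(i + 1)
        }
        split(local_ep, l, ":"); split(remote_ep, r, ":")
        lport = l[2] + 0; rport = r[2] + 0
        if (rport < 1024 && lport >= 1024) verdict = "likely-reply-to-outbound"
        else if (lport < 1024)             verdict = "inbound-probe"
        else                               verdict = "unclear"
        key = r[1] " " verdict
        count[key]++
        last = key
        next
    }
    # A repeat marker only makes sense after a classified line.
    /last message repeated [0-9]+ times/ && last != "" {
        for (i = 1; i <= NF; i++)
            if ($i == "repeated") count[last] += $(i + 1)
        next
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample: the two lines quoted in the post (re-joined onto one
# line) plus one made-up probe against local port 22 from 198.51.100.7.
SAMPLE_LOG='May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
May 20 11:02:31 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:22 from 198.51.100.7:54321'

# Stand-alone use: ./classify_stealth_log.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | classify_stealth_log
fi
```

On the sample, 209.85.143.99 is counted four times (one line plus three repeats) as likely return traffic, and the invented 198.51.100.7 shows up once as an inbound probe; the "inbound-probe" bucket is the only one worth looking up with nslookup and asking about on this forum.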

unSpawn 06-11-2011 06:15 AM

Quote:

Originally Posted by robeich (Post 4381750)
I am very very careful, and really want to figure out what's on .

That itself is a Good Thing; however, the outcome of drawing conclusions instantly, without knowledge and from incomplete data, cannot be good. Like Noway2 said, we're willing to help you, but you must provide exact and coherent data instead of feeding us possibly misinterpreted morsels of information.

