User reappears even if the operating system is reinstalled and formatted 3x
A few months ago one of my computers (HP thin client) was compromised.
I reformatted the hard drives and reinstalled Mandriva 2010. After a few days I was prompted at login with the username robert, even though there was no user robert any more (I changed to rob at the new installation). So I became nervous and formatted again 4x: first ext3, then swap, then ntfs, then reiserfs. I kept this computer off the network (used as standalone, no LAN, no WLAN). I reformatted all my USB sticks and external HDs. And now, a few days ago, the clou: robert was back again at login! But there is no user robert in /etc/shadow. Any suggestions where robert is hiding and how to stop him coming back?
If there is no user robert, then robert cannot be logging in.
I'm wondering if someone or something is trying to log into the device, and all you're seeing is the username of the last login attempt. Another thought: is it possible that someone else is logging in as root? Some thin clients allow administrative access to the OS. Or you might be able to bring it up into runlevel 1 without being prompted for a password. If someone has found a way in as root, they could be putting robert in the history to try to cover their tracks.
Thanks caritm,
but as I mentioned, this computer has no connection to any network (totally unplugged). Nobody else has access to that computer. In Control Center, ALLOW_USER_LIST is set to no. Actually no username should be displayed at all! That is working: no list is displayed, there is just user robert in the login field. Unfortunately I didn't keep the old password for user robert from the former installation (a few months ago), so I could not try to log in with the old password to figure out whether just the name appears or the old user account is hidden somewhere. Very weird.
robeich
This reminds me of something Jeff Spicoli said right before he crashed the Trans-Am he took for a joyride ;)
Hi tallship,
Thanks for asking. You don't know the old movie with Robert Redford and Paul Newman titled "The Clou"? As well, my host doesn't have the name robert! In /etc/hosts there is just 127.0.0.1 localhost. If that is not the real hostname, where does it take robert from? And as well, who, or better what, is telling the computer to fill in the name robert into the field used for the login name? That field has to be empty as determined by the settings of the computer (which is what it mostly does) when I boot the machine. By the way, who is Jeff Spicoli? I hope it's not a friend of yours.

Thanks unSpawn, last -adix and lastb -adix didn't give me any robert. With the grep I got lots of roberts in email addresses, but that's not what we are looking for?!

The problem with the HP thin client actually started when I noticed lots of traffic even when I did nothing at the machine. I installed rkhunter and chkrootkit. One told me everything was OK but warned about outdated OpenSSL, GnuPG and Apache, but even after a so-called successful update I had the same versions. And rkhunter told me it was probably Xcibit infected. After I noticed that chkrootkit told me at the prompt that everything was OK, and in /var/log as well, I noticed in messages that rows had been deleted and changed in chkrootkit.log. That was the reason for the reinstallation. But now I remember that while trying to format one partition with ext4, even after formatting it with ntfs before, the system told me there was still data on the partition, something like /var and /usr, and asked me if the files should be transferred to the new partition. I stopped, removed the hard drive and reformatted it on a different computer. Hmm,
robeich
I hope that helps :) Kindest regards,
Kind of an off-the-wall suggestion, but based upon the symptom you are reporting and past experience, would it be possible for you to put, i.e. hide, a small camera to watch the physical activity on this machine?
Sorry if the story sounds a little bit paranoid.
Probably I have to tell the story from the beginning. The paranoia story started some time last year when, while working in KWrite, all the text doubled up as a kind of shadow! After investigating I realized that I could not use ls any more, but dir did the job in the console. So I had a look at my processes and noticed a bluetooth process with high priority that couldn't be killed. So I tried to reboot; nothing happened. So I used shutdown -h now; nothing happened! So I pressed the ultimate power button. After the computer was rebooted I could use neither mouse nor keyboard! I had to remove the HD and reinstall and and…. After that story happened again a few weeks later, I joined LinuxQuestions because I realized a big lack of knowledge on my side.

During my investigations into what happened I stepped on a big security hole in my Netgear router; after months of very funny conversation with members of the support team, I was able, over the Netgear forum where I reported that incident (I could log in to my router at http://192.168.01 without a password), to get in contact with a member of the real Netgear team. Now I get, every few months, the first update of new versions to have a look at (LOVELY, I'M SO PROUD!!). And then I noticed again that bluetooth process and all the other incidents with rkhunter and chkrootkit described in my earlier threads. Since this happened I am very, very careful, and really want to figure out what's going on.

And then (now 2x), in the morning when I turn on my computer (the configuration details about logon are mentioned earlier), I found robert in the field that should be empty! As well, I found lots of entries like this on my MacBook (I kept the thin client with my Apache off the net because I got sick of having to reinstall every few weeks):

May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---

Hmm, tell me the truth unSpawn, is this paranoia or ????? Anyway, thanks to everybody who is looking after me.
robeich
209.85.143.99 is Google. To verify this yourself, do an nslookup. You can also go to their website. I really doubt they are trying to brute-force access to your machine. The connection is from port 80, which is their web page port. The higher-numbered port on your machine is likely the random port used by your browser to connect to Google. Depending on your FW settings, you may have blocked ad or cookie traffic or something along those lines.
So far, you have posted brief excerpts from a firewall log and claims of a username appearing where it should not. Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz. As a reminder, LQ Security deals in facts, not fiction, not theories, not conjecture. If you think that you may truly be compromised, we can, and will, help you investigate. Doing so would involve you performing a lot of tests to obtain information and then posting the results. It is an involved process and one not engaged upon lightly.
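The port reasoning above (remote side on a web server port, local side on a browser's ephemeral port, so the drop is a straggling reply to a session the MacBook itself opened, not an inbound probe) can be applied mechanically to the firewall log. The following is an added example written for this thread, not code from any poster or from LQ; the log lines are constructed in the format quoted above, and the verdict labels and the ephemeral-port threshold are assumptions of this script.

```python
import re

# Constructed sample in the macOS application-firewall log format quoted in the thread.
SAMPLE_LOG = """\
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
May 20 10:46:01 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:22 from 203.0.113.7:51234
"""

ATTEMPT_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<lip>[\d.]+):(?P<lport>\d+) from (?P<rip>[\d.]+):(?P<rport>\d+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 32768  # assumed lowest client-side port; Linux starts here, macOS at 49152


def classify(lport, rport):
    """Heuristic triage of one stealth-mode drop, following the thread's reasoning."""
    if rport in WEB_PORTS and lport >= EPHEMERAL_MIN:
        # Remote side is a web server, local side is a browser's random port:
        # almost certainly a late reply to a session this host opened itself.
        return "reply-to-own-session"
    if lport < 1024:
        # Remote host aimed at a well-known service port on us: a real inbound probe.
        return "inbound-probe"
    return "unclassified"


def parse_firewall_log(text):
    """Return one dict per attempt; '--- last message repeated N times ---'
    lines are folded into the preceding attempt's count."""
    events = []
    for line in text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            ev = {k: (int(v) if k.endswith("port") else v) for k, v in m.groupdict().items()}
            ev["count"] = 1
            ev["verdict"] = classify(ev["lport"], ev["rport"])
            events.append(ev)
            continue
        r = REPEAT_RE.search(line)
        if r and events:
            events[-1]["count"] += int(r.group("n"))
    return events


if __name__ == "__main__":
    for ev in parse_firewall_log(SAMPLE_LOG):
        print(f"{ev['rip']}:{ev['rport']} -> :{ev['lport']} x{ev['count']}  {ev['verdict']}")
```

Entries tagged inbound-probe are the ones worth a reverse lookup (nslookup, as suggested above) and a closer look; the rest are noise from the host's own browsing.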