LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-05-2011, 10:38 AM   #1
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Rep: Reputation: 0
user reappears even if operating system is reinstalled and 3x formatted


A few months ago one of my computers (an HP thin client) was compromised.
I reformatted the hard drives and reinstalled Mandriva 2010.

After a few days I was prompted at login with the username robert,
even though there was no longer a user robert (I changed to using rob at the new installation).

So I became nervous and formatted again 4x: first ext3, then swap, then ntfs, then
reiserfs.
I kept this computer off the network (used standalone, no LAN, no WLAN).
I reformatted all my USB sticks and external HDs.
And now, a few days ago, the clou: robert was back again at login!

But there is no user robert in /etc/shadow.
Any suggestions where robert is hiding and how to stop him coming back?
 
Old 06-05-2011, 10:51 AM   #2
carltm
Member
 
Registered: Jan 2007
Location: Canton, MI
Distribution: CentOS, SuSE, Red Hat, Debian, etc.
Posts: 703

Rep: Reputation: 97
If there is no user robert, then robert cannot be logging in.
I'm wondering if someone or something is trying to log into
the device, and all you're seeing is the username of the last
login attempt.

Another thought...is it possible that someone else is logging
in as root? Some thin clients allow administrative access
to the OS. Or you might be able to bring it up into runlevel
1 without being prompted for a password. If someone has found
a way in as root, they could be putting robert in the history
to try to cover their tracks.
 
Old 06-05-2011, 11:20 AM   #3
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Thanks carltm,
but as I mentioned, this computer has no connection to any network (totally unplugged).
Nobody else has access to that computer.
In Control Center, ALLOW_USER_LIST is set to no.
Actually no username should be displayed at all!
That is working, no list is displayed, there is just user robert in login.
Unfortunately I didn't keep the old password for user robert from the former installation (a few months ago),
so I could not try to log in with the old password to figure out if just the name appears or the old user account
is hidden somewhere.
Very weird.
robeich
 
Old 06-05-2011, 07:36 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by robeich
A few months ago one of my computers (an HP thin client) was compromised.

Was it? Any details?


Quote:
Originally Posted by robeich
And now, a few days ago, the clou: robert was back again at login! But there is no user robert in /etc/shadow. Any suggestions where robert is hiding and how to stop him coming back?

If the machine was formatted zeroing out partitions, and the username "robert" is not in /etc/{passwd,group,shadow} (meaning running '(lastb -adix; last -adix; lastlog)|grep robert' does not return anything), and you have not restored any system and user backups nor connected the machine to any network nor made any (login?) mistakes that could have made the system retain a list of user names (certainly far-fetched), then I'd first try running 'logwatch', if installed on your system, on the logs to see if there are any errors slash clues, and if there are none, go for a brute force approach: first 'grep robert -ar /home', then 'grep robert -ar /var' and finally 'grep robert -ar /etc /root /tmp'. Sure isn't efficient, but if the string is somewhere it should show.
 
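The search unSpawn describes above (login records first, then a string search through /home, /var, /etc, /root and /tmp), written out as a small POSIX shell script. This is an added example, not code from the thread or from any of its posters. It matches the name only as a whole word, skips binary files, and drops hits that are merely part of an e-mail address, which is exactly the noise a plain 'grep -ar' returns. The function names and the default directory list are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): look for a user name that the system
# should no longer know about. Two checks, mirroring the approach suggested
# above: login records first, then a whole-word search through directories
# where a leftover configuration or log entry could live.
# Function names and the default directory list are this example's own.

# check_login_records NAME: run whichever login-record tools exist on this
# system and show any line mentioning NAME as a whole word (lastb and lastlog
# normally need root). Returns 0 if something matched, 1 otherwise.
check_login_records() {
    name=$1
    found=1
    for tool in "last -adix" "lastb -adix" "lastlog"; do
        cmd=${tool%% *}
        command -v "$cmd" >/dev/null 2>&1 || continue
        if $tool 2>/dev/null | grep -w -- "$name"; then found=0; fi
    done
    return $found
}

# find_user_refs NAME DIR [DIR...]: print "file:line:text" for every text file
# under the DIRs containing NAME as a whole word, except where the only
# occurrence is inside an e-mail address (robert@example.com,
# robert.smith@example.com), which is noise for this purpose.
# Returns 1 when nothing is left after filtering.
find_user_refs() {
    name=$1; shift
    # -r recurse, -I skip binary files, -n line numbers, -w whole words only,
    # -F treat NAME as a fixed string rather than a regular expression.
    out=$(grep -rInwF -- "$name" "$@" 2>/dev/null | awk -v n="$name" '
    {
        text = $0
        sub(/^[^:]*:[0-9]+:/, "", text)      # drop the file:line prefix grep added
        m = split(text, tok, /[ \t]+/)       # examine each whitespace-separated token
        keep = 0
        for (j = 1; j <= m; j++) {
            if (index(tok[j], "@") > 0) continue             # address-like token: ignore
            if (tok[j] ~ ("(^|[^A-Za-z0-9_])" n "([^A-Za-z0-9_]|$)")) keep = 1
        }
        if (keep) print
    }')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Run directly with a name and one or more directories, e.g.
#   sh find_user_refs.sh robert /home /var /etc /root /tmp
if [ $# -ge 2 ]; then
    check_login_records "$1" || echo "no login record for $1"
    find_user_refs "$@" || echo "no remaining references to $1"
fi
```

A hit in a display-manager or autologin configuration file would look like `greeter.conf:2:AutoLoginUser=robert`, which is the kind of line worth reading; a hit that only appears inside a mail archive is filtered out before it reaches the screen.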
Old 06-07-2011, 03:35 AM   #5
tallship
Member
 
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
Blog Entries: 3

Rep: Reputation: 118

Quote:
Originally Posted by robeich
And now, a few days ago, the clou,

I have no idea what that means, whatsoever. What is a "clou"?

Quote:
Originally Posted by robeich
But there is no user robert in /etc/shadow

Of course there isn't. The name of your host is robert, and you are being presented with a login prompt.

This reminds me of something Jeff Spicoli said right before he crashed the trans-am he took for a joyride
 
Old 06-07-2011, 10:09 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177
Quote:
Originally Posted by tallship
This reminds me of something Jeff Spicoli said right before he crashed the trans-am he took for a joyride

I guess I missed that one? ("I don' watch much .. tee-vee .. you don' mean to me ...")
 
Old 06-08-2011, 08:22 AM   #7
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Hi tallship,
Thanks for asking, you don't know the old movie with Robert Redford and Paul Newman titled the clou?
As well, my host doesn't have the name robert!
In /etc/hosts there is just 127.0.0.1 localhost.
If that is not the real hostname, where does it take robert from?
And as well, who or, better, what is telling the computer to fill the name robert into the field to use for the login name?
That field has to be empty, as determined by the settings of the computer (which is what it mostly does), if I'm booting the machine.
By the way, who is Jeff Spicoli? Hope it's not a friend of yours.

Thanks unSpawn,
last -adix and lastb -adix didn't give me any robert.
With the grep I got lots of roberts in email addresses, but that's not what we are looking for?!
The problem with the HP thin client actually started as I realized lots of traffic even if I did nothing at the machine.
Installed rkhunter and chkrootkit. One told me everything is ok but I had been warned about outdated OpenSSL, GnuPGP and Apache,
but even after a so-called successful update I had the same versions.
And rkhunter told me probably Xcibit infected.
After I realized that chkrootkit told me at the prompt everything is ok, and in /var/log as well, I realized in messages that
rows had been deleted and changed in chkrootkit.log.
That was the reason for the reinstallation.
But now I remember that while trying to format one partition with ext4, even after it was formatted with ntfs before, the system told me there is
still data on the partition, something like /var and /usr, and asked me if the files should be transferred to the new partition.
I stopped, removed the hard drive and reformatted it on a different computer.
hmm
robeich
 
Old 06-08-2011, 09:01 AM   #8
tallship
Member
 
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
Blog Entries: 3

Rep: Reputation: 118

Quote:
Originally Posted by robeich
Hi tallship,
Thanks for asking, you don't know the old movie with Robert Redford and Paul Newman titled the clou?

Vaguely. I'll have to look that one up.


Quote:
Originally Posted by robeich
In /etc/hosts there is just 127.0.0.1 localhost. If that is not the real hostname, where does it take robert from?

Your hostname is in /etc/HOSTNAME


Quote:
Originally Posted by robeich
By the way, who is Jeff Spicoli?

He's one kewl dude

I hope that helps

Kindest regards,
 
Old 06-08-2011, 11:03 AM   #9
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 357
Quote:
Originally Posted by tallship
Vaguely. I'll have to look that one up.

FYI, it would appear that "The Clou" is the German name for "The Sting".
 
Old 06-08-2011, 06:43 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by MS3FGX
FYI, it would appear that "The Clou" is the German name for "The Sting".

Y'all please keep things on topic. However droll and entertaining slinging movie references may be, it is definitely not in this forum's scope.
 
Old 06-08-2011, 06:49 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by robeich
The problem with the HP thin client actually started as I realized lots of traffic even if I did nothing at the machine. Installed rkhunter and chkrootkit. One told me everything is ok but I had been warned about outdated OpenSSL, GnuPGP and Apache, but even after a so-called successful update I had the same versions. And rkhunter told me probably Xcibit infected. After I realized that chkrootkit told me at the prompt everything is ok, and in /var/log as well, I realized in messages that rows had been deleted and changed in chkrootkit.log. That was the reason for the reinstallation. (..) But now I remember that while trying to format one partition with ext4, even after it was formatted with ntfs before, the system told me there is still data on the partition, something like /var and /usr, and asked me if the files should be transferred to the new partition. I stopped, removed the hard drive and reformatted it on a different computer. hmm

While a healthy dose of paranoia may be good, reviewing your previous threads tells me you're (too?) easily alarmed by things. Not all warnings are false positives, but a lot of them may be. I suggest next time you try to gather evidence and ask for suggestions before reformatting.


Quote:
Originally Posted by robeich
last -adix and lastb -adix didn't give me any robert. With the grep I got lots of roberts in email addresses, but that's not what we are looking for?!

No, that's not it. As there are no leads right now, I suggest you wait for the next incident and post any data: check 'last' output and logs, and post log excerpts, screenshots etc.
 
Old 06-08-2011, 09:11 PM   #12
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
Kind of an off the wall suggestion, but based upon the symptom you are reporting and past experience, would it be possible for you to put, i.e. hide, a small camera to watch the physical activity on this machine?
 
Old 06-10-2011, 06:58 AM   #13
robeich
Member
 
Registered: Aug 2010
Location: Millstreet, Co. Cork, Ireland
Distribution: Linux Mint
Posts: 37

Original Poster
Rep: Reputation: 0
Sorry if the story sounds a little bit paranoid.
Probably I have to tell the story from the beginning.

The paranoia story started sometime last year when, in KWrite, while working, all the text doubled up as
a kind of shadow!
After investigating I realized that I could not use ls anymore, but dir did the job in the console.
So I had a look at my processes and realized a bluetooth process with high priority
that couldn't get killed.
So I tried to reboot, nothing happened.
So I used shutdown -h now, nothing happened!
So I pressed the ultimate power button.
After the computer was rebooted I could use neither mouse nor keyboard!
Had to remove the HD and reinstall and and....
After that story happened again a few weeks later, I joined linuxquestions because I realized
a big lack of knowledge on my side.

During my investigations into what happened I stepped on a big security hole in my Netgear router;
after months of very funny conversation with members of the support team,
I was able, over the Netgear forum where I reported that incident (I could log in to my router with http://192.168.01 without a password),
to get in contact with a member of the real Netgear team.
Now every few months I get the first update of new versions to have a look at (LOVELY, I'M SO PROUD!!).

And then I realized again that bluetooth process and all the other incidents with rkhunter and chkrootkit described in my earlier threads.
Since this happened I am very, very careful, and really want to figure out what's on.
And then (now 2x), in the morning, when I am turning on my computer (the configuration details about logon are mentioned earlier),
I found robert in the field that should be empty!

As well, I found lots of entries like this:
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
on my MacBook (I kept the thin client with my Apache off the net because I got rid of that, having to reinstall every few weeks).

Hmm, tell me the truth unSpawn, is this paranoia or ?????
Anyway, thanks to everybody who is looking after me.
robeich

Last edited by robeich; 06-10-2011 at 07:00 AM.
 
Old 06-10-2011, 09:05 AM   #14
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
209.85.143.99 is Google. To verify this yourself, do an nslookup. You can also go to their website. I really doubt they are trying to brute force access to your machine. The connection is from port 80, which is their web page port. The higher numbered port on your machine is likely the random port used by your browser to connect to Google. Depending on your FW settings, you may have blocked ad or cookie traffic or something along those lines.

So far, you have posted brief excerpts from a firewall log and claims of a username appearing where it should not. Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz. As a reminder, LQ Security deals in facts, not fiction, not theories, not conjecture. If you think that you may truly be compromised, we can, and will help you investigate. Doing so would involve you performing a lot of tests to obtain information and then posting the results. It is an involved process and one not engaged upon lightly.
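Noway2's reading of the firewall entry rests on which side of the packet carries the service port: a source port of 80 and a high, ephemeral destination port means a web server answering a connection this host opened, not someone reaching for a service on it. The following added example, not code from the thread or its posters, turns that reasoning into a small classifier for the macOS application firewall's "Stealth Mode connection attempt" lines. The function names and the third sample line (a constructed probe of port 22 from a documentation-range address) are this example's own; the first two sample lines are the ones quoted in the thread, rejoined onto single lines.

```shell
#!/bin/sh
# Added example (not from the thread): classify "Stealth Mode connection
# attempt" lines from the macOS application firewall log by which side's
# port is the service port. A packet whose SOURCE port is a well-known
# service port (80 here) and whose destination port is ephemeral is a reply
# to a connection this host opened; the reverse pattern is an inbound
# attempt to reach a service on this host. Function names and the third
# sample line are this example's own.

# classify_firewall_line LINE: print "verdict src=IP sport=N dst=IP dport=N",
# or "unparsed" for lines without a "to IP:PORT from IP:PORT" pair.
classify_firewall_line() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "to"   && i + 2 <= NF) split($(i + 2), d, ":")   # local IP:port
            if ($i == "from" && i + 1 <= NF) split($(i + 1), s, ":")   # remote IP:port
        }
        if (s[2] !~ /^[0-9]+$/ || d[2] !~ /^[0-9]+$/) { print "unparsed"; exit }
        sport = s[2] + 0; dport = d[2] + 0
        if (sport < 1024 && dport >= 1024)      verdict = "service-reply"        # answer to our own outbound connection
        else if (sport >= 1024 && dport < 1024) verdict = "inbound-to-service"   # something probing a service port here
        else                                    verdict = "unclassified"
        printf "%s src=%s sport=%d dst=%s dport=%d\n", verdict, s[1], sport, d[1], dport
    }'
}

# classify_firewall_log: read log lines on stdin, print one verdict per line.
classify_firewall_log() {
    while IFS= read -r line; do
        classify_firewall_line "$line"
    done
}

# resolve_source IP: reverse lookup with whatever resolver tool is present
# (the thread suggests nslookup). Output depends on the network, so the
# example does not check it.
resolve_source() {
    if command -v host >/dev/null 2>&1; then host "$1"; else nslookup "$1"; fi
}

# sample_log: the two lines quoted in the thread, rejoined, plus one
# constructed line showing what an inbound attempt on port 22 would look like.
sample_log() {
    cat <<'EOF'
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
May 20 11:02:31 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:22 from 198.51.100.7:51234
EOF
}

# Run directly: classify the embedded sample.
if [ $# -eq 0 ]; then sample_log | classify_firewall_log; fi
```

The 1024 boundary is the classic well-known/ephemeral split and is only a heuristic; a service deliberately run on a high port would land in "unclassified", which is the point at which a human, or a reverse lookup via resolve_source, should look at the line.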
 
Old 06-11-2011, 07:15 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582
Quote:
Originally Posted by robeich
I am very, very careful, and really want to figure out what's on.

That itself is a Good Thing; however, the outcome of drawing conclusions instantly, without knowledge and from incomplete data, cannot be good. Like Noway2 said, we're willing to help you, but you must provide exact and coherent data instead of feeding us possibly misinterpreted morsels of information.
 
  

