Personal computer hacked: How do I block this user from logging in again? How do I find out how they are logging in?


Solution 1

It looks like someone opened a guest session on your laptop while you were away from your room. If I were you I'd ask around; that may be a friend.

The guest accounts you see in /etc/passwd and /etc/shadow are not suspicious to me; they are created by the system when someone opens a guest session.

Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root

This line means root has access to the guest account, which could be normal but should be investigated. I've tried on my Ubuntu 14.04 LTS and don't see this behaviour. You should try to log in with a guest session and grep your auth.log to see if this line appears every time a guest user logs in.

As for all the Chrome windows that were open when you opened your laptop: is it possible that you were seeing the guest session desktop?
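An added example (not from any answer on this page) that runs the check this answer and the comments suggest over the auth.log excerpt from the question, embedded here as a constructed sample: it pulls out guest-account creation, su-by-root and PAM session events and counts sshd lines, which is what separates a lightdm guest session from a remote login.

```python
import re
# Constructed sample: the auth.log excerpt quoted in the question on this page.
SAMPLE_LOG = """\
Apr 27 06:55:55 Rho useradd[23872]: new group: name=guest-g20zoo, GID=999
Apr 27 06:55:55 Rho useradd[23872]: new user: name=guest-g20zoo, UID=999, GID=999, home=/tmp/guest-g20zoo, shell=/bin/bash
Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root
Apr 27 06:55:56 Rho lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-g20zoo by (uid=0)
Apr 27 06:56:51 Rho pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
"""
# Syslog prefix (timestamp, host, program, optional [pid]) followed by the message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
NEW_USER_RE = re.compile(r"new user: name=(?P<user>[^,\s]+),")
SU_RE = re.compile(r"Successful su for (?P<user>\S+) by (?P<by>\S+)")
SESSION_RE = re.compile(r"pam_unix\((?P<svc>[\w-]+):session\): session opened "
                        r"for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)")

def parse_line(line):
    # Returns the fields of one auth.log line, or None if it is not syslog-shaped.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    s = {"users_created": [], "su_by_root": [], "sessions": [], "sshd_lines": 0}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["prog"] == "sshd":            # any sshd line at all deserves a look
            s["sshd_lines"] += 1
        m = NEW_USER_RE.search(rec["msg"]) if rec["prog"] == "useradd" else None
        if m:
            s["users_created"].append(m["user"])
        m = SU_RE.search(rec["msg"]) if rec["prog"] == "su" else None
        if m and m["by"] == "root":          # root switching *to* a user, not from it
            s["su_by_root"].append(m["user"])
        m = SESSION_RE.search(rec["msg"])
        if m:                                # (PAM service, user, uid that opened it)
            s["sessions"].append((m["svc"], m["user"], int(m["uid"])))
    return s

def classify(summary):
    if summary["sshd_lines"]:
        return "sshd activity present: look for 'Accepted' lines and source IPs"
    guests = {u for u in summary["users_created"] if u.startswith("guest-")}
    autologin = {u for svc, u, _ in summary["sessions"] if svc == "lightdm-autologin"}
    if guests and guests <= autologin:       # every created guest got a lightdm session
        return "local guest session via lightdm (no sshd evidence)"
    return "inconclusive"
```

Run it over a real /var/log/auth.log (read the file into a string) to compare a known guest login against the suspicious window; no sshd lines at all means there was nothing for sshd to log.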

Solution 2

Wipe the hard drive and reinstall your operating system from scratch.

In any case of unauthorised access there is the possibility the attacker was able to get root privileges, so it is sensible to assume that it happened. In this case, auth.log appears to confirm this was indeed the case - unless this was you that switched user:

Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root

With root privileges in particular, they may have messed with the system in ways which are practically impossible to fix without a reinstall, such as by modifying boot scripts or installing new scripts and applications that run at boot, and so on. These could do things like run unauthorised network software (i.e. to form part of a botnet), or leave backdoors into your system. Trying to detect and repair this sort of thing without a reinstall is messy at best, and not guaranteed to rid you of everything.

Solution 3

I just want to mention that "multiple browser tabs/windows open, Software Center open, files downloaded to desktop" is not very consistent with someone logging into your machine via SSH. An attacker logging in via SSH would get a text console which is completely separate from what you see on your desktop. They also wouldn't need to google "how to install git" from your desktop session because they'd be sitting in front of their own computer, right? Even if they wanted to install Git (why?), they wouldn't need to download an installer because Git is in the Ubuntu repositories; anyone who knows anything about Git or Ubuntu knows that. And why did they have to google how to customize the bash prompt?

I also suspect that "There was a tab... open in my browser. It reopened several times after I closed it" was actually multiple identical tabs open so you had to close them one by one.

What I'm trying to say here is that the pattern of activity resembles a "monkey with a typewriter".

You also did not mention you even had SSH server installed - it is not installed by default.

So, if you're absolutely sure nobody had physical access to your laptop without your knowledge, and your laptop has a touchscreen, and it doesn't suspend properly, and it spent some time in your backpack, then I think it all can simply be a case of "pocket calling": random screen touches combined with search suggestions and auto-correction opened multiple windows and performed google searches, clicking on random links and downloading random files.

As a personal anecdote, it happens from time to time with my smartphone in my pocket, including opening multiple apps, changing system settings, sending semi-coherent SMS messages and watching random YouTube videos.

Solution 4

Do you have any friends that like to access your laptop remotely/physically while you're gone? If not:

Wipe the HDD with DBAN and reinstall the OS from scratch. Be sure to back up first.

Something may have been severely compromised within Ubuntu itself. When you reinstall:

Encrypt /home. If the HDD/laptop itself is ever physically stolen, they cannot gain access to the data within /home.

Encrypt the HDD. This prevents people from compromising /boot without logging in. You will also have to enter a boot-time password (I think).

Set a strong password. If someone figures out the HDD password, they cannot access /home or login.

Encrypt your WiFi. Someone may have gotten within the router's proximity and taken advantage of unencrypted WiFi and ssh'd into your laptop.

Disable the guest account. The attacker may have ssh'd into your laptop, gotten a remote connection, logged in via Guest, and elevated the Guest account to root. This is a dangerous situation. If this happened, the attacker could run this VERY DANGEROUS command:

rm -rf --no-preserve-root /

This erases A LOT of data on the HDD, trashes /home, and even worse, leaves Ubuntu completely unable to even boot. You will just get thrown into grub rescue, and you will not be able to recover from this. The attacker could also completely destroy the /home directory, and so on. If you have a home network, the attacker could also render all the other computers on that network unable to boot (if they run Linux).

I hope this helps. :)

Solution 5

The "suspicious" activity is explained by the following: my laptop no longer suspends when the lid is closed, and the laptop has a touch screen and reacted to applied pressure (possibly my cats). The provided lines from /var/log/auth.log, and the output of the who command, are consistent with a guest session login. While I disabled guest session login from the greeter, it is still accessible from the drop-down menu in the upper right-hand corner in the Unity DE. Ergo, a guest session can be opened while I am logged in.

I have tested the "applied pressure" theory; windows can and do open while the lid is closed. I also logged into a new guest session. Log lines identical to what I perceived as suspicious activity were present in /var/log/auth.log after I did this. I switched users, back to my account, and ran the who command; the output indicated there was a guest logged into the system.

The up-down arrow WiFi logo has reverted to the standard WiFi logo, and all the available connections are visible. This was a problem with our network, and is unrelated.

Author: Rosemary S

Updated on September 18, 2022

Comments

  • Rosemary S
    Rosemary S over 1 year

    I am 99.9% sure that my system on my personal computer has been infiltrated. Allow me to first give my reasoning so the situation will be clear:

    Rough timeline of suspicious activity and subsequent actions taken:

    4-26 23:00
    I ended all programs and closed my laptop.

    4-27 12:00
    I opened my laptop after it had been in suspend mode for about 13 hours. Multiple windows were open including: Two chrome windows, system settings, software center. On my desktop there was a git installer (I checked, it has not been installed).

    4-27 13:00
    Chrome history displayed logins to my email, and other search history that I did not initiate (between 01:00 and 03:00 on 4-27), including "installing git". There was a tab, Digital Ocean "How to customize your bash prompt" open in my browser. It reopened several times after I closed it. I tightened security in Chrome.

    I disconnected from WiFi, but when I reconnected there was an up-down arrow symbol instead of the standard symbol, and there was no longer a list of networks in the drop-down menu for WiFi.
    Under 'Edit Connections' I noticed my laptop had connected to a network called "GFiberSetup 1802" at ~05:30 on 4-27. My neighbors at 1802 xx Drive just had google fiber installed, so I'm guessing it's related.

    4-27 20:30
    The who command revealed that a second user named guest-g20zoo was logged into my system. This is my private laptop that runs Ubuntu; there should not be anyone else on my system. Panicking, I ran sudo pkill -9 -u guest-g20zoo and disabled Networking and WiFi.

    I looked in /var/log/auth.log and found this:

    Apr 27 06:55:55 Rho useradd[23872]: new group: name=guest-g20zoo, GID=999
    Apr 27 06:55:55 Rho useradd[23872]: new user: name=guest-g20zoo, UID=999, GID=999, home=/tmp/guest-g20zoo, shell=/bin/bash
    Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root
    Apr 27 06:55:55 Rho su[23881]: + ??? root:guest-g20zoo
    Apr 27 06:55:55 Rho su[23881]: pam_unix(su:session): session opened for user guest-g20zoo by (uid=0)
    Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session opened for user guest-g20zoo by (uid=0)
    Apr 27 06:55:56 Rho systemd-logind[767]: New session c3 of user guest-g20zoo.
    Apr 27 06:55:56 Rho su[23881]: pam_unix(su:session): session closed for user guest-g20zoo
    Apr 27 06:55:56 Rho systemd-logind[767]: Removed session c3.
    Apr 27 06:55:56 Rho lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-g20zoo by (uid=0)
    Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session closed for user guest-g20zoo
    Apr 27 06:55:56 Rho systemd-logind[767]: New session c4 of user guest-g20zoo.
    Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session opened for user guest-g20zoo by (uid=0)
    Apr 27 06:56:51 Rho pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
    Apr 27 06:56:51 Rho pkexec: pam_systemd(polkit-1:session): Cannot create session: Already running in a session

    Sorry it's a lot of output, but that's the bulk of activity from guest-g20zoo in the log, all within a couple of minutes.

    I also checked /etc/passwd:

    guest-G4J7WQ:x:120:132:Guest,,,:/tmp/guest-G4J7WQ:/bin/bash

    And /etc/shadow:

    root:!:16669:0:99999:7:::
    daemon:*:16547:0:99999:7:::
    .
    .
    .
    nobody:*:16547:0:99999:7:::
    rhobot:$6$encrypted-passwd-cut-for-length.:16918:0:99999:7:::
    guest-G4J7WQ:*:16689:0:99999:7:::
    .
    .

    I don't entirely understand what this output means for my situation. Are guest-g20zoo and guest-G4J7WQ the same user?

    lastlog shows:

    guest-G4J7WQ      Never logged in

    However, last shows:

    guest-g20zoo      Wed Apr 27 06:55 - 20:33 (13:37)

    So it seems like they are not the same user, but guest-g20zoo was nowhere to be found in the output of lastlog.

    I would like to block access for user guest-g20zoo, but since (s)he doesn't appear in /etc/shadow and, I'm assuming, doesn't use a password to log in but uses ssh, will passwd -l guest-g20zoo work?

    I tried systemctl stop sshd, but got this error message:

    Failed to stop sshd.service: Unit sshd.service not loaded

    Does this mean remote login was already disabled on my system, and therefore the above command is redundant?

    I have tried to find more information about this new user, like what ip address they logged in from, but I can't seem to find anything.

    Some potentially relevant information:
    Currently I'm connected to my university's network, and my WiFi icon looks fine, I can see all my network options, and there aren't any weird browsers popping up on their own. Does this indicate that whoever is logging into my system is within range of my WiFi router at my home?

    I ran chkrootkit and everything seemed fine, but I also don't know how to interpret all the output. I don't really know what to do here. I just want to be absolutely sure this person (or anyone else for that matter) will never be able to access my system again and I want to find and remove any hidden files created by them. Please and Thank You!

    P.S. - I already changed my password and encrypted my important files while WiFi and Networking were disabled.

    • Arronical
      Arronical about 8 years
      Are there any entries in the auth log which have sshd after the server name? If not then there's definitely been no ssh access... unless they cleaned up that part of the log, and didn't bother cleaning the other entries, which would be strange.
    • njzk2
      njzk2 about 8 years
      and then change all your passwords
    • Rosemary S
      Rosemary S about 8 years
      @Arronical There are no entries which have sshd after the server name, but I agree that removing that information but still leaving traces of themselves is odd. Is there any other way to check for a trace that someone has ssh'd into my system?
    • muru
      muru about 8 years
      If you have a solution, please post it as an answer and mark it as accepted.
  • John Dvorak
    John Dvorak about 8 years
    Not even this will work if they installed some malware into the hardware, such as if they flashed the hard drive's firmware.
  • Dmitry Grigoryev
    Dmitry Grigoryev about 8 years
    That log line you're citing means that root user switched to guest-g20zoo, not the other way around.
  • Dmitry Grigoryev
    Dmitry Grigoryev about 8 years
    @JanDvorak Do you have an example of HDD firmware acting as Linux backdoor?
  • GMasucci
    GMasucci about 8 years
    I would have to agree: if you are at all unsure about the reliability of your OS, and fear you may miss something, simply back up your data and reinstall the OS. Personally I would switch HDDs, but only so I could pull information off the old OS and find out who hacked me :)
  • Léo Lam
    Léo Lam about 8 years
    @DmitryGrigoryev but if they can su to another account from root, that means they are root.
  • Dmitry Grigoryev
    Dmitry Grigoryev about 8 years
    @LéoLam I have tons of processes which run as root on my PC. Such lines are unlikely to disappear even after the OP reinstalls his system.
  • thomasrutter
    thomasrutter about 8 years
    @DmitryGrigoryev ah I see, so that line may have been OP rather than attacker, if it was attacker then they already had root.
  • Léo Lam
    Léo Lam about 8 years
    @DmitryGrigoryev I was not referring to such log entries in general, but to the one with guest-g20zoo in particular. On a 15.10 install, switching to a guest account does not produce that entry. Nor on 14.04 according to Daniel's answer. But yes, Thomas got it right: if it was OP then it's fine, otherwise it means the attacker already had root.
  • Joshua
    Joshua about 8 years
    Due to the tight packing of the logs it's some kind of script at this point. Either it's the create-user script logging on as the user to set something up or it's his exploit script. For one as noisy as this I'd say it's non-expert and cleaning up is actually possible; but you must close the hole first.
  • Keith M
    Keith M about 8 years
    Why would he want to look at the wifi card traces... ?
  • gronostaj
    gronostaj about 8 years
    Why DBAN? Recreating partition table should be entirely sufficient, not to mention that DBAN would severely hurt a SSD if OP has one.
  • Keith M
    Keith M about 8 years
    For that matter, why would he pull out his wifi card at all
  • pipe
    pipe about 8 years
    This is the only sensible, informed, and non-kneejerk answer.
  • Rosemary S
    Rosemary S about 8 years
    The only other person who has access to my laptop is my husband, I never leave it unattended at school or in public. Also, I modified the lightdm.conf.d file to disallow Guest Session login a while ago. I think I was seeing the guest session desktop. However, I realized my laptop no longer suspends when the lid shuts, and it's a touch screen. So is it possible that windows on my desktop (not tabs in chrome) could be opened if areas of the screen were being pushed against while it was closed? Just trying to figure out what is what here.
  • LittleByBlue
    LittleByBlue about 8 years
    Why should a hacker run rm -rf /? He is going to grab all your data. Wiping out data does not make any sense.
  • LittleByBlue
    LittleByBlue about 8 years
    BTW, NEVER run rm -rf /; it might brick your complete machine, as old Linux versions (older than 4.5) do not protect the UEFI, and you would damage it if you are removing a few files from /sys/firmware/efi/efivars/.
  • Rosemary S
    Rosemary S about 8 years
    Multiple windows being opened after waking from suspend is [SOLVED]. My laptop no longer suspends upon closing the lid, it's a touch screen. It gets pushed around in my backpack, and I caught my cats walking on it at home. I've tested my theory, windows were opened due to this issue. I was not seeing the guest session desktop.
  • andy256
    andy256 about 8 years
    ... or in my case ... deleting all texts from one friend ...