
I'm a newbie to Ubuntu.
A few days back, I noticed a text file named pwn3d.txt in my home folder. The following text was in it:

You are (fully) pwn3d due to a homobraphic error on your software dependencies

I didn't notice any unusual activity and my account wasn't hacked.

But still, I panicked and reinstalled my Ubuntu (I still have Windows installed). Today I tried to dig into the logs to see if I can find any suspicious behavior, and I think I found a few things:

  1. My firewall (UFW) is blocking tons of stuff:

Example

  2. I have --slave commands, a few examples:

      update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz
      update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz
      update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz
    
  3. When I ran the following command: cat /etc/passwd|grep '/bin/bash' I got the following result alongside my own username:

    root:x:0:0:root:/root:/bin/bash
    

Any suggestions? Am I under attack? Should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?
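The two checks above (the UFW BLOCK entries, which the comments below explain are mostly the router's multicast DNS probes to DST=224.0.0.251, and the /etc/passwd grep), as an added example that is not part of the original post. The log lines and the passwd excerpt are constructed samples in the usual kernel/UFW and passwd formats; the benign-noise table is an assumption that covers only mDNS and SSDP.

```python
import re

# Constructed sample of UFW BLOCK lines (the post's screenshot is not available).
SAMPLE_UFW_LOG = """\
Jun 14 21:02:11 box kernel: [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:00:00:fb SRC=192.168.1.1 DST=224.0.0.251 LEN=72 PROTO=UDP SPT=5353 DPT=5353
Jun 14 21:02:15 box kernel: [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:7f:ff:fa SRC=192.168.1.20 DST=239.255.255.250 LEN=160 PROTO=UDP SPT=49152 DPT=1900
Jun 14 21:03:40 box kernel: [UFW BLOCK] IN=wlp2s0 OUT= MAC=aa:bb:cc:dd:ee:ff SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 SYN
Jun 14 21:03:41 box kernel: [UFW BLOCK] IN=wlp2s0 OUT= MAC=aa:bb:cc:dd:ee:ff SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=41235 DPT=23 WINDOW=29200 SYN
"""
# Constructed /etc/passwd excerpt: one root, two service accounts, one human user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
"""
# Multicast chatter that every LAN host's firewall blocks all day, keyed by (DST, PROTO, DPT).
# Assumption: only mDNS and SSDP are listed; anything else is left for a human to review.
BENIGN_LAN_NOISE = {
    ("224.0.0.251", "UDP", "5353"): "mDNS service discovery (e.g. the router)",
    ("239.255.255.250", "UDP", "1900"): "SSDP/UPnP discovery",
}

def parse_ufw_line(line):
    """Return the KEY=VALUE fields after '[UFW BLOCK]' as a dict, or {} for a non-UFW line."""
    m = re.search(r"\[UFW BLOCK\]\s*(.*)$", line)
    if not m:
        return {}
    # Bare flags such as SYN have no '=', so partition() gives them an empty value.
    return {k: v for k, _, v in (tok.partition("=") for tok in m.group(1).split())}

def triage_ufw_log(text):
    """Label each blocked packet as known LAN noise or 'review' (unicast traffic aimed at this host)."""
    out = []
    for f in (parse_ufw_line(line) for line in text.splitlines()):
        if not f:
            continue
        verdict = BENIGN_LAN_NOISE.get((f.get("DST"), f.get("PROTO"), f.get("DPT")), "review")
        out.append((f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"), verdict))
    return out

def passwd_accounts_of_interest(passwd_text):
    """Return (accounts with UID 0, accounts with an interactive login shell).
    A second UID 0 account, or a login shell on a service account, is what would actually be worrying."""
    uid0, shells = [], []
    for row in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = row.split(":")
        if uid == "0":
            uid0.append(name)
        if shell not in ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false"):
            shells.append(name)
    return uid0, shells
```

On the sample data, the two multicast lines are labelled as noise, the two SYNs to ports 22 and 23 are left for review, and the passwd check returns only root as UID 0 and root plus alice as shell accounts, the same picture the grep in point 3 gives.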

  • 1
    Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.
    – Byte Commander
    Commented Jun 14, 2019 at 21:30
  • Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? Also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root. Are these suspicious?
    – eq3wv1rk
    Commented Jun 14, 2019 at 22:33
  • 1
    Those cron entries would appear on a normal machine too, so they are not an indicator either for or against any external intrusions. Don't know about the pihole.
    – Byte Commander
    Commented Jun 14, 2019 at 23:03
  • 1
    For the other log entries, we can not tell because the lines are chopped. My guess is that they are OK as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the user knows the log branch it took from the resulting iptables rule set.
    Commented Jun 14, 2019 at 23:40

