0

Two process named gksu and two process named su-to-root appeared on my system monitor, is my computer owned? How can I be sure, and if this true, how can I rip out the intruder without full system reinstall?

Where and which logs I should check, and looking exactly for what?

I use Firestarter, but events logger appear empty(?)... what is another bad sign...

Thanks so much for any help.

Ubuntu 11.10

EDIT:

I forgot to mention a SH process running too

My 50-default.conf 

....

# First some standard log files.  Log by facility.
#
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
#cron.*             /var/log/cron.log
#daemon.*           -/var/log/daemon.log
kern.*              -/var/log/kern.log
#lpr.*              -/var/log/lpr.log
m    ail.*              -/var/log/mail.log
#user.*             -/var/log/user.log
...

AND THE PROCESS SH KEEPS REBORNING!!

H_7
  • 661
  • 2
  • 7
  • 15
  • `sudo-to-root` is a standard script to provide a dialog asking for admin password. It relies on other programs, in your case `gksu` to display the actual UI. It would be a bit strange for an intruder to use gksu because firstly this would require a graphical shell and secondly they would need to know admin's password to make any use of gksu... Are you sure you didn't have any programs running which might be asking you for admin password, such as Update Manager or Software Center? – Sergey Feb 13 '12 at 05:07
  • @Sergey Yes, I am sure, except for firestarter asking password, for sure. (?) I had a virtual machine running windows 7 asking for permissions inside windows only. I have reasons to suspect about someone knowing my password too. What scary me mostly its firestarter giving me no events at all, no logs saved... – H_7 Feb 13 '12 at 05:10
  • So firestarter was asking you for password? That would explain it, why are you saying "except"? If you suspect somebody knows your password, you need to change it immediately. How do you connect to internet? Is it possible to connect to your machine from outside your LAN at all (i.e. have you set up port forwarding etc.)? Or do you suspect the attacker may be in your LAN? – Sergey Feb 13 '12 at 05:18
  • No attacker in LAN, I connect directly. Already changed password. Maybe problems is solved and question should be closed... But I still need a solution for my no-logs firestarter. Thanks @Sergey, write as an answer so I can choose it and vote too. – H_7 Feb 13 '12 at 05:24

1 Answers1

0

I'll put my last comment as an answer:

Unless we're talking about a server with a static IP-address which is visible form internet, in most cases people connect to internet via an ADSL modem (either via wi-fi or with a LAN cable). In this case it is the modem which will have an "external" IP-address, your computer will have a "local" address like 10.1.1.1 etc. In this case it's impossible to connect to your computer from the outside world unless you configured your modem to forward certain types of packets to a certain address in your internal network.

So, unless you have a "real" IP-address, the only practical possibility to get "owned" is to download something yourself, start it and give it your root password. Or, less likely, to visit a malicious website which would exploit a not-yet-pached vulnerability in your web browser, browser plugin or something.

So I think in this case the processes you saw was Firestarter asking you for your password.

Regarding the problem with Firestarter not writing logs - please have a look at this question

Community
  • 1
Sergey
  • 43,339
  • 13
  • 106
  • 107
  • Thanks again @Sergey, but how I fix my firestarter? Reloading Events give me "Error reading system log (null), file does not exist" and open log gives "Failed to open the system log. No event information will be avaliable" – H_7 Feb 13 '12 at 05:53
  • Question edited. – H_7 Feb 13 '12 at 05:58
  • Have a look at the link I gave in the answer – Sergey Feb 13 '12 at 06:04
  • I have tryed with no sucess since my ubuntu is 11.10 and not 11.04. My file differ in this: `# First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log #daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log #lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log #user.* -/var/log/user.log ` Since this is confusion I edited question. – H_7 Feb 13 '12 at 06:36