
I am currently facing random freezes of my Ubuntu (16.04) desktop, and the screen fills up with garbage pixels. I cannot even start a command line using Ctrl-Shift-F1. Every time I have to do a hard reboot manually. After this happened a few times I decided to drill down using the log files; below are my findings.

To debug the most recent failure I checked the log file /var/log/syslog. I found the lines below:

    May 21 17:52:26 sunils-pc gnome-session[1730]: (gnome-software:1922): GsPlugin-WARNING **: failed to load stock icon preferences-system: Icon 'preferences-system' not present in theme (null)
    May 21 17:52:26 sunils-pc gnome-session[1730]: (gnome-software:1922): Gs-WARNING **: Failed to create permission org.freedesktop.packagekit.trigger-offline-update: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.freedesktop.packagekit.trigger-offline-update is not registered
    May 21 17:52:27 sunils-pc gnome-session[1730]: (gnome-software:1922): GsPlugin-WARNING **: failed to load stock icon preferences-system: Icon 'preferences-system' not present in theme (null)
    May 21 17:52:27 sunils-pc gnome-session[1730]: (gnome-software:1922): Gs-WARNING **: Failed to create permission org.freedesktop.packagekit.trigger-offline-update: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.freedesktop.packagekit.trigger-offline-update is not registered
    May 21 17:52:27 sunils-pc gnome-session[1730]: (gnome-software:1922): Gs-WARNING **: failed to get updates: no results to show
    May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM [IPv4] Got connection from client ip-147-62-102-190.netblk.digicelpanama.net
    May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM   other clients:
    May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM      ip-147-62-102-190.netblk.digicelpanama.net
    May 21 17:54:12 sunils-pc gnome-session[1730]: message repeated 6 times: [ 21/05/2016 05:54:12 PM      ip-147-62-102-190.netblk.digicelpanama.net]
    May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM Client Protocol Version 3.3
    May 21 17:54:12 sunils-pc gnome-session[1730]: ** (vino-server:1918): WARNING **: Deferring authentication of 'ip-147-62-102-190.netblk.digicelpanama.net' for 5 seconds
    May 21 17:54:18 sunils-pc gnome-session[1730]: ** (vino-server:1918): WARNING **: VNC authentication failure from 'ip-147-62-102-190.netblk.digicelpanama.net'
    May 21 17:54:18 sunils-pc gnome-session[1730]: 21/05/2016 05:54:18 PM rfbAuthPasswordChecked: password check failed

It looks like some program at "ip-147-62-102-190.netblk.digicelpanama.net" is trying to connect to my remote desktop server. I do not know what this host is; I have never heard of it before. I checked the website "digicelpanama.net", which points to a web page in a language I do not know.

I have observed this log message a couple of times, and its timestamp matches exactly with the Ubuntu crash.

I would like to know

  1. Is my system under attack?
  2. What should I do about it?
  3. Is there any other way to debug the crash?

I am currently using an Intel Skylake i7 6700 and an Asus H170 Pro Gaming motherboard.

Can someone please help with this?

Xinus
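The triage the question does by hand, as an added example that is not part of the original post: the script parses vino-server's connection and authentication-failure lines out of a traditional syslog file, summarises them per remote host, and lists the VNC events that fall in the window just before the freeze. The sample lines are constructed (copied from the question, plus one line with the placeholder address 203.0.113.7 so that a second host appears); the year 2016, the freeze time and the script name vnc_triage.py are assumptions.

```python
"""Triage vino-server (GNOME Desktop Sharing / VNC) events in a syslog file
and correlate them with the time of a freeze.

Added example, not code from the original post.  SAMPLE_SYSLOG is constructed:
the first seven lines are copied from the question, the last one uses a
placeholder address (203.0.113.7, a documentation range) for a second host.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SYSLOG = """\
May 21 17:52:27 sunils-pc gnome-session[1730]: (gnome-software:1922): Gs-WARNING **: failed to get updates: no results to show
May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM [IPv4] Got connection from client ip-147-62-102-190.netblk.digicelpanama.net
May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM   other clients:
May 21 17:54:12 sunils-pc gnome-session[1730]: 21/05/2016 05:54:12 PM Client Protocol Version 3.3
May 21 17:54:12 sunils-pc gnome-session[1730]: ** (vino-server:1918): WARNING **: Deferring authentication of 'ip-147-62-102-190.netblk.digicelpanama.net' for 5 seconds
May 21 17:54:18 sunils-pc gnome-session[1730]: ** (vino-server:1918): WARNING **: VNC authentication failure from 'ip-147-62-102-190.netblk.digicelpanama.net'
May 21 17:54:18 sunils-pc gnome-session[1730]: 21/05/2016 05:54:18 PM rfbAuthPasswordChecked: password check failed
May 21 17:58:40 sunils-pc gnome-session[1730]: ** (vino-server:1918): WARNING **: VNC authentication failure from '203.0.113.7'
"""

# Traditional syslog prefix: "Mon DD HH:MM:SS host rest-of-line" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)

# Message fragments exactly as they appear in the vino-server output quoted above.
VNC_PATTERNS = {
    "connect": re.compile(r"Got connection from client (\S+)"),
    "auth_deferred": re.compile(r"Deferring authentication of '([^']+)'"),
    "auth_failure": re.compile(r"VNC authentication failure from '([^']+)'"),
}


def parse_timestamp(stamp, year):
    """Syslog omits the year, so the caller supplies it (assumed 2016 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def vnc_events(text, year):
    """Return [(timestamp, kind, remote_host)] for every VNC-related line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for kind, pattern in VNC_PATTERNS.items():
            hit = pattern.search(m.group("rest"))
            if hit:
                events.append((parse_timestamp(m.group("ts"), year), kind, hit.group(1)))
                break
    return events


def _new_entry():
    entry = {kind: 0 for kind in VNC_PATTERNS}
    entry["first"] = entry["last"] = None
    return entry


def summarize_by_host(events):
    """Per remote host: a count of each event kind plus first/last seen."""
    summary = defaultdict(_new_entry)
    for ts, kind, host in events:
        entry = summary[host]
        entry[kind] += 1
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(summary)


def events_before(events, freeze_at, window_seconds=120):
    """VNC events in the window ending at freeze_at (the last timestamp written
    before the machine stopped responding).  A hit here is a temporal
    association only; the log by itself cannot show that VNC caused the freeze."""
    start = freeze_at - timedelta(seconds=window_seconds)
    return [e for e in events if start <= e[0] <= freeze_at]


def report(text, year, freeze_at, window_seconds=120):
    """Human-readable triage output, returned as a string so it is testable."""
    events = vnc_events(text, year)
    lines = []
    for host, entry in sorted(summarize_by_host(events).items()):
        lines.append(
            f"{host}: connect={entry['connect']} deferred={entry['auth_deferred']} "
            f"auth_failure={entry['auth_failure']} first={entry['first']} last={entry['last']}"
        )
    near = events_before(events, freeze_at, window_seconds)
    lines.append(f"{len(near)} VNC event(s) in the {window_seconds}s before {freeze_at}:")
    lines.extend(f"  {ts}  {kind:<14} {host}" for ts, kind, host in near)
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 vnc_triage.py [/var/log/syslog]; with no argument the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSLOG
    print(report(text, year=2016, freeze_at=datetime(2016, 5, 21, 17, 54, 18)))
```

On the quoted log this reports one connection, one deferred authentication and one password failure from the digicelpanama.net host, and no line recording a successful authentication. That is what the log supports: an unauthenticated client reaching the VNC port from the Internet (which the comments trace to a port forward on the router), not a compromise. The timestamp match with the freeze is a correlation the script can surface but not explain; the kernel log and auth.log from the same window are where to look for the crash itself and for other services that the same address may have reached. If a log spans a year boundary, pass the year per file rather than once.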
  • But if the logs show that they used an incorrect password, how could they gain control? Why would VNC crash *the system* on a wrong password? –  May 21 '16 at 13:05
  • I am not sure, but this is some unknown address; why is it trying to connect to my machine? Maybe it is exploiting bugs in Ubuntu's remote VNC software that do not show up in the logs? The log shows it repeats itself 6 times: "May 21 17:54:12 sunils-pc gnome-session[1730]: message repeated 6 times: [ 21/05/2016 05:54:12 PM ip-147-62-102-190.netblk.digicelpanama.net]" – Xinus May 21 '16 at 13:11
  • @Xinus unplug your machine from the network. – Avamander May 21 '16 at 13:17
  • @Avamander: But that's not the solution – Xinus May 21 '16 at 13:20
  • @Xinus I didn't post this as an answer. I told it to give you time in case someone already has successfully logged into the machine. – Avamander May 21 '16 at 13:29
  • I don't understand the log, but you can install fail2ban and gufw to block incoming connections. – eri0o May 21 '16 at 13:32
  • Restart the machine, *and stop VNC server as soon as booted*. Then look at `/var/log/auth.log` for a log of all logins/login attempts. Also look around for suspicious files. –  May 21 '16 at 13:49
  • Also, doesn't `vino` (Ubuntu's default VNC server) have an option that requires you to confirm all connections? –  May 21 '16 at 13:49
  • I have disabled remote desktop now until this gets resolved; hopefully it did not infect my system. – Xinus May 21 '16 at 13:59
  • If you are not using remote desktop sharing, then go to `Desktop Sharing` in the Ubuntu dash, and uncheck the sharing options. As a general rule, you should not expose open ports to the public internet anyway (use UFW or iptables and/or turn OFF any unneeded port forwarding at your router) – steeldriver May 21 '16 at 14:00
  • @steeldriver: Thanks, I almost forgot about the forwarded ports on the router. I have removed them now. – Xinus May 21 '16 at 14:06

0 Answers