Author Topic: Security Worry  (Read 722 times)

Offline trustytrev

  • Sr. Member
  • ****
  • Posts: 472
Security Worry
« on: May 22, 2012, 10:32:42 AM »
Hello,
      My elderly mother advised that someone communicated from her computer while she wasn't using it on Friday 18th this month. It appears they were cut off in mid sentence while referring to downloading software or something. The monitor was blanked due to power-saving at the time. It all sounded very suspicious to me and alarm bells started ringing.
       Upon looking for an explanation I discovered only logs relating to after this date in PCC/System/view and search system logs appear to remain. Everything dated prior to this has disappeared. The history in the Firefox browser prior to the date in question also no longer exists.
Does this sound like a security compromise on my mother's computer or could there be another explanation? I am thinking I need to do a fresh install to ensure everything is secure again. Any advice is welcome. :o
trustytrev.
If there's a harder way to do something I'll probably find it.

Offline muungwana

  • Hero Member
  • *****
  • Posts: 6235
Re: Security Worry
« Reply #1 on: May 22, 2012, 10:59:18 AM »

A fresh install, if possible, will be a proper course of action. If somebody gained access to it, you can't be certain they didn't do anything harmful simply by looking at logs and running diagnostic checks.

The only way anybody can access the computer is if they use it while physically present next to it. Having the computer use a password to log in and making sure she logs out when not using the computer will stop the casual troublemaker. Encryption of the root and home partitions will stop even the more serious troublemaker.

Getting access to the computer remotely is also possible if a program that allows remote access is up and running and isn't configured properly. A program that comes to mind that can allow this is ssh, but there are others.

Having a firewall up will bounce off all incoming traffic and you won't have to worry about what services are running and what are not.

.. 3 things are certain in life : death, taxes and software bloat ..
.. tell me something i don't know, something i can use as i struggle to reason with the world around me ..

Offline trustytrev

  • Sr. Member
  • ****
  • Posts: 472
Re: Security Worry
« Reply #2 on: May 22, 2012, 11:18:41 AM »
Hello,
Quote
Having a firewall up will bounce off all incoming traffic and you won't have to worry about what services are running and what are not.
That is the worrying thing, Shorewall is/was running.
trustytrev.

Offline muungwana

  • Hero Member
  • *****
  • Posts: 6235
Re: Security Worry
« Reply #3 on: May 22, 2012, 11:28:12 AM »

Are you sure she explained what happened properly?

If the firewall was up and running and configured properly, then whoever used the computer didn't use it over the network.

A computer monitor not in use would suggest somebody using her internet access but not her computer, or her computer but with a different monitor. Does the computer use the internet through a wired connection? Maybe somebody plugged their computer into her cable slot, changed the MAC address to impersonate her and went online as her.


Online Just17

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 10632
  • MLUs Forever!
Re: Security Worry
« Reply #4 on: May 22, 2012, 11:30:56 AM »
Quote
My elderly mother advised that someone communicated from her computer while she wasn't using it on Friday 18th this month. It appears they were cut off in mid sentence while referring to downloading software or something.

That is not at all clear .......  and without clarity everything will be a guess ...

communicate how? ......  text, voice, video?  if the monitor was blank the PC was unattended?

what was she doing at the time?  at/near the PC? elsewhere?



If you have any doubts, then reinstall with a completely new user's /home setup.

MLUs rule the roost!

Linux XPS 3.2.18-pclos2.pae.bfs  32 bit
Intel Core2 Quad CPU Q9450 @ 2.66GHz
4 GB RAM
MCP51 High Def Audio
GeForce GTX 550 Ti
PHILIPS  DVD+-RW DVD8701
Logitech BT Mini-Receiver
Afatech DTT

Offline trustytrev

  • Sr. Member
  • ****
  • Posts: 472
Re: Security Worry
« Reply #5 on: May 22, 2012, 12:49:02 PM »
Hello,
      It is a wired ADSL internet connection. The screen saver is set to blank the monitor after a period of time not being used. Mum was in the same room but not using the computer at the time. No one else had physical access to the machine. She phoned to tell me she had heard someone talking about downloading and that it cut in mid sentence, then asked me what she should do. I told her to shut the machine down till I could look at it. As she is in her eighties she relies on me and PCLinuxOS to do her online shopping and speak to family members on Skype as well as email. I thought perhaps she may have clicked on something while she was using the browser. I often find multiple things open but forgotten about. :)
trustytrev.

Online Just17

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 10632
  • MLUs Forever!
Re: Security Worry
« Reply #6 on: May 22, 2012, 01:03:03 PM »
I would wonder if she had Skype running?  A forgotten connection?

Offline muungwana

  • Hero Member
  • *****
  • Posts: 6235
Re: Security Worry
« Reply #7 on: May 22, 2012, 01:17:02 PM »
Quote
I would wonder if she had Skype running?  A forgotten connection?

I am thinking the same thing, probably there was an application running that produced the sound she heard coming from the computer. You removed any clues when you asked her to shut down the computer. If she was in the presence of the computer, then you should have just asked her to disconnect from the internet to deny any access if the threat came through the network, and you could have examined the computer with the running applications at the time.

I would sign this off as a false alarm.

Offline T6

  • Super Villain
  • ******
  • Posts: 19077
  • xmas is coming!
Re: Security Worry
« Reply #8 on: May 22, 2012, 02:05:32 PM »
maybe a page in firefox opened a second site with a video chat room?

i have seen many of those in opera, firefox and chrome recently, the browser can't stop them anymore from opening without your authorization

also could be a video she opened but didn't load so she left it unattended and when it finally could be played made the noise?

that could explain the sound but the logs you mention are completely different, not sure if related or not and what that means, if a real intrusion or just that the system deleted old entries

the machine has a firewall if i understood correctly but sometimes a router is a better option than connecting directly to the modem

i'm not sure if you could put one for an extra layer of protection without making things more complicated

it will have wifi but if you don't use it or don't want it, some d-link models will let you disable the wifi signal
"If you wish to make an apple pie from scratch, you must first invent the universe."

Carl Sagan

Offline menotu

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 15289
  • ┌∩┐(◕_◕)┌∩┐
Re: Security Worry
« Reply #9 on: May 22, 2012, 02:36:37 PM »
And my thinking is that most "intruders" (ones with any sense  :)  ) would copy data and not move/delete it
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Offline T6

  • Super Villain
  • ******
  • Posts: 19077
  • xmas is coming!
Re: Security Worry
« Reply #10 on: May 22, 2012, 02:46:41 PM »
if the intrusion was made by a hacker, he surely would delete any file that could show what he did or completely hide the intrusion

unfortunately a hacker is not a concern but a cracker is, not many hackers out there anymore  :(

Offline trustytrev

  • Sr. Member
  • ****
  • Posts: 472
Re: Security Worry
« Reply #11 on: May 23, 2012, 10:19:08 AM »
Hello,
      Connection to the phone line is via an ADSL router which has a firewall. The firewall with PCLinuxOS was/is still active. It does not have a wireless capability.
What puzzles me is
Quote
I discovered only logs relating to after this date in PCC/System/view and search system logs appear to remain. Everything dated prior to this has disappeared. The history in the Firefox browser prior to the date in question also no longer exists
Is there any simple reason for this to be so, as logs and histories on my own machines go back to original installations as far as I am aware?
Surely that is the point of having them. Only I have Root access to the machine that is causing concern so I would have thought logs being removed would be impossible without me knowing. ???
trustytrev.

Offline AS

  • Hero Member
  • *****
  • Posts: 4111
  • Have a nice ... night!
Re: Security Worry
« Reply #12 on: May 23, 2012, 10:23:42 AM »
Quote
Hello,
      Connection to the phone line is via an ADSL router which has a firewall. The firewall with PCLinuxOS was/is still active. It does not have a wireless capability.
What puzzles me is
Quote
I discovered only logs relating to after this date in PCC/System/view and search system logs appear to remain. Everything dated prior to this has disappeared. The history in the Firefox browser prior to the date in question also no longer exists
Is there any simple reason for this to be so, as logs and histories on my own machines go back to original installations as far as I am aware?
Surely that is the point of having them. Only I have Root access to the machine that is causing concern so I would have thought logs being removed would be impossible without me knowing. ???
trustytrev.

logs are periodically deleted from a cron job, so what appears strange to me is that you have logs back to the original install ...

Offline trustytrev

  • Sr. Member
  • ****
  • Posts: 472
Re: Security Worry
« Reply #13 on: May 23, 2012, 02:02:35 PM »
Hello,
Quote
logs are periodically deleted from a cron job, so what appears strange to me is that you have logs back to the original install ...
I may have made an incorrect assumption about logs going back to installation.
Is there somewhere one can find how long logs are retained? Or can the time span for deletion be altered?
Thanks.
trustytrev. :)

Offline AS

  • Hero Member
  • *****
  • Posts: 4111
  • Have a nice ... night!
Re: Security Worry
« Reply #14 on: May 23, 2012, 02:22:10 PM »
Quote
Hello,
Quote
logs are periodically deleted from a cron job, so what appears strange to me is that you have logs back to the original install ...
I may have made an incorrect assumption about logs going back to installation.
Is there somewhere one can find how long logs are retained? Or can the time span for deletion be altered?
Thanks.
trustytrev. :)

log files are compressed / deleted by the logrotate command, run from a cron job: /etc/cron.d/logrotate. logs are compressed / deleted according to the settings in /etc/logrotate.conf and /etc/logrotate.d/*.

the man pages may provide further details:
Code:
man logrotate
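
Added example (not part of the original thread): a small shell function that reads logrotate configuration and reports, per log file, roughly how many days of rotated history are kept, which is the window outside of which older entries disappear on their own. The function name and the sample configuration are constructed for illustration; it assumes each stanza opens with its paths and `{` on one line, and it ignores `include`, `size` and `maxage`.

```shell
#!/bin/sh
# Added example: estimate logrotate retention from its configuration.
# Usage on a real system: logrotate_retention /etc/logrotate.conf /etc/logrotate.d/*
logrotate_retention() {
    awk '
    function days(f) {
        if (f == "daily") return 1;   if (f == "weekly") return 7
        if (f == "monthly") return 30; if (f == "yearly") return 365
        return 0
    }
    function report(name, f, r) {
        # "rotate N" keeps N old files, each covering one rotation period
        printf "%s %s rotate=%d approx_days=%d\n", name, (f == "" ? "unset" : f), r, r * days(f)
    }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }  # drop comments, trim
    $0 == "" { next }
    !in_stanza && /[{]$/ {                  # "/var/log/a /var/log/b {" opens a stanza
        sub(/[ \t]*[{]$/, ""); names = $0
        in_stanza = 1; sf = gf; sr = gr     # a stanza inherits the global settings
        next
    }
    in_stanza && $0 == "}" {
        n = split(names, p, /[ \t]+/)
        for (i = 1; i <= n; i++) report(p[i], sf, sr)
        in_stanza = 0; next
    }
    /^(daily|weekly|monthly|yearly)$/ { if (in_stanza) sf = $1; else gf = $1; next }
    $1 == "rotate" { if (in_stanza) sr = $2; else gr = $2; next }
    END { report("(global)", gf, gr) }
    ' "$@"
}

# Constructed sample configuration, not taken from a real system.
sample_conf() {
    cat <<'EOF'
# global defaults
weekly
rotate 4
compress

/var/log/messages /var/log/secure {
    monthly
    rotate 12
}

/var/log/wtmp {
    rotate 1
}
EOF
}

sample_conf | logrotate_retention
```

Raising the `rotate` count (or choosing a longer period) in the relevant stanza lengthens the window; see `man logrotate` for the other directives.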