Ubuntu – Personal computer hacked: How to block this user from logging in again? How to find out how they are logging in

passwd-file, security, ssh

I am 99.9% sure that my system on my personal computer has been infiltrated. Allow me to first give my reasoning so the situation will be clear:

Rough timeline of suspicious activity and subsequent actions taken:

4-26 23:00
I ended all programs and closed my laptop.

4-27 12:00
I opened my laptop after it had been in suspend mode for about 13 hours. Multiple windows were open, including two Chrome windows, system settings, and software center. On my desktop there was a git installer (I checked, it has not been installed).

4-27 13:00
Chrome history displayed logins to my email, and other search history that I did not initiate (between 01:00 and 03:00 on 4-27), including "installing git". There was a tab, Digital Ocean "How to customize your bash prompt" open in my browser. It reopened several times after I closed it. I tightened security in Chrome.

I disconnected from WiFi, but when I reconnected there was an up-down arrow symbol instead of the standard symbol, and there was no longer a list of networks in the drop-down menu for WiFi.
Under 'Edit Connections' I noticed my laptop had connected to a network called "GFiberSetup 1802" at ~05:30 on 4-27. My neighbors at 1802 xx Drive just had google fiber installed, so I'm guessing it's related.

4-27 20:30
The who command revealed that a second user named guest-g20zoo was logged into my system. This is my private laptop that runs Ubuntu; there should not be anyone else on my system. Panicking, I ran sudo pkill -9 -u guest-g20zoo and disabled Networking and WiFi.

I looked in /var/log/auth.log and found this:

Apr 27 06:55:55 Rho useradd[23872]: new group: name=guest-g20zoo, GID=999  
Apr 27 06:55:55 Rho useradd[23872]: new user: name=guest-g20zoo, UID=999, GID=999, home=/tmp/guest-g20zoo, shell=/bin/bash    
Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root  
Apr 27 06:55:55 Rho su[23881]: + ??? root:guest-g20zoo  
Apr 27 06:55:55 Rho su[23881]: pam_unix(su:session): session opened for user guest-g20zoo by (uid=0)  
Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session opened for user guest-g20zoo by (uid=0)  
Apr 27 06:55:56 Rho systemd-logind[767]: New session c3 of user guest-g20zoo.  
Apr 27 06:55:56 Rho su[23881]: pam_unix(su:session): session closed for user guest-g20zoo  
Apr 27 06:55:56 Rho systemd-logind[767]: Removed session c3.  
Apr 27 06:55:56 Rho lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-g20zoo by (uid=0)  
Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session closed for user guest-g20zoo  
Apr 27 06:55:56 Rho systemd-logind[767]: New session c4 of user guest-g20zoo.  
Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session opened for user guest-g20zoo by (uid=0)  
Apr 27 06:56:51 Rho pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)  
Apr 27 06:56:51 Rho pkexec: pam_systemd(polkit-1:session): Cannot create session: Already running in a session

Sorry it's a lot of output, but that's the bulk of activity from guest-g20zoo in the log, all within a couple of minutes.

I also checked /etc/passwd:

guest-G4J7WQ:x:120:132:Guest,,,:/tmp/guest-G4J7WQ:/bin/bash

And /etc/shadow:

root:!:16669:0:99999:7:::  
daemon:*:16547:0:99999:7:::  
.  
.  
.   
nobody:*:16547:0:99999:7:::  
rhobot:$6$encrypted-passwd-cut-for-length.:16918:0:99999:7:::  
guest-G4J7WQ:*:16689:0:99999:7:::  
.  
.

I don't entirely understand what this output means for my situation. Are guest-g20zoo and guest-G4J7WQ the same user?

lastlog shows:

guest-G4J7WQ      Never logged in

However, last shows:

guest-g20zoo      Wed Apr 27 06:55 - 20:33 (13:37)

So it seems like they are not the same user, but guest-g20zoo was nowhere to be found in the output of lastlog.

I would like to block access for user guest-g20zoo, but since (s)he doesn't appear in /etc/shadow and I'm assuming doesn't use a password to log in but uses ssh, will passwd -l guest-g20zoo work?

I tried systemctl stop sshd, but got this error message:

Failed to stop sshd.service: Unit sshd.service not loaded

Does this mean remote login was already disabled on my system, and therefore the above command is redundant?

I have tried to find more information about this new user, like what ip address they logged in from, but I can't seem to find anything.

Some potentially relevant information:
Currently I'm connected to my university's network, and my WiFi icon looks fine, I can see all my network options, and there aren't any weird browsers popping up on their own. Does this indicate that whoever is logging into my system is within range of my WiFi router at my home?

I ran chkrootkit and everything seemed fine, but I also don't know how to interpret all the output. I don't really know what to do here. I just want to be absolutely sure this person (or anyone else for that matter) will never be able to access my system again and I want to find and remove any hidden files created by them. Please and Thank You!

P.S. – I already changed my password and encrypted my important files while WiFi and Networking were disabled.

Best Answer

It looks like someone opened a guest session on your laptop while you were away from your room. If I were you I'd ask around; that may be a friend.

The guest accounts you see in /etc/passwd and /etc/shadow are not suspicious to me; they are created by the system when someone opens a guest session.

Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root

This line means root has access to the guest account, which could be normal but should be investigated. I've tried on my Ubuntu 14.04 LTS and don't see this behaviour. You should try to log in with a guest session and grep your auth.log to see if this line appears every time a guest user logs in.

All the open Chrome windows that you saw when you opened your laptop: is it possible that you were seeing the guest session desktop?
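The answer's suggestion to grep auth.log, worked out as an added example (this is not code from the question or the answer): a small POSIX shell script that reads an auth.log in the format quoted above and reports, for every guest-* account, how it was created and which PAM service opened its sessions, which is how you tell a guest session started at the login screen (lightdm-autologin) from a remote login (sshd). The sample log lines below, the account guest-abc123 and the address 203.0.113.7 are constructed.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Assumes the standard
# Ubuntu auth.log syslog line format shown in the question.

# Constructed sample log, modelled on the lines quoted in the question plus
# one constructed ssh login so both paths are exercised.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 27 06:55:55 Rho useradd[23872]: new user: name=guest-g20zoo, UID=999, GID=999, home=/tmp/guest-g20zoo, shell=/bin/bash
Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root
Apr 27 06:55:55 Rho su[23881]: pam_unix(su:session): session opened for user guest-g20zoo by (uid=0)
Apr 27 06:55:56 Rho systemd: pam_unix(systemd-user:session): session opened for user guest-g20zoo by (uid=0)
Apr 27 06:55:56 Rho lightdm: pam_unix(lightdm-autologin:session): session opened for user guest-g20zoo by (uid=0)
Apr 28 09:12:01 Rho sshd[4012]: Accepted publickey for guest-abc123 from 203.0.113.7 port 51234 ssh2: RSA SHA256:constructed
Apr 28 09:12:01 Rho sshd[4012]: pam_unix(sshd:session): session opened for user guest-abc123 by (uid=0)
EOF

# "user home" for each guest-* account useradd created. A home under /tmp is
# the pattern the question's own useradd line shows for a guest session.
guest_account_creations() {
    sed -nE 's/.*useradd\[[0-9]+\]: new user: name=(guest-[^,]+), .*home=([^,]+),.*/\1 \2/p' "$1"
}

# "user<TAB>path" for every session opened for a guest-* account, keyed on the
# PAM service name. systemd-user sessions are dropped: they accompany any
# login and say nothing about how the user got in.
guest_session_paths() {
    sed -nE 's/.*pam_unix\(([^:]+):session\): session opened for user (guest-[^ ]+).*/\2 \1/p' "$1" |
    awk '{ path = $2
           if (path == "systemd-user") next
           if (path == "lightdm-autologin") path = "local-guest-session"
           if (path == "sshd") path = "ssh"
           print $1 "\t" path }' |
    LC_ALL=C sort -u
}

# "user source-address" for guest-* accounts that sshd actually accepted.
# No output here means the guest never arrived over ssh in this log.
ssh_sources() {
    sed -nE 's/.*sshd\[[0-9]+\]: Accepted [a-z-]+ for (guest-[^ ]+) from ([0-9a-fA-F.:]+) port.*/\1 \2/p' "$1"
}

# Run against the real file with: guest_session_paths /var/log/auth.log
echo "accounts created:";  guest_account_creations "$SAMPLE_LOG"
echo "session paths:";     guest_session_paths "$SAMPLE_LOG"
echo "ssh sources:";       ssh_sources "$SAMPLE_LOG"
```

Run on the question's own log, guest-g20zoo shows only local-guest-session and su paths and no ssh source, which is what the answer describes.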