I was hacked? (am I a slave?)


I'm a newbie to Ubuntu.

A few days back, I noticed a text file named pwn3d.txt in my home folder. The following text was in it:

    You are (fully) pwn3d due to a homobraphic error on your software dependencies

I didn't notice any unusual activity and my account wasn't hacked.

But still, I panicked and reinstalled my Ubuntu (I still have Windows installed).
Today I tried to dig into the logs to see if I can find any suspicious behavior, and I think I found a few:

  1. My firewall (UFW) is blocking tons of stuff:

     Example (screenshot of the log entries; image not reproduced here)

  2. I have --slave commands, a few examples:

         update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz
         update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz
         update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz

  3. When I ran the following command: cat /etc/passwd|grep '/bin/bash'
     I got the following result alongside my own username:

         root:x:0:0:root:/root:/bin/bash

Any suggestions? Am I under attack? Should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?










Tags: 18.04 security ufw logs hacking






edited Jun 14 at 21:19 by guntbert

asked Jun 14 at 21:12 by eq3wv1rk
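An added check, not from the question or its comments: the root line quoted above is the stock Ubuntu entry, since root keeps /bin/bash as its shell while its password stays locked in /etc/shadow, so what would merit a second look is a second UID 0 account, an interactive shell on an account you did not create, or a root entry whose password has been unlocked. The script below runs those checks; its passwd/shadow contents and user names are constructed samples.

```python
from collections import namedtuple

# Constructed sample of /etc/passwd: only the root line is the one quoted in the question; the rest is
# made up, including two deliberately suspicious accounts ('toor' and 'svc').
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
svc:x:1001:1001::/var/lib/svc:/bin/bash
"""

# Constructed /etc/shadow sample. A stock Ubuntu root entry carries '!' or '*' in the password field:
# no usable password, even though root's shell is /bin/bash. The hashes here are placeholders.
SHADOW_SAMPLE = """\
root:!:18000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:18000:0:99999:7:::
toor:$6$saltsalt$placeholderhash:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/fish"}
PasswdEntry = namedtuple("PasswdEntry", "name uid gid home shell")


def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":")
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_shadow(text):
    """Map user name -> password field of /etc/shadow."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line}


def audit(passwd_text, shadow_text, expected_users):
    """Return human-readable findings; an empty list means the account table looks like a stock install."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for e in parse_passwd(passwd_text):
        # A missing shadow entry is treated as locked; '!' and '*' both mean no valid password.
        locked = shadow.get(e.name, "!").startswith(("!", "*"))
        if e.uid == 0 and e.name != "root":
            findings.append(f"extra UID 0 account: {e.name} (shell {e.shell})")
        elif e.name == "root" and not locked:
            findings.append("root has a usable password set; Ubuntu ships with it locked")
        elif e.shell in INTERACTIVE_SHELLS and e.name != "root" and e.name not in expected_users:
            findings.append(f"unexpected interactive shell: {e.name} ({e.shell}, uid {e.uid})")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, expected_users={"alice"}):
        print(finding)
```

On a real machine, pass the contents of /etc/passwd and /etc/shadow (reading the latter needs sudo) and your own user name as expected_users.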




  • Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either; that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

    – Byte Commander
    Jun 14 at 21:30

  • Thanks. I have Pi-hole configured as my DNS; could it cause all the remaining log entries? Also, I locked my computer for an hour to see what happens, and I noticed the following log entries (logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root. Are these suspicious?

    – eq3wv1rk
    Jun 14 at 22:33

  • Those cron entries would appear on a normal machine too, so they are an indicator neither for nor against any external intrusion. Don't know about the Pi-hole.

    – Byte Commander
    Jun 14 at 23:03

  • For the other log entries, we cannot tell because the lines are chopped. My guess is that they are OK as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the user knows the log branch it took from the resulting iptables rule set.

    – Doug Smythies
    Jun 14 at 23:40
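Following up on the two comments about UFW's single "UFW BLOCK" prefix and the DST=224.0.0.251 entries, here is an added triage script (not from the thread) that parses such syslog lines, labels the usual LAN chatter (mDNS, SSDP, broadcast) and leaves only Internet-sourced drops for review. The syslog excerpt, the host name, the interface and the 192.168.1.0/24 LAN are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog excerpt in the format UFW writes to /var/log/syslog; not the asker's real log.
# Addresses use private (192.168.1.0/24) and documentation (203.0.113.0/24) ranges.
SAMPLE_LOG = """\
Jun 14 21:00:01 pc kernel: [100.1] [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.1 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jun 14 21:00:02 pc kernel: [100.2] [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:7f:ff:fa:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.20 DST=239.255.255.250 LEN=400 TOS=0x00 PREC=0x00 TTL=4 ID=1 PROTO=UDP SPT=50000 DPT=1900 LEN=380
Jun 14 21:00:03 pc kernel: [100.3] [UFW BLOCK] IN=wlp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.1 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 14 21:00:04 pc kernel: [100.4] [UFW BLOCK] IN=wlp2s0 OUT= MAC=aa:bb:cc:dd:ee:02:aa:bb:cc:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 21:00:05 pc CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 14 21:00:06 pc kernel: [100.6] [UFW BLOCK] IN=wlp2s0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.1 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=4 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jun 14 21:00:07 pc kernel: [100.7] [UFW BLOCK] IN=wlp2s0 OUT= MAC=aa:bb:cc:dd:ee:02:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.30 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=55000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the home LAN of the constructed sample
FIELD_RE = re.compile(r"(\w+)=(\S*)")        # KEY=VALUE tokens; bare flags such as DF or SYN are skipped


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' line, or None for any other syslog line."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]))


def classify(fields):
    """Label one dropped packet; only 'external' drops are really worth reviewing one by one."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    dpt = fields.get("DPT")
    if str(dst) in ("224.0.0.251", "ff02::fb") and dpt == "5353":
        return "mdns"             # multicast DNS from the router or other LAN hosts, as the comments note
    if str(dst) == "239.255.255.250" and dpt == "1900":
        return "ssdp"             # UPnP/SSDP discovery chatter
    if dst.is_multicast:
        return "multicast-other"
    if dst in (LAN.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        return "broadcast"        # e.g. NetBIOS name service from Windows machines
    if src in LAN:
        return "lan-unicast"      # a LAN host addressing this machine directly; note which host and port
    return "external"             # Internet-sourced packets the firewall dropped: these get reviewed


def triage(log_text):
    """Count drops per label and list the external ones as (SRC, DST, PROTO, DPT)."""
    counts = Counter()
    review = []
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is None:
            continue
        label = classify(fields)
        counts[label] += 1
        if label == "external":
            review.append((fields["SRC"], fields["DST"], fields.get("PROTO"), fields.get("DPT")))
    return {"counts": dict(counts), "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for label, n in sorted(result["counts"].items()):
        print(f"{label:16s} {n}")
    for src, dst, proto, dpt in result["review"]:
        print(f"review: {src} -> {dst} {proto}/{dpt}")
```

On a real machine, feed it the output of grep 'UFW BLOCK' /var/log/syslog and set LAN to your own subnet; the cron pam_unix line in the sample is there to show that non-UFW lines are ignored.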












