I was hacked? (am I a slave?)What could be the cause for these strange UFW block entries in my syslog?Was my Ubuntu computer hacked?I think I got hacked 16.04 LTSStrange new rules added to my iptables config… Was my server hacked?Ubuntu server hacked. Recovering

Is my saddle at the correct position?

How to replace a pair of brackets

A finite alternating sum

How to make a vertical iff?

Advantages and disadvantages of hash-based signatures

Genetic algorithms(GAs): to be considered only as optimization algorithms? Are GAs used in machine learning any way?

How to use warm start to solve MIPs efficiently?

Is it a circumfix?

Does the voicing of a chord affect the name it's been given? If not, what does?

What can a parasite offer its human hosts in a mutualistic relationship?

If someone orders a pizza in the US and doesn't pay for it, could they be arrested?

Can Alter Self be used to enter an enemy's body and destroy it from the inside?

The state of the art in music puzzles

How do physicists deal with fields at the location of charges?

How does `at` know there will be a time change?

Can I take 3 bags of total 100 lb in Emirates?

Do any languages have a kinship terms for the relationship between the respective parents of a married couple?

In Japan (Nippon) can people criticize royal family

What is the correct location for PS1 Shell variable?

What was the point of the label on the bottom of the NES?

What problems arise when we use a self-signed certificate for the SMTP protocol?

Can a fiance sleep at his in-law's?

What is the binding agent in eggs?

How (and when) was the RTG in the lunar modules installed?



I was hacked? (am I a slave?)


What could be the cause for these strange UFW block entries in my syslog?Was my Ubuntu computer hacked?I think I got hacked 16.04 LTSStrange new rules added to my iptables config… Was my server hacked?Ubuntu server hacked. Recovering






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









0

















I'm a newbie to Ubuntu

Few days back, I noticed a text file named pwn3d.txt on my home folder. The following text was in it:




You are (fully) pwn3d due to a homobraphic error on your software dependencies




I didn't notice any unusual activity and my account weren't hacked.



But still, I panicked and reinstalled my Ubuntu (I still have windows installed)
Today I tried to dig into the logs to see if I can find any suspicious behavior, and I think I found a few:



  1. My firewall (UFW) is blocking tons of stuff:

Example




  1. I have --slave commands, few examples:



     update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz
     update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz
     update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz



  2. when i ran the following command: cat /etc/passwd|grep '/bin/bash'
    I got the following result alongside with my own username:



    root:x:0:0:root:/root:/bin/bash


Any suggestions? Am I under attack? Should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?






18.04 security ufw logs hacking







share|improve this question























  • 1





    Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

    – Byte Commander
    Jun 14 at 21:30












  • Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root, are there any suspicious?

    – eq3wv1rk
    Jun 14 at 22:33






  • 1





    Those cron entries would appear on a normal machine too, so they are not an indicator neither for nor against any external intrusions. Don't know about the pihole.

    – Byte Commander
    Jun 14 at 23:03






  • 1





    For the other log entries, we can not tell because the lines are chopped. My guess is that they are O.k. as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the users knows the log branch it took from the resulting iptables rule set.

    – Doug Smythies
    Jun 14 at 23:40


















0

















I'm a newbie to Ubuntu

Few days back, I noticed a text file named pwn3d.txt on my home folder. The following text was in it:




You are (fully) pwn3d due to a homobraphic error on your software dependencies




I didn't notice any unusual activity and my account weren't hacked.



But still, I panicked and reinstalled my Ubuntu (I still have windows installed)
Today I tried to dig into the logs to see if I can find any suspicious behavior, and I think I found a few:



  1. My firewall (UFW) is blocking tons of stuff:

Example




  1. I have --slave commands, few examples:



     update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz
     update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz
     update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz



  2. when i ran the following command: cat /etc/passwd|grep '/bin/bash'
    I got the following result alongside with my own username:



    root:x:0:0:root:/root:/bin/bash


Any suggestions? Am I under attack? Should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?






18.04 security ufw logs hacking







share|improve this question























  • 1





    Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

    – Byte Commander
    Jun 14 at 21:30












  • Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root, are there any suspicious?

    – eq3wv1rk
    Jun 14 at 22:33






  • 1





    Those cron entries would appear on a normal machine too, so they are not an indicator neither for nor against any external intrusions. Don't know about the pihole.

    – Byte Commander
    Jun 14 at 23:03






  • 1





    For the other log entries, we can not tell because the lines are chopped. My guess is that they are O.k. as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the users knows the log branch it took from the resulting iptables rule set.

    – Doug Smythies
    Jun 14 at 23:40














0












0








0








I'm a newbie to Ubuntu

Few days back, I noticed a text file named pwn3d.txt on my home folder. The following text was in it:




You are (fully) pwn3d due to a homobraphic error on your software dependencies




I didn't notice any unusual activity and my account weren't hacked.



But still, I panicked and reinstalled my Ubuntu (I still have windows installed)
Today I tried to dig into the logs to see if I can find any suspicious behavior, and I think I found a few:



  1. My firewall (UFW) is blocking tons of stuff:

Example




  1. I have --slave commands, few examples:



     update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz
     update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz
     update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz



  2. when i ran the following command: cat /etc/passwd|grep '/bin/bash'
    I got the following result alongside with my own username:



    root:x:0:0:root:/root:/bin/bash


Any suggestions? Am I under attack? Should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?






18.04 security ufw logs hacking







share|improve this question

















I'm a newbie to Ubuntu

Few days back, I noticed a text file named pwn3d.txt on my home folder. The following text was in it:




You are (fully) pwn3d due to a homobraphic error on your software dependencies




I didn't notice any unusual activity and my account weren't hacked.



But still, I panicked and reinstalled my Ubuntu (I still have windows installed)
Today I tried to dig into the logs to see if I can find any suspicious behavior, and I think I found a few:



  1. My firewall (UFW) is blocking tons of stuff:

Example




  1. I have --slave commands, few examples:



     update-alternatives 2019-02-10 00:12:25: run with --quiet --install /usr/bin/awk awk /usr/bin/mawk 5 --slave /usr/share/man/man1/awk.1.gz awk.1.gz /usr/share/man/man1/mawk.1.gz --slave /usr/bin/nawk nawk /usr/bin/mawk --slave /usr/share/man/man1/nawk.1.gz nawk.1.gz /usr/share/man/man1/mawk.1.gz
     update-alternatives 2019-06-14 10:38:23: run with --install /usr/bin/c++ c++ /usr/bin/g++ 20 --slave /usr/share/man/man1/c++.1.gz c++.1.gz /usr/share/man/man1/g++.1.gz
     update-alternatives 2019-06-09 13:34:33: run with --quiet --install /usr/bin/c99 c99 /usr/bin/c99-gcc 20 --slave /usr/share/man/man1/c99.1.gz c99.1.gz /usr/share/man/man1/c99-gcc.1.gz



  2. when i ran the following command: cat /etc/passwd|grep '/bin/bash'
    I got the following result alongside with my own username:



    root:x:0:0:root:/root:/bin/bash


Any suggestions? Am I under attack? Should I format my computer? Is there any danger for other devices on my network (laptops, router, streamers)?






18.04 security ufw logs hacking




18.04 security ufw logs hacking






share|improve this question
















share|improve this question













share|improve this question




share|improve this question








edited Jun 14 at 21:19









guntbert

9,94813 gold badges32 silver badges74 bronze badges




9,94813 gold badges32 silver badges74 bronze badges










asked Jun 14 at 21:12









eq3wv1rkeq3wv1rk

63 bronze badges




63 bronze badges










  • 1





    Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

    – Byte Commander
    Jun 14 at 21:30












  • Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root, are there any suspicious?

    – eq3wv1rk
    Jun 14 at 22:33






  • 1





    Those cron entries would appear on a normal machine too, so they are not an indicator neither for nor against any external intrusions. Don't know about the pihole.

    – Byte Commander
    Jun 14 at 23:03






  • 1





    For the other log entries, we can not tell because the lines are chopped. My guess is that they are O.k. as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the users knows the log branch it took from the resulting iptables rule set.

    – Doug Smythies
    Jun 14 at 23:40













  • 1





    Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

    – Byte Commander
    Jun 14 at 21:30












  • Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root, are there any suspicious?

    – eq3wv1rk
    Jun 14 at 22:33






  • 1





    Those cron entries would appear on a normal machine too, so they are not an indicator neither for nor against any external intrusions. Don't know about the pihole.

    – Byte Commander
    Jun 14 at 23:03






  • 1





    For the other log entries, we can not tell because the lines are chopped. My guess is that they are O.k. as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the users knows the log branch it took from the resulting iptables rule set.

    – Doug Smythies
    Jun 14 at 23:40








1




1





Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

– Byte Commander
Jun 14 at 21:30






Most likely, your current system (after your recent reinstall) is fine. Your points 2 and 3 are completely normal and would not have any connection to malicious activity, because these things you investigated there are absolutely unrelated. About the firewall logs, those with DST=224.0.0.251 are not suspicious either, that looks like just your router sending multicast DNS probes. Can't say anything about the remaining log entries though.

– Byte Commander
Jun 14 at 21:30














Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root, are there any suspicious?

– eq3wv1rk
Jun 14 at 22:33





Thanks. I have pihole configured as my DNS, could it cause all the remaining log entries? also, I locked my computer now for an hour to see what happens, and I have noticed the following log entries (which have been logged after I locked the computer): pam_unix(cron:session): session opened for user root by (uid=0), pam_unix(cron:session): session closed for user root, are there any suspicious?

– eq3wv1rk
Jun 14 at 22:33




1




1





Those cron entries would appear on a normal machine too, so they are not an indicator neither for nor against any external intrusions. Don't know about the pihole.

– Byte Commander
Jun 14 at 23:03





Those cron entries would appear on a normal machine too, so they are not an indicator neither for nor against any external intrusions. Don't know about the pihole.

– Byte Commander
Jun 14 at 23:03




1




1





For the other log entries, we can not tell because the lines are chopped. My guess is that they are O.k. as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the users knows the log branch it took from the resulting iptables rule set.

– Doug Smythies
Jun 14 at 23:40






For the other log entries, we can not tell because the lines are chopped. My guess is that they are O.k. as well. Note you will observe this stuff constantly on any external (WAN) facing device. Also UFW is extremely annoying because it uses one generic "UFW BLOCK" log prefix for all of its blocks. It should use a unique log prefix for every log entry so that the users knows the log branch it took from the resulting iptables rule set.

– Doug Smythies
Jun 14 at 23:40











0






active

oldest

votes













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);














draft saved

draft discarded
















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1151163%2fi-was-hacked-am-i-a-slave%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown


























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1151163%2fi-was-hacked-am-i-a-slave%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown









-

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

Image
Fering ArtiikelDrawiidisk Spriiken SölringÖömrangFeringHalunderHalifreeskMooringWiringhiirderKarhiirderGooshiirderDrawiidisk SpriikTamil NaduIndienSri Lanka (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003EFersteegu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="frr" dir="ltr"u003Eu003Cdiv id="sitenotice"u003Enu003Ccenteru003Enu003Ctable class="rahmenfarbe4" style="border-style: solid; border-width: thin; width: 70%;"u003Ennu003Ctbodyu003Eu003Ctru003Enu003Ctd style="text-align:center;"u003Eu003Ca href="/wiki/Datei:Nordfriesischeflagge.svg" class="image"u003Eu003Cimg alt="Nordfriesische
Read more

Align equal signs while including text over equalitiesAMS align: left aligned text/math plus multicolumn alignmentMultiple alignmentsAligning equations in multiple placesNumbering and aligning an equation with multiple columnsHow to align one equation with another multline equationUsing \ in environments inside the begintabularxNumber equations and preserving alignment of equal signsHow can I align equations to the left and to the right?Double equation alignment problem within align enviromentAligned within align: Why are they right-aligned?

Image
Why didn't the Universal Translator speak whale? What is /dev/null and why can't I use hx on it? The work of mathematicians outside their professional environment Does the DOJ's declining to investigate the Trump-Zelensky call ruin the basis for impeachment? Are there any tricks to pushing a grand piano? Maintaining distance Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit? Object Oriented Design: Where to place behavior that pertains to more than one type of object? Choice of solvent during thin layer chromatography How to catch creatures that can predict the next few minutes? Use floats or doubles when writing mobile games How come the Russian cognate for the Czech word "čerstvý" (fresh) means entirely the opposite thing (stale)? What are the limits on an impeached and not convicted president? How to calculate Limit of this sequence Bash-script as linux-service won't run, but executed
Read more

Where does the image of a data connector as a sharp metal spike originate from?Where does the concept of infected people turning into zombies only after death originate from?Where does the motif of a reanimated human head originate?Where did the notion that Dragons could speak originate?Where does the archetypal image of the 'Grey' alien come from?Where did the suffix '-Man' originate?Where does the notion of being injured or killed by an illusion originate?Where did the term “sophont” originate?Where does the trope of magic spells being driven by advanced technology originate from?Where did the term “the living impaired” originate?

Image
Automatically extend a Python list to N elements if it's too short? Fired for a policy I didnt know about, as well as another false reason Why isn't tilde recognised as home folder in this case? When does an Artillerist's Cannon have disadvantage? How large should a hole be for a bolt to go through? When is TeX better than LaTeX? How to determine if drill is suitable for concrete? Huygens Lander: Why The Short Battery Life? Why do people use bigger cassettes for lower gearing when they could instead use smaller chainrings? Is there a difference between downloading / installing a list of packages and downloading each packge by its own? Question about exercise 21.10 in The TeXbook How to publish a page using tridion core service client in sdl web 8.5 Can one get into trouble if one doesn't show up at the gate 30 minutes before departure (or whatever time window the boarding pass is indicating)? Does an action-reaction pair always contain the same
Read more