Hi,
A cyberattack began this morning on my computer and I'm a little bit confused.
My folder /home was deleted. All files, no logs, nothing in the trash bin, when I tried to copy a folder to MEGA cloud.
Then I tried listening and monitoring for deleted files with the command
$ inotifywait -m -r -e delete ~/
Watch the amazing logs! In an infinite loop: it tries to delete a cache file in Firefox, "doomed", which is correlated with my Twitter account.
Pastebin logs : https://pastebin.com/q5yZ7efS
Then I tried to watch and monitor my network connection. I changed my password and wifi key, disconnected the NAS server and backup, etc.... I called my ISP and tried to get information on the router: nothing, the diag was ok.
ss logs: https://pastebin.com/prAqm1et
netstat logs: https://pastebin.com/R4JMwHQ3
I need some help, I'm not an expert at analysing network logs and finding a backdoor, but I think it's huge.
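As an added example for this thread (not the original poster's code), a small shell helper that groups the events from `inotifywait -m -r -e delete ~/` by watched directory. That is the quickest way to see whether the deletions are confined to a browser cache or spread across real data. The event lines below are constructed with hypothetical paths.

```shell
#!/bin/sh
# Added example for this thread (not from the original poster): group the
# output of "inotifywait -m -r -e delete ~/" by watched directory, so a stream
# of browser cache-entry deletions can be told apart from a wipe of real files.
# inotifywait's default line format is "<watched dir> <EVENT[,EVENT]> <name>".

summarize_deletes() {
    # Reads inotifywait lines on stdin; prints "<count> <watched dir>",
    # most frequently hit directory first.
    awk '$2 ~ /DELETE/ { n[$1]++ }
         END { for (d in n) print n[d], d }' | sort -rn
}

top_delete_dir() {
    # Prints only the directory receiving the most DELETE events.
    summarize_deletes | head -n 1 | cut -d" " -f2-
}

# Constructed sample stream (hypothetical paths): seven Firefox cache2
# deletions and two deletions under ~/Documents, which is what would actually
# deserve attention.
SAMPLE_EVENTS='/home/user/.cache/mozilla/firefox/abcd.default/cache2/entries/ DELETE 0A1B2C
/home/user/.cache/mozilla/firefox/abcd.default/cache2/entries/ DELETE 0A1B2D
/home/user/.cache/mozilla/firefox/abcd.default/cache2/doomed/ DELETE 1234
/home/user/.cache/mozilla/firefox/abcd.default/cache2/doomed/ DELETE 1235
/home/user/Documents/ DELETE notes.txt
/home/user/.cache/mozilla/firefox/abcd.default/cache2/entries/ DELETE 0A1B2E
/home/user/.cache/mozilla/firefox/abcd.default/cache2/doomed/ DELETE 1236
/home/user/.cache/mozilla/firefox/abcd.default/cache2/entries/ DELETE 0A1B2F
/home/user/Documents/ DELETE,ISDIR old'

# Stand-alone usage: summarize the constructed sample.
printf '%s\n' "$SAMPLE_EVENTS" | summarize_deletes
```

On a live system, capture first and summarize afterwards (for example `timeout 120 inotifywait -m -r -e delete ~/ > deletes.log`, then `summarize_deletes < deletes.log`), because `sort` needs the end of its input and `-m` never ends the stream. A result dominated by `.cache/mozilla/firefox/.../cache2/` is the browser housekeeping the replies below describe; counts under documents or project directories are what would justify further investigation.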
A cyberattack began this morning on my computer and I'm a little bit confused.
The end of that statement is clearly true. Unfortunately without caution it's also quite contagious.
Do you have any actual evidence of the first half of that statement? What is the basis for the claim that this is a "cyberattack"?
My folder /home was deleted.
How do you know this? What's the actual evidence / data? Is it possible your /home partition was simply not mounted properly?
If your /home was actually deleted, how is it you are showing logs later in your post about attempts to delete specific files related to firefox under your user's home folder??
In an infinite loop: it tries to delete a cache file in Firefox
I highly doubt a hacker broke into your computer just to delete your browser cache for you. Much more likely is the potential of some "system cleaning" tool that you set up (and perhaps forgot about) such as bleachbit or any one of its relatives.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
So something (most likely firefox) deletes around in your firefox cache. Nothing to phone home about, is it?
Post the outputs of
mount
lsblk -f
cat /etc/fstab
Edit: Ah, fuck.
Last edited by seth (2023-07-22 12:51:43)
I highly doubt a hacker broke into your computer just to delete your browser cache for you. Much more likely is the potential of some "system cleaning" tool that you set up (and perhaps forgot about) such as bleachbit or any one of its relatives.
Man, I'm a very high target with valuable data on my computer, it's the risk.
$ mount
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=8053480k,nr_inodes=2013370,mode=755,inode64)
run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755,inode64)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/root on / type ext4 (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=571)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
ramfs on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-sysusers.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
/dev/nvme0n1p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
/dev/mapper/tmp on /tmp type tmpfs (rw,nosuid,nodev,relatime,inode64)
/dev/mapper/home on /home type ext4 (rw,noatime)
ramfs on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=1613840k,nr_inodes=403460,mode=700,uid=1000,gid=984,inode64)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=984)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=984)
$ lsblk -f
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sda
nvme0n1
├─nvme0n1p1 vfat FAT32 F40C-E455 420,5M 18% /boot
└─nvme0n1p2 LVM2_member LVM2 001 rtxIVj-bpFS-62Da-ZLzz-TooR-TqIY-jHMs7i
├─vglvm-root crypto_LUKS 2 d138e21f-54c8-4798-bcc5-1227ee1b96e2
│ └─root ext4 1.0 11dae9c8-94d7-4b7e-b39a-895b3fe95aad 9,4G 63% /
├─vglvm-swap
│ └─swap swap 1 swap 1e8df0de-af3d-4728-b986-e6e60cde8cc5 [SWAP]
├─vglvm-tmp
│ └─tmp ext4 1.0 tmp c32f7c8a-966b-43ce-a49b-f6c06a6c04fb 7,7G 0% /tmp
└─vglvm-home crypto_LUKS 2 337567fa-aac0-4d5b-a8c5-9c089cf337d1
└─home ext4 1.0 4802a7ee-cfc4-4969-9abb-894c690115f3 181,5G 1% /home
$ cat /etc/fstab
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
# /dev/mapper/root UUID=11dae9c8-94d7-4b7e-b39a-895b3fe95aad
/dev/mapper/root / ext4 rw,relatime 0 1
# /dev/nvme0n1p1 UUID=F40C-E455
/dev/nvme0n1p1 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
/dev/mapper/home /home ext4 rw,noatime 0 2
/dev/mapper/tmp /tmp tmpfs nodev,nosuid 0 0
/dev/mapper/swap none swap sw 0 0
Man, I'm a very high target
I'd believe the very high part. That could explain the paranoia. But even assuming that you were a high value target, that is not evidence of an attack. Again, what is the basis for your inferences? You're making huge and highly unlikely claims - jumping to the least parsimonious explanation for a set of symptoms without reason is absurd.
The /home partition is not empty (there's ~1.8GB of data)
How much data are you missing?
If you unmount the /home partition, are there still files in the mountpoint (/home on the root partition)?
Last edited by seth (2023-07-22 13:28:12)
Around 150+ GB of data deleted. All of it is backed up on my local NAS (now quarantined and isolated from my network for security), automated every 7 days, then transferred to cloud storage. So I didn't lose my data. The problem is the hole....
I'd tell you to look into your shell history, but that's of course gone as well.
https://wiki.archlinux.org/title/Catego … _detection
rkhunter will produce a lot of false positives on scans, so don't freak out.
The most likely explanation remains a PEBKAC; somebody actually attacking you might steal valuable data or, worse, place compromising.
But they won't draw attention by deleting your $HOME, let alone the entire /home partition, let alone if they even just suspect you've backups.
That's a layer 8 error.
If you've an active root account, you might want to inspect its shell histories - maybe you did what you did as root.
Edit: did you recently mess around w/ the device encryption/configuration?
Last edited by seth (2023-07-22 21:01:02)
Man... Watch that. Logs of network traffic on my router. My ISP tells me they see nothing.....
Explosion of traffic logs beginning this morning, screenshot: https://twitter.com/anth_lg/status/1682 … 09/photo/1
WTF! Logs of open ports and site traffic domains listened on: https://pastebin.com/MQ5T6yQr
"Explosion of traffic logs" "on my router", whatever those are (I'm not gonna visit your twit-twat), are not "my home partition disappeared"
Quit your browser and torrent client.
If you want to know what process is communicating there, "netstat -tulpen" or wireshark. And you want to do that from the multi-user.target to make sure "who" isn't just "you".
I did look at the twatter post. And while there is an increase, I'd hardly call an increase of roughly 50% over the previous baseline an "explosion". Especially when there is an expected atypical behavior for the day of restoring 150GB of "lost" data via the network.
Last edited by Trilby (2023-07-22 22:46:11)
What services do you expose to the internet?
Do you expose sshd?
Do you allow password access?
Do you allow root access?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Hello,
WTF! Logs of open ports and site traffic domains listened on: https://pastebin.com/MQ5T6yQr
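An added example that ties together the two suggestions above, the `netstat -tulpen` / wireshark check for which process owns a socket and the questions about exposed sshd, password and root access. It is not code from any poster. The `ss -tulpen` output and the sshd_config fed to it below are constructed samples; on a real host you would pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): two triage helpers
# built on the commands suggested above. exposed_listeners() reads the output
# of "ss -tulpen" and lists sockets bound to something other than loopback,
# with the owning process; sshd_risky_settings() reads an sshd_config (or the
# effective config from "sshd -T") and reports root login / password auth.
# Both read stdin so they can be fed constructed samples or live output.

exposed_listeners() {
    # ss -tulpen columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process ...
    # Prints "<proto> <port> <process>" for every non-loopback bind, de-duplicated
    # (the same daemon usually shows up once for IPv4 and once for IPv6).
    awk 'NR > 1 {
        addr = $5; sub(/:[^:]*$/, "", addr)      # strip ":port"
        port = $5; sub(/.*:/, "", port)          # keep only the port
        if (addr == "127.0.0.1" || addr == "[::1]") next
        proc = "?"                               # "?" when ss hid the owner (not root)
        if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
        print $1, port, proc
    }' | sort -u
}

sshd_risky_settings() {
    # Flags PermitRootLogin yes and PasswordAuthentication yes. A missing
    # PasswordAuthentication line is flagged too, because OpenSSH's built-in
    # default is yes. Match blocks and Include files are not followed; use
    # "sshd -T" as input for the fully resolved configuration.
    awk '$1 ~ /^#/ || NF < 2 { next }
         { k = tolower($1); v = tolower($2) }
         k == "permitrootlogin" && v == "yes" { print "PermitRootLogin yes" }
         k == "passwordauthentication" { seen = 1; if (v == "yes") print "PasswordAuthentication yes" }
         END { if (!seen) print "PasswordAuthentication unset (OpenSSH default is yes)" }'
}

# Constructed "ss -tulpen" sample: sshd and a torrent client on all interfaces,
# CUPS on loopback only, dhcpcd on UDP.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=612,fd=3)) uid:0 ino:20311 sk:1
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=700,fd=7)) uid:0 ino:21000 sk:2
tcp   LISTEN 0      128          0.0.0.0:51413     0.0.0.0:*     users:(("transmission-da",pid=900,fd=12)) uid:1000 ino:30100 sk:3
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=612,fd=4)) uid:0 ino:20312 sk:4
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhcpcd",pid=410,fd=5)) uid:0 ino:18000 sk:5'

# Constructed sshd_config sample: root login enabled, password auth left at default.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host
Port 22
PermitRootLogin yes
#PasswordAuthentication no
KbdInteractiveAuthentication no'

# Stand-alone usage on the samples.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_risky_settings
```

Run as root (`ss -tulpen | exposed_listeners`) so the Process column is populated; a `?` means ss could not see the owner. Anything listed that is not a service you deliberately run on the LAN is the first thing to shut down, and for sshd the usual fixes are `PermitRootLogin no`, `PasswordAuthentication no` with key-based login, plus not forwarding the port on the router at all.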
According to https://www.hybrid-analysis.com/, searching with the IP and domain name pairs from the logs you mentioned shows that multiple entries are linked to potential malicious activities.
But, at first glance, I see nothing linked to Linux (only Windows). Do you have other hosts on the network?
Bouygues Telecom support desk for non-professional customers does not have the ability to analyze network traffic for this kind of malicious activity. Do not rely on them to do your security for you (you ain't paying them for that anyway).
If you feel you have been hacked, then disconnect the potentially insecure hosts from the internet at least...
EDIT: here are the results from hybrid-analysis.com: https://pastebin.com/dJfm6ABd
Last edited by Koatao (2023-07-23 09:26:57)
I know Bouygues Telecom doesn't have a help desk for cyberattacks on individuals. I tried to push, but they don't really care. It's strange: 14 days ago I tried to buy a Netgear RAX30 router to improve the security of my local network, then the order was cancelled by the seller. On my local network:
- My Laptop on Arch
- NAS Synology
- Server Proxmox
- Tablet Android
- Printer HP Laser
- PS4 online
I tried to turn off UPnP on the router to mitigate the attack and port redirection. I will reinstall Arch soon, tonight or tomorrow. Clean install and remove any potential backdoor. I upgraded to the Linux Zen kernel + LKRG by the way.
Last edited by trivial29 (2023-07-23 12:17:22)