
#1 2014-04-11 01:46:49

nimblemachine
Member
Registered: 2014-04-11
Posts: 1

Diagnosing a security problem.

I'm a pretty technical guy but it's all programming that I'm the best at, and I'm loving learning more through Arch.  I've had some times lately where my machine has seemed like it was acting strangely and I'll notice individual log entries that seem odd, but I've always dismissed it as paranoia partly because the level of trouble that someone might have to go to seemed so unrealistic, but tonight I was working on my system and found some things that seem like a problem. I decided that even if I felt like an idiot if I was just not understanding things that it might help someone out like me who has enough knowledge to be dangerous but not really enough to make it through a situation like this one.
I'm using an HP Pavilion m7 laptop that's been running Arch since mid December. The things that had bothered me were random activity on my wireless, always with ip6, files including a lot of gvfs and fuse that it didn't seem like I should see, and activity connected to my webcam at /dev/video0. I'm just going to post some pieces of logs now:

Edit: Sorry for the formatting. I'm trying to get it into a little better shape.

from a journalctl -r

Apr 10 18:06:01 ine.com    kernel: IPv6: ADDRCONF(NETDEV_UP): eno1: link is not ready
Apr 10 18:06:01 ine.com    kernel: r8169 0000:05:00.0 eno1: link down
Apr 10 18:05:55 ine.com dbus[1123]: [system] Activation via systemd failed for unit 'dbus-org.wicd.daemon.service': Unit dbus-org.wicd.daemon.service failed 
Apr 10 18:05:55 ine.com dbus[1123]: [system] Activating via systemd: service name='org.wicd.daemon' unit='dbus-org.wicd.daemon.service'
Apr 10 18:05:54 ine.com sudo[29607]: pam_unix(sudo:session): session closed for user root
Apr 10 18:05:54 ine.com sudo[29607]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 10 18:05:54 ine.com sudo[29607]: andrew : TTY=unknown ; PWD=/usr/share/wicd/gtk ; USER=root ; COMMAND=/usr/bin/wicd
Apr 10 18:05:53 ine.com dbus[1123]: [system] Activation via systemd failed for unit 'dbus-org.wicd.daemon.service': Unit dbus-org.wicd.daemon.service failed 
Apr 10 18:05:53 ine.com dbus[1123]: [system] Activating via systemd: service name='org.wicd.daemon' unit='dbus-org.wicd.daemon.service'
Apr 10 18:05:53 ine.com pulseaudio[29434]: GetManagedObjects() failed: org.freedesktop.DBus.Error.ServiceUnknown: The name org.bluez was not provided by any 
Apr 10 18:05:53 ine.com rtkit-daemon[29435]: Supervising 4 threads of 1 processes of 1 users.
Apr 10 18:05:53 ine.com rtkit-daemon[29435]: Successfully made thread 29583 of process 29434 (/usr/bin/pulseaudio) owned by '1000' RT at priority 6.
Apr 10 18:05:53 ine.com rtkit-daemon[29435]: Supervising 3 threads of 1 processes of 1 users.
Apr 10 18:05:53 ine.com pulseaudio[29434]: We will now load module-combine-sink. Please make sure to remove module-combine from your configuration.
Apr 10 18:05:53 ine.com pulseaudio[29434]: module-combine is deprecated: Please use module-combine-sink instead of module-combine!
Apr 10 18:05:51 ine.com rtkit-daemon[29435]: Supervising 3 threads of 1 processes of 1 users.
Apr 10 18:05:51 ine.com rtkit-daemon[29435]: Successfully made thread 29561 of process 29434 (/usr/bin/pulseaudio) owned by '1000' RT at priority 5.
Apr 10 18:05:51 ine.com rtkit-daemon[29435]: Supervising 2 threads of 1 processes of 1 users.
Apr 10 18:05:51 ine.com rtkit-daemon[29435]: Supervising 2 threads of 1 processes of 1 users.
Apr 10 18:05:51 ine.com rtkit-daemon[29435]: Successfully made thread 29560 of process 29434 (/usr/bin/pulseaudio) owned by '1000' RT at priority 5.
Apr 10 18:05:51 ine.com rtkit-daemon[29435]: Supervising 1 threads of 1 processes of 1 users.
Apr 10 18:05:48 ine.com polkitd[29438]: Registered Authentication Agent for unix-session:c3 (system bus name :1.13 [/usr/lib/lxpolkit/lxpolkit], object path 
Apr 10 18:05:48 ine.com rtkit-daemon[29435]: Supervising 1 threads of 1 processes of 1 users.
Apr 10 18:05:48 ine.com rtkit-daemon[29435]: Successfully made thread 29434 of process 29434 (/usr/bin/pulseaudio) owned by '1000' high priority at nice leve
Apr 10 18:05:48 ine.com polkitd[29438]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr 10 18:05:47 ine.com systemd[1]: Started Authorization Manager.
Apr 10 18:05:47 ine.com dbus[1123]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Apr 10 18:05:47 ine.com polkitd[29438]: Finished loading, compiling and executing 3 rules
Apr 10 18:05:46 ine.com systemd[1]: Mounted FUSE Control File System.
Apr 10 18:05:46 ine.com kernel: fuse init (API version 7.22)
Apr 10 18:05:46 ine.com systemd[1]: Mounting FUSE Control File System...
Apr 10 18:05:46 ine.com polkitd[29438]: Loading rules from directory /usr/share/polkit-1/rules.d
Apr 10 18:05:46 ine.com polkitd[29438]: Loading rules from directory /etc/polkit-1/rules.d 
Apr 10 18:05:46 ine.com polkitd[29438]: Started polkitd version 0.112
Apr 10 18:05:46 ine.com systemd[1]: Starting Authorization Manager...
Apr 10 18:05:45 ine.com dbus[1123]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Watchdog thread running.
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Canary thread running.
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Running.
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Successfully limited resources.
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Successfully dropped privileges.
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Successfully called chroot.
Apr 10 18:05:45 ine.com systemd[1]: Started RealtimeKit Scheduling Policy Service.
Apr 10 18:05:45 ine.com dbus[1123]: [system] Successfully activated service 'org.freedesktop.RealtimeKit1'
Apr 10 18:05:45 ine.com systemd[1]: Starting RealtimeKit Scheduling Policy Service...
Apr 10 18:05:45 ine.com dbus[1123]: [system] Activating via systemd: service name='org.freedesktop.RealtimeKit1' unit='rtkit-daemon.service'
Apr 10 18:05:44 ine.com org.a11y.atspi.Registry[29375]: ** (at-spi2-registryd:29380): WARNING **: Unable to register client with session manager
Apr 10 18:05:44 ine.com org.a11y.atspi.Registry[29375]: ** (at-spi2-registryd:29380): WARNING **: Failed to register client: GDBus.Error:org.freedesktop.DBus
Apr 10 18:05:44 ine.com org.a11y.atspi.Registry[29375]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
Apr 10 18:05:44 ine.com org.a11y.Bus[29339]: Successfully activated service 'org.a11y.atspi.Registry'
Apr 10 18:05:44 ine.com org.a11y.Bus[29339]: Activating service name='org.a11y.atspi.Registry'
Apr 10 18:05:40 ine.com systemd[1493]: pam_unix(systemd-user:session): session closed for user lightdm
Apr 10 18:05:40 ine.com systemd[1]: Removed slice user-620.slice.
Apr 10 18:05:40 ine.com systemd[1468]: Received SIGRTMIN+24 from PID 29282 (kill)


So I thought I would look at /etc/polkit-1/rules.d  which had this:

polkit.addRule(function(action) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system") {
        return polkit.Result.YES;
    }
});
/etc/polkit-1/rules.d/10-enable-mount.rules (END)

and the other had:

polkit.addRule(function(action, subject) {
    if (subject.user == "lightdm") {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        if (action.id.indexOf("org.freedesktop.login1.") == 0) {
            return polkit.Result.YES;
        }
        if (action.id.indexOf("org.freedesktop.consolekit.system.") == 0) {
            return polkit.Result.YES;
        }
        if (action.id.indexOf("org.freedesktop.upower.") == 0) {
            return polkit.Result.YES;
        }
    }
});
/usr/share/polkit-1/rules.d/lightdm.rules (END)

and in the /run/user/1000/ directory, browsing as root:

$ ls -al
ls: cannot access gvfs: Permission denied
total 0
drwx------ 6 andrew users 12 Apr 10 18:07 .
drwxr-xr-x 3 root   root  60 Apr 10 18:05 ..
drwx------ 2 andrew users 60 Apr 10 18:05 dconf
d????????? ? ?      ?      ?            ? gvfs
drwx------ 2 andrew users 80 Apr 10 18:05 pulse
drwxr-xr-x 2 andrew users 80 Apr 10 17:51 systemd

So, I'm really hoping I end up looking like a fool. I have no ability to really interpret what I think I'm seeing and I really hope someone could point me in a direction to look at next.
Also, trying to clean up this pile of log pieces and output I dumped in here. I'm somewhat disturbed by the fact I'm not sure if someone has had an open door into my computer.

Last edited by nimblemachine (2014-04-11 02:14:57)
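As an added example (not part of the thread and not the poster's own tooling), the script below does the first pass a responder would make over a journal dump like the one above: instead of reading every rtkit and pulseaudio line by eye, it parses the default journalctl short format and pulls out the events that actually bear on "has someone been on this box", namely sudo's audit lines (who ran what, as whom, from which directory, with or without a terminal), which directories polkitd loaded rules from, and anything mentioning FUSE. The sample lines are constructed in the shape of the post's output (hostname, PIDs and paths copied from it); the regular expressions and field names are this example's own assumptions. Read against the post, the one sudo entry is andrew running /usr/bin/wicd from wicd's own GTK directory with no TTY, which is exactly what a graphical network-manager launcher looks like and lines up with the wicd D-Bus activation lines right after it; the two polkit directories are the standard rule locations; and the unreadable gvfs entry in /run/user/1000 is the FUSE mount gvfs creates, which by default refuses every user other than its owner, root included.

```python
"""Triage of journalctl output: surface privilege-related events (sudo,
polkit rule loading, FUSE) so they can be checked before anything else.
Example code; assumes the default 'journalctl' short output format."""
import re
from collections import Counter

# Constructed sample in the shape of the journalctl -r lines in the post
# (hostname, identifiers, PIDs and paths taken from it; not a full dump).
SAMPLE_JOURNAL = """\
Apr 10 18:06:01 ine.com    kernel: IPv6: ADDRCONF(NETDEV_UP): eno1: link is not ready
Apr 10 18:05:54 ine.com sudo[29607]: pam_unix(sudo:session): session closed for user root
Apr 10 18:05:54 ine.com sudo[29607]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 10 18:05:54 ine.com sudo[29607]: andrew : TTY=unknown ; PWD=/usr/share/wicd/gtk ; USER=root ; COMMAND=/usr/bin/wicd
Apr 10 18:05:46 ine.com systemd[1]: Mounted FUSE Control File System.
Apr 10 18:05:46 ine.com kernel: fuse init (API version 7.22)
Apr 10 18:05:46 ine.com polkitd[29438]: Loading rules from directory /usr/share/polkit-1/rules.d
Apr 10 18:05:46 ine.com polkitd[29438]: Loading rules from directory /etc/polkit-1/rules.d
Apr 10 18:05:45 ine.com rtkit-daemon[29435]: Successfully dropped privileges.
"""

# "Mon DD HH:MM:SS host ident[pid]: message"; the [pid] part is optional
# (kernel lines have none) and the host may be followed by several spaces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +(?P<host>\S+) +"
    r"(?P<ident>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sudo's own audit line: who ran what, as whom, from where.
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
POLKIT_DIR_RE = re.compile(r"Loading rules from directory (?P<dir>\S+)")


def parse_journal(text):
    """Return one dict per line; lines that do not match are kept under 'raw'."""
    events = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        events.append(m.groupdict() if m else {"raw": line})
    return events


def triage(events):
    """Summarise the events a defender wants to look at first."""
    report = {"sudo": [], "polkit_rule_dirs": [], "fuse": [], "by_ident": Counter()}
    for ev in events:
        if "raw" in ev:
            continue
        report["by_ident"][ev["ident"]] += 1
        msg = ev["msg"]
        if ev["ident"] == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                entry = s.groupdict()
                entry["ts"] = ev["ts"]
                # TTY=unknown means a program (not an interactive shell) invoked
                # sudo; check that PWD and COMMAND belong to the same package.
                entry["no_tty"] = entry["tty"] == "unknown"
                report["sudo"].append(entry)
        elif ev["ident"] == "polkitd":
            p = POLKIT_DIR_RE.search(msg)
            if p:
                report["polkit_rule_dirs"].append(p.group("dir"))
        if "fuse" in msg.lower():
            report["fuse"].append((ev["ts"], ev["ident"], msg))
    return report


if __name__ == "__main__":
    rep = triage(parse_journal(SAMPLE_JOURNAL))
    for s in rep["sudo"]:
        print(f"{s['ts']} sudo: {s['user']} -> {s['target']} ran {s['cmd']} "
              f"from {s['pwd']} (tty={s['tty']})")
    print("polkit rule dirs:", rep["polkit_rule_dirs"])
    print("fuse-related lines:", len(rep["fuse"]))
```

To run it on a real journal, pipe `journalctl -r` (or `journalctl -b`) into `parse_journal` instead of the embedded sample; the `by_ident` counter is handy for spotting a process name you do not recognise, which is a better starting point than any single odd-looking line.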


#2 2014-04-11 01:56:39

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Diagnosing a security problem.

Code tags man!

Check out the BBCode link below to see how to fix up your above post.


#3 2014-04-11 03:22:23

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,354

Re: Diagnosing a security problem.

Just because you are paranoid, it does not mean they are not out to get you yikes

Why do you think there is an issue?  I do not see anything untoward in the posts you provided.
Are you concerned about someone who has physical access?  (I know you said IPv6, but I don't see that in the log)

Are you behind a firewall? If so, what ports are open and forwarded to your machine?
What services are you running? SSH? FTP? SMTP? Telnet? HTTP? SNMP?
Are you concerned about machines on the global internet? Or are you concerned about machines inside your firewall (hotel, place of business, college campus)?

Unless you specifically start some service, Arch is pretty secure.

Edit:  Oh, welcome to Arch big_smile

Last edited by ewaller (2014-04-11 03:22:58)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#4 2014-04-11 12:45:44

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Diagnosing a security problem.

ewaller wrote:

What services are you running? SSH? FTP? SMTP? Telnet? HTTP? SNMP?

Unless you specifically start some service, Arch is pretty secure.

That's what I was thinking. Unless you are running some sort of server, I can't imagine anyone being able to do anything naughty to your computer through the Internet. hmm

