recon_lap | getent group sudo ; returns sudo:x:27: | 00:02 |
---|---|---|
TJ- | recon_lap: wow, it has actually edited the system!? | 00:02 |
TJ- | recon_lap: besides the standard Ubuntu repositories, have you added any 3rd party repos to apt? | 00:03 |
TJ- | recon_lap: I'm wondering about a malicious program | 00:03 |
recon_lap | getent group adm ; returns adm:x:4:syslog | 00:03 |
TJ- | for 'getent group sudo' I see "sudo:x:27:tj,root" | 00:03 |
TJ- | recon_lap: was this a standard installation of ubuntu-desktop ? | 00:04 |
recon_lap | malicious program not very likely I'd think. seems much more likely something blew up | 00:04 |
recon_lap | TJ-: yes, standard desktop install, the most exotic thing I've installed is the lamp stack | 00:06 |
TJ- | to remove the logged-in user from a group is almost impossible - for the same reason when you add a user to a group the user needs to re-log in. The security context is in memory | 00:06 |
recon_lap | well, apache2 does start off as root | 00:07 |
TJ- | recon_lap: the only scenario I can imagine to do what you describe is if your user was actually removed from the sudo group during a *previous* log-in session and you only noticed it after this current log-in prevented sudo actions | 00:07 |
recon_lap | TJ-: I did reboot, but the issue was there before I did that | 00:08 |
TJ- | recon_lap: check /var/log/auth.log ... you may need to reboot and go into Recovery mode to be 'root' at start-up to view that file | 00:08 |
recon_lap | don't seem to be able to get into recovery mode? just press shift while booting? | 00:13 |
TJ- | yes | 00:16 |
TJ- | hold it down early whilst still in the firmware POST else GRUB may start before you press it | 00:16 |
recon_lap | ok, got it, had to use F12 and go EFI | 00:17 |
recon_lap | got auth.log, it's a big file | 00:21 |
TJ- | yes, work backwards through it or grep | 00:24 |
TJ- | not sure what you could search for though so best to read backward | 00:24 |
recon_lap | polkitd(authority=local): Registered Auth Agent for unix-process:16282:5514607 system bus name :1.123 [/usr/bin/pkttyagent --notify-fd 4 --fallback] object path /org/freedesktop/policykit1/authenticationAgent, locale en_IE.UTF-8) , is the line where is appears to start going wrong | 00:36 |
looodgrey | What are reasons why base-installer/kernel/image wouldn't find any valid kernels installed? I'm trying out to preseed xenial and its erroring about not finding a kernel. I've tried setting it to linux-image,linux-image-generic but errors. | 00:38 |
recon_lap | one of the reboot messages is lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory , normal? | 00:43 |
recon_lap | well, this auth.log is pretty much double dutch to me, and can't think of any way to get it online for you to look at | 00:48 |
TJ- | recon_lap: the pam_kwallet.so message is expected, non-fatal, just a reminder | 00:50 |
TJ- | recon_lap: auth.log records all 'sudo' initiated commands. try to find the last occasion such was logged; that will narrow down the time window for when this issue began | 00:51 |
recon_lap | TJ-: I found when it started, 00:17:07 approx | 00:53 |
TJ- | recon_lap: what is your current local time ? | 00:53 |
recon_lap | 01:54:00 | 00:54 |
TJ- | ahhh, you're UK like me then. | 00:54 |
TJ- | OK, now correlate that time to package actions in /var/log/apt/history.log | 00:54 |
TJ- | recon_lap: now you've got a timeframe to search from, you can look at logs to determine if there are clues. | 00:55 |
recon_lap | the previous command was /usr/sbin/a2enmod php5 | 00:55 |
TJ- | recon_lap: for very specific apt activity look in /var/log/apt/term.log | 00:56 |
TJ- | recon_lap: ok, so this looks to have happened *after* the packages were installed, and possibly related to the invocation of a2enmod ? | 00:56 |
recon_lap | TJ-: looks that way to me, the a2enmod root session closed ok, then the next command sudo service apache2 restart bombed | 00:57 |
=== cyphase_ is now known as Guest56642 | ||
TJ- | recon_lap: now check that a2enmod is not a malicious tool: " pushd /; grep usr/sbin/a2enmod /var/lib/dpkg/info/apache2.md5sums | md5sum -c; popd " | 00:59 |
TJ- | recon_lap: also check 'sudo' itself: " pushd /; grep usr/bin/sudo /var/lib/dpkg/info/sudo.md5sums | md5sum -c; popd " | 01:00 |
recon_lap | there was one error in the php5 install log "Error: PHP7.0 module already enabled, not enabling php5 , Setting up php5-readline (5.6.17+dfsg-3ubuntu1) | 01:02 |
=== flocculant_ is now known as flocculant | ||
recon_lap | getting no properly formatted MD5 checksum found from the a2enmod check, sudo checks out ok | 01:10 |
TJ- | recon_lap: hmmm, really? | 01:12 |
TJ- | let's follow that up then | 01:12 |
TJ- | check the md5sums file looks ok manually: "grep sbin/a2enmod /var/lib/dpkg/info/apache2.md5sums" | 01:13 |
recon_lap | TJ-: never mind, I'd left the s off sbin, oops | 01:15 |
TJ- | hahaha | 01:16 |
recon_lap | usr/sbin/a2enmod: ok | 01:16 |
recon_lap | TJ: there is an odd one in the auth log, "polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.124 [systemctl restart apache2.service] (owned by unix-user:mec) | 01:25 |
recon_lap | and I had recently entered the "ServerName localhost" into /etc/apache2/conf-available/fqdn.conf | 01:27 |
TJ- | recon_lap: that auth log message, decoded, says to me that due to your user 'mec' losing sudo privs polkitd reports the systemd dbus service refusing service | 01:32 |
TJ- | recon_lap: so, that seems to confirm that something happened before you tried to restart the apache service, but after installing the package | 01:32 |
TJ- | so, you've now got a very narrow time window to work with, which helps | 01:33 |
recon_lap | sudo a2enmod php5 | 01:33 |
TJ- | recon_lap: without having access to that PC it's hard to take this further; it certainly appears on the face of it to be a security issue that needs solving to prove there's nothing wrong/dangerous with the packages themselves | 01:35 |
bandit-led | anyone having issues with tty and latest nvidia? | 01:37 |
recon_lap | TJ-: I really don't know, but I've a feeling it's more like I found an interesting way to blow up the sudo file rather than anything malicious. | 01:38 |
TJ- | well that's Denial of Service of a rather severe kind; not something we escaping, especially because apache/php is deployed on remote servers where access to physical console may be impossible | 01:39 |
recon_lap | TJ-: the box was firewalled, no incoming connections | 01:41 |
recon_lap | not that that is proof of anything :) | 01:41 |
recon_lap | anyways, it's late, I'll have to have a go at fixing it tomorrow. thx for the help TJ- , pity we did not find anything concrete. Thought you'd be interested in here as it's a rather nasty issue | 01:46 |
recon_lap | ok, re-adding myself to the sudoers file was stupidly easy | 01:51 |
recon_lap | TJ-: www.pastebin.com/a714JqYR auth.log | 02:03 |
TJ- | recon_lap: how about this... something in the installed PHP web application code you've got there managed to do this when apache started? the fact you said that apache2 server itself 'blew up' might indicate a vulnerability exploit | 02:07 |
=== cyphase_ is now known as Guest77481 | ||
recon_lap | TJ-: trying to look at the apache2 logs now. having some issues getting to the apache dir !! | 02:10 |
recon_lap | nothing in the apache2 logs other than the crash at 00:17 , it's still segfaulting when I try to start it now though. | 02:21 |
recon_lap | uninstalling libapache2-mod-php5 fixes apache | 02:24 |
recon_lap | and g'night | 02:26 |
=== ren0v0_ is now known as ren0v0 | ||
lordievader | Good morning. | 09:13 |
Mathisen | hello, this morning when I'm trying to " sudo apt update " I get hash sum mismatch ??? | 10:04 |
Mathisen | what is going on | 10:04 |
Mathisen | using se.archive.ubuntu | 10:05 |
Mathisen | and how do i fix this ? | 10:05 |
Mathisen | change mirror ? | 10:06 |
pesari | Mathisen: you could ask at #ubuntu-mirrors | 10:07 |
Mathisen | will do | 10:07 |
zxd | I have Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03) , using xubuntu 16 beta When X loads I get corrupted display if I goto console ctrl+alt+f1 and back alt+f7 the screen becomes clean again | 11:10 |
zxd | why does this happen? | 11:10 |
BluesKaj | Hiyas all | 13:36 |
petrovich | Hi there | 15:23 |
petrovich | is it me, or can no one upgrade their ubuntu? | 15:24 |
nicomachus | petrovich: what do you mean? | 15:26 |
petrovich | systemd package is corrupted | 15:26 |
petrovich | Unpacking systemd (229-3ubuntu2) over (229-3ubuntu1) ... dpkg-deb (subprocess): decompressing archive member: lzma error: compressed data is corrupt | 15:26 |
nicomachus | that would be just you. | 15:26 |
xothed | Hi I have problem with pipelight ppa. Added repo | 15:26 |
xothed | but sudo apt-get update doesn't fetch | 15:26 |
xothed | package | 15:26 |
xothed | and I can't install it | 15:27 |
nicomachus | xothed: which ppa are you using? ppa:pipelight/stable or ppa:mqchael/pipelight? | 15:27 |
xothed | pipelight/stable | 15:28 |
nicomachus | xothed: one sec, let me try here. | 15:29 |
xothed | i see when doing update.. but package is not downloaded http://ppa.launchpad.net/pipelight/stable/ubuntu xenial InRelease | 15:29 |
BluesKaj | xothed, did you add any keys? | 15:29 |
xothed | yes | 15:30 |
xothed | http://ppa.launchpad.net/pipelight/stable/ubuntu xenial InRelease | 15:30 |
xothed | sudo apt-add-repository ppa:pipelight/stable | 15:30 |
jshusky_26 | Hi guys, I installed a 16.04 alpha a few weeks ago. I do sudo apt-get update/upgrade every time I boot to get up to speed. Today I checked uname -r and saw 4.4.0-15. I expected to see 4.4.5/6 that I understood the final beta to be at. Question is this; is there something special I should be doing that I may not be doing in order to keep a dev-version current? | 15:30 |
xothed | press enter to add keys | 15:30 |
xothed | but nothing is fetched | 15:31 |
nicomachus | jshusky_26: are you doing dist-upgrade? | 15:31 |
xothed | nicomachus, did you try? | 15:32 |
jshusky_26 | ...nope, does that mean I'm still on the alpha I installed? | 15:33 |
xothed | nicomachus ? | 15:35 |
nicomachus | jshusky_26: I'm still on 4.4.0-12 | 15:35 |
xothed | BluesKaj, any idea why it doesn't work | 15:35 |
nicomachus | xothed: one sec, just got into my home box. | 15:35 |
xothed | ok | 15:35 |
jshusky_26 | looks like there are upgrades to be had with dist-upgrade though to 4.4.0-16. --if you're still on 4.4.0, I must be mistaken | 15:36 |
nicomachus | xothed: I'm having issues installing that as well. You may need to contact the PPA maintainer. | 15:37 |
jshusky_26 | I'm hoping to stop with the dev-releases once 16.04 is released and stay there. Should I be doing the dist-upgrade until that happens? | 15:37 |
nicomachus | jshusky_26: you should always do dist-upgrades to make sure the kernel is up to date. | 15:38 |
xothed | nicomachus, ugh | 15:39 |
nicomachus | xothed: I know, sorry. That's what happens with beta releases. | 15:39 |
nicomachus | ¯\_(ツ)_/¯ | 15:39 |
xothed | daily-build is still beta ? | 15:41 |
nicomachus | yes. | 15:41 |
jshusky_26 | nicomachus: oh... | 15:41 |
jshusky_26 | good to know | 15:41 |
xothed | when is the official release expected ? | 15:41 |
BluesKaj | I'm totally up to date and it looks like the pipelight /stable ppa doesn't have the packages ..tried the ppa myself and it shows up in the update but no packages available, xothed | 15:43 |
nicomachus | April 21st | 15:43 |
nicomachus | Hmmm.... Chrome still can't get their crap together? https://paste.ubuntu.com/15589524/ | 15:43 |
xothed | BluesKaj, I have the same issue | 15:43 |
nicomachus | me too | 15:44 |
xothed | but its weird, because page shows that something should be able to be fetched | 15:44 |
xothed | https://launchpad.net/~pipelight/+archive/ubuntu/stable?field.series_filter=xenial | 15:44 |
nicomachus | xothed: yea, there's an issue with the package. As I said earlier, you'll have to contact the dev. | 15:45 |
xothed | btw is there any difference in using the Intel drivers for Skylake HD 530 or the built-in kernel ones, other than support ? | 15:46 |
xothed | I see in drivers the option to choose Intel microcode | 15:46 |
Bluefoxicy | has anyone actually tried removing transitional dummy packages? | 18:18 |
Bluefoxicy | damn | 18:44 |
Bluefoxicy | Ubuntu really doesn't support wine | 18:44 |
Bluefoxicy | current stable 1.8.1, ubuntu has 1.6 and 1.4 | 18:44 |
recon_lap | well, I think this install of 16.04 is toast and has to be reinstalled | 18:46 |
recon_lap | somehow my admin account got removed from all privileged groups and it's nothing but issues now. | 18:47 |
=== StaffUnicorn is now known as nhandler | ||
recon_lap | well, ok, maybe not toast, re-adding myself seems to have fixed the current issues | 18:55 |
Madhumper69 | is there somewhere where I can find the latest kernel information and changes for ubuntu? I can't seem to find anything, only new kernel 4.4.6 install information? is this the latest kernel? | 18:57 |
Bluefoxicy | yes it's the latest kernel | 18:58 |
Bluefoxicy | I wish they'd publish a -ck kernel too but oh well. | 18:58 |
Madhumper69 | installed it and it works great, I'm 1 month new to ubuntu and have learned a lot, I resolved and learned so much in a month. | 18:58 |
Madhumper69 | hosting webpages and mounting a ntfs drive to share on the network was a tricky one lol | 18:59 |
Madhumper69 | -ck kernel? | 19:01 |
echeese_ | Hey there, trying out 16.04 and I get a black screen shortly after boot when I start up without nomodeset | 19:51 |
echeese_ | any ideas? | 19:51 |
recon_lap | echeese_: find the bug report for the blank screen at boot up and see if it's fixed yet, that's an old one as far as I can remember | 20:02 |
rud0lf | hello | 21:49 |
rud0lf | can i turn old-fashioned (14.04) window sliders back on? | 21:49 |
rud0lf | the new are too small for my clumsy hand :[ | 21:49 |
rud0lf | or scrollbars, not sure the name | 21:51 |
rud0lf | gsettings set com.canonical.desktop.interface scrollbar-mode says 'overlay-auto' | 21:53 |
rud0lf | (get, not set, pardon) | 21:53 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!