I’ve been using Qubes as my daily for about half a year now. I’ve been dealing with this APT since Dec 2023. I’ve come to love Qubes, so this kinda hurt.
I found the breach last night. What are the IOCs? Painful upload times, router firewall blocking attacks minutes after being reset. Then later in the day I notice a lack of privileges, a boom of unknown processes, cleaning of the logs, you know the classics.
Usually I wipe the system and move on. But I can’t this time: I have mad design work that took forever to get centralized on this current system. I have to recover this. There is no other option.
I’m just going to run down things I noticed and took pictures of last night. Hopefully it’ll help you, and maybe I can get better at this as well.
So in shadow, check out how he disabled the root user, also in the same photo how he took over the Gshock account and how he put the password right in the file. Neat. I don’t know how he does it, but he always uses PAM against me.
OK, so this one’s a little crazy. Towards the bottom he starts a DVM, Disp5101, and changes the policy over Dom0. There’s another photo where he changes the usb qube to change dom0.
The message “Repartition Root Disk was skipped because no trigger condition checks were met” comes from systemd-repart.service, which is part of systemd and documented on the Freedesktop website, as well as on the Arch Linux wiki, Debian and other places.
But the other messages could point to power-loss, tampering or bugs.
I can’t see those images, so I’m working entirely off your descriptions.

In /etc/shadow the root user is disabled in a normal Qubes install - this is not a sign of anything untoward.

I’m not sure what you mean by “put the password right in the file” - if you mean that your plaintext password has been inserted into /etc/shadow, this would be foolish - that user would be blocked from logging in. But I’m at a loss to understand what you might mean.

Absent more details about the alleged takeover of your user account, there’s nothing here.
I’ve commented on some of your other posts.

I can’t see your images, but from your descriptions there’s nothing here, except possibly “start a disposable” and “change the policy over dom0” - but you’d have to explain in detail what was the change in what policy to convince me this isn’t normal Qubes usage.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
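Added example (mine, not the poster’s or the Qubes project’s code) illustrating the /etc/shadow point above: a small classifier for shadow(5) password fields that shows why a `*` or `!`-prefixed field means “password login disabled” rather than “compromised”, and why a plaintext password pasted into that field locks the user out instead of letting anyone in. The sample lines are constructed, the hash bodies are placeholders, and the account names are hypothetical.

```python
# Added example: classify the password field of /etc/shadow entries the way
# pam_unix/crypt(3) treat them. Field layout follows shadow(5); the sample
# lines below are constructed and the hash bodies are placeholders.
import re

# Modular crypt(3) hashes: $1$ md5, $2a/$2b/$2y$ bcrypt, $5$ sha256,
# $6$ sha512, $7$ scrypt, $y$/$gy$ yescrypt; the body may carry "rounds=N$".
_MODULAR_HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|7|y|gy)\$[A-Za-z0-9./=$,-]+$")
# Traditional DES crypt: exactly 13 chars from the crypt alphabet.
_DES_HASH_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def classify_password_field(field: str) -> str:
    """Return how the login subsystem treats one shadow password field."""
    if field == "":
        # No password at all: password-less login if the PAM stack has nullok.
        return "empty"
    if field == "*" or field.startswith("!"):
        # "*", "!", "!!" or "!<hash>" (usermod -L): no crypt() output can ever
        # equal these, so password login is disabled. This is the normal state
        # of root on a stock Qubes dom0 and of system accounts.
        return "locked"
    if _MODULAR_HASH_RE.match(field) or _DES_HASH_RE.match(field):
        return "hashed"
    # Anything else, e.g. a plaintext password typed into the file, is used as
    # the crypt() "setting"; it is not a valid salt/hash, so the comparison
    # fails for every candidate password and the user is effectively locked
    # out, not compromised.
    return "invalid"


def parse_shadow(text: str) -> dict:
    """Map user name -> classification for each shadow(5) line."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        user, pw_field = fields[0], fields[1]
        result[user] = classify_password_field(pw_field)
    return result


def audit(entries: dict) -> list:
    """Accounts worth a second look: password-less or garbage password fields."""
    return sorted(u for u, c in entries.items() if c in ("empty", "invalid"))


# Constructed sample; hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
gshock:$6$rounds=5000$saltsalt$QzBjc0hMbnFXaVNqNHJ0Vw:19700:0:99999:7:::
sysuser:!!:19700::::::
suspended:!$y$j9T$abcdefghijklmnop$qrstuvwxyz:19700:0:99999:7:::
legacy:ab0Xy1Zq2Wv3D:19700:0:99999:7:::
oops:hunter2:19700:0:99999:7:::
nopass::19700:0:99999:7:::
"""

if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for user, state in entries.items():
        print(f"{user:10s} {state}")
    print("needs attention:", audit(entries))
```

To run it against a real dom0 you would feed `open("/etc/shadow").read()` to `parse_shadow` as root; on a stock install `root` comes out as `locked`, which is exactly the “disabled root” the reply above calls normal. Only `empty` and `invalid` results point at something that needs explaining, and `invalid` is the case where a plaintext password was written into the file.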
Sorry, you wrote shock, I should’ve assumed gshock. When I try to make changes I’m no longer able to because I don’t have the privileges. I thought the shadow doc proved it, but I guess not. I’ll show you more, maybe of the users in the groups.
@Cantwin: looks like you’re overreacting. Your system crashed somehow, and the nvme1p2 (your LUKS) journal was recovered, while nvme1p1 (probably /boot) was not automatically fixed. The rest of the screenshots (/etc/shadow, the dom0 policies) are normal, as @alimirjamali pointed out.