Yeah, I might be hacked. Weird traffic going on…
Should these IPs be active in Qubes, as in uploading stuff or even being connected? nethogs said traffic was uploaded or connected… Am I just being paranoid? Is this normal for Qubes? I've got nothing illegal on my PC, so yeah… it would be weird if I'm interesting. Got nothing to hide and not doing anything illegal.
104.236.116.147 (US: Clifton, New Jersey, United States, North America) 104.236.116.0/22, 07014, 40.8364, -74.1403, 20, Digital Ocean, Digital Ocean, 501
38.145.60.20 (US: United States, North America) 38.145.60.0/22, 37.751, -97.822, 1000, Red Hat, REDHAT-3, redhat.com
209.132.190.2 (US: United States, North America) 209.132.190.0/23, 37.751, -97.822, 1000, Red Hat, Red Hat, redhat.com
130.236.254.253 (SE: Linköping, Östergötland County, Sweden, Europe) 130.236.254.0/24, 581 83, 58.4016, 15.6462, 20, Linkopings universitet, Linkopings universitet, liu.se
? Thanks
Also, I have nothing to hide. I just wish others would respect my privacy if my machine is hacked…
It's disrespectful… traffic in either sys-net or sys-firewall…
I'm too lazy to re-install Qubes…
I can check the traffic some more…
edit: It can't just be the fedora-34 updates, right? What's the best way to check if dom0 is hacked? Or Qubes overall?
As an example. I usually use Mikrotik equipment as a router. The capabilities of the Router OS are very large, and help to conveniently control and monitor traffic. It is also very convenient to write security rules in the firewall.
I don't know… Trying to sniff traffic in the firewall and letting in traffic and so on… Trying to set up a HIPS in Qubes because it's not on by default. But I don't really know how to set it up in the best way… I want an overview of the traffic in Qubes… Even after a fresh install I get OVH in connections… weird. Might be the server for updates though.
Trying to get some feeling and overview, but I just figured out that OpenSnitch in the firewall could be good to have!
That might be the case also… I re-installed anyway… Qubes should have a HIPS by default… Some cool live widget that shows the traffic. Winamp style…
What is the best way to keep track of traffic in Qubes if the system behaves strangely, let's say? Wireshark in sys-firewall?
Wireshark in sys-firewall, if you are not considering an attacker hacking dom0.
Wireshark on your router/hardware firewall, if you are considering an attacker hacking dom0.
I wouldn't be so sure that voice calls over GSM and SMS are such a good idea.
The mobile operator can read your SMS and listen to your voice. So can anyone who can pay money to a corrupt mobile operator employee. Not even talking about state actors.
While there is the obvious problem of eavesdropping while using GSM calls and SMS, there is also a problem when someone has access to a large array of your voice data and can use it to train their neural network and, in the end, make a high-quality fake of your voice for different purposes.
Looking at it from this side, the option of using an encrypted messenger app and an encrypted VoIP app over mobile internet looks more attractive to me.
Btw, AIDE gives more peace of mind… You know if someone is on the system or not, and that could be good. So AIDE in dom0 is like a firewall, kinda… Just a system check.
Maybe in sys-net also? Maybe sys-firewall…
AIDE is very clever!
And a lot of other entries… dom0 seems to be clean. Kinda interesting to learn how to check if a Qubes OS installation is hacked or not, and the different techniques.
hehe yeah, I might be hacked actually! Weird. I'm not that interesting, so that's weird… Or if I did install something in the work terminal… Not sure now.
I got this in dom0:
AIDE found differences between database and filesystem!!
Summary:
Total number of entries:
Added entries: 23
Removed entries: 1
Changed entries: 6
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/libvirt/libxl/disp7926.xml
f++++++++++++++++: /etc/libvirt/libxl/work.xml
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01525-2027803273.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01526-338206498.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01527-2002950907.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01528-2143776976.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01529-990793250.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01530-2030022979.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01531-2119476302.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01532-1335343791.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01533-553133732.vg
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /root/.xauthvlk2rj
f++++++++++++++++: /var/log/libvirt/libxl/disp7926.log
f++++++++++++++++: /var/log/libvirt/libxl/work.log
f++++++++++++++++: /var/log/qubes/guid.disp7926.log
f++++++++++++++++: /var/log/qubes/guid.work.log
f++++++++++++++++: /var/log/qubes/qrexec.disp7926.log
f++++++++++++++++: /var/log/qubes/qrexec.work.log
f++++++++++++++++: /var/log/qubes/qubesdb.disp7926.log
f++++++++++++++++: /var/log/qubes/qubesdb.work.log
f++++++++++++++++: /var/log/xen/console/guest-disp7926.log
f++++++++++++++++: /var/log/xen/console/guest-work.log
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /root/.xauthLp1UAT
---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... i . : /etc/libvirt/libxl/untrusted.xml
d = ... mc.. .. : /root
f = ... mc..C.. : /var/log/lastlog
f < ... i. .. .: /var/log/qubes/guid.untrusted.log
f = ... i. .. .: /var/log/qubes/guid.untrusted.log.old
f < ... .. .. .: /var/log/qubes/qrexec.untrusted.log
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/libvirt/libxl/untrusted.xml
Inode : 802619 | 802665
Directory: /root
Mtime : |
Ctime : |
File: /var/log/lastlog
File: /var/log/qubes/guid.untrusted.log
Size : 1991 | 19
Inode : 802088 | 802087
File: /var/log/qubes/guid.untrusted.log.old
Inode : 802087 | 802088
File: /var/log/qubes/qrexec.untrusted.log
Size : 3015 | 0
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
I'm hacked, right?
Or maybe because I installed something. I need to learn this one before I can know if I'm hacked or not. Might have been me also. Yeah, it's hard to know if you are no coder like others on here. I need to mess around with AIDE and learn it.
I did set sudo su in sys-net and firewall just to test…
If someone were on the machine they might get in from that, I don't know.
If I'm even hacked, that is. I might not be. I don't know yet.
edit: I might not be hacked… But dom0 registers if I just open a browser… dvm-whonix, personal or work.
So yeah… I need to try and learn these patterns if I am going to know anything about this. It's a kinda new install, so it would be weird if it were hacked, that is all.
Also! I can see it if I open browsers, but not if I install an audio player in an AppVM as a test… why is that? It does not show up in a template either! So how do I know what an attacker does on Qubes OS even?
This OS has nothing by default when it comes to an overview of the system and potential attackers…
And I don't think that is secure thinking if the OS itself does not warn by default when a system is compromised. That should be security thinking…
Moderation note: Rephrased the title to make it more explicit about the question and moved all off-topic discussion about dissatisfaction with surveillance capitalism and what to do about it to our off-topic section (available only to trust level 2 users).
Yes. It checks the integrity of the filesystem… So if anyone logs in and changes stuff it will show up. But dom0 registers all kinds of stuff, so you need to know how that works, which I don't really do or understand. I'm no coder or hacker like that.
It's really important that you know what normal looks like, before launching off into "Have I been hacked?"
Let's look at the first issue. You haven't got any trace, but just from the IPs it looks normal:
You can use dig -x to get the name from the IP address.
104.236.116.147 - ellone.fdisk.io
A quick search would confirm that this is an NTP server.
130.236.254.253 - ftp.lysatr.liu.se
That's a normal Fedora mirror.
A couple of minutes searching would have shown you that there's unlikely to be an issue here. It's standard time and update checking. If you don't want it, turn it off.
Now for the AIDE output - it's almost impossible to use any host IDS unless you know what is normal and factor it in to the configuration. If you don't do this you will be swamped by false positives.
"i might be hacked actually!" - No, you're not.
There is absolutely nothing unusual here.
You may be surprised at the /etc/lvm/archive/ entries - your qubes are stored in an LVM pool, and Qubes keeps track of changes using the LVM archive.
You can see why those archives were created using vgcfgrestore -l qubes_dom0
The output will show you, for each entry, when and why it was created.
So, no suspicious IPs, no suspicious file activity - case closed.
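The "know what normal looks like" advice above can be turned into a small triage step that runs over the AIDE report before a human reads it. The following is an added example (not from unman's post, not from the Qubes project, and not something AIDE ships): it parses the Added/Removed/Changed lines of an AIDE report, matches each path against a list of patterns for the housekeeping dom0 does whenever qubes start and stop (libvirt domain XML, qrexec/GUI/Xen logs, the LVM archive, root's Xauthority temp files, lastlog), and surfaces only what the patterns do not explain. The pattern list is my assumption based on the report quoted earlier in this thread, and the sample lines are constructed from that report plus one invented entry (a changed `/usr/bin/qvm-run`) to show what an unexplained hit looks like.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the dom0 AIDE report quoted above.
# The final line (/usr/bin/qvm-run) is invented for the example; a changed
# binary is exactly the kind of entry the expected-noise list must NOT absorb.
SAMPLE_REPORT = """\
f++++++++++++++++: /etc/libvirt/libxl/disp7926.xml
f++++++++++++++++: /etc/libvirt/libxl/work.xml
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01525-2027803273.vg
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /root/.xauthvlk2rj
f++++++++++++++++: /var/log/qubes/qrexec.work.log
f----------------: /root/.xauthLp1UAT
d = ... mc.. .. : /root
f = ... mc..C.. : /var/log/lastlog
f = ... mc..C.. : /usr/bin/qvm-run
"""

# Assumption: paths that churn on a healthy dom0 as qubes start, stop and get
# resized. Anything not matched here is handed to a human. Note that
# /root/.bash_history is deliberately NOT listed: it appears when someone
# opens a root shell in dom0, which is fine if that someone was you.
EXPECTED_NOISE = [re.compile(p) for p in (
    r"^/etc/libvirt/libxl/[\w.-]+\.xml$",                       # per-qube domain XML
    r"^/etc/lvm/archive/qubes_dom0_\d+-\d+\.vg$",               # LVM archive, see vgcfgrestore -l
    r"^/var/log/(libvirt/libxl|qubes|xen/console)/[\w.-]+\.log(\.old)?$",
    r"^/root/\.xauth[A-Za-z0-9]+$",                             # per-session Xauthority temp files
    r"^/var/log/lastlog$",
    r"^/root$",                                                 # mtime/ctime of root's home
)]

# One AIDE summary line: type letter, attribute flags, colon, path.
# Added entries carry '+' flags, removed ones '-', changed ones a mix of
# '=', '<', '>', '.' and attribute letters.
LINE_RE = re.compile(r"^(?P<type>[fdl])(?P<attrs>[^:]*):\s*(?P<path>/\S*)\s*$")


@dataclass
class Entry:
    path: str
    kind: str   # "added", "removed" or "changed"
    ftype: str  # "f" file, "d" directory, "l" symlink


def parse_report(text: str) -> list[Entry]:
    """Extract the per-path entries; headers and separators are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m.group("attrs").strip()
        if attrs.startswith("+"):
            kind = "added"
        elif attrs.startswith("-"):
            kind = "removed"
        else:
            kind = "changed"
        entries.append(Entry(m.group("path"), kind, m.group("type")))
    return entries


def triage(entries: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Split entries into (explained-by-housekeeping, needs-review)."""
    expected, review = [], []
    for e in entries:
        bucket = expected if any(p.match(e.path) for p in EXPECTED_NOISE) else review
        bucket.append(e)
    return expected, review


def review_paths(text: str) -> list[str]:
    """Convenience wrapper: sorted paths a human still has to look at."""
    _, review = triage(parse_report(text))
    return sorted(e.path for e in review)


if __name__ == "__main__":
    expected, review = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(expected)} entries explained by normal Qubes housekeeping")
    for e in review:
        print(f"REVIEW  {e.kind:<8} {e.ftype}  {e.path}")
```

Run it against the report text you get from `aide --check` in dom0 and extend the pattern list only after you have confirmed, for example with `vgcfgrestore -l qubes_dom0` for the LVM entries, why a given path changed. The value of the script is the short list it leaves over, not the long list it hides.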
Thank you unman. You always have good-quality answers and posts.
But what's the easiest way to check if I have been hacked? Qubes should have a sound alert when that happens… Or some easy way to check it?
"Now for the AIDE output - it's almost impossible to use any host IDS unless you know what is normal and factor it in to the configuration. If you don't do this you will be swamped by false positives."
I agree. Could someone make a guide on how to know if your Qubes has been hacked, maybe?
A how-to guide. "101 guide to knowing your Qubes OS has been hacked."
Or on how to set up an easy IDS and HIPS, maybe. Snort or whatever… Whatever protection is the best. AIDE with the right config, maybe. That would be cool.
An AIDE guide with the right config, or if there are config files in AIDE for Qubes.