Qubes Connected Automatically to These IPs: what does it mean? Was I hacked?

Yeah, I might be hacked. Weird traffic going on…
Should these IPs be active in Qubes, as in uploading stuff or even being connected? nethogs said traffic was uploaded or connected… Am I just being paranoid? Is this normal for Qubes? I got nothing illegal on my PC, so yeah… it would be weird if I'm interesting. Got nothing to hide and not doing anything illegal.

104.236.116.147 US Clifton, New Jersey, United States, North America 104.236.116.0/22 07014 40.8364, -74.1403 20 Digital Ocean Digital Ocean 501
38.145.60.20 US United States, North America 38.145.60.0/22 37.751, -97.822 1000 Red Hat REDHAT-3 redhat.com
209.132.190.2 US United States, North America 209.132.190.0/23 37.751, -97.822 1000 Red Hat Red Hat redhat.com
130.236.254.253 SE Linköping, Östergötland County, Sweden, Europe 130.236.254.0/24 581 83 58.4016, 15.6462 20 Linkopings universitet Linkopings universitet liu.se

? Thanks

Also, I have nothing to hide. I just wish others would respect my privacy if my machine is hacked…
It's disrespectful… traffic in either sys-net or sys-firewall…
I'm too lazy to re-install Qubes…
I can check the traffic some more…

Edit: It can't just be the fedora-34 updates, right? What's the best way to check if dom0 is hacked? Or Qubes overall?

It could be just updates. Disable the automatic updates check in the Qubes Global Settings and see if anything changes.

2 Likes

As an example: I usually use MikroTik equipment as a router. The capabilities of RouterOS are very large, and help to conveniently control and monitor traffic. It is also very convenient to write security rules in the firewall.

1 Like

What exactly do you think is hacked?

OK, but I should be able to filter in software also…

I don't know… Trying to sniff traffic in the firewall and letting in traffic and so on… Trying to set up a HIPS in Qubes because it's not on by default. But I don't really know how to set it up in the best way… I want an overview of the traffic in Qubes… Even after a fresh install I get OVH in connections… weird. Might be the server for updates, though.
Trying to get some feeling and overview, but I just figured out that OpenSnitch in the firewall could be good to have!

That might be the case also… I re-installed anyway… Qubes should have a HIPS by default… Some cool live widget that shows the traffic. Winamp style…
What is the best way to keep track of traffic in Qubes if the system behaves strangely, let's say? Wireshark in sys-firewall?

13 posts were split to a new topic: Staying sane in a surveillance capitalism world (available only to trust level 2 users)

Wireshark in sys-firewall if you're not considering an attacker hacking dom0.
Wireshark on your router/hardware firewall if you are considering an attacker hacking dom0.

I wouldn't be so sure that voice calls over GSM and SMS are such a good idea.
The mobile operator can read your SMS and listen to your voice. So can anyone who can pay money to a corrupt mobile operator employee. Not even talking about state actors.
While there is the obvious problem of eavesdropping when using GSM calls and SMS, there is also a problem when someone has access to a large array of your voice data and can use it to train their neural network and, in the end, make a high-quality fake of your voice for different purposes.
Looking at it from this side, the option of using an encrypted messenger app and an encrypted VoIP app over mobile internet looks more attractive to me.

Btw, AIDE gives more peace of mind… You know if someone is on the system or not, and that could be good. So AIDE in dom0 is kinda like a firewall… Just a system check.
Maybe in sys-net also? Maybe sys-firewall…
AIDE is very clever!

Does this mean I'm hacked? In sys-net…


Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/synth/emux
  Inode    : 9848                             | 30398

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb
  Inode    : 9779                             | 30329

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/6fire
  Inode    : 9853                             | 30403

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/bcd2000
  Inode    : 9852                             | 30402

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/caiaq
  Inode    : 9854                             | 30404

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/hiface
  Inode    : 9849                             | 30399

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/line6
  Inode    : 9851                             | 30401

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/misc
  Inode    : 9850                             | 30400

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/usx2y
  Inode    : 9855                             | 30405

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/virtio
  Inode    : 9782                             | 30332

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/x86
  Inode    : 9776                             | 30326

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/xen
  Inode    : 9784                             | 30334

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/virt
  Inode    : 8901                             | 29451

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/virt/lib
  Inode    : 9857                             | 30407

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/systemtap
  Inode    : 8890                             | 29440

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/updates
  Inode    : 8892                             | 29442

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/vdso
  Inode    : 8893                             | 29443

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/weak-updates
  Inode    : 8891                             | 29441

Directory: /usr/lib/modules/firmware
  Inode    : 62                               | 20209

Directory: /usr/lib/modules/firmware/5.10.112-1.fc32.qubes.x86_64
  Inode    : 9863                             | 30413

Directory: /usr/lib/modules/lost+found
  Inode    : 63                               | 20210


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz

And a lot of other entries… dom0 seems to be clean. Kinda interesting to learn how to check if a Qubes OS installation is hacked or not, and the different techniques.

Hehe, yeah, I might be hacked actually! Weird. I'm not that interesting, so that's weird… Or if I did install something in the work terminal… Not sure now.
I got this in dom0:

AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	
  Added entries:		23
  Removed entries:		1
  Changed entries:		6

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/libvirt/libxl/disp7926.xml
f++++++++++++++++: /etc/libvirt/libxl/work.xml
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01525-2027803273.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01526-338206498.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01527-2002950907.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01528-2143776976.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01529-990793250.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01530-2030022979.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01531-2119476302.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01532-1335343791.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01533-553133732.vg
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /root/.xauthvlk2rj
f++++++++++++++++: /var/log/libvirt/libxl/disp7926.log
f++++++++++++++++: /var/log/libvirt/libxl/work.log
f++++++++++++++++: /var/log/qubes/guid.disp7926.log
f++++++++++++++++: /var/log/qubes/guid.work.log
f++++++++++++++++: /var/log/qubes/qrexec.disp7926.log
f++++++++++++++++: /var/log/qubes/qrexec.work.log
f++++++++++++++++: /var/log/qubes/qubesdb.disp7926.log
f++++++++++++++++: /var/log/qubes/qubesdb.work.log
f++++++++++++++++: /var/log/xen/console/guest-disp7926.log
f++++++++++++++++: /var/log/xen/console/guest-work.log

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /root/.xauthLp1UAT

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...   i  .   : /etc/libvirt/libxl/untrusted.xml
d = ... mc.. ..  : /root
f = ... mc..C..  : /var/log/lastlog
f < ...   i. .. .: /var/log/qubes/guid.untrusted.log
f = ...   i. .. .: /var/log/qubes/guid.untrusted.log.old
f < ...   .. .. .: /var/log/qubes/qrexec.untrusted.log

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/libvirt/libxl/untrusted.xml
  Inode    : 802619                           | 802665

Directory: /root
  Mtime    :        | 
  Ctime    :       | 

File: /var/log/lastlog


File: /var/log/qubes/guid.untrusted.log
  Size     : 1991                             | 19
  Inode    : 802088                           | 802087

File: /var/log/qubes/guid.untrusted.log.old
  Inode    : 802087                           | 802088

File: /var/log/qubes/qrexec.untrusted.log
  Size     : 3015                             | 0


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------


I'm hacked, right?
Or maybe because I installed something. I need to learn this one before I can know if I'm hacked or not. :wink: Might have been me also. Yeah, it's hard to know if you are no coder like others on here. I need to mess around with AIDE and learn it. :wink:
I did set sudo su in sys-net and firewall just to test…
If someone were on the machine they might get in from that, I don't know.

If I'm even hacked, that is. I might not be. I don't know yet.
Edit: I might not be hacked… But dom0 registers if I just open a browser… dvm-whonix, personal or work.
So yeah… I need to try and learn these patterns if I am going to know anything about this. It's a kinda new install, so it would be weird if it were hacked, that is all.

Also! I can see if I open browsers, but not if I install an audio player in an AppVM as a test… why is that? It does not show up in a template either! So how do I know what an attacker does on Qubes OS even?
This OS has nothing by default when it comes to an overview of the system and potential attackers…
And I don't think that is secure thinking if the OS itself does not warn by default when a system is compromised. That should be security thinking…

AIDE?

Moderation note: Rephrased the title to make the question more explicit and moved all off-topic discussion about dissatisfaction with surveillance capitalism and what to do about it to our off-topic section. (available only to trust level 2 users)

1 Like

OK, thanks… But do you think it was the update servers or the machine being hacked? Which sources does Qubes use for updates?

Yes. It checks the integrity of the filesystem… So if anyone logs in and changes stuff, it will show up. But dom0 registers all kinds of stuff, so you need to know how that works, which I don't really do or understand. I'm no coder or hacker like that.

It's really important that you know what normal looks like, before launching off into "Have I been hacked?"

Let's look at the first issue - you haven't got any trace, but just from the IPs it looks normal:
You can use dig -x to get the name from the IP address.
104.236.116.147 - ellone.fdisk.io
A quick search would confirm that this is an NTP server.

38.145.60.20 - proxy-iad01.fedoraproject.org
That's a normal Fedora mirror.

130.236.254.253 - ftp.lysatr.liu.se
That's a normal Fedora mirror.

A couple of minutes searching would have shown you that there's unlikely to be an issue here. It's standard time and update checking. If you don't want it, turn it off.

Now for the AIDE output - it's almost impossible to use any host IDS unless you know what is normal and factor it into the configuration. If you don't do this you will be swamped by false positives.

"i might be hacked actually!" - No, you're not.
There is absolutely nothing unusual here.
You may be surprised at the /etc/lvm/archive/ entries - your qubes are stored in an LVM pool, and Qubes keeps track of changes using the LVM archive.
You can see why those archives were created using vgcfgrestore -l qubes_dom0
The output will show you, for each entry, when and why it was created.

So, no suspicious IPs, no suspicious file activity - case closed.

4 Likes
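The "know what is normal and factor it in" point above, as an added example that is not part of the thread and not code from the Qubes project or from AIDE: a small Python triage script that parses the AIDE report layout (the same one shown in the dom0 post) and separates the entries a Qubes-specific baseline explains from the ones that still need a manual look. The sample report, the baseline patterns and the extra path /usr/local/bin/constructed-unexpected-binary are constructed for this example; the baseline is the kind of list unman describes, not an official Qubes one.

```python
"""Triage an AIDE report against a baseline of the churn Qubes itself causes.
Added example for this thread, not code from the Qubes project or from AIDE.
The baseline is an assumption covering what this thread's dom0 report showed,
not an official list: extend it only with entries you have accounted for."""
import re

# Constructed sample: paths copied from the dom0 report posted above (dashed
# separator lines dropped), plus one made-up "added" path so that the
# needs-review branch is exercised.
SAMPLE_REPORT = """\
Added entries:

f++++++++++++++++: /etc/libvirt/libxl/disp7926.xml
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01525-2027803273.vg
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /root/.xauthvlk2rj
f++++++++++++++++: /var/log/qubes/qrexec.work.log
f++++++++++++++++: /usr/local/bin/constructed-unexpected-binary

Removed entries:

f----------------: /root/.xauthLp1UAT

Changed entries:

f   ...   i  .   : /etc/libvirt/libxl/untrusted.xml
d = ... mc.. ..  : /root
f = ... mc..C..  : /var/log/lastlog
f < ...   i. .. .: /var/log/qubes/qrexec.untrusted.log

Detailed information about changes:
"""

# Assumed baseline: (path regex, why Qubes produces it). Not an official list.
EXPECTED_QUBES_CHURN = [
    (r"^/etc/lvm/archive/qubes_dom0_\d+-\d+\.vg$", "LVM metadata archive, written when a qube volume changes"),
    (r"^/etc/libvirt/libxl/[\w.-]+\.xml$", "libvirt domain definition, rewritten when a qube is (re)defined on start"),
    (r"^/var/log/(qubes|libvirt/libxl|xen/console)/", "per-qube log file"),
    (r"^/root/\.xauth\w+$", "X authority file of the root session"),
    (r"^/root$", "/root directory timestamps"),
    (r"^/var/log/lastlog$", "login record"),
    (r"^/root/\.bash_history$", "written by an interactive root shell in dom0"),
]

# Column layout of AIDE's summary string (documented in the aide manual).
SUMMARY_COLUMNS = "YlZbpugamcinCAXSE"
COLUMN_NAMES = {"l": "link", "b": "blocks", "p": "permissions", "u": "uid", "g": "gid",
                "a": "atime", "m": "mtime", "c": "ctime", "i": "inode", "n": "link count",
                "C": "checksum", "A": "acl", "X": "xattrs", "S": "selinux", "E": "e2fs attrs"}
SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
ENTRY_RE = re.compile(r"^(\S.*?): (/.*)$")  # "<summary>: /path"


def decode_summary(summary):
    """Return the attributes a 'Changed entries' summary string marks as changed."""
    changed = set()
    for col, ch in zip(SUMMARY_COLUMNS[1:], summary[1:]):
        if ch in ". =":  # '.' unchanged, ' ' not compared, '=' same size
            continue
        changed.add(("size shrank" if ch == "<" else "size grew") if col == "Z"
                    else COLUMN_NAMES[col])
    return changed


def parse_aide_report(text):
    """Return (section, summary, path) for every entry in the report."""
    entries, section = [], None
    for line in text.splitlines():
        if line.startswith("Detailed information"):
            break  # the detail block repeats the same paths in another layout
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if section and m:
            entries.append((section, m.group(1), m.group(2)))
    return entries


def triage(entries, baseline=EXPECTED_QUBES_CHURN):
    """Split entries into those the baseline explains and those to inspect by hand."""
    expected, review = [], []
    for section, summary, path in entries:
        reason = next((why for pat, why in baseline if re.match(pat, path)), None)
        if reason:
            expected.append((section, path, reason))
        else:
            attrs = decode_summary(summary) if section == "changed" else set()
            review.append((section, path, attrs))
    return expected, review


if __name__ == "__main__":
    ok, todo = triage(parse_aide_report(SAMPLE_REPORT))
    print(f"{len(ok)} entries explained by the Qubes baseline, {len(todo)} to review:")
    for section, path, attrs in todo:
        print(f"  [{section}] {path} {sorted(attrs)}")
```

The proper long-term fix is to encode the same knowledge in aide.conf so those entries never show up in the first place; a post-filter like this is just a quick way to see what your baseline does and does not yet account for. Grow the baseline only from entries you have explained yourself, for instance the LVM archives via vgcfgrestore -l qubes_dom0 as described above, so that an unexpected binary or a changed config file is not buried under per-qube log noise.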

Thank you unman. You always have good-quality answers and posts.
But what's the easiest way to check if I have been hacked? Qubes should have a sound alert when that happens… Or some easy way to check it?

“Now for the AIDE output - it’s almost impossible to use any host IDS
unless you know what is normal and factor it in to the configuration.
If you don’t do this you will be swamped by false positives.”

I agree. Could someone make a guide on how to know your Qubes have been hacked, maybe?

A how-to guide: "101 guide to know if your Qubes OS has been hacked."
Or on how to set up an easy IDS and HIPS, maybe. Snort or whatever… Whatever protection is the best. AIDE with the right config, maybe. That would be cool.
An AIDE guide with the right config, or if there are config files in AIDE for Qubes.

You already started a topic about it:

1 Like