Qubes Connected Automatically to These IPs: what does it mean? Was I hacked?

What exactly you think is hacked?

ok, but i should be able to filter in software also…

I don’t know… Trying to sniff traffic in firewall and letting in traffic and so on… Trying to set up a HIPS in Qubes because it’s not on by default. But I don’t really know how to set it up in the best way… I want an overview of the traffic in Qubes… Even after a fresh install I get ovh in connections… weird. Might be the server for updates though.
Trying to get some feeling and overview but I just figured out that opensnitch in firewall could be good to have!

That might be the case also… I re-installed anyways… Qubes should have a HIPS by default… Some cool live widget that shows the traffic. Winamp style…
What is the best way to keep track of traffic in Qubes if the system behaves strange, let’s say? Wireshark in sys-firewall?

13 posts were split to a new topic: Staying sane in a surveillance capitalism world (available only to trust level 2 users)

Wireshark in sys-firewall if not considering attacker hacking dom0.
Wireshark on your router/hardware firewall if you consider attacker hacking dom0.

I wouldn’t be so sure that voice calls over GSM and SMS are such a good idea.
Mobile operator can read your SMS and listen to your voice. So can anyone who can pay money to the corrupt mobile operator employee. Not even talking about state actors.
While there is an obvious problem of eavesdropping while using GSM calls and SMS there is also a problem when someone has access to a large array of your voice information and can use it to train their neural network and in the end to make a high-quality fake of your voice for different purposes.
With a look from this side the option of using encrypted messenger app and encrypted VoIP app over mobile internet looks more attractive to me.

Btw. Aide gives more peace of mind… You know if someone is on the system or not and that could be good. So aide in dom0 is like a firewall kinda… Just a system check.
Maybe in sys-net also? Maybe sys-firewall…
aide is very clever!

Does this mean I’m hacked? In sys-net…


Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/synth/emux
  Inode    : 9848                             | 30398

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb
  Inode    : 9779                             | 30329

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/6fire
  Inode    : 9853                             | 30403

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/bcd2000
  Inode    : 9852                             | 30402

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/caiaq
  Inode    : 9854                             | 30404

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/hiface
  Inode    : 9849                             | 30399

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/line6
  Inode    : 9851                             | 30401

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/misc
  Inode    : 9850                             | 30400

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/usb/usx2y
  Inode    : 9855                             | 30405

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/virtio
  Inode    : 9782                             | 30332

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/x86
  Inode    : 9776                             | 30326

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/sound/xen
  Inode    : 9784                             | 30334

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/virt
  Inode    : 8901                             | 29451

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/kernel/virt/lib
  Inode    : 9857                             | 30407

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/systemtap
  Inode    : 8890                             | 29440

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/updates
  Inode    : 8892                             | 29442

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/vdso
  Inode    : 8893                             | 29443

Directory: /usr/lib/modules/5.17.8-100.fc34.x86_64/weak-updates
  Inode    : 8891                             | 29441

Directory: /usr/lib/modules/firmware
  Inode    : 62                               | 20209

Directory: /usr/lib/modules/firmware/5.10.112-1.fc32.qubes.x86_64
  Inode    : 9863                             | 30413

Directory: /usr/lib/modules/lost+found
  Inode    : 63                               | 20210


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz

And a lot of other entries… dom0 seems to be clean. Kinda interesting to learn how to check if a Qubes OS installation is hacked or not and the different techniques.

hehe yeah I might be hacked actually! Weird. I’m not that interesting so that’s weird… Or if I did install something in work terminal… Not sure now.
I got this in dom0:

AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	
  Added entries:		23
  Removed entries:		1
  Changed entries:		6

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/libvirt/libxl/disp7926.xml
f++++++++++++++++: /etc/libvirt/libxl/work.xml
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01525-2027803273.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01526-338206498.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01527-2002950907.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01528-2143776976.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01529-990793250.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01530-2030022979.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01531-2119476302.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01532-1335343791.vg
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01533-553133732.vg
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /root/.xauthvlk2rj
f++++++++++++++++: /var/log/libvirt/libxl/disp7926.log
f++++++++++++++++: /var/log/libvirt/libxl/work.log
f++++++++++++++++: /var/log/qubes/guid.disp7926.log
f++++++++++++++++: /var/log/qubes/guid.work.log
f++++++++++++++++: /var/log/qubes/qrexec.disp7926.log
f++++++++++++++++: /var/log/qubes/qrexec.work.log
f++++++++++++++++: /var/log/qubes/qubesdb.disp7926.log
f++++++++++++++++: /var/log/qubes/qubesdb.work.log
f++++++++++++++++: /var/log/xen/console/guest-disp7926.log
f++++++++++++++++: /var/log/xen/console/guest-work.log

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /root/.xauthLp1UAT

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...   i  .   : /etc/libvirt/libxl/untrusted.xml
d = ... mc.. ..  : /root
f = ... mc..C..  : /var/log/lastlog
f < ...   i. .. .: /var/log/qubes/guid.untrusted.log
f = ...   i. .. .: /var/log/qubes/guid.untrusted.log.old
f < ...   .. .. .: /var/log/qubes/qrexec.untrusted.log

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/libvirt/libxl/untrusted.xml
  Inode    : 802619                           | 802665

Directory: /root
  Mtime    :        | 
  Ctime    :       | 

File: /var/log/lastlog


File: /var/log/qubes/guid.untrusted.log
  Size     : 1991                             | 19
  Inode    : 802088                           | 802087

File: /var/log/qubes/guid.untrusted.log.old
  Inode    : 802087                           | 802088

File: /var/log/qubes/qrexec.untrusted.log
  Size     : 3015                             | 0


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------


I’m hacked right?
Or maybe because I installed something. I need to learn this one before I can know if I’m hacked or not. :wink: Might have been me also. Yeah it’s hard to know if you are no coder like others on here. I need to mess around with aide and learn it. :wink:
I did set sudo su in sys-net and firewall just to test…
If someone were on the machine they might get in from that, I don’t know.

If I’m even hacked that is. I might not be. I don’t know yet.
edit: I might not be hacked… But dom0 registers if I just open a browser… dvm-whonix, personal or work.
So yeah… I need to try and learn these patterns if I am going to know anything about this. It’s a kinda new install so it would be weird if it would be hacked, that is all.

Also! I can see if I open browsers, but not if I install an audio player in an AppVM as a test… why is that? It does not show up in a template either! So how do I know what an attacker does on Qubes OS even?
This OS has nothing as default when it comes to overview of the system and potential attackers…
And I don’t think that is secure thinking if the OS itself does not warn if a system is compromised by default. That should be security thinking…

Aide?

Moderation note: Rephrased the title to make it more explicit of the question and moved all off-topic discussion about dissatisfaction with surveillance capitalism and what to do about it to our off-topic section. (available only to trust level 2 users)

1 Like

ok thanks… But do you think it was update servers or the machine hacked? Which sources does Qubes use for updates?

Yes. It checks the integrity of the filesystem… So if anyone logs in and changes stuff it will show up. But dom0 registers all kinds of stuff so you need to know how that works, which I don’t really do or understand. I’m no coder or hacker like that.

It’s really important that you know what normal looks like, before
launching off in to “Have I been hacked?”

Let’s look at the first issue: you haven’t got any trace, but just from the IPs
it looks normal:
You can use dig -x to get the name from the IP address.
104.236.116.147 - ellone.fdisk.io
A quick search would confirm that this is an NTP server

38.145.60.20 - proxy-iad01.fedoraproject.org
That’s a normal Fedora mirror

130.236.254.253 - ftp.lysatr.liu.se
That’s a normal Fedora mirror

A couple of minutes searching would have shown you that there’s unlikely
to be an issue here. It’s standard time and update checking. If you don’t
want it, turn it off.

Now for the AIDE output - it’s almost impossible to use any host IDS
unless you know what is normal and factor it in to the configuration.
If you don’t do this you will be swamped by false positives.

“i might be hacked actually!” - No, you’re not.
There is absolutely nothing unusual here.
You may be surprised at the /etc/lvm/archive/ entries - your qubes are
stored in LVM pool, and Qubes keeps track of changes using the LVM
archive.
You can see why those archives were created using vgcfgrestore -l qubes_dom0
The output will show you, for each entry, when and why it was created.

So, no suspicious IPs, no suspicious file activity - case closed.

4 Likes
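The answer above makes two practical points: reverse-resolve the IPs (dig -x) before worrying about them, and treat an AIDE report as noise until the churn that Qubes itself produces (libxl XML and per-qube logs written when a qube starts, LVM metadata archives under /etc/lvm/archive) has been factored out. The script below is an added example, not code from the thread or from the Qubes project. It parses the Added/Removed/Changed sections of an AIDE report, subtracts a baseline of expected dom0 churn, and leaves only the paths that still need a human explanation. The baseline patterns (EXPECTED_CHURN) are an assumption built from the entries discussed in this thread, and the sample report is constructed: it repeats the shape of the posted output and adds two made-up entries (an unexpected binary under /usr/local/bin and a changed /etc/crontab) so that the filter has something to flag.

```python
"""Triage an AIDE report against a baseline of expected Qubes dom0 churn.

Added example (not from the forum thread or the Qubes project). The
EXPECTED_CHURN patterns are an assumption of what routine dom0 activity
looks like, based on the entries discussed in the thread: starting a qube
writes its libxl XML and per-qube log files, and Qubes records LVM metadata
changes under /etc/lvm/archive (see `vgcfgrestore -l qubes_dom0`).
"""
import fnmatch
import re
import socket

# Assumed baseline: paths that change every time a qube starts or stops.
# Anything NOT matched here is not "malicious", it is "unexplained" and
# should be tied to an action you remember taking.
EXPECTED_CHURN = [
    "/etc/libvirt/libxl/*.xml",          # libvirt domain definition per qube
    "/var/log/libvirt/libxl/*.log",
    "/var/log/qubes/*.log*",             # guid / qrexec / qubesdb logs per qube
    "/var/log/xen/console/guest-*.log",
    "/etc/lvm/archive/qubes_dom0_*.vg",  # LVM metadata archive written by Qubes
    "/var/log/lastlog",
    "/root",                             # directory timestamps move with .xauth* files
    "/root/.xauth*",                     # per-session X authority files
]

# Constructed sample report: same shape as the thread's output, with two
# made-up entries (unexpected-tool, /etc/crontab) added so the filter has
# something left over.
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/libvirt/libxl/work.xml
f++++++++++++++++: /etc/lvm/archive/qubes_dom0_01525-2027803273.vg
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /root/.xauthvlk2rj
f++++++++++++++++: /var/log/qubes/qrexec.work.log
f++++++++++++++++: /usr/local/bin/unexpected-tool

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /root/.xauthLp1UAT

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...   i  .   : /etc/libvirt/libxl/untrusted.xml
d = ... mc.. ..  : /root
f = ... mc..C..  : /var/log/lastlog
f = ... mc..C..  : /etc/crontab

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
"""

SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")


def parse_aide_report(text):
    """Return {'added': [...], 'removed': [...], 'changed': [...]} of paths.

    AIDE prints one entry per line as '<type><attribute flags>: <path>';
    splitting on the first ': ' separates the flag summary from the path.
    """
    entries = {"added": [], "removed": [], "changed": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1).lower()
            continue
        if line.startswith("Detailed information"):
            section = None  # the per-file detail block is not an entry list
            continue
        if section is None or ": /" not in line:
            continue
        _summary, path = line.split(": ", 1)
        entries[section].append(path)
    return entries


def is_expected(path):
    """True when the path matches the assumed baseline of routine churn."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in EXPECTED_CHURN)


def triage(text):
    """List (section, path) pairs that the baseline does not explain."""
    entries = parse_aide_report(text)
    return [(section, path)
            for section in ("added", "removed", "changed")
            for path in entries[section]
            if not is_expected(path)]


def reverse_lookup(ip):
    """Equivalent of `dig -x`: the PTR name for an address, or None if absent.

    Needs network access; in an offline qube this simply returns None.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    for section, path in triage(SAMPLE_REPORT):
        print(f"needs explanation: [{section}] {path}")
    for ip in ("104.236.116.147", "38.145.60.20", "130.236.254.253"):
        print(ip, "->", reverse_lookup(ip))
```

Run against the constructed report, the baseline swallows every libxl, log, LVM-archive and .xauth entry and leaves three lines: /root/.bash_history (explained by the poster's own sudo testing), the made-up /usr/local/bin/unexpected-tool and the made-up /etc/crontab change. That leftover list is what is worth reading after each AIDE run; once an entry is explained, extend EXPECTED_CHURN (or, better, AIDE's own configuration) so it stops appearing.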

Thank you unman. You always have good quality answers and posts.
But what’s the easiest way to check if I have been hacked? Qubes should have a sound alert when that happens… Or some easy way to check it?

“Now for the AIDE output - it’s almost impossible to use any host IDS
unless you know what is normal and factor it in to the configuration.
If you don’t do this you will be swamped by false positives.”

I agree. Could someone make a guide on how to know your Qubes has been hacked maybe?

howto guide. “101 guide to know your Qubes OS has been hacked.”
Or on how to set up an easy IDS and HIPS maybe. Snort or whatever… Whatever protection is the best. AIDE with the right config maybe. That would be cool.
An AIDE guide with the right config, or if there are config files in AIDE for Qubes.

You already started a topic about it:

1 Like

Yes I got some about checking the integrity of files or snort… maybe some check at startup…
It just seems hard to set up, that is all. :wink:

Moved this thread into ‘User Support’ because it should have been there from the start, but also to be able to select @unman’s much appreciated answer as solution. This will hopefully obviate the need for latecomers to fight their way through the entire thread.

2 Likes

Fight their way through reading a thread? You have never been in a real fight huh? Kidding :wink: Thanks for the help.