Suspicious USB activity on a server

I'm working in a sysadmin team. We manage several servers. All of them are running Debian (various releases). They are located in a locked cabinet in a datacenter.

Recently I've added logcheck on our servers and I began tuning the exclude lists of patterns to have only relevant events in my inbox.

The other day, I received this kind of log line from a few servers:

Oct 19 17:22:55 hostname kernel: [22489246.934130] usb 1-3: USB disconnect, device number 2
Oct 19 17:23:10 hostname kernel: [22489261.782146] usb 1-3: new high-speed USB device number 3 using xhci_hcd
Oct 19 17:23:10 hostname kernel: [22489261.930822] usb 1-3: New USB device found, idVendor=413c, idProduct=a001, bcdDevice= 0.00
Oct 19 17:23:10 hostname kernel: [22489261.931839] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Oct 19 17:23:10 hostname kernel: [22489261.932839] usb 1-3: Product: Gadget USB HUB
Oct 19 17:23:10 hostname kernel: [22489261.933818] usb 1-3: Manufacturer: no manufacturer
Oct 19 17:23:10 hostname kernel: [22489261.934791] usb 1-3: SerialNumber: 0123456789
Oct 19 17:23:10 hostname kernel: [22489261.936236] hub 1-3:1.0: USB hub found
Oct 19 17:23:10 hostname kernel: [22489261.937270] hub 1-3:1.0: 6 ports detected
Oct 19 17:23:40 hostname kernel: [22489292.138234] usb 1-3.1: new high-speed USB device number 4 using xhci_hcd
Oct 19 17:23:40 hostname kernel: [22489292.282886] usb 1-3.1: New USB device found, idVendor=0624, idProduct=0249, bcdDevice= 0.00
Oct 19 17:23:40 hostname kernel: [22489292.283682] usb 1-3.1: New USB device strings: Mfr=4, Product=5, SerialNumber=6
Oct 19 17:23:40 hostname kernel: [22489292.284475] usb 1-3.1: Product: Keyboard/Mouse Function
Oct 19 17:23:40 hostname kernel: [22489292.285256] usb 1-3.1: Manufacturer: Avocent
Oct 19 17:23:40 hostname kernel: [22489292.286093] usb 1-3.1: SerialNumber: 20121018
Oct 19 17:23:40 hostname kernel: [22489292.605240] hidraw: raw HID events driver (C) Jiri Kosina
Oct 19 17:23:40 hostname kernel: [22489292.632594] usbhid: USB HID core driver
Oct 19 17:23:40 hostname kernel: [22489292.699438] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.0/0003:0624:0249.0001/input/input3
Oct 19 17:23:40 hostname kernel: [22489292.758415] hid-generic 0003:0624:0249.0001: input,hidraw0: USB HID v1.00 Keyboard [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input0
Oct 19 17:23:40 hostname kernel: [22489292.760141] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.1/0003:0624:0249.0002/input/input4
Oct 19 17:23:40 hostname kernel: [22489292.761879] hid-generic 0003:0624:0249.0002: input,hidraw1: USB HID v1.00 Mouse [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input1
Oct 19 17:23:40 hostname kernel: [22489292.763970] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.2/0003:0624:0249.0003/input/input5
Oct 19 17:23:40 hostname kernel: [22489292.765991] hid-generic 0003:0624:0249.0003: input,hidraw2: USB HID v1.00 Mouse [Avocent Keyboard/Mouse Function] on usb-0000:00:14.0-3.1/input2
Oct 19 17:23:41 hostname systemd-logind[505]: Watching system buttons on /dev/input/event3 (Avocent Keyboard/Mouse Function)
Oct 19 17:23:41 hostname kernel: [22489292.910229] usb 1-3.3: new high-speed USB device number 5 using xhci_hcd
Oct 19 17:23:41 hostname kernel: [22489293.052536] usb 1-3.3: New USB device found, idVendor=413c, idProduct=a102, bcdDevice= 3.29
Oct 19 17:23:41 hostname kernel: [22489293.053347] usb 1-3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Oct 19 17:23:41 hostname kernel: [22489293.054137] usb 1-3.3: Product: iDRAC Virtual NIC USB Device
Oct 19 17:23:41 hostname kernel: [22489293.054919] usb 1-3.3: Manufacturer: Dell(TM)
Oct 19 17:23:41 hostname systemd-udevd[13345]: Using default interface naming scheme 'v240'.
Oct 19 17:23:41 hostname kernel: [22489293.162373] cdc_ether 1-3.3:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-3.3, CDC Ethernet Device, be:11:91:5e:b3:b1
Oct 19 17:23:41 hostname systemd-udevd[13345]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Oct 19 17:23:41 hostname kernel: [22489293.295645] cdc_ether 1-3.3:1.0 idrac: renamed from usb0
Oct 19 17:23:42 hostname systemd-udevd[13348]: Using default interface naming scheme 'v240'.
Oct 19 17:23:44 hostname kernel: [22489296.471088] usb 1-3.3: USB disconnect, device number 5
Oct 19 17:23:44 hostname kernel: [22489296.471826] cdc_ether 1-3.3:1.0 idrac: unregister 'cdc_ether' usb-0000:00:14.0-3.3, CDC Ethernet Device
Oct 19 17:24:01 hostname kernel: [22489313.623135] usb 1-3.1: USB disconnect, device number 4
Oct 19 17:24:01 hostname acpid: input device has been disconnected, fd 8

I've searched for "Avocent" and found some keyboard/video/mouse devices.

Here is the output of lspci on the server:

00:00.0 Host bridge: Intel Corporation Skylake Host Bridge/DRAM Registers (rev 07)
00:01.0 PCI bridge: Intel Corporation Skylake PCIe Controller (x16) (rev 07)
00:01.1 PCI bridge: Intel Corporation Skylake PCIe Controller (x8) (rev 07)
00:01.2 PCI bridge: Intel Corporation Skylake PCIe Controller (x4) (rev 07)
00:14.0 USB controller: Intel Corporation Sunrise Point-H USB 3.0 xHCI Controller (rev 31)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-H Thermal subsystem (rev 31)
00:16.0 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #1 (rev 31)
00:16.1 Communication controller: Intel Corporation Sunrise Point-H CSME HECI #2 (rev 31)
00:17.0 SATA controller: Intel Corporation Sunrise Point-H SATA controller [AHCI mode] (rev 31)
00:1d.0 PCI bridge: Intel Corporation Sunrise Point-H PCI Express Root Port #9 (rev f1)
00:1d.2 PCI bridge: Intel Corporation Sunrise Point-H PCI Express Root Port #11 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point-H LPC Controller (rev 31)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-H PMC (rev 31)
00:1f.4 SMBus: Intel Corporation Sunrise Point-H SMBus (rev 31)
03:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS-3 3108 [Invader] (rev 02)
04:00.0 Ethernet controller: Broadcom Limited NetXtreme BCM5720 Gigabit Ethernet PCIe
04:00.1 Ethernet controller: Broadcom Limited NetXtreme BCM5720 Gigabit Ethernet PCIe
05:00.0 PCI bridge: Renesas Technology Corp. SH7758 PCIe Switch [PS]
06:00.0 PCI bridge: Renesas Technology Corp. SH7758 PCIe Switch [PS]
07:00.0 PCI bridge: Renesas Technology Corp. SH7758 PCIe-PCI Bridge [PPB]
08:00.0 VGA compatible controller: Matrox Electronics Systems Ltd. G200eR2 (rev 01)

and lsusb:

Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 413c:a001 Dell Computer Corp. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

It's highly unlikely that someone has been able to plug some device into the server, but it's still possible. I'm asking here because I might also be over-reacting if this is a benign event on a server.

Any idea what this is about?

Thanks

Comments:

djdomi: check your door logs in case you have an electrical door lock ;)

Check the iDRAC logs. Assuming that iDRAC uses USB to control the server, it may be possible that e.g. iDRAC rebooted (or crashed?) and the USB devices were found again by your system.

Asker: We're not 100% sure that no one was around the cabinets. The iDRAC might be the most probable cause.
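The log in the question carries the answer to "is this benign?" in its port paths: the Avocent keyboard/mouse (0624:0249) sits at 1-3.1 and the iDRAC Virtual NIC (413c:a102) at 1-3.3, both behind the Dell hub 413c:a001 at 1-3, which is also the only non-root device in the lsusb output. A hub that disconnects (device number 2) and comes back seconds later with the BMC's keyboard and NIC behind it fits the iDRAC-reset hypothesis from the comments, not a hand on a front-panel port. The script below, an added example that is not part of the question or of any Dell or Debian tooling, turns that reasoning into triage logic: it parses the kernel messages shown above, rebuilds the hub tree from the port paths, and flags any keyboard, network or storage function that does not enumerate behind a known BMC hub. The BMC_HUBS set holds only the 413c:a001 ID taken from this log (other vendors' BMCs would need their own entries); the ROGUE_LOG lines are constructed, with a placeholder 1234:abcd vendor/product ID; the usb-storage message format is the kernel's standard one and does not appear in the question.

```python
"""Triage kernel USB hot-plug messages: a keyboard, NIC or disk that enumerates
behind the server's own BMC hub is expected; anywhere else it gets an ALERT."""
import re
from collections import OrderedDict

# Kernel lines reproduced from the syslog excerpt in the question.
SAMPLE_LOG = """\
Oct 19 17:22:55 hostname kernel: [22489246.934130] usb 1-3: USB disconnect, device number 2
Oct 19 17:23:10 hostname kernel: [22489261.930822] usb 1-3: New USB device found, idVendor=413c, idProduct=a001, bcdDevice= 0.00
Oct 19 17:23:10 hostname kernel: [22489261.932839] usb 1-3: Product: Gadget USB HUB
Oct 19 17:23:40 hostname kernel: [22489292.282886] usb 1-3.1: New USB device found, idVendor=0624, idProduct=0249, bcdDevice= 0.00
Oct 19 17:23:40 hostname kernel: [22489292.284475] usb 1-3.1: Product: Keyboard/Mouse Function
Oct 19 17:23:40 hostname kernel: [22489292.285256] usb 1-3.1: Manufacturer: Avocent
Oct 19 17:23:40 hostname kernel: [22489292.699438] input: Avocent Keyboard/Mouse Function as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3.1/1-3.1:1.0/0003:0624:0249.0001/input/input3
Oct 19 17:23:41 hostname kernel: [22489293.052536] usb 1-3.3: New USB device found, idVendor=413c, idProduct=a102, bcdDevice= 3.29
Oct 19 17:23:41 hostname kernel: [22489293.054137] usb 1-3.3: Product: iDRAC Virtual NIC USB Device
Oct 19 17:23:41 hostname kernel: [22489293.162373] cdc_ether 1-3.3:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-3.3, CDC Ethernet Device, be:11:91:5e:b3:b1
"""

# Constructed lines (not from the question): a keyboard with a placeholder
# vendor/product ID plugged straight into root-hub port 1.
ROGUE_LOG = """\
Oct 19 18:01:02 hostname kernel: [22491534.100000] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Oct 19 18:01:02 hostname kernel: [22491534.200000] usb 1-1: Product: Example Keyboard
Oct 19 18:01:02 hostname kernel: [22491534.300000] input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1234:ABCD.0004/input/input6
"""

# Hubs a BMC presents to the host. 413c:a001 is the Dell hub from the question's
# log and lsusb output; other vendors need their own IDs here (assumption).
BMC_HUBS = {("413c", "a001")}

NEW_DEV = re.compile(r"usb (?P<path>\d+-[\d.]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
DISCONNECT = re.compile(r"usb (?P<path>\d+-[\d.]+): USB disconnect")
STRING = re.compile(r"usb (?P<path>\d+-[\d.]+): (?P<key>Product|Manufacturer): (?P<val>.*)$")
# The sysfs path in the 'input:' line names the interface, e.g. .../1-3.1:1.0/...
HID_INPUT = re.compile(r"input: .* as /devices/.*/(?P<path>\d+-[\d.]+):\d+\.\d+/")
CDC_ETHER = re.compile(r"cdc_ether (?P<path>\d+-[\d.]+):\d+\.\d+ \S+: register")
STORAGE = re.compile(r"usb-storage (?P<path>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def parent(path):
    """Port path of the upstream hub: '1-3.1' -> '1-3'; '1-3' -> None (root hub)."""
    bus, _, ports = path.partition("-")
    if "." not in ports:
        return None
    return f"{bus}-{ports.rsplit('.', 1)[0]}"


def parse(log):
    """Return {port path: device record} in enumeration order."""
    devs, gone = OrderedDict(), set()
    for line in log.splitlines():
        if m := DISCONNECT.search(line):
            gone.add(m["path"])                       # something left this port
        elif m := NEW_DEV.search(line):
            devs[m["path"]] = {"vid": m["vid"], "pid": m["pid"], "kinds": set(),
                               # same port disconnected earlier: hub or BMC reset?
                               "reenumerated": m["path"] in gone}
        elif (m := STRING.search(line)) and m["path"] in devs:
            devs[m["path"]][m["key"].lower()] = m["val"]
        elif (m := HID_INPUT.search(line)) and m["path"] in devs:
            devs[m["path"]]["kinds"].add("hid")
        elif (m := CDC_ETHER.search(line)) and m["path"] in devs:
            devs[m["path"]]["kinds"].add("net")
        elif (m := STORAGE.search(line)) and m["path"] in devs:
            devs[m["path"]]["kinds"].add("storage")
    return devs


def behind_bmc_hub(path, devs):
    """True if any upstream hub of `path` is a known BMC hub."""
    hub = parent(path)
    while hub is not None:
        rec = devs.get(hub)
        if rec and (rec["vid"], rec["pid"]) in BMC_HUBS:
            return True
        hub = parent(hub)
    return False


def audit(log):
    """Attach a verdict to every enumerated device."""
    devs = parse(log)
    for path, rec in devs.items():
        if (rec["vid"], rec["pid"]) in BMC_HUBS:
            rec["verdict"] = "bmc-hub"
        elif not rec["kinds"]:
            rec["verdict"] = "other"      # no HID/network/storage function seen
        elif behind_bmc_hub(path, devs):
            rec["verdict"] = "expected"   # the BMC's own keyboard/mouse or virtual NIC
        else:
            rec["verdict"] = "ALERT"      # a port outside the BMC: go and look
    return devs


def alerts(log):
    return [p for p, rec in audit(log).items() if rec["verdict"] == "ALERT"]


if __name__ == "__main__":
    for path, rec in audit(SAMPLE_LOG + ROGUE_LOG).items():
        print(f"{path:6} {rec['vid']}:{rec['pid']} {rec.get('product', '?'):30} "
              f"{sorted(rec['kinds'])} {rec['verdict']}"
              + ("  (re-enumerated after disconnect)" if rec["reenumerated"] else ""))
```

Run on the question's lines alone it reports 1-3 as the BMC hub (re-enumerated after the disconnect of device number 2) and both children as expected, so the logcheck rule can safely ignore enumerations under that hub; the constructed keyboard at 1-1 is the only ALERT. Two caveats: the script trusts the vendor/product IDs the device declares, so a malicious device that advertises itself as a 413c:a001 hub on an external port would pass, which makes this triage rather than proof; and the host kernel log only shows the host side, so the iDRAC's own log, as the comment suggests, is where to confirm that the BMC reset at 17:22:55.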