Unusual activity on my Ubuntu

I am running a device with Ubuntu installed; this device hasn’t been connected to the internet for a few months. I have installed Ubuntu on a different device, then used a USB stick to transfer files between both devices for a few days.

Today when I tried to turn off the device that doesn’t have any internet (the wireless card is disconnected, so there is no way it can connect to any internet connection) it said "unattended upgrade please don’t switch off".

I was very surprised, how can Ubuntu download any update while being offline for months? Could it be the other device with the online version has been compromised? Note: The device that does have Internet connection had a new hard drive replacement recently, also the USB was bought recently.

I suspect the device with no internet is compromised and this is the reason I have switched the wireless card off after seeing some weird outgoing connections from it months back.

  • Could it be that malware copied itself to the USB from the device offline and then when plugged into the device with an internet connection compromised that device as well?
  • Or is it a supply chain attack because of the internal hard drive & usb I have purchased recently online?

I am slightly confused. I want to know if it's possible for "unattended upgrade please don't switch off" to show after months of no internet connection at all.

Update: I have decided to close the internet connection on the second device as well, due to this happening for a few days now: the files I have on the desktop main screen (Ubuntu 20.04 with latest security updates) keep changing positions… For instance, I turn the device on and they are arranged in a certain way; after 1 hour or so of writing code I go back to the desktop and the files have changed position. Could this be a faulty hard drive or an issue with device memory? Or is it something to do with the device being compromised as well? Note: This issue is happening on the device with the new hard drive.

Organic Marble avatar
us flag
"I suspect the device with no internet is compromised and this is the reason I have switched the wireless card off after seeing some weird outgoing connections from it months back." So months ago you suspected this device? What action did you take months ago other than turning it off?
cookieserver avatar
ir flag
@user535733 I spelled that wrong as it was there for a few seconds only. Corrected: unattended
ar flag
`unattended upgrade` is a default process meant to update to fix critical bugs and vulnerabilities. Unless you turn it off, it will try to update your Ubuntu device every now and then. Without internet it will fail and try again later. I think that is what is happening.
cookieserver avatar
ir flag
@OrganicMarble I just decided to switch the wireless card off. Because I am working on some backend code I couldn’t risk keeping it online while rewriting the sensitive parts of the code again. I didn’t need any testing that requires an internet connection, but now I want to test a different part of the code that needs some internet connection, and this is the reason I have moved the files to my other device. The device with online connection is running Ubuntu 20.04 with latest updates, so I would assume whatever compromised that old Ubuntu OS version cannot compromise this as well.
ru flag
@cookieserver as an IT Security Professional, if you believe a device is compromised, you should immediately nuke the device, whether you have 'backend code' present on the system or not. And depending on the 'connections' it might not be suspicious and probably is "typical behavior" when you have web browsers open or other services running. Ubuntu 20.04 is not 'old' enough to be on its own compromised. And it likely can still infect your newer OSes. Nuke and reformat the drive long before hand first.
cookieserver avatar
ir flag
@OrganicMarble I suspect one of the two developers that I hired previously put a rootkit into my device while doing some work for me. They had the root password and were connecting to my device via TeamViewer and SSH. I wasn’t checking any logs or anything like that because I trusted them. They were very slow so I ended up leaving them both, and started my coding journey to get things done myself. Only 6 months after, I found out there is a weird outgoing connection to some IP in Russia.
cookieserver avatar
ir flag
@ThomasWard the device is fully offline with no internet (switched off from hardware). The one that has internet is 20.04 LTS with latest updates, so I think it can't be compromised easily, but if I plug a USB into the compromised device and then move some Python code files to my other device, can the rootkit copy itself to the USB automatically and then inject itself into my new device? The compromised device is dead hand, unless the rootkit is using AI and adjusting itself offline, but that's too extreme I would think haha.
za flag
Are your devices laptops? If they are, and the suspicious workers had root access to both machines, they might have established a Bluetooth connection with both machines trusting each other. Can you verify whether BT is on or off on both devices? If there is no connection at all, the system update can still start and try to connect for some 30 sec. without success.
cookieserver avatar
ir flag
@userunknown they had root access to only 1 machine (the one that has been offline for many months).
cookieserver avatar
ir flag
@user68186 Ah ok, so it's a usual message that can be expected.
user535733 avatar
cn flag
That seems an unusual message from Unattended Upgrades. U-U will delay or inhibit the shutdown ONLY if there are remaining packages to install at the time of shutdown. It will simply abort silently at other times. Since there cannot be any unexpected packages to install on an air-gapped system, I find the message highly suspicious.
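One way to settle whether Unattended Upgrades actually installed anything on the offline machine, rather than just attempting and failing, is to read apt's own transaction log. The script below is an added example, not code from the thread; it parses the `Start-Date` / `Commandline` / `End-Date` blocks of `/var/log/apt/history.log` and lists only the transactions that `/usr/bin/unattended-upgrade` started. The sample log is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit what unattended-upgrades really
# did on a machine, to tell a routine "nothing to do" run from a real install.
# Assumes the standard Ubuntu path /var/log/apt/history.log; a path is passed
# as an argument so the constructed sample below can be used offline.

# Print each apt transaction that unattended-upgrade itself started, with the
# packages it changed. Argument: path to an apt history.log.
uu_transactions() {
    awk '
        /^Start-Date:/ { start = $2 " " $3; cmd = ""; pkgs = "" }
        /^Commandline:/ { cmd = $0 }
        /^(Upgrade|Install|Remove):/ { pkgs = pkgs (pkgs ? " " : "") $1 " " $2 }
        /^End-Date:/ {
            if (cmd ~ /unattended-upgrade/) print start " " pkgs
        }
    ' "$1"
}

# Count those transactions. A non-zero count on a machine that has been
# offline for months is exactly the thing that would need explaining.
uu_count() {
    uu_transactions "$1" | wc -l | tr -d ' '
}

# Constructed sample in apt's history.log format, NOT a real log from the
# machine in the question. The first block is a manual install, the second
# an unattended-upgrades run.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
Start-Date: 2023-01-10  09:12:01
Commandline: apt install vim
Install: vim:amd64 (2:8.1.2269-1ubuntu5)
End-Date: 2023-01-10  09:12:05

Start-Date: 2023-01-11  06:30:02
Commandline: /usr/bin/unattended-upgrade
Upgrade: libssl1.1:amd64 (1.1.1f-1ubuntu2.16, 1.1.1f-1ubuntu2.17)
End-Date: 2023-01-11  06:30:20
EOF

# On the real machine: uu_transactions /var/log/apt/history.log
# (rotated logs live in /var/log/apt/history.log.*.gz; zcat them first).
uu_transactions "$SAMPLE"
```

An empty result means U-U never completed an install, which is the expected state for an air-gapped system; `systemctl list-timers 'apt-daily*'` then shows when the timer last fired and whether the attempts line up with the shutdown message.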
cookieserver avatar
ir flag
@user535733 I think it was run by whatever is installed on that device, run X every X months.