hbons / SparkleShare

Share and collaborate by syncing with any Git repository instantly. Linux, macOS, and Windows.
https://sparkleshare.org

Sparkleshare hacked? see included logs #1833

Closed frepie closed 6 years ago

frepie commented 6 years ago

The logs on my SparkleShare server (Ubuntu 16.04) are weird. I am not a security specialist but I fear that it has been hacked. Here is a part of the /var/log files that I think might show signs of hacking:

Mar 19 21:38:55 inspiron systemd[1]: Created slice User Slice of storage.
Mar 19 21:38:55 inspiron systemd[1]: Starting User Manager for UID 999...
Mar 19 21:38:55 inspiron systemd[1]: Started Session 415 of user storage.
Mar 19 21:38:55 inspiron systemd[25151]: Starting D-Bus User Message Bus Socket.
Mar 19 21:38:55 inspiron systemd[25151]: Reached target Timers.
Mar 19 21:38:55 inspiron systemd[25151]: Reached target Paths.
Mar 19 21:38:55 inspiron systemd[25151]: Listening on D-Bus User Message Bus Socket.
Mar 19 21:38:55 inspiron systemd[25151]: Reached target Sockets.
Mar 19 21:38:55 inspiron systemd[25151]: Reached target Basic System.
Mar 19 21:38:55 inspiron systemd[25151]: Reached target Default.
Mar 19 21:38:55 inspiron systemd[25151]: Startup finished in 108ms.
Mar 19 21:38:55 inspiron systemd[1]: Started User Manager for UID 999.
Mar 19 21:38:56 inspiron kernel: [41598.661909] atkbd serio0: Unknown key pressed (translated set 2, code 0x8d on isa0060/serio0).
Mar 19 21:38:56 inspiron kernel: [41598.661919] atkbd serio0: Use 'setkeycodes e00d <keycode>' to make it known.
Mar 19 21:38:56 inspiron kernel: [41598.671722] atkbd serio0: Unknown key released (translated set 2, code 0x8d on isa0060/serio0).
Mar 19 21:38:56 inspiron kernel: [41598.671732] atkbd serio0: Use 'setkeycodes e00d <keycode>' to make it known.
Mar 19 21:38:57 inspiron kernel: [41599.667315] atkbd serio0: Unknown key pressed (translated set 2, code 0x8d on isa0060/serio0).
Mar 19 21:38:57 inspiron kernel: [41599.667325] atkbd serio0: Use 'setkeycodes e00d <keycode>' to make it known.
Mar 19 21:38:57 inspiron kernel: [41599.677120] atkbd serio0: Unknown key released (translated set 2, code 0x8d on isa0060/serio0).
Mar 19 21:38:57 inspiron kernel: [41599.677126] atkbd serio0: Use 'setkeycodes e00d <keycode>' to make it known.
Mar 19 21:38:57 inspiron systemd[1]: Stopping User Manager for UID 999...
Mar 19 21:38:57 inspiron systemd[25151]: Stopped target Default.
Mar 19 21:38:57 inspiron systemd[25151]: Stopped target Basic System.
Mar 19 21:38:57 inspiron systemd[25151]: Stopped target Sockets.
Mar 19 21:38:57 inspiron systemd[25151]: Closed D-Bus User Message Bus Socket.
Mar 19 21:38:57 inspiron systemd[25151]: Reached target Shutdown.
Mar 19 21:38:57 inspiron systemd[25151]: Starting Exit the Session...
Mar 19 21:38:57 inspiron systemd[25151]: Stopped target Paths.
Mar 19 21:38:57 inspiron systemd[25151]: Stopped target Timers.
Mar 19 21:38:57 inspiron systemd[25151]: Received SIGRTMIN+24 from PID 25203 (kill).
Mar 19 21:38:57 inspiron systemd[1]: Stopped User Manager for UID 999.
Mar 19 21:38:57 inspiron systemd[1]: Removed slice User Slice of storage.

From what I can understand, there is a user created named Slice that sends keycodes (?) and then the user Slice is removed. Farther down the logs, there is a line that I find pretty scary:

Mar 19 21:39:01 inspiron CRON[25211]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime))

hbons commented 6 years ago

Hi @frepie. It looks like your logs are just noisy. I don't think the server has been hacked (based on this). I found https://access.redhat.com/solutions/1564823 that will disable these messages.

SparkleShare uses git commands over SSH to talk to the server and checks if there are new changes every few minutes so it's normal to see a lot of logins in the logs. However, I'm not an expert on server security, so it may be worth investigating further. :)
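One way to triage an excerpt like the one posted in this issue, added here as an example and not code from SparkleShare or from either commenter: it counts syslog entries per emitting program and pairs systemd's "Created slice" / "Removed slice" lines to measure how long each login session lasted. The function names, the placeholder year and the sample (six lines copied from the excerpt above) are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: six lines copied from the log excerpt in the issue above.
SAMPLE = """\
Mar 19 21:38:55 inspiron systemd[1]: Created slice User Slice of storage.
Mar 19 21:38:55 inspiron systemd[1]: Started Session 415 of user storage.
Mar 19 21:38:56 inspiron kernel: [41598.661909] atkbd serio0: Unknown key pressed (translated set 2, code 0x8d on isa0060/serio0).
Mar 19 21:38:57 inspiron systemd[1]: Stopped User Manager for UID 999.
Mar 19 21:38:57 inspiron systemd[1]: Removed slice User Slice of storage.
Mar 19 21:39:01 inspiron CRON[25211]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime))
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$")
SLICE = re.compile(r"^(Created|Removed) slice User Slice of (\S+)\.$")

def parse(text):
    """Yield (timestamp, program tag, message) for each well-formed syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or malformed lines
        # Syslog lines carry no year; 2000 is an arbitrary placeholder so that
        # two timestamps can be subtracted from each other.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), m.group(5)

def tag_counts(text):
    """Count entries per emitting program (systemd, kernel, CRON, ...)."""
    return Counter(tag for _, tag, _ in parse(text))

def user_sessions(text):
    """Return (user, seconds) per login slice; seconds is None if never removed."""
    opened, done = {}, []
    for ts, tag, msg in parse(text):
        m = SLICE.match(msg) if tag == "systemd" else None
        if not m:
            continue
        action, user = m.groups()
        if action == "Created":
            opened[user] = ts
        elif user in opened:
            done.append((user, (ts - opened.pop(user)).total_seconds()))
    return done + [(user, None) for user in opened]

if __name__ == "__main__":
    print(dict(tag_counts(SAMPLE)))
    print(user_sessions(SAMPLE))
```

Run against a full syslog file, the per-user session list shows which accounts log in and for how long, which is the part of this excerpt that reflects login activity.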