Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sat Jul 31, 2010 4:32 am Post subject: [SOLVED] strange device mounted ? am I hacked?
I've a strange USB device showing up when I click on the mount-desktop icon; the device is showing up as:
/dev/sdb1
There are NO USB DEVICES PLUGGED IN to external ports.
In my fstab:
Code:
...# USB Stick Camera etc
/dev/sdb1 /media/stick auto noauto,rw,users,exec,umask=0077 0 0
/dev/sdc1 /media/stick2 auto noauto,rw,users,exec,umask=0077 0 0
When I mount the device it is showing the following files:
Code:
ll /media/stick
total 103618
drwx------ 2 joseph joseph 2048 Aug 27 2007 bios
drwx------ 2 joseph joseph 2048 Aug 27 2007 custom
-rwx------ 1 joseph joseph 48496977 Aug 27 2007 kernel.bin
-rwx------ 1 joseph joseph 0 Aug 27 2007 skin0000.asus.mockup05
-rwx------ 1 joseph joseph 268092 Aug 27 2007 skin0000.bin
-rwx------ 1 joseph joseph 72 Aug 27 2007 skin0000.idx
-rwx------ 1 joseph joseph 0 Aug 27 2007 splash.top
-rwx------ 1 joseph joseph 10485760 Jul 24 2007 user-000.dat
-rwx------ 1 joseph joseph 15 Jul 24 2007 user-000.dat.date
-rwx------ 1 joseph joseph 36 Jul 24 2007 user-000.dat.md5
-rwx------ 1 joseph joseph 10485760 Jul 24 2007 user-001.dat
-rwx------ 1 joseph joseph 15 Jul 24 2007 user-001.dat.date
-rwx------ 1 joseph joseph 36 Jul 24 2007 user-001.dat.md5
-rwx------ 1 joseph joseph 327680 Aug 27 2007 va-config.sq
-rwx------ 1 joseph joseph 16551936 Aug 27 2007 va-ff.sq
-rwx------ 1 joseph joseph 17969152 Aug 27 2007 va-sk.sq
-rwx------ 1 joseph joseph 1482752 Aug 27 2007 va-splashtophelp.sq
-rwx------ 1 joseph joseph 20480 Aug 27 2007 va-zenv.sq
-rwx------ 1 joseph joseph 0 Aug 27 2007 va.config-dvm-0.1-20070827.ver
-rwx------ 1 joseph joseph 0 Aug 27 2007 va.firefox-2.0.0.3-dvm-0.1-20070827.ver
-rwx------ 1 joseph joseph 0 Aug 27 2007 va.firefox.splashtophelp-2.0.0.3-dvm-0.1-20070827.ver
-rwx------ 1 joseph joseph 0 Aug 27 2007 va.skype-1.3.0.53-dvm-0.1-20070827.ver
-rwx------ 1 joseph joseph 0 Aug 27 2007 va.zenv-dvm-0.1-20070827.ver
I don't recognize any of these files; I've never used Skype.
How is it happening that an external device is mounted without anything plugged into the USB port?
I only have a USB scanner and a USB serial device (to which the UPS is plugged in).
Am I hacked?
Last edited by Joseph_sys on Sun Aug 01, 2010 2:15 am; edited 1 time in total |
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sat Jul 31, 2010 4:56 am Post subject:
Strange. I rebooted the computer, physically turning the power OFF/ON, and the mysterious mounted device is gone.
Don't know what to think about it.
I've run:
rkhunter --checkall --createlogfile --propupd
but everything is clean except a few warnings:
Code:
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/usr/bin/lwp-request [ Warning ]
chkrootkit is getting stuck on php files :-/
Hu Administrator
Joined: 06 Mar 2007 Posts: 23082
Posted: Sat Jul 31, 2010 5:18 pm Post subject:
I suppose you did not copy files from the mysterious mount point before rebooting? Did you stat -f the mounted filesystem? Run lsusb?
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Sat Jul 31, 2010 5:54 pm Post subject:
Looking at some of the filenames, it looks like your motherboard has Splashtop available on embedded flash memory, which is somehow being recognized and automatically mounted (what auto-mount daemons, if any, are you running?).
Also, check what `modprobe -l | grep mtd` returns, which I'm guessing is the device driver used to access such flash, and see if lsmod lists such a module as loaded.
Check the specs for your system, and unless Splashtop isn't listed I wouldn't be so concerned.
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sat Jul 31, 2010 10:13 pm Post subject:
Hu wrote: | I suppose you did not copy files from the mysterious mount point before rebooting? Did you stat -f the mounted filesystem? Run lsusb? |
No, I did not run "stat -f"; lsusb returns nothing suspicious:
Code:
Bus 008 Device 002: ID 045e:0039 Microsoft Corp. IntelliMouse Optical
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 002: ID 0711:0230 Magic Control Technology Corp. MCT-232 Serial Port
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 002: ID 04b8:011b Seiko Epson Corp. Perfection 2400 Photo
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 0b05:1742 ASUSTek Computer, Inc. 802.11n Network Adapter
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sat Jul 31, 2010 10:27 pm Post subject:
Sadako wrote: | Looking at some of the filenames, looks like your motherboard has Splashtop available on embedded flash memory, which is somehow being recognized and automatically mounted (what auto mount daemons, if any, are you running)?
Also, check what `modprobe -l | grep mtd` returns, which I'm guessing is the device driver used to access such flash, and see if lsmod lists such a module loaded.
Check the specs for your system, and unless Splashtop isn't listed I wouldn't be so concerned. |
I'm not running any auto-mount daemons except "hald". rc-update show:
Code:
alsasound | boot
apache2 | default
apcupsd | default
asterisk | default
bootmisc | boot
checkfs | boot
checkroot | boot
clock | boot
consolefont | boot
cupsd | default
ddclient | default
hald | default
hostname | boot
hylafax | default
keymaps | boot
local | default nonetwork
localmount | boot
modules | boot
mysql | default
net.eth0 | default
net.lo | boot
netmount | default
portmap | default
postfix | default
postgresql-8.4 | default
rmnologin | boot
samba | default
sshd | default
syslog-ng | default
udev-postmount | default
urandom | boot
vixie-cron | default
xdm | default
"modprobe -l | grep mtd" is not returning anything.
It could be that during the reboot I somehow triggered Splashtop; I have an ASUS P5E3 MB and apparently it comes with Splashtop. But how did I trigger it?
I would like to repeat the process to make sure it is it :-/
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sat Jul 31, 2010 10:43 pm Post subject:
I was looking at the Asus Splashtop page:
http://www.neoseeker.com/Articles/Hardware/Reviews/asus_p5e3_deluxe/3.html
My motherboard does not show any splash when I boot; in addition, I had a strange directory USB in my home, "/home/joseph/usb"; it appeared to have some root file system, but I removed it. I have no clue how it was created.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sat Jul 31, 2010 11:48 pm Post subject:
Most of those files in /dev/sdb1 were binary files, so there was nothing to look at.
My Splashtop does not come up during booting, as the system had an upgraded BIOS before I got it, so Splashtop wasn't working (nor do I need it).
Now I'm just trying to duplicate this process.
BitJam Advocate
Joined: 12 Aug 2003 Posts: 2513 Location: Silver City, NM
Posted: Sun Aug 01, 2010 2:04 am Post subject:
I got Splashtop working on my ASUS mobo. It is just a big PITA IMO. Anyway, here are the files from /$MOUNT_POINT/ASUS.SYS/:
Code:
total 159602
-rwxrwxrwx 1 root root 268092 Dec 2 2009 10000010.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 10000010.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 10000100.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 10000100.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 10000110.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 10000110.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 20000010.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 20000010.idx*
-rwxrwxrwx 1 root root 2193930 Dec 2 2009 CE.CEX*
-rwxrwxrwx 1 root root 104038 Dec 2 2009 CEFULL*
-rwxrwxrwx 1 root root 105574 Dec 2 2009 CE_BZ*
-rwxrwxrwx 1 root root 376832 Dec 2 2009 SplashtopDll.dll*
-rwxrwxrwx 1 root root 225954 Dec 2 2009 bs-apache.sqx*
-rwxrwxrwx 1 root root 2949820 Dec 2 2009 bs-boxtool.sqx*
-rwxrwxrwx 1 root root 8213160 Dec 2 2009 bs-font1.sqx*
-rwxrwxrwx 1 root root 2769568 Dec 2 2009 bs-gtk.sqx*
-rwxrwxrwx 1 root root 35361434 Dec 2 2009 bs-kde.sqx*
-rwxrwxrwx 1 root root 3363498 Dec 2 2009 bs-locale.sqx*
-rwxrwxrwx 1 root root 21162 Dec 2 2009 bs-persist.sqx*
-rwxrwxrwx 1 root root 6275740 Dec 2 2009 bs-php5.sqx*
-rwxrwxrwx 1 root root 9331370 Dec 2 2009 bs-pyeng.sqx*
-rwxrwxrwx 1 root root 8450730 Dec 2 2009 bs-scim.sqx*
-rwxrwxrwx 1 root root 2663084 Dec 2 2009 bs-tinyx.sqx*
drwxrwxrwx 1 root root 0 Dec 2 2009 custom/
drwxrwxrwx 1 root root 0 Dec 2 2009 help/
-rwxrwxrwx 1 root root 23552258 Dec 2 2009 kernel.bin*
drwxrwxrwx 1 root root 4096 Dec 2 2009 persist/
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0000.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0000.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0001.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0001.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0002.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0002.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0003.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0003.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0004.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0004.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0005.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0005.idx*
-rwxrwxrwx 1 root root 268092 Dec 2 2009 skin0006.bin*
-rwxrwxrwx 1 root root 100 Dec 2 2009 skin0006.idx*
-rwxrwxrwx 1 root root 0 Dec 2 2009 splash.top*
-rwxrwxrwx 1 root root 17074 Dec 2 2009 va-915resolution.sqx*
-rwxrwxrwx 1 root root 90900 Dec 2 2009 va-aboutbox.sqx*
-rwxrwxrwx 1 root root 860856 Dec 2 2009 va-asusutility.sqx*
-rwxrwxrwx 1 root root 422562 Dec 2 2009 va-automount.sqx*
-rwxrwxrwx 1 root root 1512110 Dec 2 2009 va-config.sqx*
-rwxrwxrwx 1 root root 1987252 Dec 2 2009 va-fileaccess.sqx*
-rwxrwxrwx 1 root root 13898436 Dec 2 2009 va-firefox.sqx*
-rwxrwxrwx 1 root root 4816 Dec 2 2009 va-fsearch.sqx*
-rwxrwxrwx 1 root root 1762010 Dec 2 2009 va-help.sqx*
-rwxrwxrwx 1 root root 119498 Dec 2 2009 va-langpack1.config.sqx*
-rwxrwxrwx 1 root root 17094 Dec 2 2009 va-langpack1.fileaccess.sqx*
-rwxrwxrwx 1 root root 1516232 Dec 2 2009 va-langpack1.firefox.sqx*
-rwxrwxrwx 1 root root 656068 Dec 2 2009 va-langpack1.pidgin.sqx*
-rwxrwxrwx 1 root root 164552 Dec 2 2009 va-langpack1.skype.sqx*
-rwxrwxrwx 1 root root 5874338 Dec 2 2009 va-photo.sqx*
-rwxrwxrwx 1 root root 8892 Dec 2 2009 va-pidgin.help.sqx*
-rwxrwxrwx 1 root root 6058678 Dec 2 2009 va-pidgin.sqx*
-rwxrwxrwx 1 root root 8934 Dec 2 2009 va-prefs.sqx*
-rwxrwxrwx 1 root root 17879734 Dec 2 2009 va-skype.sqx*
-rwxrwxrwx 1 root root 1053390 Dec 2 2009 va-theme-bioblu.sqx*
-rwxrwxrwx 1 root root 426702 Dec 2 2009 va-theme-mirage.sqx*
-rwxrwxrwx 1 root root 21164 Dec 2 2009 va-zenv.sqx*
-rwxrwxrwx 1 root root 5312 Dec 2 2009 version*
As others have said, ISTM the mysterious files that showed up were from an earlier version of Splashtop. I have no idea where those files are residing, though. On my system I created an ntfs-3g partition and manually installed the files, but I don't remember where from.
I think it is highly unlikely that the mysterious appearance was due to someone breaking into the machine. I agree with the theory that the mobo has some sort of built-in flash memory that somehow showed up as a USB drive. My Splashtop has also misbehaved. I had some trouble with Slim and Nvidia drivers on an antiX install that got the system jammed up so it would only boot into Splashtop. I think I had to unplug the hard drive just to be able to get into the BIOS settings and straighten things out.
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Sun Aug 01, 2010 2:15 am Post subject:
Thanks for the input. The files look very alike, but yours are from 2009 and mine are from 2007; so I guess there is no reason for panic :-/
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Tue Sep 14, 2010 4:51 pm Post subject:
Hu wrote: | I suppose you did not copy files from the mysterious mount point before rebooting? Did you stat -f the mounted filesystem? Run lsusb? |
That device mounts again. Running:
Code:
stat -f /dev/sdb1
  File: "/dev/sdb1"
    ID: 0 Namelen: 255 Type: tmpfs
Block size: 4096 Fundamental block size: 4096
Blocks: Total: 2560 Free: 2487 Available: 2487
Inodes: Total: 1024504 Free: 1021930

modprobe -l | grep mtd
return nothing

lsmod
Module Size Used by
vboxnetadp 4976 0
vboxnetflt 11200 0
vboxdrv 1706732 2 vboxnetadp,vboxnetflt
scsi_wait_scan 1424 0
Hu Administrator
Joined: 06 Mar 2007 Posts: 23082
Posted: Wed Sep 15, 2010 3:32 am Post subject:
Joseph_sys wrote:
    That device mounts again. Running:
    Code:
    stat -f /dev/sdb1
      File: "/dev/sdb1"
        ID: 0 Namelen: 255 Type: tmpfs
You stat'd the device node, not the filesystem. Look up where the files are exposed and stat -f that.
Joseph_sys Advocate
Joined: 08 Jun 2004 Posts: 2716 Location: Edmonton, AB
Posted: Wed Sep 15, 2010 4:55 am Post subject:
Hu wrote:
    Joseph_sys wrote:
        That device mounts again. Running:
        Code:
        stat -f /dev/sdb1
          File: "/dev/sdb1"
            ID: 0 Namelen: 255 Type: tmpfs
    You stat'd the device node, not the filesystem. Look up where the files are exposed and stat -f that.
I see, so it will be /media/stick, and it gives me:
Code:
stat -f /media/stick
  File: "/media/stick"
    ID: 81100000000 Namelen: 260 Type: msdos
Block size: 2048 Fundamental block size: 2048
Blocks: Total: 61862 Free: 8490 Available: 8490
Inodes: Total: 0 Free: 0
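The exchange above turns on one point: `stat -f /dev/sdb1` describes the filesystem that holds the device node (the tmpfs on /dev), not the filesystem on the device, so the node has to be mapped to its mount point first. The other open question in the thread, whether /dev/sdb really hangs off a USB port, is answered by the sysfs path behind /sys/block/sdb, which runs through a `usbN/` node for USB mass storage and an `ataN/` node for SATA/PATA disks. The script below is an added example written for this page, not code from any poster; the /proc/mounts text and the sysfs paths it works on are constructed sample data, and `triage`, `bus_of_sysfs_path` and the other function names are mine.

```python
"""Added example (not from the thread): map a block-device node to the
filesystem actually mounted on it, and work out which bus the disk sits on.

`stat -f /dev/sdb1` reports the filesystem that *contains the node* (tmpfs or
devtmpfs on /dev), not the filesystem on the device; look the mount point up
first. The resolved path of /sys/block/sdX shows the controller chain, which
answers "is this really a USB device?" without trusting the /dev name.
The /proc/mounts text and sysfs paths below are constructed sample data."""
import os
import stat
import tempfile


def classify_path(path):
    """Return what kind of object a path is. For a 'block device', stat -f
    would describe the filesystem holding the node, not the device contents."""
    mode = os.stat(path).st_mode
    if stat.S_ISBLK(mode):
        return "block device"
    if stat.S_ISCHR(mode):
        return "char device"
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISREG(mode):
        return "regular file"
    return "other"


def parse_mounts(text):
    """Parse /proc/mounts-format lines into (device, mountpoint, fstype)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        # /proc/mounts escapes spaces in paths as \040
        dev, mnt, fstype = (p.replace("\\040", " ") for p in parts[:3])
        out.append((dev, mnt, fstype))
    return out


def mount_for_device(device, mounts_text):
    """Where, and as what filesystem type, is this device node mounted?"""
    for dev, mnt, fstype in parse_mounts(mounts_text):
        if dev == device:
            return mnt, fstype
    return None


def bus_of_sysfs_path(realpath):
    """Classify a resolved /sys/block/<disk> path by its controller: USB
    storage resolves through a usbN/ component, SATA/PATA through ataN/;
    anything else is reported as 'other' rather than guessed."""
    for part in realpath.split("/"):
        if part.startswith("usb") and part[3:].isdigit():
            return "usb"
        if part.startswith("ata") and part[3:].isdigit():
            return "ata"
    return "other"


def bus_of_disk(disk):
    """Live lookup on a real system, e.g. bus_of_disk('sdb')."""
    return bus_of_sysfs_path(os.path.realpath("/sys/block/" + disk))


# Constructed sample /proc/mounts, modelled on the thread's fstab entry
SAMPLE_MOUNTS = """\
/dev/sda3 / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
/dev/sdb1 /media/stick vfat rw,nosuid,nodev,umask=0077 0 0
"""

# Constructed sysfs resolutions, in the shape real kernels produce
SAMPLE_SYSFS = {
    "sdb": "/sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1:1.0/host6/target6:0:0/6:0:0:0/block/sdb",
    "sda": "/sys/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda",
}


def triage(device, mounts_text=SAMPLE_MOUNTS, sysfs=SAMPLE_SYSFS):
    """Report what to run stat -f against and which bus the backing disk is
    on. Strips the partition number (sdX naming) to find the whole disk."""
    disk = os.path.basename(device).rstrip("0123456789")
    found = mount_for_device(device, mounts_text)
    return {
        "device": device,
        "stat_target": found[0] if found else None,  # run `stat -f` on this
        "fstype": found[1] if found else None,
        "bus": bus_of_sysfs_path(sysfs[disk]) if disk in sysfs else "unknown",
    }


def demo_regular_file():
    """Classify a freshly created temporary file (used by the self-check)."""
    with tempfile.NamedTemporaryFile() as f:
        return classify_path(f.name)


if __name__ == "__main__":
    print(triage("/dev/sdb1"))
    print(triage("/dev/sdc1"))
```

On a live box, replace the constructed tables with `open("/proc/mounts").read()` and `bus_of_disk("sdb")`; if the bus comes back as "other" for a disk you expected on USB, the node is not backed by an external port and the BIOS-embedded flash explanation in the thread is the thing to check.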