
I realized that my Ubuntu and Windows dual-boot system might have been compromised, so I installed OSSEC HIDS to look for issues.

When I ran dmesg, I found the following trace:

------------[ cut here ]------------
[   31.461050] Could not determine valid watermarks for inherited state
[   31.461117] WARNING: CPU: 3 PID: 321 at /build/linux-VWHl78/linux-4.15.0/drivers/gpu/drm/i915/intel_display.c:14537 intel_modeset_init+0xfcf/0x1010 [i915]
[   31.461118] Modules linked in: i915(+) intel_rapl_perf mxm_wmi joydev ideapad_laptop sparse_keymap wmi ttm serio_raw snd_rawmidi snd_seq snd_seq_device mac_hid btusb btrtl btbcm btintel bluetooth ecdh_generic snd_timer video lpc_ich drm_kms_helper snd drm shpchp mei_me i2c_algo_bit fb_sys_fops mei syscopyarea sysfillrect soundcore sysimgblt sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 rtsx_usb_sdmmc rtsx_usb r8169 ahci psmouse libahci mii
[   31.461150] CPU: 3 PID: 321 Comm: systemd-udevd Not tainted 4.15.0-69-generic #78-Ubuntu
[   31.461151] Hardware name: LENOVO 20354/Lancer 5A5, BIOS 9BCN29WW 10/20/2014
[   31.461189] RIP: 0010:intel_modeset_init+0xfcf/0x1010 [i915]
[   31.461190] RSP: 0018:ffffa7e8c13bb9b0 EFLAGS: 00010286
[   31.461191] RAX: 0000000000000000 RBX: ffff95ec82218000 RCX: 0000000000000006
[   31.461193] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff95ec8f2d6490
[   31.461194] RBP: ffffa7e8c13bba40 R08: 00000000000002e9 R09: 0000000000000004
[   31.461195] R10: 0000000000000040 R11: 0000000000000001 R12: ffff95ec8287cc00
[   31.461196] R13: ffff95ec828cbc00 R14: 00000000ffffffea R15: ffff95ec82218358
[   31.461197] FS:  00007fb2fe9ca680(0000) GS:ffff95ec8f2c0000(0000) knlGS:0000000000000000
[   31.461199] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.461200] CR2: 00007fb2fe94d8b9 CR3: 0000000242a7e003 CR4: 00000000001606e0
[   31.461201] Call Trace:
[   31.461236]  i915_driver_load+0xa73/0xe60 [i915]
[   31.461268]  i915_pci_probe+0x42/0x70 [i915]
[   31.461271]  local_pci_probe+0x47/0xa0
[   31.461273]  pci_device_probe+0x10e/0x1c0
[   31.461276]  driver_probe_device+0x30c/0x490
[   31.461278]  __driver_attach+0xcc/0xf0
[   31.461280]  ? driver_probe_device+0x490/0x490
[   31.461282]  bus_for_each_dev+0x70/0xc0
[   31.461284]  driver_attach+0x1e/0x20
[   31.461285]  bus_add_driver+0x1c7/0x270
[   31.461287]  ? 0xffffffffc0512000
[   31.461289]  driver_register+0x60/0xe0
[   31.461290]  ? 0xffffffffc0512000
[   31.461292]  __pci_register_driver+0x5a/0x60
[   31.461326]  i915_init+0x5c/0x5f [i915]
[   31.461329]  do_one_initcall+0x52/0x19f
[   31.461331]  ? __vunmap+0x8e/0xc0
[   31.461334]  ? _cond_resched+0x19/0x40
[   31.461337]  ? kmem_cache_alloc_trace+0xa6/0x1b0
[   31.461340]  ? do_init_module+0x27/0x213
[   31.461342]  do_init_module+0x5f/0x213
[   31.461345]  load_module+0x16bc/0x1f10
[   31.461348]  ? ima_post_read_file+0x96/0xa0
[   31.461352]  SYSC_finit_module+0xfc/0x120
[   31.461354]  ? SYSC_finit_module+0xfc/0x120
[   31.461357]  SyS_finit_module+0xe/0x10
[   31.461359]  do_syscall_64+0x73/0x130
[   31.461361]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   31.461362] RIP: 0033:0x7fb2fe4ec839
[   31.461363] RSP: 002b:00007ffcef7f0b08 EFLAGS: 00000246 ORIG_RAX:     0000000000000139
[   31.461365] RAX: ffffffffffffffda RBX: 000055bb6b9f0fd0 RCX: 00007fb2fe4ec839
[   31.461366] RDX: 0000000000000000 RSI: 00007fb2fe1cb145 RDI: 0000000000000016
[   31.461367] RBP: 00007fb2fe1cb145 R08: 0000000000000000 R09: 00007ffcef7f0c20
[   31.461368] R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
[   31.461369] R13: 000055bb6b9de3d0 R14: 0000000000020000 R15: 000055bb6b9f0fd0
[   31.461371] Code: e9 46 fc ff ff 48 c7 c6 d7 0d 4a c0 48 c7 c7 2f 01 4a c0 e8 c4 b8 47 e9 0f 0b e9 73 fe ff ff 48 c7 c7 b0 65 4b c0 e8 b1 b8 47 e9 <0f> 0b e9 4b fe ff ff 48 c7 c6 e4 0d 4a c0 48 c7 c7 2f 01 4a c0 
[   31.461406] ---[ end trace 31d653066e7272ed ]---

Also, since installing the HIDS there has been only one level-13 event in OSSEC HIDS; the rest are all below level 8.

I tried to search for this specific event but didn't get any clear answers.

The OSSEC HIDS event is:

Level: 13 - Non standard syslog message (size too large).
Rule Id: 1003
Location: linuxbox->/var/log/syslog
Nov 19 10:23:52 linuxbox gnome-software[2785]: ignoring non-installed 
app GsApp: [0x7f94180b6530]#012kind: desktop#012state: available#012quirk: provenance#012id: io.snapcraft.gnome-calculator-J8OcDPQ0JM8dbvk29HRqpWVI9kBw0atG#012unique-id: 
system/snap/Snap Store/desktop/io.snapcraft.gnome-calculator-J8OcDPQ0JM8dbvk29HRqpWVI9kBw0atG/*#012scope: 
system#012bundle-kind: snap#012kudos: sandboxed#012kudo-percentage: 20#012name: 
GNOME Calculator#012pixbuf: 0x7f941a92f520#012icon-kind: 
remote#012icon-filename: /home/dawn/.cache/gnome-software/icons/c231dd718a0e5e282ca5a38df074a0483fa39a3b-accessories-calculator.png#012version: 
3.34.1+git1.d34dc842#012summary: GNOME Calculator#012description: 
GNOME Calculator is an application that solves mathematical equations.#012Though it at first 
appears to be a simple calculator with only basic#012arithmetic operations, you can switch into Advanced, Financial, 
or#012Programming mode to find a surprising set of capabilities.#012#012The 
Advanced calculator supports many operations, including:#012logarithms, factorials, trigono

On Windows, I had used KMSpico and I allowed a dialog that said something about tunneling regarding network access. It installed a lot of malware and I tried disinfecting the system. I forgot about it, but multiple new blank Excel and Windows documents would open during startup. That is the reason I am worried.

    This is a kernel panic. It does not look like a compromise but more like an issue in the driver or a hardware fault. My guess (which is all I can do due to a lack of details): you assume that your system is compromised because it is somehow behaving strange. But the reason for this might just be a hardware problem like an instability caused by overheating or faulty hardware. – Steffen Ullrich Nov 19 '19 at 06:32
  • @SteffenUllrich thank you, I have made edits and added the details. My windows system was infected with malware due to use of unverified programs. That is the reason I am suspicious. – dawn Nov 19 '19 at 07:09
  • Still, your question mainly contains the kernel panic and that OSSEC is complaining that it cannot handle this kernel panic as useful input (*"Non standard syslog message"*). Nothing here suggests that your Linux system is compromised. – Steffen Ullrich Nov 19 '19 at 07:40
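The two artefacts in the question can be triaged mechanically: the dmesg output is a WARN_ON trace (not a panic or an oops) from a "Not tainted" kernel in the i915 driver, and the OSSEC level-13 event is rule 1003 firing because rsyslog folded a multi-line gnome-software dump into one syslog line longer than the rule's maxsize. The script below is an added example, not part of the question or of OSSEC; it assumes the stock maxsize of 1025 bytes from OSSEC's syslog_rules.xml and uses constructed sample lines based on the question's own output.

```python
import re

# OSSEC's stock syslog_rules.xml fires rule 1003 (level 13, "Non standard syslog
# message (size too large)") above its maxsize; 1025 is the shipped default (assumed here).
OSSEC_RULE_1003_MAXSIZE = 1025

# Kernel trace classes, most severe first; a WARN_ON trace like the i915 one is the mildest.
KERNEL_SEVERITY = [
    ("panic", re.compile(r"Kernel panic")),
    ("oops", re.compile(r"\bBUG:|\bOops\b|general protection fault")),
    ("warning", re.compile(r"\bWARNING: CPU: \d+ PID: \d+ at ")),
]
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([\w.-]+)(?:\[(\d+)\])?: (.*)$")

def classify_kernel_trace(lines):
    """Summarise a dmesg trace: severity class, taint state and the module blamed."""
    text = "\n".join(lines)
    severity = next((name for name, pat in KERNEL_SEVERITY if pat.search(text)), "info")
    # "at <file>:<line> <symbol>+<off>/<len> [<module>]" names the module owning the WARN site.
    site = re.search(r"\bat \S+:\d+ \S+ \[(\w+)\]", text)
    taint = "tainted" if re.search(r"\bTainted:", text) else "not tainted" if "Not tainted" in text else None
    return {"severity": severity, "module": site.group(1) if site else None, "taint": taint}

def check_syslog_line(line, maxsize=OSSEC_RULE_1003_MAXSIZE):
    """Reproduce the rule 1003 size test and explain why a line got so long."""
    m = SYSLOG_RE.match(line)
    size = len(line.encode("utf-8"))
    return {
        "program": m.group(2) if m else None,
        "bytes": size,
        "oversized": size > maxsize,
        # rsyslog escapes embedded newlines as "#012", so a multi-line dump from one
        # program (here gnome-software's GsApp description) arrives as one long line.
        "embedded_lines": line.count("#012") + 1,
    }

# Constructed sample input: the i915 trace from this page and a gnome-software line
# padded to the length that trips rule 1003.
KERNEL_TRACE = [
    "[   31.461117] WARNING: CPU: 3 PID: 321 at /build/linux-VWHl78/linux-4.15.0/drivers/gpu/drm/i915/intel_display.c:14537 intel_modeset_init+0xfcf/0x1010 [i915]",
    "[   31.461150] CPU: 3 PID: 321 Comm: systemd-udevd Not tainted 4.15.0-69-generic #78-Ubuntu",
    "[   31.461406] ---[ end trace 31d653066e7272ed ]---",
]
GNOME_LINE = ("Nov 19 10:23:52 linuxbox gnome-software[2785]: ignoring non-installed app GsApp: "
              "[0x7f94180b6530]#012kind: desktop#012state: available#012description: "
              + "GNOME Calculator is an application that solves mathematical equations. " * 16)
NORMAL_LINE = "Nov 19 10:23:52 linuxbox systemd[1]: Started Daily apt download activities."

if __name__ == "__main__":
    print(classify_kernel_trace(KERNEL_TRACE), check_syslog_line(GNOME_LINE), check_syslog_line(NORMAL_LINE))
```

A "warning" result with "not tainted" points at a driver or hardware problem to report upstream, while rule 1003 on a line with many embedded lines is a logging-format issue to tune (or to whitelist for that program) rather than an intrusion indicator.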
