My syslog indicates that someone plugged an iPhone USB device into my desktop at 4am today, for about 10 minutes. I'm checking physical security logs to see if there was someone in the room, but in the meantime I'm trying to investigate whether these symptoms could indicate some other kind of intrusion. I hope not...
Any other suggestions to investigate this?
System:
Linux hostname 2.6.35-28-generic #40-Ubuntu SMP Fri Mar 18:42:20 UTC 2011 x86_64 GNU/Linux Ubuntu 10.10
Symptoms (hostname has been obfuscated):
An open dialog in Gnome that reads
"Unable to mount GEORGE's iPhone. DBus error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)"
The following messages in /var/log/kern.log. All other logged messages are normal.
May 18 04:01:29 hostname kernel: [1250738.453932] usb 2-3: new high speed USB device using ehci_hcd and address 2
May 18 04:01:31 hostname kernel: [1250740.692816] ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached
May 18 04:01:31 hostname kernel: [1250740.692906] usbcore: registered new interface driver ipheth
May 18 04:12:23 hostname kernel: [1251392.150063] usb 2-3: USB disconnect, address 2
May 18 04:12:23 hostname kernel: [1251392.270794] ipheth 2-3:4.2: Apple iPhone USB Ethernet now disconnected
The following new processes. All other current processes can be accounted for.
root 5519 1 99 04:01 ? 05:24:11 /lib/udev/iphone-set-info
root 5525 486 0 04:01 ? 00:00:00 udevd --daemon
root 5526 486 0 04:01 ? 00:00:00 udevd --daemon
The iphone-set-info process has pinned one core at 100% utilisation. I only noticed this after physically removing the machine from the network.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5519 root 18 -2 50028 2660 2108 R 100 0.0 455:36.10 iphone-set-info
The following messages in /var/log/syslog. All subsequent messages are normal. The php cron message is normal.
May 18 04:01:29 hostname kernel: [1250738.453932] usb 2-3: new high speed USB device using ehci_hcd and address 2
May 18 04:01:31 hostname kernel: [1250740.692816] ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached
May 18 04:01:31 hostname kernel: [1250740.692906] usbcore: registered new interface driver ipheth
May 18 04:01:33 hostname NetworkManager[1181]: SCPlugin-Ifupdown: devices added (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0)
May 18 04:01:33 hostname NetworkManager[1181]: SCPlugin-Ifupdown: device added (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0): no ifupdown configuration found.
May 18 04:09:01 hostname CRON[5572]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
May 18 04:12:23 hostname kernel: [1251392.150063] usb 2-3: USB disconnect, address 2
May 18 04:12:23 hostname NetworkManager[1181]: SCPlugin-Ifupdown: devices removed (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0)
May 18 04:12:23 hostname vmnetBridge: RTM_DELLINK: name:wwan0 index:79 flags:0x00001002
May 18 04:12:23 hostname avahi-daemon[1175]: Withdrawing workstation service for wwan0.
May 18 04:12:23 hostname kernel: [1251392.270794] ipheth 2-3:4.2: Apple iPhone USB Ethernet now disconnected
- Nothing unusual in shell history (bash, zsh, etc.) for any users
- Nothing unusual in /var/log/auth
An iPhone device has never been used on this machine. I understand the dialog and pinned core are a common problem when it's not set up.
To me, all evidence suggests someone plugged in a phone at 4am, but if the physical security logs (swipe cards & video) don't support this assumption I need to suspect some kind of remote exploit. Any other suggestions to investigate this?
My hypothesis is the cleaner plugged in their phone to recharge it for 10 minutes, however I've taken precautions to lock down the machine.
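As an added example (not code from the question or from any answer on this page), the following Python script does the timeline reconstruction described above mechanically: it pairs each kernel "new ... USB device ... address N" line with the matching "USB disconnect, address N" line on the same port, attaches any class-driver line (here ipheth) that bound in between, computes how long the device stayed connected from the kernel's monotonic uptime stamp, and flags attaches that fall in a quiet-hours window. Assumptions not taken from the post: the classic "Mon DD HH:MM:SS host kernel: [uptime] ..." syslog layout shown in the question, the 00:00-06:00 quiet-hours window (a constructed policy; choose your own), and the sample input, which is the question's own kernel lines plus a trimmed cron line and one constructed second device that never disconnects.

```python
"""Pair USB attach/detach events in a Linux kern.log and report dwell time.

Duration uses the bracketed kernel uptime stamp rather than the syslog
wall-clock prefix: it is monotonic and carries no year/timezone ambiguity.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the kernel lines quoted in the question, a trimmed
# cron line (non-kernel, should be ignored) and one constructed attach on
# another port that never disconnects, to exercise the "still connected" case.
SAMPLE_LOG = """\
May 18 04:01:29 hostname kernel: [1250738.453932] usb 2-3: new high speed USB device using ehci_hcd and address 2
May 18 04:01:31 hostname kernel: [1250740.692816] ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached
May 18 04:01:31 hostname kernel: [1250740.692906] usbcore: registered new interface driver ipheth
May 18 04:09:01 hostname CRON[5572]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] )
May 18 04:12:23 hostname kernel: [1251392.150063] usb 2-3: USB disconnect, address 2
May 18 04:12:23 hostname kernel: [1251392.270794] ipheth 2-3:4.2: Apple iPhone USB Ethernet now disconnected
May 18 13:30:05 hostname kernel: [1284954.112233] usb 1-2: new full speed USB device using uhci_hcd and address 3
"""

# Common syslog + kernel prefix: "Mon DD HH:MM:SS host kernel: [uptime] "
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[ *(?P<up>\d+\.\d+)\] "
ATTACH_RE = re.compile(_PREFIX + r"usb (?P<port>[\d.-]+): new .*USB device .*address (?P<addr>\d+)$")
DETACH_RE = re.compile(_PREFIX + r"usb (?P<port>[\d.-]+): USB disconnect, address (?P<addr>\d+)$")
# Class driver binding to an interface, e.g. "ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached"
DRIVER_RE = re.compile(_PREFIX + r"(?P<drv>[a-z0-9_]+) (?P<iface>[\d.-]+:[\d.]+): (?P<desc>.+) device attached$")


@dataclass
class UsbSession:
    port: str
    address: str
    attached_at: str          # syslog wall-clock text, for the human-readable report
    attach_uptime: float      # kernel uptime in seconds
    detached_at: Optional[str] = None
    detach_uptime: Optional[float] = None
    drivers: List[str] = field(default_factory=list)   # "driver: description"

    @property
    def duration_s(self) -> Optional[float]:
        """Seconds the device stayed connected, or None if no disconnect was seen."""
        if self.detach_uptime is None:
            return None
        return round(self.detach_uptime - self.attach_uptime, 3)


def parse_usb_sessions(log_text: str) -> List[UsbSession]:
    """Walk the log once, pairing attach and detach lines per USB port."""
    open_sessions: Dict[str, UsbSession] = {}   # keyed by port while connected
    finished: List[UsbSession] = []
    for line in log_text.splitlines():
        m = ATTACH_RE.match(line)
        if m:
            if m["port"] in open_sessions:        # attach with no detach seen: close the stale one
                finished.append(open_sessions[m["port"]])
            open_sessions[m["port"]] = UsbSession(m["port"], m["addr"], m["ts"], float(m["up"]))
            continue
        m = DRIVER_RE.match(line)
        if m:
            port = m["iface"].split(":")[0]       # "2-3:4.2" -> port "2-3"
            if port in open_sessions:
                open_sessions[port].drivers.append(f'{m["drv"]}: {m["desc"]}')
            continue
        m = DETACH_RE.match(line)
        if m:
            s = open_sessions.get(m["port"])
            if s is not None and s.address == m["addr"]:
                s.detached_at, s.detach_uptime = m["ts"], float(m["up"])
                finished.append(open_sessions.pop(m["port"]))
    finished.extend(open_sessions.values())       # still attached at end of log
    return finished


def outside_hours(session: UsbSession, quiet=(0, 6)) -> bool:
    """True if the attach happened in the [quiet[0], quiet[1]) hour window.
    The default 00:00-06:00 window is an assumed policy, not from the post."""
    hour = int(session.attached_at.split()[-1].split(":")[0])
    return quiet[0] <= hour < quiet[1]


def report(log_text: str) -> List[str]:
    """One human-readable line per USB session."""
    out = []
    for s in parse_usb_sessions(log_text):
        dur = "still connected" if s.duration_s is None else f"{s.duration_s / 60:.1f} min"
        drv = ", ".join(s.drivers) or "no class driver bound"
        flag = "  <-- outside hours" if outside_hours(s) else ""
        out.append(f"usb {s.port} addr {s.address}: {s.attached_at} -> "
                   f"{s.detached_at or '?'} ({dur}) [{drv}]{flag}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real file with `report(open("/var/log/kern.log").read())`; the ipheth session from the question comes out as about 10.9 minutes, which matches the "about 10 minutes" estimate, and a device that binds a network driver (ipheth creating wwan0) is worth distinguishing from a plain storage device, since it adds an interface rather than a disk.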