
My syslog indicates that someone plugged an iPhone USB device into my desktop at 4am today, for about 10 minutes. I'm checking physical security logs to see if there was someone in the room, but in the meantime I'm trying to investigate whether these symptoms could indicate some other kind of intrusion. I hope not...

Any other suggestions to investigate this?

System:

Linux hostname 2.6.35-28-generic #40-Ubuntu SMP Fri Mar 18:42:20 UTC 2011 x86_64 GNU/Linux Ubuntu 10.10

Symptoms (hostname has been obfuscated):

  • An open dialog in Gnome that reads "Unable to mount GEORGE's iPhone. DBus error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)".

  • The following messages in /var/log/kern.log. All other logged messages are normal.

    May 18 04:01:29 hostname kernel: [1250738.453932] usb 2-3: new high speed USB device using ehci_hcd and address 2
    May 18 04:01:31 hostname kernel: [1250740.692816] ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached
    May 18 04:01:31 hostname kernel: [1250740.692906] usbcore: registered new interface driver ipheth
    May 18 04:12:23 hostname kernel: [1251392.150063] usb 2-3: USB disconnect, address 2
    May 18 04:12:23 hostname kernel: [1251392.270794] ipheth 2-3:4.2: Apple iPhone USB Ethernet now disconnected
    
  • The following new processes. All other current processes can be accounted for.

    root      5519     1 99 04:01 ?        05:24:11 /lib/udev/iphone-set-info
    root      5525   486  0 04:01 ?        00:00:00 udevd --daemon
    root      5526   486  0 04:01 ?        00:00:00 udevd --daemon
    
  • The iphone-set-info process has pinned one core at 100% utilisation. I only noticed this after physically removing the machine from the network.

    PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                            
    5519 root      18  -2 50028 2660 2108 R  100  0.0 455:36.10 iphone-set-info  
    
  • The following messages in /var/log/syslog. All subsequent messages are normal. The php cron message is normal.

    May 18 04:01:29 hostname kernel: [1250738.453932] usb 2-3: new high speed USB device using ehci_hcd and address 2
    May 18 04:01:31 hostname kernel: [1250740.692816] ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached
    May 18 04:01:31 hostname kernel: [1250740.692906] usbcore: registered new interface driver ipheth
    May 18 04:01:33 hostname NetworkManager[1181]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0)
    May 18 04:01:33 hostname NetworkManager[1181]:    SCPlugin-Ifupdown: device added (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0): no ifupdown configuration found.
    May 18 04:09:01 hostname CRON[5572]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
    May 18 04:12:23 hostname kernel: [1251392.150063] usb 2-3: USB disconnect, address 2
    May 18 04:12:23 hostname NetworkManager[1181]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0)
    May 18 04:12:23 hostname vmnetBridge: RTM_DELLINK: name:wwan0 index:79 flags:0x00001002
    May 18 04:12:23 hostname avahi-daemon[1175]: Withdrawing workstation service for wwan0.
    May 18 04:12:23 hostname kernel: [1251392.270794] ipheth 2-3:4.2: Apple iPhone USB Ethernet now disconnected
    
  • Nothing unusual in shell history (bash, zsh, etc.) for any user

  • Nothing unusual in /var/log/auth

An iPhone device has never been used on this machine. I understand the dialog and pinned core are a common problem when it's not set up.

To me, all evidence suggests someone plugged in a phone at 4am, but if the physical security logs (swipe cards & video) don't support this assumption I need to suspect some kind of remote exploit. Any other suggestions to investigate this?

My hypothesis is the cleaner plugged in their phone to recharge it for 10 minutes, however I've taken precautions to lock down the machine.

john
Jeromy Evans
  • I like your hypothesis, however a more sinister option could be that they were attempting to use the tethering feature of their iPhone to take files off your network without them passing through your gateway. Although I think your hypothesis is more likely (do you work somewhere that people would go to such lengths to steal data?) – Mark Henderson May 18 '11 at 03:07
  • Thanks Farseeker. I wouldn't think so... Although that would be easy for a cleaner to do while they're doing their rounds. – Jeromy Evans May 18 '11 at 04:54
  • 10
    Although if you're worried enough about security that you have physical security logs to see who got into your office, *why in the name of all the saints and minor deities are you running a system config that automatically tries to set up an internet connection through any newly attached device* ? – Shadur May 18 '11 at 06:47
  • 3
    Is your cleaner's name George? – Caleb May 18 '11 at 09:33
  • 2
    How come you have iphone-set-info installed if an iphone device has never been used on this machine? It's not installed by default, and the 100% cpu consumption is a known bug of this utility. – john May 18 '11 at 10:22
  • 4
    It's entirely possible the cleaner came in, realized his iphone was low on battery and plugged it into your computer's USB port for a quick recharge while he cleaned the office. Again, though, given how security conscious you claim the rest of your setup is, leaving your system configured to automatically attempt iphone tethering was a terribly poor idea. – Shadur May 18 '11 at 12:14
  • 1
    It's probably enabled by default by Ubuntu to make it more usable. Your cleaners must be well paid to have an iPhone :) – Stephen Paulger May 18 '11 at 14:00
  • This appears to be Ubuntu's default behaviour to automount USB devices and automatically set up the tethered network device if the device supports it (except that it didn't quite work in this scenario). – Jeromy Evans May 18 '11 at 23:38
  • @john confirmed ipheth-utils is not installed. libgpod-0.7.51-1 is installed (library to read and write songs and artwork to an iPod) which is distributed with 10.10 I think. – Jeromy Evans May 18 '11 at 23:49
  • Who is George? Can you check how many Georges are working the night shift? – VP. May 19 '11 at 09:42
  • 1
    http://www.infosecblog.org/2011/01/autorun-attacks-on-ubuntu/ This link may be interesting to people reading this page. – Stephen Paulger May 24 '11 at 13:18
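The investigation above is done by eye over a handful of kern.log and syslog lines. The following script is an added example (not code from the question or its commenters) that does the same reconstruction mechanically: it pairs each kernel "new USB device" line with its "USB disconnect" by port and address, records which driver bound (ipheth here) and which NetworkManager interface appeared for that port, computes the attach duration from the kernel uptime stamps, and flags sessions that fall outside assumed business hours or that handed the host a network interface. The sample log is constructed from the lines quoted in the question plus one unrelated cron line; the business-hours window, the set of network-capable USB drivers beyond ipheth, and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the kern.log / syslog lines quoted in the question,
# plus one unrelated cron line so the parser has something to ignore.
SAMPLE_LOG = """\
May 18 04:01:29 hostname kernel: [1250738.453932] usb 2-3: new high speed USB device using ehci_hcd and address 2
May 18 04:01:31 hostname kernel: [1250740.692816] ipheth 2-3:4.2: Apple iPhone USB Ethernet device attached
May 18 04:01:31 hostname kernel: [1250740.692906] usbcore: registered new interface driver ipheth
May 18 04:01:33 hostname NetworkManager[1181]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-3/2-3:4.2/net/wwan0, iface: wwan0)
May 18 04:09:01 hostname CRON[5572]: (root) CMD (run-parts /etc/cron.hourly)
May 18 04:12:23 hostname kernel: [1251392.150063] usb 2-3: USB disconnect, address 2
May 18 04:12:23 hostname kernel: [1251392.270794] ipheth 2-3:4.2: Apple iPhone USB Ethernet now disconnected
"""

# USB drivers that give the host a network interface. ipheth is the one from the
# page; the others are other in-tree usbnet drivers (assumed list, extend per site).
NETWORK_DRIVERS = {"ipheth", "cdc_ether", "rndis_host", "usbnet"}

# Assumed business hours (07:00-18:59); attachments outside are flagged.
WORK_HOURS = range(7, 19)

KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[ *(?P<uptime>[\d.]+)\] (?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"^usb (?P<port>[\d.-]+): new .*USB device .*address (?P<addr>\d+)$")
DISC_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect, address (?P<addr>\d+)$")
DRIVER_RE = re.compile(r"^(?P<driver>\w+) (?P<port>[\d.-]+):[\d.]+: (?P<desc>.*?) (?:device )?attached$")
NM_RE = re.compile(
    r"SCPlugin-Ifupdown: devices? added \(path: \S*/usb\d+/(?P<port>[\d.-]+)/.*iface: (?P<iface>\w+)\)")


@dataclass
class UsbSession:
    port: str
    address: str
    attached_at: str            # syslog wall-clock timestamp of the attach line
    attached_uptime: float      # kernel [seconds-since-boot] stamp of the attach line
    driver: Optional[str] = None
    description: Optional[str] = None
    detached_uptime: Optional[float] = None
    interfaces: List[str] = field(default_factory=list)

    @property
    def duration_seconds(self) -> Optional[float]:
        if self.detached_uptime is None:
            return None
        return self.detached_uptime - self.attached_uptime

    @property
    def hour(self) -> int:
        return int(self.attached_at.split()[2][:2])

    @property
    def after_hours(self) -> bool:
        return self.hour not in WORK_HOURS

    @property
    def gave_network(self) -> bool:
        return self.driver in NETWORK_DRIVERS or bool(self.interfaces)


def parse_usb_sessions(log_text: str) -> List[UsbSession]:
    """Pair 'new USB device' with 'USB disconnect' lines by port and address, and
    attach the driver binding and any NetworkManager interface seen for the same
    port while the device was present. Unmatched lines are ignored."""
    open_by_port: Dict[str, UsbSession] = {}
    sessions: List[UsbSession] = []
    for line in log_text.splitlines():
        nm = NM_RE.search(line)
        if nm:
            if nm["port"] in open_by_port:
                open_by_port[nm["port"]].interfaces.append(nm["iface"])
            continue
        k = KERNEL_RE.match(line)
        if not k:
            continue
        msg, uptime = k["msg"], float(k["uptime"])
        new = NEW_DEV_RE.match(msg)
        if new:
            s = UsbSession(new["port"], new["addr"], k["ts"], uptime)
            open_by_port[new["port"]] = s
            sessions.append(s)
            continue
        drv = DRIVER_RE.match(msg)
        if drv and drv["port"] in open_by_port:
            open_by_port[drv["port"]].driver = drv["driver"]
            open_by_port[drv["port"]].description = drv["desc"]
            continue
        disc = DISC_RE.match(msg)
        if disc:
            s = open_by_port.pop(disc["port"], None)
            if s and s.address == disc["addr"]:
                s.detached_uptime = uptime
    return sessions


def report(sessions: List[UsbSession]) -> List[str]:
    """One summary line per session: when, what, how long, and the risk flags."""
    lines = []
    for s in sessions:
        dur = "still attached" if s.duration_seconds is None else f"{s.duration_seconds / 60:.1f} min"
        flags = (["AFTER-HOURS"] if s.after_hours else []) + (["NETWORK-CAPABLE"] if s.gave_network else [])
        lines.append(f"{s.attached_at} port {s.port}: {s.description or 'unknown device'} "
                     f"({s.driver or 'no driver'}) for {dur}; ifaces={s.interfaces or '-'} "
                     f"{' '.join(flags)}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(parse_usb_sessions(SAMPLE_LOG)):
        print(line)
```

Run against a real host it would be fed `cat /var/log/kern.log /var/log/syslog` rather than the constructed sample; the kernel uptime stamps are used for the duration because they are monotonic and unaffected by the wall-clock minute granularity. For the sample it reports a single 10.9-minute session on port 2-3, bound to ipheth, that produced the wwan0 interface and started at 04:01, which is exactly the picture the question assembles by hand.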

1 Answer


It is more common for people to have iPhones than 0-day exploits and therefore it's more likely that someone really did plug in an iPhone. That being said, it's entirely possible to exploit a machine via USB. In this case the ipheth kernel module could have been exploited and there is really no way to know from this log; it's simply not enough information. Sometimes a memory corruption exploit will execute its shellcode, install a backdoor and then crash the vulnerable process. You could see a kernel panic in dmesg, but that didn't happen. If the exploit is written well, then the kernel won't crash.

rook
  • 6
    Thanks everyone. Swipe card records confirmed the cleaner was in the room from 2.30am to 4.30am. The cleaning company has been asked to ask the cleaner and to advise them this is not okay. I expect they do it regularly to recharge their phones but happened to plug into this Ubuntu machine instead of the more common Windows boxes. It is however an excellent way to deliver exploits and/or steal data with a low probability of detection. – Jeromy Evans May 18 '11 at 23:42