14

My Linux (Ubuntu 12.04) password suddenly changed last night and I'm not sure if this is an attack or just a hardware/user error. This is on a personal/non-server box. Several strange events led up to it, enumerated below:

  • While browsing web pages, I can't seem to scroll down. My right hand was on my mouse, left eating food so I'm sure I'm not accidentally pressing any keys. I ran showkey and discovered that every now and then, I'd get spammed by keycode 104 events. 104 seems to be Pg Up.
  • Then it happened that I can't seem to get my password right when invoking sudo commands. However, I can get sudo to authenticate if I copy-paste my password.
  • I got suspicious at this point and checked if there are any unwanted log-ins in my box. who command returns as expected (i.e., only me and my open terminals) and sshd is not running nor can I access port 22 (via telnet).
  • Eventually, I locked my screen and, when I returned, I was prompted for a password and I can't enter it properly anymore.
  • My machine is dual-boot with Windows 8. I try to log-in to Windows 8 and, when I enter my password, I seem to notice that, when I enter my password (19 chars long, same as Ubuntu's), the cursor suddenly shifts to the first character. So, for instance, if my password is "password", entering it straight out it becomes "dpasswor". This got me a few times until I observed the behavior. It helps that Windows 8 allows you the option to see the password you type. You can still edit it though and log-in to Windows just fine.

This is not the first time that my keyboard glitched like this. Last year, it was the direction buttons that were spamming signals. What particularly bothers me is that I got locked out of my machine and that it seemed to change my password and introduce all that weird behavior.

I left it overnight and woke up today to address the issue. Windows is no longer displaying the weird behavior of the last bullet. I have been able to reset my Linux password (to something shorter for the meantime). who and telnet/ssh are the same as ever and I no longer seem to observe the unwanted keypress 104 signals. Are there any further steps you advise me to take?

skytreader
  • has there been some "separation" of the OSes? i.e encrypted partitions, or may we assume a root in your Linux means essentially all control over windows 8 too? – humanityANDpeace Sep 21 '14 at 08:36
  • also nice to know: in linux wayland or X11? given that X11 might allow a hacked browser to send shit to other X11 windows (i.e a sudo'ed terminal). – humanityANDpeace Sep 21 '14 at 08:38
  • Nope, my partitions are not encrypted. I did not tinker further beyond the typical set-up you get with GRUB and GParted when I set-up the machine. If by "control" you mean the ability to delete/change files and config, I believe that's possible. – skytreader Sep 21 '14 at 08:58
  • I'm not exactly aware of wayland and X11 but I believe I'm running X11 as: `$ locate wayland -> /usr/share/apport/package-hooks/source_wayland.py /usr/share/doc/mesa-common-dev/WL_bind_wayland_display.spec` but `$ locate x11 | wc -l -> 663`. Chromium is my primary browser (Version 37.0.2062.94 Ubuntu 12.04 (290621) (64-bit)) but, every now and then I also use Firefox (v32) concurrently with Chromium. – skytreader Sep 21 '14 at 09:01
  • 21
    Sounds like a hardware(keyboard) problem to me, have you tried using a spare one? – user36976 Sep 21 '14 at 09:15
  • @Nick Shame this is a laptop so spares won't really eliminate the problem. :| – skytreader Sep 21 '14 at 09:19
  • 5
    Most likely this is just bad keyboard on the laptop. Can you not use a USB keyboard as a spare? See if the same occurs. – user1720897 Sep 21 '14 at 09:35
  • 8
    Have you checked to see if there is any food stuck under the keys? – Pharap Sep 21 '14 at 11:57
  • 7
    the fact that a password copy paste works indicates that the password hasn't changed. That combined with the fact that it also glitches in win8 definitely seems like this is a hw issue. –  Sep 21 '14 at 15:08

2 Answers

26

While browsing web pages, I can't seem to scroll down. My right hand was on my mouse, left eating food so I'm sure I'm not accidentally pressing any keys. I ran showkey and discovered that every now and then, I'd get spammed by keycode 104 events. 104 seems to be Pg Up.

I try to log-in to Windows 8 and, when I enter my password, I seem to notice that, when I enter my password (19 chars long, same as Ubuntu's), the cursor suddenly shifts to the first character. So, for instance, if my password is "password", entering it straight out it becomes "dpasswor".

Any more questions? :) There is either food stuck below the PgUp key or it is an electronic problem like a hair-line crack on the motherboard.

How this could affect your password file is mysterious, but maybe it didn't and it jumped around too? More probable the PgUp keystroke got interpreted as part of the password.

user55886
  • 3
    Can we guess what the food was based on the symptoms? Hm... Crunchy enough to go flying from mouth to keyboard, sticky enough to get lodged under a key forever. My money is on Doritos. – Alex Shroyer Sep 21 '14 at 15:12
  • Haha. Fair point. I'm positive it isn't so since, the way this laptop keyboard is made (I've opened it once), I'd definitely feel if anything crumb-sized is under any of the keys. :) – skytreader Sep 21 '14 at 16:27
  • 1
    I would actually suspect you got at least a drop of some sort of liquid in there rather than a crumb . . . –  Sep 21 '14 at 22:25
14

You are right in asking the question. The situation as you describe it allows for both alternatives: an attack and a hardware failure (i.e. keyboard failure).

If you had some copies of /etc/shadow before the occurrence and after you could see if the salted hash was different, which would have been a good indication that the password was indeed changed and there has not merely been a problem with the entering of the password due to keypresses sent by the keyboard that changed the position of the cursor while entering the password. Since you might have been one of the persons that takes a backup once in a while you might have the copy before the occurrence and maybe you made a copy of the /etc/shadow file after you rechanged your password. Then just check for inconsistencies there.

What speaks in favour of the explanation of a hardware failure is that you experienced problems at the win8 login which seemed rather to be a keyboard malfunction than the result of a hack. Or at least it seems strange that the windows password should not have been changed by the attack, as it was possible and the attacker should have not tried to cover-up anything in linux and even create suspicion in the win8 login. It seems strange to cause suspicion needlessly.

To better give a judgement about if there are better chances to assume a hack over a hardware failure of course it would have been nice to know which website(s) you had been visiting. Surely some regions of the web are more likely to attack your system via first attacking the browsers.

As you indicated that you used X11 and not Wayland (which you would know - as it takes effort to setup still) the vector of X11 from browser to terminal/sudo is existing.

I am sorry the answer does not give fixed answer, but only tries to help you to make a guess. Maybe you are lucky and can try to get some insight via the /etc/shadow which in case of changed password has a high probability to reflect them. Since you yourself did not change the password a perceived change in /etc/shadow would go far in hinting that there was a hack.

humanityANDpeace
  • I accepted this since this has info on what I could actually check next. The way things look, I guess it really is just a hardware glitch. Thanks everyone! – skytreader Sep 21 '14 at 16:29
  • @skytreader thank you! Since you express some reluctance of being attacked, you might consider at least to keep your linux safe from win8 by using encryption. Also another layer of protection by using a linux security module to yet again sandbox the browser keeps the worried/paranoid among us happy ;) – humanityANDpeace Sep 22 '14 at 07:16
  • I found that my phone kept interfering with the scroll wheel on my old wired mouse. I'd get a scroll-up every time my speakers clicked with the typical "mobile phone" sounds. Maybe you have a wireless keyboard/mouse and one is screwing with the other? – Mark K Cowan Sep 22 '14 at 08:51
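
The /etc/shadow comparison suggested in the accepted answer above, as an added example that is not part of the original thread: it compares one user's password field and last-change date between a backup copy and a current copy. The user name `alice` and both sample files are constructed, and the hash strings are shortened placeholders.

```python
"""Compare one user's entry in two copies of /etc/shadow (backup vs. current)."""
from datetime import date, timedelta

# Constructed sample data: "alice" is hypothetical, hashes are placeholders.
BACKUP = """root:!:16300:0:99999:7:::
alice:$6$saltAAAA$hashbefore:16200:0:99999:7:::
"""
CURRENT = """root:!:16300:0:99999:7:::
alice:$6$saltBBBB$hashafter:16334:0:99999:7:::
"""


def parse_shadow(text):
    """Map login name -> (password field, last-change day count or None)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        lastchg = int(fields[2]) if fields[2].isdigit() else None
        entries[fields[0]] = (fields[1], lastchg)
    return entries


def lastchg_date(days):
    """shadow(5) stores the last password change as days since 1970-01-01."""
    return None if days is None else date(1970, 1, 1) + timedelta(days=days)


def compare(user, before_text, after_text):
    """Report whether the user's password field differs between the copies."""
    before = parse_shadow(before_text).get(user)
    after = parse_shadow(after_text).get(user)
    if before is None or after is None:
        return {"status": "missing"}
    return {
        "status": "changed" if before[0] != after[0] else "unchanged",
        "lastchg_before": lastchg_date(before[1]),
        "lastchg_after": lastchg_date(after[1]),
    }


if __name__ == "__main__":
    # On a real system, read the two files as root instead of the samples.
    for name in ("root", "alice"):
        print(name, compare(name, BACKUP, CURRENT))
```

The last-change field records only the most recent change, so a copy taken after a manual reset shows the reset date rather than any earlier change. Setting the same password again also produces a different salted hash, so a differing field shows that the entry was rewritten, not that the password itself is different.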