| 10 Apr 2024 |
 evidlo | watch your machine with wireshark and figure out if your machine is actually sending emails or not | 04:48:01 |
| evidlo | and you should always wipe your machine if you think its compromised | 04:49:46 |
 fabu.io | might be better to just wipe ubuntu and install fedora | 05:06:06 |
| fabu.io | but i am curious as to how it happened | 05:06:17 |
 cclausen | it could be a compromised snap / container or python package or nodejs package... lots of fake stuff out there. Did you ask campus security for more details, like specific traffic or email addresses your host is sending to? I hope its not just root emails going to someplace unintended to some odd default or DNS lookup or something like that. | 13:50:24 |
| cclausen | I would try and get details on when exactly the email activity started and try and trace what you were doing around then. Can also check your system logs. I would assume that Ubuntu logs emails that it sends by default, assuming the local MTA was used and not direct network connections to mail servers. | 14:05:49 |
| cclausen | If you want to make an image of your system I'd be happy to investigate using our forensics tools. (I perform forensics as part of my incident response activites at NCSA.) Or you can try and run https://github.com/sleuthkit/autopsy yourself on an image taken prior to reinstall. See https://github.com/sleuthkit/autopsy/blob/develop/Running_Linux_OSX.md | 14:10:45 |
| fabu.io | I did, but the people on desk were unable to give me any specific details | 16:52:23 |
| fabu.io | and since I need to connect to IllinoisNet for part of my research, I need to deal with this asap | 16:52:50 |
| cclausen | If it were me, I'd pull the current SSD / hard drive and reinstall onto a new one to keep working. can always put the original back to do any forensics | 17:55:22 |
| cclausen | (this of course assumes you have another drive you can use) | 17:56:19 |
 Jos | Redacted or Malformed Event | 17:57:51 |
| cclausen | I've had some no good experiences with campus security alerting on stupid hits, like people typoing web sites (yahooo for example) and this triggering something in their next gen firewall that really isn't a big deal and them creating a ticket. | 17:58:09 |
| cclausen | In my case I could argue against them since I am an IT Pro on campus - not sure students have much they can do here... | 17:58:40 |
| evidlo | get them to change their stance on SSH exceptions please | 17:59:10 |
| cclausen | can you point me to more details on what you mean? | 18:01:04 |
 @pngdeity:matrix.org | In reply to @jos44:matrix.org
hello, online jitsi meetings stopped? We don't always set up Jitsi for meetings, no. Typically if someone is planning on watching remotely, they will send a message to this chat, and the Jitsi meeting will get set up. | 18:03:37 |
| Jos | Redacted or Malformed Event | 18:04:17 |
| Jos | Redacted or Malformed Event | 18:05:25 |
| evidlo | cclausen: https://answers.uillinois.edu/illinois/page.php?id=74159 | 18:06:23 |
| evidlo | I applied, waited 6 weeks with a bit of back and forth, then got rejected and told to "just use the VPN". | 18:07:04 |
| cclausen | hmm... yeah, that I'm not much a fan of their VPN | 18:07:26 |
| evidlo | of course they don't scrutinize other vulnerable services nearly as much, like outdated Wordpress or something. and its possible to make sshd listen on other ports | 18:09:03 |
| evidlo | * of course they don't scrutinize other vulnerable services nearly as much, like outdated Wordpress or something. and its possible to make sshd listen on other ports so the whole thing is moot | 18:09:39 |
| cclausen | their Qualys scans should pick up outdated Wordpress | 18:11:35 |
| cclausen | yeah, was going to ask if you could just have SSH listen on 443 or 80 | 18:11:47 |
 Cosine | do they just block port 22 or use some sort of DPI to detect SSH activities? | 18:15:36 |
| fabu.io | ya :( | 18:28:07 |
| cclausen | technically SSH could be detected via Zeek/Bro that is run for campus network traffic | 19:15:28 |
| cclausen | not saying that they would use those logs to detect and then block, but they could. My guess is that the SSH block is just a port 22/tcp firewall block at the campus border | 19:16:10 |
