
freedesktop was installed without consent?

Discussion in 'System Administration' started by elargento, Jan 15, 2016.

  1. elargento

    elargento Member

    Hi Everybody

    I'm worried because cPanel told me freedesktop was installed on my VPS and I never installed it. Litespeed was installed a few days ago but I couldn't find any information linking freedesktop to LS. Can freedesktop be used as some kind of backdoor?


    Everything started in this way:
    1) Litespeed was installed on WHM. I started to get many emails saying there were many services down and they couldn't be restarted. This was causing the issue:
    Code:
    root@ns5 [/var/log]# tail -f messages
    Jan 14 14:51:44 ns5 dbus[2761]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
    Jan 14 14:52:09 ns5 dbus[2761]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
    Jan 14 14:52:20 ns5 nscd: 10966 monitored file `/etc/resolv.conf` was moved, removing watch
    Jan 14 14:52:20 ns5 nscd: 10966 monitored file `/etc/resolv.conf` was created, adding watch
    Jan 14 14:52:20 ns5 nscd: 10966 monitored file `/etc/resolv.conf` was written to
    Jan 14 14:52:34 ns5 dbus[2761]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
    The issue was gone after I restarted the VPS.
    2) I contacted cPanel support and asked them what's going on since the only extensions I have installed are Litespeed, CSF and CS Explorer. They replied the following:
    Code:
    This doesn't appear to be an issue related to cPanel, but rather freedesktop. Unfortunately the only threads with the error I have been able to find are a few years old:
    
    https://bugs.freedesktop.org/show_bug.cgi?id=50199
    
    What version of freedesktop do you have installed in this server? If it is older than 1.6.12 and 1.7.4 you would want to update to at least those versions. If you do not have it installed it is likely this is an error with the monitoring system in the server. Could you confirm that this is installed, and the version?
    3) I told them I've never installed freedesktop so they replied:
    Code:
    From the logs it appears this software is part of the dbus system. Looking over the log I am not seeing anything that would have caused this, but it appears to have started on the 10th. Were any changes made to the server around that time?
    Code:
    It appears that the message bus system is alerting you of the issue.
    
    I noticed that you removed sound-theme-freedesktop.noarch recently. Did this first occur after you removed that?
    
    It appears that someone may have installed freedesktop at one point.
    
    Does anyone have an idea what could happen? Is there any security bug which allows somebody to install freedesktop or to gain access to do it? BTW my VPS is on Linode and after the DDoS attacks and the password change request I'm starting to think my VPS was compromised.
    Has anyone experienced this before?
     
  2. Matt Williams

    Matt Williams WordPress Fanatic

    Sounds like you've been hacked. Did you change your root password and the port number after setting up your VPS? What kind of security do you have installed on it?
     
  3. elargento

    CSF and CSE. SSH default port was changed and the root password is very strong.
    Security was set by Mattw so I trust him but I can't understand how they could do this (if it was compromised)
    The sites running on the vps are vBulletin 4, XenForo and Wordpress. CSE hasn't detected any infected file.

    Did I miss anything?
     
  4. eva2000

    eva2000 Administrator Staff Member

    I'm surprised cPanel doesn't know what freedesktop is related to. From what I understand, it's a crucial part of CentOS 7 and systemd and dbus. Without it working properly you won't be able to restart services on CentOS 7 via systemd and systemctl commands, and much more that I don't entirely understand.
    Let's see the status of working messagebus and dbus services, and notice what the service name= references: yes, org.freedesktop.* :)
    Code:
    systemctl status dbus
    ● dbus.service - D-Bus System Message Bus
       Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
       Active: active (running) since Fri 2016-01-15 06:28:23 UTC; 26min ago
    Main PID: 624 (dbus-daemon)
       CGroup: /system.slice/dbus.service
               └─624 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
    
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Activating via systemd: service name='fi.w1.wpa_supplicant1' unit='wpa_supplicant.service'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Successfully activated service 'fi.w1.wpa_supplicant1'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Successfully activated service 'fi.w1.wpa_supplicant1'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    Code:
    systemctl status messagebus
    ● dbus.service - D-Bus System Message Bus
       Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
       Active: active (running) since Fri 2016-01-15 06:28:23 UTC; 24min ago
    Main PID: 624 (dbus-daemon)
       CGroup: /system.slice/dbus.service
               └─624 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
    
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Activating via systemd: service name='fi.w1.wpa_supplicant1' unit='wpa_supplicant.service'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Successfully activated service 'fi.w1.wpa_supplicant1'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Successfully activated service 'fi.w1.wpa_supplicant1'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
    Jan 15 06:28:24 centos7.localdomain dbus[624]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    Jan 15 06:28:24 centos7.localdomain dbus-daemon[624]: dbus[624]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
    What gets installed by dbus - includes dbus and dbus-daemon and messagebus services:
    Code:
    rpm -ql dbus
    /bin/dbus-cleanup-sockets
    /bin/dbus-daemon
    /bin/dbus-monitor
    /bin/dbus-send
    /bin/dbus-uuidgen
    /etc/dbus-1
    /etc/dbus-1/session.conf
    /etc/dbus-1/session.d
    /etc/dbus-1/system.conf
    /etc/dbus-1/system.d
    /lib/systemd/system/dbus.service
    /lib/systemd/system/dbus.socket
    /lib/systemd/system/dbus.target.wants/dbus.socket
    /lib/systemd/system/messagebus.service
    /lib/systemd/system/multi-user.target.wants/dbus.service
    /lib/systemd/system/sockets.target.wants/dbus.socket
    /lib64/dbus-1
    /lib64/dbus-1/dbus-daemon-launch-helper
    /usr/share/dbus-1
    /usr/share/dbus-1/interfaces
    /usr/share/dbus-1/services
    /usr/share/dbus-1/system-services
    /usr/share/doc/dbus-1.6.12
    /usr/share/doc/dbus-1.6.12/COPYING
    /usr/share/man/man1/dbus-cleanup-sockets.1.gz
    /usr/share/man/man1/dbus-daemon.1.gz
    /usr/share/man/man1/dbus-monitor.1.gz
    /usr/share/man/man1/dbus-send.1.gz
    /usr/share/man/man1/dbus-uuidgen.1.gz
    /var/lib/dbus
    /var/run/dbus
    Look up the dbus yum package install history and you can see it was installed in the very first yum history transaction, id = 1, which means it was installed at OS install time.
    Code:
    yum history package-list dbus
    Loaded plugins: fastestmirror, priorities
    ID     | Action(s)      | Package                                            
    -------------------------------------------------------------------------------
         2 | Updated        | dbus-1:1.6.12-8.el7.x86_64                         EE
         2 | Update         |      1:1.6.12-13.el7.x86_64                        EE
         1 | Dep-Install    | dbus-1:1.6.12-8.el7.x86_64   
    The summary of yum history id = 1 for me suggests it was part of the initial install when I set up this VirtualBox CentOS 7 guest OS test server.
    Code:
    yum history summary 1
    Loaded plugins: fastestmirror, priorities
    Login user                 | Time                | Action(s)        | Altered
    -------------------------------------------------------------------------------
    System <unset>             | Over a year ago     | Install          |      401
    history summary
    Code:
    yum history list 1
    Loaded plugins: fastestmirror, priorities
    ID     | Login user               | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
         1 | System <unset>           | 2014-07-08 03:28 | Install        |  401 
    No one hacked your system. Your problem probably was that dbus or dbus-daemon didn't restart for some reason, so a server reboot should fix it AFAIK.
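
Added example (not part of eva2000's post or of the original thread): a shell sketch of the same triage, counting which D-Bus bus names failed to activate in syslog lines and finding the yum transaction that first installed a package. The function names are hypothetical; the sample inputs are copied from the output quoted in this thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Sample data is copied
# from the log and yum output quoted in this thread.

sample_log() { cat <<'EOF'
Jan 14 14:51:44 ns5 dbus[2761]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 14 14:52:09 ns5 dbus[2761]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
Jan 14 14:52:20 ns5 nscd: 10966 monitored file `/etc/resolv.conf` was written to
Jan 14 14:52:34 ns5 dbus[2761]: [system] Failed to activate service 'org.freedesktop.systemd1': timed out
EOF
}

sample_history() { cat <<'EOF'
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
     2 | Updated        | dbus-1:1.6.12-8.el7.x86_64                         EE
     2 | Update         |      1:1.6.12-13.el7.x86_64                        EE
     1 | Dep-Install    | dbus-1:1.6.12-8.el7.x86_64
EOF
}

# Print "<bus name> <count>" for every D-Bus activation failure on stdin.
# These are bus names registered by services, not package names.
failed_bus_names() {
    sed -n "s/.*dbus\[[0-9]*\]: \[system\] Failed to activate service '\([^']*\)'.*/\1/p" |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Print "<id> <action>" for the lowest transaction ID whose action installs
# the package (Install, Dep-Install), read from `yum history package-list`.
first_install_txn() {
    awk -F'|' '
        $1 ~ /^[ ]*[0-9]+[ ]*$/ {
            id = $1 + 0; action = $2
            gsub(/^[ ]+|[ ]+$/, "", action)
            if (action ~ /Install/ && (min == "" || id < min)) { min = id; act = action }
        }
        END { if (min != "") print min, act; else exit 1 }'
}

# Classify provenance: transaction 1 is the OS install, as shown in the thread.
provenance() {
    txn=$(first_install_txn) || { echo "not-in-yum-history"; return 1; }
    case ${txn%% *} in
        1) echo "os-install (${txn#* })" ;;
        *) echo "added-later in transaction ${txn%% *} (${txn#* })" ;;
    esac
}

sample_log | failed_bus_names
sample_history | provenance
```

On a live CentOS 7 host, pipe `yum history package-list dbus` into `provenance`; `rpm -qf /bin/dbus-daemon` and `rpm -V dbus` then confirm which package owns the binary and whether its files still match the RPM database.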
     
  5. elargento

    I can't believe cPanel doesn't know that either. Thank you for your help eva2000!
    I'll make sure to let them know this
     
  6. eva2000

    Yeah, think of it like trying to change the channel (service restart) on a TV that is turned on already, using the remote, and the remote having dead batteries. Swapping the batteries (server reboot) is the only way :) Nothing wrong with the TV or remote :D