Virus on Fedora? Actually logs from normal container operation

Hi everyone,

I stepped away from my PC with Silverblue for about 30 seconds, and when I returned, I noticed it was turned off (I was alone at home). I then ran this command and saw the following:

usuario@linux-mini:~$ journalctl -b1
Aug 25 15:28:37 linux-mini usermod[210817]: change user 'usuario' password
Aug 25 15:28:37 linux-mini usermod[210817]: change user 'usuario' shell from '/bin/sh' to '/bin/bash'
Aug 25 15:28:37 linux-mini usermod[210817]: add 'usuario' to group 'wheel'
Aug 25 15:28:37 linux-mini usermod[210817]: add 'usuario' to shadow group 'wheel'
Aug 25 15:28:37 linux-mini passwd[210838]: password for 'root' changed by 'root'

(There is nothing else in the output aside from that when using that command.)

Should I be concerned?

The only thing I did before leaving was run an official Nginx container.

Thanks!

You didn’t issue the commands shown in the journalctl output?

No, I didn’t. I just ran an Nginx container, that’s all.

I’ve executed this now and I see this:

sudo ls -l /etc/sudoers /etc/sudoers.d
-r--r-----. 1 root root 4375 2. Dez 11:02 /etc/sudoers

/etc/sudoers.d:
total 0

Block internet access for this device on your router just to be on the safe side.

Test whether your root password still works.

I turned off Wi-Fi and accessed root with the old password with no issues. Do you know if there is a way to test whether this was a false positive?

The date doesn’t match the journal log:

sudo ls -l /etc/passwd /etc/shadow
[sudo] password for usuario:
-rw-r--r--. 1 root root 85 8. Jul 20:11 /etc/passwd
----------. 1 root root 1227 8. Jul 20:11 /etc/shadow

I’ve discovered something very interesting. I dug deeper into the logs and noticed that this activity actually started on October 1. The August 25 date is incorrect; it’s actually December 3. The computer had been turned off for some reason, which caused the date to be reset. Take a look:

journalctl --all | grep "password for 'root' changed by 'root'"
Aug 25 15:28:37 linux-mini passwd[210838]: password for 'root' changed by 'root'
Okt 01 22:28:04 linux-mini passwd[26063]: password for 'root' changed by 'root'
Okt 03 09:05:54 linux-mini passwd[34921]: password for 'root' changed by 'root'
Okt 03 09:18:26 linux-mini passwd[4391]: password for 'root' changed by 'root'
Okt 06 23:28:19 linux-mini passwd[177857]: password for 'root' changed by 'root'
Okt 07 10:26:31 linux-mini passwd[10420]: password for 'root' changed by 'root'
Okt 07 20:15:12 linux-mini passwd[6554]: password for 'root' changed by 'root'
Okt 08 11:16:44 linux-mini passwd[33886]: password for 'root' changed by 'root'
Okt 13 11:19:21 linux-mini passwd[13994]: password for 'root' changed by 'root'
Okt 14 23:33:41 linux-mini passwd[82799]: password for 'root' changed by 'root'
Okt 19 11:20:25 linux-mini passwd[14302]: password for 'root' changed by 'root'
Okt 23 23:43:41 linux-mini passwd[38970]: password for 'root' changed by 'root'
Okt 24 18:52:44 linux-mini passwd[252670]: password for 'root' changed by 'root'
Okt 25 14:06:31 linux-mini passwd[77837]: password for 'root' changed by 'root'
Okt 27 00:43:41 linux-mini passwd[192378]: password for 'root' changed by 'root'
Okt 27 19:22:20 linux-mini passwd[74865]: password for 'root' changed by 'root'
Okt 28 08:31:54 linux-mini passwd[7996]: password for 'root' changed by 'root'
Nov 04 01:47:51 linux-mini passwd[272400]: password for 'root' changed by 'root'
Nov 04 09:58:55 linux-mini passwd[21021]: password for 'root' changed by 'root'
Nov 06 23:37:32 linux-mini passwd[51392]: password for 'root' changed by 'root'
Nov 12 17:16:19 linux-mini passwd[190826]: password for 'root' changed by 'root'
Nov 15 00:56:23 linux-mini passwd[14688]: password for 'root' changed by 'root'
Nov 28 15:20:55 linux-mini passwd[73398]: password for 'root' changed by 'root'
Nov 28 15:47:14 linux-mini passwd[83940]: password for 'root' changed by 'root'

I looked into old logs and noticed that this happened each time I used podman or toolbox:

Okt 01 22:27:30 linux-mini podman[25579]: image pull f24814e357182b805caee961ba2a56e577d0724f1e1dbbc4c2766577c1bbbdc4 registry.fedoraproject.org/fedora-to>
Okt 01 22:28:03 linux-mini podman[25666]: container create 7f9868cb6014613bbd32da74eb1e3755056428d966825514e478b9c21edc8480 (image=registry.fedoraproject>
Okt 01 22:28:04 linux-mini systemd[2408]: Started libpod-7f9868cb6014613bbd32da74eb1e3755056428d966825514e478b9c21edc8480.scope - libcrun container.
Okt 01 22:28:04 linux-mini fedora-toolbox-42[26004]: level=debug msg="Modifying user usuario with UID 1000:"
Okt 01 22:28:04 linux-mini usermod[26047]: change user 'usuario' password
Okt 01 22:28:04 linux-mini usermod[26047]: add 'usuario' to group 'wheel'
Okt 01 22:28:04 linux-mini usermod[26047]: add 'usuario' to shadow group 'wheel'
Okt 01 22:28:04 linux-mini passwd[26063]: password for 'root' changed by 'root'

I think those are log messages from the toolbox, not the host:

Okt 01 22:28:04 linux-mini fedora-toolbox-42[26004]: level=debug msg="Modifying user usuario with UID 1000:"

Here it says: fedora-toolbox

When you use toolbox enter (or create a container), the following happens:

  1. Container creation: Toolbox creates a container (a Linux environment inside your Linux host)

  2. User synchronization: To make the container useful, Toolbox must create a user inside that container that matches your user outside (on the host).

  3. Permissions: It runs usermod and passwd inside the container to give your internal user sudo (wheel) access and set the internal root password.

2 Likes

Hi Flo, I ran the journalctl command on the host. Is it still possible that the container's commands are logged on the host?

If that’s the case then we can mark this as solved :grinning_face:

Yes, container logs (toolbox, podman) are logged on the host system using the journald logging driver.

Your log snippet clearly has the container-id / runtime tag (toolbox-fedora-42).

Your logs look perfectly normal.

If you’re looking for the reason for or logs of the crash, try filtering your logs.

1 Like
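As an added example (not posted by anyone in this thread), here is a small shell helper that does the filtering Flo suggests: it reads journald short-format lines and reports whether each `password for 'root' changed by 'root'` entry is preceded, within a short window, by podman/toolbox container activity, which is exactly the toolbox sequence explained above. The sample journal lines are constructed to mimic the thread's output and are not real host data; the function names and the 120-second default window are my own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Correlates root-password-change journal
# entries with a preceding toolbox/podman container start so that container
# noise can be separated from changes that deserve a closer look.
# Assumes journald's default "short" output: "Mon DD HH:MM:SS host unit[pid]: message".

# Constructed sample lines modelled on the thread's output (not real host data).
# The first passwd entry follows a toolbox start; the second stands alone.
sample_journal() {
  cat <<'EOF'
Okt 01 22:27:30 linux-mini podman[25579]: image pull f24814e3 registry.fedoraproject.org/fedora-toolbox:42
Okt 01 22:28:03 linux-mini podman[25666]: container create 7f9868cb (image=registry.fedoraproject.org/fedora-toolbox:42)
Okt 01 22:28:04 linux-mini systemd[2408]: Started libpod-7f9868cb.scope - libcrun container.
Okt 01 22:28:04 linux-mini fedora-toolbox-42[26004]: level=debug msg="Modifying user usuario with UID 1000:"
Okt 01 22:28:04 linux-mini usermod[26047]: change user 'usuario' password
Okt 01 22:28:04 linux-mini usermod[26047]: add 'usuario' to group 'wheel'
Okt 01 22:28:04 linux-mini passwd[26063]: password for 'root' changed by 'root'
Okt 03 09:05:54 linux-mini passwd[34921]: password for 'root' changed by 'root'
EOF
}

# Reads journal lines on stdin. For every "password for 'root' changed" entry
# prints one line:
#   EXPLAINED   <timestamp> pid=<pid> container=<unit> started <n>s earlier
#   UNEXPLAINED <timestamp> pid=<pid>
# "Explained" means a podman/toolbox/libpod entry appeared at most $1 seconds
# before it (default 120). Month names are whatever locale journald prints;
# English and German abbreviations are handled. The short format carries no
# year, so gaps are computed on a year-less calendar and leap days are ignored.
classify_root_password_changes() {
  local window="${1:-120}"
  awk -v window="$window" '
  function month_num(m,   p) {
    p = index("JanFebMarAprMayJunJulAugSepOctNovDec", substr(m, 1, 3))
    if (p > 0 && p % 3 == 1) return (p + 2) / 3
    if (m == "Mär" || m == "Mrz") return 3
    if (m == "Mai") return 5
    if (m == "Okt") return 10
    if (m == "Dez") return 12
    return 0
  }
  # seconds since a year-less epoch; good enough for gaps between nearby lines
  function to_secs(mon, day, hms,   t) {
    split(hms, t, ":")
    return (cum[month_num(mon)] + day) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }
  BEGIN { split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ") }
  # container runtime activity: remember the most recent entry
  $5 ~ /^(podman|fedora-toolbox|toolbox)/ || /libpod-[0-9a-f]+\.scope/ {
    have_ctr = 1
    ctr_time = to_secs($1, $2, $3)
    ctr_unit = $5
    if (match($0, /libpod-[0-9a-f]+\.scope/)) ctr_unit = substr($0, RSTART, RLENGTH)
    sub(/\[.*$/, "", ctr_unit)
  }
  # root password change: explained only if container activity came just before it
  $5 ~ /^passwd\[/ && /password for .*root.* changed by .*root/ {
    now = to_secs($1, $2, $3)
    pid = $5
    gsub(/[^0-9]/, "", pid)
    if (have_ctr && now - ctr_time >= 0 && now - ctr_time <= window)
      printf "EXPLAINED %s %s %s pid=%s container=%s started %ds earlier\n", $1, $2, $3, pid, ctr_unit, now - ctr_time
    else
      printf "UNEXPLAINED %s %s %s pid=%s\n", $1, $2, $3, pid
  }
  '
}

# Stand-alone run on the constructed sample.
sample_journal | classify_root_password_changes
```

On a real host, feed it the journal directly with `journalctl -o short | classify_root_password_changes` (the short format is journald's default output). An UNEXPLAINED line is not proof of anything by itself; it only marks an entry that container activity does not account for, which is where the `ls -l /etc/shadow` modification-time check from earlier in the thread comes in.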

Thanks Flo. Unfortunately the logs only showed that information; the rest was not visible for some reason. I’m glad that it’s not a virus or something :classic_smiley: