
I want to re-install Ubuntu from a bootable USB, but I believe somebody is trying to break into the computer every time I try to install, and I need help figuring out how to ensure I have a clean (integrity) install.

When I first boot from bootable USB, I quickly press the key that controls the WiFi (to turn it off), and once I am in the GUI environment, I open a terminal and:

[screenshot of terminal output]

Notice the "Wired connection 1: connection profile removed" followed by the red letters wlo1: disconnected

Then, when I look at syslog file:

I see over 100 entries like this:

    Feb  2 19:52:39 ubuntu kernel: [  363.763644] usb 2-14: new full-speed USB device number 13 using xhci_hcd
    Feb  2 19:52:39 ubuntu kernel: [  363.891630] usb 2-14: device descriptor read/64, error -71
    Feb  2 19:52:39 ubuntu kernel: [  364.131606] usb 2-14: device descriptor read/64, error -71

I am not adding any USBs since start up. I am using the bootable USB, another USB to save files, and a USB mouse.

Then, I also see many records of the firewall blocking inbound

    Feb  2 19:54:04 ubuntu kernel: [  448.478018] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=404972 PROTO=UDP SPT=8612 DPT=8612 LEN=24
    Feb  2 19:54:04 ubuntu kernel: [  448.478033] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=775837 PROTO=UDP SPT=8612 DPT=8610 LEN=24
    Feb  2 19:54:04 ubuntu kernel: [  448.488300] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=404972 PROTO=UDP SPT=8612 DPT=8612 LEN=24
    Feb  2 19:54:04 ubuntu kernel: [  448.488321] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=775837 PROTO=UDP SPT=8612 DPT=8610 LEN=24

After the "new full-speed USB device number 125 using xhci_hcd", it reset to device 6:

    Feb  2 20:34:53 ubuntu kernel: [ 2897.317801] usb 2-14: new full-speed USB device number 6 using xhci_hcd

And it goes on...

    Feb  2 20:39:34 ubuntu kernel: [ 3178.651673] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=404972 PROTO=UDP SPT=8612 DPT=8612 LEN=24
    Feb  2 20:39:34 ubuntu kernel: [ 3178.910894] usb 2-14: new full-speed USB device number 38 using xhci_hcd
    Feb  2 20:39:34 ubuntu kernel: [ 3179.060348] usb 2-14: New USB device found, idVendor=138a, idProduct=0050, bcdDevice= 0.60
    Feb  2 20:39:34 ubuntu kernel: [ 3179.060351] usb 2-14: New USB device strings: Mfr=0, Product=0, SerialNumber=1
    Feb  2 20:39:34 ubuntu kernel: [ 3179.060353] usb 2-14: SerialNumber: 20100020d28d
    Feb  2 20:39:34 ubuntu mtp-probe: checking bus 2, device 38: "/sys/devices/pci0000:00/0000:00:14.0/usb2/2-14"
    Feb  2 20:39:34 ubuntu mtp-probe: bus: 2, device: 38 was not an MTP device
    Feb  2 20:39:34 ubuntu upowerd[1945]: unhandled action 'bind' on /sys/devices/pci0000:00/0000:00:14.0/usb2/2-14

UPDATE

Also, I am unable to activate a VPN connection. So I checked the NetworkManager status, and I got:

[screenshot of the NetworkManager status output]

Then I reset the NetworkManager and I get:

    ● NetworkManager.service - Network Manager
       Loaded: loaded (/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2020-02-02 22:10:58 UTC; 15s ago
         Docs: man:NetworkManager(8)
     Main PID: 12119 (NetworkManager)
        Tasks: 5 (limit: 4915)
       CGroup: /system.slice/NetworkManager.service
               ├─12119 /usr/sbin/NetworkManager --no-daemon
               └─12132 /sbin/dhclient -d -q -sf /usr/lib/NetworkManager/nm-dhcp-helper -pf /run/dhclient-wlo1.pid -lf /var/lib/NetworkManager/dhclient-c85ad9a3-ae0f-44c6-84ce-bef43cb1af4a-wlo1.lease -cf /var/

    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4284] error requesting auth for org.freedesktop.NetworkManager.enable-disable-wwan: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4288] error requesting auth for org.freedesktop.NetworkManager.enable-disable-wimax: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4293] error requesting auth for org.freedesktop.NetworkManager.network-control: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4297] error requesting auth for org.freedesktop.NetworkManager.wifi.share.protected: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4302] error requesting auth for org.freedesktop.NetworkManager.wifi.share.open: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4307] error requesting auth for org.freedesktop.NetworkManager.settings.modify.system: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4311] error requesting auth for org.freedesktop.NetworkManager.settings.modify.own: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4315] error requesting auth for org.freedesktop.NetworkManager.settings.modify.hostname: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4319] error requesting auth for org.freedesktop.NetworkManager.settings.modify.global-dns: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4323] error requesting auth for org.freedesktop.NetworkManager.reload: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4327] error requesting auth for org.freedesktop.NetworkManager.checkpoint-rollback: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4331] error requesting auth for org.freedesktop.NetworkManager.enable-disable-statistics: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:03 ubuntu NetworkManager[12119]: <warn>  [1580681463.4336] error requesting auth for org.freedesktop.NetworkManager.enable-disable-connectivity-check: Authorization check failed: Failed to open file “/proc/12196/status”: No such file or directory
    Feb  2 22:11:04 ubuntu NetworkManager[12119]: <info>  [1580681464.7412] manager: startup complete
    Feb  2 22:11:12 ubuntu NetworkManager[12119]: <info>  [1580681472.3892] manager: NetworkManager state is now CONNECTED_GLOBAL

Is there a way for me to create a bootable USB to install Ubuntu with ufw enabled and networking disabled by default?

  • Why do you need UFW active if there is no networking? Ports 8610/8612 are typically used by Canon Printer software -- is there one nearby? Either way, neither the installer nor your installed Ubuntu system listen on those ports, so that's harmless -- let whatever it is broadcast all it likes. – user535733 Feb 02 '20 at 21:38
  • "but I believe somebody is trying to break into the computer every time I try to install," Impossible. There is nothing to break in to. – Rinzwind Feb 03 '20 at 00:02
  • @Rinzwind Is it possible to put files in the drive before I install? – IberoMedia Feb 03 '20 at 04:11
  • No. Not possible. There is NO internet during installation unless you set it up and even then it is NOT possible to connect to your system from the outside. That would require a server with an exploit active and require the attacker to already install software on your installation media. That is not how the internet works – Rinzwind Feb 03 '20 at 08:25

2 Answers


When I first boot from bootable USB, I quickly press the key that controls the WiFi

Why? You never provided a password to set the wifi up so there is no way someone is capable of abusing your wifi. That is not how connecting to the internet works.

Notice the "Wired connection 1: connection profile removed" followed by the red letters wlo1: disconnected

That is normal when killing wifi.

Then, I also see many records of the firewall blocking inbound

    Feb  2 19:54:04 ubuntu kernel: [  448.478018] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=404972 PROTO=UDP SPT=8612 DPT=8612 LEN=24

Mind the UDP and the port. That is a printer trying to connect. Specifically a Canon printer. Regardless: that is not an attacker.

Is there a way for me to create a bootable USB to install Ubuntu with ufw enabled

No. There is no need. NOTHING that tries to connect to your system during a live session is able to do anything to your system. The USB you use is in read-only mode anyways. There is no network set up and there are no servers active that someone can abuse.

Is there a way for me to create a bootable USB to install Ubuntu with networking disabled by default?

No. Mind that networking is inactive as it needs to be set up before it works.

What you claim is impossible. That is not how the internet works.

To sum up:

  1. the USB installer is read only so cannot be written to.
  2. everything is done IN MEMORY and not from a disk so impossible for an attacker to get to.
  3. an attacker requires a bug in a server to be able to connect to you and alter software to be able to abuse that server. There are no such servers active during installation AND again: that server would be active IN MEMORY and not loaded from a disk. Even then: the USB is read only so nothing to write to.
  4. during installation the WIFI needs to be set up to fetch newer software from the Canonical servers or a mirror. That is one way traffic FROM your system.
  5. anything that polls your system during an installation is something inside your network. Like a printer, a phone, a NAS, a router that believes the old system is up and running where they are polling for a connection so you can use that device.

There is nothing out of the ordinary in what you post.

To check the validity of a Live session USB see Can an integrity check be run against a USB boot disk? That can be used to check if what is written to the USB was as expected from the ISO. So any incorrect writes to the USB can be found and warned about. That is basically a check if the USB is created correctly and indirectly a check if someone tampered with the ISO you downloaded. There is nothing more for us to do in regards to the safety of the ISO and the USB stick.

Rinzwind
  • 299,756
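One way to check the reasoning in this answer mechanically, as an added example that is not code from the answer or from Ubuntu: a Python triage of the [UFW BLOCK] lines quoted in the question, scoring each blocked packet on the properties the answer relies on (link-local source, multicast destination, hop limit 1, the Canon BJNP ports). The function names, the verdict strings and the sample log (copied from the question) are my own choices.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Sample taken from the question's syslog excerpt: two blocked packets and one unrelated usb line.
SAMPLE_SYSLOG = """\
Feb  2 19:54:04 ubuntu kernel: [  448.478018] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=404972 PROTO=UDP SPT=8612 DPT=8612 LEN=24
Feb  2 19:54:04 ubuntu kernel: [  448.478033] [UFW BLOCK] IN=wlo1 OUT= MAC= SRC=fe80:0000:0000:0000:363e:8d79:6cad:2c9d DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=775837 PROTO=UDP SPT=8612 DPT=8610 LEN=24
Feb  2 19:52:39 ubuntu kernel: [  363.891630] usb 2-14: device descriptor read/64, error -71
"""

# UDP ports the answer attributes to Canon printer discovery (BJNP).
CANON_BJNP_PORTS = {8610, 8612}

def parse_ufw_block(line: str) -> Optional[Dict[str, str]]:
    """Turn one '[UFW BLOCK] K=V K=V ...' kernel line into a dict; None for non-UFW lines."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(re.findall(r"(\w+)=(\S*)", line.split("[UFW BLOCK]", 1)[1]))

def classify(fields: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a blocked packet could have come from outside the local network segment."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    reasons: List[str] = []
    if src.is_link_local:
        reasons.append("source is link-local (fe80::/10), valid only on the same L2 segment")
    if dst.is_multicast:
        reasons.append("destination is multicast (ff02::1 = all nodes), a broadcast, not a targeted connection")
    if fields.get("HOPLIMIT") == "1":
        reasons.append("hop limit 1, so the packet cannot have crossed a router")
    if fields.get("PROTO") == "UDP" and int(fields.get("DPT") or 0) in CANON_BJNP_PORTS:
        reasons.append("UDP 8610/8612 is Canon printer discovery (BJNP)")
    local_only = src.is_link_local or dst.is_multicast or fields.get("HOPLIMIT") == "1"
    return {"iface": fields.get("IN"), "src": str(src), "dst": str(dst),
            "proto": fields.get("PROTO"), "dport": fields.get("DPT"),
            "verdict": "local-segment noise" if local_only else "review", "reasons": reasons}

def triage(log_text: str) -> List[Dict[str, object]]:
    """Classify every [UFW BLOCK] line in a syslog excerpt; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields:
            results.append(classify(fields))
    return results
```

Run `triage(open("/var/log/syslog").read())` on the real file to get the same verdict per blocked packet; anything that comes back as "review" is a globally routable source and worth a closer look.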

To ensure that your install is not compromised, always check the checksum of the downloaded ISO and make sure to use an untampered computer to create the USB stick.

There is a way to do what you ask for. You are not the only one who would like to install modified ISOs.

See here for example.

s1mmel
  • 2,024
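Added example (not code from either answer or from Ubuntu) for the two checks both answers point to: the ISO's SHA-256 against the vendor's SHA256SUMS entry, and the written stick against the ISO, hashing only the first ISO-length bytes of the device because a block device reports no size of its own. The fixture function builds constructed files in a temp directory; names such as verify_install_media are my own.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

def sha256_of(path: Path, limit: Optional[int] = None, chunk: int = 1 << 20) -> str:
    """Hash a whole file, or only its first `limit` bytes (block devices report st_size 0, so a limit is needed)."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            data = f.read(chunk if remaining is None else min(chunk, remaining))
            if not data:
                break
            h.update(data)
            if remaining is not None:
                remaining -= len(data)
    return h.hexdigest()

def expected_digest(sums_file: Path, iso_name: str) -> Optional[str]:
    """Find the ISO's entry in a SHA256SUMS file (lines look like '<hex> *<name>' or '<hex>  <name>')."""
    for line in Path(sums_file).read_text().splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == iso_name:
            return parts[0].lower()
    return None

def verify_install_media(iso: Path, sums_file: Path, device: Path) -> dict:
    """(1) ISO digest matches SHA256SUMS; (2) the stick's first len(ISO) bytes equal the ISO.
    Authenticate SHA256SUMS first (gpg --verify SHA256SUMS.gpg SHA256SUMS); reading /dev/sdX needs root."""
    iso, device = Path(iso), Path(device)
    actual = sha256_of(iso)
    # An image-mode write (dd or similar) copies the ISO byte for byte; whatever follows on the stick is don't-care.
    written = sha256_of(device, limit=iso.stat().st_size)
    return {"iso_matches_sums": expected_digest(sums_file, iso.name) == actual,
            "device_matches_iso": written == actual}

def make_demo_media(tamper: bool = False) -> tuple:
    """Constructed fixtures (not real Ubuntu files): fake ISO, matching SHA256SUMS, stick image = ISO + padding."""
    d = Path(tempfile.mkdtemp())
    iso = d / "ubuntu-demo.iso"
    iso.write_bytes(b"FAKE-ISO-CONTENT" * 4096)
    (d / "SHA256SUMS").write_text(f"{sha256_of(iso)} *{iso.name}\n")
    image = iso.read_bytes() + b"\0" * 1024
    if tamper:
        image = b"X" + image[1:]  # one changed byte, as a bad write or a modified stick would show
    (d / "stick.img").write_bytes(image)
    return iso, d / "SHA256SUMS", d / "stick.img"
```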