New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
usb keyboard connected randomly to dedi (hetzner)
hello,
to our concern, on a server we manage, without us ever asking for support, a
random usb keyboard was connected to the dedicated server, after over 100+ day uptime. Is this normal? usb rubber ducky?lol
We just managed to find the below on our dmesg logs..
]# dmesg -T
[Sat Feb 26 04:13:30 2022] usb 1-4: new high-speed USB device number 2
using xhci_hcd
[Sat Feb 26 04:13:31 2022] usb 1-4: device descriptor read/64, error -71
[Sat Feb 26 04:13:31 2022] usb 1-4: New USB device found,
idVendor=1a40, idProduct=0101, bcdDevice= 1.11
[Sat Feb 26 04:13:31 2022] usb 1-4: New USB device strings: Mfr=0,
Product=1, SerialNumber=0
[Sat Feb 26 04:13:31 2022] usb 1-4: Product: USB 2.0 Hub
[Sat Feb 26 04:13:31 2022] hub 1-4:1.0: USB hub found
[Sat Feb 26 04:13:31 2022] hub 1-4:1.0: 4 ports detected
[Sat Feb 26 04:13:31 2022] usb 1-4.1: new low-speed USB device number
3 using xhci_hcd
[Sat Feb 26 04:13:31 2022] usb 1-4.1: New USB device found,
idVendor=046d, idProduct=c31c, bcdDevice=64.00
[Sat Feb 26 04:13:31 2022] usb 1-4.1: New USB device strings: Mfr=1,
Product=2, SerialNumber=0
[Sat Feb 26 04:13:31 2022] usb 1-4.1: Product: USB Keyboard
[Sat Feb 26 04:13:31 2022] usb 1-4.1: Manufacturer: Logitech
[Sat Feb 26 04:13:31 2022] input: Logitech USB Keyboard as
/devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4.1/1-4.1:1.0/input/input4
[Sat Feb 26 04:13:31 2022] hid-generic 0003:046D:C31C.0001:
input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on
usb-0000:00:14.0-4.1/input0
[Sat Feb 26 04:13:31 2022] input: Logitech USB Keyboard as
/devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4.1/1-4.1:1.1/input/input5
[Sat Feb 26 04:13:31 2022] hid-generic 0003:046D:C31C.0002:
input,hidraw1: USB HID v1.10 Device [Logitech USB Keyboard] on
usb-0000:00:14.0-4.1/input1
[Sat Feb 26 04:13:44 2022] usb 1-4: USB disconnect, device number 2
[Sat Feb 26 04:13:44 2022] usb 1-4.1: USB disconnect, device number 3
Comments
Maybe a honest mistake since the person notice it after 10 seconds that the server he suppose to work on that the mouse not responding?
Well if someone was trying to bruteforce your login credential from the DC via keyboard I guess you would see that in logs as well. Also they could have just staged an "incident" situation pull your disks and get the data they need .
So probably a mistake.
+1 to mistake. I can't imagine what you could do in such a short time frame that would be of any consequence.
Nuke it, they already have all your data
Hi there @Kkkkm - If you write to our support team via your Robot account, they can most likely tell you what happened here. --Katie