Personal computer hacked: How do I block this user from logging in again? How do I find out how they are logging in?
Wipe the hard drive and reinstall your operating system from scratch.
In any case of unauthorised access there is the possibility the attacker was able to get root privileges, so it is sensible to assume that it happened. In this case, auth.log appears to confirm this was indeed the case - unless this was you that switched user:
Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root
With root privileges in particular, they may have messed with the system in ways which are practically impossible to fix without a reinstall, such as by modifying boot scripts or installing new scripts and applications that run at boot, and so on. These could do things like run unauthorised network software (i.e. to form part of a botnet), or leave backdoors into your system. Trying to detect and repair this sort of thing without a reinstall is messy at best, and not guaranteed to rid you of everything.
It looks like someone opened a guest session on your laptop while you were away from your room. If I were you I'd ask around, that may be a friend.
The guest accounts you see in /etc/passwd and /etc/shadow are not suspicious to me; they are created by the system when someone opens a guest session.
Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root
This line means root has access to the guest account, which could be normal but should be investigated. I've tried on my ubuntu1404LTS and don't see this behaviour. You should try to log in with a guest session and grep your auth.log to see if this line appears every time a guest user logs in.
About all the open Chrome windows that you saw when you opened your laptop: is it possible that you were seeing the guest session desktop?
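One way to run the auth.log check suggested above, as an added example that is not part of the original answers: it lists every "Successful su for guest-* by root" event with its timestamp, so the times can be compared with guest sessions you opened yourself. The function names and the sample log are constructed for illustration; only the first sample line is taken from the question's log.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Lists "Successful su for guest-* by root" events in an auth.log-style file.

# guest_su_events FILE
# Prints one line per matching event: "<month> <day> <time> <guest-account>"
guest_su_events() {
    awk '
        # syslog layout: Mon DD HH:MM:SS host su[pid]: Successful su for USER by root
        ($5 == "su:" || index($5, "su[") == 1) &&
        $6 == "Successful" && $7 == "su" && $8 == "for" &&
        index($9, "guest-") == 1 && $10 == "by" && $11 == "root" {
            print $1, $2, $3, $9
        }
    ' "$1"
}

# guest_su_count FILE
# Prints the number of matching events.
guest_su_count() {
    guest_su_events "$1" | wc -l | tr -d ' '
}

# write_sample_log FILE
# Writes a constructed sample log; only the first line comes from the question.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 27 06:55:55 Rho su[23881]: Successful su for guest-g20zoo by root
Apr 27 06:55:55 Rho su[23881]: + ??? root:guest-g20zoo
Apr 27 07:10:02 Rho sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Apr 28 18:02:11 Rho su[4410]: Successful su for guest-ab12cd by root
Apr 28 18:30:00 Rho su[4502]: Successful su for alice by root
EOF
}

# Usage: sh guest_su.sh /var/log/auth.log   (reading auth.log may need sudo)
if [ -n "${1:-}" ]; then
    guest_su_events "$1"
fi
```

If a guest login you perform yourself produces the same line at the same moment, the entry is part of normal guest-session setup on that system; an entry at a time when nobody opened a guest session is the one to investigate.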
I just want to mention that "multiple browser tabs/windows open, Software Center open, files downloaded to desktop" is not very consistent with someone logging into your machine via SSH. An attacker logging in via SSH would get a text console which is completely separate from what you see on your desktop. They also wouldn't need to google "how to install git" from your desktop session because they'd be sitting in front of their own computer, right? Even if they wanted to install Git (why?), they wouldn't need to download an installer because Git is in the Ubuntu repositories; anyone who knows anything about Git or Ubuntu knows that. And why did they have to google how to customize the bash prompt?
I also suspect that "There was a tab... open in my browser. It reopened several times after I closed it" was actually multiple identical tabs open so you had to close them one by one.
What I'm trying to say here is that the pattern of activity resembles a "monkey with a typewriter".
You also did not mention you even had SSH server installed - it is not installed by default.
So, if you're absolutely sure nobody had physical access to your laptop without your knowledge, and your laptop has a touchscreen, and it doesn't suspend properly, and it spent some time in your backpack, then I think it all can be simply a case of "pocket calling" - random screen touches combined with search suggestions and auto-correction opened multiple windows and performed Google searches, clicking on random links and downloading random files.
As a personal anecdote - it happens from time to time with my smartphone in my pocket, including opening multiple apps, changing system settings, sending semi-coherent SMS messages and watching random YouTube videos.