LinuxQuestions.org
Old 12-12-2007, 09:49 PM   #1
techwatcher
Member
 
Registered: Aug 2006
Distribution: MEPIS
Posts: 73

Rep: Reputation: 15
Help me shutdown localhost, please?


This will sound crazy, but PLEASE "work the problem" instead of assuming the problem doesn't exist (really, I am not crazy). I am running a 2001 IBM NetVista PC from which I have removed hard drive & floppy, with no USB storage device connected. (This PC is ONLY for surfing the Web. For now.) When I boot up, I have Ethernet cable unplugged from cable modem, but (not wireless!) router is plugged into PC. I boot the Mepis 6.5 CD in a read-only drive.

From before I boot up, I am hacked. (Don't fight me on this, please.) My BIOS settings are ignored/altered, and I cannot force runlevel=1, etc. The behavior of the PC (and its messages while booting) has changed from day to day, though I'm doing nothing differently... Anyway, when I come up, I log in as root (why not? there's nothing to be destroyed!) in a Konsole, using a root shell. (I open a few root shells, actually, since sometimes the hacker has apparently grabbed the keyboard, such that I can't type an "l" or particular numeral. Switching to the next tab solves that.)

Although I'm comparatively new to Linux, I have learned various ways to fight my way free, mostly, of this problem. (I shut down hald daemons and other processes I've learned to recognize, using kill [pid] based on netstat -lanap listings.) BUT, I cannot shut down localhost. First I rm /etc/samba/smb.conf and that (after I also stop smbd & nmbd) solves that, but removing rsyncd.conf doesn't get rid of localhost. I've read what I can find in the man pages, but don't have a full understanding of sockets, ports, etc. or binding and so on. What's the opposite of listening? How do I shut down localhost (which is apparently where these hackers are 'coming from,' as it were)?

Once I managed to shut down localhost, but either I don't know how I did it, or they circumvented my method the next time. I'm learning to hack as I go, and just need more help!

Right now, at a certain point I feel safe enough to plug in the cable modem and go online, but I have to switch back & forth constantly from browser to root shell/system log, to make sure I'm still safe. I really want to know how to SHUT DOWN localhost!
 
Old 12-12-2007, 10:30 PM   #2
bsdunix
Senior Member
 
Registered: May 2006
Distribution: Caldera, CTOS, Debian, FreeBSD, Mac OS X, Mandrake, Minix, OpenBSD, Slackware, SuSE
Posts: 1,757

Rep: Reputation: 79
I don't know what is happening on your computer, but all modern TCP/IP protocol enabled computers have LOCALHOST. IP address 127.0.0.1 is assigned to LOCALHOST and is a non-routable IP address; only the local machine will ever use that IP address. Check your /etc/hosts and you'll probably see 127.0.0.1 shown next to localhost.

http://en.wikipedia.org/wiki/Localhost

Maybe the data on the CD disk you're using is corrupted. Did you get the disk from a known good location? I would try to use another Linux live distribution disk and see if you have the same symptoms. While most of the file system on a live distribution disk is non-writeable, certain parts of the file system, such as /etc, are stored in a temporarily created RAM drive so system configurations can be made. Once the computer shuts down or reboots, the RAM drive disappears and thus any changes to /etc.

http://en.wikipedia.org/wiki/Live_CD

Are there other computers network wired to the router? I suspect your router is configured as a DHCP server so your computers will get assigned a local network IP address such as 192.168.x.x. If you have another computer on your network, that might be the cause of your problem and not LOCALHOST.

Could your problem be hardware related? Possibly, but I would try another live disk to see if the symptoms return.
 
Old 12-12-2007, 11:21 PM   #3
techwatcher
Member
 
Registered: Aug 2006
Distribution: MEPIS
Posts: 73

Original Poster
Rep: Reputation: 15
Thanks for letting me know localhost is normal... but I still want to shut it down. This is not a hardware problem...

No other PC is on any network I'm running (router has one cord in, one out). I do have a laptop, but that's not even plugged in; I have another 18-month-old machine which I used to use as my offline PC (was running Win XP) but they already destroyed that this summer; I removed its SATA hard drive -- and it's also unplugged. I don't believe there's anything wrong with my CD; I downloaded it myself this past summer, copied it to a USB device, and burned the ISO when the newer machine still worked (it had Nero software & CD-burner/DVD drive). I used this CD earlier to install to yet another PC's hard drive, which I intended to use as my online PC, but then that machine was hacked to bits.

Anyway, that's all irrelevant; I can HEAR the hackers up there. I keep killing NMBD and SMBD over and over, keep wiping out directories, and then see them restored in another place (read-only). These hackers are, as I said, altering my BIOS settings; and I even used to see 'flashing' onscreen as I was trying to alter settings via GUI-based utilities. (For example, I'll alter a Network Assistant setting, and it'll be reset before I can save it that way.)

Also, sometimes I will try to open an app (Firefox, or even just Patience), and they shut it down as it's opening! Again, if I type who, I see nothing, but if I type who -aH, I'll see 5 users (id's 1-5) on TTYs, then me (root) with a question mark after root. Here's a current copy:
LOGIN tty2 2007-12-12 21:13 9848 id=2
LOGIN tty3 2007-12-12 21:13 9849 id=3
LOGIN tty6 2007-12-12 21:13 9850 id=6
LOGIN tty4 2007-12-12 21:13 9857 id=4
LOGIN tty5 2007-12-12 21:13 9858 id=5
LOGIN tty1 2007-12-12 21:13 9865 id=1
LOGIN tty2 2007-12-12 21:13 9866 id=2
LOGIN tty3 2007-12-12 21:13 9867 id=3
LOGIN tty6 2007-12-12 21:14 9973 id=6
LOGIN tty4 2007-12-12 21:18 10251 id=4
LOGIN tty5 2007-12-12 21:18 10252 id=5
(and this continues for a long way -- fills the terminal screen, in fact). I have no doubt at all this is hackers; I can hear them arguing now. In fact, I managed to shut them out again tonight, but my syslog currently shows:

12/12/2007 08:34:40 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:41:21 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:27 PM localhost init Id "5" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:30 PM localhost init Id "4" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:32 PM localhost init Id "3" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:34 PM localhost init Id "2" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:37 PM localhost init Id "1" respawning too fast: disabled for 5 minutes
12/12/2007 08:48:02 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:48:02 PM localhost init no more processes left in this runlevel
12/12/2007 08:53:12 PM localhost init Id "4" respawning too fast: disabled for 5 minutes
12/12/2007 08:53:12 PM localhost init Id "5" respawning too fast: disabled for 5 minutes
12/12/2007 08:53:17 PM localhost init Id "1" respawning too fast: disabled for 5 minutes
12/12/2007 08:53:17 PM localhost init Id "2" respawning too fast: disabled for 5 minutes
etc...

You'll excuse me not explaining what I did to cause that, but obviously they are shut out just now. In fact, I can hear two of them discussing what to try next, while the third is (as usual) pacing. I am learning a bit about rsync, but I'd really love to shut down localhost. I don't want or need it, afaict. Firefox works without it, and that's all I want to use just now.
 
Old 12-12-2007, 11:25 PM   #4
techwatcher
Member
 
Registered: Aug 2006
Distribution: MEPIS
Posts: 73

Original Poster
Rep: Reputation: 15
I just tried what you suggested, and this is what I see as /etc/hosts (copied using view):

127.0.0.1 localhost.localdomain localhost mepis1 mepis1.example.dom

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Is this informative? Sorry to be so ignorant; it's hard to learn under these conditions.
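A small check of the file just posted, as an added example that is not from the thread: it parses the /etc/hosts text above and confirms that the loopback names (localhost, ip6-localhost and friends) resolve only to loopback addresses, which is exactly what a normal /etc/hosts should show.

```python
import ipaddress

# Constructed sample: the /etc/hosts contents pasted in the post above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost mepis1 mepis1.example.dom

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
"""

LOOPBACK_NAMES = ("localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback")


def parse_hosts(text):
    """Return {hostname: [addresses]} from /etc/hosts text, ignoring comments."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        addr, *hosts = line.split()
        for host in hosts:
            names.setdefault(host.lower(), []).append(addr)
    return names


def check_loopback(text):
    """List problems with the loopback names; an empty list means the file looks normal."""
    names = parse_hosts(text)
    problems = []
    if "127.0.0.1" not in names.get("localhost", []):
        problems.append("localhost does not map to 127.0.0.1")
    if "::1" not in names.get("ip6-localhost", []):
        problems.append("ip6-localhost does not map to ::1")
    # A loopback name pointing at a routable address would silently send
    # programs that talk to "themselves" to some other machine instead.
    for name in LOOPBACK_NAMES:
        for addr in names.get(name, []):
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    problems.append(f"{name} points at non-loopback address {addr}")
            except ValueError:
                problems.append(f"{name} has unparsable address {addr!r}")
    return problems


if __name__ == "__main__":
    print(check_loopback(SAMPLE_HOSTS) or "loopback entries look normal")
```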
 
Old 12-12-2007, 11:26 PM   #5
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
If you're really sure your machine has been compromised, you cannot trust it at all.

You should boot from a LiveCD and wipe the system completely, and re-install from known secure media.
 
Old 12-12-2007, 11:31 PM   #6
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
If you shut down localhost, your computer will not work. Localhost is what it sounds like, your local host, or the computer you are typing at. If someone is hacking you from localhost, it is you.

Most things that run in the background and allow you to use your computer are programmed to talk to and listen to localhost as well as other hosts if need be (it's easier to program a network stack than it is to program a network stack and a means to talk to your own system).

You NEED it for your system to work.

I would say you have a problem with your system, but localhost isn't it.

HTH

Forrest
 
Old 12-13-2007, 12:00 AM   #7
techwatcher
Member
 
Registered: Aug 2006
Distribution: MEPIS
Posts: 73

Original Poster
Rep: Reputation: 15
Okay, thanks, good to know that shutting down localhost isn't the solution.

Maybe I've already reached the (always temporary) solution, just knowing when they're currently unable to follow me online (for whatever reason). Earlier today I was okay when I first replugged Ethernet cable into the cable modem (having left the PC on overnight), but gradually they took control again. They got my machine to the point where its CD-ROM drive wouldn't stop running, and just trying to get a cursor into the root shell took many minutes... But of course when that happens I just pull the plug, literally. (The good thing about running from CD-ROM on a $70 used machine is one can always simply pull the plug, and will then usually be exactly where one started from.)

I'd still like to know how to shut them out from the beginning, or keep them out once I shut them out, if anyone has suggestions. Is there a way to boot the CD straight to a command line interface, and then later just invoke a GUI to use Firefox? Any documentation on that anywhere? Thanks.
 
Old 12-13-2007, 12:02 AM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040
That respawn is the root of your problem: http://www.unixguide.net/linux/faq/09.24.shtml
http://forums.vpslink.com/showthread.php?t=1473
 
Old 12-13-2007, 12:03 PM   #9
techwatcher
Member
 
Registered: Aug 2006
Distribution: MEPIS
Posts: 73

Original Poster
Rep: Reputation: 15
This is what my "original" (or their original) who -aH listing looks like:
NAME LINE TIME IDLE PID COMMENT EXIT
2007-12-13 11:44 1048 id=si term=0 exit=0
system boot 2007-12-13 11:44
run-level 5 2007-12-13 11:44 last=S
2007-12-13 11:44 2952 id=l5 term=0 exit=0
LOGIN tty1 2007-12-13 11:44 3573 id=1
LOGIN tty2 2007-12-13 11:44 3574 id=2
LOGIN tty3 2007-12-13 11:44 3575 id=3
LOGIN tty4 2007-12-13 11:44 3576 id=4
LOGIN tty5 2007-12-13 11:44 3577 id=5
LOGIN tty6 2007-12-13 11:44 3578 id=6
root ? :0 2007-12-13 11:44 ? 3594

Isn't that interesting? I'm only root, so they must be "LOGIN." I also saw some very interesting info earlier today... But couldn't save it before I had to restart, so I wrote it by hand (since I hadn't gotten online yet). I'll retype it here later, in hopes someone can interpret what they're doing and help me shut them down. (It was an early netstat -a listing.)

Thanks for spawn info; if I can be online long enough, I'll read it.
 
Old 12-13-2007, 12:21 PM   #10
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115
So there are 3 hackers "up there" who are dedicating all their time to ensuring the OP's computers get wiped out as soon as he starts them up.

These are machines behind a wired router, which is NOT connected to the internet when he starts. These machines have no writeable media on them (only RAM).

And yet, these machines are under the control of the three hackers before he can do anything at all with them...

Ohhhhh.....Kaaayyyy.
 
Old 12-13-2007, 12:24 PM   #11
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
When posting commands, or their output, please use [code] tags. This will aid readability because it preserves whitespace and uses a fixed width font. Compare your post to this:
Code:
NAME       LINE         TIME             IDLE          PID COMMENT  EXIT
           system boot  2007-12-13 11:23
           run-level 2  2007-12-13 11:23                   last=
LOGIN      tty4         2007-12-13 11:23              4152 id=4
LOGIN      tty5         2007-12-13 11:23              4153 id=5
LOGIN      tty2         2007-12-13 11:23              4157 id=2
LOGIN      tty3         2007-12-13 11:23              4158 id=3
LOGIN      tty6         2007-12-13 11:23              4160 id=6
The LOGIN lines are quite normal - this is the program which listens on the virtual consoles and prompts for user name and password and attaches an interactive shell to the VT if the authentication succeeds.
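As an added example that is not part of this thread, the following parses the who -aH listing from post #9 and the init messages from post #3: it separates the getty LOGIN placeholders from real sessions and matches each "respawning too fast" inittab id to the console whose getty init keeps restarting. The id=N field on the LOGIN lines is what ties the two outputs together.

```python
import re
from collections import Counter

# Constructed sample: the who -aH listing from post #9, whitespace normalised.
WHO_OUTPUT = """\
NAME LINE TIME IDLE PID COMMENT EXIT
2007-12-13 11:44 1048 id=si term=0 exit=0
system boot 2007-12-13 11:44
run-level 5 2007-12-13 11:44 last=S
2007-12-13 11:44 2952 id=l5 term=0 exit=0
LOGIN tty1 2007-12-13 11:44 3573 id=1
LOGIN tty2 2007-12-13 11:44 3574 id=2
LOGIN tty3 2007-12-13 11:44 3575 id=3
LOGIN tty4 2007-12-13 11:44 3576 id=4
LOGIN tty5 2007-12-13 11:44 3577 id=5
LOGIN tty6 2007-12-13 11:44 3578 id=6
root ? :0 2007-12-13 11:44 ? 3594
"""

# Constructed sample: four of the init messages quoted in post #3.
SYSLOG = """\
12/12/2007 08:46:27 PM localhost init Id "5" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:30 PM localhost init Id "4" respawning too fast: disabled for 5 minutes
12/12/2007 08:48:02 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:48:02 PM localhost init no more processes left in this runlevel
"""

RESPAWN = re.compile(r'init Id "(?P<id>[^"]+)" respawning too fast')

def classify_who(text):
    """Split `who -aH` output into getty prompts, logged-in sessions and init bookkeeping."""
    result = {"getty": [], "sessions": [], "bookkeeping": []}
    for line in text.splitlines()[1:]:           # first line is the header row
        f = line.split()
        if not f:
            continue
        if f[0] == "LOGIN":
            # A getty sitting on a virtual console, waiting for someone to log in.
            result["getty"].append(f[1])
        elif f[0] in ("system", "run-level") or f[0][0].isdigit():
            # Boot record, run-level change, or a finished init child (id=si, id=l5).
            result["bookkeeping"].append(line)
        else:
            # A real user session; "?" in LINE means the display column names it.
            result["sessions"].append((f[0], f[2] if f[1] == "?" else f[1]))
    return result

def respawn_storms(text):
    """Count 'respawning too fast' messages per inittab id."""
    hits = (RESPAWN.search(line) for line in text.splitlines())
    return Counter(m.group("id") for m in hits if m)

def getty_for_respawning_ids(who_text, syslog_text):
    """Map each respawning inittab id to the console its getty serves (id=N in who -a)."""
    id_to_tty = {}
    for f in (line.split() for line in who_text.splitlines()):
        if f and f[0] == "LOGIN":
            id_to_tty[next(t[3:] for t in f if t.startswith("id="))] = f[1]
    return {i: id_to_tty.get(i, "?") for i in respawn_storms(syslog_text)}
```

Run against these samples, the only real session is root on display :0; every LOGIN line is an idle getty, and ids 4, 5 and 6 in the syslog are the gettys on tty4, tty5 and tty6 being restarted by init.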
 
Old 12-13-2007, 12:27 PM   #12
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
Like I said before, if you are sure your machine is actually compromised, you cannot trust it - that includes the output of user lists, process lists, and directory listings. This is because the attacker might install a root kit - software which can hide the attacker's actions from other users on the system (i.e. you).

You may or may not be able to see what they are up to, but in either case you cannot trust the machine again until you have wiped it and re-installed from trusted media.
 
Old 12-13-2007, 12:57 PM   #13
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
matthewg42, this machine is a system booting off of a live CD with no hard drive. The only possible thing that could have happened is the live CD is corrupted, and this can easily be verified with a checksum and a new one downloaded. I seriously don't think there is any problem here other than a user that is seeing normal things they don't understand and jumping to conclusions.

Forrest
 
Old 12-13-2007, 01:01 PM   #14
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
Quote:
Originally Posted by forrestt View Post
matthewg42, this machine is a system booting off of a live cd with no harddrive. The only possible thing that could have happened is the live cd is corrupted, and this can easily be verified with a checksum and a new one downloaded. I seriously don't think there is any problem here other than a user that is seeing normal things they don't understand and jumping to conclusions.

Forrest
Doh, I see now. My bad. I too am skeptical of the hacker claim. The only realistic possibility is that the OP downloaded a CD from some questionable source, which contains some sort of malware. I've not heard of such a thing with live CDs, but I guess it's possible.
 
Old 12-14-2007, 04:34 AM   #15
techwatcher
Member
 
Registered: Aug 2006
Distribution: MEPIS
Posts: 73

Original Poster
Rep: Reputation: 15
Now, this is why I specifically asked you guys to ignore the rest & work the problem. A rogue FBI operation (violating civil rights left & right) is responsible, and the only reason they are still there at this point (having determined I'm innocent of the various charges against me originally!) is that I know they are doing this. Now, let's get back to the problem, please.

Originally I was rm'ing the /etc/samba/smb.conf file. Now I see that they have a file (up there? hidden on my machine?) replacing it... By making my syslogd show the Samba log, I see this (partial copy):
Code:
12/14/2007 04:13:39 AM	nmbd/nmbd.c	main	727	Netbios nameserver version 3.0.22 started. / Copyright Andrew Tridgell and the Samba Team 1992-2006
12/14/2007 04:13:39 AM	param/params.c	OpenConfFile	538	params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf": / 	No such file or directory
12/14/2007 04:13:39 AM	param/params.c	OpenConfFile	538	params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf": / 	No such file or directory
12/14/2007 04:13:40 AM	nmbd/nmbd.c	main	727	Netbios nameserver version 3.0.22 started. / Copyright Andrew Tridgell and the Samba Team 1992-2006
12/14/2007 04:13:40 AM	nmbd/nmbd.c	main	727	Netbios nameserver version 3.0.22 started. / Copyright Andrew Tridgell and the Samba Team 1992-2006
12/14/2007 04:13:40 AM	param/params.c	OpenConfFile	538	params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf": / 	No such file or directory
12/14/2007 04:13:40 AM	param/params.c	OpenConfFile	538	params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf": / 	No such file or directory
12/14/2007 04:13:41 AM	nmbd/nmbd.c	main	727	Netbios nameserver version 3.0.22 started. / Copyright Andrew Tridgell and the Samba Team 1992-2006
12/14/2007 04:13:41 AM	nmbd/nmbd.c	main	727	Netbios nameserver version 3.0.22 started. / Copyright Andrew Tridgell and the Samba Team 1992-2006
Can anyone tell me how to shut down Netbios NOW? Really, I do need help. Yes, it's quite incredible that hackers upstairs are doing this, but let's all pretend it's a novel or something, and please HELP. If you guys can't help me, who can?

The params lines are in response to my normal attempts to shut down nmbd (with nmbd st); the other lines are info (presumably) about how their netbios interface is still running. I'm not yet down with the syntax/commands for sockets and don't know how to do anything like un-bind-ing or un-listening... MEPIS is wonderful for people who want their networks to "just work," not so good for the rare occasions when one needs to make them NOT work!

Last edited by techwatcher; 12-14-2007 at 04:38 AM.
 