Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Distribution: Caldera, CTOS, Debian, FreeBSD, Mac OS X, Mandrake, Minix, OpenBSD, Slackware, SuSE
Unable to open configuration file "/etc/samba/smb.conf": No such file or directory
You deleted the samba configuration file without also stopping the samba service from starting. The service that is active in RAM is looking for it's configuration file and is complaining, that is normal error message. Once you stop the service, the complaining it can't find it's configuration file will stop.
and [smbd st] but I now get that error msg about missing smb.conf file in response to MY issuing those commands. (Used to be, after rm'ing the /etc/samba/smb.conf file it would stop the services when I ordered it to.) I assume
service nmbd stop
is equivalent to my
Just now they are stymied: I changed root psswd, and stopped/killed all the usual suspects listed in netstat -lanap (plus rmdir'ed a few other directories and rm'ed a few other files, and a couple other commands ). I know they're stuck when I see things like this (in this case, in Authentication file):
12/16/2007 11:59:44 AM localhost none last message repeated 2 times
12/16/2007 11:59:34 AM localhost none last message repeated 6 times
Anyway, I'm online again, for now. They are not gone, but at least in between checking the konsole (netstat -lanap) I can browse.
Eventually, based on past experience, they will somehow get hold of something (I don't even know what), some hook into my machine. Then my CD-ROM drive will start up, and I won't be able to do anything about it (until I literally pull the plug). The system will respond verrry slooooooowly to anything I try to do (even switch from browser to konsole). It's starting to happen already, actually: CD-ROM just turned on again. Oh, well, at least it only takes me about 30-45 minutes of hacking to get online initially these days, and I can at least check e-mail before I get shut down again!
Last edited by techwatcher; 12-16-2007 at 12:38 PM.
12/16/2007 01:27:05 PM localhost /USR/SBIN/CRON (clamav) CMD ([ -x /usr/bin/freshclam ] && /usr/bin/freshclam >/dev/null)
12/16/2007 01:27:05 PM localhost /USR/SBIN/CRON (clamav) MAIL (mailed 38 bytes of output but got status 0x0001 )
This is what I often see in SYSLOGD when they are trying to work out what to do next. I can't get access to /usr/sbin/ (it's "read-only"), since apparently I'm not the user. They can't get the mail, though, because I killed that directory.
I also rmdir the /etc/cron.hourly (after rm'ing .placeholder file), because they used to use that to get some info; don't know what. So now they use the /usr/sbin or /usr/bin files instead. *sigh*
I've read this thread carefully, and with all due respect, I too reside with those that state there is no problem except you not understanding what's regular system activity and jumping to conclusions. ClamAV update and e-mail log entries are no signs of "cracking".
Well, let me put it this way: My first programming course was in 1969 (FORTRAN). My GRE scores were 790 (verbal), and 780 (math). My professional experience, before I was physically (NOT mentally!) disabled, was about 20 years as a professional "consulting documentation specialist" working in Manhattan, mostly at headquarters for various banks & brokerages. No-one in IT (DP, MIS, etc.) ever wants to waste time talking to a documenter, so I am used to finding my way around a new system by myself. But in this case, I have limited access to documentation (I have nothing printed, and I can't store anything even if I find stuff online and download).
I'm not stupid, not ignorant, just new to Linux (MEPIS). If there's one thing I know how to do, it's work in an unfamiliar system (OS) or program (app). So here's the fact I can't get around: This system, running each and every time from CD-ROM, with no hard drive, and no physical connection, and on a system supposedly without wireless capability, runs differently just about every time I boot up. Now, how can that be? Hmmm...
The first time I realized I was being hacked, it was because various windows were closing up -- becoming just title bars if I moved the cursor off them. After a day or two, I discovered I could move my cursor over the title bar to invoke the menu, then press S to resize it (using arrow keys). Oddly enough, after I discovered how to do that, the strange "minimize-to-title-bar" behavior of all apps suddenly ceased (mostly, anyway; just the other day it recurred once... they must have been desperate).
The altered system behavior includes BIOS changes. Initially, I was able to specify certain BIOS options, now if I try to alter anything I see screen 'flashes.' My existing BIOS options are altered as the PC boots up. When my system comes up now, it ALWAYS begins (after the first logo screen) with "keyboard security lock,
keyboard security unlock."
I do NOT have that lock specified in BIOS. It didn't used to do that the first few weeks...
After the first several lines of Mepis the booting report (just after a line like "entering saved state of the serial devices"), I always see a line that says something like
** INIT RUNLEVEL 5
This happened even when I tried, for a few days, booting with option runlevel=1.
In addition, when I first started trying to work with this minimal system (when I had high-speed cable modem service reinstalled October 25), I would open the konsole and work with an ordinary shell -- and the konsole would suddenly shut down! One day I discovered how to open konsole with a "root shell" instead, which solved that problem.
Other odd behavior I noticed early on included: sometimes I would attempt (with just konsole & syslog open) to open an app (even just the Patience card game)... it would start to open (I'd see it on the menu at bottom with the hour-glass), then just disappear. It is not possible the system was out of memory, since during other sessions I've had multiple instances of Firefox open, plus other utilities or programs, and then opened Patience! Sometimes I would try to open 2-3 copies of Firefox & see this disappearing act on each instance, sequentially. Recently, now that I've learned to hack better, I don't try to open Firefox (or another app) until after I have them stymied upstairs. Then this behavior, too, disappeared. (Actually, about a week ago I opened Firefox early, before I started to hack on the konsole, and by the time I was ready to plug in and go online, I noticed they had somehow shut down Firefox. That's when I realized I needed to shut them down first, before opening the browser!)
Also, before I learned to hack a little, sometimes they would shut down the machine on me: I'd be typing in the browser, or playing Patience, and the drive would whir -- then the disk would eject itself. You can't tell me that's normal behavior! (Once, around the end of October, I was playing chess online in a Java virtual machine when this happened. But since I was inside the Java app, I was able to just keep on playing. Weird!)
Anyway, this aspect of the discussion is all academic, because I can actually hear them speaking (though these days I can't make out many words). As I said, they apparently have to be quite close (in the next apartment, or upstairs) in order to work this trick. The other day they had a visitor, and I guess they told her that although I had been online, I appeared to be visiting artist sites; a woman's voice I didn't recognize told them I had visited the ACLU site that morning (you bet I had!).
The only clues I have as to how they're doing it:
 Whatever their process is, it's slow. At the beginning of each session, I always kill the PID's of a couple hal daemons (& the processes that start more hal daemons), and they seldom try to restart them again. (I can type the kill #### command faster than they can restart their daemons, I guess.) This is hal, not hald, btw. I see processes labeled things like 'hal runner' and 'hal add-on' as well as 'hal-daemon,' and just kill them all. I also kill any su process I see (usually later) -- I'm root, after all, not running as su! I also kill any process that shows up without any description whatsoever.
 Although I'm pretty sure they're working off a Win machine(s?), they apparently have to work through my own PC's directory structure. When I got online a few days ago, and left the PC on overnight (just disconnecting Ethernet cable), they worked all night (apparently, while I slept) to recreate some of the directory structures I'd wiped out (in /etc) in their own dir (usr/bin or usr/sbin, I forget now).
My theory (which is pure sci-fi, really, since I'm not a physicist) is that they have some sort of very high-frequency generator of (very small) radio waves, targeting port(s) (keyboard port, game port?) with strings of 1's & 0's. It would be like tapping out Morse code on a telegraph line (which explains why it's slow). I don't know why they access my CD-ROM drive sometimes, either; apparently once I kill a directory, they can't reinstall it in the same place: The first few days I rm'ed smb.conf in /etc/samba, I heard the woman hacker up there say I'd removed it, but now, even though I remove it routinely, nmbd (netbios?) still appears in the process column of the Syslog and my attempts to stop it fail.
As I said, the system behaves differently on different days. Originally, they weren't able to work with BIOS structures, but now they have learned to do that. (I can turn off options, but they don't stay off -- disable serial or game ports at the BIOS level, but they get used anyway.) Today they are again playing with my video output; my screen (LCD, old Viewsonic) has a distinctly yellow cast, and as I was watching the bootup sequence, I could see it being altered. (I've used the Viewsonic's built-in front-panel controls to compensate somewhat for the color, btw; the panel itself still has accurate white & primary colors, so it's not the monitor -- the color cast only occurs on apps.)
One more thing: at an earlier stage of these attacks, I would be unable to get the root@1 konsole shell. I'd start opening root shells and MY root shell #1 would be root@4, root shell #2 would be root@5, etc. When this happened, I would reboot.
I've never worked on any computer system where the exact same input produced such different results each time. LOL
Let's split this into two problems. First, you have odd behavior. Second, you believe you are being spied on.
I believe that your symptoms are a result of hardware failure (some if it is normal behavior). Problems that may be easiest to diagnose include CD-ROM disc, CD-ROM drive, Memory, and motherboard.
Make sure you have the latest version and that it is intact. You should be able to find instructions online to verify the md5sum of your disk, even while you're booted off of it, using "isoinfo", "dd" and "md5sum". I believe I've posted this on a linuxquestions.org thread before.
If the "isoinfo"/"dd"/"md5sum" test does not return the correct checksum, but the disk is fine (on another system) then it is probably the drive.
Run memtest86 or memtest86+. On most livecd's, you can simply type "memtest" at the "boot: " prompt. I don't know if Mepis has it nor not. Memtest is not linux. It is its own superminimal OS that cannot be hacked. If it gives error or weird behavior, you definitely have a hardware problem. If memtest doesn't exist on the mepis disk, then you can either try booting off a knoppix disk, or you can create a memtest disk using the images found at memtest.org.
Crack open the case, and look at the capacitors. Do not touch anything unless you know how to prevent ESD. The capacitors are the cylindrical components. Are any of them bulged at the top, or leaking? You may want to check the voltage of the CMOS battery. This is a large button battery responsibly for keeping the time and BIOS Settings.
Now, as for being hacked, I don't believe you. There, I've said it. Now I will assume for the sake of argument that you are being hacked. It is possible, but very unlikely, that your router is compromised. If there is no network (or wireless) connection to the outside world, then something on your desk must be compromised. Either the CD, The computer, the router, something. Your theory about "them" connecting wirelessly to the game port (etc) sounds like psycotic paranoia. Technology DOES exist to read a monitor through a wall, but I've never heard a sane person describing a way to manipulate a computer remotely (except through real access ports, IrDA, bluetooth, 802.11, ethernet, etc).
If your web browsing is truly being observed from nearby, then there is a much more likely explanation. You are using cable. To my understanding, all local cable customers share the same line. If someone nearby has a hacked cable modem, they could listen to all your internet traffic without any attempt to hack your local machine whatsoever. If that were the case, then they would be reading this thread along with you right now. They will have seen everything that you've done online, read all the emails that you have, and so forth.
In closing, you are hyper paranoid at the very least. You are attributing normal behavior, and what are likly hardware problems, to being spied upon. You are going out of your way to justify these assertions. You feel a need to assert your sanity and mental capacity. I don't like to say this, but I'd suggest you talk to a medical councilor. I'm serious. And if there really is a rogue FBI operation in progress, they may be able to help you out smart them and assert your rights.
Elliot, I assume that's what they're doing. I don't understand what they're doing, or what their constraints are. I only know that even now, 6-7 weeks after I became aware of what they are doing and started experimenting with what to kill (pid, files to rm where I can, directories to rmdir where I can), I can only stay on for (usually) a short while.
They can't really update my system, since I have no HD; no storage. Maybe they are using routines in the apt-get as a faster way to install parts of the system which I've deleted? Whatever method they are using, it must be quite slow.
Btw, back in late October, I used to connect a small USB flash memory device for storage, but when I saw messages about files being deleted (not files I was even using at the time!), I stopped plugging it in. I had some documentation about this problem, and previous PC problems I had this past summer, so I didn't want them deleted.
These past few days, when I boot up, I've noticed that rsyncd.conf file no longer exists. (I try to remove it, and it's not there.) I suspect that's because they think I might learn enough to use rsync myself.
Technology DOES exist to read a monitor through a wall,
Yes, I've read Cryptonomicron too, so I knew this. But because it's an LCD monitor (fairly low wattage), it should not be generating the same level of radiation, right? Should be much harder to read. Anyway, they're not simply reading what I'm writing; the problem is my PC is affected somehow during the bootup sequence, as well as afterwards.
They will have seen everything that you've done online, read all the emails that you have, and so forth.
That's right. The woman (visitor) who told them I'd been to the ACLU site that morning was informing these hackers of something they did not know (since I had once again made my machine... not exactly secure, but temporarily free of their control, anyway).
As to the machine, this is one of the most pleasant and accessible machines I've ever owned. The cover opens easily (not even requiring a screwdriver), and everything is visible. (It's not a tower.) No bulging components, nothing looks strange. As it happens, I had looked at the components earlier, because another expert with whom I'd spoken with over the phone informed me that before the Iraq invasion, the PCs there had been compromised with embedded radio transmitters. He thought that was a likelier explanation. (I didn't think so, since I purchased this PC from a Goodwill outlet, but I looked anyway.)
I've removed the battery a few times, to be sure I've reset the BIOS before restoring it to factory defaults. (Then I change the startup sequence, since there's no HD.) There is nothing wrong with the MEPIS disk, since I used it earlier this year to install to the HD of another PC without incident. Later (weeks after I started using it) that PC was destroyed, but I don't believe that was because of any defect in the disk.
It's fine that you don't believe I'm being hacked, gd2shoe. No hacker (as far as I can ascertain via Web searches) is aware that this is possible. This is not the first board on which I've tried to warn hackers and others that this technology (whatever it is) exists, and I can hardly expect many people to believe me. I only hope that at least one other person, reading this and believing it CAN be done, figures it out -- and lets everyone else know. It's much easier to work out how something can be done if you know it can be done.
More from my 'Authentication Log'
12/17/2007 12:27:37 AM localhost none last message repeated 7 times
12/17/2007 12:27:02 AM localhost sudo root : TTY=unknown ; PWD=/ramdisk/root ; USER=root ; COMMAND=/usr/bin/apt-get -s upgrade
12/17/2007 12:27:01 AM localhost CRON (pam_unix) session opened for user clamav by (uid=0)
12/17/2007 12:27:01 AM localhost CRON (pam_unix) session closed for user clamav
I did not open or close this pam_unix session, whatever that is. (If MEPIS does this as an automatic routine, it's not anything I observed on previous days.) I did not submit any CRON jobs, either.
I don't even know how to find the PID for CRON jobs so I can kill them. I rm'ed crontab in /etc, as well as rmdir'ing cron.hourly, at the start of this session. I know klamav is an anti-virus program (one I'm not using, since I'm a CD-ROM based system with no storage), but I am not clamav, am I?
They used to run a cron.hourly function, until I learned to wipe out that directory quickly. Now they apparently run this other routine instead.
Last edited by techwatcher; 12-17-2007 at 12:18 AM.
At the time I d/l'd the file & subsequently burned the CD (using Nero, on yet a third PC, the SATA drive of which has since been destroyed also), the hash was correct. (I do not remember what it was.)
As to memory, I tried running a memtest a few days after October 25 (when I had high-speed cable service re-installed). It was still running, with no errors reported, after several minutes, so I finally stopped it to boot up. (This is only a 1K Mhz system.)
How do I find cmos battery voltage (written on battery itself?), and how is that relevant? This PC is dated 2001, but I bought it (used, with empty HD) sometime around April-May this year. Used it briefly, then didn't use it again for about 5 months, when I first swapped out, then removed, HD.
CMOS batteries have a tendency to go dead when the system isn't in use for an extended period of time. In the very least, it could explain why the machine is having trouble retaining BIOS settings. A few motherboards act up in weird ways when the battery is dead (it's not likely to explain all your symptoms).
Most CMOS batteries are CR2032 and should test to 3V.
I'd recommend letting memtest run again, perhaps overnight. Let it get at least one pass done (a "1" in the "pass" field).
Assuming the CD was good, it or the drive may not be good. I'd still recommend running that test to eliminate it as a possible culprit.
isoinfo -d -i /dev/cdrom | grep size
You may need to substitute the true location of your CD drive (such as /dev/hdc) instead of /dev/cdrom. This gives you the numbers for the next command. Now run:
dd if=/dev/cdrom bs=2048 count=312140 | md5sum
The 2048 is the Logical volume size. It's a very standard number. The 312140 is the "volume size" of a CD I have handy. Compare the hash it spits out to f69ce0a894ad14a6385db7095aebec5d (I believe this is the published hash for the disk you are using. I could be wrong.) You may need to install the genisoimage package to get isoinfo to work (I'm not sure about Mepis).
In fact, I can hear two of them discussing what to try next, while the third is (as usual) pacing.
A rogue FBI operation (violating civil rights left & right) is responsible, and the only reason they are still there at this point (having determined I'm innocent of the various charges against me originally!) is that I know they are doing this.
I can actually hear them speaking (though these days I can't make out many words). As I said, they apparently have to be quite close (in the next apartment, or upstairs) in order to work this trick. The other day they had a visitor, and I guess they told her that although I had been online, I appeared to be visiting artist sites; a woman's voice I didn't recognize told them I had visited the ACLU site that morning (you bet I had!).
... that they have some sort of very high-frequency generator of (very small) radio waves, targeting port(s) (keyboard port, game port?) with strings of 1's & 0's. It would be like tapping out Morse code on a telegraph line (which explains why it's slow).
The woman (visitor) who told them I'd been to the ACLU site that morning was informing these hackers of something they did not know (since I had once again made my machine... not exactly secure, but temporarily free of their control, anyway).
So, you are hearing voices, and "hackers upstairs" and a rogue FBI operation are messing with your computer, even when it is offline, and beaming radio waves at your ports?
Hmmmmm. I think you should visit your physician and have your medication adjusted.
I am serious.
Get well soon.
Thanks, gd2shoe, will try those and report hash. (It does originally find MEPIS at dev/hdc, according to msg I see at boot.) Btw, the info I wrote last night was incorrect; blame 'recall vs. recognition.' It is a hald-daemon, and hald-add-on, etc., not hal or dbus daemons, that I always kill first (via pid's listed through netstat -lanap).
Will also try to let memtest run overnight.
I'm fairly sure the battery is good: One day I dropped it, and because of my physical limitations (and it was late in the day) I didn't pick it up and re-insert it until the next day. That morning the PC would not power-up; I realized the battery needed time to recharge. Sure enough, in an hour it came up with no problems. The battery must be part of the power-up circuit; I had already observed that PC won't power-on without it inserted.
tredegar, there actually is a sorta logical explanation for this: FBI runs data-mining operations to catch (among other things) "insurance frauds" who are "not really disabled." I was a false positive. (You can verify they do this by searching for the relevant FBI.gov page of a manual they have online.)
Then it gets crazy: This one young agent is very impatient. Being unable to prove I am able-bodied, and with the operation headed into its 8th month, in September he attempted to frame me (I won't go into details). Following the failure of this (utterly illegal) move, he started a cover-up.
So when I re-started Web access and began searching online for similar cases & lawyers to help me (just get them OUT of my life!), apparently he called in a hacker consultant or specialist agent. After all, I had earlier given up and had the service shut down when my access was interfered with (about a month before I knew what was happening).
Well, they never expected me to deduce that they were affecting my PC before I even got online. How could they expect that??? Most older disabled women don't have a clue about PCs, after all, and they only saw the stereotype. (The reason I was originally targeted is that they actually did NO investigation, just went with their data-mining results. Unusually, I had not applied for disability until 10 years after becoming physically disabled. So, not much of a recent medical record!)
And now we are all stuck in this absolutely absurd situation. I can't figure out why they don't just go away, while no "friend" believes me about what's happening here. Except, maybe, because so many people in my building (but all believing I am either an insurance fraud, or perhaps a drug user or dealer -- from that frame atttempt) have been aware of their presence for so long?
Last edited by techwatcher; 12-17-2007 at 11:20 AM.