Linux - Newbie forum, LinuxQuestions.org
Duh! Yeah, I knew that -- that's why I'm only using a CD-ROM drive, and only using a CD-ROM disk. *sigh*
Look, I know this situation is hard to believe. I do know that, really: I know that even hackers seem to be completely unaware of this capability, because I've searched. That's why, despite all this abuse, I'm still communicating here: some of you may need to know about this. Freedom (i.e., learning enough to withstand this new abuse of civil rights by FBI or other agencies) is more important even than catching terrorists, imo.
Here's a technical, indisputable fact: The rsyncd.conf file has never been found on my system again, except it or similarly spelled files (rsyncdconf) appear somewhere under /usr, when I've been able to run the "find" routine. (As I previously mentioned, sometimes I can't click anything effectively.)
Previously, I had been watching shut-down messages (when I shut down the PC instead of pulling the plug), and I used to see that rsync had been shut down. So one day I read the man pages on rsync. The next session, I rm'ed that rsyncd.conf file. After that day, no more rsyncd.conf has ever been accessible to me (for deletion) on my system. Can someone explain that? Because CD-ROM disks can't be altered, you know, so the files installed should be the same, day to day.
Someone here said something useful about Getty, too. I had been doing other things that somewhat disabled the TTYs -- showing up in the who -aH listing (although not visible in who listing alone). I was trying to do this because I could not force the boot-up routine to accept the single-user option, and I thought perhaps the hacker(s) used one or more of those TTYs.
Today I managed to open the Process Table of KDE System Guard again (I'm not always able to open applications; sometimes they die, without a message or warning, while the hourglass is spinning). I killed a couple of the Getty processes. (These processes don't show up on the netstat, at least not in options I've tried, so I don't know how else to get the PIDs so I can kill them.) As I was killing the first of them (by typing
in a root shell within konsole), ALL of them (other Getty's) disappeared, all at once, from that Process Table. Hmmmm. (Now the ID's are trying to "spawn too fast" all the time, and I've been online without any slowdowns for about 5 hours. )
I'm fairly new to Linux, but not at all ignorant about computers in general. I have been a professional programmer from time to time, as well as a documenter (languages included APL, FORTRAN, BASIC, BBL, even one horrid C+ program I wrote for an academic friend). I even taught programming or "computer" classes in two institutions.
No, I am not mad or paranoid. Yes, I have contacted ACLU (aclu for NC), and other lawyers I've been able to find online who might be able/willing to help.
I came here for two reasons:
To try to get a better understanding of HOW my system is being accessed (I know little of ports, sockets, etc.), and
To warn the community of an UNKNOWN (and surely illegal) spying capability.
I do very much appreciate the little technical information I have been given here. If anyone can suggest how someone physically nearby could have been using rsync without my having a known wireless capability (on a 2001 PC) or being connected (via an Ethernet cable) to the Internet, that would be useful. If anyone can suggest how I should check my... ports? sockets?... and DISconnect them unless they are running through my browser, that would be very useful, too.
While I was typing text within a message field in an art-related forum board (looks a lot like this forum board, actually), I got a message that the system log app had just crashed. How can my typing online (in a field like the one I'm typing in right now) have caused that? The CD-ROM had started spinning while I was typing; I'm used to that by now.
I'm no longer randomly removing directories and files from the system, btw. When I first started this hacking of my own system, having no information, I had to explore to see what worked, so I did a lot of deleting of files or directories just to see what the effect might be. But that was 6-7 weeks ago, and I no longer delete randomly.
Now I have a routine set of files or folders to delete. This includes cups-related files (cups or cupsd, networks properly used for printing), samba's .conf file in /etc/samba, a bunch of files in /dev, and so on. I no longer delete anything randomly. The only apps I run myself are Firefox and (just today) Kate, aside from utilities like konsole, Ksyslog, and (today) Process Table.
Let me rephrase part of the problem here. If someone is clever enough to hack into a fairly well secured Linux box (read: running a live CD), then they are bright enough to avoid causing these massive anomalies that you are describing. They would have to go out of their way to intentionally cause your programs to crash, or change the tint of your monitor. There are only three choices:
These problems are being caused by a physical hardware problem.
These problems are being caused by your manipulation.
These problems are being caused by pranksters.
I repeat, if the FBI were hacking into your system, they would do so capably and practically invisibly.
Of course it is normal for a live CD to spin up, such as when we ask the system to do something new. But this CD drive sometimes spins up and will not stop, not at all, even if I try to eject the drive. (It's been a few weeks since the last occurrence of that, though.) Other times it spins up when I have not asked it to do anything new, and no new process seems to result.
This morning I am seeing occasional bursts of "getty's" in the ProcessTable, and I'm killing them (not as fast as they're reported). I'm not initiating those processes, certainly not knowingly, anyway. There'll be a long string of them, with PIDs that are sequential for a short while, then skip, like this (this is my killing them while my path is /dev):
There are only 5 tty terminals in runlevel 5 anyway, right? So why or how is the system, itself, producing these requests? (I blocked this process anyway, so even a running getty doesn't get one. I don't want to say online how I'm doing that.)
I searched today (find file:/ include subfolders checked) for rsyncd.conf, because last night when I shut down (normally, instead of pulling the plug), I noticed rsync did shut down again. The only copy on my own system is in /linux/usr/share/doc/rsync/examples/. When I shut down (if I can do it normally) after this session, I'll note whether rsync is running during this session and try to report back.
It's quite normal for getty processes to be there, and when you kill them, for them to re-spawn. On many distros this is controlled by the inittab file. I just tried to find it on my Ubuntu Gutsy system and there is not one, so I assume a new mechanism was introduced when they changed the init system a release or two ago. Does anyone know what is used now?
As for the CD... You can't eject a LiveCD when it is in use because it cannot be un-mounted. You cannot un-mount a filesystem for which there are open files, and there are always open files on the LiveCD.
As for the spinning up... many programs (especially GUI programs) have timers in them which trigger events on a regular basis. If these events run code which is mapped to a part of a binary file or library which is not in memory, the CD will spin up. Exactly how often this happens is very difficult to predict and it can happen at unexpected times. This is completely normal for using a LiveCD.
As for your secret "method" of stopping the getty processes I dread to think... You mentioned earlier that you have been randomly deleting files and directories, without apparently having any idea what you are doing. It's little wonder that your computer is behaving erratically.
Without even knowing what your method is, I can tell you now - don't do it. You simply don't understand your system enough to be messing about in the way you are and expect anything other than terrible results. Moreover, it's extremely irritating to me that you mess with it like this and then come here and expect people to be able to help you because your system is behaving strangely. I am inclined to believe that this thread is either a joke, or a case of PEBKAC.
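The reply above explains that the gettys come back because inittab tells init to respawn them. As an added illustration (example code, not from the thread or from any distribution), here is a small parser for the classic SysV inittab layout (id:runlevels:action:process) that lists which entries init will restart in a given runlevel, together with the documented init(8) throttle that produces the "respawning too fast" message: more than 10 respawns of the same id inside 2 minutes and init disables it for 5 minutes. The inittab text is a constructed sample; the tty1 to tty5 entries are active in runlevel 5 and tty6 is not, which is why only five gettys would show up there.

```python
"""Why killed getty processes come back: respawn entries in a SysV inittab.

Added example, not code from the thread or from any distribution. The
inittab text is a constructed sample in the classic SysV layout
(id:runlevels:action:process); the throttle mirrors the init(8) rule
(more than 10 respawns in 2 minutes disables the id for 5 minutes).
"""
from dataclasses import dataclass
from typing import List

SAMPLE_INITTAB = """\
# constructed sample /etc/inittab, not taken from any real system
id:5:initdefault:
si::sysinit:/etc/init.d/rcS
l5:5:wait:/etc/init.d/rc 5
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
1:2345:respawn:/sbin/getty 38400 tty1
2:2345:respawn:/sbin/getty 38400 tty2
3:2345:respawn:/sbin/getty 38400 tty3
4:2345:respawn:/sbin/getty 38400 tty4
5:2345:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
"""


@dataclass
class InittabEntry:
    ident: str      # unique id; for gettys usually the tty number
    runlevels: str  # runlevels in which the entry is active, e.g. "2345"
    action: str     # respawn, wait, once, sysinit, ...
    process: str    # the command init runs


def parse_inittab(text: str) -> List[InittabEntry]:
    """Parse inittab lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)   # the process field may itself contain ':'
        if len(parts) != 4:
            continue                 # malformed line: skip it
        entries.append(InittabEntry(*parts))
    return entries


def respawn_entries(entries, runlevel: str) -> List[InittabEntry]:
    """Entries init restarts whenever they exit while in the given runlevel."""
    return [e for e in entries
            if e.action == "respawn" and runlevel in e.runlevels]


def respawn_too_fast(exit_times, limit=10, window_seconds=120) -> bool:
    """init(8)'s throttle: more than `limit` exits of one id inside any
    `window_seconds` span and init disables the id for five minutes."""
    times = sorted(exit_times)
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window_seconds:
            j += 1
        if j - i > limit:
            return True
    return False


if __name__ == "__main__":
    entries = parse_inittab(SAMPLE_INITTAB)
    for e in respawn_entries(entries, "5"):
        print("runlevel 5 respawns id %s: %s" % (e.ident, e.process))
    # killing a respawned getty every 5 seconds trips the throttle quickly
    print("throttled:", respawn_too_fast([5 * k for k in range(12)]))
```

Killing a respawned getty by hand therefore achieves nothing lasting: init restarts it, and doing it repeatedly only trips the throttle. The entry is removed by editing the inittab line (or, on distributions that have moved to a newer init system, its equivalent job file) and telling init to re-read its configuration.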
As I said, I'm no longer randomly killing files or directories; I did that many weeks ago because I had no access then to documentation that would help me learn about the system.
Okay, well, I've decided to post the real reason I know my system is being hacked just about from the moment I first turn it on. I wasn't saying this earlier, because now they will read this and know how to fix all their problems:
The version of Mepis 6.5 (32-bit) I'm running is obviously not the same as the one they think I'm running. I knew this when they first started their new approach to taking over my machine at boot-up, because
the splash screen is DIFFERENT. Okay? My CD's splash screen didn't used to look like it looks now. Now, there are F-key options at the top, and a white border or screen with smaller blue box in it, listing the various boot MEPIS options. So I knew they had started hacking in such a way that my system is simply a node on their existing system from the time I start.
Also, of course, all the BIOS options they alter are a clue. They always start now with Security: keyboard locked/keyboard unlocked, although I never set that in my BIOS. Earlier, the keyboard wasn't responding properly as I used the down-arrow to get to the option (60-MHz) I use; there was a very discernible delay before the keyboard (my tapping the keys) would 'synch' with the visible response on the monitor. Ever since I mentioned that on this board, that delay doesn't happen anymore.
They are using serial ports & game ports although I disabled them in the BIOS earlier. Now, I'm just using default BIOS, except altering the Startup sequence, since I have no HD or floppy, but I was earlier disabling those ports -- and they were using them. Are using them. Anyway, I hope now I've posted enough that savvy hackers (who won't have posted here) have a clue what to look for. Now that I've really given the game away, I expect I'll only be able to access the Internet from the library, when I can get out safely again.
Okay, they haven't been able yet to shut me out of the Internet, and I have a couple specific questions:
The KDE System Guard Process Table lists a couple processes I want to kill. I killed them last night without any problem, but today (even though I'm running again as root this morning), I can't kill them: wrap_wq is the first, and right after it is ndis_wq.
I suspect these are related to what I used to know as "ndiswrapper" which has to do with NetBIOS, so I want to kill them. Anyway, as I said, last night I killed them from Konsole with no problem, but I can't use kill <pid> today to kill them. The sysguard's own "send signal" (SIGTERM, SIGSTOP) is also having no effect on them. Any ideas?
My second question: This is actually my second attempt today to get online. First time, I had accidentally left the Ethernet cable (from router) plugged into cable modem. When I thought I was ready to launch Firefox, turned out I could not launch any app again. When I used "shutdown now," hackers tried to intercept and restart... (eventually I pulled plug). Anyway, I saw an unusual message (which I'm copying here from my hand-written note):
Starting Common Unix Printing System: cupsdcupsd: Child exited with status 1!
Now I do know about CUPS, that it is a sort of network supposed to be used for printing. I've been killing bits of CUPS for days, since I know that's one way they were getting into/trying to get into my system. But I never saw this before, and have no idea what it signifies. Can anyone help me figure out what to do, if anything, about this?
Btw, I had trouble finding this thread today, because it was listed quite far down. An advanced search found it, but listed an incorrect 'last post' date.
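On the first question (wrap_wq and ndis_wq not responding to kill, SIGTERM or SIGSTOP): names of that form are characteristic of kernel workqueue threads, and no signal sent from user space, root or not, has any effect on a kernel thread. Rather than trusting the name, the check below reads what /proc says about a process. This is an added example, not code from the thread: the /proc/<pid>/stat lines are constructed samples in the proc(5) field layout, and the PF_KTHREAD flag value is the one the kernel defines (kernels that predate it still expose an empty /proc/<pid>/cmdline for kernel threads, which the code also checks). It also recognises a zombie, which likewise cannot be killed because it is already dead.

```python
"""Tell a kernel thread from a user process before reaching for kill(1).

Added example, not code from the thread. The /proc/<pid>/stat lines are
constructed samples (field layout from proc(5)); wrap_wq and ndis_wq are
the names quoted in the thread. Kernel threads have an empty
/proc/<pid>/cmdline and, on kernels that define it, PF_KTHREAD set in the
stat flags field; signals from user space do nothing to them.
"""

PF_KTHREAD = 0x00200000   # kernel flag bit marking a kernel thread

# Constructed /proc/<pid>/stat samples.  Field order after the ')' is
# state ppid pgrp session tty_nr tpgid flags ... (see proc(5)).
KTHREAD_STAT = "1234 (wrap_wq) S 2 0 0 0 -1 2129984 0 0 0 0 0 0 0 0 15 0 1 0 100 0 0"
USER_STAT = "5678 (firefox-bin) S 1 5678 5678 34816 5678 4194560 9000 0 0 0 120 30 0 0 15 0 12 0 200 50000000 8000"
ZOMBIE_STAT = "9999 (cupsd) Z 1 9999 9999 0 -1 4227084 0 0 0 0 0 0 0 0 15 0 1 0 300 0 0"
SPACED_STAT = "4321 (Web Content) S 5678 5678 5678 34816 5678 4194560 10 0 0 0 1 1 0 0 15 0 4 0 400 1000 10"


def parse_stat(stat_line):
    """Parse the fixed-position fields we need.  The comm field is cut at the
    LAST ')' because a command name may itself contain spaces or parentheses."""
    head, _, tail = stat_line.rpartition(")")
    pid_text, _, comm = head.partition("(")
    fields = tail.split()
    return {
        "pid": int(pid_text),
        "comm": comm,
        "state": fields[0],
        "ppid": int(fields[1]),
        "flags": int(fields[6]),
    }


def classify(stat_line, cmdline):
    """Classify a process and say whether a signal from user space can end it."""
    info = parse_stat(stat_line)
    if info["state"] == "Z":
        kind, killable = "zombie", False
        note = "already exited; it vanishes once its parent (ppid %d) reaps it" % info["ppid"]
    elif cmdline == b"" or info["flags"] & PF_KTHREAD:
        kind, killable = "kernel thread", False
        note = "runs inside the kernel; kill, SIGTERM, SIGSTOP and SIGKILL are ignored"
    else:
        kind, killable = "user process", True
        note = "SIGTERM can be caught or ignored by the program; SIGKILL cannot"
    return {"pid": info["pid"], "comm": info["comm"], "kind": kind,
            "killable_from_userspace": killable, "note": note}


def classify_live(pid):
    """The same check against the running system (needs /proc, Linux only)."""
    with open("/proc/%d/stat" % pid) as f:
        stat_line = f.read()
    with open("/proc/%d/cmdline" % pid, "rb") as f:
        cmdline = f.read()
    return classify(stat_line, cmdline)


if __name__ == "__main__":
    samples = [(KTHREAD_STAT, b""),
               (USER_STAT, b"/usr/lib/firefox/firefox-bin\x00"),
               (ZOMBIE_STAT, b"")]
    for stat_line, cmdline in samples:
        r = classify(stat_line, cmdline)
        print("%5d %-12s %-14s killable=%-5s %s" % (
            r["pid"], r["comm"], r["kind"], r["killable_from_userspace"], r["note"]))
```

Run against a live system with classify_live(pid) for the PID shown in the process table. A kernel thread only goes away when the module that created it is unloaded (rmmod), so if the thread belongs to a driver you do not want loaded, the place to act is the module list (lsmod) and the module configuration, not the process table.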
When I tried to get online again that night, the CD disk wouldn't even spin up fully. They finally learned enough about how that PC works to shut down the drive after I entered my boot options, I guess. No one has any answers? Guesses? I'm entering this from a 'Net Cafe.
Well... By removing the battery to completely reset the BIOS, I was able to restore PC's functioning. (Anyone want to suggest how resetting the BIOS in this way could restore CD-ROM function? Thought not.)
My monitor is still wrong (looks like wrong resolution/size, currently), but I can function online at home again, currently.
Isn't anyone here able to point me to useful "man" items? The problem I'm having with the documentation is that it's fine if one already knows the specific routine (i.e., rsync) to look up "rsync" -- but I don't know the names of these routines. How can I read the manual to find out more about shutting down networking, not knowing what to enter as a relevant term? Just the other day I finally learned that eth0 and lo are called "interfaces." Couldn't someone explain things like this, or point me to an overview which will help me understand the vocabulary, at least?