LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Closed Thread
 
Search this Thread
Old 11-22-2013, 05:26 PM   #1
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Rep: Reputation: Disabled
My family is under attack 24/7 any linux or windows is rootkitted, botnet, metasploit


Hello,
I used to work in SEO and I rated someones website who turned out to be an evil hacker.

He has a machine attacking my family PC 24/7.

I havn't used the internet in half a year but my 60 year old mother is still under constant attack. I want to help them as its my fault.

I didn't realise rating a website would lead someone to such a sadistic and relentless act.

Any windows or linux I install is taken. We've lost over 10 PCs and phones and 3 businesses in the attack leaving us unemployed. They control the machines at BIOS level and I cannot get anybody to help.

Ther UK police told me outright they won't help. I quote "we do nothing about hackers".


I can install any OS and it gets hijacked instantly. They block antivirus and firewalls and put loads of fake certificates in. Any browser on the net is constantly warning that theres a "man in the middle" attack and that the connection is unsafe.


With linux they hijack everything, the updates etc - we can't even use a live CD as it appears to be in the BIOS. A mini linux that runs daemons.


If I format the harddisk offline, there is always a fake filesystem. If I type // into the browser I can see the real file system and there is a folder caller run/lock and no program will delete it.

I've tried rescue CD, midnight commander, Knoppix - we've tried everything we can think of - moving house, changing routers, changing ISPs but its nearly 1 year now and the attack is still happening.

The attacker seems to be using a botnet and metasploit attack on us. Hes destroyed entire PCs and phones. I was warned he runs a hacking forum and is advanced in it.


I believe even the firmware on the router has been altered as its now saying "busybox" and the BIOS has been altered very obviously.


Our routers lights flash really fast - both the in and out lights are going crazy constantly.


I don't even use the internet anymore but I'm so sick of my mother being attacked. Shes 60 years old with a heart condition and relies on shopping online. Theres a lot of things she HAS to do online.

We've tried changing house, ISPs, routers and they still attack us. They won't let her work online on her shop she used to have selling clothes.

We under constant harrassment and no idea how to stop it now. We've given up buying new PCs and using the net altogether but lifes become very difficult as everything is online.
 
Old 11-22-2013, 05:38 PM   #2
joe_2000
Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Crunchbang, Debian
Posts: 315

Rep: Reputation: 77
You have changed the house?!? Wow.
How about hiring an IT security professional? Would seem cheaper and more efficient...
 
Old 11-22-2013, 05:38 PM   #3
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
Basicaly every single thing has been attacked, the bios needs replacing the router but they use doxing to find us again.

When I run rescue CD off of the front of Linux Magazine, they have restricted the options, only one kernal can be loaded. I've tried every Linux you can think of including Kali and putting the harddisk in a docking bay and dismounting it but we cannot remove the "lock" file.

Even running a live CD the system log is reporting that the BIOS memory areas have been hijacked. I will try and find a log file to copy and some pictures.


It just popped up with this error link "http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1064" I believe they are metasploit attacking her.

She has a chromebook and that has also been hijacked - it won't powerwash and if you go into developer mode theres hundreds of errors. When I check the security certificates theres hundreds of false ones.

The base PC we have had every computer expert in we can and they cannot remove it or help us. They told us to change everything and move but that does not help.
 
Old 11-22-2013, 05:42 PM   #4
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
Name Size Date Modified
lost+found 49.2 kB 10:01:30 PM 07/11/2012
initrd.img 19.9 MB 10:05:14 PM 07/11/2012
vmlinuz 5.0 MB 07:01:55 PM 08/10/2013
opt 4.1 kB 08:47:11 AM 07/23/2013
mnt 4.1 kB 10:32:24 AM 04/19/2012
proc 0 bytes 10:07:52 PM 11/22/2013
root 4.1 kB 10:05:04 PM 07/11/2012
boot 4.1 kB 10:05:14 PM 07/11/2012
var 4.1 kB 10:07:09 PM 11/22/2013
selinux 4.1 kB 01:48:47 PM 03/05/2012
home 4.1 kB 10:03:45 PM 07/11/2012
usr 4.1 kB 08:47:11 AM 07/23/2013
lib 4.1 kB 10:04:38 PM 07/11/2012
srv 4.1 kB 08:47:11 AM 07/23/2013
run 760 bytes 10:45:34 PM 11/22/2013
bin 4.1 kB 10:04:38 PM 07/11/2012
tmp 4.1 kB 11:17:01 PM 11/22/2013
sys 0 bytes 10:07:53 PM 11/22/2013
dev 4.3 kB 10:43:32 PM 11/22/2013
sbin 4.1 kB 10:04:56 PM 07/11/2012
media 4.1 kB 08:47:11 AM 07/23/2013
etc 4.1 kB 10:43:33 PM 11/22/2013
windows 16.4 kB 01:00:00 AM 01/01/1970
cdrom 4.1 kB 10:03:30 PM 07/11/2012
 
Old 11-22-2013, 05:43 PM   #5
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with Slackware 14.
Posts: 2,581

Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
1st thing first, if this is actually coming via the internet turn off your modem.
2nd thing, do a totally clean install on your systems.
3rd thing, do not reconnect the modem at all.
4th thing, use your systems totally (I mean totally) disconnected from the interent.
5th thing, let us know how you go.
 
Old 11-22-2013, 05:49 PM   #6
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
If I type // into the address bar of a browser it appears file:/// then the above list of stuff is there ^^

a false file system is created its always the same, it has VMLINUZ and a run/lock directory. It has SElinux but I never even install it.

When I try to run any commands in terminal - a terminal emulator comes up called "busybox".

I can get to # by unplugging everything and resetiung the mother board and tehres a mini linux running still that has acpi and avahi daemons and fake version of TOP, you can try and kill all the processes but it won't work. The lock file owner has no setting and there is a group called root and a user called root - so I cannot ever be the real root

If I try to update my firmware or flash the bios they divert me to horrible images or just block us or send a new virus or start a new exploit.



I tracked the hacker to a location in Taunton England and believe I have is name but the police have refused to help. They told us they "do do anything about hackers".
 
Old 11-22-2013, 05:53 PM   #7
astrogeek
Senior Member
 
Registered: Oct 2008
Distribution: Slackware: 12.1, 13.1, 14.1, 64-14.1, -current, FreeBSD-10
Posts: 1,659

Rep: Reputation: 571Reputation: 571Reputation: 571Reputation: 571Reputation: 571Reputation: 571
If this is not a joke on the part of the OP, then I think he/she needs to refresh their knowledge of PCs.

Allowing that they are having serious problems, I think taking a deep breath, lower the paranoia a notch, quit seeing monsters under every rug and take things logically, one step at a time, would be a good first step.

Last edited by astrogeek; 11-22-2013 at 05:55 PM.
 
1 members found this post helpful.
Old 11-22-2013, 05:56 PM   #8
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by k3lt01 View Post
4th thing, use your systems totally (I mean totally) disconnected from the interent.
5th thing, let us know how you go.
Yes I have but I cannot remove it. It infects every USB device, remotely activates bluetooth and wifi.

I had to physically remove the WIFI cards and even then it adapts and learns. The mini liux in the BIOS has a kind of A.I - it recognises what disk you put in and always you can never be root or dismount the drive and format it. Even knoppix did not work its that powerful.

I read online they can infect CDROM memory areas, the I.T experts have gone insane - one of them waqas litterally crazy - he said its impossible to do what it has done. As It wrote the virus to a LIVECD which transfered to my offline PC this PC did not even have WIFI in it so either I accidently used a infected drive and forgot or its capable of writing to finalised CDs.


It takes over Windows or any linux machine. Even phones have been remote activated. The hacker sent us horrible messages then the phones locked and would not work again. Some of the PCs were also destroyed by him putting passwords on the harddisks and bioses and encrypting it all.
 
Old 11-22-2013, 06:01 PM   #9
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with Slackware 14.
Posts: 2,581

Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Quote:
Originally Posted by nice1m8 View Post
Yes I have but I cannot remove it. It infects every USB device, remotely activates bluetooth and wifi.
Turn OFF the powerpoint to the modem etc pull out the powerlead from the wall and start again. Until you do that, if as astrogeek says this is not a huge hoax, nothing will change.
 
Old 11-22-2013, 06:18 PM   #10
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by astrogeek View Post
If this is not a joke on the part of the OP, then I think he/she needs to refresh their knowledge of PCs.

Allowing that they are having serious problems, I think taking a deep breath, lower the paranoia a notch, quit seeing monsters under every rug and take things logically, one step at a time, would be a good first step.
I've been readfing every book I possibly can. Hacking for dummies, advanced SSH off-port tunnels, metasploiting - we are under a botnet attack. Its targeted and a powerful rootkit that infects the biuos and grub and locks itself as "root" and opens up the PC in some way.


I'm not seeing stuff - we've paid thousands of pounds hiring I.T experts and they told me that is what this is and we have to live with it every day.



I know about PCS. In Windows, it takes hold of a mini partition and core windows files - if you put the machine online it emulates the entire system with a fake root which can be found by typing cd c:,
- effectively theres always 3 partiions no matter what I do or what OS I install. If I install a Linux it creates a mini partition to boot it, a virtual linux XCFE that is mostly fake software, there wil be a load of packageses installed that state they are not part of the OS. I can go into synaptics package manager and they are all from "multi-verse" and the linux states its untrusted. They are all packages that effect control of the PC at core level.


The PC is basically unusable because the devices are faked. For example Its created a directory called mount and if I dismount SDA1 5 and 6 they just automatically remount themselves. I can try installing ubuntu into 1 partition and when its done - theres 3 partitions and you cannot remove the packages using DPKG as they have created ALIASES and SYMLINKS to prevent you from removing it.


This is not a joke its been effecting my family for almost a year now. I don't go online anymore, Its juist upsetting to see what their doing to my mother. Shes 60 years old, has a heart condition and really does need to use the net to shop and bank.

We can't et a secure connection. They block her for sadistic fun. The security certificates are forged and every browser tells you theres a "man in the middle" attack. You could not make this up. We've had to live with it and its horrible.
 
Old 11-22-2013, 06:25 PM   #11
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by k3lt01 View Post
Turn OFF the powerpoint to the modem etc pull out the powerlead from the wall and start again. Until you do that, if as astrogeek says this is not a huge hoax, nothing will change.
We have.

We moved house, change PC and changed ISP but it only lasted 3 weeks and they found us again.

The hacker usesd doxing and we can't prevent that because my family has 6 members and they use websites to find our address. I never even knew about it until it happened to me that half this stuff was even possible. Its called "doxing" but thats how they find you.

I don't thgink theres anything we can do because I can't get every memeber of my family to to change name anonymously, its just impossible. They are even rootkitting family memebers phones etc so its just been impossible to stop.


I can't even have an offloine PC because I cannot remove it from them. So far I have only 1 pc thats not infected - because I removed the WIFI card physically and have never plugged any USB or ethernet in or used any CD that been used in the other machines.
 
Old 11-22-2013, 06:27 PM   #12
nice1m8
LQ Newbie
 
Registered: Nov 2013
Posts: 9

Original Poster
Rep: Reputation: Disabled
Look for yourself at what has been done

Your public IP address is 90.204.60.225

^ this is our IP.
 
Old 11-22-2013, 06:28 PM   #13
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with Slackware 14.
Posts: 2,581

Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
I understand your a bit hysterical, again if this is real it is a bad experience but nothing will change until you totally disconnect from the internet and do complete clean reinstalls. Once you have done that remain totally disconnected from the internet, if you must use the internet go to an internet cafe or something that way you and your family are not able to be targetted until the issue is fixed.
 
Old 11-22-2013, 06:32 PM   #14
k3lt01
Senior Member
 
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with Slackware 14.
Posts: 2,581

Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
Quote:
Originally Posted by nice1m8 View Post
Look for yourself at what has been done

Your public IP address is 90.204.60.225

^ this is our IP.
Anyone can post their IP up, I can do it but I wont.
Seriously settle down because you're not listening and your not even attempting to do as you are asked when we are trying to offer help. We are volunteers and I for one won't waste time with someone who wont listen.
 
2 members found this post helpful.
Old 11-22-2013, 06:40 PM   #15
astrogeek
Senior Member
 
Registered: Oct 2008
Distribution: Slackware: 12.1, 13.1, 14.1, 64-14.1, -current, FreeBSD-10
Posts: 1,659

Rep: Reputation: 571Reputation: 571Reputation: 571Reputation: 571Reputation: 571Reputation: 571
Quote:
Originally Posted by nice1m8 View Post
I've been readfing every book I possibly can...
But apparently you have not understood anything that you have read... I do not intend that in any mean-spirited way, but it is rather obvious from your posts that you really do not have any understanding about how these things work.

As long as you continue to believe in viruses that jump air-gaps, AI's running in your BIOS, re-written CDs, faking of entire operating systems and mass replacement of certificates with dupes on a secure connection, remote activation of a disabled WIFI device - and attempt to convince people who read your posts of those things, your situation will remain hopeless. Your only hope will be to discard all your electronic devices, throw your mobile phone in the river and move to a village in Patgonia without electrical service.

On the other hand, if you are willing to understand the basic principles involved and identify the actual source of your problems, there are many here willing to help.

Last edited by astrogeek; 11-22-2013 at 06:43 PM.
 
2 members found this post helpful.
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
rootkit attack on windows linux network salimshahzad General 5 01-27-2010 12:01 PM
I got rootkitted, recommendations for recovery? haertig Linux - Security 6 05-29-2009 02:00 AM
Family planner / calender on linux & windows ReefShark Linux - Software 1 06-29-2005 04:54 PM


All times are GMT -5. The time now is 04:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration