Old 12-22-2008, 12:21 PM   #1
Ubuntu Lou
LQ Newbie
 
Registered: Dec 2008
Posts: 12

Rep: Reputation: 0
Ubuntu Machine Has Malware And Spyware....Need Help!


Greetings,

I've been using the Ubuntu Hardy Heron distro since I bought a preloaded machine with this company's (in Georgia--'Eight Virtues') own version of Ubuntu on it.

Here's what I need.

Someone else besides myself has administrator (sudo) control over my machine.

It's being spammed with porn, and it's got a keylogger on it.

I found this malware with a spyware finder search.

Please don't tell me that Ubuntu CAN'T be cracked, because ANY computer can be cracked by a gifted and talented cracker.

I've had a command to completely wipe the hard drive clean, and I'm using it as sudo, but when I finish the command, it says "permission denied".

Here's what I need:

1. I need to completely wipe the hard drive clean, what if someone ELSE has sudo control (and I'm the *only* person using this machine) over my machine, is there any way to 'over ride' the sudo user??

2. I need to flash the BIOS, is it possible to RESET the BIOS to the factory settings by popping out the battery for like 15 minutes, and then re-inserting it?

3. Let's assume for a minute that the spyware finder was right and this machine really is being spammed with porn and has a keylogger on it and other malware. Would completely wiping the hard drive 7 times over take this stuff off?

4. I've got a copy of the BIOS from the seller of the machine, Eight Virtues in Stone Mountain, GA, but when you put the BIOS in and do the correct command line, it will only go through part of the process and not finish it. Since I have the correct command for flashing the BIOS, I really don't understand why this is not working. That's why I was asking about popping the BIOS battery out and resetting it back to the factory settings.

5. If I was able to get this computer clean again, can you please tell me is there any way to keep Ubuntu Hardy Heron safer from outside intruders. Yeah, yeah, I know it's supposed to be a completely safe distro, I heard this many times before I bought it, but in my case this has proved to be untrue. I'm using a D-Link high-speed gaming router, which also has a password on it, but this has proven ineffective.

6. I've also thought of just going back to the simple Hardy Heron OS that I also have a copy of instead of using the OS that came with the machine, which I also have on a disk that I got from Eight Virtues.

7. Perhaps somebody on this forum could give me the command line for Hardy Heron to wipe the hard drive clean, perhaps the one I found in a Google search is simply incorrect. That's possible, if not very likely.


I know that I've asked a lot of questions for a first post, but I really need help.

I've consulted Google many times looking for the questions that I've asked here, and have found little help.

I also have 'Beginning Ubuntu Linux' (Third Edition) by Keir Thomas and Jamie Sicam, which has not been very helpful at all.

So, I've looked elsewhere for help before I came to this forum to ask.

Thank you for your time and energy, and please don't lecture me about how "safe" Ubuntu Hardy Heron is, because I've heard all of that before.

What I am telling you is the truth, and is actually happening to me.

Thanks a lot.

Ubuntu Lou

Last edited by Ubuntu Lou; 12-22-2008 at 12:31 PM.
 
Old 12-22-2008, 12:33 PM   #2
wernerz
Member
 
Registered: Jun 2008
Location: Ottawa, Ontario, Canada
Distribution: debian, dsl-n
Posts: 55

Rep: Reputation: 15
If you're intent on erasing the hard drive, get a live CD of ubuntu or any other distro and reinstall. The formatting WILL erase all previous data. Disconnecting the bios battery will reset the bios. Some require that you hold the power button down for about a minute while the battery is removed and then put it back in. Good luck!
 
Old 12-22-2008, 12:36 PM   #3
GazL
Senior Member
 
Registered: May 2008
Posts: 4,176
Blog Entries: 5

Rep: Reputation: 1617
Quote:
Originally Posted by Ubuntu Lou View Post

3. Let's assume for a minute that the spyware finder was right and this machine really is being spammed with porn and has a keylogger on it and other malware. Would completely wiping the hard drive 7 times over take this stuff off?
Dangerous assumption. Where did you get this spyware finder? If you found it on some random web page, chances are it's a fake.
 
Old 12-22-2008, 12:37 PM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
I'm intrigued. Got a link for that spyware scanner?

Anyway, just re-install from normal Ubuntu discs downloaded from the Ubuntu site. If you're feeling really, really paranoid, go for:
$ sudo su -
# dd if=/dev/zero of=/dev/sda
This will clobber _all_ data on the sda drive (check which drive this is if there's any data on any drive you want to keep).

I'd just re-install though.

Securing it afterwards?
1) Don't allow admin access to your router from WAN or wireless.
2) Switch off sshd, telnet, vnc and anything else that allows a remote login
3) Job done.

Dave
 
Old 12-22-2008, 12:55 PM   #5
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
Quote:
Let's assume for a minute that the spyware finder was right and this machine really is being spammed with porn and has a keylogger on it and other malware. Would completely wiping the hard drive 7 times over take this stuff off?
Wiping 7 times is complete overkill. In your situation a basic wipe with all zeroes will be fine.

The most I ever do is two passes: One with /dev/urandom, the other with /dev/zero (I do this only to be sure private data does not stay on a machine that is leaving my possession.)

You should also report the issues to the company that provided the machine.
 
Old 12-22-2008, 01:03 PM   #6
widget
Senior Member
 
Registered: Oct 2008
Location: S.E. Montana
Distribution: Debian Testing, Stable, Sid and Manjaro, Mageia 3, LMDE
Posts: 2,621

Rep: Reputation: 492
If you need remote access get Start up Manager through Synaptic and password protect your recovery login. This will stop anyone from getting super user status easily.
 
Old 12-22-2008, 01:10 PM   #7
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,085

Rep: Reputation: 398
Quote:
I found these malware with a spyware finder search.
Calm down.
It's a fake.

It pops up a window along the lines of "Your computer is infected!!!! Click this link to fix it". Maybe it even says "And pay us $9.99".

In linux: Go ahead and click it. The worst that can happen is linux will say "What do you want to do with the file malware.exe ? Save, Ignore, Open with an editor?"

In windows: Malware is installed, and you pay $9.99 for it.

Last edited by tredegar; 12-22-2008 at 01:14 PM.
 
Old 12-22-2008, 01:20 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533
Quote:
Originally Posted by Ubuntu Lou View Post
Someone else besides myself has administrator (sudo) control over my machine.
How can you tell? Do you have any hints? Or even better: log data to show us?


Quote:
Originally Posted by Ubuntu Lou View Post
It's being spammed with porn,
Receiving unwanted emails of the pr0n kind doesn't constitute a breach of security.


Quote:
Originally Posted by Ubuntu Lou View Post
and it's got a keylogger on it. I found these malware with a spyware finder search.
I'll echo the others asking for that "spyware" scanner. Posting actual log data and scan results might help us determine. That is, if you would like a second opinion. I'm not saying I don't believe you but, with all due respect, it wouldn't be the first time we saved somebody from reformatting because their perception of things and events did not correlate with reality.
 
Old 12-22-2008, 07:00 PM   #9
Ubuntu Lou
LQ Newbie
 
Registered: Dec 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Will this command totally erase the hard drive?

Dear Dave,

Will the command below totally erase the HARD DRIVE?

If NOT, do you know the right command for THAT?

Thank you *all* very much for your help!

Lou

Quote:
Originally Posted by ilikejam View Post
I'm intrigued. Got a link for that spyware scanner?

Anyway, just re-install from normal Ubuntu discs downloaded from the Ubuntu site. If you're feeling really, really paranoid, go for:
$ sudo su -
# dd if=/dev/zero of=/dev/sda
This will clobber _all_ data on the sda drive (check which drive this is if there's any data on any drive you want to keep).

I'd just re-install though.

Securing it afterwards?
1) Don't allow admin access to your router from WAN or wireless.
2) Switch off sshd, telnet, vnc and anything else that allows a remote login
3) Job done.

Dave
 
Old 12-22-2008, 07:23 PM   #10
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Those commands will be enough to render the filesystems on /dev/sda completely unusable (run 'df -kl' to see what's mounted on what disks, it may not be sda on your system - post the output if you've got any doubts/questions), and any malware similarly so. I'd be willing to bet that the system would crash hard at some point during the operation, but by that point you'd have easily done enough. The 'dd' command will first completely clobber the partition table and boot loader, then start writing over each partition in sequence until the machine crashes, or the dd command writes over every last byte on the disk. Once the partition tables are gone the disk is effectively blank as far as any operating system is concerned, so after a couple of seconds you should end up with an un-bootable system, and anything on the disk will be neutralised.

You'd get just as much protection /in this case/ by simply re-installing, and choosing to format any existing filesystems, though. If you have any doubts about the integrity of your host, re-install. If nothing else it'll give you peace of mind - once the filesystem(s) have been (re)formatted, you're safe.

I'll be honest, though - I /seriously/ doubt you've got any malware on your system unless the people you got the machine from are actively malicious. Please do provide a link to the scanner you used - LinuxQuestions is consistently high on Google's results, so you might save someone else from some serious hassle if we can pick apart what's happened to you.

Dave

Last edited by ilikejam; 12-22-2008 at 07:28 PM.
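Dave's "check which drive this is" step, as an added example that is not part of the thread: the script below parses constructed df -kl output (a hypothetical 2008-style layout with a root disk and a backup disk), maps each mounted partition back to its parent disk, and refuses a wipe target that still carries a mounted filesystem. Running the wipe against the disk that holds the live root is exactly why the system "crashes hard" part way through, so the check is a reason to do the wipe from a boot off live media instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed df -kl output:
# the running system lives on sda, a backup volume on sdb, tmpfs is noise.
SAMPLE_DF='Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sda1       19737932  4123456  14611976  23% /
/dev/sda5      100000000 20000000  80000000  20% /home
/dev/sdb1      488384000 10000000 478384000   3% /mnt/backup
tmpfs            1024000        0   1024000   0% /dev/shm'

# strip_partition: /dev/sda1 -> /dev/sda, /dev/hda2 -> /dev/hda,
# /dev/nvme0n1p3 -> /dev/nvme0n1 (assumes the usual Linux naming rules).
strip_partition() {
    case "$1" in
        /dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*)
            printf '%s\n' "$1" | sed 's/p[0-9]*$//' ;;
        *)
            printf '%s\n' "$1" | sed 's/[0-9]*$//' ;;
    esac
}

# disks_in_use: read df -kl output on stdin, keep only /dev/ entries,
# and print the distinct parent disks that have something mounted.
disks_in_use() {
    awk 'NR > 1 && $1 ~ /^\/dev\// { print $1 }' |
    while read -r dev; do strip_partition "$dev"; done | sort -u
}

# check_wipe_target DEVICE DF_OUTPUT: exit 0 only if DEVICE carries no
# mounted filesystem; otherwise explain on stderr and exit 1.
check_wipe_target() {
    target=$1
    df_output=$2
    if printf '%s\n' "$df_output" | disks_in_use | grep -qx "$target"; then
        echo "REFUSE: $target still has a mounted filesystem; boot live media first" >&2
        return 1
    fi
    echo "OK: nothing is mounted from $target"
    return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DF" | disks_in_use
check_wipe_target /dev/sda "$SAMPLE_DF" || true
check_wipe_target /dev/sdc "$SAMPLE_DF"
```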
 
Old 12-22-2008, 08:15 PM   #11
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,277

Rep: Reputation: 126
To continue with the general theme of "you've been hoaxed" here is a random news-site about the recent federal court injunction against scareware purveyors:
Quote:
A Baltimore federal court judge ordered six absent defendants yesterday - including one from Maryland - to shut down Internet businesses that the Federal Trade Commission claims are part of a vast $100 million "scareware" scheme that tricked more than a million people into purchasing useless security software by making them think their computers were under attack.

"The evidence in this case is quite overwhelming," said U.S. District Judge Richard D. Bennett.

He also extended a freeze on the defendants' assets and signed an order requiring them to show why they shouldn't be held in contempt of court for missing the hearing and ignoring an earlier restraining order.

Bennett promised he would issue arrest warrants within five days if this round of orders in the civil case is ignored.
http://www.baltimoresun.com/news/loc...,4764703.story
 
Old 12-22-2008, 08:58 PM   #12
Ubuntu Lou
LQ Newbie
 
Registered: Dec 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Dear Dave,

I could tell you the real truth about HOW all of this happened, but you wouldn't believe me anyway.

I've been laughed at, and had people think that I'm a nut case before, when I simply asked politely for help.

It's a real long story anyway. And it's got some kind of 'X-Files' moments, in it too.

Here's what I did.....I used BOTH commands that you gave me, and *neither* of them worked.

I also used these yesterday (I found them on Google):

Using sudo (just as I did tonight with your commands).


dd if=/dev/random of=/dev/hda bs=1024 count


# shred -vfz -n 100 /dev/hda


Here's what I'm gonna TRY next, reset the BIOS (which has been corrupted)

by taking the battery out, and pressing on the start button.

THEN, I'm gonna install a regular Ubuntu Hardy Heron OS on it and try your commands AGAIN.

There's a keylogger in the BIOS, please don't tell me that this is impossible, because HOW it was installed (long distance, on the internet), by a tool that was specifically designed & made to do exactly this.

There's only a very small amount of space on the BIOS, but it's enough for a keylogger.

Until the keylogger is gone, it's probably impossible to fix any of these other problems.

I just wanted you to know that I did EXACTLY what you told me, and it did not work....I entered the exact command using sudo.

Onward in the fog.....Lou

Quote:
Originally Posted by ilikejam View Post
Those commands will be enough to render the filesystems on /dev/sda completely unusable (run 'df -kl' to see what's mounted on what disks, it may not be sda on your system - post the output if you've got any doubts/questions), and any malware similarly so. I'd be willing to bet that the system would crash hard at some point during the operation, but by that point you'd have easily done enough. The 'dd' command will first completely clobber the partition table and boot loader, then start writing over each partition in sequence until the machine crashes, or the dd command writes over every last byte on the disk. Once the partition tables are gone the disk is effectively blank as far as any operating system is concerned, so after a couple of seconds you should end up with an un-bootable system, and anything on the disk will be neutralised.

You'd get just as much protection /in this case/ by simply re-installing, and choosing to format any existing filesystems, though. If you have any doubts about the integrity of your host, re-install. If nothing else it'll give you peace of mind - once the filesystem(s) have been (re)formatted, you're safe.

I'll be honest, though - I /seriously/ doubt you've got any malware on your system unless the people you got the machine from are actively malicious. Please do provide a link to the scanner you used - LinuxQuestions is consistently high on Google's results, so you might save someone else from some serious hassle if we can pick apart what's happened to you.

Dave
 
Old 12-22-2008, 09:06 PM   #13
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,277

Rep: Reputation: 126
Quote:
Originally Posted by Ubuntu Lou View Post
There's a keylogger in the BIOS, please don't tell me that this is impossible, because HOW it was installed (long distance, on the internet), by a tool that was specifically designed & made to do exactly this.
You are aware that Linux doesn't use the BIOS once it gets into the boot process, right?
 
Old 12-22-2008, 09:33 PM   #14
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi Lou.

If you're utterly convinced that you've been compromised, then nothing I or anyone else says will persuade you otherwise. Let's work on that premise.
If you doubt the integrity of the BIOS on your motherboard w.r.t. keyloggers et al, then you and I both know that you need to not use that motherboard. So don't. Chuck it in the bin and be done with it. Buy a new motherboard. No amount of drive wiping will be sufficient for your ends.

"I could tell you the real truth about HOW all of this happened, but you wouldn't believe me anyway."
Try me. PM me if you feel the need. You're giving off some serious paranoid vibes here, but if you have reason to be paranoid then fair enough - you'll know if you're willing to share accordingly.

Dave
 
Old 12-22-2008, 09:40 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 376
Why do you keep refusing to post a link to the alleged spyware scanner you used?

Is it because it doesn't exist?
 
Tags: troll