[SOLVED] My network is hacked for sure. I want to reinstall but it will be hacked again.
Please believe me when I say my new Ubuntu install was hacked. Before that the Mac on which it was installed was hacked for over two years by the same person. I have forensic evidence that takes up boxes. I just can't get the F.B.I. to do their job. Anyhow, the hacker destroyed the install. When you turn on the computer, this is what it says:
init:error while reading from descriptor/bad filedescriptor
init: nwclockmain process (353/terminated with status 2
init: plymouth main process (352) terminated with status 2
init: nread ahead main process (354) terminated with status 3
/bin/sh: can't open /proc/self/fd/8
init: mountall main process (355) terminated with status 2
init: plymouth - stop pre-start process (359) terminiated with stats 2
init: mountall - shell main process (362) terminated with status 2
/bin/sh: can't open /proc/self/fd/8
init: mountall-shell past-stop process (363) terminated with status 2
I have no idea what this means or if it means I can't reinstall. I was able to get the grub file and it only replied with this same message.
Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was a netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now. How will I ever clean that tangled mess out to have any hope of computing with my reinstall without being hacked? He is even hacking the Knoppix Live CD according to the results of the Netstat.
Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.
Thank you.
Last edited by MsRefusenik; 08-26-2010 at 07:29 PM.
Reason: This is NOT solved. I don't understand any of it. It's all a foreign language to me. Why can't I just erase and reinstall?
XD! Are you serious? It seems more like a hardware failure XD!!!!! You just need iptables on your computer, and to be sure that no one has physical access to it.
Hi,
I agree with ndarkduck that none of the above reported errors are related to any kind of hack. This really sounds like a damaged hard disk, partition table or memory.
First you should check your hardware. Boot from a live CD, check filesystems, use smarttools to check your disk, run a tool like memtest86 to check system memory.
Neither I nor, it seems, anyone else is convinced you are hacked. Post some of this definitive evidence you have if you're completely convinced, but until you do, this looks very much like a hardware error, particularly if you're having similar problems with every install.
As far as security, you could go nuts with wrappers, firewalls, and the like, or just get a router and don't forward any unnecessary ports to your machine. Unless you've made yourself a target, there is probably no one dedicated enough to randomly hack into your freshly installed machine repeatedly.
I really hate to sound antagonistic, but working in tech support, I learned that every person not familiar with computers who has a problem of any kind with their computer will immediately blame either a virus or a hacker, and will do so with an insistent fervor.
Quote:
Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was a netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now.
Please be aware that having a lot of CONNECTED entries showing up in netstat output is actually normal, particularly if they are unix sockets. It is a very, very common way for the various bits and pieces of the system to communicate with each other.
Quote:
He is even hacking the Knoppix Live CD according to the results of the Netstat.
If you downloaded Knoppix from a good source (like one recommended by Knoppix) and checked the md5sum of the download, the chances of it being hacked are extremely close to zero. Live CDs are read-only devices that can't be altered by a cracker.
Quote:
Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.
The way LQ handles suspected security breaches is by looking at the facts, and we don't simply take someone's word for it that they've been cracked. As czaherr pointed out, cracking is blamed for far too much, and what you've posted here suggests hardware failure, not cracking.
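The point made in the reply above about CONNECTED unix sockets can be checked mechanically. The following is an added example, not part of any poster's reply: it sorts `netstat -an` text into same-machine traffic and connections that actually have an outside peer. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `netstat -an` text into local IPC vs. real network peers.

# Reads netstat output on stdin; prints one summary line, then one line per
# ESTABLISHED connection whose foreign address is not loopback.
classify_netstat() {
    awk '
    $1 == "unix" {                       # Unix domain socket: same-machine IPC
        for (i = 2; i <= NF; i++) if ($i == "CONNECTED") unix_connected++
        next
    }
    $1 ~ /^(tcp|udp)6?$/ {               # Proto Recv-Q Send-Q Local Foreign [State]
        foreign = $5; state = $6
        if (state == "LISTEN") { listening++; next }
        if (state != "ESTABLISHED") next
        if (foreign ~ /^127\./ || foreign ~ /^::1:/ || foreign ~ /^::ffff:127\./) {
            loopback++; next             # machine talking to itself over TCP
        }
        peers[++remote] = foreign        # the only entries with an outside peer
    }
    END {
        printf "unix_connected=%d loopback=%d listening=%d remote=%d\n",
               unix_connected, loopback, listening, remote
        for (i = 1; i <= remote; i++) print "remote peer: " peers[i]
    }'
}

# Constructed sample (not the poster's output); addresses are documentation ranges.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:51234      203.0.113.5:443         ESTABLISHED
tcp        0      0 127.0.0.1:631           127.0.0.1:40022         ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     8123     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     9001     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     9002
unix  2      [ ]         DGRAM                    9100     /dev/log
EOF
}

sample_netstat | classify_netstat
```

On a live system the same function can be fed directly with `netstat -an | classify_netstat`; only the lines listed as remote peers involve another machine.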
Look, you've already told us you don't have a clue what that output even means, and it's frankly amusing you think your hacker managed countless connections to your Knoppix environment in the very short window of time he had to identify your new OS and find exploits for it, then execute them.
You really don't seem to get how networking really works, given your dismay at a netstat report, but I'll bite. Post some output for us. From netstat, from your logs, anything to show us you were not only hacked, but to show us how. We aren't psychic here, and there are thousands of ways to hack a system.
Post the proof you say you have. If it's true, someone here will certainly catch it. But honestly, that you really think someone hacked your knoppix environment through a read only environment in a tiny window of time just tells me you have very little understanding of unix networking and you're letting your imagination run away with you.
I mean seriously, you said it yourself, you don't understand the error message. Your reason for edit says this is a foreign language to you and you don't understand any of it. Therefore, it's definitely a hacker? Take my word for it, there's a reason the FBI is ignoring you, you aren't being hacked. I've worked in networking over 10 years, and I've heard your story a million times from everyone from moms to CEOs, but I've never once seen someone persistently harassed by a hacker. This isn't a cheesy 90s hacker movie. It's just not that easy and probably not worth anyone's time. If you were serious enough to be a target, you already have a team of security engineers on this, not arguing on LQ.
Yes in the context of using it as evidence of hacking....in this case.
No in the context of using it in a fundamentally proper way as a tool.
Do you have a problem with me having a problem with anything? Maybe you could have phrased your question slightly differently.
Your original post consisted of "LOL" and a smiley, which is hardly a constructive way to educate someone about the proper use, or not, of any tool. What would have been nice is if you had posted why you think netstat isn't appropriate here. So given your original post, I think my question was phrased very properly.
Besides, netstat can be an extremely useful tool in uncovering evidence of a compromise. Granted, one has to keep in mind that it may have been compromised as well, but that would have required a cracker to get root access, and not all cracks do that. So in my opinion, netstat definitely has a place in an investigator's toolbox.
I have to agree with Hangdog42 on this issue. 'netstat' is a tool and can be useful as a tool when utilized properly to investigate.
One needs to look holistically when working to find out potential problems. You cannot rely on one point to provide the answer(s) when things of this sort are addressed. Trouble-shooting requires the use of the whole toolbox and knowing which tools to provide the answers or solutions!
Is everyone convinced that this was a serious post? The style suggests (at least to my very warped mind) either:
a. A joke (taking the piss) or
b. A bit of trolling
As I said, it's really hard for me to take this post too seriously.
ciao,
jdk