LinuxQuestions.org


MsRefusenik 08-18-2010 10:15 AM

My network is hacked for sure. I want to reinstall but it will be hacked again.
 
Please believe me when I say my new Ubuntu install was hacked. Before that the Mac on which it was installed was hacked for over two years by the same person. I have forensic evidence that takes up boxes. I just can't get the F.B.I. to do their job. Anyhow, the hacker destroyed the install. When you turn on the computer, this is what it says:

init:error while reading from descriptor/bad filedescriptor
init: nwclockmain process (353/terminated with status 2
init: plymouth main process (352) terminated with status 2
init: nread ahead main process (354) terminated with status 3
/bin/sh: can't open /proc/self/fd/8
init: mountall main process (355) terminated with status 2
init: plymouth - stop pre-start process (359) terminiated with stats 2
init: mountall - shell main process (362) terminated with status 2
/bin/sh: can't open /proc/self/fd/8
init: mountall-shell past-stop process (363) terminated with status 2

I have no idea what this means or if it means I can't reinstall. I was able to get the grub file and it only replied with this same message.

Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was a netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now. How will I ever clean that tangled mess out to have any hope of computing with my reinstall without being hacked? He is even hacking the Knoppix Live CD according to the results of the Netstat.

Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.

Thank you.

craigevil 08-18-2010 10:52 AM

First disconnect the computer and any other system from the internet. Second wipe the hard drive using a livecd.

Then buy a router preferably one you can install dd-wrt or tomato on.

Read Securing Debian Manual http://www.debian.org/doc/manuals/se...-debian-howto/
Linux Security HOWTO http://tldp.org/HOWTO/Security-HOWTO/
Securing a New Ubuntu Installation - https://help.ubuntu.com/community/Ma...ringNewInstall

Install a firewall like moblock on the PC and lock it down using Bastille or SELinux.

Stick to the packages in your distro's repositories and you will be fine.

ndarkduck 10-16-2010 08:41 PM

Quote:

Originally Posted by MsRefusenik (Post 4070329)
Please believe me when I say my new Ubuntu install was hacked. Before that the Mac on which it was installed was hacked for over two years by the same person. I have forensic evidence that takes up boxes. I just can't get the F.B.I. to do their job. Anyhow, the hacker destroyed the install. When you turn on the computer, this is what it says:

init:error while reading from descriptor/bad filedescriptor
init: nwclockmain process (353/terminated with status 2
init: plymouth main process (352) terminated with status 2
init: nread ahead main process (354) terminated with status 3
/bin/sh: can't open /proc/self/fd/8
init: mountall main process (355) terminated with status 2
init: plymouth - stop pre-start process (359) terminiated with stats 2
init: mountall - shell main process (362) terminated with status 2
/bin/sh: can't open /proc/self/fd/8
init: mountall-shell past-stop process (363) terminated with status 2

I have no idea what this means or if it means I can't reinstall. I was able to get the grub file and it only replied with this same message.

Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was a netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now. How will I ever clean that tangled mess out to have any hope of computing with my reinstall without being hacked? He is even hacking the Knoppix Live CD according to the results of the Netstat.

Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.

Thank you.


XD! Are you serious? It seems more like a hardware failure XD!!!!! You just need iptables on your computer, and to be sure that no one has physical access to it.

mesiol 10-17-2010 12:18 AM

Hi,

I agree with ndarkduck that none of the above reported errors are related to any kind of hack. This really sounds like a damaged hard disk, partition table or memory.

First you should check your hardware. Boot from a live CD, check filesystems, use smartmontools to check your disk, run a tool like memtest86 to check system memory.

jtarin 10-17-2010 12:23 AM

Quote:

netstat -an

LOL :)

czarherr 10-17-2010 12:34 AM

Neither I nor, it seems, anyone else is convinced you are hacked. Post some of this definitive evidence you have if you're completely convinced, but until you do, this looks very much like a hardware error, particularly if you're having similar problems with every install.

As far as security, you could go nuts with wrappers, firewalls, and the like, or just get a router and don't forward any unnecessary ports to your machine. Unless you've made yourself a target, there is probably no one dedicated enough to randomly hack into your freshly installed machine repeatedly.

I really hate to sound antagonistic, but working in tech support, I learned that every person not familiar with computers who has a problem of any kind with their computer will immediately blame either a virus or a hacker, and will do so with an insistent fervor.

Hangdog42 10-17-2010 08:02 AM

Quote:

Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was a netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now.

Please be aware that having a lot of CONNECTED entries showing up in netstat output is actually normal, particularly if they are unix sockets. It is a very, very common way for the various bits and pieces of the system to communicate with each other.

Quote:

He is even hacking the Knoppix Live CD according to the results of the Netstat.

If you downloaded Knoppix from a good source (like one recommended by Knoppix) and checked the md5sum of the download, the chances of it being hacked are extremely close to zero. Live CDs are read-only devices that can't be altered by a cracker.

Quote:

Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.

The way LQ handles suspected security breaches is by looking at the facts, and we don't simply take someone's word for it that they've been cracked. As czarherr pointed out, cracking is blamed for far too much, and what you've posted here suggests hardware failure, not cracking.

@jtarin

You have a problem with netstat?
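
Added example, not part of any post in this thread: the point made above is that CONNECTED unix sockets in netstat -an output are local inter-process communication, not remote sessions. The shell function below separates them from established TCP connections to non-loopback peers; the sample output, its addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# sample_netstat: constructed `netstat -an` output (Linux net-tools layout).
# Addresses come from documentation ranges; nothing here is from the thread.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           127.0.0.1:51514         ESTABLISHED
tcp        0      0 192.0.2.10:43210        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:43212        198.51.100.7:80         ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     8001     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8002     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8003
unix  3      [ ]         STREAM     CONNECTED     8004     @/tmp/.X11-unix/X0
unix  2      [ ]         DGRAM                    8005     /dev/log
EOF
}

# netstat_triage MODE: reads `netstat -an` text on stdin.
#   counts -> one line: CONNECTED unix sockets (local IPC), established TCP
#             to loopback, established TCP to any other peer
#   peers  -> unique non-loopback peer addresses, the only entries above
#             that involve another machine and are worth a closer look
netstat_triage() {
    awk -v mode="${1:-counts}" '
        $1 == "unix" && / CONNECTED / { ux++; next }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)          # drop the port
            if (peer ~ /^127\./ || peer == "::1" || peer ~ /^::ffff:127\./)
                lo++
            else { remote++; if (mode == "peers") print peer }
        }
        END {
            if (mode == "counts")
                printf "unix_connected=%d tcp_loopback=%d tcp_remote=%d\n", ux, lo, remote
        }' | sort -u
}

# On a live system: netstat -an | netstat_triage peers
sample_netstat | netstat_triage counts
sample_netstat | netstat_triage peers
```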

czarherr 10-17-2010 11:02 AM

Look, you've already told us you don't have a clue what that output even means, and it's frankly amusing you think your hacker managed countless connections to your Knoppix environment in the very short window of time he had to identify your new OS and find exploits for it, then execute them.

You really don't seem to get how networking really works, given your dismay at a netstat report, but I'll bite. Post some output for us. From netstat, from your logs, anything to show us you were not only hacked, but to show us how. We aren't psychic here, and there are thousands of ways to hack a system.

Post the proof you say you have. If it's true, someone here will certainly catch it. But honestly, that you really think someone hacked your knoppix environment through a read only environment in a tiny window of time just tells me you have very little understanding of unix networking and you're letting your imagination run away with you.

I mean seriously, you said it yourself, you don't understand the error message. Your reason for edit says this is a foreign language to you and you don't understand any of it. Therefore, it's definitely a hacker? Take my word for it, there's a reason the FBI is ignoring you, you aren't being hacked. I've worked in networking over 10 years, and I've heard your story a million times from everyone from moms to CEOs, but I've never once seen someone persistently harassed by a hacker. This isn't a cheesy 90s hacker movie. It's just not that easy and probably not worth anyone's time. If you were serious enough to be a target, you already have a team of security engineers on this, not arguing on LQ.

onebuck 10-17-2010 12:04 PM

Hi,

Guys, the OP posted this in Aug/10. No response since, so don't expect any reply or input for this 2+ month old thread from the OP.

It would surprise me if we get a reply.
:hattip:

Hangdog42 10-17-2010 12:44 PM

D'OH! Missed the date entirely.

jtarin 10-18-2010 01:02 AM

Quote:

Originally Posted by Hangdog42 (Post 4130275)
@jtarin

You have a problem with netstat?

Yes in the context of using it as evidence of hacking....in this case.
No in the context of using it in a fundamentally proper way as a tool.
Do you have a problem with me having a problem with anything? Maybe you could have phrased your question slightly differently. :)

Hangdog42 10-18-2010 06:51 AM

Quote:

Originally Posted by jtarin (Post 4130913)
Yes in the context of using it as evidence of hacking....in this case.
No in the context of using it in a fundamentally proper way as a tool.
Do you have a problem with me having a problem with anything? Maybe you could have phrased your question slightly differently. :)


Your original post consisted of "LOL" and a smiley, which is hardly a constructive way to educate someone about the proper use, or not, of any tool. What would have been nice is if you had posted why you think netstat isn't appropriate here. So given your original post, I think my question was phrased very properly.

Besides, netstat can be an extremely useful tool in uncovering evidence of a compromise. Granted, one has to keep in mind that it may have been compromised as well, but that would have required a cracker to get root access, and not all cracks do that. So in my opinion, netstat definitely has a place in an investigator's toolbox.

onebuck 10-18-2010 07:53 AM

Hi,

I have to agree with Hangdog42 on this issue. 'netstat' is a tool and can be useful as a tool when utilized properly to investigate.

One needs to look holistically when working to find out potential problems. You cannot rely on one point to provide the answer(s) when things of this sort are addressed. Troubleshooting requires the use of the whole toolbox and knowing which tools provide the answers or solutions!
:hattip:

jdkaye 10-18-2010 08:41 AM

Is everyone convinced that this was a serious post? The style suggests (at least to my very warped mind) either:
a. A joke (taking the piss) or
b. A bit of trolling
As I said, it's really hard for me to take this post too seriously.
ciao,
jdk

onebuck 10-18-2010 09:10 AM

Hi,

OP date & no feedback from OP could indicate such. But the current posts since do provide good points.
:hattip:


All times are GMT -5.