LinuxQuestions.org
Old 08-18-2010, 10:15 AM   #1
MsRefusenik
LQ Newbie
 
Registered: Aug 2010
Location: Chicago area
Distribution: OsDisc.com
Posts: 5

Rep: Reputation: 0
My network is hacked for sure. I want to reinstall but it will be hacked again.


Please believe me when I say my new Ubuntu install was hacked. Before that the Mac on which it was installed was hacked for over two years by the same person. I have forensic evidence that takes up boxes. I just can't get the F.B.I. to do their job. Anyhow, the hacker destroyed the install. When you turn on the computer, this is what it says:

init:error while reading from descriptor/bad filedescriptor
init: nwclockmain process (353/terminated with status 2
init: plymouth main process (352) terminated with status 2
init: nread ahead main process (354) terminated with status 3
/bin/sh: can't open /proc/self/fd/8
init: mountall main process (355) terminated with status 2
init: plymouth - stop pre-start process (359) terminiated with stats 2
init: mountall - shell main process (362) terminated with status 2
/bin/sh: can't open /proc/self/fd/8
init: mountall-shell past-stop process (363) terminated with status 2

I have no idea what this means or if it means I can't reinstall. I was able to get the grub file and it only replied with this same message.

Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was a netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now. How will I ever clean that tangled mess out to have any hope of computing with my reinstall without being hacked? He is even hacking the Knoppix Live CD according to the results of the Netstat.

Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.

Thank you.

Last edited by MsRefusenik; 08-26-2010 at 07:29 PM. Reason: This is NOT solved. I don't understand any of it. It's all a foreign language to me. Why can't I just erase and reinstall?
 
Old 08-18-2010, 10:52 AM   #2
craigevil
Senior Member
 
Registered: Apr 2005
Location: OZ
Distribution: Debian Sid
Posts: 4,732
Blog Entries: 12

Rep: Reputation: 455
First disconnect the computer and any other system from the internet. Second, wipe the hard drive using a livecd.

Then buy a router, preferably one you can install dd-wrt or tomato on.

Read Securing Debian Manual http://www.debian.org/doc/manuals/se...-debian-howto/
Linux Security HOWTO http://tldp.org/HOWTO/Security-HOWTO/
Securing a New Ubuntu Installation - https://help.ubuntu.com/community/Ma...ringNewInstall

Install a firewall like moblock on the pc and lock it down using Bastille or SELinux.

Stick to the packages in your distro's repositories and you will be fine.

Last edited by craigevil; 08-18-2010 at 10:55 AM.
 
Old 10-16-2010, 08:41 PM   #3
ndarkduck
LQ Newbie
 
Registered: Nov 2008
Location: Mex,Mex
Distribution: Fedora || Red Hat Linux
Posts: 28

Rep: Reputation: 7
XD! Are you serious? It seems more like a hardware failure XD!!!!! You just need iptables on your computer, and to be sure that no one has physical access to it.
 
0 members found this post helpful.
Old 10-17-2010, 12:18 AM   #4
mesiol
Member
 
Registered: Nov 2008
Location: Lower Saxony, Germany
Distribution: CentOS, RHEL, Solaris 10, AIX, HP-UX
Posts: 731

Rep: Reputation: 137
Hi,

I agree with ndarkduck that none of the above reported errors are related to any kind of hack. This really sounds like a damaged hard disk, partition table or memory.

First you should check your hardware. Boot from a live cd, check filesystems, use smarttools to check your disk, run a tool like memtest86 to check system memory.
 
0 members found this post helpful.
Old 10-17-2010, 12:23 AM   #5
jtarin
Member
 
Registered: May 2010
Location: Vladivostok, Russia
Distribution: Slackware 13.0, Linux Mint 17.0
Posts: 97

Rep: Reputation: 22
Quote:
netstat -an
LOL
 
0 members found this post helpful.
Old 10-17-2010, 12:34 AM   #6
czarherr
Member
 
Registered: Sep 2003
Location: Suwon, Korea
Distribution: Slackware 13
Posts: 288

Rep: Reputation: 32
Neither I, nor it seems anyone else, is convinced you are hacked. Post some of this definitive evidence you have if you're completely convinced, but until you do, this looks very much like a hardware error, particularly if you're having similar problems with every install.

As far as security, you could go nuts with wrappers, firewalls, and the like, or just get a router and don't forward any unnecessary ports to your machine. Unless you've made yourself a target, there is probably no one dedicated enough to randomly hack into your freshly installed machine repeatedly.

I really hate to sound antagonistic, but working in tech support, I learned that every person not familiar with computers who has a problem of any kind with their computer will immediately blame either a virus or a hacker, and will do so with an insistent fervor.

Last edited by czarherr; 10-17-2010 at 12:36 AM.
 
Old 10-17-2010, 08:02 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
Quote:
Anyhow, trying to plan what to do to avoid being hacked next time, I did many things, one of which was an netstat -an from a Live Knoppix CD on my computer. It showed so many "connected" not just listening points that I feel the situation is hopeless. They are all through Unix right now.
Please be aware that having a lot of CONNECTED entries showing up in netstat output is actually normal, particularly if they are unix sockets. It is a very, very common way for the various bits and pieces of the system to communicate with each other.

Quote:
He is even hacking the Knoppix Live CD according to the results of the Netstat.
If you downloaded Knoppix from a good source (like one recommended by Knoppix) and checked the md5sum of the download, the chances of it being hacked are extremely close to zero. Live CDs are read-only devices that can't be altered by a cracker.

Quote:
Will you please give me some serious, much needed advice and spare me all the b.s. about how do I know I'm really hacked. I could write a book about how I really know I'm hacked.
The way LQ handles suspected security breaches is by looking at the facts, and we don't simply take someone's word for it that they've been cracked. As czarherr pointed out, cracking is blamed for far too much, and what you've posted here suggests hardware failure, not cracking.

@jtarin

You have a problem with netstat?
 
2 members found this post helpful.
Old 10-17-2010, 11:02 AM   #8
czarherr
Member
 
Registered: Sep 2003
Location: Suwon, Korea
Distribution: Slackware 13
Posts: 288

Rep: Reputation: 32
Look, you've already told us you don't have a clue what that output even means, and it's frankly amusing you think your hacker managed countless connections to your knoppix environment in the very short window of time he had to identify your new os and find exploits for it, then execute them.

You really don't seem to get how networking really works, given your dismay at a netstat report, but I'll bite. Post some output for us. From netstat, from your logs, anything to show us you were not only hacked, but to show us how. We aren't psychic here, and there are thousands of ways to hack a system.

Post the proof you say you have. If it's true, someone here will certainly catch it. But honestly, that you really think someone hacked your knoppix environment through a read only environment in a tiny window of time just tells me you have very little understanding of unix networking and you're letting your imagination run away with you.

I mean seriously, you said it yourself, you don't understand the error message. Your reason for edit says this is a foreign language to you and you don't understand any of it. Therefore, it's definitely a hacker? Take my word for it, there's a reason the FBI is ignoring you, you aren't being hacked. I've worked in networking over 10 years, and I've heard your story a million times from everyone from moms to CEOs, but I've never once seen someone persistently harassed by a hacker. This isn't a cheesy 90s hacker movie. It's just not that easy and probably not worth anyone's time. If you were serious enough to be a target, you already have a team of security engineers on this, not arguing on LQ.

Last edited by czarherr; 10-17-2010 at 11:17 AM.
 
Old 10-17-2010, 12:04 PM   #9
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,044
Blog Entries: 1

Rep: Reputation: 1370
Hi,

Guys, the OP posted this in Aug/10. No response since, so don't expect any reply or input for this 2+ month old thread from the OP.

It would surprise me if we get a reply.
 
Old 10-17-2010, 12:44 PM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
D'OH! Missed the date entirely.
 
Old 10-18-2010, 01:02 AM   #11
jtarin
Member
 
Registered: May 2010
Location: Vladivostok, Russia
Distribution: Slackware 13.0, Linux Mint 17.0
Posts: 97

Rep: Reputation: 22
Quote:
Originally Posted by Hangdog42 View Post
@jtarin

You have a problem with netstat?
Yes in the context of using it as evidence of hacking....in this case.
No in the context of using it in a fundamentally proper way as a tool.
Do you have a problem with me having a problem with anything? Maybe you could have phrased your question slightly differently.
 
Old 10-18-2010, 06:51 AM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
Quote:
Originally Posted by jtarin View Post
Yes in the context of using it as evidence of hacking....in this case.
No in the context of using it in a fundamentally proper way as a tool.
Do you have a problem with me having a problem with anything? Maybe you could have phrased your question slightly differently.

Your original post consisted of "LOL" and a smiley, which is hardly a constructive way to educate someone about the proper use, or not, of any tool. What would have been nice is if you had posted why you think netstat isn't appropriate here. So given your original post, I think my question was phrased very properly.

Besides, netstat can be an extremely useful tool in uncovering evidence of a compromise. Granted, one has to keep in mind that it may have been compromised as well, but that would have required a cracker to get root access, and not all cracks do that. So in my opinion, netstat definitely has a place in an investigator's toolbox.
 
1 members found this post helpful.
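As an added example, not code from anyone in this thread, the script below parses constructed `netstat -an` output and separates the unix-socket CONNECTED entries Hangdog42 describes in posts #7 and #12 from the TCP connections that actually have a remote peer; the sample lines, hosts and inode numbers are made up.

```python
import re
from collections import Counter

# Constructed sample shaped like Linux `netstat -an` output; hosts, ports and
# inode numbers are made up, not taken from anyone's machine.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:43210      203.0.113.5:80          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     12346    /var/run/dbus/system_bus_socket
unix  3      [ ]         DGRAM                    12348    /dev/log
unix  3      [ ]         STREAM     CONNECTED     12349    @/tmp/.X11-unix/X0
"""
# unix lines: proto, refcount, [flags], type, optional state, inode, optional path
UNIX_RE = re.compile(r"^unix\s+\d+\s+\[[^\]]*\]\s+(?P<type>\S+)\s+"
                     r"(?:(?P<state>[A-Z]+)\s+)?(?P<inode>\d+)")
# tcp/udp lines: proto, recv-q, send-q, local, foreign, optional state
INET_RE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+"
                     r"(?P<foreign>\S+)(?:\s+(?P<state>[A-Z_]+))?")

def classify(netstat_text):
    """Count entries per category and list the remote peers of ESTABLISHED TCP
    connections. Unix CONNECTED sockets are IPC between processes on the same
    host and carry no foreign address, so they are never remote peers."""
    counts, remote_peers = Counter(), []
    for line in netstat_text.splitlines():
        m = UNIX_RE.match(line)
        if m:
            if m.group("state") == "CONNECTED":
                counts["unix_connected"] += 1        # local IPC, no remote side
            else:
                counts["unix_other"] += 1            # LISTENING or stateless DGRAM
            continue
        m = INET_RE.match(line)
        if not m:
            continue                                  # banner and header lines
        if m.group("proto").startswith("udp"):
            counts["udp"] += 1
        elif m.group("state") == "LISTEN":
            counts["tcp_listen"] += 1
        elif m.group("state") == "ESTABLISHED":
            counts["tcp_established"] += 1
            remote_peers.append(m.group("foreign"))  # the only real remote side
        else:
            counts["tcp_other"] += 1
    return counts, remote_peers
```

Run against the sample, only one entry has a remote host at all; the unix CONNECTED lines that alarmed the original poster are local processes talking to each other.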
Old 10-18-2010, 07:53 AM   #13
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,044
Blog Entries: 1

Rep: Reputation: 1370
Hi,

I have to agree with Hangdog42 on this issue. 'netstat' is a tool and can be useful as a tool when utilized properly to investigate.

One needs to look holistically when working to find out potential problems. You cannot rely on one point to provide the answer(s) when things of this sort are addressed. Trouble-shooting requires the use of the whole toolbox and knowing which tools provide the answers or solutions!
 
Old 10-18-2010, 08:41 AM   #14
jdkaye
Senior Member
 
Registered: Dec 2008
Location: Westgate-on-Sea, Kent, UK
Distribution: Debian Testing Amd64
Posts: 4,455

Rep: Reputation: Disabled
Is everyone convinced that this was a serious post? The style suggests (at least to my very warped mind) either:
a. A joke (taking the piss) or
b. A bit of trolling
As I said, it's really hard for me to take this post too seriously.
ciao,
jdk
 
Old 10-18-2010, 09:10 AM   #15
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,044
Blog Entries: 1

Rep: Reputation: 1370
Hi,

OP date & no feedback from OP could indicate such. But the current posts since do provide good points.
 