LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-01-2016, 11:34 PM   #1
GreyBeard
Member
 
Registered: Oct 2003
Location: Taxachusetts, USA
Distribution: Slackware
Posts: 45

Rep: Reputation: 1
Want absolutely complete disk erasure without any possibility of virtual machine interference.


Hi,

I have a Slackware Linux system which is acting strangely. I am afraid that virtual machine software has been installed on my machine and that the machine I think is my machine is actually a virtual machine and/or a rootkit has taken over and/or that my BIOS has been modified.

The symptoms I have include failure to log in properly and some programs are hanging or being very slow. Boot SEEMS to go OK.

I have checked all system file checksums and they are all correct. I have re-installed the entire system to no avail. I have run every virtual machine detector that I can find on line and they show nothing. I have considered the possibility that there is a hardware error somewhere which only affects logins, but I don't know how to test for that. (Ironically I used to write hardware diagnostics so I know how limited they can be.)

What I want to do is physically disconnect the machine from the net, ENTIRELY erase the physical disk (not a virtual disk) including boot blocks, reinstall but stay offline. Update my BIOS. Erase the disk again, then re-install, check patch checksums, do all patches, take a snapshot of everything, and then reconnect to the network. All of this is in the hopes of having a clean machine which functions properly again.

However I am afraid that if I just use the DD command to wipe the disk it will only wipe the disk of a virtual machine. If there is a virtual machine there I need an erasure program which only deals with physical devices and not virtual devices.

That or any other suggestions would be appreciated.

Thanks,
Jeff B.
 
Old 03-01-2016, 11:48 PM   #2
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.2, LFS-current, NetBSD 6.1.3, OpenIndiana
Posts: 319

Rep: Reputation: 112
If you're that worried, take the hard drive out, put it in another machine and wipe the disk.
 
Old 03-02-2016, 12:03 AM   #3
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Blog Entries: 4

Rep: Reputation: 842
Hi Jeff...

I'm not sure if it's strictly for physical drives but if it's for personal use, you can see if DBAN will work. If I remember correctly, they used to be an Open Source project (at least I thought they were) but now they have a free version for home use and a paid version for business/organizational use.

Regards...
 
Old 03-02-2016, 12:11 AM   #4
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
I would not presume to dismiss your concerns, but I would have to seriously ask myself who might do such a thing and why. That would be pretty far outside the scope of anything that might be called "ordinary" intrusion.

I would ask myself why anyone would have reason, resources and opportunity to target me in such a way, and I would want to see some strong evidence that it had in fact been done. Only you can evaluate the answers to that line of questioning.

Then, if you really think it has happened, I would not even attempt to clean it up... I would do the following:

* 1. Remove the hard drive and either physically destroy it or store it where it will never be reused for anything other than your own forensics.
* 2. Disassemble the hardware and discard each piece separately and destructively.
* 3. Do one of the following...
** 3.a. Remain offline, do not replace the computer, and never again login to any previous online account - ever, from anywhere.
** 3.b. On some random day, take a cab to a computer store you have never been to, in a part of town you never visit - buy a new machine of only the minimum specs necessary for your uses, pay cash. NEVER leave it unattended in bootable condition - remove the drive when not in use and keep it in your possession at all times. If it hiccups, trash it.

Only you can decide if your concerns are well founded or not. But if you really think that they are, and you seriously want to end whatever may be happening, you can't end it by wiping the drive...
 
1 members found this post helpful.
Old 03-02-2016, 07:38 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3940
"Friend, you are thrashing." You don't yet know where the trouble is, so you're blowing holes in your own walls with your shotgun. Stop that.

The symptoms that you have described are that "performance is very slow" and that "login sometimes fails." (But you don't give details as to precisely what sort of failure it is.) Therefore, initially assume that your system has not "been compromised," and start looking through the logs in /var/log. Use the SMART self-diagnosis capability that is built into every modern hard drive to see if the drive thinks that it is failing.

(It is certainly possible that an imminent hardware failure e.g. of a disk drive or some component of the motherboard could be a contributing cause.)

I assume that you have been keeping a "Captain's Log, stardate 3113.2," because "tomorrow is yesterday." When did the symptoms first appear, and what happened at or immediately prior to that moment in time? Do not "try to remember," because you don't.

"Penetration and total compromise system" ranks second only to "cosmic rays" as a proffered explanation of why your computer has gone south, and snake-oil salesmen have gone to great lengths to encourage that notion. Most of the time, though, the reality is mundane.

Last edited by sundialsvcs; 03-02-2016 at 07:41 AM.
 
3 members found this post helpful.
Old 03-02-2016, 11:43 AM   #6
beachboy2
Senior Member
 
Registered: Jan 2007
Location: Wild West Wales, UK
Distribution: Linux Mint 21 MATE, EndeavourOS, antiX, MX Linux
Posts: 3,972
Blog Entries: 32

Rep: Reputation: 1465
ardvark71,

Just to point out that the popular DBAN does NOT erase hidden areas (e.g. Host Protected Area and Device Configuration Overlay), unlike Blancco and the Internal Secure Erase method on Disk Eraser.


See post #6:

http://www.linuxquestions.org/questi...dd-4175563804/
 
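A pre-wipe check for the hidden areas beachboy2 mentions, added here as an example rather than code from any poster: it parses the `max sectors = visible/native` line that `hdparm -N` prints and the `Real max sectors:` line from `hdparm --dco-identify` (both output formats are assumed from hdparm's documentation), so you can tell before running dd whether the device node actually exposes the whole platter.

```shell
#!/bin/sh
# Added example, not code from the thread. A plain `dd if=/dev/zero of=/dev/sdX`
# only reaches the sectors the drive currently exposes; an HPA or DCO shrinks
# that range. `hdparm -N DEV` prints (assumed format):
#   max sectors   = 234441648/234441648, HPA is disabled
# i.e. visible/native. Hidden sectors = native - visible.

# hpa_hidden_sectors "LINE": print the number of sectors hidden by an HPA
# (0 when none). Exit status 0 = nothing hidden, 1 = sectors hidden,
# 2 = the line could not be parsed.
hpa_hidden_sectors() {
    counts=$(printf '%s\n' "$1" |
        sed -n 's/^max sectors *= *\([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$counts" ] || { echo unparsable; return 2; }
    visible=${counts% *}
    native=${counts#* }
    echo $((native - visible))
    [ "$native" -eq "$visible" ]
}

# dco_hides_sectors "TEXT" NATIVE: `hdparm --dco-identify DEV` prints
# "Real max sectors: N" (assumed format). Exit 0 if that value is not larger
# than the native count hdparm -N reported (or no DCO line is present),
# 1 if the DCO is hiding capacity beyond even the HPA-native size.
dco_hides_sectors() {
    real=$(printf '%s\n' "$1" |
        sed -n 's/^Real max sectors: *\([0-9][0-9]*\).*/\1/p')
    [ -n "$real" ] || return 0     # no DCO information: nothing to compare
    [ "$real" -le "$2" ]
}

# check_drive DEV: run both checks on a real block device (needs root and
# hdparm). DEV is whatever you intend to pass to dd, e.g. /dev/sdb.
check_drive() {
    dev=$1
    nline=$(hdparm -N "$dev" 2>/dev/null | grep '^max sectors')
    hidden=$(hpa_hidden_sectors "$nline") || rc=$?
    [ "${rc:-0}" -eq 2 ] && { echo "$dev: cannot read HPA state"; return 2; }
    native=${nline##*/}; native=${native%%,*}
    dco=$(hdparm --dco-identify "$dev" 2>/dev/null)
    if [ "$hidden" -gt 0 ] || ! dco_hides_sectors "$dco" "$native"; then
        echo "$dev: hidden sectors present ($hidden behind HPA); dd will miss them"
        return 1
    fi
    echo "$dev: no HPA/DCO hidden area; dd over $dev covers $native sectors"
}
```

Run `check_drive /dev/sdX` as root before wiping; a non-zero status means a raw dd over the device node would not reach every sector, so the hidden area must be removed or a firmware-level secure erase used instead.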
Old 03-02-2016, 12:51 PM   #7
ardvark71
LQ Veteran
 
Registered: Feb 2015
Location: USA
Distribution: Lubuntu 14.04, 22.04, Windows 8.1 and 10
Posts: 6,282
Blog Entries: 4

Rep: Reputation: 842
Quote:
Originally Posted by beachboy2
ardvark71,

Just to point out that the popular DBAN does NOT erase hidden areas (e.g. Host Protected Area and Device Configuration Overlay), unlike Blancco and the Internal Secure Erase method on Disk Eraser.


See post #6:

http://www.linuxquestions.org/questi...dd-4175563804/
Hi beachboy2...

Thank you for the heads up on that, I wasn't really sure but I thought I would throw DBAN out there as a potential solution.

Regards...
 
Old 03-03-2016, 01:17 AM   #8
GreyBeard
Member
 
Registered: Oct 2003
Location: Taxachusetts, USA
Distribution: Slackware
Posts: 45

Original Poster
Rep: Reputation: 1
Not helpful

>> RE: astrogeek

>> I would not presume to dismiss your concerns,

Well, you ARE being very dismissive and presumptuous.


>> but I would have to seriously ask myself who might do such a thing and why.

Why? Because my machine is up and on-line 24x7. Ever hear of a botnet? Every machine a botnet owner can acquire is a valuable resource, especially one which is always on.


>> I would ask myself why anyone would have reason, resources and opportunity to target me in such a way,

I would not presume that anyone is targeting ME. If in fact there has been an intrusion it is because some bad guy out there has found a generic way to attack and take over the kind of system I have and, having somehow found my machine and determined what it's running, etc, then they automatically applied the right software can-opener to it.

The Chinese, BTW, do have the resources AND they have been caught attacking our computing infrastructure AND, if that's not bad enough, they have now been caught selling hardware to us which hooks up with servers back in China. Now WHY would they do that?

There are other groups out there, too, who take over machines whenever and however they can, and for their own reasons. Search a large enough number of compromised machines and you find things like files of passwords and other valuable data. Compromise a large enough number of machines and you can bring down a nation. Electronic Pearl Harbors have already happened SO WISE UP.

The rest of your suggestions were snide and worthless.


>> RE: sundialsvcs

Same to you.

-----------------

And thank you to the rest of you.

Last edited by GreyBeard; 03-03-2016 at 01:21 AM.
 
Old 03-03-2016, 02:13 AM   #9
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
I am sorry that you took it that way, it was definitely not intended that way.

Please allow me to restate my point very briefly and I will not trouble you again.

In your original post you said...

Quote:
I am afraid that virtual machine software has been installed on my machine and that the machine I think is my machine is actually a virtual machine and/or a rootkit has taken over and/or that my BIOS has been modified.
The internet is a nasty place and in my opinion the fight has already been lost to the botnets and spammers and various abusers, especially state sponsored exploitation (and I don't have the Chinese in mind...).

That said, what you describe in that paragraph is absolutely not an ordinary, untargeted, random botnet hijack of your system! Period.

Only you can know whether that is the case or not, and I did not dismiss your concern. In fact I assumed that you must have some reason for reaching such a conclusion, such as high-value data on your machine, or perhaps something related to your professional life. In any event, your description would indicate that you are a high value target, worthy of the exploit and I assumed that might indeed be the case.

What I did was to say that you should re-examine the reasons that you reached that conclusion, who might have access to do this as it is not a common botnet exploit, and what they might be after - only you know what is on your machine that might be of sufficient value for such an intrusion.

Having made that re-examination, if you still feel that to be a likely scenario, then you do indeed need to take very serious steps to put it to an end - some of which I then described.

But you now say...

Quote:
I would not presume that anyone is targeting ME. If in fact there has been an intrusion it is because some bad guy out there has found a generic way to attack and take over the kind of system I have
Which makes suspicion of altered BIOS and installation of an invisible virtual machine on which your machine runs, unlikely, to say the very least.

So now you have staked out opposite extremes, highly targeted and sophisticated exploit, vs generic and untargeted botnet...

I say again that you need to re-examine what is actually happening and respond appropriately - which was my original point.

Best of luck.
 
Old 03-07-2016, 10:38 PM   #10
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 164

Rep: Reputation: 18
It seems like Bruce Schneier's bcwipe should be mentioned here. One can use the old Gutmann 35 pass wipe in that. But just Schneier's 7 pass seems really good (included).
The only problem is for SSD's (as in thumbdrives). A single pass is usually enough BUT stuff you wrote can get swapped out to backup cells. So you never know if you're erasing more than just one copy of the data. The firmware moves your data around so that no address gets used too much more than the rest of the addresses.
And for government threat models, worry about the thumbdrive firmware. They also contain serial numbers.
But for the nearly hospitalized paranoid, revert to an old 1.44M floppy. No serial number. The only firmware (if any) is in the old drive. Then get to know /dev/*random and dd as mentioned above.
BTW: degaussing is a poor idea. That (like erasure) only reduces stored fields down about 60 dBm at best. The disk recovery services simply remove the physical magnetic disk, mount it in a machine, and crank the amplifiers up as far as they want until they get acceptable signals. Then they start playing field strength differencing games as if nothing was erased.
But I'm no physicist. And I haven't read many papers on this. If I said something wrong, please correct me somebody.

Last edited by linuxStudent11; 03-07-2016 at 10:42 PM.
 
Tags
boot, kde, linux, slackware, virtualbox