LinuxQuestions.org
Old 12-10-2010, 06:58 PM   #1
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Linux Mint - Tara
Posts: 497

Rep: Reputation: 35
Debian shows file permissions change when copied to a Windows partition.


Some time back using this computer a SucKit rootkit was found.
Having dd urandomed the drive, flattened CMOS battery, flashed BIOS, run Knoppix live CD 6.1, using no flat pack battery (laptop), and memtested the RAM, I am still having problems with what I suspect is a JavaScript file that tries to reload the rootkit from ??firmware. I suspect the firmware as everything else should have eradicated it??

Also it or a hacker via a backdoor then corrupts the drivers so devices malfunction. Windows security programs and rootkit detectors don't seem to pick it up. Fresh installs of Windows or Linux after the above still show this problem, though internet not used. The person who admitted rootkitting this machine is capable of writing Java programs or using JavaScripts to do all this.

When viewed using Ubuntu 8.4, files and dates on a Windows partition appear normal both in file manager and terminal. However, booting using Knoppix CD, these files are all green, and I cannot change their permissions, even as root, i.e. everything is green including text files etc. If I copy them to a Linux partition, I can change their permissions and make them nonexecutable and nonwritable. Also on the Windows FAT32 partition the . directory has the date 1 Jan 1970.

If I disable any green files, I can shut down and reboot cleanly.
If I don't, I start having problems shutting down [/usr/sbin/init ?]
And always these follow a pattern:

Can't remember details as I have now corralled the beast but error messages relating to:

nfs-server
inet.d/statd

are the start of these.

Has anyone else experienced this, and is it just a quirk in Debian or something sinister going on?
 
Old 12-11-2010, 05:10 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I think it is far more likely that you have a simple hardware malfunction. Having wiped the system as severely as you did and re-installing everything, you should be fine. I think that the person who supposedly admitted writing Javascript to do this to you is trying to mess with you.

As far as the file permissions go, remember that Windows does NOT support the Linux concept of file permissions. It doesn't use the inode concept. Consequently, attempting to apply Linux/Unix permissions on such a file system is meaningless, especially in any sort of persistent sense.

With regards to the date of 1 Jan 1970, this is the first date of the Windows date time format, which uses an offset in system ticks of 33.3mS from an origin date. This tells me that the date-time of the file was erased or never set in the first place. Perhaps there is a problem with the RTC battery?

As far as your other problems, would you please provide some specific information such as the error messages and log entries?
 
Old 12-11-2010, 06:53 PM   #3
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Linux Mint - Tara
Posts: 497

Original Poster
Rep: Reputation: 35
I agree, hence the posting. However things are not. Although I suppose he could know my MAC address and is using something like Dynamic DNS to know when I am online, and begin hacking.

"I think it is far more likely that you have a simple hardware malfunction."
The hardware works fine after fresh install in WinXP or Linux, but as time goes on CD and DVD drives especially start to malfunction but work properly again after a fresh install.
It is not the hardware, but the hacking that causes them to malfunction. He installs wrong drivers. I have had to deal with details of these computer malfunctions and hacking for some time and you have not.

"I think that the person who supposedly admitted writing Javascript to do this to you is trying to mess with you." SUPPOSEDLY??! Are you saying I'm lying? Exactly, what do you mean by this?

I have known him and you have not. To say I do not know what is going on about either of these matters, and you do, is extremely patronising and unhelpful, to say the least.

It is a long story, but I found a script called 'maz connects to the internet' in Kate but before I could open it, it disappeared from the screen. He is the only person here who knows that nickname. Shortly after this he contacted me asking for a favor but admitted then he had rootkitted the machine. He knew details on my laptop he could not have known without having physical access to the screen or remote access such as vncviewer. I found out accidentally that he had engaged in industrial espionage for an employer, and the flatmates at two shared houses he lived in had complained about hacking when he left. I gave him the benefit of the doubt at first, besides hacking can be very insidious as well. He also said things like "you have no open ports" and was insistent I turn on ssh. Also "what firewall are you using?" The pattern of hacking was like someone running a script, always the same. He wanted physical access to the laptop. The hacking began when he moved out. The hacking appears to have ceased now, due to MAC control and elimination of any JavaScripts. In the end I regarded him as an unpaid penetration tester, to try out different firewalls. You do not know him. He is a vindictive, controlling sociopath. His first psychiatrist actually visited me at work, to warn me about him, and later so did some people who knew him before me. I definitely had doubts before this but he was very deceitful and manipulative. One hospital discharged and barred him from the psych ward and hospital because he was harmful to other patients.

Anyway, back to the technical issues at hand.
The file permissions. I should have said I can't change these either using Linux OR WinXP as the operating system, as administrator or user, when they are on the Windows partition. However if I copy them to a Linux partition using a live CD, I can change the permissions easily. It seems suspicious as ALL files are green including text files that shouldn't be.

There is no problem with the CMOS or RTC battery, besides I think such a thing would be obvious, and is readily fixable especially on a laptop. I have had none of the symptoms of this. It retains settings just fine. Again I suspect you are patronising me and not contributing anything useful to the discussion.

I'll look back through notes I have kept or try to recreate the problem and post the exact details of the error messages. However, the point remains, these error messages only occur when JavaScripts have not been removed or disabled by changing their permissions to non-executable. I believe when they run, they install SucKit rootkit via /sbin/init changes. THEN a lot of other things start to happen such as hardware malfunction. If they don't run, no problems or hardware malfunctions. I need to stress this hacking is not just snooping but very damaging and vindictive and repetitious - or at least until I threw a router in front of my laptop. At the moment that is all that is connected to laptop, i.e. laptop doesn't share router. Router is just for security measures.
 
Old 12-11-2010, 07:27 PM   #4
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,600

Rep: Reputation: 1944
Quote:
the Windows FAT32 partition
...
The file permissions. I should have said I can't change these either using Linux OR WinXP as the operating system, as administrator or user, when they are on the Windows partition. However if I copy them to a Linux partition using a live CD, I can change the permissions easily. It seems suspicious as ALL files are green including text files that shouldn't be.
FAT doesn't support permissions so all files on it will have all permissions enabled no matter what you do.
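
Added example, not part of any post in this thread: a small Python check that illustrates the point made in replies #2 and #4. It reads mount lines in /proc/mounts format, finds the mount that holds a path, and reports the single mode the kernel synthesizes for every file on a FAT mount from the `fmask`/`umask` mount options. The device names, mount points and sample lines are constructed for illustration.

```python
import stat

# Filesystems that store no Unix mode per file; the kernel synthesizes one
# mode for all files from the mount options instead.
NO_UNIX_MODES = {"vfat", "msdos"}

# Constructed sample in /proc/mounts format (devices and paths are made up).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw,relatime 0 0
/dev/sda1 /media/sda1 vfat rw,relatime,fmask=0000,dmask=0000 0 0
/dev/sdb1 /mnt/usb vfat rw,noexec,relatime,fmask=0000,dmask=0000 0 0
/dev/sda3 /mnt/data vfat rw,relatime,fmask=0133,dmask=0022 0 0
"""


def parse_mounts(text):
    """Return (mountpoint, fstype, options-dict) for each mount line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        mounts.append((fields[1], fields[2], opts))
    return mounts


def mount_for(path, mounts):
    """Pick the mount with the longest mountpoint that contains path."""
    def covers(mp):
        return path == mp or path.startswith(mp.rstrip("/") + "/")
    return max((m for m in mounts if covers(m[0])), key=lambda m: len(m[0]))


def explain(path, mounts_text=SAMPLE_MOUNTS):
    """Say whether the mode bits shown for path are stored or synthesized."""
    _, fstype, opts = mount_for(path, parse_mounts(mounts_text))
    if fstype not in NO_UNIX_MODES:
        return {"fstype": fstype, "synthesized": False}
    mask = opts.get("fmask", opts.get("umask"))
    # Ignores the FAT read-only attribute, which only clears the write bits.
    mode = None if mask is None else 0o777 & ~int(mask, 8)
    shown_exec = mode is not None and bool(mode & 0o111)
    return {
        "fstype": fstype,
        "synthesized": True,
        "mode": None if mode is None else stat.filemode(stat.S_IFREG | mode),
        "all_files_look_executable": shown_exec,  # drawn green by ls --color
        "kernel_will_execute": shown_exec and "noexec" not in opts,
    }
```

On a live system, pass the contents of `/proc/mounts` as `mounts_text`. A result with `all_files_look_executable` set describes the "everything is green" display as a property of the mount options, not of the individual files.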
 
  

