LinuxQuestions.org > Linux - Security > How to extract log files from a compromised distro
https://www.linuxquestions.org/questions/linux-security-4/how-to-extract-log-files-from-a-compromised-distro-4175697310/

liquidglass 07-05-2021 04:09 PM

How to extract log files from a compromised distro
 
I am totally reluctant to post this as I fear a torrent of scorn and ridicule. Yes, I have installed - previously - an ISO that was insufficiently verified. I was still running Windows so it is harder to check the signature in particular. Obviously, if I had googled the significance of verifying the signature I would not be writing this post now.

The image had checked out and I finally decided to install it. I installed it without persistence using Rufus directly over Windows 7 and it seemed to have gone well. I am using a wireless connection with an adapter I especially ordered which works with Linux out of the box.

After I adjusted a few things I logged off but not before looking at Netstat where I saw several IP addresses connected to my computer. I copied them down and checked them on my Windows laptop with a special utility. All three addresses were universities, one of them in Europe.

I was puzzled by this. Subsequently I also noticed that my modem would show someone logged in to my wireless network after I had already logged off. Apparently there are some installations that come with malware that gives a hacker access every time the user is logged in.

I decided to download another ISO from a different place and install it over the old one. I used my Windows laptop for this, of course, and yes, this time I did manage to verify the signature. Unfortunately and quite stupidly I did not reset my modem and the hacker was back within a day or two.

The trouble is, I’m not sure how these types of malware work. Is it a Trojan, a worm, a keylogger? Would resetting the modem eliminate this issue?

But more importantly, how did they gain access to the new installation which was clean as far as verifiable with checksums and sig??

I need to export those system log files (all the logs actually) but how do I do this without exporting the virus as well? I have heard people say that once you’re hacked the log files can get altered to hide the evidence but in a post in Ubuntu somewhere it says there are signs, including the attempts at obfuscating.

Thanks for reading. Any constructive feedback is appreciated.

rkelsen 07-05-2021 04:29 PM

How to extract log files from a compromised distro
 
Boot a live CD and copy the logs to a USB stick.

But I have to ask: What distro, and where did you download it from?

liquidglass 07-05-2021 06:35 PM

Sorry, what?

I understand “copy the logs to a USB stick.”

I do not understand “Boot a live CD.” Can you please explain what you mean by that?

Do you mean I should boot the ISO that I installed on that laptop? That is on a USB, btw, not a disk. Is the reasoning that a clean copy of Linux Mint will load and be impervious to the virus? And will it have access to those logs? (I would think not.)

Also, is WiFi needed to download the logs?

Thanks rkelsen, looking forward to your reply.

Grobe 07-05-2021 06:50 PM

Quote:

Originally Posted by liquidglass (Post 6264170)
I do not understand “Boot a live CD.” Can you please explain what you mean by that?

This one should explain clearly the what and why:
https://www.youtube.com/watch?v=fU3zCL5g_7E

liquidglass 07-06-2021 12:52 PM

I’m sorry @Grobe maybe I should have anticipated this and explained that I can’t watch any YouTube videos right now.

I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?

Thanks for trying to help.

pan64 07-06-2021 01:49 PM

Quote:

Originally Posted by liquidglass (Post 6264113)
I installed it without persistence using Rufus directly over Windows 7 and it seemed to have gone well. I am using a wireless connection with an adapter I especially ordered which works with Linux out of the box.

After I adjusted a few things I logged off but not before looking at Netstat where I saw several IP addresses connected to my computer. I copied them down and checked them on my Windows laptop with a special utility. All three addresses were universities, one of them in Europe.

It would be nice to know more about it. It looks strange to me.
Quote:

Originally Posted by liquidglass (Post 6264113)
Subsequently I also noticed that my modem would show someone logged in to my wireless network after I had already logged off. Apparently there are some installations that come with malware that gives a hacker access every time the user is logged in.

How do you know that? Can you give us some details?
Quote:

Originally Posted by liquidglass (Post 6264113)
I decided to download another ISO from a different place and install it over the old one. I used my Windows laptop for this, of course, and yes, this time I did manage to verify the signature. Unfortunately and quite stupidly I did not reset my modem and the hacker was back within a day or two.

And again, how do you know that?
Quote:

Originally Posted by liquidglass (Post 6264113)
The trouble is, I’m not sure how these types of malware work. Is it a Trojan, a worm, a keylogger? Would resetting the modem eliminate this issue?

But more importantly, how did they gain access to the new installation which was clean as far as verifiable with checksums and sig??

Obviously we have no idea; you gave no real information or detail.
Quote:

Originally Posted by liquidglass (Post 6264113)
I need to export those system log files (all the logs actually) but how do I do this without exporting the virus as well? I have heard people say that once you’re hacked the log files can get altered to hide the evidence but in a post in Ubuntu somewhere it says there are signs, including the attempts at obfuscating.

You can safely copy those log files (actually I don't know which files), that will not harm anything.

But first you need to boot another OS, which is surely not infected. That's why it was suggested to download and boot a live CD. And probably reset your modem.


Quote:

Originally Posted by liquidglass (Post 6264440)
I’m sorry @Grobe maybe I should have anticipated this and explained that I can’t watch any YouTube videos right now.

You have another Windows laptop, I guess; you can use that to create that live CD (actually on a USB) and boot it. But probably not.
Quote:

Originally Posted by liquidglass (Post 6264440)
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?

Believe me, it is much easier (and much more efficient) to send a link to a good page instead of copying that content or explaining it again in a few lines. Not only for me, but also for you.

But first of all without details we cannot help you further.
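The procedure rkelsen and pan64 describe (boot a known-clean live system, mount the suspect installation without running anything from it, copy its logs to a stick) as an added shell example; this is not code from the thread, and the mount points, device names and the collect_logs/verify_logs functions are assumptions. It also writes a SHA-256 manifest at collection time so that any later alteration of the copy can be detected.

```shell
#!/bin/sh
# Added example (not from the thread): copy /var/log from a suspect
# installation that has been mounted read-only from live media, and
# record hashes of the copy.
#
# Assumed layout (adjust device names to your disks; both need root):
#   mkdir -p /mnt/suspect
#   mount -o ro,noexec,nosuid,nodev /dev/sdXN /mnt/suspect   # installed system
#   mount /dev/sdYN /media/usb                               # collection stick
# ro/noexec/nosuid mean nothing on the suspect disk is written or executed.

set -eu

# collect_logs SRC_ROOT DEST
#   SRC_ROOT: mount point of the suspect system's root filesystem
#   DEST:     directory on the collection medium
# Copies SRC_ROOT/var/log (mode and timestamps preserved) into
# DEST/var_log and writes DEST/SHA256SUMS covering every copied file.
collect_logs() {
    src="$1/var/log"
    dest="$2"
    [ -d "$src" ] || { echo "no log directory under $1" >&2; return 1; }
    mkdir -p "$dest/var_log"
    # -R recursive, -p keep mode/timestamps (timestamps are themselves
    # evidence), -P do not follow symlinks, so a link pointing outside
    # /var/log on the suspect system is copied as a link, not as content.
    cp -RpP "$src/." "$dest/var_log/"
    # Hash from inside DEST so the manifest holds relative paths and can be
    # re-checked from anywhere with: (cd DEST && sha256sum -c SHA256SUMS)
    ( cd "$dest" && find var_log -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$dest/SHA256SUMS"
    # Every copied file must appear in the manifest; a mismatch means a
    # file was skipped (e.g. unreadable) and the collection is incomplete.
    n_files=$(find "$dest/var_log" -type f | wc -l)
    n_hashed=$(wc -l < "$dest/SHA256SUMS")
    [ "$n_files" -eq "$n_hashed" ]
}

# verify_logs DEST: re-hash the collected copy; succeeds only if unchanged.
verify_logs() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}
```

The manifest proves only that the copy has not changed since collection; if the logs were already edited on the compromised system, as liquidglass worries, the hashes cannot reveal that.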

Grobe 07-06-2021 01:51 PM

I don't do your homework
 
Quote:

Originally Posted by liquidglass (Post 6264440)
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?

No, nothing wrong, but these are subjects that under normal circumstances can be searched up on the internet on Google, DuckDuckGo, etc., requiring little effort.

Also, nobody pays me anything to participate in this forum so I don't see what is wrong about not wasting my time on simple tasks that one must expect the thread starter to perform him/herself.

It's like - I don't do your homework, if you see what I mean.

TB0ne 07-06-2021 03:25 PM

Quote:

Originally Posted by liquidglass (Post 6264170)
Sorry, what?
I understand “copy the logs to a USB stick.”

I do not understand “Boot a live CD.” Can you please explain what you mean by that? Do you mean I should boot the ISO that I installed on that laptop? That is on a USB, btw, not a disk. Is the reasoning that a clean copy of Linux Mint will load and be impervious to the virus? And will it have access to those logs? (I would think not.)

Also, is WiFi needed to download the logs?

I'm seeing an oft-repeated pattern in these posts, one that's been recurring for about a year or so. Hoping this isn't yet another in that long line, but what you're posting and saying isn't adding up logically.

You loaded Linux; so you obviously know how to not only download Linux, but create bootable media...yet don't understand how to boot from it? How did you install Linux if you can't boot? You claim 'malware that gives hackers access' to your modem. What evidence do you have? How did you see this? And is it more likely some 'hacker' got in through 'malware', or that you have a neighbor using your wifi? Or a device in your house is logged into your network??

You say yourself:
Quote:

Originally Posted by liquidglass
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?

...yet you still haven't said what you downloaded, from where, despite being asked. Seems like a pretty straightforward question with a straightforward answer.

You're at once claiming to be knowledgeable (asking about UFW/firewall settings, which ports are open, able to track wifi 'hackers', reset modems, etc.), and also so inexperienced that you don't know how to boot from external media.

I'm with pan64; provide some evidence, answer some easy questions that you've been asked, and provide details and we can try to help. Otherwise, there is nothing we can tell you.

rkelsen 07-06-2021 11:10 PM

Quote:

Originally Posted by liquidglass (Post 6264440)
I also don’t see anything inherently wrong with answering a pretty straightforward question with a straightforward answer that doesn’t require one to jump through any additional hoops?

Perhaps this will help then: https://en.wikipedia.org/wiki/Live_CD

I'm going to reiterate my question: Please tell us what you downloaded and from where. The kind of incidents you're referring to are not common in Linux distributions or Open Source software in general.

As can be seen with the Audacity debacle, 'phoning home' is a practice which is routinely condemned, and software which does so is all but admonished from the community. The developers of Audacity have had to back down, and have now modified theirs to be an 'opt-in' system, instead of 'opt-out' by default.

Hence my curiosity about what you downloaded and where you got it.

ondoho 07-07-2021 02:51 AM

Quote:

Originally Posted by liquidglass (Post 6264113)
I am totally reluctant to post this as I fear a torrent of scorn and ridicule. Yes, I have installed - previously - an ISO that was insufficiently verified. I was still running Windows so it is harder to check the signature in particular. Obviously, if I had googled the significance of verifying the signature I would not be writing this post now.

The image had checked out and I finally decided to install it. I installed it without persistence using Rufus directly over Windows 7 and it seemed to have gone well. I am using a wireless connection with an adapter I especially ordered which works with Linux out of the box.

After I adjusted a few things I logged off but not before looking at Netstat where I saw several IP addresses connected to my computer. I copied them down and checked them on my Windows laptop with a special utility. All three addresses were universities, one of them in Europe.

I was puzzled by this. Subsequently I also noticed that my modem would show someone logged in to my wireless network after I had already logged off. Apparently there are some installations that come with malware that gives a hacker access every time the user is logged in.

I decided to download another ISO from a different place and install it over the old one. I used my Windows laptop for this, of course, and yes, this time I did manage to verify the signature. Unfortunately and quite stupidly I did not reset my modem and the hacker was back within a day or two.

The trouble is, I’m not sure how these types of malware work. Is it a Trojan, a worm, a keylogger? Would resetting the modem eliminate this issue?

But more importantly, how did they gain access to the new installation which was clean as far as verifiable with checksums and sig??

I need to export those system log files (all the logs actually) but how do I do this without exporting the virus as well? I have heard people say that once you’re hacked the log files can get altered to hide the evidence but in a post in Ubuntu somewhere it says there are signs, including the attempts at obfuscating.

Thanks for reading. Any constructive feedback is appreciated.

All this seems very unlikely.
I just answered another post where you broke your system (essentially turning a stable release into a testing release, rebooting, getting weird glitches) and suspected you got infected.
Now it's something to do with image file verification?

As others said, take a deep breath and do not rush to conclusions until you have some proof.

Occam's razor applies.

