LinuxQuestions.org > Linux - Security > Mouse, keyboard, window getting hijacked by unknown hacker (https://www.linuxquestions.org/questions/linux-security-4/mouse-keyboard-window-getting-hijacked-by-unknown-hacker-4175596751/)

Corbee 01-03-2017 11:48 PM

Mouse, keyboard, window getting hijacked by unknown hacker
 
I have a home computer that uses Linux. For some reason my system comes alive: the mouse clicks different apps by itself and the keyboard types cruel, sadistic words and calls me a shiny bald head.

To remedy this,

1. I checked 'enable firewall' on my modem router
2. Kept switching to different Linux distros
3. Changed the root password and user password
4. But the problem persists.

My system either
1. crashes (applications won't run, usually if I use a GNOME flavor)
2. or the problem persists, the hacker writing stuff on my PC (usually KDE and generic X Windows)
3. also the hacker can disable my internet connection at times (DDoS?)
4. and even worse, hijack my browser session (email account, etc.).

There is only one PC connected to the modem, no wifi, only local connection. So I'm quite sure the hacker comes from the internet.
How do I fix this?

astrogeek 01-04-2017 12:36 AM

It would be helpful if you could supply additional information such as your current Linux distro and version at least, which will help others to help you more efficiently.

Some information on your router would also be helpful, there have been several recent exploits reported for some models.

Also, does anyone else have physical access to this machine? When did this start and how frequently does it occur?

From the description that you have provided, the first thing to do is to disconnect the machine from the internet immediately. If you have any important data on it, make backups but consider them suspect as well.

If you want to perform any forensics on the system then keep it offline and powered off until you can organize your approach to that or turn it over to someone who can help with it.

If you simply want to clean it up and start over, then "clean up" should consist of a complete wipe of the system, reformat the hard drive and reinstall from fresh, current sources. Configure your services and firewall before connecting to the internet, and verify your router type and configuration as well.

So, to repeat, please provide more complete information on your Linux distro, hardware and router model and configuration, and a more complete history of the exploit, and someone here with matching knowledge will try to help.

Corbee 01-04-2017 02:47 AM

My current Linux is Bodhi Linux 4.0.0; so far he is able to destabilize the system and crash CUPS and Midori.

Router is Zyxel

I'm the only one who has physical access to the machine. It started when I brought home an infected Android. At first I didn't pay attention to it until everyone in the neighborhood started to complain about their phones. Then something funny started to happen to my computer, so I cut the wifi and formatted my PC time and time again using different Linux distros, but I think it was too late; the hacker somehow had permanent access to my IP address, I think.

The attack frequently occurs during the evening.

Where can I find the best firewall configuration guide before connecting to the internet?
I'll give the full details of my router model once I get home.

RadicalDreamer 01-04-2017 02:57 AM

Perhaps it is in UEFI/Bios http://blog.trendmicro.com/trendlabs...arget-systems/

ondoho 01-04-2017 09:03 AM

Quote:

Originally Posted by Corbee (Post 5650065)
my system comes alive, the mouse clicks different apps by itself and the keyboard types cruel sadistic words and called me a shiny bald head.

I'm a little unsure as to how serious you are.
please show us (i.e. post output, screenshots etc.) what REALLY happens.

the mouse: could just be a broken mouse/touchpad.

the text: how, when, in which apps?

also, how did you install your current distro, have you done anything non-standard to it (install SW from 3rd-party sources etc.)?

rokytnji 01-04-2017 10:17 AM

See if a port is open I guess.

http://www.yougetsignal.com/tools/open-ports/

You should get a blocked readout after hitting check.

TheEzekielProject 01-04-2017 11:05 AM

Quote:

To remedy this,

2 kept switching to different linux distros

By "switching to different linux distros", do you mean that you wiped, formatted (especially the boot partition!), and installed a new OS on the affected machine?

If so, it is likely not coming from the computer.

When you say
Quote:

also the hacker could disable my internet connection at times
Do you mean you are connected to your network but have no internet access (which, you are correct, would likely be a DoS attack) or does your NIC get shut off?

Quote:

the hacker somehow had permanent access to my ip address i think.
Unless you pay for a static IP (pricey) from your ISP, your IP should change fairly regularly.

You mentioned it started from an infected android phone but no other details about the phone or infection.

To check for open ports try
Code:

nmap -p- yourdevicesprivateIPhere

c0wb0y 01-04-2017 02:27 PM

If it's even true, it's good that he let you notice the intrusion.

petelq 01-04-2017 04:18 PM

Zyxel modem/routers have definitely been compromised. My IP provides Zyxel and although I use my own I've had about 5 emails from them giving me instructions as to how they can fix it. I notice also that Zyxel have provided at least 2 firmware updates recently.
Even though I'm not using the router I updated the firmware anyway.
If the router is supplied by your IP they should have contacted you. If it's your own then using a different router or computer, do a google check. I haven't looked but there's sure to be something on the web about it.

PS I'm not sure that the firmware updates actually address the problem, but I'm not connecting the Zyxel for my ISP to fix.

wpeckham 01-04-2017 04:26 PM

If I WANTED to cause those symptoms, I would get the bluetooth settings and keep connecting using an android app with remote keyboard/mouse features. I can just imagine some neighbor kid giggling away next door listening to you curse and taking notes.

petelq 01-04-2017 04:32 PM

Quote:

Originally Posted by wpeckham (Post 5650429)
If I WANTED to cause those symptoms, I would get the bluetooth settings and keep connecting using an android app with remote keyboard/mouse features. I can just imagine some neighbor kid giggling away next door listening to you curse and taking notes.

That's assuming the OP always has unprotected Bluetooth switched on. There is definitely a problem with suspect Zyxel routers.

Corbee 01-04-2017 09:20 PM

Wow, that's a lot to fill in.

I just switched to Sabayon Linux. I find that if I use Linux with systemd, he easily destroys my OS; plus I read a couple of articles about systemd causing crashes.

Quote:

By "switching to different linux distros", do you mean that you wiped, formatted (especially the boot partition!), and installed a new OS on the affected machine?

If so, it is likely not coming from the computer.
Yes, I reformatted it, so my conclusion is either BIOS malware or an infected router.

Quote:

Do you mean you are connected to your network but have no internet access (which, you are correct, would likely be a DoS attack) or does your NIC get shut off?
Yes, I'm connected to my internet, but couldn't access my internet regardless of how many times I restart it. I don't think the NIC got shut off because there was a notification icon showing that I'm trying to connect.

Quote:

Unless you pay for a static IP (pricey) from your ISP, your IP should change fairly regularly.

You mentioned it started from an infected android phone but no other details about the phone or infection.

To check for open ports try
I know that my IP changes every reset, but I think the connection to the DHCP server is static. There was a time a technician showed it to me on the router's admin dashboard, that the IP is supposed to be static when inside the ISP's network.

The Android is a long story; it's got all the symptoms of a compromised phone: choppy communication, applications opening by themselves, camera all of a sudden running, phone running very hot. People around my neighborhood also reported the same symptoms and thought their phones were broken. From what I read, even a factory reset doesn't help my phone. I'm not sure how they had it, but I suspect it was the same hacker.

I guess I'll try to do an nmap.

Quote:

I'm a little unsure as to how serious you are.
please show us (i.e. post output, screenshots etc.) what REALLY happens.

the mouse: could just be a broken mouse/touchpad.

the text: how, when, in which apps?

also, how did you install your current distro, have you done anything non-standard to it (install SW from 3rd part sources etc.)?
If I'm disconnected from the internet my system appears stable: the mouse runs well and doesn't just open a random text editor to MOCK SOMEONE AND CALL HIM A SHINY BALD HEAD, so I'm pretty sure it's that nasty hacker.

No, I downloaded from official sources.

Quote:

Perhaps it is in UEFI/Bios http://blog.trendmicro.com/trendlabs...arget-systems/
I tried resetting the BIOS, but the problem persists. I don't think Linux will run with Secure Boot enabled. Maybe it's too late for my mobo.

I'm not sure if iptables is effective; I tried using Puppy Linux and running the firewall, but had the same symptoms.

Are ports the only thing I should worry about?

Quote:

Zyxel modem/routers have definitely been compromised. My IP provides Zyxel and although I use my own I've had about 5 emails from them giving me instructions as to how they can fix it. I notice also that Zyxel have provided at least 2 firmware updates recently.
Even though I'm not using the router I updated the firmware anyway.
If the router is supplied by your IP they should have contacted you. If it's your own then using a different router or computer, do a google check. I haven't looked but there's sure to be something on the web about it.

PS I'm not sure that the firmware updates actually address the problem, but I'm not connecting the Zyxel for my ISP to fix.
It came together with my ISP, but I think they won't mind if I update the firmware :) I think this is my best bet.

Quote:

If I WANTED to cause those symptoms, I would get the bluetooth settings and keep connecting using an android app with remote keyboard/mouse features. I can just imagine some neighbor kid giggling away next door listening to you curse and taking notes.
That's assuming the OP always has unprotected Bluetooth switched on. There is definitely a problem with suspect Zyxel routers.
My router doesn't have Bluetooth. But I'm curious, how powerful is Android as a hacking utility?

c0wb0y 01-04-2017 09:40 PM

That sounds like some pretty serious stuff going on there. Get a new router with updated firmware. Reset the CMOS.

If your new Linux install seems to get pwned every time, you really need to throw the router away, as it is very likely that the routes and DNS on it are poisoned. You must have antagonized someone really badly.

wpeckham 01-05-2017 07:23 AM

On other posts I advised some simple anti-malware steps: ClamAV, hardening, rootkit detection. Some there banged on the "Linux does not need that, it is immune" drum. I wish I could invite them to read this and reconsider their stand.

If you can bring up machines off-network, install protection, restrict needed services and eliminate those not needed, install protection software, configure your system and only THEN connect it to the network, you can avoid many problems, even when under serious threat.

That ISP may have had their equipment infected and used in the attacks. I would not assume ANYTHING is clean and safe until you verify it for yourself. That means assuming some level of threat, and protecting against it at every step. If that sounds paranoid, consider yourself in a position where being paranoid predicts your (network) survival.

Were we neighbors, I would offer more help. Being able to visit with some secure hardware and IDS software on CD would be a big help about now.

sundialsvcs 01-05-2017 08:07 AM

No, this guy obviously either has an open port leading to X-windows, or, more likely I think, he does have a malicious neighbor playing with Bluetooth. And, if his router has firewall capability, it is obviously turned off.

All times are GMT -5.