[SOLVED] Mouse, keyboard, window getting hijacked by unknown hacker
I have a home computer that uses Linux. For some reason my system comes alive: the mouse clicks different apps by itself and the keyboard types cruel, sadistic words and calls me a shiny bald head.
To remedy this,
1. I checked 'enable firewall' on my modem router
2. kept switching to different Linux distros
3. changed the root password and user password
4. but the problem persists.
My system either
1. crashes (applications won't run, usually if I use a GNOME flavor)
2. or the problem persists, the hacker writing stuff on my PC (usually KDE and generic X Windows)
3. also the hacker can disable my internet connection at times (DDOS?)
4. and even worse, hijack my browser session (email account, etc.).
There is only one PC connected to the modem, no wifi, only a local connection. So I'm quite sure the hacker comes from the internet.
How do I fix this?
It would be helpful if you could supply additional information such as your current Linux distro and version at least, which will help others to help you more efficiently.
Some information on your router would also be helpful, there have been several recent exploits reported for some models.
Also, does anyone else have physical access to this machine? When did this start and how frequently does it occur?
From the description that you have provided, the first thing to do is to disconnect the machine from the internet immediately. If you have any important data on it, make backups but consider them suspect as well.
If you want to perform any forensics on the system then keep it offline and powered off until you can organize your approach to that or turn it over to someone who can help with it.
If you simply want to clean it up and start over, then "clean up" should consist of a complete wipe of the system, reformat the hard drive and reinstall from fresh, current sources. Configure your services and firewall before connecting to the internet, and verify your router type and configuration as well.
So, to repeat, please provide more complete information on your Linux distro, hardware and router model and configuration, and a more complete history of the exploit, and someone here with matching knowledge will try to help.
My current Linux is Bodhi Linux 4.0.0; so far he is able to destabilize the system and crash cups and midori.
Router is Zyxel.
I'm the only one who has physical access to the machine. It started when I brought home an infected Android. At first I didn't pay attention to it until everyone in the neighborhood started to complain about their phone. Then something funny started to happen to my computer, so I cut the wifi and formatted my PC time and time again using different Linux distros, but I think it was too late; the hacker somehow had permanent access to my IP address, I think.
The attack frequently occurs during the evening.
Where can I find the best firewall configuration guide before connecting to the internet?
I'll give the full details of my router model once I get home.
By "switching to different linux distros", do you mean that you wiped, formatted (especially the boot partition!), and installed a new OS on the affected machine?
If so, it is likely not coming from the computer.
When you say
Quote:
also the hacker could disable my internet connection at times
Do you mean you are connected to your network but have no internet access (which, you are correct, would likely be a DOS attack) or does your NIC get shut off?
Quote:
the hacker somehow had permanent access to my ip address i think.
Unless you pay for a static IP (pricey) from your ISP, your IP should change fairly regularly.
You mentioned it started from an infected android phone but no other details about the phone or infection.
Zyxel modem/routers have definitely been compromised. My IP provides Zyxel and although I use my own I've had about 5 emails from them giving me instructions as to how they can fix it. I notice also that Zyxel have provided at least 2 firmware updates recently.
Even though I'm not using the router I updated the firmware anyway.
If the router is supplied by your IP they should have contacted you. If it's your own then using a different router or computer, do a google check. I haven't looked but there's sure to be something on the web about it.
PS I'm not sure that the firmware updates actually address the problem but I'm not connecting the Zyxel for my ISP to fix.
Last edited by petelq; 01-04-2017 at 04:29 PM.
Reason: to add comment re firmware
If I WANTED to cause those symptoms, I would get the bluetooth settings and keep connecting using an android app with remote keyboard/mouse features. I can just imagine some neighbor kid giggling away next door listening to you curse and taking notes.
Quote:
Originally Posted by wpeckham
If I WANTED to cause those symptoms, I would get the bluetooth settings and keep connecting using an android app with remote keyboard/mouse features. I can just imagine some neighbor kid giggling away next door listening to you curse and taking notes.
That's assuming the OP always has unprotected Bluetooth switched on. There is definitely a problem with suspect Zyxel routers.
I just switched to Sabayon Linux. I find that if I use Linux with systemd, he easily destroys my OS; plus I read a couple of articles about systemd causing crashes.
Quote:
By "switching to different linux distros", Do you mean that you wiped, formatted (especially the boot partition!), and installed a new OS on the affected machine?
If so, it is likely not coming from the computer.
Yes, I reformatted it, so my conclusion is either BIOS malware or an infected router.
Quote:
Do you mean you are connected to your network but have no internet access (which, you are correct, would likely be a DOS attack) or does your NIC get shut off?
Yes, I'm connected to my network, but couldn't access the internet regardless of how many times I restart it. I don't think the NIC got shut off because there was a notification icon showing that I'm trying to connect.
Quote:
Unless you pay for a static IP (pricey) from your ISP, your IP should change fairly regularly.
You mentioned it started from an infected android phone but no other details about the phone or infection.
To check for open ports try
I know that my IP changes every reset, but I think the connection to the DHCP server is static. There was a time a technician showed it to me on the router's admin dashboard, that the IP is supposed to be static when inside the ISP's network.
The Android is a long story; it's got all the symptoms of a compromised phone: choppy communication, applications opening by themselves, the camera all of a sudden running, the phone running very hot. People around my neighborhood also reported the same symptoms and thought their phone was broken. From what I read, even a factory reset doesn't help my phone. I'm not sure how they got it, but I suspect it was the same hacker.
I guess I'll try to do an nmap.
Quote:
I'm a little unsure as to how serious you are.
Please show us (i.e. post output, screenshots etc.) what REALLY happens.
The mouse: could just be a broken mouse/touchpad.
The text: how, when, in which apps?
Also, how did you install your current distro, have you done anything non-standard to it (install SW from 3rd party sources etc.)?
If I'm disconnected from the internet my system appears stable, mouse runs well and doesn't just open a random text editor to MOCK SOMEONE AND CALL HIM A SHINY BALD HEAD so I'm pretty sure it's that nasty hacker.
I tried resetting the BIOS, but problem persists. I don't think Linux will run with secure boot enabled. Maybe it's too late for my mobo.
I'm not sure if iptables is effective, I tried using puppy linux and running the firewall, but had the same symptoms.
Are ports the only thing I should worry about?
Quote:
Zyxel modem/routers have definitely been compromised. My IP provides Zyxel and although I use my own I've had about 5 emails from them giving me instructions as to how they can fix it. I notice also that Zyxel have provided at least 2 firmware updates recently.
Even though I'm not using the router I updated the firmware anyway.
If the router is supplied by your IP they should have contacted you. If it's your own then using a different router or computer, do a google check. I haven't looked but there's sure to be something on the web about it.
PS I'm not sure that the firmware updates actually address the problem but I'm not connecting the Zyxel for my ISP to fix.
It came together with my ISP, but I think they won't mind if I update the firmware. I think this is my best bet.
Quote:
If I WANTED to cause those symptoms, I would get the bluetooth settings and keep connecting using an android app with remote keyboard/mouse features. I can just imagine some neighbor kid giggling away next door listening to you curse and taking notes.
That's assuming the op always has unprotected bluetooth switched on. There is definitely a problem with suspect Zyxel routers,
My router doesn't have Bluetooth. But I'm curious, how powerful is Android as a hacking utility?
That sounds like some pretty serious stuff going on there. Get a new router with updated firmware. Reset the CMOS.
If your new Linux install seems to get pwned every time, you really need to throw the router away, as it is very likely that the routes and DNS on it are poisoned. You must have antagonized someone really badly.
On other posts I advised some simple anti-malware steps: ClamAV, hardening, rootkit detection. Some there banged on the "Linux does not need that, it is immune" drum. I wish I could invite them to read this and reconsider their stand.
If you can bring up machines off-network, install protection, restrict needed services and eliminate those not needed, install protection software, configure your system and only THEN connect it to the network, you can avoid many problems. Even when under serious threat.
That ISP may have had their equipment infected and used in the attacks. I would not assume ANYTHING is clean and safe until you verify it for yourself. That means assuming some level of threat, and protecting against it at every step. If that sounds paranoid, consider yourself in a position where being paranoid predicts your (network) survival.
Were we neighbors, I would offer more help. Being able to visit with some secure hardware and IDS software on CD would be a big help about now.
No, this guy obviously either has an open port leading to X-windows, or, more likely I think, he does have a malicious neighbor playing with Bluetooth. And, if his router has firewall capability, it is obviously turned off.
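As an added example that is not part of the original thread, here is a small POSIX shell check for the two concrete things raised above: listing which TCP ports the Linux box is actually listening on (the nmap idea a few posts up, done from the inside) and specifically whether the X server is reachable over TCP on its display port range 6000-6063 (the "open port leading to X-windows" point). It parses the output format of `ss -ltn` or `netstat -ltn`; the sample lines in the block are constructed for the demonstration, not taken from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): spot TCP listeners, and in particular
# an X server exposed on the network, from "ss -ltn" / "netstat -ltn" output.

# Print the unique listening TCP port numbers found on stdin, sorted.
# In both ss and netstat output the 4th field of a LISTEN line is the local
# address, e.g. 0.0.0.0:22, [::]:6000 or *:631; the port is after the last ':'.
listening_tcp_ports() {
    awk '/LISTEN/ {
        n = split($4, p, ":")
        if (p[n] ~ /^[0-9]+$/) print p[n]
    }' | sort -n -u
}

# Report every listener in the X11 display range (display N = port 6000+N).
# Prints one line per exposed display; exit status 0 if any was found, 1 if none.
x11_tcp_listeners() {
    awk '/LISTEN/ {
        n = split($4, p, ":")
        port = p[n] + 0
        if (p[n] ~ /^[0-9]+$/ && port >= 6000 && port <= 6063) {
            print "X11 display :" (port - 6000) " is listening on TCP " $4
            found = 1
        }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample in ss -ltn layout: sshd, a local-only CUPS, and an X
# server bound to every address on IPv4 and IPv6 (the bad case).
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 [::]:6000 [::]:*'

# Stand-alone demo on the constructed sample. On a live box use:
#   ss -ltn | listening_tcp_ports
#   ss -ltn | x11_tcp_listeners || echo "X server is not listening on TCP"
echo "Listening TCP ports:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | listening_tcp_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | x11_tcp_listeners \
    || echo "X server is not listening on TCP"
```

If a display shows up, the X server was started without `-nolisten tcp` (the Xorg option that disables its TCP listener and has been the default on mainstream distributions for years); fixing that, and blocking inbound 6000-6063 at the host firewall and router, removes the path, because a reachable X server accepts input events from any client its access-control list admits. Compare the port list against the services you actually intend to run; anything else is worth explaining before the machine goes back online.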