Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hey guys, long time no post! I started using Ubuntu and its various strains about two years ago, mainly because I had very little hardware configuration to do. I learned Linux (if you call it learned) with Slackware, so to have something work out of the box was a relief to someone who was busy and just wanted a working non-Microsoft computer. Anyway, I got lazy and my machine was compromised at some point. I don't know when because, like I said, I was lazy; I never checked logs, verified repositories, never even checked the first md5 sum. I still can't remember how I discovered it, but at any rate once I found that I was being visited I started trying to find out what was where. As you might suspect I could not find the source, so I thought what the hell, I'll just reinstall my OS. Well, it was right there again upon first reboot. Long story short, I tried everything from installing with a new hard drive and memory to running nothing but a single stick of fresh RAM with a live CD; same thing every time. I finally discovered that my BIOS had been altered. Any changes I make are immediately discarded and/or ignored, and the backbone of the kit, the ACPI system, is totally hidden so I can't even deal with it. It is ghosting itself in my video card's expansion ROM. It's really impressive. I can't even be mad about it 'cause I'm like dayum, nice. So, here's my question. I know that the files on my external have been tampered with, all my pictures and flaks from years and years; what should I do with them? I will be chunking everything but I want to save my pics and home videos. I have a fresh Lenny install compiling a kernel on an old iMac G4 800 right now that will be my new machine, but I'm afraid to plug in my external.
I'm hoping I can reflash and save my PC, but if not I don't care. What say ye Linux geeks of the interwebs?
As for the BIOS, it would only keep some changes; others would revert even if I didn't let the OS boot. Some features that were there a year ago, like the ACPI stuff, were totally gone. Also, while poking around with Hiren's Boot CD and Ultimate Boot CD, one of the BIOS utilities said I had an active virus in CMOS; this happened with both CDs. As for the video ROM, I just have a strong suspicion based on my untrained eye that the video ROM was involved somehow. Once I read more about the subject I was convinced. It's in there.
From your posts I see:
0. you did not take care of your machine properly,
1. your machine got compromised at an earlier stage,
2. you did not investigate the breach of security properly.
By reading documents, by not verifying what you think you see you arrived at the conclusion it is a BIOS rootkit.
However talking about something is not the same as actually posting "evidence", besides:
- For-fun-or-profit exploiting of vulnerabilities in software running as system accounts that do not require root account rights is common, while the amount of (confirmed) rootkit incidents has dropped dramatically over the past five or more years.
- Because of the effort required, deploying a rootkit should occur when a target (or adjacent target) is sufficiently "interesting" for a cracker.
- Right now implementing and deploying a BIOS rootkit would require considerably more effort compared to deploying a "regular" rootkit.
- Rootkits by definition are meant to allow the cracker to keep a low profile. Physical manifestations like opening CD trays or easily detectable alterations do not fit in this type of cracker's MO.
- I have not read about any Linux BIOS rootkit implementations yet, and reading available documentation does in no way suggest that running Live CDs, changing RAM, wiping or replacing hard drives will aid in detecting this type of rootkit (while comparing firmware hashes could help).
- I haven't yet read about any Linux tools to detect BIOS rootkits easily.
Since it is not known which OS you ran at the time (for all I know you might have run mcrsft), since no evidence was gathered, since you verified nothing, since the state of the hardware is unknown, since running tools from a Live CD containing cracked software is questionable itself, and given the 6 arguments I offered above, I see no reason to agree with your conclusion of a BIOS rootkit.
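As an added example (not from any poster in this thread) of the firmware-hash comparison unSpawn mentions: a small Python baseline tool that records SHA-256 hashes of firmware images and reports which ones changed, went missing or are new on a later dump. The flashrom command and the sysfs option-ROM path in the docstring are real mechanisms; the PCI address, the labels and the sample images are assumptions constructed for the demo.

```python
"""Firmware integrity baseline: hash firmware images once, re-check them later.
Images come from out-of-band dumps run as root (the tool and sysfs path are
real, the PCI address is a placeholder):
    flashrom -p internal -r bios.bin                  # system BIOS/UEFI flash
    echo 1 > /sys/bus/pci/devices/0000:01:00.0/rom    # expose the card's option ROM
    cat /sys/bus/pci/devices/0000:01:00.0/rom > gpu.rom
Check hashes against the vendor's published images from a trusted host: a dump
taken on a suspect machine can itself be misreported."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(images: dict[str, Path]) -> dict[str, str]:
    """Map each label ('bios', 'gpu-oprom', ...) to the hash of its image."""
    return {label: sha256_of(path) for label, path in images.items()}

def compare_baseline(baseline: dict[str, str], images: dict[str, Path]) -> dict[str, str]:
    """Per label: 'unchanged', 'CHANGED', 'missing' (baselined, not dumped) or 'new'."""
    current = build_baseline(images)
    report = {}
    for label, old_hash in baseline.items():
        if label not in current:
            report[label] = "missing"
        else:
            report[label] = "unchanged" if current[label] == old_hash else "CHANGED"
    for label in current:
        report.setdefault(label, "new")
    return report

def demo_run() -> dict[str, str]:
    """Constructed sample: two fake images, a baseline, then one image altered."""
    d = Path(tempfile.mkdtemp())
    (d / "bios.bin").write_bytes(b"\xff" * 64)
    (d / "gpu.rom").write_bytes(b"\x55\xaa" + b"\x00" * 30)  # 55AA: option ROM signature
    images = {"bios": d / "bios.bin", "gpu-oprom": d / "gpu.rom"}
    baseline = build_baseline(images)
    (d / "gpu.rom").write_bytes(b"\x55\xaa" + b"\x01" * 30)  # simulate a modified ROM
    images["nic-oprom"] = d / "bios.bin"                       # an image not in the baseline
    return compare_baseline(baseline, images)
```

Store the baseline (and the vendor hashes you compared it against) off the machine, since a baseline kept on a suspect host proves nothing.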
Awesome dude, you rock, and you're waaay smart. Thanks for the help.
It might be a good idea to consider the intent behind unSpawn's comments. If you read most of the threads here from people who suspect they've been cracked, the common thread is that there is much guessing, theorizing and general speculation but nothing based on facts. The vast majority of cases never get solved simply because the owner sticks their head in the sand and pretends it never happened.
This is truly unfortunate because there are several very experienced people in this forum willing to help. However, that help has to be based on facts, and if you wish to cooperate by posting those facts (logs, etc.) then you'll get the help you're looking for.
Yeah, I could have guessed that. See, the problem here is the logs lie, so that's pointless. Bottom line here is I know things changed drastically. I went from no floppy drive to 3 virtual floppies overnight and literally dozens of other virtual devices that did not exist prior. Also my /boot directory became an executable, not a regular directory. Whether I have the proof to satisfy whoever's whatever is really of no concern to me. My machine was thoroughly owned and I don't need confirmation. My question was simply how should I handle my files I'd like to keep, and let's assume that you have no idea what got it but you know something did. I've been using Linux for going on 15 years now and I have done it because I enjoy it. I'm not some hardcore dude who can code and whatnot, but I like the challenge sometimes. In all those years one thing has remained constant: the arrogant and belittling attitude of people like whatever his name was.
Quote:
My machine was thoroughly owned and I don't need confirmation. My question was simply how should I handle my files I'd like to keep, and let's assume that you have no idea what got it but you know something did.
And there is the crux of your problem. Without spending some time figuring out what happened, you'll never have any idea if you can safely save any of your files. Sure, you can make the assumption that data files are safe, but that is an assumption. Are they actually safe? Who knows? Your guess is as good as anyone else's.
Quote:
In all those years one thing has remained constant: the arrogant and belittling attitude of people like whatever his name was.
What I've learned from this forum is that if I simply pay attention to what is going on, there is a lot to be learned. I see lots of people like you coming in here for help and nearly 100% of them ignore the advice given and stick their head in the sand about their problems. From where I sit, the problem lies with the people asking for help at least as much as the people offering it.
Quote:
I went from no floppy drive to 3 virtual floppies overnight and literally dozens of other virtual devices that did not exist prior. Also my /boot directory became an executable, not a regular directory.
These occurrences do not pass nowonmai's first law of "have I been owned?". This states that if there is no obvious route to monetising how your system is misbehaving, chances are it's not malware.
Basically, the days of random vandalism have long passed. Most exploits these days are for pretty much the same small group of purposes: email/CC# harvesting, spam generation & relaying, and botnets. If your system is not exhibiting behaviour in keeping with these goals, the likelihood is that it's not malware.
There exist various server hacks that would seem to step outside this rule, but these are stepping stones to these same goals.
Quote:
I went from no floppy drive to 3 virtual floppies overnight and literally dozens of other virtual devices that did not exist prior. Also my /boot directory became an executable, not a regular directory.
Have you tried monitoring (from a different computer) the network traffic between this "owned" computer and the internet? If you see changes in your setup, but no network traffic to cause it, then the changes are occurring due to some internal program, not an external hacker controlling your computer.
Even crackers won't do that randomly; you are wrong in using the "hacker" term here.
But checking out network traffic is recommended. What distribution are you using (and what version)?
And by the way, what kind of problems do you always experience since that accident?
You can ensure your images, texts and videos are safe by running them in a separate PC on a virtual machine.
Okay, so I got a little pissed, sorry about that. I guess the problem is I didn't phrase my question right and I got impatient. I guess what I'm really asking is: can a trojan 'infect' files that, if launched, would check for its server program, then rebuild or repair it if it doesn't find anything? I was just curious as to what is possible, or likely. I should fess up now how I got in the situation to begin with. I ran a live version of BackTrack 3 and used it for a few days. I was playing with the Burp Suite's spider at Facebook; something happened. Not sure what, but it never was the same after that. I'd love to understand the why, but I need that external disk for the room to do a clean install of something. I got it now, I got new everything, 'cepts video card, lol. I'm keeping a close eye now, but for a minute there I didn't give a damn.
I was thinking you guys could read my mind, and my love of doing shit with a blind fury (for real) only made the hole deeper. I have gotten some great help over the years, some not so great, ymmv.