LinuxQuestions.org
Old 01-18-2010, 01:29 PM   #1
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Rep: Reputation: 0
Rooted, big time with acpi bios kit


Hey guys, long time no post! I started using Ubuntu and its various strains about two years ago, mainly because I had very little hardware configuration to do. I learned Linux (if you can call it learned) with Slackware, so to have something work out of the box was a relief to someone who was busy and just wanted a working non-Microsoft computer. Anyway, I got lazy and my machine was compromised at some point. I don't know when because, like I said, I was lazy; I never checked logs, verified repositories, never even checked the first md5 sum. I still can't remember how I discovered it, but at any rate, once I found that I was being visited I started trying to find out what was where. As you might suspect, I could not find the source, so I thought what the hell, I'll just reinstall my OS. Well, it was right there again upon first reboot. Long story short, I tried everything from installing with a new hard drive and memory to running nothing but a single stick of fresh RAM with a live CD, same thing every time. I finally discovered that my BIOS had been altered. Any changes I make are immediately discarded and/or ignored, and the backbone of the kit, the ACPI system, is totally hidden so I can't even deal with it. It is ghosting itself in my video card's expansion ROM. It's really impressive. I can't even be mad about it 'cause I'm like dayum, nice.

So, here's my question. I know that the files on my external have been tampered with, all my pictures and flaks from years and years; what should I do with them? I will be chunking everything, but I want to save my pics and home videos. I have a fresh Lenny install compiling a kernel on an old iMac G4 800 right now that will be my new machine, but I'm afraid to plug in my external.

I'm hoping I can reflash and save my PC, but if not I don't care. What say ye, Linux geeks of the interwebs?
 
Old 01-18-2010, 04:32 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by compuslave View Post
I finally discovered that my BIOS had been altered.
Can you explain how you did determine this is the case?


Quote:
Originally Posted by compuslave View Post
the backbone of the kit, the ACPI system, is totally hidden so I can't even deal with it. It is ghosting itself in my video card's expansion ROM.
Same for this?
 
Old 01-18-2010, 06:18 PM   #3
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Original Poster
Rep: Reputation: 0
As for the BIOS, it would only keep some changes; others would revert even if I didn't let the OS boot. Some features that were there a year ago, like the ACPI stuff, were totally gone. Also, while poking around with Hiren's Boot CD and Ultimate Boot CD, one of the BIOS utilities said I had an active virus in CMOS; this happened with both CDs. As for the video ROM, I just have a strong suspicion, based on my untrained eye, that the video ROM was involved somehow. Once I read more about the subject I was convinced. It's in there.

So, how do I save my files?
 
Old 01-19-2010, 03:10 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
From your posts I see:
0. you did not take care of your machine properly,
1. your machine got compromised at an earlier stage,
2. you did not investigate the breach of security properly.
By reading documents, and by not verifying what you think you see, you arrived at the conclusion that it is a BIOS rootkit.

However, talking about something is not the same as actually posting "evidence". Besides:
- For fun or profit, exploiting vulnerabilities in software running as system accounts that do not require root account rights is common, while the number of (confirmed) rootkit incidents has dropped dramatically over the past five or more years.
- Because of the effort required, deploying a rootkit should occur when a target (or adjacent target) is sufficiently "interesting" for a cracker.
- Right now, implementing and deploying a BIOS rootkit would require considerably more effort compared to deploying a "regular" rootkit.
- Rootkits by definition are meant to allow the cracker to keep a low profile. Physical manifestations like opening CD trays or easily detectable alterations do not fit this type of cracker's MO.
- I have not read about any Linux BIOS rootkit implementations yet, and reading the available documentation in no way suggests that running Live CDs, changing RAM, or wiping or replacing hard drives will aid in detecting this type of rootkit (while comparing firmware hashes could help).
- I haven't yet read about any Linux tools to detect BIOS rootkits easily.

Since it is not known which OS you ran at the time (for all I know you might have run mcrsft), since no evidence was gathered, since you verified nothing, since the state of the hardware is unknown, since running tools from a Live CD containing cracked software is questionable in itself, and given the 6 arguments I offered above, I see no reason to agree with your conclusion of a BIOS rootkit.

Last edited by unSpawn; 01-19-2010 at 03:11 AM.
 
3 members found this post helpful.
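unSpawn's point that "comparing firmware hashes could help" is the one check in this thread that can actually produce evidence rather than an impression. The script below is an added example, not something posted in the thread: it assumes (not verified here) that the board is supported by flashrom, that a dump was taken from a trusted boot medium with something like `flashrom -p internal -r bios-dump.bin`, and that a vendor image was downloaded separately and its SHA-256 recorded. The file names, the expected hash and the sample data are all made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare a firmware dump against a
# known-good image, and measure how much two dumps differ.
# Assumptions: the dump files already exist (e.g. produced by
#   flashrom -p internal -r bios-dump.bin
# from a trusted Live boot) and the known-good hash came from a vendor image
# obtained out of band. None of those steps are performed here.

# Print only the SHA-256 hex digest of a file.
fw_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the dump's hash equals the expected hash, 1 otherwise.
verify_firmware() {
    dump="$1"; expected="$2"
    actual=$(fw_hash "$dump")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $dump matches the expected image"
        return 0
    fi
    echo "MISMATCH: $dump has $actual, expected $expected"
    return 1
}

# Print the number of differing bytes between two same-sized dumps.
# A handful of bytes usually means settings or NVRAM changed between dumps;
# thousands of bytes means code was rewritten and deserves a closer look.
# Returns 2 (and prints "size differs") when the images are not comparable.
diff_dump_bytes() {
    if [ "$(wc -c < "$1")" != "$(wc -c < "$2")" ]; then
        echo "size differs"
        return 2
    fi
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Typical use (paths are placeholders):
#   verify_firmware bios-dump.bin "$(fw_hash vendor.bin)"
#   diff_dump_bytes bios-dump-before-reflash.bin bios-dump-after-reflash.bin
```

Two caveats a practitioner would want: a vendor image and an in-system dump legitimately differ in regions that hold settings, so a non-zero byte count is not by itself proof of tampering; and a dump read by the running system through the chipset is only as trustworthy as that system, so for a firmware you genuinely distrust the read should be taken with an external programmer clipped to the flash chip.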
Old 01-19-2010, 12:28 PM   #5
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Original Poster
Rep: Reputation: 0
Wow, okay. Never mind then.
 
Old 01-19-2010, 12:29 PM   #6
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Original Poster
Rep: Reputation: 0
Awesome dude, you rock, and you're waaay smart. Thanks for the help.
 
Old 01-19-2010, 12:58 PM   #7
Chromezero
Member
 
Registered: Nov 2004
Location: Arizona
Distribution: Slackware, RHEL, others
Posts: 470

Rep: Reputation: 40
Quote:
Originally Posted by compuslave View Post
I finally discovered that my BIOS had been altered. Any changes I make are immediately discarded and/or ignored
Is it possible that your BIOS battery is simply dead? This would cause changes to not be saved, reverting to factory settings...
 
Old 01-19-2010, 11:31 PM   #8
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Chromezero View Post
Is it possible that your BIOS battery is simply dead? This would cause changes to not be saved, reverting to factory settings...
Nah, I checked the battery and finally did remove it, just to try one more thing.
 
Old 01-20-2010, 07:25 AM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by compuslave View Post
Awesome dude, you rock, and you're waaay smart. Thanks for the help.

It might be a good idea to consider the intent behind unSpawn's comments. If you read most of the threads here from people who suspect they've been cracked, the common thread is that there is much guessing, theorizing and general speculation, but nothing based on facts. The vast majority of cases never get solved simply because the owner sticks their head in the sand and pretends it never happened.

This is truly unfortunate because there are several very experienced people in this forum willing to help. However, that help has to be based on facts, and if you wish to cooperate by posting those facts (logs, etc.) then you'll get the help you're looking for.
 
3 members found this post helpful.
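Hangdog42 asks for facts (logs and the like) rather than impressions. The script below is an added example of how to gather them, not something from the thread or from any LQ member: it snapshots the state of a rescue boot and copies the suspect system's logs, then writes a SHA-256 manifest so that whoever looks at the copies later can show they were not changed. It assumes the suspect root filesystem has been mounted read-only from a Live CD at the placeholder path `$SUSPECT_ROOT` (default `/mnt/suspect`); the commands it snapshots are ordinary Linux tools and any that are missing are simply skipped.

```shell
#!/bin/sh
# Added example (not from the thread): collect volatile state and logs into
# a directory with a hash manifest. Assumed layout: the suspect disk is
# mounted read-only at $SUSPECT_ROOT from a rescue/Live boot, so the
# suspect's own binaries are never executed while evidence is taken.
SUSPECT_ROOT="${SUSPECT_ROOT:-/mnt/suspect}"

# collect_evidence OUTDIR
# Writes the snapshots and copies into OUTDIR, then verifies the manifest.
# Returns 0 when every collected file matches its recorded hash.
collect_evidence() {
    out="$1"
    mkdir -p "$out"

    # Volatile state of the environment doing the collection. Each command
    # goes to its own file; a missing tool leaves an error message in the
    # file rather than aborting the run.
    for cmd in "uname -a" "lsmod" "ps aux" "ss -tulpn" "lspci -vnn" "dmesg"; do
        name=$(echo "$cmd" | tr ' /' '__')
        $cmd > "$out/$name.txt" 2>&1 || true
    done

    # File type, mode and timestamps of the paths people most often claim
    # "changed" (a directory that has become a regular file shows up here).
    : > "$out/stat.txt"
    for p in boot boot/grub etc/passwd etc/shadow; do
        if [ -e "$SUSPECT_ROOT/$p" ]; then
            stat "$SUSPECT_ROOT/$p" >> "$out/stat.txt" 2>/dev/null || true
        fi
    done

    # Copy the logs instead of reading them in place; they are analysed from
    # the copy on a separate machine.
    if [ -d "$SUSPECT_ROOT/var/log" ]; then
        mkdir -p "$out/var_log"
        cp -a "$SUSPECT_ROOT/var/log/." "$out/var_log/" 2>/dev/null || true
    fi

    # Manifest of everything collected, then an immediate self-check so a
    # later 'sha256sum -c MANIFEST.sha256' can prove the copies are intact.
    (cd "$out" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | xargs -0 sha256sum > MANIFEST.sha256)
    (cd "$out" && sha256sum -c --quiet MANIFEST.sha256)
}

# Typical use from the rescue boot (paths are placeholders):
#   SUSPECT_ROOT=/mnt/suspect collect_evidence /media/usb/evidence-$(date +%F)
```

The manifest does not make the logs truthful (a root-level intruder can edit them before you ever get there), but it does fix what was found at the time of collection, which is the minimum the people offering help in this thread are asking for.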
Old 01-20-2010, 06:34 PM   #10
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Hangdog42 View Post
It might be a good idea to consider the intent behind unSpawn's comments. If you read most of the threads here from people who suspect they've been cracked, the common thread is that there is much guessing, theorizing and general speculation, but nothing based on facts. The vast majority of cases never get solved simply because the owner sticks their head in the sand and pretends it never happened.

This is truly unfortunate because there are several very experienced people in this forum willing to help. However, that help has to be based on facts, and if you wish to cooperate by posting those facts (logs, etc.) then you'll get the help you're looking for.
Yeah, I could have guessed that. See, the problem here is the logs lie, so that's pointless. Bottom line here is I know things changed drastically. I went from no floppy drive to 3 virtual floppies overnight and literally dozens of other virtual devices that did not exist prior. Also, my /boot directory became an executable, not a regular directory. Whether I have the proof to satisfy whoever's whatever is really of no concern to me. My machine was thoroughly owned and I don't need confirmation. My question was simply how I should handle the files I'd like to keep, and let's assume that you have no idea what got it but you know something did. I've been using Linux for going on 15 years now and I have done it because I enjoy it. I'm not some hardcore dude who can code and whatnot, but I like the challenge sometimes. In all those years one thing has remained constant: the arrogant and belittling attitude of people like whatever his name was.


Peace
 
0 members found this post helpful.
Old 01-21-2010, 07:29 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Quote:
My machine was thoroughly owned and I don't need confirmation. My question was simply how I should handle the files I'd like to keep, and let's assume that you have no idea what got it but you know something did.
And there is the crux of your problem. Without spending some time figuring out what happened, you'll never have any idea whether you can safely save any of your files. Sure, you can make the assumption that data files are safe, but that is an assumption. Are they actually safe? Who knows? Your guess is as good as anyone else's.


Quote:
In all those years one thing has remained constant: the arrogant and belittling attitude of people like whatever his name was.
What I've learned from this forum is that if I simply pay attention to what is going on, there is a lot to be learned. I see lots of people like you coming in here for help and nearly 100% of them ignore the advice given and stick their head in the sand about their problems. From where I sit, the problem lies with the people asking for help at least as much as the people offering it.
 
1 members found this post helpful.
Old 01-22-2010, 08:25 AM   #12
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
Quote:
Originally Posted by compuslave View Post
I went from no floppy drive to 3 virtual floppies overnight and literally dozens of other virtual devices that did not exist prior. Also, my /boot directory became an executable, not a regular directory.
These occurrences do not pass nowonmai's first law of "have I been owned?". This states that if there is no obvious route to monetising how your system is misbehaving, chances are it's not malware.
Basically, the days of random vandalism have long passed. Most exploits these days are for pretty much the same small group of purposes: email/CC# harvesting, spam generation and relaying, and botnets. If your system is not exhibiting behaviour in keeping with these goals, the likelihood is that it's not malware.

There exist various server hacks that would seem to step outside this rule, but these are stepping stones to the same goals.
 
Old 01-22-2010, 09:16 AM   #13
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Quote:
I went from no floppy drive to 3 virtual floppies overnight and literally dozens of other virtual devices that did not exist prior. Also, my /boot directory became an executable, not a regular directory.
Have you tried monitoring (from a different computer) the network traffic between this "owned" computer and the internet? If you see changes in your setup, but no network traffic to cause it, then the changes are occurring due to some internal program, not an external hacker controlling your computer.
 
Old 01-22-2010, 05:39 PM   #14
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Even crackers won't do that randomly; you are wrong to use the term "hacker" here.

But checking out network traffic is recommended. What distribution are you using (and what version)?
And by the way, what kind of problems have you experienced since that incident?

You can ensure your images, texts and videos are safe by opening them on a separate PC in a virtual machine.
 
Old 02-03-2010, 08:00 AM   #15
compuslave
LQ Newbie
 
Registered: Aug 2007
Posts: 17

Original Poster
Rep: Reputation: 0
Okay, so I got a little pissed, sorry about that. I guess the problem is I didn't phrase my question right and I got impatient. I guess what I'm really asking is: can a trojan 'infect' files that, if launched, would check for its server program, then rebuild or repair it if it doesn't find anything? I was just curious as to what is possible, or likely. I should fess up now how I got in the situation to begin with. I ran a live version of BackTrack 3 and used it for a few days. I was playing with the Burp Suite's spider at Facebook, and something happened. Not sure what, but it never was the same after that. I'd love to understand the why, but I need that external disk for the room to do a clean install of something. I got it now, I got new everything, 'cepts video card, lol. I'm keeping a close eye now, but for a minute there I didn't give a damn.

I was thinking you guys could read my mind, and my love of doing shit with a blind fury (for real) only made the hole deeper. I have gotten some great help over the years, some not so great, ymmv.

Anyway, what kinds of things did you want to see?
 