This will sound crazy, but PLEASE "work the problem" instead of assuming the problem doesn't exist (really, I am not crazy). I am running a 2001 IBM NetVista PC from which I have removed hard drive & floppy, with no USB storage device connected. (This PC is ONLY for surfing the Web. For now.) When I boot up, I have Ethernet cable unplugged from cable modem, but (not wireless!) router is plugged into PC. I boot the Mepis 6.5 CD in a read-only drive.

From before I boot up, I am hacked. (Don't fight me on this, please.) My BIOS settings are ignored/altered, and I cannot force runlevel=1, etc. The behavior of the PC (and its messages while booting) has changed from day to day, though I'm doing nothing differently... Anyway, when I come up, I log in as root (why not? there's nothing to be destroyed!) in a Konsole, using a root shell. (I open a few root shells, actually, since sometimes the hacker has apparently grabbed the keyboard, such that I can't type an "l" or particular numeral. Switching to the next tab solves that.)

Although I'm comparatively new to Linux, I have learned various ways to fight my way free, mostly, of this problem. (I shut down hald daemons and other processes I've learned to recognize, using kill [pid] based on netstat -lanap listings.) BUT, I cannot shut down localhost. First I rm /etc/samba/smb.conf and that (after I also stop smbd & nmbd) solves that, but removing rsyncd.conf doesn't get rid of localhost. I've read what I can find in the man pages, but don't have a full understanding of sockets, ports, etc. or binding and so on. What's the opposite of listening? How do I shut down localhost (which is apparently where these hackers are 'coming from,' as it were)?

Once I managed to shut down localhost, but either I don't know how I did it, or they circumvented my method the next time. I'm learning to hack as I go, and just need more help!

Right now, at a certain point I feel safe enough to plug in the cable modem and go online, but I have to switch back & forth constantly from browser to root shell/system log, to make sure I'm still safe. I really want to know how to SHUT DOWN localhost!

I don't know what is happening on your computer, but all modern TCP/IP protocol enabled computers have LOCALHOST. IP address 127.0.0.1 is assigned to LOCALHOST and is non-routable IP address, only the local machine will ever use that IP address. Check your /etc/hosts and you'll probably see 127.0.0.1 shown next to localhost.

http://en.wikipedia.org/wiki/Localhost

Maybe the data on the CD disk your using is corrupted. Did you get the disk from a known good location? I would try to use another Linux live distribution disk and see you have the same symptoms. While most of the file system on a live distribution disk is non-writeable, certain parts of the file system, such as /etc, are stored in a temporary created RAM drive so system configurations can be made. Once the computer shuts down or reboots, the RAM drive disappears and thus any changes to /etc.

http://en.wikipedia.org/wiki/Live_CD

Are there other computers network wired to the router? I suspect your router is configured as a DHCP server so your computers will get assigned a local network IP address such as 192.168.x.x. If you have another computer on your network, that might be the cause of your problem and not LOCALHOST.

Could your problem be hardware related, possible, but I would try another live disk to see if the symptoms return.

Thanks for letting me know localhost is normal... but I still want to shut it down. This is not a hardware problem...

No other PC is on any network I'm running (router has one cord in, one out). I do have a laptop, but that's not even plugged in; I have another 18-month-old machine which I used to use as my offline PC (was running Win XP) but they already destroyed that this summer; I removed its SATA hard drive -- and it's also unplugged. I don't believe there's anything wrong with my CD; I downloaded it myself this past summer, copied it to a USB device, and burned the ISO when the newer machine still worked (it had Nero software & CD-burner/DVD drive). I used this CD earlier to install to yet another PC's hard drive, which I intended to use as my online PC, but then that machine was hacked to bits.

Anyway, that's all irrelevant; I can HEAR the hackers up there. I keep killing NMBD and SMBD over and over, keep wiping out directories, and then see them restored in another place (read-only). These hackers are, as I said, altering my BIOS settings; and I even used to see 'flashing' onscreen as I was trying to alter settings via GUI-based utilities. (For example, I'll alter a Network Assistant setting, and it'll be reset before I can save it that way.)

Also, sometimes I will try to open an app (Firefox, or even just Patience), and they shut it down as its opening! Again, if I type who, I see nothing, but if I type who -aH, I'll see 5 users (id's 1-5) on TTYs, then me (root) with a question mark after root. Here's a current copy:
LOGIN tty2 2007-12-12 21:13 9848 id=2
LOGIN tty3 2007-12-12 21:13 9849 id=3
LOGIN tty6 2007-12-12 21:13 9850 id=6
LOGIN tty4 2007-12-12 21:13 9857 id=4
LOGIN tty5 2007-12-12 21:13 9858 id=5
LOGIN tty1 2007-12-12 21:13 9865 id=1
LOGIN tty2 2007-12-12 21:13 9866 id=2
LOGIN tty3 2007-12-12 21:13 9867 id=3
LOGIN tty6 2007-12-12 21:14 9973 id=6
LOGIN tty4 2007-12-12 21:18 10251 id=4
LOGIN tty5 2007-12-12 21:18 10252 id=5
(and this continues for a long way -- fills the terminal screen, in fact). I have no doubt at all this is hackers; I can hear them arguing now. In fact, I managed to shut them out again tonight, but my syslog currently shows:

12/12/2007 08:34:40 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:41:21 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:27 PM localhost init Id "5" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:30 PM localhost init Id "4" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:32 PM localhost init Id "3" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:34 PM localhost init Id "2" respawning too fast: disabled for 5 minutes
12/12/2007 08:46:37 PM localhost init Id "1" respawning too fast: disabled for 5 minutes
12/12/2007 08:48:02 PM localhost init Id "6" respawning too fast: disabled for 5 minutes
12/12/2007 08:48:02 PM localhost init no more processes left in this runlevel
12/12/2007 08:53:12 PM localhost init Id "4" respawning too fast: disabled for 5 minutes
12/12/2007 08:53:12 PM localhost init Id "5" respawning too fast: disabled for 5 minutes
12/12/2007 08:53:17 PM localhost init Id "1" respawning too fast: disabled for 5 minutes
12/12/2007 08:53:17 PM localhost init Id "2" respawning too fast: disabled for 5 minutes
etc...

You'll excuse me not explaining what I did to cause that , but obviously they are shut out just now. In fact, I can hear two of them discussing what to try next, while the third is (as usual) pacing. I am learning a bit about rsync, but I'd really love to shut down localhost. I don't want or need it, afaict. Firefox works without it, and that's all I want to use just now.

I just tried what you suggested, and this is what I see as /etc/hosts (copied using view):

127.0.0.1 localhost.localdomain localhost mepis1 mepis1.example.dom

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Is this informative? Sorry to be so ignorant; it's hard to learn under these conditions.

If you're really sure your machine has been compromised, you cannot trust it at all.

You should boot from a LiveCD and wipe the system completely, and re-install from known secure media.

If you shut down localhost, your computer will not work. Localhost is what it sounds like, your local host, or the computer you are typing at. If someone is hacking you from localhost, it is you.

Most things that run in the background and allow you to use your computer are programmed to talk to and listen to localhost as well as other hosts if need be (it's easier to program a network stack than it is to program a network stack and a means to talk to your own system).

You NEED it for your system to work.

I would say you have a problem with your system, but localhost isn't it.

HTH

Forrest

Okay, thanks, good to know that shutting down localhost isn't the solution.

Maybe I've already reached the (always temporary) solution, just knowing when they're currently unable to follow me online (for whatever reason). Earlier today I was okay when I first replugged Ethernet cable into the cable modem (having left the PC on overnight), but gradually they took control again. They got my machine to the point where its CD-ROM drive wouldn't stop running, and just trying to get a cursor into the root shell took many minutes... But of course when that happens I just pull the plug, literally. (The good thing about running from CD-ROM on a $70 used machine is one can always simply pull the plug, and will then usually be exactly where one started from. )

I'd still like to know how to shut them out from the beginning, or keep them out once I shut them out, if anyone has suggestions. Is there a way to boot the CD straight to a command line interface, and then later just invoke a GUI to use Foxfire? Any documentation on that anywhere? Thanks.

That respawn is the root of your problem: http://www.unixguide.net/linux/faq/09.24.shtml
http://forums.vpslink.com/showthread.php?t=1473

This is what my "original" (or their original) who -aH listing looks like:
NAME LINE TIME IDLE PID COMMENT EXIT
2007-12-13 11:44 1048 id=si term=0 exit=0
system boot 2007-12-13 11:44
run-level 5 2007-12-13 11:44 last=S
2007-12-13 11:44 2952 id=l5 term=0 exit=0
LOGIN tty1 2007-12-13 11:44 3573 id=1
LOGIN tty2 2007-12-13 11:44 3574 id=2
LOGIN tty3 2007-12-13 11:44 3575 id=3
LOGIN tty4 2007-12-13 11:44 3576 id=4
LOGIN tty5 2007-12-13 11:44 3577 id=5
LOGIN tty6 2007-12-13 11:44 3578 id=6
root ? :0 2007-12-13 11:44 ? 3594

Isn't that interesting? I'm only root, so they must be "LOGIN." I also saw some very interesting info earlier today... But couldn't save it before I had to restart, so I wrote it by hand (since I hadn't gotten online yet). I'll retype it here later, in hopes someone can interprete what they're doing and help me shut them down. (It was an early netstat -a listing.)

Thanks for spawn info; if I can be online long enough, I'll read it.

So there are 3 hackers "up there" who are dedicating all their time to ensuring the OP's computers get wiped out as soon as he starts them up.

These are machines behind a wired router, which is NOT connected to the internet when he starts. These machines have no writeable media on them (only RAM).

And yet, these machines are under the control of the three hackers before he can do anything at all with them...

Ohhhhh.....Kaaayyyy.

When posting commands, or their output, please use [code] tags. This will aide readability because is preserves whilespace and uses a fixed width font. Compare your post to this:
The LOGIN lines are quite normal - this is the program which listens on the virtual consoles and prompts for user name and password and attaches an interactive shell to the VT if the authentication succeeds.

Like I said before, if you are sure your machine is actually compromised, you cannot trust it - that includes the output of user lists, process lists, and directory listings. This is because the attacker might install a root kit - software which can hide the attacker's actions from other users on the system (i.e. you).

You may or may not be able to see what they are up to, but in either case you cannot trust the machine again until you have wiped it and re-installed from trusted media.

matthewg42, this machine is a system booting off of a live cd with no harddrive. The only possible thing that could have happened is the live cd is corrupted, and this can easily be verified with a checksum and a new one downloaded. I seriously don't think there is any problem here other than a user that is seeing normal things they don't understand and jumping to conclusions.

Forrest

Doh, I see now. My bad. I too am skeptical of the hacker claim. The only realistic possibility is that the OP downloaded a CD from some questionable source, which contains some sort of malware. I've not heard of such a think with live CD, but I guess it's possible.

Now, this is why I specifically asked you guys to ignore the rest & work the problem. A rogue FBI operation (violating civil rights left & right) is responsible, and the only reason they are still there at this point (having determined I'm innocent of the various charges against me originally!) is that I know they are doing this. Now, let's get back to the problem, please.

Originally I was rm'ing the /etc/samba/smb.conf file. Now I see that they have a file (up there? hidden on my machine?) replacing it... By making my syslogd show the Samba log, I see this (partial copy):
Can anyone tell me how to shut down Netbios NOW? Really, I do need help. Yes, it's quite incredible that hackers upstairs are doing this, but let's all pretend it's a novel or something, and please HELP. If you guys can't help me, who can?

The params lines are in response to my normal attempts to shut down nmbd (with nmbd st); the other lines are info (presumably) about how their netbios interface is still running. I'm not yet down with the syntax/commands for sockets and don't know how to do anything like un-bind-ing or un-listening... MEPIS is wonderful for people who want their networks to "just work," not so good for the rare occasions when one needs to make them NOT work!