LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-12-2011, 02:49 PM   #1
Jackp27
LQ Newbie
 
Registered: Feb 2011
Posts: 12

Rep: Reputation: 0
Trojan in my RAM


Hi, I am new to Linux and noobed out to the max. Now I have 7 computers in my home totally unusable. When I disconnect my hard drives and boot only from the Ubuntu CD, I can see the script run as they take over my system and render any connection to the outside world useless. My BIOS has been compromised from the looks of it. I am sending this from a Kinko's. I ran rkhunter last night from a CD and it said I had xibitz, but the TRK was a couple of versions old. The embarrassing thing is, I don't know how to restore my systems back to normal. I formatted all my hard drives and the thing keeps coming back... even without an internet connection. If someone could help I would very much appreciate it. Many thanks. Since I don't have access to the internet I cannot post any logs. Cheers to all, Jack
 
Old 02-12-2011, 03:17 PM   #2
silvyus_06
Member
 
Registered: Oct 2010
Distribution: Ubuntu 10.04 , Linux Mint Debian Edition , Microsoft Windows 7
Posts: 390

Rep: Reputation: 50
is this cosmicbrat? lol

First of all, RAM is wiped after shutdown. No script can live there.


I'm wondering, how can you see the script? Is it just that you don't have an internet connection after boot?

What wireless card do you have? Do you use Ethernet? Give us more input... c'mon...
 
Old 02-12-2011, 04:53 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by Jackp27
When I disconnect my hard drives and boot only from the Ubuntu CD, I can see the script run as they take over my system and render any connection to the outside world useless.
You need to provide details about how you are seeing the script run. And since you can see it, you should be able to provide information about what the script is. And what do you mean by rendering the connection useless?

Quote:
Originally Posted by Jackp27
My BIOS has been compromised from the looks of it.
The way this forum works is that you provide evidence rather than speculating. We follow facts here.

Quote:
Originally Posted by Jackp27
Many thanks. Since I don't have access to the internet I cannot post any logs
You mean you have no way to copy the logs to some other medium like a thumb drive or CD?

So if you want to post facts about what you're seeing we'll help you.
 
3 members found this post helpful.
Old 02-12-2011, 05:26 PM   #4
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 254
(Failed subtle attempt at humor redacted)

Last edited by xeleema; 02-12-2011 at 06:15 PM. Reason: Because someone's funny-bone seems to be busted. :)
 
0 members found this post helpful.
Old 02-12-2011, 05:33 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
@xeleema,

Please, we handle potential security issues a bit differently than other problems, so if you don't have anything helpful to post, please don't.
 
Old 02-12-2011, 06:14 PM   #6
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 254
Quote:
Originally Posted by Hangdog42
@xeleema,
Please, we handle potential security issues a bit differently than other problems, so if you don't have anything helpful to post, please don't.
Apologies. Unhelpful post has been removed.

@Jackp27
Greetingz and Welcome to LQ!
Quote:
Originally Posted by Jackp27
...I have 7 computers in my home totally unusable. When I disconnect my hard drives and boot only from the Ubuntu CD, I can see the script run as they take over my system and render any connection to the outside world useless.
That's a rather strange problem... something I haven't seen mentioned yet would be the use of the "Pause" (aka "Break") button on your keyboard while one of the affected systems is booting up.

This should "freeze" the system temporarily, allowing you to write down (or photograph) any anomalies on the screen. To resume operation, you can typically press the spacebar or the enter key.

Quote:
Originally Posted by Jackp27
My BIOS has been compromised from the looks of it.
Although not impossible, this is a bit on the unlikely side. If you could collect additional information, I think that would benefit everyone in assisting you.

Quote:
Originally Posted by Jackp27
I ran rkhunter last night from a CD and it said I had xibitz, but the TRK was a couple of versions old. The embarrassing thing is, I don't know how to restore my systems back to normal.
I'm curious, what is xibitz? Doing a Google search with "site:linuxquestions.org xibitz", only 10 posts come back (and most/all have that word as a username...). The RootKit Hunter site doesn't mention it either as a detectable root-kit...

Quote:
Originally Posted by Jackp27
I am sending this from a Kinko's....Since I don't have access to the internet I cannot post any logs.
I hope you're able to return to Kinko's soon and check this thread for updates.

Last edited by unSpawn; 02-12-2011 at 06:37 PM. Reason: //Let's not propagate the wrong RKH URI
 
Old 02-12-2011, 07:00 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by xeleema
I'm curious, what is xibitz? Doing a Google search with "site:linuxquestions.org xibitz", only 10 posts come back (and most/all have that word as a username...). The RootKit Hunter site doesn't mention it either as a detectable root-kit...
Yes it does (RKH URI corrected BTW, let's not propagate the wrong site): Xzibit is an old kit (think LRK-ish) that installs trojaned binaries and creates dirs and files in /dev like dsx, caca and ida. While I don't like speculating (I'd rather see logs) if he got warnings it's most likely due to the "hdparm" string (false positive).
 
2 members found this post helpful.
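The Xzibit artifacts unSpawn describes above (directories and files dropped straight under /dev, such as dsx, caca and ida) are the kind of thing a plain filesystem sweep can find from a live CD, without trusting the suspect host's own binaries. The script below is an added example for this thread, not code from the thread, from rkhunter or from chkrootkit. The function names scan_dev_dir and build_sample_dev, the allow-list of normal udev directories, and the fake /dev tree it builds are assumptions made for illustration; only the three Xzibit names come from the post above. It lists entries in a /dev-style directory that are regular files or directories rather than device nodes, symlinks, fifos or sockets, and tags the ones that match the kit's known names.

```shell
#!/bin/sh
# Added example (not from the thread, rkhunter or chkrootkit): sweep a
# /dev-style directory for entries that are not device nodes, the kind of
# artifact an old kit such as Xzibit leaves behind (dirs/files like
# /dev/dsx, /dev/caca, /dev/ida, as named in the post above).  Function
# names, the allow-list and the sample tree are assumptions for this example.

# Names the post above attributes to the Xzibit kit.
XZIBIT_NAMES="dsx caca ida"

# Directories a normal udev-managed /dev contains (assumed allow-list; extend
# it for your own distribution and treat anything else as worth a look).
DEV_DIR_ALLOW="pts shm mapper disk input snd block char net bus hugepages mqueue cpu dri fd vfio bsg usb v4l"

# scan_dev_dir DIR
#   Prints one line per suspicious entry: "XZIBIT <path>" when the name is one
#   of the kit's known paths, "NONDEV <path>" when it is a regular file or a
#   directory outside the allow-list.  Device nodes, symlinks, fifos and
#   sockets are legitimate in /dev and are skipped.  Exit status is 0 when
#   nothing was flagged, 1 otherwise.
scan_dev_dir() {
    dir=$1
    found=0
    for path in "$dir"/* "$dir"/.*; do
        name=${path##*/}
        case $name in .|..) continue ;; esac
        # An unmatched glob leaves the literal pattern behind; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        if [ -c "$path" ] || [ -b "$path" ] || [ -L "$path" ] \
           || [ -p "$path" ] || [ -S "$path" ]; then
            continue
        fi
        flag=NONDEV
        for k in $XZIBIT_NAMES; do
            [ "$name" = "$k" ] && flag=XZIBIT
        done
        if [ "$flag" = NONDEV ] && [ -d "$path" ]; then
            for a in $DEV_DIR_ALLOW; do
                [ "$name" = "$a" ] && continue 2
            done
        fi
        printf '%s %s\n' "$flag" "$path"
        found=1
    done
    return $found
}

# build_sample_dev DIR
#   Builds a constructed, fake /dev tree for offline testing: two legitimate
#   entry types (a symlink and a fifo, since creating real device nodes needs
#   root), one normal udev directory, and three planted artifacts.
build_sample_dev() {
    d=$1
    ln -s /dev/null "$d/null"            # symlink standing in for a device node
    mkfifo "$d/initctl"                  # fifo, legitimate under /dev
    mkdir "$d/pts"                       # allow-listed udev directory
    mkdir "$d/dsx"                       # Xzibit-style hidden directory
    printf 'planted\n' > "$d/caca"       # Xzibit-style regular file
    printf 'planted\n' > "$d/.hidden"    # unrelated regular file, still NONDEV
}

# Usage: sh scan_dev.sh /mnt/root/dev   (from a live CD, against the suspect disk)
if [ -n "${1:-}" ]; then
    scan_dev_dir "$1"
fi
```

Run it from the live CD against the mounted root of the suspect machine rather than against the live system's own /dev, so that the trojaned binaries the kit is said to install are not the ones doing the looking. A hit is a lead to examine by hand, not proof of a kit, in the same way that a string match on "hdparm" is not.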
Old 02-12-2011, 07:26 PM   #8
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 988
Blog Entries: 4

Rep: Reputation: 254
Quote:
Originally Posted by unSpawn
Yes it does (RKH URI corrected BTW, let's not propagate the wrong site): Xzibit is an old kit (think LRK-ish) that installs trojaned binaries and creates dirs and files in /dev like dsx, caca and ida. While I don't like speculating (I'd rather see logs) if he got warnings it's most likely due to the "hdparm" string (false positive).
Thanks for the catch! Didn't think I had the wrong site... as for Xzibit, the misspelling explains it!
 
Old 02-13-2011, 04:29 AM   #9
Jackp27
LQ Newbie
 
Registered: Feb 2011
Posts: 12

Original Poster
Rep: Reputation: 0
Hey, sorry I haven't returned to you sooner. I bought a new computer to see if it would die as well and it did, quickly.
I've written copious notes and conducted similar research; the fact seems to be if you have a rootkit with a user (or 50) logged in you should reformat your drive. Except it doesn't help. The trojan loads immediately on startup even if your hard disks are physically disconnected.

I booted off a Blackbuntu install disk and ran a shell immediately and the same notifications came up: usbhid, udevd daemon, Internet keyboard, and so on. This rootkit is in the hardware.

I ran chkrootkit and rkhunter; they both confirmed the presence of a rootkit. There's a reference to *uckit also. And not suckit. Security apps do OK at detection but not eradication. As a noob every instruction manual is somewhat Greek. No one seems to have a 'remove rootkit' button. Not sure why.

Anyhow, I know you can't read my computer without logs, but if someone can tell me how to zap the video RAM on my GeForce 6150SE card and blank my BIOS (HPa6000n) that might be a start. Just to get the init out of startup... as soon as I power on I'm doomed... thanks all. Appreciate it.
 
Old 02-13-2011, 04:48 AM   #10
Jackp27
LQ Newbie
 
Registered: Feb 2011
Posts: 12

Original Poster
Rep: Reputation: 0
It's not a false positive when your hard drives are formatted automatically and your drivers are emasculated so you have no Internet access. I have 7 dead computers here. I can't get one of them revived. This rootkit is serious business that is costing me money.

From looking at syslogs, they emulate a video card, use PAM to get your password by working with a USB-configured device that captures your sudo password, they make 122 new groups that include your username (group added to /etc/gshadow: name=sammyj) and then change my name (sammyj) to "group floppy/25", "group tape/26"... "group sambashare/122".

There's a lot of mentions of X.org.

I can't get rid of it.
 
Old 02-13-2011, 04:49 AM   #11
ronlau9
Senior Member
 
Registered: Dec 2007
Location: In front of my LINUX OR MAC BOX
Distribution: Mandriva 2009 X86_64 suse 11.3 X86_64 Centos X86_64 Debian X86_64 Linux MInt 86_64 OS X
Posts: 2,369

Rep: Reputation: Disabled
Did you try to remove the backup battery and leave it out for a few minutes?
For flashing your BIOS I suggest visiting the manufacturer's website.
Some manufacturers provide a tool to do so and load the new BIOS program,
but please do it the correct way.
 
Old 02-13-2011, 04:56 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Jackp27
I know you can't read my computer without logs but
You're new to Linux. You are interpreting whatever it is you think you are seeing wrongly. That is a problem we can correct.
However it does not make sense to ask questions that will lead some here off on a treasure hunt.
So please stop asking questions and concentrate on answering questions posted here or ask how you can get us the information we need to help you.
 
1 members found this post helpful.
Old 02-13-2011, 05:13 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ronlau9
Did you try to remove the backup battery and leave it out for a few minutes?
This would certainly not be the first advice I'd give any user and please be careful not to follow the OP on his treasure hunt. He hasn't provided any evidence so far, no "copious notes", no specific log messages, no tangible data from which we can discard false positives and chances are he's interpreting events wrongly. At this point the OP should only post when he's willing to cooperate our way.

Last edited by unSpawn; 02-13-2011 at 05:14 AM.
 
1 members found this post helpful.
Old 02-13-2011, 06:54 AM   #14
Jackp27
LQ Newbie
 
Registered: Feb 2011
Posts: 12

Original Poster
Rep: Reputation: 0
Yes, I removed my battery. I removed my hard drives. I removed my RAM and my lithium battery. I had to put some RAM back for the computer to start. I flashed my BIOS. I've tried everything. Even without hard drives the script runs. A little keyboard in the top left corner of my Windows machine pops up. It's a light something keyboard. My notes are furiously scribbled and handwritten, so sorry. No other alternative. On my Linux box the BIOS is shadowed and the video RAM is shadowed. If I am lucky enough to open a shell, ifconfig shows eth0 up even though the onboard LAN is disabled. A message pops up asking me to verify my video settings every 45 seconds. I wish I knew what to ask you to help me solve this. Apparently my router is fine because my TV works, but I can't log in to it with any device or computer. Meanwhile chkrootkit says there are 12 confirmed TTY connections active.
 
Old 02-13-2011, 07:10 AM   #15
Jackp27
LQ Newbie
 
Registered: Feb 2011
Posts: 12

Original Poster
Rep: Reputation: 0
There's a udevd daemon that installs (not sure what that is) and then a RAID replaces my hard drives and then I have no bootmgr or way to use my hard drives. All of my gear is in pieces since I took out the wireless cards, batteries and all other devices that could be harboring the persistent code. Some of you sound like you think I am making this up. I've been trying to fix this for a week. I have a new library of Linux and Python manuals to my name. ps -ef shows an extraordinarily large nvidia entry and usbhid before the drive turns into a RAID. A few days ago I went and bought another copy of Ubuntu 10.04 and tried to reinstall it on a newly formatted laptop with no battery or wireless card or any software for that matter. Somehow a separate computer that I was trying to install Ubuntu Server on knew via dmesg or syslog that a RAID on the desktop Ubuntu was in progress. The thing is, the networking was totally off on both machines and they were not connected in any way.

The wireless cards were turned off because I had physically removed them. It's as if when a computer just has power it is vulnerable. That's what happened to my new computer today. First run and BAM: rootkit detected and every port open. It took me 2 hours to close them all in Windows 7 to no avail.
 
Closed Thread