Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I am new to Linux and noobed out to the max. Now I have 7 in my home computers totally unusable. When I disconnect my hard drives and boot only from the Ubuntu CD, I can see the script run as they take over my system and render any connection to the outside world useless. My BIOS has been compromised from the looks of it. I am sending this from a Kinko's. I ran rkhunter last night from a CD and it said I had xibitz but the TRK was a couple of versions old. The embarrassing thing is - I don't know how to restore my systems back to normal? I formatted all my hard drives and the thing keeps coming back...even without an internet connection. If someone could help I would very much appreciate it. Many thanks. Since I don't have access to the internet I cannot post any logs. Cheers to all - Jack
When I disconnect my hard drives and boot only from the Ubuntu CD, I can see the script run as they take over my system and render any connection to the outside world useless.
You need to provide details about how you are seeing the script run. And since you can see it, you should be able to provide information about what the script is. And what do you mean by rendering the connection useless?
Quote:
Originally Posted by Jackp27
My BIOS has been compromised from the looks of it.
The way this forum works is that you provide evidence rather than speculating. We follow facts here.
Quote:
Originally Posted by Jackp27
Many thanks. Since I don't have access to the internet I cannot post any logs
You mean you have no way to copy the logs to some other medium like a thumb drive or CD?
So if you want to post facts about what you're seeing we'll help you.
@xeleema,
Please, we handle potential security issues a bit differently than other problems, so if you don't have anything helpful to post, please don't.
Apologies. Unhelpful post has been removed.
@Jackp27
Greetingz and Welcome to LQ!
Quote:
Originally Posted by Jackp27
...I have 7 in my home computers totally unusable. When I disconnect my hard drives and boot only from the Ubuntu CD, I can see the script run as they take over my system and render any connection to the outside world useless.
That's a rather strange problem...something I haven't seen mentioned yet would be the use of the "Pause" (aka "Break") button on your keyboard while one of the affected systems is booting up.
This should "freeze" the system temporarily, allowing you to write down (or photograph) any anomalies on the screen. To resume operation, you can typically press the spacebar or the enter key.
Quote:
Originally Posted by Jackp27
My BIOS has been compromised from the looks of it.
Although not impossible, this is a bit on the unlikely side. If you could collect additional information, I think that would benefit everyone in assisting you.
Quote:
Originally Posted by Jackp27
I ran rkhunter last night from a CD and it said i had xibitz but the TRK was a couple of versions old. The embarassing thing is - I don't know how to restore my systems back to normal?
I'm curious, what is xibitz? Doing a Google search with "site:linuxquestions.org xibitz", only 10 posts come back (and most/all have that word as a username...). The RootKit Hunter site doesn't mention it either as a detectable root-kit...
Quote:
Originally Posted by Jackp27
I am sending this from a Kinko's....Since I don't have access to the internet I cannot post any logs.
I hope you're able to return to Kinko's soon and check this thread for updates.
Last edited by unSpawn; 02-12-2011 at 06:37 PM.
Reason: //Let's not propagate the wrong RKH URI
I'm curious, what is xibitz? Doing a Google search with "site:linuxquestions.org xibitz", only 10 posts come back (and most/all have that word as a username...). The RootKit Hunter site doesn't mention it either as a detectable root-kit...
Yes it does (RKH URI corrected BTW, let's not propagate the wrong site): Xzibit is an old kit (think LRK-ish) that installs trojaned binaries and creates dirs and files in /dev like dsx, caca and ida. While I don't like speculating (I'd rather see logs) if he got warnings it's most likely due to the "hdparm" string (false positive).
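As an added illustration of the distinction unSpawn draws above (this is not part of the thread and not rkhunter's own code), here is a small Python triage script. It treats the /dev artefacts named in the reply (dsx, caca, ida) as strong evidence and a bare "hdparm" string in an init script as weak evidence, since ordinary init scripts call hdparm and that string alone is the usual false-positive source. The init-script paths and the sample directory tree are assumptions constructed for the demo; in a real case you would point it at the suspect disk mounted read-only from the live CD, not at the live CD's own /dev.

```python
import os
import tempfile

# Indicators named in the thread: Xzibit drops entries under /dev named dsx, caca, ida.
XZIBIT_DEV_NAMES = ("dsx", "caca", "ida")
# The string match that, on its own, is most likely a false positive.
WEAK_STRING = "hdparm"
# Init scripts to grep for that string. These paths are assumptions for the example,
# not rkhunter's real configuration.
STARTUP_SCRIPTS = ("etc/rc.d/rc.sysinit", "etc/rc.local", "etc/init.d/boot.local")


def scan_root(root):
    """Return (severity, location, detail) findings for a filesystem rooted at
    `root`, e.g. "/mnt/suspect" after mounting the suspect disk from a live CD."""
    findings = []
    for name in XZIBIT_DEV_NAMES:
        path = os.path.join(root, "dev", name)
        # lexists: a dangling symlink or a directory counts too
        if os.path.lexists(path):
            findings.append(("strong", path, "Xzibit artefact path present"))
    for rel in STARTUP_SCRIPTS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if WEAK_STRING in line:
                    findings.append(("weak", f"{path}:{lineno}", line.rstrip()))
    return findings


def verdict(findings):
    """Strong hits dominate; a string hit alone only asks for manual review."""
    severities = {sev for sev, _, _ in findings}
    if "strong" in severities:
        return "likely infected"
    if "weak" in severities:
        return "string match only - probable false positive, verify manually"
    return "clean"


def build_sample_root(infected):
    """Constructed sample tree: a normal rc.sysinit that legitimately runs hdparm,
    plus, when `infected` is True, the /dev artefacts an Xzibit install leaves."""
    root = tempfile.mkdtemp(prefix="xzibit-demo-")
    os.makedirs(os.path.join(root, "dev"))
    os.makedirs(os.path.join(root, "etc", "rc.d"))
    with open(os.path.join(root, "etc", "rc.d", "rc.sysinit"), "w", encoding="utf-8") as fh:
        fh.write("#!/bin/sh\n# constructed sample init script\n"
                 "/sbin/hdparm -d1 -c1 /dev/hda\n")
    if infected:
        open(os.path.join(root, "dev", "dsx"), "w").close()   # trojan-kit file
        os.makedirs(os.path.join(root, "dev", "ida"))         # trojan-kit directory
    return root


if __name__ == "__main__":
    for infected in (False, True):
        root = build_sample_root(infected)
        found = scan_root(root)
        print(f"{root}: {verdict(found)}")
        for sev, where, detail in found:
            print(f"  [{sev}] {where}: {detail}")
```

One caveat on the "strong" tier: /dev/ida is also the directory the Compaq SMART2 array driver (cpqarray) uses for its block devices, so a hit there on server hardware still needs a look at what the entry actually contains before calling it a kit.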
Yes it does (RKH URI corrected BTW, let's not propagate the wrong site): Xzibit is an old kit (think LRK-ish) that installs trojaned binaries and creates dirs and files in /dev like dsx, caca and ida. While I don't like speculating (I'd rather see logs) if he got warnings it's most likely due to the "hdparm" string (false positive).
Thanks for the catch! Didn't think I had the wrong site... as for Xzibit, the misspelling explains it!
Hey sorry I haven't returned to you sooner. I bought a new computer to see if it would die as well and it did, quickly.
I've written copious notes and conducted similar research; the fact seems to be if you have a rootkit with a user (or 50) logged in you should re-format your drive. Except it doesn't help. The trojan loads immediately on startup even if your hard disks are physically disconnected.
I booted off a blackbuntu install disk and ran a shell immediately and the same notifications came up: usbhid, udevd daemon, Internet keyboard, and so on. This rootkit is in the hardware.
I ran chkrootkit and rkhunter - they both confirmed the presence of a rootkit. There's a reference to *uckit also. And not suckit. Security apps do ok at detection but not eradication. As a noob every instruction manual is somewhat Greek. No one seems to have a 'remove rootkit' button. Not sure why.
Anyhow I know you can't read my computer without logs but if someone can tell me how to zap the video RAM on my GeForce 6150SE card and blank my BIOS (HPa6000n) that might be a start. Just to get the init out of startup...as soon as I power on I'm doomed...thanks all. Appreciate it
It's not a false positive when your hard drives are formatted automatically and your drivers are emasculated so you have no Internet access. I have 7 dead computers here. I can't get one of them revived. This rootkit is serious business that is costing me money.
From looking at syslogs, they emulate a video card, use PAM to get your password by working with a USB-configured device that captures your sudo password, they make 122 new groups that include your username (group added to /etc/gshadow: name=sammyj) and then change my name (sammyj) to "group floppy/25", "group tape/26"..."group sambashare/122".
Did you try to remove the backup battery and leave it out for a few minutes?
For flashing your BIOS I suggest visiting the manufacturer's website.
Some manufacturers provide a tool to do so and load the new BIOS program.
But please do it the correct way.
I know you can't read my computer without logs but
You're new to Linux. You are interpreting whatever it is you think you are seeing wrongly. That is a problem we can correct.
However it does not make sense to ask questions that will lead some here off on a treasure hunt.
So please stop asking questions and concentrate on answering questions posted here or ask how you can get us the information we need to help you.
Did you try to remove the backup battery and leave it out for a few minutes?
This would certainly not be the first advice I'd give any user and please be careful not to follow the OP on his treasure hunt. He hasn't provided any evidence so far, no "copious notes", no specific log messages, no tangible data from which we can discard false positives and chances are he's interpreting events wrongly. At this point the OP should only post when he's willing to cooperate our way.
Yes I removed my battery. I removed my hard drives. I removed my RAM and my lithium battery. I had to put some RAM back for the computer to start. I flashed my BIOS. I've tried everything. Even without hard drives the script runs. A little keyboard on the top left corner of my Windows machine pops up. It's a light something keyboard. My notes are furiously scribbled and handwritten - so sorry. No other alternative. On my Linux box the BIOS is shadowed and the video RAM is shadowed. If I am lucky enough to open a shell, ifconfig shows eth0 up even though the onboard LAN is disabled. A message pops up asking me to verify my video settings every 45 seconds. I wish I knew what to ask you to help me solve this. Apparently my router is fine because my TV works but I can't log in to it with any device or computer. Meanwhile chkrootkit says there are 12 confirmed TTY connections active.
There's a udevd daemon that installs --not sure what that is-- and then a RAID replaces my hard drives and then I have no bootmgr or way to use my hard drives. All of my gear is in pieces since I took out the wireless cards, batteries and all other devices that could be harboring the persistent code. Some of you sound like you think I am making this up. I've been trying to fix this for a week. I have a new library of Linux and Python manuals to my name. ps -ef shows an extraordinarily large nvidia entry and usbhid before the drive turns into a RAID. A few days ago I went and bought another copy of Ubuntu 10.04 and tried to reinstall it on a newly formatted laptop with no battery or wireless card or any software for that matter. Somehow a separate computer that I was trying to install Ubuntu Server on knew via dmesg or syslog that a RAID on the desktop Ubuntu was in progress; the thing is, the networking was totally off on both machines and they were not connected in any way.
The wireless cards were turned off because I had physically removed them. It's as if when a computer just has power it is vulnerable. That's what happened to my new computer today. First run and BAM - rootkit detected and every port open. It took me 2 hours to close them all in Windows 7 to no avail.