LinuxQuestions.org > Forums > Linux Forums > Linux - Security
02-13-2011, 07:16 AM   #16
unSpawn (Moderator)
> Originally Posted by Jackp27:
> I wish I knew what to ask you to help me solve this.
Easy. Boot any machine that has Linux installed on it (or boot from the Helix 2008R1 (2.0) ISO, MD5 hash 93a285bfa8ab93d664d508e5b12446d3, burned to CD-ROM) and uses a wired network connection, the usual way. For messages at the BIOS stage use the key combo procedure xeleema outlined in post #6 and make a screen shot with a digital camera or mobile phone camera; do the same for boot-time messages. Log in as usual and run any tools you would usually run. Make screen shots if the tool you run doesn't create a log file (rkhunter does) or if you can't make it create a log file (you would run chkrootkit as 'chkrootkit > /var/log/chkrootkit.log 2>&1;'), then collect logs and error messages and post them here (or attach them as plain text) or use any pastebin. Upload your screen shots to somewhere we can download them from (preferably without having to jump through hoops like with most free file hosters) or email me to discuss dropping them off.

Like I said before, chances are you are just interpreting things wrongly. Too much information at this point, and I mean everything we cannot use as "evidence", will cause confusion for some. So please do not post more information until we see your error messages, logs et cetera.


Thanks in advance.

Last edited by unSpawn; 02-13-2011 at 07:21 AM. Reason: //More *is* more
 
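The collection step described in the post above, as an added example that is not part of the original post (it is not an LQ, Helix, rkhunter or chkrootkit script): a POSIX shell function that runs the two scanners only if they are installed, copies the plain-text logs, records a few system facts and writes a SHA-256 manifest, plus a second function that checks a bundle against its manifest. It assumes GNU coreutils and findutils; the output layout and file names are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: bundle scanner output, boot and
# kernel messages and system logs into one directory with a SHA-256 manifest,
# so that what gets posted or pastebinned can be checked against what was
# collected. Assumes GNU coreutils/findutils; rkhunter and chkrootkit are
# only run if present. Directory layout and file names are assumptions.

collect_evidence() {
    # $1 = output directory (created), $2 = log directory (default /var/log)
    out=$1
    logdir=${2:-/var/log}
    mkdir -p "$out/logs" "$out/system" || return 1

    # Rootkit scanners with their output redirected to files, as the post says.
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --skip-keypress >"$out/rkhunter.log" 2>&1 || true
    fi
    if command -v chkrootkit >/dev/null 2>&1; then
        chkrootkit >"$out/chkrootkit.log" 2>&1 || true
    fi

    # Raw system facts; any of these may be unavailable (e.g. in a container).
    uname -a >"$out/system/uname.txt" 2>/dev/null || true
    dmesg >"$out/system/dmesg.txt" 2>/dev/null || true
    lsmod >"$out/system/lsmod.txt" 2>/dev/null || true
    ps -eo pid,ppid,user,etime,args >"$out/system/ps.txt" 2>/dev/null || true

    # Copy readable plain-text logs; rotated/compressed ones are skipped.
    find "$logdir" -maxdepth 1 -type f \
        \( -name '*.log' -o -name messages -o -name syslog -o -name secure -o -name dmesg \) \
        -exec cp -p {} "$out/logs/" \; 2>/dev/null || true

    # Manifest: one SHA-256 per file, sorted so the manifest is reproducible.
    ( cd "$out" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum >MANIFEST.sha256 )
}

verify_evidence() {
    # $1 = bundle directory. Returns 0 only if every file still matches.
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1 )
}
```

Run it as root, e.g. `collect_evidence /root/evidence-$(date +%F)`, then tar the directory and post the contents of MANIFEST.sha256 next to the pastebin or download link; whoever downloads the archive can run `verify_evidence` on it to confirm nothing changed on the way.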
02-13-2011, 08:37 AM   #17
citi (Member)
> Originally Posted by Jackp27:
> I bought a new computer to see if it would die as well and it did, quickly.
My name is Jacques Cadet aka "citi" and though I'm relatively new to Linux, I'm far from new to computers. You said you bought a new box and it died as well. How? Did you connect any of the old hardware to it, and if so, why? Do you have a DVD-RAM optical drive? Did you flash the RAM before connecting it to the new box? As a senior member said, memory holds nothing once the power is shut off, so it can't be that, unless one or more of the memory sticks is bad. If so, the data passing through them would be rearranged and therefore corrupt; I've had that problem once, and I just removed the faulty stick. The only other way I see this happening is if the bug lives on your network somehow, if at all possible.

Last edited by unSpawn; 02-13-2011 at 11:07 AM. Reason: //Fix quoting
 
02-13-2011, 09:21 AM   #18
saphil (LQ Newbie)
> Originally Posted by Jackp27:
> I bought a new computer to see if it would die as well and it did, quickly.
>
> Originally Posted by citi:
> My name is Jacques Cadet aka "citi" and though I'm relatively new to Linux, I'm far from new to computers. You said you bought a new box and it died as well. How? Did you connect any of the old hardware to it, and if so, why? Do you have a DVD-RAM optical drive? Did you flash the RAM before connecting it to the new box? As a senior member said, memory holds nothing once the power is shut off, so it can't be that, unless one or more of the memory sticks is bad. If so, the data passing through them would be rearranged and therefore corrupt; I've had that problem once, and I just removed the faulty stick. The only other way I see this happening is if the bug lives on your network somehow, if at all possible.
I agree at base with citi and others who say that RAM cannot hold any data if it is unpowered. I have seen an infection with similar symptoms to what jackp27 describes. If the network is infected, a newly attached machine is instantly infected. My experience was with the Code Red Trojan, which is simpler to remove than some of the newer trojans.

Wireless networks are different from wired networks, because Windows machines with wireless NICs also have zero-conf wireless access software. If there is a wireless signal present from the network, and the network is open (not encrypted), the new machine will auto-negotiate the network connection while it is booting up. Thus the new machine would exhibit the same infection from the moment it is first powered up, because Windows has shares that are invisible to the Windows user, such as C$, which let Windows machines communicate with other Windows machines.

To remove the infection, one would have to take down the wireless network and scan the target machine without ever letting it get in contact with the infected machines. Look in the registry of an example infected machine to see what is under these keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Any key value that is not entirely recognisable (meaning that you know what it is) should be researched (search for it on Google.com).
Trojans often produce trackable alphabet-soup .exe files to run themselves, and request downloads from the controller. Once you find a pattern and think you have a good idea what the choices might be, you go back to the software keys above and look for the possible names under:

HKEY_LOCAL_MACHINE\Software\
HKEY_CURRENT_USER\Software\

Modern blended threats often have a spyware component and a malware component, so you probably have to use a recent update of Spybot S&D, as well as a good AV, like Comodo or BitDefender.

Fix each box separately.
Put encryption on your wireless router, so boxes on the network cannot automagically connect.

How did the problem get there in the first place? Somebody came into the vicinity with an infected laptop, and it auto-negotiated the open network. All the machines that were already on the network were instantly infected. This vector could have been in your neighbor's house or apartment or in the street outside your house. This is not necessarily a planned attack. More likely it is a perfect storm of ignorance and proximity.

Without some actual evidence, that is as far as I can go.

Wolf

Last edited by unSpawn; 02-13-2011 at 11:07 AM. Reason: //Fix quoting
 
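The Run/RunOnce check in the post above, as an added example that is not the poster's own procedure: a shell/awk audit of a regedit export of those keys, flagging every value name that is not on a per-machine allowlist and marking names that look like the "alphabet soup" the post mentions (six or more characters with no vowel). It assumes the export was converted from regedit's UTF-16 to UTF-8 first (`iconv -f UTF-16 -t UTF-8 export.reg > run.reg`); the sample export, the allowlist and the value names in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit autostart entries from a
# regedit export (UTF-8). Assumptions: the export covers the Run/RunOnce keys,
# the allowlist is maintained per machine, and the sample data is invented.

audit_run_keys() {
    # $1 = .reg export (UTF-8), $2 = allowlist: one known-good value name per line
    # Output, tab-separated: status, key, value name, value data
    tr -d '\r' <"$1" | awk -v allow="$2" '
        BEGIN { while ((getline l < allow) > 0) ok[tolower(l)] = 1 }
        # Only Run and RunOnce keys matter; any other key resets the context.
        /^\[.*\\CurrentVersion\\Run(Once)?]$/ { key = substr($0, 2, length($0) - 2); next }
        /^\[/ { key = ""; next }
        key != "" && /^"[^"]+"=/ {
            name = $0; sub(/^"/, "", name); sub(/".*$/, "", name)
            data = $0; sub(/^"[^"]+"=/, "", data)
            status = (tolower(name) in ok) ? "known" : "UNKNOWN"
            # Random-looking: 6+ alphanumerics without a single vowel.
            if (status == "UNKNOWN" && length(name) >= 6 && name !~ /[aeiouAEIOU]/ && name ~ /^[A-Za-z0-9]+$/)
                status = "UNKNOWN/random-looking"
            print status "\t" key "\t" name "\t" data
        }'
}

write_sample_reg() {
    # Constructed export: one legitimate entry, one suspicious one, and a
    # non-autostart key that the audit must ignore.
    cat >"$1" <<'EOF'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"xkqvzpt"="C:\\Users\\Public\\xkqvzpt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"OneDrive"="\"C:\\Users\\jack\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
EOF
}

write_sample_allowlist() {
    # Constructed allowlist of value names the machine's owner recognises.
    printf '%s\n' SecurityHealth OneDrive >"$1"
}
```

Anything printed as UNKNOWN is what the post says to research before deciding; the random-looking tag is only a hint, since a legitimate vendor can also pick an ugly value name and malware can pick a pretty one.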
02-14-2011, 02:14 AM   #19
Jackp27 (LQ Newbie, Original Poster)
You are all very helpful and patient. I very much appreciate your input. The last thing to go down on my network was the dual wired/wireless router; when I went to change the admin password after realizing I was totally compromised, the tab on the browser said in mixed case "LOckED|Out", and no computers have yet been able to get a wired or wireless signal since then, a week ago. The new PC I bought is a Win7 Presario that had all the inbound ports open within 5 minutes. The 6150SE card still isn't showing up in Device Manager, but I immediately formatted the drives and haven't put any infected media in the machine. But the poster was right; it was a USB stick and the wireless network combo that sunk that cheap PC fast. I spent all day and night rebuilding my server with the cards pulled out and all but one RAM chip. There were 59 remote logins by the time the first install was finished, so I reformatted and started again. The next time went better, though, because I changed the ssh_config to 2 and made a private key. My last network was WEP encrypted, but now I know how useless that is. I will try and get some logs to post just as soon as I can. I shot a bunch of video, but it's HD and I'm bleary at 4am, so I'll get the real thing. One thing: I don't know why this seemed to help but it did: I bought a USB 3.5" floppy to boot DOS off from (manually locked), and after I booted once the init scripts went away. No more Internet keyboard being installed at startup or the RAM getting stuffed with PAM-enabled devices masquerading as my hardware passing off my passwords to other devices. It's funny to think now that I thought Pam was a real person. Thanks again for your time and support.
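A claim like the "59 remote logins" in the post above is exactly the kind of thing the log itself can settle: sshd writes one "Accepted ..." line per successful login and one "Failed password ..." line per failed attempt to /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Red Hat). The following is an added example, not code from the original poster or from LQ, that summarises those lines per source address, user and authentication method; the sample log lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: count sshd logins from an auth
# log. Assumes the standard OpenSSH log format; the sample below is invented.

summarize_ssh_logins() {
    # $1 = auth log file. Output, tab-separated:
    #   accepted <source ip> <user> <method> <count>   (one line per combination)
    #   failed-password <count>                        (total failed password attempts)
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            # e.g. "Accepted password for jack from 203.0.113.7 port 51622 ssh2"
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     src    = $(i + 1)
            }
            accepted[src "\t" user "\t" method]++
        }
        /sshd\[[0-9]+\]: Failed password for / { failed++ }
        END {
            for (k in accepted) print "accepted\t" k "\t" accepted[k]
            print "failed-password\t" failed + 0
        }' "$1"
}

write_sample_authlog() {
    # Constructed auth.log excerpt: two password logins and one key login for
    # jack, two failed root attempts, and an unrelated cron line.
    cat >"$1" <<'EOF'
Feb 14 03:12:01 server sshd[2201]: Accepted password for jack from 203.0.113.7 port 51622 ssh2
Feb 14 03:12:40 server sshd[2210]: Failed password for root from 198.51.100.23 port 40210 ssh2
Feb 14 03:12:43 server sshd[2210]: Failed password for root from 198.51.100.23 port 40210 ssh2
Feb 14 03:15:09 server sshd[2244]: Accepted publickey for jack from 192.0.2.10 port 2222 ssh2: RSA SHA256:constructedfingerprint
Feb 14 03:20:00 server sshd[2290]: Accepted password for jack from 203.0.113.7 port 51700 ssh2
Feb 14 03:21:15 server CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}
```

Running it as `summarize_ssh_logins /var/log/auth.log` gives a table that can be posted as evidence, with the source addresses and methods rather than a bare count. The "ssh_config to 2" in the post is the `Protocol 2` setting in sshd_config; once key authentication is in place, `PasswordAuthentication no` in sshd_config stops "Accepted password" lines from appearing at all, which makes any remaining one worth a look.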
 
02-14-2011, 04:40 PM   #20
win32sux (LQ Guru)
> Originally Posted by Jackp27:
> I will try and get some logs to post just as soon as I can.
Excellent. We look forward to it.
 
02-18-2011, 12:14 AM   #21
Jackp27 (LQ Newbie, Original Poster)
*update* Sorry for the delay, I'm still here. I managed to copy all my logs after resetting my router, and as I was pasting them into a pastebin last night (986k file) all of a sudden dozens of Firefox pages started opening and my system froze from the overload. This happened 3 times. Looking at the logs, I can tell you that I have a few malicious daemons that are loaded into the kernel at startup, and indeed the BIOS appears to have some code that executes on startup. From my research, it looks as if something is mimicking my nvidia driver to access DRM. I will post these logs as soon as I image my /etc directory and related inits in anticipation of questions about the logs (i.e. what does the syslogd say; cron inits; rcS.d, etc.). I had no idea Linux was so powerful; it appears my video card has a RAM disk with a tmpfs that indeed loads on startup before the vendor init, so perhaps some types of RAM are persistent? I'll post again as soon as practical. Thanks again.
 
02-22-2011, 01:28 PM   #22
Jackp27 (LQ Newbie, Original Poster)
Friends: the situation is I am auto-mounted to a root filesystem that I cannot disconnect from. I cannot format drives or change anything to escape from this remote filesystem that limits what I can do, because it executes on startup from the BIOS and the first and last MB on any bootable drives. When I reset my BIOS it simply gets my BIOS password and changes the configuration back. Ubuntu is a cracker's dream. On startup it grants administrative rights to a guest user through PolicyKit and copies all my drives while shadowing my every move through a remote console. This is how things were when I started this thread, but now I understand the mechanics of how I am totally at their mercy. Any changes to default settings quickly revert, and new software or hardware is modified to ensure they have control. I pulled out my wireless cards and I'm still somehow connected through the wired NIC that doesn't even have a cable installed. Any suggestions would be appreciated, because everything I've tried is futile.
 
02-22-2011, 02:33 PM   #23
TobiSGD (Moderator)
Just technically impossible. If you have no wireless card installed and also no cable plugged into your wired card, simply nobody can connect to your machine. Besides that, it will take days to copy hard disks of today's sizes through a network connection, and weeks through a simple ADSL connection.
 
02-22-2011, 05:22 PM   #24
slimm609 (Member)
For you to buy a new machine and have it compromised within minutes is also almost impossible, and would have to be a targeted attack that cannot be automated in any easy manner. Your BIOS is very limited in size, so the "alleged" attack vector would have to be perfectly coded to include some unpatched or 0-day attacks, with the ability to attack numerous operating systems and load payloads to infect the other machines. It is not technically possible to load everything needed into the BIOS. There is certainly something going on that is missing.

The Stuxnet worm was very complex (could be the most complex attack to date), with lots of time invested and targeting a specific group. What you are saying would be more technical than Stuxnet and would have to be done in a fraction of the size. Stuxnet was megabytes in size.

I have a very advanced motherboard and the latest BIOS is 1.5 MB in size.


If you look at the info from Wikipedia below, the attacks to date are very limited.

As others have stated, there is information that is missing or is being interpreted wrong.



> Quoted from http://en.wikipedia.org/wiki/BIOS
>
> CIH
> The first was a virus which was able to erase Flash ROM BIOS content, rendering computer systems unstable. CIH, also known as "Chernobyl Virus", appeared for the first time in mid-1998 and became active in April 1999. It affected systems' BIOS's and often they could not be fixed on their own since they were no longer able to boot at all. To repair this, Flash ROM IC had to be removed from the motherboard to be reprogrammed elsewhere. Damage from CIH was possible since the virus was specifically targeted at the then widespread Intel i430TX motherboard chipset, and the most common operating systems of the time were based on the Windows 9x family allowing direct hardware access to all programs.
> Modern systems are not vulnerable to CIH because of a variety of chipsets being used which are incompatible with the Intel i430TX chipset, and also other Flash ROM IC types. There is also extra protection from accidental BIOS rewrites in the form of boot blocks which are protected from accidental overwrite or dual and quad BIOS equipped systems which may, in the event of a crash, use a backup BIOS. Also, all modern operating systems like Linux, Mac OS X, Windows NT-based Windows OS like Windows 2000, Windows XP and newer, do not allow user mode programs to have direct hardware access. As a result, as of 2008, CIH has become essentially harmless, at worst causing annoyance by infecting executable files and triggering alerts from antivirus software. Other BIOS viruses remain possible, however[8]; since Windows users without Windows Vista/7's UAC run all applications with administrative privileges, a modern CIH-like virus could in principle still gain access to hardware.
>
> Black Hat 2006
> The second one was a technique presented by John Heasman, principal security consultant for UK based Next-Generation Security Software at the Black Hat Security Conference (2006), where he showed how to elevate privileges and read physical memory, using malicious procedures that replaced normal ACPI functions stored in flash memory.
>
> Persistent BIOS Infection
> The third one, known as "Persistent BIOS infection", was a method presented in CanSecWest Security Conference (Vancouver, 2009) and SyScan Security Conference (Singapore, 2009) where researchers Anibal Sacco [9] and Alfredo Ortega, from Core Security Technologies, demonstrated insertion of malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at every start-up, even before the operating system is booted.
> The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine or for the user on the operating system to be root. Despite this, however, researchers underline the profound implications of their discovery: "We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus."
 
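The size argument in the post above is sound, but the question "has my BIOS been modified" does not have to be argued at all; it can be measured by reading the flash chip back and comparing it with the vendor's image for the same version. The following is an added example, not code from the poster or from any vendor tool: the dump itself needs hardware access (flashrom is a real tool; `flashrom -p internal -r dump.bin`, run as root, reads the chip into a file, and the file names here are assumptions), so the function only does the comparison and reports how much differs and where. The test builds two constructed files instead of real firmware.

```shell
#!/bin/sh
# Added example, not from the original post: compare a firmware dump with the
# vendor image. Assumes GNU coreutils (sha256sum, cmp, wc); the dump comes
# from e.g. "flashrom -p internal -r dump.bin" and the vendor image from the
# board maker's update package for the same BIOS version.

compare_firmware_image() {
    # $1 = dump read from the board, $2 = vendor image of the same version
    # Prints one line; returns 0 only on a byte-for-byte match.
    dump=$1 ref=$2
    h1=$(sha256sum "$dump" | cut -d' ' -f1)
    h2=$(sha256sum "$ref" | cut -d' ' -f1)
    s1=$(wc -c <"$dump" | tr -d ' ')
    s2=$(wc -c <"$ref" | tr -d ' ')
    if [ "$h1" = "$h2" ]; then
        echo "match size=$s1 sha256=$h1"
        return 0
    fi
    # Count differing bytes and note the first 1-based offset. A few bytes in
    # the NVRAM/setup region are normal after changing BIOS settings;
    # differences spread through the code regions are not, and the offsets
    # tell which region they fall in once compared with the image layout.
    diffbytes=$(cmp -l "$dump" "$ref" 2>/dev/null | wc -l | tr -d ' ')
    first=$(cmp -l "$dump" "$ref" 2>/dev/null | head -n 1 | awk '{print $1}')
    echo "DIFFERS size=$s1/$s2 sha256=$h1/$h2 differing_bytes=$diffbytes first_at_byte=${first:-?}"
    return 1
}
```

Note that a dump almost never matches the download byte-for-byte, because the setup variables live in the same chip; the useful reading is the count and location of the differences, not the bare mismatch. Reading the chip with an external programmer rather than from the running OS avoids trusting the very firmware under suspicion.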
02-22-2011, 05:33 PM   #25
unSpawn (Moderator)
> Originally Posted by Jackp27:
> Any suggestions would be appreciated
We suggested everything already: you have to post tangible information.

Until you do you are not helping us help you.
 
02-22-2011, 05:38 PM   #26
Amdx2_x64 (Member)
Just because a rootkit is detected, it doesn't mean you actually have one.

If you are using Rootkit Hunter, it has been known in the past to have false (fake, untrue, misleading) results at times.

It sounds like it has something to do with your internet connection or router/hub/etc.

Also do a Google search (or Google Linux search) for all the words you notice, like Linux and udev, and so on (or, if you are using Rootkit Hunter, do it for "rootkithunter xizibit", etc.).

Last edited by Amdx2_x64; 02-22-2011 at 06:04 PM.
 
02-22-2011, 06:04 PM   #27
unSpawn (Moderator)
> Originally Posted by Amdx2_x64:
> linux xizibit

It appears you didn't read the whole thread, something you should do especially in this forum, or you made a spelling mistake: see my first reply.


> Originally Posted by Amdx2_x64:
> If you are using Rootkit Hunter, it has been known in the past to have false (fake, untrue, misleading) results at times.

Fake how? And BTW, if you know how to improve things, do tell.


> Originally Posted by Amdx2_x64:
> It sounds like it has something to do with your internet connection or router/hub/etc.

Then by all means do add the commands the OP should run to get you the diagnostic info to support your claim.
 
02-22-2011, 06:15 PM   #28
Amdx2_x64 (Member)
> Originally Posted by unSpawn:
> It appears you didn't read the whole thread, something you should do especially in this forum, or you made a spelling mistake: see my first reply.
>
> Fake how? And BTW, if you know how to improve things, do tell.
>
> Then by all means do add the commands the OP should run to get you the diagnostic info to support your claim.

???

> It appears you didn't read the whole thread, something you should do especially in this forum, or you made a spelling mistake: see my first reply.

Spelling mistake, you think?

> Fake how? And BTW, if you know how to improve things, do tell.

Which is why I said to do a Google search for those terms. It will bring up Rootkit Hunter information as well as what other things, like udev, are about. For example, a Google search for "Rootkit Hunter false positives" brings up this: https://encrypted.google.com/search?...itives&spell=1

> Then by all means do add the commands the OP should run to get you the diagnostic info to support your claim.

What sense does this make? If it is a hardware issue with the router, etc.... Again, what sense does this make?

I also wonder, if a router is being used, whether it has somehow been infected or if it is another issue with it. In which case the router manufacturer's website is the place to go.

The OP is new to Linux. Therefore I did two things: kept it simple, while showing that it would be faster and better to research it quickly first, maybe with different search terms, and then ask/learn, so it is quicker in the future to take care of this problem if it ever happens again.

Last edited by Amdx2_x64; 02-22-2011 at 06:24 PM.
 
02-23-2011, 01:33 AM   #29
Jackp27 (LQ Newbie, Original Poster)
Links to movies and logs

1. Feb22.zip - movie of startup - my computer boots off a remote root server
   https://docs.google.com/leaf?id=0B2Y...uthkey=CNKG1lI

2. logs
   https://docs.google.com/leaf?id=0B2Y...thkey=CIP6ys8K

3. logs
   https://docs.google.com/leaf?id=0B2Y...thkey=CNvhut8E

4. movie
   https://docs.google.com/leaf?id=0B2Y...thkey=CIOfguIE

5. movie
   https://docs.google.com/leaf?id=0B2Y...thkey=CITCy4QG
 
02-23-2011, 05:21 AM   #30
TobiSGD (Moderator)
OK, I had a look at your videos, and there is nothing wrong with your boot. It is a totally normal boot from a Live-CD (except that your system seems a little bit slow).
May I ask why you don't give us the logs, but your /etc and /sbin directories?
The logs (/var/log) would be much more useful.
 
  

