In November 2011, after booting to Privatix, a live German Tor distro, my linux boxes became infected with BadBIOS. BadBIOS infects burning of DVDs. Recently, I purchased two live Fedora 20 DVDs from a honest and nice Ebay seller. They are tampered. I don't believe the seller tampered them.

Fedora 20 has similar packages as the tampered Privatix.
http://www.linuxforums.org/forum/sec...tml#post950611

I could not find a list of preinstalled packages in Fedora 20 filesystem nor on Fedora's wiki. Could someone refer where to find it?

Is Privatix and Fedora injecting BadBIOS as microcode into the video card? Is Privatix and Fedora 20 PXE booting using squashfs, busybox and dracut? Are they keylogging keystrokes using AmigaOS and Atari keymaps to stream data via hamradio and GNUradio using the dialup modem's piezo electric two way transducer? I had removed the wifi card, conductive speakers and internal hard drive. Hard drives have a piezo transducer.

I will ship the Fedora 20 DVD to anyone interested in conducting forensics. Please PM me.

Fedora's clock is four hours behind using both computers.

Microcode can be a malicious firmware rootkit. Microcode injection in Tails a backdoor? : onions

Both Privatix and Fedora 20 are injecting microcode into the videocard of my HP Compaq Presario V2000. DMESG in terminal:

[ 3.192977] [drm] radeon: irq initialized. [ 3.192997] [drm] Loading R300 Microcode [ 3.193823] [drm] radeon: ring at 0x0000000060001000 [ 3.193847] [drm] ring test succeeded in 1 usecs [ 3.194191] [drm] ib test succeeded in 0 usecs [ 3.194723] [drm] Panel ID String: QDS [ 3.194726] [drm] Panel Size 1280x768

[ 52.754086] microcode: AMD CPU family 0xf not supported

Fortunately, this AMD processor does not support microcode.

The R300 radeon microcode injection by Privatix was fake microcode. I suspect the R300 radeon microcode in Fedora is also fake. The fake microcode is some type of firmware rootkit, possibly BadBIOS. Microcode injection in Tails a backdoor? : onions

Last week, I discarded my BadBIOS infected HP Compaq Presario V2000 and continued conducting forensics on the Fedora 20 DVD using a Dell Vostro 200.

Fedora 20 injected microcode into Dell Vostro 200 CPU:

[ 38.492840] microcode: CPU1 sig=0x6fd, pf=0x1, revision=0xa1 [ 38.493074] microcode: CPU1 updated to revision 0xa4, date = 2010-10-02 [ 38.493169] microcode: Microcode Update Driver: v2.00 tigran@aivazian.fsnet.co.uk, Peter Oruba

Fedora 20 file manager does not ask guest if want to open removable media. Guests has to click on activities > file manager > removable media.

Fedora 20 Disk Utility is tampered. Option to rename partition is missing.

Fedora 20 has no boot splash unless booting freezes in which case an error message is displayed. Boot splash can detect tampering that /var/logs do not. Boot splash should be the default setting for all linux distros.

/var/log is missing dmesg.log, kernel.log, messages.log, sys.log, etc. Of the logs that are in /var/log, the majority guests do not have the file permissions to read.

There is another /var/log at /run/media/_Fedora_Live_Desvar/log and /run/media/_Fedora_live_Des1/var/log

/var/boot.log: "Starting dracut mount hook... [[32m OK [0m] Started dracut mount hook. [[32m OK [0m] Reached target Initrd Default Target.

Welcome to [0;34mFedora 20 (Heisenbug)[0m!

[[32m OK [0m] Stopped Switch Root. [[32m OK [0m] Stopped target Switch Root. [[32m OK [0m] Stopped target Initrd File Systems. [[32m OK [0m] Stopped target Initrd Root File System. Starting Collect Read-Ahead Data... [[32m OK [0m] Reached target Login Prompts. [[32m OK [0m] Reached target Remote File Systems."

A search for‘busybox’ in filesystem found: 05busybox folder located: /usr/lib/Dracut/modules.d

Both Fedora 20 and Privatix have many unknown file types in their filesystems. For example, var/log.boot.log: Starting Load/Save Random Seed... I searched 'seed' in filesystem: seed type: unknown location: /usr/lib/seed-gtk3

Search for 'initrd' in filesystem found:

initrd-plymouth.img type: unknown location: /boot initrd0.img type: unknown location: run/initramfs/live/isolinux

Search for 'squashfs' found: squashfs.img type: unknown location: /run/initramfs/live/LiveOS

Search for 'pxe' in filesystem found:

pxeboot.img type unknown location: /usr/lib/grub/i386-pc pxe.pyc type:unknown location: /usr/lib/python2.7/site-packaes/sos/plugins

Dragos Ruiu, discoverer of BadBIOS, noted an increase in 8 bit fonts. Fedora 20 and Privatix have preinstalled hamradio and 8 bit packages: Amiga, MacIntosh, MacOS, lilypond (sheet music for MacOS), atari and TOS (Atari's operating system). German Tor CD has PXE server streaming Amiga Soundtracker audio, multiple squashfs, multiple busybox, preseeds & initrd.imgs : onions

Fedora 20's atari files at:

atari type: folder location: /usr/lib/kbd/keymaps/legacy ataritt type: text location: /usr/share/X11/xkb/geometry attaritt type: text location: /usr/share/X11/xkb/keycodes attaritt type: text location: /usr/share/X11/xkb/symbols/xfree68_vndr
atari-de-map.gz type: archive location: /usr/lib/kbd/keymaps/legacy/atari
atari-se.map.gz type: archive location: /usr/lib/kbd/keymaps/legacy/atari
atari-us.map.gz type: archive location: /usr/lib/kbd/keymaps/legacy/atari atari-uk-falcon.map.gz type: archive location: /usr/lib/kbd/keymaps/legacy/atari

A search for TOS (Atari's operating system)found:

fonttosfnt type: executable location: /usr/bin libxt_
tos.so type: shared library location: /usr/lib/xtables libgtossaudio.so type: shared library location: /usr/lib/gstreamer-0.10
libgtossaudio.so type: shared library location: /usr/lib/gstreamer-1.0

Nintendo files at:

x-nintendo-ds-rom.xml type: markup location: /usr/share/mime/application
vnd.nintendo.snes.rom.xml type: markup location: /usr/share/mime/application

All the amiga files have the word 'amiga' in them:

part_amiga.mod type: amiga soundtracker audio (audio/x-mod) location: /usr/lib/grub/i386-efi
part_amiga.mod type: Amiga SoundTracker audio (audio/x-mod) location: /usr/lib/grub/i386-pc part_amiga.module type: object code location: /usr/lib/grub/i386-efi
part_amiga.module type: object code location: /usr/lib/grub/i386-pc
amiga type: folder location: /usr/lib/kbd/keymaps/legacy amiga-de.map.gz type: archive Location: usr/lib/kbd/keymaps/legacy/
amiga-us-map.gz type: archive Location: usr/lib/kbd/keymaps/legacy

Are AmigaOS and Atari keylogging keystrokes to stream data using audio and hamradio or GNURadio?

A search for 'MacIntosh' files found:

MACINTOSH.so type: unknown location: /usr/lib/gconv MACINTOSH.gz type: archive location: /usr/share/i18n/charmaps
MACINTOSH.so type: unknown location: /run/media/liveuser/_Fedora-Live-Des1/usr/lib/gconv
MACINTOSH.so type: unknown location: /run/media/liveuser/_Fedora-Live-Des/usr/lib/gconv
MACINTOSH.gz type: archive location: run/media/liveuser/_Fedora-Live-Des1/usr/share/i18n/charmaps
MACINTOSH.gz type: archive location: run/media/liveuser/_Fedora-Live-Des/usr/share/i18n/charmaps
macintosh_vndr type: folder location: /run/media/liveuser/_Fedora-Live-Des1/usr/share/X11/xkb/symbols

A search for MacOS found:

20macosx type program location: /usr/libexec/os-probes/mounted
macosx.html type: text location: /usr/share/doc/cyrus-sals-lib
macosxSupport.pyc type: unknown usr/lib/python2.7/idlelib macosxSupport.pyo type: unknown /usr/lib/python2.7/idlelib macos.xml type: markup /usr/share/libosinfo/db/oses macosxSupport.cpython-33 type: unknown /usr/lib/python3.3/idlelib/pycache
macosxSupport.cpython-33 type: unknown usr/lib/python3.3/idlelib/pycache

A search for lilypond (sheet music for MacOS) found:

lilypond.lang type: text location: /usr/share/highlight/langDefs x-lilypond.xml type: markup location: /usr/share/mime/text

A search for 'hamradio' in filesystem found:

hamradio type: folder location: /usr/lib/modules/3.11.10-301.fc20.i686/extra/drivers/net
hamradio type: folder location: /usr/lib/modules/3.11.10-301.fc20.i686/extra/drivers/net

Is BadBIOS using 8 byte operating systems such as MacIntosh, MacOS, lilpond via hamradio?

Gedit text editor tampering:

Gedit is missing 'Preferences' in the 'Edit' tab. Gedit is mising 'Help' tab in the menu. Therefore, no 'Contents' and 'About' tabs.

After guest edits a text file on removable media, a hidden backup file is created and permanently saved on removable media. Fedora does not detect the permanent backup file as a backup file. Type: unknown

Timestamps of the backup files go backwards in history. First backup file has today's date, June 5, 2014. The others created on same date are dated March 12, 2014, February 7, 2013 and November 14, 2012.

Both Fedora 20 and Privatix copies entire photographs from guests' removable media. German live Tor distro has xulrunner, webinspector, eMusic & duplicates personal files : onions. After guest opens a folder on removable media containing photographs and opens one of the photographs, Fedora 20 takes a screenshot of all the photographs in the folder. The 43 hidden thumbnails is at home/liveuser/.cache/thumbnails/large.

In home/liveuser/.cache/thumbnails/fail/gnome-thumbnail-factory are 60 hidden pngs. They are solid black. Possibly failed attempts to take webcam screenshots. HP Compaq Presario V2000 does not have a external webcam. I removed the conductive speakers. Yet, Privatix's boot splash detected:

input: PC Speaker as /devices/platform/pcspkr/input/input5 Linux video capture interface: v2.00 uvcvideo: Found UVC 1.00 device USB2.0 UVC VGA WebCam (13d3:5702) input: USB2.0 UVC VGA WebCam as /deices/pci0000:00/0000:00:1d.7/usb1/1/-6/1-6:1/0/input/input6 usbcore: registred new interface driver uvcvideo USB Video Class driver (v.0.1.0) (drm) Initializing drm 1.1.0

I wish Fedora's default boot would display boot splash.

home/liveuser/.local/share/gvfs-metadata. Contains root log, three uuid logs, etc. Clicking on the logs does not bring up gedit.

systemctl detected three virtual blocks k-dm/x2d0 - x2d2 and four virtual blocks loop0 - loop4

Disk Usage Analyzer detected:

Other devices:

4.3 GB Block Device /dev/mapper/live-rw volume: _Fedora-Live-Des mounted at Filesystem Root

4.3 GB Block Device /dev/mapper/live-base mounted at /run/media/Liveuser/_F

4.3 GB Block Device /dev/mapper/lilve-osming-min

8.2 KB Loop Device /osmin.img(deleted) Volumes: squashfs Location: /run/media/liveuser/disk1

1.3 MB Loop Device /osmin volumes: DM-snapshot-cow device: /dev/loop1

930 MB Loop Device /run/initramfs/live/Live volumes: squashfs Mounted: /run/media/liveuser/disk Cannot scan: "permission denied"