  1. #1 Just Joined! (Join Date: May 2014, Posts: 56)

    BadBIOS infected German Tor DVD has preseeds. Root pwned.


    This thread is part three: preseeds and file permissions. The first two parts are: 'Fake browser plugins in live linux DVDs' in the Security section and 'BadBIOS infected linux distros have multiple squashfs, busybox initrd' in the Security section.

    Bartsimpson and Xii did not report on finding a preseed file in PartedMagic, UBCD and DEFT. I will ask them to search.

    Linux distros should not have a preseed. Privatix 11.04.11, a German Debian remix Tor CD, has several preseeds. Boot splash message displays loading a squashfs and then loading a preseed.
    Screenshots are at 'German Tor CD has PXE server streaming Amiga' in /r/onions subreddit of reddit.

    /live/image/live.log:

    Begin: Running /scripts/live-premount ... done.
    Begin: Running /scripts/live-realpremount ... done.
    Begin: Mounting "/live/image/live/filesystem.squashfs" on "//filesystem.squashfs" via "/dev/loop0" ... done.
    done.
    Begin: Running /scripts/live-bottom
    ... Begin: Configuring fstab ... done.
    Begin: Preconfiguring networking ... done.
    Begin: Loading preseed file ... done.
    No default user for accessibility options.
    done.

    While in the computer directory, I searched for 'preseed'. There are two 24preseed files, six lb_chroot_local-preseeds files and two live-preseed files.

    24preseed > right click to select properties:

    Type: shell script
    Size: 980 bytes
    Location: /media/disk/usr/share/initramfs-to
    Accessed: Tue 01 Feb 2011 09:52:00 PM UTC
    Modified: Tue 01 Feb 2011 09:52:00 PM UTC

    Permissions:
    Owner root: read and write and execute
    Group root: read-only and execute
    Others: read-only and execute
    SELinux context: unknown
    Last changed: unknown
    You are not the owner, so you cannot change these permissions.

    The second 24preseed > right click to select properties:

    Size: 980 bytes
    Location: /usr/share/initramfs-tools/scripts/li
    The rest of the information is identical to the first 24preseed.

    There are six lb_chroot_local-preseeds files. Two are shell scripts, located at /media/disk/usr/share/live/build/sc and /usr/share/live/build/scripts/build.

    Four lb_chroot_local-preseeds are gzip archives, located at /media/disk/usr/share/man/de/m, /media/disk/usr/share/man/man1/usr/share/man/de/man1 and /usr/share/man/man1.
    Volume: unknown

    Two live-preseed shell scripts. Both are 506 bytes:
    First live-preseed file location: /media/disk/usr/share/live-boot
    Volume: unknown
    Accessed date, modified date and permissions are the same as above.

    Second live-preseed file location: /usr/share/live-boot

    File permissions

    Users do not have the file permissions to read many of the file system files. Nor do users have permission to extract .gz files.

    Privatix's root is pwned. The live DVD has no option to log into the graphical desktop at boot as root. After logging out, guests cannot log back in because a password is required. Privatix's website does not disclose a password. After logging out, there is no option to switch to root.

    System > Administration > Users and Groups > Users Settings:

    Account type: Custom
    Password: Asked on login

    Screenshots of the preseeds are at 'German Tor CD has PXE Server Streaming Amiga' in the /r/onions subreddit of reddit.
    Last edited by BadBIOSVictim; 05-18-2014 at 07:59 PM.
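    The post above reads path, size, owner and mode for each preseed file off a properties dialog, one file at a time, and judges the second copy of each file "identical" by eye. The following shell functions are an added example, not part of the post and not code shipped by Privatix, live-boot or live-build, that produce the same information in a form that can be diffed: preseed_manifest walks one root (for example the mounted DVD at /media/disk, or the running live root /) and prints, for every file whose name contains "preseed", its path relative to that root, size in bytes, octal mode, owner:group and SHA-256; preseed_roots_match compares the manifests of two roots so that any preseed file that differs between the media and the running system stands out. The function names, the '*preseed*' pattern and the use of GNU coreutils (stat -c, sha256sum) are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the forum post or any distribution): fingerprint every
# file whose name contains "preseed" under a root, in a diffable form.
# Assumes GNU coreutils (stat -c, sha256sum). Paths are printed relative to the
# root so that manifests of two roots (mounted DVD vs. running live root) line up.

preseed_manifest() {
    root=${1%/}   # drop a trailing slash so relative paths match between roots
    # One line per file: relpath size mode owner:group sha256, sorted bytewise
    # so two manifests can be compared line by line.
    find "$root" -type f -name '*preseed*' 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$root"}
        size=$(stat -c '%s' "$f")
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s %s %s\n' "$rel" "$size" "$mode" "$owner" "$sum"
    done
}

# Compare the preseed manifests of two roots. Returns 0 when every preseed file
# is present in both trees with the same size, mode, owner and content; prints
# both manifests and returns 1 otherwise.
preseed_roots_match() {
    a=$(preseed_manifest "$1")
    b=$(preseed_manifest "$2")
    [ "$a" = "$b" ] && return 0
    printf '<< %s\n%s\n' "$1" "$a"
    printf '>> %s\n%s\n' "$2" "$b"
    return 1
}

# Typical use on the live system (roots are assumed):
#   preseed_manifest /media/disk
#   preseed_roots_match /media/disk /
```

    Run from a terminal on the live system, preseed_roots_match /media/disk / prints nothing when the copies on the DVD and in the running root are the same files; a non-empty result pins down exactly which file differs and how, which is more useful to other readers than a screenshot of a properties dialog.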

  2. #2 Linux Engineer (Join Date: Dec 2013, Posts: 1,378)
    Before anyone gets too excited: 4 reasons BadBIOS isn't real | Security - InfoWorld
    Researcher skepticism grows over badBIOS malware claims | Ars Technica

    badBIOS may be real, but no-one has seen any evidence of it other than Dragos Ruiu, and when people have examined the software he claims holds the proof, it has mysteriously been tampered with, removing the evidence he found.

    Ruiu is highly respected in the industry, but it has been some time since it was first reported and there is still no real evidence of its existence.

  3. #3 Just Joined! (Join Date: May 2014, Posts: 56)
    gregm, you cited an old article. See the new research in 'Evidence of BadBIOS ultrasonic hacking' in the r/badBIOS subreddit of reddit.

    NSA developed GENIE which is BadBIOS.

  4. #4 Just Joined! (Join Date: May 2014, Posts: 56)
    I apologize for citing the wrong location of the live.log I quoted. Please replace /live/image/live.log with /live/cow/var/log/live.log.

  5. #5 Just Joined! (Join Date: May 2014, Posts: 56)
    Edit: Last night, I replied to someone's comment who read this thread after posting his own thread on firmware rootkits in this security section. After reading my reply below, he replied back that his computer was infected after he had downloaded Parted Magic. His thread and his two replies were deleted by this morning, May 27, 2014.

    See the badbios subreddit on reddit.
    Last edited by BadBIOSVictim; 05-27-2014 at 01:37 PM.

  6. #6 Just Joined! (Join Date: May 2014, Posts: 56)
    Edit: This comment was to answer another member's question for information on GENIE. I answered the question last night, but by this morning their question was deleted.

    The Evidence of BadBIOS thread in the badBIOS subreddit of reddit referred to page 60 of the NSA documents in Glenn Greenwald's book Nowhere to Hide.
    Last edited by BadBIOSVictim; 05-27-2014 at 01:35 PM.

  7. #7 Just Joined! (Join Date: May 2014, Posts: 56)
    Zakarro's comments from yesterday were deleted. Fortunately, linuxforums.org notifies subscribers of new comments and includes the new comment in the body of the emails. I am copying and pasting the emails:

    Zakarro 5/26/2014:
    "Laugh, are you going to say Blue Pill is a myth too?

    I also believe I am a victim of firmware based bios and still am, heck they are probably watching everything I am doing right now.

    I'm stuck here and don't know what to do. Happened to me 2 years ago as well, warrantied all hardware and also spent money for a new work pc since that wasn't covered by warranty anymore. Anything that can be written to can be infected that includes ALL Firmwares whether they be motherboard, CPU, RAM, PCI cards ANYTHING."

    I commented: "see badbios subreddit in reddit."

    Zakarro 5/26/2014:
    "I avoid reddit like the plague but I'll check it out. thx"

    Zakarro 5/26/2014:

    "Interesting, I use a live parted magic cd I made from an ISO I downloaded from their main site when it was still free.

    I'm sure you have seen my other posts here concerning being infected with a firmware virus. You think this may have caused it? I'm not sure what version of parted magic is all I have is that I marked the date Jan '13 on the CD."

    Last night I read a thread by Zakarro in this Security section. This morning, it had been deleted.

    Last night, Zakarro private messaged me and asked me to reply. I tried to private message him. Error message: "Zakarro has chosen not to receive private messages or may not be allowed to receive private messages. Therefore you may not send your message to him/her."

    I never received a notification for the comment for a reference to GENIE. So, I cannot retrieve the comment from my email account. I do not remember the person's name. He joked about Snowden and Putin.

    My answer was: "The Evidence of BadBIOS thread in the badBIOS subreddit of reddit referred to page 60 of the NSA documents in Glenn Greenwald's book Nowhere to Hide."
    Last edited by BadBIOSVictim; 05-27-2014 at 09:25 PM.

  8. #8 nihili, Linux Newbie (Join Date: Dec 2013, Posts: 212)
    i have read that evolving chatty conversation between zakarro and badbiosvictim, and although i don't approve of this sort of chat-like "powerposting", i did not see anything that would require the removal of these posts.

    at least an explanation by admin would be appropriate, not only for the affected users but also for other readers. because now it really looks a little bit like biased censorship.

    that said, i do not in any way agree with the original posters claims.
    but so far i've seen nothing that would require admin intervention.

    explanation, please?

  9. #9 Just Joined! (Join Date: May 2014, Posts: 56)
    nihili, thank you.

    Instead of starting part four as a separate thread, I will post other findings here. I hope members will scroll down to read this.

    PCLinuxOS FullMonty 2013.04, purchased from OSDisc.com, also has:
    71 Amiga soundtracker files with a .uni file extension, location: /union/usr/lib/kbd/unimaps
    amiga-de.map.gz and amiga-us.map.gz at /union/usr/kbd/keymaps/amiga
    atari files at /usr/share/keymaps
    commodore 64 audio sid files
    Macintosh, MacOS and LilyPond for MacOS
    hamradio
    radio
    kismet

    Amiga, MacOS and atari are 8 byte. Dragos Ruiu found that BadBIOS used 8 byte fonts. Initially, Amiga was written for musical keyboards. Amiga is keystroke logging via sound and bluetooth and via speakers and ultrasound.

    I took screenshots of the above mentioned files in PCLinuxOS. Since I have posted only three times in this forum, I am not allowed to link. When I have time, I will post a thread in reddit with links to the screenshots.

    How I discovered these files in PCLinuxOS was that I first discovered them (except for kismet and Lilypond) in Privatix, a German Tor distro. Privatix has multiple filesystems. Links to screenshots to Privatix and a link to a screenshot of PCLinuxOS FullMonty are in thread titled 'German Tor CD has PXE streaming Amiga Soundtracker audio' in onions subreddit of reddit.

  10. #10 Linux Engineer (Join Date: Apr 2012, Location: Virginia, USA, Posts: 899)
    Quote Originally Posted by nihili:
    i have read that evolving chatty conversation between zakarro and badbiosvictim, and although i don't approve of this sort of chat-like "powerposting", i did not see anything that would require the removal of these posts.

    at least an explanation by admin would be appropriate, not only for the affected users but also for other readers. because now it really looks a little bit like biased censorship.

    that said, i do not in any way agree with the original posters claims.
    but so far i've seen nothing that would require admin intervention.

    explanation, please?
    He was banned/deleted for saying vulgar things in other threads. I guess the mods decided to delete all of his posts rather than sort through them one by one, as he was a brand new user.

