Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 17
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    lost+found directory hiding malware. How to delete?

    Because of being hacked, I had switched to live linux DVDs. My personal files are stored on FAT32Crackers have infected all of my personal files on my linux air gapped computers. My personal files are stored on FAT32 removable media. They are all executable.
    Numerous times, I have attempted offline to reformat my removable media to ext2 without journaling, copy my personal files and remove the executable. The crackers circumvent this by:
    (1) tampering with GParted to prevent Gparted from opening;
    (2) tampering with Gparted and Disk Utility by them not being able to format ext2 or they format to an unknown partition type;
    (3) When I do ext2 format, the crackers change the file permissions. I can no longer create new files or edit existing files.
    Nor can I reformat the removable media even using a library computer. I have had to replace approximately a dozen removable media.

    Last week, using a replacement laptop I just purchased, a Toshiba Portege R205, a fresh install of PCLinuxOS GNOME 2010.12, GParted formatted my micro SD card to ext2.
    I copied my personal files. Changed my plain text files from executable. I could not change some of my PDF files and none of my music files from being executable.

    Later, when I inserted my mico SD card, I discovered my personal files were deleted. I can neither copy files nor create new files.

    Properties of ext2 partition:

    957.1 MB used
    14.3 GB free
    Total capacity 15.2 GB
    Last changed: unknown

    File permissions of ext2 partition:

    Owner root: read, write and execute
    Group root: read and execute
    Others: read and execute

    957.1 MB used is the lost+found directory. Properties of lost+found directory:

    Contents: unreadable
    Free space: unknown

    File permissions of lost+found directory:

    Owner root: read, write and execute
    Group root: execute
    Others: execute
    Last changed: unknown

    This is not the first time crackers hide their malware in lost+found directories. A lost+found directory of
    957.1 MB is huge! I cannot delete it. Is there a way to format ext2, ext3 or ext4 without a lost+found directory or to delete it afterwards?

  2. #2
    I received a private message. I could not reply as I could not type into the body of the message. Thus, I am posting the private message and my reply here. Private message:

    "Are you running as root? If not, have you put in your password for sudo and have that password cached for a period of time?

    The data in the "lost and found" directory are placed there while doing "fsck" and are usually the results of hard power off (or removal of USB devices without umounting the device).

    When you are a normal user, the real system commands can not be modified without root access. However, they can put replacement commands into a location and use your PATH environment variable to cause them to be executed (found before the system copy). Open a terminal session and type in "echo ${PATH}" what is the output of that command?"

    My reply:

    When I log into the graphical desktop as root, I do not actually receive root privileges. It

    is fakeroot. I cannot change file permissions. For example, many of the /var/logs I do have

    file permissions to read.

    The hackers have remotely logged me out of my root session and prevent me from logging back

    in. They also remotely performed hard power offs while the laptop is plugged into an outlet.

    The hard power offs have partially destroyed two laptop batteries. The hackers tamper with

    power management and prevent laptop mode. I will be posting a thread on this with logs.

    I always attempt to unmount (eject) removable media. However, they are almost always 'busy.'

    I wait a few minutes and try to unmount again. they are still 'busy.' I yank them out.

    Yanking out removable media has not resulted in corrupting my data.

    The hackers repeatedly tamper with my newly created linux partitions to force me to continue

    using FAT32. They are attaching an undocumented alternate data stream that works in NTFS and

    FAT32. Moving my personal files to a linux partition breaks up the alternate data streams.

    Hence, they repeatedly destroy my files and linux partitions. They destroy the linux

    partition by either making it read only, prevent it from mounting and/or preventing me from

    repartitioning it. I have to replace my micro SD cards.

    I will perform the echo ${PATH} command and give you the output.

    Thank you for your help.

  3. #3
    I have been unable to perform the echo ${PATH} test because crackers have further tampered with my 'air gapped' Toshiba Portege R200 and Toshiba Portege R205. They ceased booting to the hard drive. The BIOS does not detect the hard drive.

    They ceased booting to live linux DVD using an external DVD writer. My 'air gapped' computers freeze. I tested my DVD writer using a neighbor's Sony laptop and at a library computer. The library computer freezes when I right click on the DVD writer.

    Hence, I purchased a replacement DVD writer. The blue indicator light of the DVD writer turns on while my laptop is turning on and then turns off. I returned the DVD writer.

    Crackers foiled my efforts to install linux on a flashdrive and on a micro SD card using unetbootin and my neighbor's Sony laptop.

    I had to commute to the library to use a library computer to write this.

  4. $spacer_open
  5. #4
    A couple of observations.

    You will not get write access to the live DVD.

    Some SD card readers will only do that. That is, only give read access to the card. Some SD cards have a write-protect tab on them. Some SD readers will foul the tab when you insert the card and switch the card to read-only.

    Get yourself a GParted live CD. Boot from it and re-partition and format your hard drive. Re-install your OS.

  6. #5
    voidpointer69, thanks for recommending using Gparted live CD. I will download it. My R200 and R205 laptops ceased booting to my external DVD writer and the replacement DVD writer I purchased. They still will boot to a flashdrive. I will try to borrow a computer to install Gparted on a flashdrive.

    Voidpointer69, you are correct that sometimes the write protection switch on SD cards gets switched to read-only when inserted into a card reader. Over time, the write protection switch becomes damaged and corrupts the SD card. That is why I switched from using SD cards to micro SD cards.

    While on battery power, I could format my micro SD card to ext2, copy my personal files to it and start making them nonexecutable. When I connect the AC power adapter to my laptops, the hackers change the file permissions to prevent me from writing, delete my files, infect lost+found directory and/or corrupt the micro SD card or flashdrive. I cannot reformat them. I have replaced over a dozen flashdrives and micro SD cards.

    Aren't users entitled to have file permissions to open to lost+found directory on their removable media?

  7. #6
    When using the live CD/DVD...

    The user is usually auto-logged in and its Id etc may not correspond to the user Id on your hard disc.

    No matter.

    Using the live CD/DVD, open up a terminal and issue the command "su" - obviously without the quotes. Live systems usually allow this with no password. If it requires one, try "admin" or something similar.

    Once logged in as root, issue command "fdisk -l (lower case ell). This should show you your discs and their partitions. You should be able to mount your hard drive partitions to some point on the CD/DVD, usually "mnt". Mount the partition that contains you personal data and you should have access (including write) to all the files and directories.

    If you have no wifi access to your box and no cable, then the only possible way in is via the power cord. This would require physical modification to your box in addition to software additions. Even if all that had been done, your attacker would need to be on the same power circuit as your box..

    Finally, get into your BIOS and have a look at what the boot options are. Note the priorities. .

  8. #7
    voidpointer69, the times I have been able to log in as root, it is fakeroot. I still don't

    have the file permissions to open lost+found or change the file permissions of my flashdrive

    or micro SD card.

    This week, I asked another person who had attempted to air gap a BadBIOS infected computer.

    We had air gapped our computers the same way by removing the wifi, microphone, conductive

    speakers, piezo electric two way transducer for the dial up modem and dial up modem. I also

    removed the bluetooth.

    I asked him to use a live linux CD to reformat a flashdrive to ext2. The first attempt, Disk

    Utility in live Tails went on and on and coudl not format. Second attempt, he formatted his

    flashdrive. He told me he too did not have the file permissions to open the lost+found

    directory. Is this normal? Or is it evidence that our computers are being hacked over


    Hackers have interdicted and implanted my laptops. I examined online photographs of powerline ethernet chips. None on my Toshiba Portege R200 and R205 have a powerline ethernet chip.

    After forensics is completed, I will post. If any one is interested in forensics, I will ship the motherboard to you. Please private message me. Thank you.

  9. #8
    Linux Guru
    Join Date
    Dec 2013
    Victoria, B.C. Canada
    Power lines can only carry network data when combined with special hardware at both ends. Your computer can't be hacked over a power line unless you are running a network over power lines and are plugged into a modem that filters the line and reads the modulating signal converting it into something your NIC card can use.

    It is not technically possible for someone to use the power cord plugged into your power supply to hack into your computer.

    You may choose to ignore this as you have ignored other comments on the failings of your arguments. I won't be responding to any further discussion of it. You either have your reasons for thinking you are being hacked or in some other way harassed or you don't. If you do I wish you well with it but suggest you focus on the possible not the fantastical. If you are simply a troll then all I can say is, good luck with that. It is your own life you are wasting.

  10. #9

  11. #10
    Several months ago a forum member replied to this thread by private messaging me: "When you are a normal user, the real system commands can not be modified without root access. However, they can put replacement commands into a location and use your PATH environment variable to cause them to be executed (found before the system copy). Open a terminal session and type in "echo ${PATH}" what is the output of that command?"

    It took several months to decide what replacement laptop to purchase that is th3e latest laptop not to have a secret bluetooth mesh in Intel 900's chipset. This month, I erroneously purchased an Asus 1005HA netbook which was released in 2009. I unsuccessfully air gapped it. I am donating the netbook and will replace it with a pre2008 laptop.

    I am being hacked on battery power.

    Using a public desktop computer, I installed Porteus KDE on a flashdrive. However, Asus 1005HA is booting to a tampered MATE shadow ISO. This MATE desktop has two partition editors (Gparted and KDE Partition Manager), two system monitors (KSysGuard and MATE System Monitor) and two file managers (Caja and Dolphin.) I deleted Porteus, redownloaded Porteus and booted to the identical shadow ISO.

    Though I set up a root account before downloading Porteus KDE at, I am logged into the graphical desktop as guest instead of root.

    guest@porteus:~$ whoami
    guest@porteus:~$ su

    This is fakeroot. Su grants no root privileges in the graphical desktop.

    root@porteus:/home/guest# echo ${PATH}

    What is the meaning of the echo ${PATH} output?

    Gparted could not format my brand new Patriot 32 GB micro SD card into ext2, ext3 nor ext4. Gparted froze. Active@Disk Editor detected hidden NTFS, exFAT boot sector, USF, HFS and LVM partitions.

    I wiped my brand new SD card with Western Digital Data Lifeguard Diagnostics. This tool can wipe protected area (PA) and GPT protected partitions that were on my removable media. 'GPT protective partition' erased by Western Digital Data Lifeguard Diagnostics but not DiskPart : badBIOS
    Western Digital's tool is the only hard drive manufacturers' tool to wipe GPT protective partition and most likely NSA's TWISTEDKILT's HPA in hard drives & protected area (PA) in removable media : badBIOS

    Gparted could not detect my Western Digital wiped SD card. KDE Partition Manager can detect my micro SD card. Can't format to ext2 nor ext3. Freezes. I deleted Porteus. Redownloaded Porteus. KDE Partition Manager could still not format ext2 nor ext3. Freezes.

    KDE Partition Manager could format to ext4. However, after formatting, KDE Partition Manager detected total size 29.32 GB. Available 27.8 GB. Used 1.52 GB. What is using 1.52 GB?

    Earlier in this thread, I reported Toshiba Portege R205 booting to PCLinuxOS GNOME had a's lost+found directory was 957.1 MB. Porteus' lost+found directory is even larger!

    Properties of lost+found folder:

    Contents: Unreadable
    Free space: unknown

    Owner root: read, write, execute
    Group root: execute
    Other: execute

    You are not root so you cannot change.

    Malware is hiding in the lost+found directory. I cannot delete it. Is there a way to format ext2, ext3 or ext4 without a lost+found directory or to delete it afterwards?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts