Old 02-16-2008   #1 (permalink)
mjolnir
Just Joined!
 
Join Date: Jan 2008
Location: Fullerton,CA
Posts: 13
Am I hacked? Help on how to know and protect myself

I am and have been the target of hackers hired by a world-wide multi-million dollar company after a Wikipedia slip exposed my IP, and a bunch of things that they didn't want people to know were exposed. It has been years since, and if I plug my system into the internet on a Windows (XP, Vista) OS, within seconds my computer is hacked. I tried all firewalls (Norton, ZoneAlarm), nothing.

So I'm on SUSE because of the security, but recent issues have caused me to think about whether I'm still being hacked.

First, my system is all default settings because I'm a noob, and my system was installed a few days ago using the network method (opensuse.org, 10.3 repo). I do all updates. I don't download anything, no p2p, no crazy sites, I just browse the internet in Firefox and do my work. I had my system kinda crash ("kinda" because not like Windows would), but YaST wouldn't open, I couldn't shut down the computer, most programs, if they did anything at all, would display a blank screen, but I was able to log out and did. I then logged in as root but wasn't asked for my password; that never happened before, I didn't set autologin or anything. It went to the "are you sure" prompt, I clicked continue but just got a grey screen. Now when my SUSE starts up it's a lot slower than before, and the system up-to-date icon takes a really long time to check.

I should mention that the only thing I've installed is the codecs that SUSE referred me to when I tried to play an MPEG, that's it. What I was doing when this happened: I was browsing in Firefox, had Banshee running and was taking notes using Tomboy (coincidentally, stuff about the company's corruption). I was trying to quit Banshee but it wouldn't, when I noticed all these problems started cascading.

Any way to know if my system is hacked? I know I have to reinstall because it's not running right. But are there ways to know if an IP is pinging or portscanning me, or other ways to monitor what's going on on the internet?

Any help or info is much appreciated, Thanks.
mjolnir is offline   Reply With Quote
Old 02-16-2008   #2 (permalink)
gogalthorp
Linux Guru
 
gogalthorp's Avatar
 
Join Date: Oct 2006
Location: West (by God) Virginia
Posts: 1,659
This sounds more like hard disk corruption.

Press Esc when booting; it will then show the details.

You should run a low level disk test program like SpinRite ( note this is not a free program) to test and correct sector level problems.
gogalthorp is offline   Reply With Quote
Old 02-17-2008   #3 (permalink)
mjolnir
Just Joined!
 
Join Date: Jan 2008
Location: Fullerton,CA
Posts: 13
OK, thanks, you're probably right, because I did some partitioning before installing SUSE; I might have done something wrong. I always press Esc to see if everything is OK, but most of the info that goes by I have no idea about, and it goes by way too quick.

Hey, I have a boot disk, UBCD; would that have anything that would help me? Or is there something else I can do?
mjolnir is offline   Reply With Quote
Old 02-17-2008   #4 (permalink)
Jonathan183
Linux Engineer
 
Join Date: Oct 2007
Location: Bristol, UK
Posts: 1,003
gogalthorp is probably right ... there are a couple of things you should do though ...
1. do not log in as the root user unless this is absolutely essential; in particular, don't log in as root when on the net.
2. if you think the system has been compromised, back up data files only and do a clean install.
3. a chkrootkit scan is probably worth doing every now & then ... do the first scan after a clean install and save the output to log files, so if necessary you can compare things in future.
Jonathan183 is offline   Reply With Quote
Old 02-17-2008   #5 (permalink)
Dapper Dan
Trusted Redneck
 
Dapper Dan's Avatar
 
Join Date: Oct 2004
Location: The Sovereign State of South Carolina
Posts: 3,370
Send a message via AIM to Dapper Dan
Hi mjolnir, on the other... assuming your IP address is static, why don't you simply ask your ISP to give you a new address? Or are you running DHCP? If so, shut the machine off overnight. In the morning when you boot up, you should be assigned a new IP address.

A few things you can do:

Run nmapfe to see which ports are open and closed. You can download it from YaST if it isn't installed. Also run rkhunter, a command-line utility that looks for rootkits and other malicious programs. To run:
Code:
rkhunter -c -sk --display-logfile
To see if any ports have possibly been tampered with to listen that shouldn't be:
Code:
netstat -ltun
Have a close look at /var/log/messages to see if there is something amiss there, like someone entering through ssh (port 22). Having a router configured for security is also a good idea. There are other things you can do, but that should give you enough to keep you occupied for now.
__________________
Distro: Crux 2.3 Window Manager: IceWM Registered Linux User: #371367 New to Linux? Frustrated? Please read this.
Dapper Dan is offline   Reply With Quote
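The /var/log/messages check suggested above can be automated. The script below is an added example (not from the post or any SUSE tool): it picks out sshd authentication lines from syslog-style text, counts failed logins per source address, and lists successful logins, flagging root logins and addresses that fail repeatedly. The log lines, hostname and addresses are constructed for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample of sshd lines as they appear in /var/log/messages
# (syslog format; hostname, PIDs and addresses are made up for this example).
SAMPLE_LOG = """\
Feb 17 01:12:03 suse sshd[4211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 17 01:12:05 suse sshd[4211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 17 01:12:09 suse sshd[4213]: Invalid user admin from 203.0.113.7
Feb 17 01:12:09 suse sshd[4213]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb 17 01:13:41 suse sshd[4220]: Accepted password for mjolnir from 192.168.1.20 port 40122 ssh2
Feb 17 01:15:00 suse kernel: eth0: link up
Feb 17 01:20:17 suse sshd[4231]: Accepted publickey for root from 203.0.113.7 port 51300 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def summarize_ssh_auth(log_text, fail_threshold=3):
    """Summarize sshd authentication events found in syslog-style text."""
    failed_by_ip = Counter()   # failed logins per source address
    failed_users = set()       # user names that were tried and failed
    accepted = []              # (user, source ip, auth method) for successes
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failed_by_ip[ip] += 1
            failed_users.add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    return {
        "failed_by_ip": dict(failed_by_ip),
        "failed_users": sorted(failed_users),
        "accepted": accepted,
        # successful root logins deserve a second look (post #4: don't use root on the net)
        "root_logins": [a for a in accepted if a[0] == "root"],
        # addresses failing at least fail_threshold times look like password guessing
        "suspicious_ips": sorted(ip for ip, n in failed_by_ip.items() if n >= fail_threshold),
    }

if __name__ == "__main__":
    # Usage: python ssh_auth_summary.py /var/log/messages (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize_ssh_auth(text).items():
        print(f"{key}: {value}")
```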
Old 02-17-2008   #6 (permalink)
mjolnir
Just Joined!
 
Join Date: Jan 2008
Location: Fullerton,CA
Posts: 13
No, I never log in as the root user when connected to the net.

I'm wondering how to fix my partitions and get a clean install.

And also, what tools do you use in SUSE to monitor your network to see if IPs are pinging you or trying to portscan or something?
mjolnir is offline   Reply With Quote
Old 02-17-2008   #7 (permalink)
mjolnir
Just Joined!
 
Join Date: Jan 2008
Location: Fullerton,CA
Posts: 13
Thanks gogalthorp and Dapper Dan

But to Dapper Dan: I do use DHCP through a router, and I will always get hacked if running Windows, even with ZoneAlarm on Vista; XP doesn't matter. I tried so many things for months and regardless, within seconds I'm hacked.

If there is an actual way to hide from whoever, I would be ecstatic and could run a Windows and SUSE system, because I like things about SUSE a lot but haven't been able to run Windows for a while. If that's possible, please let me know how.
mjolnir is offline   Reply With Quote
Old 02-17-2008   #8 (permalink)
Jonathan183
Linux Engineer
 
Join Date: Oct 2007
Location: Bristol, UK
Posts: 1,003
Quote:
No, I never log in as the root user when connected to the net.

I'm wondering how to fix my partitions and get a clean install.

And also, what tools do you use in SUSE to monitor your network to see if IPs are pinging you or trying to portscan or something?
Download the DVD or CD (from the openSUSE website) to do the install from. You can confirm the MD5 checksum before you burn the CD (the MD5 checksums are on the openSUSE website).

Back up the data you want and wipe the partitions; if you need Windows as well, do a fresh install of that from the Windows installation media (I don't use Windows on the web, but do have machines set up to dual boot).

Ed: I'd always wipe the disk on a compromised system & do a fresh install. Restore only the data you need back to the hard drive; otherwise you increase the risk of compromising the freshly installed system. Use new user logins and passwords for all users, and especially change the root user password.

Make sure you have the firewall enabled and your web access is considered an external zone (you set up the firewall during the install).

I don't monitor for portscans, but I do a chkrootkit scan fairly regularly & compare the scan log from the initial install with the latest scan.
Jonathan183 is offline   Reply With Quote
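The baseline-and-compare routine described in posts #4 and #8 (save the chkrootkit output after a clean install, compare later scans against it) is easy to script. This is an added example, not part of the thread or of chkrootkit itself: it parses the "Checking `name'... status" lines chkrootkit prints and reports which items changed status, appeared, or disappeared. Both scan outputs are constructed for the example; a status change is a prompt to investigate, not proof of infection (here `sshd` changes only because openssh was installed after the baseline).

```python
import re

# Constructed baseline saved right after the clean install.
BASELINE = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `chfn'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `netstat'... not infected
Checking `sshd'... not found
"""

# Constructed later scan: `login' now reports INFECTED and `sshd' exists.
LATEST = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `chfn'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `netstat'... not infected
Checking `sshd'... not infected
Checking `lkm'... chkproc: nothing detected
"""

CHECK = re.compile(r"^Checking `([^']+)'\.\.\. (.*)$")

def parse_chkrootkit(text):
    """Map each checked item to the status chkrootkit reported for it."""
    results = {}
    for line in text.splitlines():
        m = CHECK.match(line)
        if m:
            results[m.group(1)] = m.group(2).strip()
    return results

def compare_scans(baseline_text, latest_text):
    """Return (changed, new_items, missing_items) of the latest scan vs the baseline."""
    base = parse_chkrootkit(baseline_text)
    latest = parse_chkrootkit(latest_text)
    changed = {k: (base[k], latest[k]) for k in base if k in latest and base[k] != latest[k]}
    new_items = sorted(set(latest) - set(base))
    missing = sorted(set(base) - set(latest))
    return changed, new_items, missing

if __name__ == "__main__":
    changed, new_items, missing = compare_scans(BASELINE, LATEST)
    for name, (old, new) in changed.items():
        print(f"{name}: {old} -> {new}")
    print("new:", new_items, "missing:", missing)
```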
Old 02-17-2008   #9 (permalink)
mjolnir
Just Joined!
 
Join Date: Jan 2008
Location: Fullerton,CA
Posts: 13
Yeah, I will wipe my partitions and do another clean install, and I do have the firewall active, all the default stuff because I'm a noob.

But I am very intrigued at actually being able to run a Windows system online, as I'm hacked within seconds of connecting to the net. I know it's not a SUSE question, but if someone can tell me how, I'd be very grateful.
mjolnir is offline   Reply With Quote
Old 02-17-2008   #10 (permalink)
Jonathan183
Linux Engineer
 
Join Date: Oct 2007
Location: Bristol, UK
Posts: 1,003
Quote:
Originally Posted by Jonathan183 View Post
(I don't use Windows on the web, but do have machines set up to dual boot).
Quote:
Originally Posted by mjolnir View Post
But I am very intrigued at actually being able to run a Windows system online, as I'm hacked within seconds of connecting to the net. I know it's not a SUSE question, but if someone can tell me how, I'd be very grateful.
As I said, I don't use Windows on the net. If I did, I would download the firewall using Linux, do the Windows install and install the firewall while disconnected from the net. The other thing I would do is use a dynamic IP address (and make sure port forwarding is not set on the router).
Jonathan183 is offline   Reply With Quote