Old 12-26-2007, 10:03 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 2
OS: MEPIS 6.5 (32-bit)


(UN)Networking help wanted :D

Sorry this is so long! ANY help, any lead to more relevant manual pages, appreciated. (Would also appreciate if you can refrain from suggesting I'm crazy!) I have had serious hacker problems this past year, and they are continuing. Two PCs, one OFFLINE, have been destroyed wholly or partially so far. So, I am now using, as my online PC, a 2001 NetVista (256 RAM) with NO hd or floppy or usb -- no storage at all, in fact. It is running from a CD-ROM drive (yes, ROM), system is a 32-bit version of MEPIS 6.5.

Here is the problem: I am being hacked by someone physically very close by (in apartment building) before I finish booting up, let alone plug in Ethernet cable. Yes, I know, you don't believe me. I don't blame you! Well, here is some of my evidence:

(1) On Oct. 25th, I had fast-speed access (which I had disconnected in early August following death of one PC) reinstalled. A few days later, the BIOS settings I had entered were ignored as the PC booted up. For example, I disable serial port & game/midi ports, but they are referenced anyway as I watch bootup process.

Even more telling, I tried booting up with the noacpi option: At first there would be a message about black or blacklisted acpi not used. Now, it just loads acpi anyway.

Remember, all this is happening on a PC which has no installed OS, just running from boot/install CD.

(2) The opening screen of my CD does not look like it looked when I used it in a previous PC (one of the destroyed ones) this summer. It doesn't look the way it looked when I first started using it after October 25th, either. The new screen (F-keys at the top of the screen, a blue box with the start-up options inside a large white border) is apparently from a later version -- maybe 6.504 instead of mine, which might be 6.502...

(3) A few weeks ago as I was shutting down the PC, I saw a message about shutting down the rsync daemon. So I read the manual pages about rsync, and deleted the rsync.conf file (which I found easily enough, iirc in /etc/). Now the rsync.conf file is no longer found, except in something like a .../share/documentation/examples folder.

(4) I no longer see this, but earlier I was using some of the GUI interfaces to try to alter network settings (such as trying to shut down SAMBA or NetBIOS) and they would reset themselves, as I saw screen 'flashes.' (Now I just use the konsole, and work mostly from netstat -lanap listings.)

(5) These days, I have learned from experience which processes (listed as result of netstat -lanap or in the system guard process table) to kill, and a few files in certain directories to remove. I learned this largely by trial and error. After a couple months, I am now very familiar with processes which are necessary or safe, and reasonably well able to distinguish processes which are unusual (or should normally be killed).

So now, at a certain stage (usually after about 20 minutes of furious typing in konsole!), I feel able to load Firefox. Note that even with my very limited system, I am able to have several apps open at a time, including multiple instances of Firefox, Patience (card game), Kate (editor), the system log, etc. Before I learned to stop the hackers, though, I would try to load an app (Firefox, or even just something like Patience), and it would start to load -- hourglass would appear on the bar at the bottom of the screen -- but then die! No message, it just died.

Since the documentation (in the Manual) is listed by process rather than function, it's hard for me to try to look up helpful information. (I have no storage to save any downloaded information that may be online.) QUESTION: Is there some way I can get information from my system about what is happening here? Some way to affect the rsync being run from the hacker's PC (which, I still see in messages as I log OFF, is still running somehow on my system, although the file is not where it used to be)?

Although I am a very experienced user of diverse systems and programs, I have very little understanding of networks. An overview (pointers to one) might be helpful. What I really need, though, is commands or methods to reverse the commands like Bind, Listen, Accept, etc. Mepis is great at making networks "just work," but how do I stop an unwanted networking user? (Btw, since there's no installed system & I need the privileges, I run as root. Why not, on CD-based OS? :D )
techwatcher is offline  
Old 12-28-2007, 05:45 AM   #2 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 18
OS: Fedora Core 8


Re: (UN)Networking help wanted :D

Code:
    lsof -Pc rsync | grep IPv4
This should give you something back if rsync is running (note it might also be rsyncd) and also give you the port it is listening on.

If you want to stop it just type
Code:
    pkill rsync
Frankly, if you're compromised you can't trust your system anyway. Back up your /home directory and reinstall the OS.

Oh and take a look at iptables. It is the best firewall you can get for free.

Last edited by Deleriux; 12-28-2007 at 05:46 AM.
Deleriux is offline  
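Added example, not Deleriux's commands and not part of the thread: a small POSIX shell script that parses the kind of output `lsof -Pc rsync` produces, reports every socket in LISTEN state with its owning process and port, and builds the minimal default-deny inbound iptables policy the reply points at, with a dry-run mode so the rules can be reviewed before they are applied. The lsof output below is constructed sample data (873 is the rsync daemon's default port); the rule set is this example's own assumption, not something the reply specifies.

```shell
#!/bin/sh
# Added example (not from the thread): find listening sockets in the output of
#   lsof -Pc rsync | grep IPv4
# and build a minimal default-deny inbound iptables policy with a dry-run mode.

# Constructed sample of what `lsof -Pc rsync` might print when the rsync daemon
# is listening on its default port 873 and has one client connected.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rsync   1234 root    3u  IPv4  12345      0t0  TCP *:873 (LISTEN)
rsync   1235 root    4u  IPv4  12346      0t0  TCP 192.168.1.5:873->192.168.1.9:40112 (ESTABLISHED)
rsync   1235 root    5u  IPv4  12347      0t0  TCP 127.0.0.1:873 (LISTEN)'

# listeners: read lsof output on stdin and print "command pid port" for each
# socket in LISTEN state. The NAME column (e.g. "*:873") sits just before the
# "(LISTEN)" marker, and the port is whatever follows its last ':'.
listeners() {
    awk '/\(LISTEN\)/ {
        n = split($(NF-1), parts, ":");
        print $1, $2, parts[n]
    }'
}

# rsync_listening: succeed (exit 0) if any LISTEN line belongs to rsync or
# rsyncd, the two process names the reply mentions.
rsync_listening() {
    listeners | grep -Eq '^rsyncd? '
}

# run: execute a command, or only echo it when DRY_RUN is set, so a firewall
# policy can be inspected before it touches the live rule set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# firewall_policy: default-deny inbound and forwarded traffic, allow loopback,
# and allow replies to connections this host initiated. The specific rules are
# an assumption of this example; the thread only recommends iptables in general.
firewall_policy() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone demo: report listeners from the constructed sample and show,
# without applying, the firewall rules.
main() {
    echo "Listening sockets (command pid port):"
    printf '%s\n' "$SAMPLE_LSOF" | listeners
    if printf '%s\n' "$SAMPLE_LSOF" | rsync_listening; then
        echo "rsync daemon is accepting connections"
    fi
    echo "Firewall rules that would be applied:"
    DRY_RUN=1 firewall_policy
}

main
```

On a real box, replace the sample with live output (`lsof -Pc rsync | listeners`, or feed `lsof -Pi` to see every listener, not just rsync) and run `firewall_policy` without `DRY_RUN` only after the echoed rules look right; on a CD-only system like the one in the question the rules are lost at reboot, so the script itself is what has to be re-run each session.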