
Thread: Hacker Troubles

  1. #1
    Join Date
    Oct 2008
    Location
    Central Texas, in the sticks
    Posts
    148

    Hacker Troubles

    I had a hacker that had hacked into my machine, evidently had used "malware" to gain access for a couple of months, so to make a long story short, I have encrypted both the Login, boot and drives on my machine, reloaded a brand new Leap 15.1 install and set permissions to Secure mode. Now I am thinking about how & what steps to change the IP address to a new number. Basically what I need is the process to change the IP. Do I have to buy a new IP number? Any other information you can provide would be appreciated.

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,395
    Blog Entries
    1

    Re: Hacker Troubles

    You don't say how you connect to the internet...DSL, LTE? In any case, assuming that you're referring to your allocated public IP address, that will depend on your service provider. Changing IP address won't change any underlying security issues you may have, so best to understand and tackle those first.
    openSUSE Leap 15.0; KDE Plasma 5

  3. #3
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,559

    Re: Hacker Troubles

    Quote Originally Posted by cherock1254
    i have encrypted both the Login, boot and drives on my machine,

    If the “Hacker” has infected your account and they're executing within your logged-in processes, then encryption doesn't help – when you log in, you're accessing the encrypted directories with the keys you've obtained at login and therefore the “Hacker's” processes which began executing as a result of your login are also accessing the encrypted directories with the keys you obtained at login …

    Quote Originally Posted by cherock1254
    reload a brand new Leap 15,1 install and set permissions to Secure mode.
    Even SELinux will not help if the “Malware” was introduced via your user account: <https://doc.opensuse.org/documentati...t.selinux.html>.

    Please consider the following actions:
    1. Remove all Administrator privileges from your User account(s).
    2. Set up a separate User Group and User Account for “Internet surfing” – be prepared to completely remove that User's directories at the first signs of “trouble” and then to recreate that User's home directory before they login again …
    3. Make sure that the User Group of the “Internet surfing” User Accounts is isolated – the User's home directories are not located directly below ‘/home/’ – rather in a Sub-Directory which is owned by a pseudo-User (login disabled) belonging to the “Internet surfing” group, with appropriate Group and “Other” directory permissions.
    4. Consider doing this also for “normal” Users. Be aware that the default directory permission on the (system) “/home/” directory is “Other: Read; Execute”.
    5. Consider setting up a series of top-level “/home-xxx/” directories for each User Group, owned by pseudo-Users related to each User Group and with the directory permission for “Other” set to «NOTHING».
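    As an added example (not from this thread and not dcurtisfra's own script), a small POSIX shell script that does what steps 3 to 5 describe: it creates a top-level per-group home directory with “Other” set to nothing, adds a member home underneath it with mode 0700, and audits an existing base directory for homes that still grant “Other” read/execute (the default 755 mentioned in step 4). Group, owner and user names are placeholders supplied by the caller; stat -c assumes GNU coreutils; ownership changes are only attempted when the script runs as root and the named group or user already exists. Creating the login-disabled pseudo-user itself (useradd with a nologin shell) is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the thread: build the isolated per-group home
# tree sketched in steps 3-5 and audit an existing base directory for
# entries that still grant "Other" any permission.
# Assumptions: POSIX sh with GNU coreutils (stat -c); group, owner and
# user names are whatever the caller passes (placeholders here);
# ownership changes are only attempted when running as root and the
# named group/user already exists.
set -eu

# make_group_home BASE GROUP [OWNER]
# Creates BASE (e.g. /home-surf) with mode 0750: the group may traverse
# it, "Other" gets nothing. OWNER is meant to be a login-disabled
# pseudo-user; it defaults to root so the function also works for a dry run.
make_group_home() {
    base=$1
    group=$2
    owner=${3:-root}
    mkdir -p "$base"
    chmod 0750 "$base"
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown "$owner:$group" "$base"
    fi
}

# add_member_home BASE USER
# Creates BASE/USER with mode 0700 so even other group members cannot read it.
add_member_home() {
    home=$1/$2
    mkdir -p "$home"
    chmod 0700 "$home"
    if [ "$(id -u)" -eq 0 ] && id "$2" >/dev/null 2>&1; then
        chown "$2" "$home"
    fi
}

# other_bits DIR
# Prints the octal "Other" digit of DIR's mode (0 = no access at all).
other_bits() {
    mode=$(stat -c '%a' "$1")
    printf '%s\n' "${mode#"${mode%?}"}"
}

# audit_other BASE
# Lists every direct subdirectory of BASE whose "Other" bits are not 0;
# run against a stock /home this reports each home created with the
# default 755 (Other: Read; Execute).
audit_other() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        bits=$(other_bits "$d")
        if [ "$bits" != "0" ]; then
            printf '%s other=%s\n' "$d" "$bits"
        fi
    done
}
```

    Running audit_other /home before changing anything shows which existing homes are world-traversable; make_group_home /home-surf surf surf-owner followed by add_member_home /home-surf surfuser (as root, once the group and pseudo-user exist) builds the layout from step 5.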


    Quote Originally Posted by cherock1254
    Now I am thinking about how & what steps to change the IP address to a new number. Basically what I need is the process to change the IP. Do I have to buy a new IP number?

    Your ISP may well offer a service to assign the device with which you connect to them a new IP address on a daily basis.
    • My German ISP does this, by default, at about 4 o'clock in the morning, every day – I have to pay extra if I want to have a “fixed” IP address …

  4. #4
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,559

    Re: Hacker Troubles

    @cherock1254:

    Do you have a Root Kit checker running on your system?

    Code:
     # rkhunter --propupd --pkgmgr rpm
     # rkhunter --update
     # rkhunter --config-check
    After that, “rkhunter --check” and the daily Cron Job should execute as expected, apart from the following warnings:
    Code:
    Warning: The SSH configuration option 'Protocol' has not been set.
             The default value may be '2,1', to allow the use of protocol version 1.
    Warning: Hidden file found: /usr/bin/.hmac256.hmac: ASCII text
    Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
    • The current OpenSSH daemon used by Leap 15.1 only supports the SSH protocol v2 – rkhunter doesn't currently know that …
    • The 2 files are provided by “libgcrypt-devel” and “fipscheck” and therefore, are also not an issue …

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,304
    Blog Entries
    2

    Re: Hacker Troubles

    The basis for what @dcurtisfra said in #3 is this...
    When your system is running, anything that is stored encrypted on your system has to be decrypted for even the system to access and use those files... So your system's encryption is not in effect when your system is powered on. Disk encryption is only effective if someone is trying to access your machine when your system is powered off... like a physical intruder stealing a laptop or breaking in at night and physically stealing your system.

    Also,
    You should understand that when someone is able to hack your credentials when you're online, there are a number of attacks which only gain access to the running application like email or websites, but unless your emails or website traffic contain credentials for your system, no one can do more than read your email and won't be able to gain access to your system logon and do more dastardly things. In fact, unless your compromised app is running or you use the same Username/Password for other running services on your machine, the hacker can't do more to you.

    You should understand that application-level hacking has become fairly common; the phishing attacks in the news when email accounts are compromised are somewhat common, particularly if you're targeted by an attacker and not just some random User whose credentials the hacker guessed. Particularly if you run Linux and keep your system updated, it's a lot less common for more than your application to be compromised, although it's not impossible.

    Bottom line, if you keep your system patched, don't click on unknown attachments and don't install things just because some website tells you it's needed to view some video or otherwise view the web page, you won't likely be hacked.
    And, if you do any of those things, you'd likely be overcoming the normal protections in your machine and in that case there's little that can help you from getting hacked.

    Lastly,
    If you do get hacked, then you can post a description of how you were hacked and you'll get advice how to avoid that in the future.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,559

    Re: Hacker Troubles

    Quote Originally Posted by tsu2
    If you do get hacked, then you can post a description of how you were hacked and you'll get advice how to avoid that in the future.
    @cherock1254:

    Please take a look at this organisation: <https://www.malwaremustdie.org/> – Wikipedia: <https://en.wikipedia.org/wiki/MalwareMustDie>.
    • If it was a «new» Root Kit, you should report it – also, for that case, please notify the Root Kit Hunter folks.

  7. #7
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,559

    Re: Hacker Troubles

    @cherock1254:

    Are you using “Root Kit Hunter” «rkhunter»?
    • If so, be very aware that if Root Kit Hunter is checking while a system patch or update is executing, then warnings may well appear.

    For example, today I had the following warnings:
    Code:
    Warning: The file properties have changed:
             File: /usr/bin/sudo
             Current inode: 1968810    Stored inode: 1977474
    Warning: Network TCP port 60922 is being used by /usr/bin/kontact. Possible rootkit: zaRwT.KiT
             Use the 'lsof -i' or 'netstat -an' command to check this.
    The cause was that “rkhunter --update” and “rkhunter --propupd” were needed to update the Hunter's database following the patches which were being applied in parallel to the check which produced the warnings …
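    Added example (not from the thread and not part of rkhunter itself): a shell filter that joins each multi-line rkhunter warning into a single line and drops the ones posts #4 and #7 explain as expected on Leap 15.1 (the SSH 'Protocol' note and the two .hmac files), so that only the remaining warnings, here the changed /usr/bin/sudo inode and the kontact port, are left to look at. The sample output is constructed from the warnings quoted in those two posts; the allow-list patterns are an assumption for this example and should only contain warnings that have actually been verified as harmless.

```shell
#!/bin/sh
# Added example, not from the thread: condense rkhunter output to one line
# per warning and drop the warnings the posts above explain as expected on
# Leap 15.1 (the SSH 'Protocol' note and the two .hmac files), so what is
# left is only what still needs a look. The allow-list is a local
# assumption; the sample log is constructed from the warnings quoted in
# the thread.
set -eu

# sample_log: the constructed rkhunter output used for the demonstration.
sample_log() {
    cat <<'EOF'
Warning: The SSH configuration option 'Protocol' has not been set.
         The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden file found: /usr/bin/.hmac256.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current inode: 1968810    Stored inode: 1977474
Warning: Network TCP port 60922 is being used by /usr/bin/kontact. Possible rootkit: zaRwT.KiT
         Use the 'lsof -i' or 'netstat -an' command to check this.
EOF
}

# join_warnings: stdin -> one line per "Warning:", with the indented
# continuation lines appended after " | " so a single grep sees the whole warning.
join_warnings() {
    awk '
        /^Warning:/ { if (buf != "") print buf; buf = $0; next }
        /^[[:space:]]+/ && buf != "" { sub(/^[[:space:]]+/, ""); buf = buf " | " $0; next }
        END { if (buf != "") print buf }
    '
}

# drop_known: remove the warnings explained in the thread as harmless on
# Leap 15.1. grep exits 1 when every line is filtered out; that is not an
# error here, hence the "|| true".
drop_known() {
    grep -v \
        -e "configuration option 'Protocol'" \
        -e '/usr/bin/\.hmac256\.hmac' \
        -e '/usr/bin/\.fipscheck\.hmac' || true
}

# triage: stdin rkhunter output -> the warnings that still need attention.
triage() {
    join_warnings | drop_known
}

# remaining_count: number of warnings left after triage of the sample.
remaining_count() {
    sample_log | triage | wc -l | tr -d ' '
}

# On a real system (as root): rkhunter --check --sk --rwo | triage
```

    Whatever the filter leaves should be checked against the package manager (for example rpm -V on the package owning the file) before running “rkhunter --propupd” again, because a --propupd after an unverified change simply teaches rkhunter to accept the new properties.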

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,304
    Blog Entries
    2

    Re: Hacker Troubles

    Keep in mind that although rootkits exist,
    it's relatively rare that someone would be a victim of one.

    For you to be a victim of a rootkit, several conditions have to exist...
    The attacker has to pick you, as a Linux user, out of the multitude of other MSWindows systems out there...
    Your system has to have a vulnerability, like being unpatched, otherwise the vulnerability has to be a "zero day" which means it's a nation-state kind of attacker with enormous resources behind it to discover and keep secret what it does. Or a vulnerability is so new that you just haven't gotten a patch for it yet.
    You do something really, really inadvisable using root permissions. Rootkits should not ever be installable using ordinary User permissions.
    Your firmware is not fully updated. And that means all your firmware, not just your BIOS/EFI.

    In summary,
    Although I'd say that you can go ahead and test for a rootkit,
    Unless you'd consider yourself a particularly well known, juicy target, it's very, very unlikely you'd be a victim of a rootkit (again, if you do minimal system maintenance and don't do incredibly stupid installations anytime someone on the Internet says you should do so).

    IMO,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
