Hacker Troubles

I had a hacker that had hacked into my machine, evidently had used “malware” to gain access for a couple of months, so to make a long story short, i have encrypted both the Login, boot and drives on my machine, reload a brand new Leap 15,1 install and set permissions to Secure mode. Now I am thinking about how & what steps to change the IP address to a new number. Basically what I need is the process to change the IP. Do I have to buy a new IP number? Any other information you can provide would be appreciated.

You don’t say how you connect to the internet…DSL, LTE? In any case, assuming that you’re referring to your allocated public IP address, that will depend on your service provider. Changing IP address won’t change any underlying security issues you may have, so best to understand and tackle those first.

If the “Hacker” has infected your account and, they’re executing within your logged in processes then, encryption doesn’t help – when you login, you’re accessing the encrypted directories with the keys you’ve obtained at login and therefore, the “Hacker’s” processes which began executing as a result of your login are also accessing the encrypted directories with, the keys you obtained at login …

Even SELinux will not help if the “Malware” was introduced via your user account: <https://doc.opensuse.org/documentation/leap/security/html/book.security/part.selinux.html&gt;.

Please consider the following actions:

  1. Remove all Administrator privileges from your User account(s).
  2. Set up a separate User Group and User Account for “Internet surfing” – be prepared to completely remove that User’s directories at the first signs of “trouble” and then to recreate that User’s home directory before they login again …
  3. Make sure that the User Group of the “Internet surfing” User Accounts is isolated – the User’s home directories are not located directly below ‘/home/’ – rather in a Sub-Directory which is owned by a pseudo-User (login disabled) belonging to the “Internet surfing” group with, appropriate Group and “Other” directory permissions.
  4. Consider doing this also for “normal” Users. Be aware that, the default directory permission on the (system) “/home/” directory is “Other: Read; Execute”.
  5. Consider setting up a series of top-level “/home-xxx/” directories for each User Group, owned by pseudo-Users related to each User Group and, with the directory permission for “Other” set to «NOTHING


Your ISP may well offer a service to assign the device which you have to connect with them, a new IP address on a daily basis.

  • My German ISP does this, by default, at about 4 o’clock in the morning, every day – I have to pay extra if I want to have a “fixed” IP address …


Do you have a Root Kit checker running on your system?

 # rkhunter --propupd --pkgmgr rpm
 # rkhunter --update
 # rkhunter --config-check

After that, “rkhunter --check” and the daily Cron Job should execute as expected, apart from the following warnings:

Warning: The SSH configuration option 'Protocol' has not been set.
         The default value may be '2,1', to allow the use of protocol version 1.
Warning: Hidden file found: /usr/bin/.hmac256.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text

  • The current openSSH daemon used by Leap 15.1 only supports the SSH protocol v2 – rkhunter doesn’t currently know that …
  • The 2 files are provided by “libgcrypt-devel” and “fipscheck” and therefore, are also not an issue …

The basis for what @dcurtisfra said in #3 is this…
When your system is running, anything that is stored encrypted on your ssytem has to be decrypted for even the system to access and use those files… So your system’s encryption is not in effect when your system is powered on. disk encryption is only effective if someone is trying to access your machine when your system is powered off… Like when a physical intruder stealing a laptop or breaking in at night and physically stealing your system.

You should understand that when someone is able to hack your credentials when you’re online, there are a number of attacks which only gains access to the running application like email or websites, but unless your emails or website traffic contains credentials for your system, no one can do more than read your email and won’t be able to gain access to your system logon and do more dastardly things. In fact, unless your compromised app is running or you use the same Username/Password for other running services on your machine, the hacker can’t do more to you.

You should understand that application level hacking has become fairly common, the phishing attacks in the news when email accounts are compromised are somewhat common, particularly if you’re targeted by an attacker and not just some random User the hacker guessed your credentials. Particularly if you run Linux, and if you keep your system updated it’s a lot less common for more than your application to be compromised, although it’s not impossible.

Bottom line, if you keep your system patched, don’t click on unknown attachments and don’t install things just because some website tells you it’s needed to view some video or otherwise view the web page, you won’t likely be hacked.
And, if you do any of those things, you’d likely be overcoming the normal protections in your machine and in that case there’s little that can help you from getting hacked.

If you do get hacked, then you can post a description of how you were hacked and you’ll get advice how to avoid that in the future.



Please take a look at this organisation: <https://www.malwaremustdie.org/&gt; – Wikipedia: <https://en.wikipedia.org/wiki/MalwareMustDie&gt;.

  • If it was a «new
    » Root Kit, you should report it – also, for that case, please notify the Root Kit Hunter folks.


Are you using “Root Kit Hunter” «rkhunter»?

  • If so, be very aware that, if Root Kit Hunter is checking while a system patch or update is executing then, warnings may well appear.

For example, today I had the following warnings:

Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current inode: 1968810    Stored inode: 1977474
Warning: Network TCP port 60922 is being used by /usr/bin/kontact. Possible rootkit: zaRwT.KiT
         Use the 'lsof -i' or 'netstat -an' command to check this.

The cause was, “rkhunter --update” and “rkhunter --propupd” were needed to update the Hunter’s database following the patches which were being applied in parallel to the check which produced the warnings …

Keep in mind that although rootkits exist,
It’s relatively rare that someone would be a victim of one.

For you to be a victim of a rootkit, several conditions have to exist…
The attacker has to pick you, as a Linux user out of the multitude of other MSWindows systems out there…
Your system has to have a vulnerability, like being unpatched, otherwise the vulnerability has to be a “zero day” which means it’s a nation-state kind of attacker with enormous resources behind it to discover and keep secret what it does. Or a vulnerability is so new that you just haven’t gotten a patch for it yet.
You do something really, really inadvisable using root permissions. Rootkits should not ever be installable using ordinary User permissions.
Your firmware is not fully updated. And that means all your firmware, not just your BIOS/EFI.

In summary,
Although I’d say that you can go ahead and test for a rootkit,
Unless you’d consider yourself a particularly well known, juicy target, it’s very, very unlikely you’d be a victim of a rootkit (again, if you do minimal system maintenance and don’t do incredibly stupid installations anytime someone on the Internet says you should do so).