Hacking

Hello

I had Windows 10 on my computer and was getting hacked…
So I removed Windows and installed SUSE Linux Leap 42.2 and the hacking continued…

My files were being changed and some deleted…

I got remote logins disabled
I got block all external connections enabled

It must be a pro hacker that knows all the govt backdoors…

Is it possible to make it so the IP packeter will refuse to packet filesystem data… and block future connection attempts from those computers that request file data???

I'm a Linux newby and don't know how to program to make the changes myself in the kernel modules…

The first thing to understand is that in general, any and all well maintained and supported OS (and that goes for both Windows and Linux as well as other OS) are generally secure against any "ordinary" hacking. Windows is by far the most attractive target because it's deployed on the most Desktops and by reputation Windows Users aren't particularly knowledgeable and are so ridiculously unsophisticated that many can be fooled into doing stupid things, but by default it really is hard for evildoers to compromise systems that are set up according to instructions.

But, once any person starts to use their systems, those machines become potentially vulnerable because Users generally cannot consistently make good decisions and they have no willingness to learn what is proper or not. It's actually rare for machines to be vulnerable without some User bad decision, and those secrets are jealously hidden from view (except when they are stolen and dumped like the Wikileaks dumps).

The most likely reason why even your Linux systems might be compromised isn’t because your machines are vulnerable by default (although they could be if you don’t do simple steps like doing a system update immediately after installation), it’s most likely that the same applications and services you’re using over the Internet have been compromised, and/or you’re re-using same usernames or passwords for multiple services including logging into your machine.

Regarding the “government backdoors,”
First it’s highly unlikely or it’s particularly noteworthy that such a skilled hacker has taken an interest in you.
The second thing to understand is that unless you are a <very> uniquely valuable target to some attacker, you can still generally be safe if you are technically proficient enough to know how to set up your system to guard against intrusions, but that also means considerably increasing your risk of losing your system to random anomalies, faulty attacks, and a vast array of other possibilities. This is not recommended or necessary for any but the very, very tiny number of people who access truly secret and sensitive information.

In other words…

  • Don’t ascribe superpowers to whoever your antagonist might be. It’s very unlikely that person is really as skilled as you say, it’s much more likely you’re doing something that consistently allows that person to penetrate your system.
  • All people use data on their machines they deem secretive, or at least stuff you wouldn’t want made public. It could be simply messages between yourself and someone important to you, but it can also be financial, healthcare or other data which can have a substantive impact if made public. Every person has to decide <how much> money or personal effort needs to be spent to protect yourself. There are resources everywhere and the Internet is a great resource for self-help, but for many that’s not enough and you may need to employ an advisor or service to resolve or meet your needs. At the very least, you would be able to take constructive steps instead of thrashing around, unable to ask the right questions or understand what is happening.

HTH,
TSU


Hi
So, you need to provide some pointers as to what files are changing or being deleted, log output, enable auditing, inspect the logs, change ISP, turn off the computer, pack it up and move to pen and paper…
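The "enable auditing, inspect the logs" step above, worked through as an added example (this is not code from the thread or from openSUSE): the auditctl rule that watches a directory, and a small parser over audit.log records that pairs each SYSCALL record with the PATH records of the same event, so the answer to "what deleted my file" is a specific process and login session rather than a guess. The sample records are constructed; the record layout is auditd's, but the timestamps, pids, inodes, paths and the watch key songs_watch are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records for two deletions in
# a watched directory.  The record layout is auditd's; the timestamps, pids,
# inodes, paths and the watch key "songs_watch" are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1498323456.789:1234): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=55d1c0a0b2c0 a2=0 a3=0 items=2 ppid=4711 pid=4712 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts1 ses=3 comm="rm" exe="/usr/bin/rm" key="songs_watch"
type=CWD msg=audit(1498323456.789:1234): cwd="/home/albert/songs"
type=PATH msg=audit(1498323456.789:1234): item=0 name="/home/albert/songs" inode=262145 dev=08:02 mode=040755 ouid=1000 ogid=100 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1498323456.789:1234): item=1 name="/home/albert/songs/demo_v3.mp3" inode=262201 dev=08:02 mode=0100644 ouid=1000 ogid=100 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1498323999.001:1300): arch=c000003e syscall=87 success=yes exit=0 a0=55d1c0a0c3d0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=2211 auid=4294967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="dropbox" exe="/opt/dropbox/dropbox" key="songs_watch"
type=PATH msg=audit(1498323999.001:1300): item=0 name="/home/albert/songs" inode=262145 dev=08:02 mode=040755 ouid=1000 ogid=100 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1498323999.001:1300): item=1 name="/home/albert/songs/averaging_multiplier.bas" inode=262230 dev=08:02 mode=0100644 ouid=1000 ogid=100 rdev=00:00 nametype=DELETE
"""

UNSET_AUID = "4294967295"   # (unsigned)-1: the process has no login session

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def audit_rule(path, key="songs_watch"):
    """The auditctl invocation that logs writes and attribute changes under
    path (removing a directory entry is a write on the directory) and tags
    the records with key, so `ausearch -k key` finds them."""
    return ["auditctl", "-w", path, "-p", "wa", "-k", key]


def parse_record(line):
    """One audit record -> dict.  Quoted values are unquoted; the event
    timestamp and serial are pulled out of the msg=audit(ts:serial) field."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["_time"] = float(m.group(1))
        fields["_serial"] = int(m.group(2))
    return fields


def deletions(log_text):
    """Group records by event serial and report every event whose PATH records
    include nametype=DELETE, together with who and what issued the syscall."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    found = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and r.get("nametype") == "DELETE"]
        if syscall is None or not paths:
            continue
        found.append({
            "serial": serial, "time": syscall["_time"],
            "auid": syscall.get("auid"), "uid": syscall.get("uid"),
            "pid": syscall.get("pid"), "comm": syscall.get("comm"),
            "exe": syscall.get("exe"), "paths": paths,
        })
    return found


def describe_actor(event):
    """auid is the login uid and survives su/sudo.  An unset auid means the
    process was never attached to a login: a daemon, cron job or something
    started at boot, not an interactive or remote-shell user."""
    if event["auid"] == UNSET_AUID:
        return "no login session (daemon/cron/boot-started) running %s" % event["exe"]
    return "login uid %s running %s" % (event["auid"], event["exe"])


if __name__ == "__main__":
    print(" ".join(audit_rule("/home/albert/songs")))
    for ev in deletions(SAMPLE_AUDIT_LOG):
        print("%s serial=%d %s deleted %s" % (
            ev["time"], ev["serial"], describe_actor(ev), ", ".join(ev["paths"])))
```

On a real box the rule goes in the audit rules file so it survives a reboot, and `ausearch -k songs_watch -i` prints the same records with uids and syscall numbers resolved to names. The point of the auid column is that a sync client or cron job shows up with no login session at all, which is a very different finding from a deletion issued under a user's login uid.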

On Sun, 04 Jun 2017 23:56:02 +0000, Albert Redditt wrote:

> So i removed Windows and Installed SUSE Linux Leap 42.2 and the hacking
> continued…

Define “hacked”. You’ve made this claim repeatedly, but you’ve never
actually defined the behaviour you’re seeing or what evidence you have
that your system is being “hacked”.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Mon, 05 Jun 2017 00:56:01 +0000, tsu2 wrote:

> First it’s highly unlikely or it’s particularly noteworthy that such a
> skilled hacker has taken an interest in you.

A “pro hacker” wouldn’t be so easily caught by someone so inexperienced.

My guess is that there’s a process that’s doing something totally
expected, but the OP has yet again asserted that ‘hacking’ is taking
place because he doesn’t know enough to know about other possible
explanations.

This is not the first time this user has started a thread on this topic,
yet we still have nothing from him that describes exactly what is
happening with any specificity nor how he’s determining he’s being
“hacked” - in spite of his self-described lack of knowledge about Linux.

It’s frankly getting to be old hat, and I expect this time around he’s
not going to provide any substantive information about what he’s seeing
beyond “some files were changed or deleted”. It’s easier to blame the
boogeyman of an unknown hacker and a “government backdoor” that doesn’t
exist than to try to understand what’s actually happened on his system.

Jim


I told you guys that some of my files were being deleted…

Here today, gone tomorrow; mostly it's my songs that I'm writing… The latest versions were being deleted… and some had altered properties to add album art to the mp3 files…
I've got them all backed up; as soon as the demo company accepts one, I back it up to a USB drive and online as well…
But it's just frustrating to go into the folder and find files missing.

Today I just discovered all the files in my "Averaging Multiplier" directory were deleted…
(I discovered a method of multiplying by averaging two numbers, but it's too slow; it takes a full minute or more to mul 2 10,000-digit numbers.)
(Also missing in the dir was my mul_4_7_9.bas comparator; I wrote a big number mul that can mul 2 million-digit numbers in under 60 seconds.)
(GMP does it in 1 second or less.) So the two multipliers are basically worthless… but they found them interesting enough to steal…

I think it’s the Irish Mafia hacking me…???

YaST says my firewall is running.
I got remote login disabled,
and somewhere I clicked "block all external connections".

Maybe you guys should have an info section on the forum to explain the firewall and completely how to configure it…make it always on top sticky.

A firewall tutorial would be a godsend!!

Here's the Average Multiplier base code; it's just double precision and not strings.
I don't know why they would want to steal it??
It's FreeBASIC code that works for both Windows and Linux.

' First we set up r_bottom and l_bottom
' Then we double those two numbers for r_top and l_top
' then we average each side.
' If l_avg is higher than num2 then we set l_top to l_avg and r_top to r_avg
' if l_avg is lower than num2 then we set l_bottom to l_avg and r_bottom to r_avg

' eventually l_top and l_bottom are straddling num2 and l_avg = num2
' at this point r_avg = multiplied answer

' if you divide (l_top / num2) the answer is the same as (r_top / mul answer)

do

dim as ulongint num1 = int(rnd*1e7)
dim as ulongint num2 = int(rnd*1e7)
if num2 > num1 then swap num1 , num2

'===============================================================================
'during averaging,
'if the l_avg ends in .5 then we add .5 to it and
'the point_5 var (half of num1 ) to the r_avg
dim as double point_5 = num1/2

dim as string str1 = str(num1)
dim as string str2 = str(num2)

dim as double l_bottom , l_avg , l_top
dim as double r_bottom , r_avg , r_top
'===============================================================================
'r_bottom = num1 * leftmost digit of num2 + zero padding to make it the right length
r_bottom = val(str( val(str1) * (val(left(str2,1))) ) + string(len(str2)-1,"0"))
r_avg = r_bottom
r_top = r_bottom + r_bottom
'===============================================================================
'l_bottom = leftmost digit of num2 + zero padding to make it the right length
l_bottom = val( str(val(left(str2,1))) + string( len(str2)-1,"0") )
l_avg = l_bottom
l_top = l_bottom + l_bottom
'===============================================================================
'for each unit on the left side there's a num1 on the right side
'So if l_top minus l_bottom = 1000 units, then
'r_top minus r_bottom = (1000 * num1) units..

dim as ulongint count = 0

'If num2 is exactly its leading digit followed by zeros (e.g. 3000) then
'l_bottom already equals num2 and r_bottom is already the answer. Entering
'the bisection in that case never terminates (the interval can't shrink
'below l_bottom and the .5 rounding always pushes l_avg back up to l_top),
'so the loop is guarded on l_avg <> num2 at the top instead of only at the bottom.
do while l_avg <> num2
    count = count + 1

    l_avg = (l_top + l_bottom) / 2
    r_avg = (r_top + r_bottom) / 2

    if l_avg = num2 then exit do

    'round a half up on the left, and add the matching half of num1 on the right
    if right(str(l_avg),2) = ".5" then
        l_avg = l_avg + .5
        r_avg = r_avg + point_5
    end if

    if l_avg = num2 then exit do

    if l_avg > num2 then
        l_top = l_avg
        r_top = r_avg
    elseif l_avg < num2 then
        l_bottom = l_avg
        r_bottom = r_avg
    end if

loop

print
locate ,1  : print "loop req = " ; count
locate ,1  : print "n1       = " ; num1
locate ,1  : print "n2       = " ; num2
locate ,1  : print "l_avg    = " ; l_avg
locate ,1  : print "r_avg    = " ; r_avg
locate ,1  : print "n1 * n2  = " ; num1*num2

print
print "Press a key to continue.."
sleep

loop until inkey = chr(27)
'===============================================================================
sleep
end

I guess I should just ask the forum:

What part of the Kernel source code does the IP packeting???
What part of the Kernel source code does the IP unpacketing???

Then I can just download the kernel source code and have a try at making the packeter and unpacketer, so they won't packet or unpacket any "file system data"…

How would you set it to (not allow any shell commands to be unpacketed??? or have the unpacketer drop shell command packets???)

It’s unlikely (although always possible) that you were hacked.

Try creating a new folder somewhere… like a subdirectory of /home/Documents/ (not the Documents folder itself) and copy your files to that location.

I’d guess that the files in the new location won’t disappear on you.

If I were to hazard a <really> wild guess, you might have a Cloud storage service (like Dropbox, Google Drive, etc) installed, with sync settings to <move> your files to the Cloud. If that’s the case, then your files might be in the Cloud and no longer where you thought you stored them.

Another possibility could be that your chosen file location is really a link to somewhere else, and not a real folder.

Hard to say exactly what is going on without knowing your machine in detail.

TSU
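TSU's suggestion of copying the files to a fresh folder and seeing whether they still vanish is a controlled experiment; the added example below (not code from this thread) makes it repeatable. It records a baseline manifest of size, mtime and SHA-256 for every file, stores it outside the watched tree, and later diffs a fresh manifest against it to list exactly which files were deleted, added or changed. Symlinks are recorded by target rather than followed, because "the folder is really a link to somewhere else" was one of the explanations offered. The demo() function builds a throwaway directory with constructed files to show the output; the file names and contents are invented.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of path-relative-to-root -> attributes for everything under root.
    Symlinks are recorded by target, not followed: if 'the folder' is really
    a link to somewhere else, that shows up here instead of being hidden."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = {"type": "symlink", "target": os.readlink(full)}
            elif os.path.isfile(full):
                st = os.stat(full)
                manifest[rel] = {"type": "file", "size": st.st_size,
                                 "mtime": st.st_mtime, "sha256": file_digest(full)}
    return manifest


def diff_manifests(before, after):
    """What changed between two manifests.  'modified' means any attribute
    differs, so a retagged mp3 (new album art) is caught even though the
    file name is unchanged; the hash is the check, since an mtime can be
    reset with touch."""
    return {
        "deleted": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a throwaway tree with constructed files, take a baseline, then
    delete one file, alter one and add one, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as state:
        for name, data in (("song_v1.mp3", b"ID3 fake audio v1"),
                           ("song_v2.mp3", b"ID3 fake audio v2"),
                           ("notes.txt", b"lyrics")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = os.path.join(state, "baseline.json")   # kept outside the watched tree
        save_manifest(build_manifest(root), baseline)

        os.remove(os.path.join(root, "song_v2.mp3"))          # "here today, gone tomorrow"
        with open(os.path.join(root, "song_v1.mp3"), "ab") as f:
            f.write(b"APIC fake album art tag")               # retagged in place
        with open(os.path.join(root, "demo_v3.mp3"), "wb") as f:
            f.write(b"ID3 fake audio v3")                     # new file

        return diff_manifests(load_manifest(baseline), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```

Keeping the baseline outside the tree (and ideally on the USB drive the poster already uses) matters: a baseline stored next to the files is just one more file that can vanish or be rewritten. For packaged system files the same comparison is what `rpm -V` does, and AIDE does it for a whole filesystem; a user's own documents are not in any package database, which is why a manifest like this is needed for them.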

Does anybody know the Kernel source for above ??? Don’t answer otherwise!!!

On 06/23/2017 06:16 PM, Albert Redditt wrote:
>
> Albert_Redditt;2827474 Wrote:
>
> Does anybody know the Kernel source for above ??? Don’t answer
> otherwise!!!

I’m going to risk answering, even though you do not want it, and you do
not deserve it if you are going to yell (I presume this was yelling) at
people who want to help you by fixing the most-likely problem rather than
your own interpretation of the problem, however unlikely.

First, the kernel code is in C; the only code you have posted was in
something that resembled Visual Basic. Maybe you know C, and maybe you
know it well enough to analyze kernel code, but I seriously doubt that
both of those are true (one or the other may be, though) because you are
not following the logical path to the conclusion, are not using the
understood networking terms, and are apparently not familiar with how
file-based data are transferred across networks.

The place to look for a vulnerability in kernel code would not be anything
that had to do with TCP or IP, but probably with applications that use
them (SCP, NFS, SMB) and then only if you have those services enabled. As
a self-described Linux newbie (you wrote “newby”) you may not be expected
to understand this, but that should also mean you are aware enough that
you should accept counsel from those who do, or at least may. Even if you
get the kernel source (https://github.com/torvalds/linux if you are
interested) you’re not going to find anything about file transfers in the
IP or TCP code, at least not in any meaningful way.

Your next troubleshooting step is to describe exactly how you created
files, and when you noticed them missing. Describe services you have
added to your box, or those you enabled from the start, and what they do,
how they are configured. Also be sure that if you are synchronizing data
to/from something online, that you have that account secured. It would be
easy to cause your symptoms, without any access to your computer directly,
by logging into something like Dropbox and deleting the files there, which
would then delete them locally too.

Finally, if you have been hacked by somebody who can pull off what you
have described, as you have described it, they either have physical access
to your machine (probably when you are out), or your chances of keeping
them out otherwise are smaller than you realize. Hacking isn’t trivial,
and getting through basic security of something like Linux isn’t trivial,
but at the end of the day if you have been targeted by somebody who seems
magical then they are using methods you are not considering, from the
hacking you see on TV, to social engineering their way past your
roommate/spouse, to just breaking and entering and installing malware on
your box. Linux isn’t too big to fail (be hacked), but there are many
likely ways to explain what you are observing without blaming the kernel
TCP/IP stack.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

I think the best way to stop any and all hackers is:

To block their IP packets from running any shell commands…

So they cannot run LS, RM, DEL, COPY etc.

So I want to know what part of the Kernel un-packets the incoming IP packets…
So I can modify the code to block shell commands from being run remotely.

Then I don't need a FIREWALL. It will be totally secure and no hackers can penetrate it no matter how hard they try.

You all should want the same thing, a totally secure system…

If you want to allow remote login, then you can set up a certain IP address that's allowed to access the system remotely and only that other IP address can get in.

On Sat, 24 Jun 2017 02:26:01 +0000, Albert Redditt wrote:

> To block their IP packets from running any shell commands…

Sorry, but this statement is complete nonsense, and demonstrates that you
really don’t understand how computer networking works, nor how firewalls
operate.

If you have remote shell disabled and the firewall turned on - and don’t
have things like ssh enabled - then there’s no way for an “incoming
packet” to “execute a shell command”. That’s not how networks work.

Start with this:

I have a problem where files in my system are disappearing for some
reason. I don’t understand why, and would like to troubleshoot that
problem.

Don’t start with:

My system has been hacked by hackers unknown, and I want to reconfigure
my network so that data that is unpacketed is unable to execute shell
commands.

We want to help you, but starting with “my problem is a hacker” is the
wrong approach. Proceeding to tell people who are trying to help you
“don’t answer if you can’t tell me ‘x’” is going to get you ignored.

Starting with “this thing is happening on my system, and I don’t
understand what is causing it, and I would like some assistance” is the
way to start.

See http://www.catb.org/esr/faqs/smart-questions.html for some
suggestions on how to ask questions that will get you help. And consider
as well that esr’s use of “hacker” is not “someone who breaks into
systems for fun or profit”, but refers to people who hack away at code to
make things work.

One other thing I’d suggest - don’t do drive-by posting and then vanish
for two weeks if you can avoid it. That makes it look like you’re just
trolling the forums.

Jim



On Fri, 23 Jun 2017 22:36:01 +0000, Albert Redditt wrote:

> Maybe you guys should have an info section on the forum to explain the
> firewall and completely how to configure it…make it always on top
> sticky.

Documentation: https://en.opensuse.org/SuSEfirewall2

No need to duplicate existing documentation in the forums when there’s a
wiki that has a lot of useful information in it.

But again, you are starting with the conclusion (hackers) and a proposed
solution (rewriting the network stack) rather than starting with a
problem statement (files are disappearing on my system and I want to
understand why - where do I start?).

Jim


On Sat, 24 Jun 2017 00:16:02 +0000, Albert Redditt wrote:

> Albert_Redditt;2827474 Wrote:
>> I guess i should just ask the forum:
>>
>> What part of the Kernel source code does the IP packeting ???
>> What part of the Kernel source code does the IP unpacketing ???
>>
>> Then i can just download the kernel source code and have a try at
>> making the packeter and unpacketer , so they won’t packet or unpacket
>> any “file system data”…
>>
>> How would you set it to ( Not allow any shell commands to be unpacketed
>> ??? or to have the unpacketer to drop shell command packets??? )
>
>
> Does anybody know the Kernel source for above ??? Don’t answer
> otherwise!!!

kernel.org has the Linux kernel source code, though the terminology
you're using makes no sense at all ("packeting" and "unpacketing" are not
actual networking terms, and are just meaningless). "Shell command
packets" are not a thing.

But if you want to hack away at the Linux kernel network stack,
kernel.org is where you get the kernel source code. Questions about the
kernel source code aren’t really in scope for support here - the place
where those questions typically are asked are in the Linux kernel mailing
list.

HOWEVER…

I would VERY STRONGLY urge you to NOT ask these kinds of questions there,
because the developers will literally laugh you off the list until you
know what you’re talking about.

There are lots of excellent books on the Linux kernel, and that’s
probably the place you should start educating yourself if you’re
determined to follow this approach rather than getting help by asking
about the problem rather than your assumed explanation for your problem.

Jim


I found that my firewall network cards weren't set to a zone, so I set it to "External Zone"; that might stop the hacker? We'll see.

How do you configure SUDO under YAST for the best security?

Can you please stop this. YOU ARE NOT HACKED. For the rest: Please read Jim’s advice, and stop these silly posts. Consider this a Forums Team warning.

I’m going to make this brief,
But just to tie up a few ends, ie. last Qs asked…

If you're asking how to manage authorized copy/paste/delete functions, those are file system operations and not normally managed by the kernel. On a Linux system, those are file-specific and, because a file system is so large, are implemented by security policy. Again, on Linux we have two major ways (although there are others) that configure security policy, SELinux and AppArmor. If you want to investigate this further, you can read documentation for both. There are alternatives too, like Bastille. Be aware that the ultimate lockdown can render your machine inaccessible even by yourself if you make a mistake, so people rarely tinker with these much.

Re: the SUSEFW configuration, it’s been noted in other Forum threads that by default no network interfaces are listed, and this results in the FW settings being applied to all interfaces. When you specify a network interface, then policy is applied <only> to that interface. So, by setting an interface at best you haven’t changed effective FW settings and could possibly have caused a weakening.

If you want to re-configure SUDO, then you should inspect the man page for sudo. It's not difficult to edit the sudoers config file.

And, I do recommend that you do what research you can on a topic before posting… It makes all the world of difference when you can at least use terminology so that you can ask clear questions and understand responses. Even Wikipedia can be a good introductory source written in plain language on any topic . When you improvise with terms like “packeting” and “unpacketing” it’s anyone’s guess what you mean and of course will cause misunderstanding.

TSU

On Sat, 24 Jun 2017 18:46:01 +0000, Albert Redditt wrote:

> I found that my firewall network cards , weren’t set to a zone , so i
> set it to “External Zone” , that might stop the hacker ? We’ll see.

sigh. You might try listening to the decades of experience who are
telling you that you should troubleshoot your actual issue.

> How do you configure SUDO under YAST ? for the best security ?

You could remove it from the system if you really think it’s a security
issue. It isn’t, but you seem determined to ignore the advice of people
with collectively multiple decades of experience in managing *nix systems.

Jim



Do not feed trolls …