# hacked gentoo computer

## squirrelsoup

I was listening to music on YouTube when all of a sudden my mouse jumped to the top corner of my screen.

After that happened I closed down YouTube Music, and about 20 seconds later I opened up Wireshark and noticed the IP address 8.42.17.216 in a red line.

I tried to whois and traceroute that IP with no result.

I am not sure if I can trust this computer right now; any help is welcome.

----------

## Roman_Gruber

http://tools.tracemyip.org/lookup/8.42.17.216

You don't play runescape.com?

--

I use an adblocker, a flashblocker and a Java blocker for some sites,

and URLs which annoy me get a new entry in /etc/hosts.

---

I run a minimalistic desktop, and ~amd64.

I would be worried when running amd64, because that's dated software.

--

I also unplug my DSL modem regularly, once every 24 hours. When I leave home I pull the plug, so the modem gets a cold reset every time.

----------

## squirrelsoup

I used my root terminal about 1 hour ago. I cannot gain root access anymore; I have tried about 30 times to log in as root but it would not accept my password, while it was possible to log in a few hours ago. I am afraid I am hacked.

----------

## Roman_Gruber

Boot up a live CD,

chroot and set a new root passphrase.

----------

## squirrelsoup

Changing the root password would not help if the system is compromised; they might have installed backdoors.

I am totally unsure how the hack could have happened. I did test with Metasploit for my own network security, and went on some Metasploit websites inside a VirtualBox, but did a reinstall of the Gentoo host after I was done.

I am hopeless on what to do now. I am having a breakdown in real life, I feel very sick and I cannot handle a hacked computer at this point. I might end my life, it has been enough.

----------

## NeddySeagoon

squirrelsoup,

Take a deep breath and think ...

There are lots of things that could have caused what you are seeing. Being hacked is one of the more remote possibilities.

When an attacker breaks in, they can only do whatever the user they break in as can do.  That user should not be root, unless you were watching YouTube as root.

Let's suppose you were your normal everyday unprivileged user.

To change the root password, the attacker would need to become root.  How would they do that on your system?

There should be a password between your normal user and root. If they don't know that password, they need a local privilege escalation exploit that your user can install and run.  There was one recently; it's been fixed for a while.

That's two things your attacker needs to do to change the root password.  Break in, then become root. 

Attackers don't like to advertise that they have root on your system.  It follows that changing the root password, something you would notice fairly quickly, is not something an attacker would do.  In fact, attackers are not interested in passwords.  Once they have a 'way in' they don't need them.

What you should do next depends on how much investigation you want to do into the possibility that you were hacked.  There are lots of other checks to do first.

Do the following from some live media. 

Back up your entire install.  Preferably with dd, so you get all the free space too.  Watch for dd ending with an error.  That could indicate a HDD issue. Check dmesg.

Run 

```
fsck -n
```

on all your partitions.  Don't allow it to change anything - it can make things worse.  There should be no errors anyway.

Boot into memtest86+  Run a few cycles, let it run all night if you like.  It tests a lot more than your RAM.  Report your results here.

Errors do not always indicate a RAM issue. 

DRAM makes a superb, if small, cosmic ray detector array, all those thousands of millions of tiny capacitors waiting to be charged/discharged as a cosmic ray passes through.  It doesn't happen often; if it did, DRAMs would be unusable.  Desktop PCs don't normally have ECC RAM, so a random bit flip would go undetected (and uncorrected). As a result anything could happen.  Servers, using ECC RAM, would detect and either correct the error, or the kernel would panic.  I'll let you read up on ECC RAM.

My primary suspect is a hardware issue, possibly overheating.  

After you have done the above, boot normally, put dmesg onto a pastebin site.  Try to log in as root, as that fails, put dmesg onto a pastebin site again. There may be some errors in dmesg that point to hardware issues.

----------

## squirrelsoup

The strange thing is I could log in as root with Google Authenticator within an Xfce terminal a few hours ago, but after I exited the root terminal I could not log back in:

So I started a chroot and changed the root pw as suggested; however, with the new root pw I could still not log in.

I then disabled the google-authenticator from within a live chroot, and I was able to log in with the new root pw.

The strange thing is that while this all happened my user authenticator + pw was still working.

If the attacker somehow launched a keylogger they could have gotten my root pw and changed it? They could even have set a new authenticator on root for themselves?

I agree that it is a bit silly for an attacker to change the root pw, but believe me, I have seen it happen before.

I noticed with AIDE, which I had running, that some suspicious things changed, especially the mkpasswd /bin/ file that has been added looks really strange; also I saw that the authenticator file in my home directory has been changed and I am clueless why that would have happened.

If someone knows more methods for making sure my computer was not hacked, please provide them; I will be really grateful.

```
added: /usr/share/man/man1/mkpasswd.1.bz2
added: /usr/bin/mkpasswd

File: /etc/pam.d/system-auth
 Size     : 555                              , 496
 Mtime    : 2016-12-29 20:44:08              , 2016-12-31 14:33:16
 Ctime    : 2016-12-29 20:44:08              , 2016-12-31 14:33:16
 MD5      : KzwYhtwdF+AaWDfrPZfvHA==         , Cs8BCehEhVKRgFfvLCXUEw==
 SHA1     : KMAGpH6+KWj2tSc4p6ZJtqH+MRo=     , 6ocBrguog077GhD5Yol7DqfUjdc=

File: /etc/shadow
 Mtime    : 2016-12-29 20:39:35              , 2016-12-31 14:14:22
 Ctime    : 2016-12-29 20:39:35              , 2016-12-31 14:14:22
 Inode    : 2621591                          , 2621696
 MD5      : /xoBNHBlFDJM2/7ZrLelhw==         , V2i3ad/7mhGnmvn0IoP5PA==
 SHA1     : bxem0yuz5PDDlsHEzZJ2FlJXd+o=     , 3EmZHHZ1BQoxa8OaDb4triQkP+M=

File: /home/n4rqkw4rk3/.google_authenticator
 Mtime    : 2016-12-30 21:41:02              , 2016-12-31 14:19:04
 Ctime    : 2016-12-30 21:41:02              , 2016-12-31 14:19:04
 MD5      : YUYXjY3dbpedlCL/pWzlLQ==         , 0QouiY2yJPkxvWrJMiNBpQ==
 SHA1     : MTvDpt7xtvaqQuPF71RgCw4C9j8=     , CzLFWnPh2W5KhaujsZylfwthTkk=
```

----------

## squirrelsoup

OK, that my mouse jumped to the top of the screen could have been dirt on the laser (I hope).

In the past I created new google-authenticator keys for users/root on Gentoo without any problems; however, when I create a new google-authenticator key for root now (user is still working),

google-authenticator reports after creating a new key:

```
failed to create "/root/.google-authenticator" (file exists)
```

So I deleted this file, but after creating a new key it keeps reporting the file exists error, which I never had before, and google-authenticator on su is still not working.

I now suspect an unlucky bug at the wrong time with google-authenticator, but I am still not sure if I can trust this computer.

----------

## NeddySeagoon

squirrelsoup,

You have yet to explain how an attacker got root to change the root password.

As google authenticator is involved in all your login attempts, you don't know if the password you entered was incorrect or the time based code required by google authenticator.

I have seen these time based code generator/checkers get out of sync, making logins impossible.

Did you try with a backup code or a telephoned/SMS code?

Where were you running the google authenticator app?

On your PC (don't laugh - I've been forced to do that by a corporate IT) or on your smart phone?

The validity of the google authenticator code is in question now, not just your password.

----------

## squirrelsoup

The file exists error when creating a new key is what worries me. I even tried to emerge -C --ask google-authenticator and reinstall it; however, it keeps reporting the file exists error only for root, and not for user.

I do not think time sync is the problem.

From the aide.log I saw that the mkpasswd /bin file has been added. Was there an update for Gentoo related to passwd or any other authentication files like PAM in the past day? That could have been the problem.

At this moment I suspect a bug in the google-authenticator package on Gentoo.

*edit* As for how an attacker could have gotten their hands on the root pw: it might have happened with a keylogger.

*edit* I noticed when running ls -a /root/ that there was a file named .google-authenticator~

Notice the ~ at the end.

So I removed that file and after that created a new key; this time things worked and google-authenticator works again for root. I am clueless on how this could have happened.

As for the hacked Gentoo computer, things that happened today:

1. mouse jumped (could have been dirt)

2. noticed an IP that seems to belong to RuneScape (game I was playing)

3. authenticator for root stopped working (fixed)

4. I am so paranoid, please help me secure my computer

Last edited by squirrelsoup on Sat Dec 31, 2016 3:29 pm; edited 3 times in total

----------

## NeddySeagoon

squirrelsoup,

Look at /var/log/emerge.log to see what was updated and when.

If you have package names, genlop will parse the file for you.  For example

```
Pi3 64bit ~ # genlop -t gcc
 * sys-devel/gcc

     Sun Jul 24 04:35:44 2016 >>> sys-devel/gcc-5.4.0
       merge time: 7 hours, 2 minutes and 8 seconds.

     Fri Sep 30 09:31:30 2016 >>> sys-devel/gcc-6.2.0-r1
       merge time: 8 hours, 12 minutes and 54 seconds.

     Mon Dec 26 21:00:35 2016 >>> sys-devel/gcc-6.3.0
       merge time: 3 hours, 53 minutes and 32 seconds.
```

Attackers usually use exploits to gain privileges, not passwords. 

You do not need the root password to change the root password.  Just as well, or you could not set it in the chroot during a Gentoo install.
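The AIDE report a few posts up and the emerge.log advice here are two halves of one check: every changed file either lines up with a package merge or it does not, and the ones that do not (plus anything under /etc/shadow, /etc/pam.d or a user's 2FA file) are what you have to explain by hand. The script below is an added example written for this thread, not code from AIDE, Portage or genlop. It parses an AIDE report in the format shown above and an emerge.log in Portage's `<epoch>:  >>> emerge (N of M) cat/pkg-ver to /` / `::: completed emerge` format, then matches each file's new mtime against a merge window. Both inputs are constructed samples built from the thread's own AIDE lines; the package names, merge times and the idea that mkpasswd came from a whois package are assumptions made only so the sample hangs together, not something the thread establishes.

```python
"""Correlate an AIDE change report with Portage's emerge.log.

Added example for this forum thread; not AIDE, Portage or genlop code.
The AIDE lines are copied from the thread; the emerge.log lines and the
package names in them are constructed/assumed so the sample is self-contained.
"""
import re
from datetime import datetime, timedelta

# Paths whose change must always be explained before the box is trusted again.
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/passwd", "/etc/sudoers",
                      "/etc/pam.d/", "/etc/ssh/", "/root/")
SENSITIVE_NAMES = (".google_authenticator",)


def _local_epoch(stamp):
    """Local 'YYYY-mm-dd HH:MM:SS' -> epoch, so the sample is TZ-independent."""
    return int(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").timestamp())


# AIDE report as pasted in the thread (Ctime/MD5/SHA1 lines omitted; the
# parser skips everything but Mtime anyway).
AIDE_REPORT = """\
added: /usr/share/man/man1/mkpasswd.1.bz2
added: /usr/bin/mkpasswd
File: /etc/pam.d/system-auth
 Size     : 555                              , 496
 Mtime    : 2016-12-29 20:44:08              , 2016-12-31 14:33:16
File: /etc/shadow
 Mtime    : 2016-12-29 20:39:35              , 2016-12-31 14:14:22
File: /home/n4rqkw4rk3/.google_authenticator
 Mtime    : 2016-12-30 21:41:02              , 2016-12-31 14:19:04
"""

# Constructed emerge.log: the packages and times are assumptions.
EMERGE_LOG = "\n".join([
    f"{_local_epoch('2016-12-31 09:05:00')}:  >>> emerge (1 of 1) net-misc/whois-5.2.14 to /",
    f"{_local_epoch('2016-12-31 09:05:20')}:  ::: completed emerge (1 of 1) net-misc/whois-5.2.14 to /",
    f"{_local_epoch('2016-12-31 14:32:10')}:  >>> emerge (1 of 1) sys-auth/pambase-20150213-r1 to /",
    f"{_local_epoch('2016-12-31 14:33:30')}:  ::: completed emerge (1 of 1) sys-auth/pambase-20150213-r1 to /",
])

AIDE_LINE = re.compile(r"^(added|removed|changed): (\S+)$")
FILE_LINE = re.compile(r"^File: (\S+)$")
ATTR_LINE = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*,\s*(.+?)\s*$")
MERGE_START = re.compile(r"^(\d+):\s+>>> emerge \(\d+ of \d+\) (\S+) to ")
MERGE_END = re.compile(r"^(\d+):\s+::: completed emerge \(\d+ of \d+\) (\S+) to ")


def parse_aide(report):
    """Return [{'path', 'kind', 'mtime'}]; 'added' entries carry no mtime."""
    changes, current = [], None
    for line in report.splitlines():
        m = AIDE_LINE.match(line)
        if m:
            changes.append({"path": m.group(2), "kind": m.group(1), "mtime": None})
            continue
        m = FILE_LINE.match(line)
        if m:
            current = {"path": m.group(1), "kind": "changed", "mtime": None}
            changes.append(current)
            continue
        m = ATTR_LINE.match(line)
        if m and current and m.group(1) == "Mtime":
            # group(3) is the new value (right-hand column in the report)
            current["mtime"] = datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S")
    return changes


def parse_emerge_log(text):
    """Return [(start, end, package)] for every completed merge."""
    merges, started = [], {}
    for line in text.splitlines():
        m = MERGE_START.match(line)
        if m:
            started[m.group(2)] = datetime.fromtimestamp(int(m.group(1)))
            continue
        m = MERGE_END.match(line)
        if m and m.group(2) in started:
            merges.append((started.pop(m.group(2)),
                           datetime.fromtimestamp(int(m.group(1))), m.group(2)))
    return merges


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES) or path.rsplit("/", 1)[-1] in SENSITIVE_NAMES


def triage(report, emerge_log, slack=timedelta(minutes=2)):
    """Split AIDE changes into merge-explained, unexplained, and owner-check."""
    merges = parse_emerge_log(emerge_log)
    out = {"explained": [], "unexplained": [], "needs_owner_check": []}
    for change in parse_aide(report):
        if change["mtime"] is None:
            # 'added:' lines have no timestamp; check ownership with
            # `qfile <path>` (portage-utils) or `equery belongs <path>` instead.
            out["needs_owner_check"].append(change["path"])
            continue
        pkg = next((p for s, e, p in merges if s - slack <= change["mtime"] <= e + slack), None)
        if pkg:
            out["explained"].append((change["path"], pkg))
        else:
            out["unexplained"].append((change["path"], is_sensitive(change["path"])))
    return out


if __name__ == "__main__":
    for bucket, items in triage(AIDE_REPORT, EMERGE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

With the sample data, /etc/pam.d/system-auth falls inside the pambase merge window and is marked explained, the two mkpasswd files go to the owner check, and /etc/shadow plus the user's .google_authenticator come back unexplained and sensitive. That last bucket is where the operator's own memory has to do the work: in this thread the /etc/shadow change is the root password reset done from the chroot, and the script cannot know that.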

----------

## squirrelsoup

Are you saying, Neddy, that you think the root pw is not the problem?

Can I still trust the Gentoo machine? Is wireshark/iftop/netstat/aide enough to ease my mind about a possibly hacked box?

----------

## NeddySeagoon

squirrelsoup,

You cannot tell the difference between an unhacked box and a hacked one with a well hidden rootkit.

You were denied two factor authentication root logins.

We don't know which factor failed. Google authenticator codes are valid for 60 sec, plus a margin of error as they are time based.

If the two clocks involved in the code generation are over 60 seconds apart, the codes won't match and you are locked out.

You don't say what clock sources were in use.

The root password is not required to reset the root password.  You must be root to reset the root password.

You get to be root by either logging in as root, or by privilege escalation (sudo or exploit) after becoming an ordinary user.

It's for you to determine if you trust your install or not.

If not, save a few key data files and reinstall.

----------

## squirrelsoup

It is really hard for me to trust a computer because I have been diagnosed with schizophrenia since a young age.

I keep reinstalling my computer almost once a week, but on Gentoo installation takes a bit longer.

The time span on my authenticator is set to 4 minutes and I double checked the time sync.

Sadly I keep seeing things like a moving mouse and it makes me really paranoid and sick; sometimes I think it's better for me to not use a computer.

So there is no method to make sure a computer is hacked or not?

I had a "friend" who hacked my MacBook a few years ago; he deleted my game items and left desktop notes with personal messages.

Then one day I did a netstat and had his IP address. I called his provider and they put him on a blacklist. Then I cleared the disk with dd and gdisk, and Linux actually saved my life there.

However, these days I am still paranoid I might get hacked again, even though I have nothing to hide.

I start to think there is no such thing as privacy on the internet :(

Then I guess I have to wait and see if nasty things happen :(

----------

## NeddySeagoon

squirrelsoup,

The problem comes down to  *Carl Sagan wrote:*   

> Absence of evidence is not evidence of absence.

or just because you can't spot any evidence of being hacked does not mean that you are safe.

If the tests I suggested show nothing, it does not mean that you don't have hardware issues.

On the other hand, if they do show something, it may well account for your strange system behaviour.

It's unlikely you will ever have proof either way.

----------

## squirrelsoup

Last questions:

Is it more secure to wipe the hard disk once a day and do a 30-minute install of Debian, in contrast with an 18-hour Gentoo install once every month?

If most hacks happen through exploits: if someone installs a Gentoo machine, puts the network cable in, plays an online game and listens to YouTube with ad block, and does not visit one page nor download anything, does that reduce the chances of getting hacked/rootkitted?

Is there a possibility that making a secure system is possible (without surfing the web, only YouTube, nothing else)?

----------

## NeddySeagoon

squirrelsoup,

You can reinstall Gentoo from binaries if you wish. First you need to make your binaries and save a few other files.

You also need to save the binaries when you update.

Debian is more out of date than Gentoo.  You can't make an apples for apples comparison.

Gentoo only gives you what you need. Debian gives you what the packagers think you should have.

The vulnerability footprints are different.

Security is always a trade-off with usability.  You need to pick a trade-off you are happy with.

Security is not an absolute either.  Once you define your threat model, you can define the security measures you need to take to guard against those threats.

Consider security like the layers of an onion.  The idea is to make it difficult to get in and difficult to do anything useful if you do get in and difficult to phone home.

You cannot make it impossible.  Don't think of defending against a targeted attack from a government.

----------

## squirrelsoup

Thanks, Neddy, for the information.

Is there a guide/wiki somewhere on how to make a bin install for Gentoo?

About the threat model being a government: in the country I live in they are pushing a new law that the government can use the same tools as hackers do to break into citizens' computers. So all we can do is watch this happen? Is there nothing else we can do to prevent this?

----------

## NeddySeagoon

squirrelsoup,

If a government wanted your secrets on your PC, they would take you and your PC away and beat your passwords out of you.

It's much more effective than trying to break into your PC from the outside. In fact, with physical access, they only need you if you run encrypted filesystems.

The UK has just got a law referred to as the snoopers charter.  ISPs are required to log the web pages we visit. It means we all have to connect to the internet via a VPN or ssh tunnel. Good luck listening in on that.  That's still legal to use.

Install your Gentoo as normal, then make a stage4 backup.  That's covered on the forums and maybe even the wiki.

It's a way to revert to the as-installed Gentoo.  If you make further stage4 backups while your Gentoo is still trusted, you can revert to any one of them.

Some block devices offer snapshots.  That's another way of quickly rolling back to a trusted state. 

A snapshot does not take up much space either, close to zero in fact, as changed information isn't copied until it's written. (Copy on Write, or COW)

Another option is to keep binaries of everything you trust was built correctly.  Set FEATURES=buildpkg.

Keep your world file and /etc/portage; you can then reinstall with emerge -ek @world.

----------

## squirrelsoup

Exactly, Neddy. In my country the government has to physically take your computer to break in, and they can monitor the pages you visit through your ISP, but they are pushing a law now that the government can use the same tools as hackers do, to hack remotely.

Can I feel slightly secure on Gentoo? I suffer from schizophrenia; is there a possibility I can play my video game without constantly thinking I am being monitored?

If a (government) hacker breaks into a system remotely, they might leave some traces, right?

----------

## NeddySeagoon

squirrelsoup,

Can you play your video game in a throw away virtual machine?

Make a virtual machine ... Virtualbox, KVM ... whatever you like.

Clone it.

Play your video game in the clone.  When you are done, destroy the clone.

The clone process only takes a few minutes, while the virtual hard drive is copied.

Next time ... make a new clone.

Now an attacker has to break into your virtual machine and out of the virtual machine to get to your real install.  That's harder.

When you finish gaming - you delete the virtual machine that was at risk.

There is a linux distro, that runs every application in its own 'container', like this but I forget its name.
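The clone, play, destroy cycle above is easy to script so that the throwaway VM is always discarded, even if the game session ends badly. The following is an added example for this thread, not VirtualBox's or Gentoo's own tooling. It drives the real `VBoxManage clonevm`, `startvm`, `showvminfo --machinereadable` and `unregistervm --delete` subcommands, and takes the command runner as a parameter so the same logic can be exercised without VirtualBox installed. The base VM name `gentoo-gaming-base` is an assumption; it stands for whatever clean, trusted VM you keep as the template.

```python
"""Throwaway-VM session around VBoxManage (clone -> play -> destroy).

Added example for this forum thread; not VirtualBox project code.
The base VM name is an assumption.  `exec_cmd` is injectable so the flow
can be tested with a fake runner; by default it shells out to VBoxManage.
"""
import subprocess
import time
from datetime import datetime

BASE_VM = "gentoo-gaming-base"   # assumed name of the trusted template VM
ACTIVE_STATES = {"starting", "running", "paused", "stopping", "restoring", "saving"}


def _real_exec(argv):
    """Run a VBoxManage command, raise on failure, return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def clone_name(base, now=None):
    """Unique per-session name so stale clones are never reused by accident."""
    stamp = (now or datetime.now()).strftime("%Y%m%d-%H%M%S")
    return f"{base}-throwaway-{stamp}"


def vm_state(name, exec_cmd=_real_exec):
    """Parse VMState="..." out of `showvminfo --machinereadable`."""
    out = exec_cmd(["VBoxManage", "showvminfo", name, "--machinereadable"])
    for line in out.splitlines():
        if line.startswith("VMState="):
            return line.split("=", 1)[1].strip().strip('"')
    return None


def make_clone(base, name, exec_cmd=_real_exec):
    # Full clone: the virtual disk is copied, which is the "few minutes" cost.
    exec_cmd(["VBoxManage", "clonevm", base, "--name", name, "--register"])


def start_vm(name, exec_cmd=_real_exec):
    exec_cmd(["VBoxManage", "startvm", name, "--type", "gui"])


def wait_until_off(name, exec_cmd=_real_exec, sleep=time.sleep, poll=5):
    """Block until the guest has shut down (or never started)."""
    while vm_state(name, exec_cmd) in ACTIVE_STATES:
        sleep(poll)


def destroy_vm(name, exec_cmd=_real_exec):
    # --delete removes the clone's config and its disk files from disk.
    exec_cmd(["VBoxManage", "unregistervm", name, "--delete"])


def throwaway_session(base=BASE_VM, exec_cmd=_real_exec, sleep=time.sleep):
    """Clone the trusted base, play in the clone, destroy the clone.
    Returns the clone's name.  The destroy step is in a `finally` so a
    crashed or hung game does not leave the possibly-compromised clone
    registered for the next session."""
    name = clone_name(base)
    make_clone(base, name, exec_cmd)
    try:
        start_vm(name, exec_cmd)
        wait_until_off(name, exec_cmd, sleep)
    finally:
        destroy_vm(name, exec_cmd)
    return name


if __name__ == "__main__":
    print("destroyed", throwaway_session())
```

The design point is the `finally`: whatever happened inside the guest, the only VM that survives the session is the untouched template, so an attacker who got into the clone has to escape the hypervisor, within one gaming session, to reach the host. Shut the guest down from inside the game VM and the script returns; if you prefer a linked clone to save the disk copy, `clonevm` also takes `--snapshot <name> --options link`, which is not shown here.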

----------

## squirrelsoup

Sadly I cannot play this game in a virtual machine or live distro :(

But if someone breaks into my Gentoo PC they might leave some traces, right?

----------

## NeddySeagoon

squirrelsoup,

They might ... it depends how good they are.

----------

## jonathan183

 *NeddySeagoon wrote:*   

> There is a linux distro, that runs every application in its own 'container', like this but I forget its name.

 

maybe https://www.qubes-os.org/ ?

----------

## lebarondemerde

If you are in paranoid mode, it would be a lot more effective to grab a second machine and install some kind of UTM like OPNsense/pfSense/Sophos/etc., where you can easily have more control of what is going on on your network, instead of doing frequent desktop reinstalls.

EDIT: Sophos needs a lot more power than the other options.

----------

