Am I being hacked into?


Space~GhOst~
16-06-2001, 22:29
Hi,

Ever since getting my 'BlueYonder Cable modem' my PC occasionally turns on at night. The simple fix is to turn the power off from the back!

But I get a little lazy. I worked out someone must be 'pinging' my PC, which activates the WOL function on my network card. I disabled this from Windows and all seemed fine.

Recently I installed Mandrake8 and the problem's back. It didn't bother me, as the PC will boot into Mandrake by default. I figured Linux was secure enough to not worry about anything.

Today, I came home and my PC was already on. As expected it was in Mandrake (KDE), but the mouse wouldn't work and there were some strange green dots flashing along the top of my screen. Then I noticed a file on my desktop, which I most certainly did not create! :(

The spooky part is, the file was named with my name :eek:
I make a point of not saving any personal details on my PC, not in windows and not in Linux. Only my false aliases are stored on the PC. All the official documents are on CD/floppy.

- Any ideas on what the hell is going on?
- Can I increase Mandrake's security with a firewall? (Anything simple like ZoneAlarm?)
- How do I stop Mandrake from booting straight into KDE? I'd rather have it booting into the console, where I have to login before proceeding to KDE. I gather this would make it 'hack-proof'?

Thanks for listening ;)

[Edited by Space~GhOst~ on 16-06-2001 at 10:32 PM]

ybw
16-06-2001, 22:52
Well, if you don't remotely access the machine at all, then comment out (#) the lines for telnet/SSH and FTP in /etc/services and /etc/inetd.conf (if they're run off inetd).

Then (as root), do:
ps aux | grep inetd
(once again assuming the services are run off inetd)
Get the process number for inetd and then:
kill -HUP that_number

Oh and comment out finger as well.
You could try this page for firewall stuff: http://www.suse.de/~marc/SuSE.html

Andy
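The procedure ybw gives, as an added example that is not part of the thread: a small POSIX shell script that comments out named services in an inetd.conf-style file and then sends inetd a SIGHUP. It works on a file path passed as an argument, and the demonstration at the bottom runs on a constructed copy rather than /etc/inetd.conf, so nothing on the system is changed by running it. The function names, the sample file contents and the choice of `ps aux | awk` to find the PID are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): disable inetd-launched services and
# tell inetd to re-read its configuration. The sample inetd.conf below is
# constructed for illustration and is not a real system file.

# disable_inetd_services FILE SERVICE...  -- comment out each SERVICE line in FILE
disable_inetd_services() {
    file="$1"; shift
    for svc in "$@"; do
        # only lines whose first field is exactly the service name are touched;
        # the result is written to a temp file and moved back, so a failed sed
        # never leaves FILE half-written
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# count_active_services FILE -- number of lines that are neither comments nor blank
count_active_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# reload_inetd -- send SIGHUP to the running inetd (needs root); returns 1 if none
reload_inetd() {
    # column 11 of `ps aux` is the command; take the first inetd found
    pid="$(ps aux | awk '$11 ~ /(^|\/)inetd$/ { print $2; exit }')"
    if [ -z "$pid" ]; then
        echo "no inetd process found" >&2
        return 1
    fi
    kill -HUP "$pid"
}

# --- demonstration on a constructed copy, so nothing under /etc is changed ---
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# service  socket  proto  wait    user    server           args
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
telnet     stream  tcp    nowait  root    /usr/sbin/tcpd   in.telnetd
finger     stream  tcp    nowait  nobody  /usr/sbin/tcpd   in.fingerd
daytime    stream  tcp    nowait  root    internal
EOF

echo "active before: $(count_active_services "$sample")"   # 4
disable_inetd_services "$sample" ftp telnet finger
echo "active after:  $(count_active_services "$sample")"   # 1
cat "$sample"
# On the real system, as root:
#   disable_inetd_services /etc/inetd.conf ftp telnet finger && reload_inetd
```

Two things worth knowing when applying this to a real box: /etc/services is only the name-to-port table, so commenting lines out there does not stop a daemon that is already launched from inetd.conf, and sshd is normally a standalone daemon rather than an inetd service, so it is stopped through its own init script instead of this file. After the HUP, `netstat -an | grep LISTEN` (or whatever the distribution provides) confirms that the ports are no longer open.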

aef
17-06-2001, 09:43
Hmm... the green dots and frozen mouse would lead me to think that the system has crashed. This could have happened because Linux itself crashed (possible but rare), or because of a hardware failure, or because you've been cracked.

If you are /really sure/ that your name isn't stored in your machine in any way, then it is difficult to see any way in which that file could have been created, save for a security breach. I'm not sure why an attacker would create that file, though. What is in this file? It would be nice to be able to confirm an attack or otherwise explain these effects.

The points made above are good ones, but there is no point in securing a machine which has already been cracked (horse, door, bolted). To be more precise, the only way to secure a cracked machine is to re-install all systems and code. You need to back up your data somewhere (think also about Word files that may have had macros inserted into them). Then you need to wipe Linux and Windows, and reinstall both of them.

You probably want to see if you can confirm an attack before going to all this trouble. Also watch your modem and see if your machine suddenly starts using the connection a lot - this may indicate that it's being used as part of a DDOS attack. (Pull the 'phone plug if it is.)

AEF

Jiveman
17-06-2001, 12:39
On a slight side note, I have heard people complain about their PC switching on with wake on lan enabled, the guy who posted about it was using an NTL cable modem however.

What you really want to do is disable Wake On Lan in your BIOS settings rather than through windows and see if that makes a difference, it should at least stop the PC being switched on when you are not there.

Space~GhOst~
18-06-2001, 11:45
Thanks for the replies guys :)

ybw, that's some hardcore stuff mate :eek:
I've only just started using Linux and I can barely find my way around KDE... let alone the console-stuff :)
But I'll give it a go and see how far I get, thanks.

Jiveman, WOL has been disabled in the BIOS since I installed the mobo. I made sure of it!
But, it seems Windows 'overrides' the BIOS setting and forces the PC to wake up!

aef, I agree with what you say... have you ever seen the film 'Heat'? R. De Niro/Al Pacino...etc..
In the film, R. De Niro has his own 'personal philosophy' which he lives by, something like:
"Never get so attached to anything, so if you smell the heat, you can drop everything and run in 10 seconds!"

It goes something like that, but that's how I run my PC. If I so much as suspect a virus/intrusion, I can format the drive and install everything from scratch! A bit of overkill, but you can never be too sure!

Anyway > The PC hadn't 'crashed' as the keyboard was still working. As for the file, I managed to open it in a text editor and there was nothing contained in the file!
I can only assume a hacker of some sort is trying to fumble me in his own perverse way!
Again, this file was definitely not created by me or anyone else in my house... and no, I don't drink or take drugs, so intoxicated use of the PC is out of the question!

Before I go ahead with the re-install, I had a couple more questions:
- Does Linux keep a log of all internet activity? Could I recover the IP of this attacker?
- I want to buy a second hard disk and use RAID-0. Does Linux have any issues with this, or will it work fine?

Cheers :)

aef
18-06-2001, 22:20
There are a variety of logs in /var/log and subdirectories. These logs may have been tampered with if your system has been compromised, of course. I can't really explain what to look for in a short post (it really requires significant Unix knowledge). One other thing to check is the file modification times of system files, to see if they are likely to have been interfered with. Be aware that an attacker may have used a root-kit (or r00tkit) which may have replaced certain files and utilities to help hide the intrusion.

Linux can do IDE and SCSI RAID. SCSI RAID is better, of course. Some potential problems with IDE RAID can be avoided if you use two identical disks.

AEF
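The modification-time check aef suggests, as an added example that is not part of the thread, together with the check that actually catches a swapped binary: a checksum baseline taken earlier and compared now. It is a POSIX shell script whose function names are this example's own; the directory, files and "replaced" binary are constructed in a temp dir so it runs without root and without touching a real /bin.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to ask "have system files been
# touched?". Everything below runs on a constructed temp directory, not on the
# real system, so it is safe to run as an ordinary user.

# recently_modified DIR DAYS -- regular files under DIR modified within the last DAYS days
recently_modified() {
    find "$1" -type f -mtime -"$2" | sort
}

# snapshot_checksums DIR -- one "crc size path" line per regular file, sorted by path
snapshot_checksums() {
    find "$1" -type f -exec cksum {} + | sort -k3
}

# changed_since_baseline DIR BASELINE -- paths whose checksum differs from BASELINE
# (lines that are new or changed appear as "> ..." in diff output; the crc and
# size are stripped so only the path is printed)
changed_since_baseline() {
    snapshot_checksums "$1" | diff "$2" - | sed -n 's/^> [0-9]* [0-9]* //p'
}

# --- constructed demonstration ---
demo_dir="$(mktemp -d)"
mkdir "$demo_dir/bin"
printf 'original ls\n' > "$demo_dir/bin/ls"
printf 'original ps\n' > "$demo_dir/bin/ps"
# backdate both files to June 2001 (touch -t is POSIX: CCYYMMDDhhmm)
touch -t 200106170000 "$demo_dir/bin/ls" "$demo_dir/bin/ps"

# the baseline is taken while the files are still known-good
baseline="$demo_dir/baseline.cksum"
snapshot_checksums "$demo_dir/bin" > "$baseline"

# simulate a replaced binary: constructed here, this is what a swapped utility
# looks like on disk afterwards
printf 'replaced ps\n' > "$demo_dir/bin/ps"

echo "modified in the last 7 days:"
recently_modified "$demo_dir/bin" 7          # .../bin/ps
echo "differs from baseline:"
changed_since_baseline "$demo_dir/bin" "$baseline"   # .../bin/ps
```

On a real machine the directories to snapshot are the ones holding the utilities an intruder would want to replace (/bin, /sbin, /usr/bin, /usr/sbin, /lib), and the baseline belongs on read-only media taken at install time, before anything else has happened. The caveat aef raises applies to both checks: a modification time can be reset with `touch`, and if `find`, `cksum` or `ls` themselves have been replaced, their output cannot be trusted, so the comparison is only conclusive when run with tools booted from clean media.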