Need urgent help with my passwd conf file

    #16
    http://www.thomas-krenn.com/en/wiki/Partition_Alignment

    A tad technical, but newer disk tools (including fdisk) default to starting the first partition at 2048.



      #17
      Originally posted by kubicle View Post
      You can't really trust the output of those if you have been compromised; most attack kits would replace all these binaries with versions that would hide all suspicious output.
      that's very true,
      and the indication of a rootkit in this situation is?

      oh wait,

      "/dev/sdg1 1 3907029167 1953514583+ ee GPT"

      that is definitely a compromised hard disk
      K 14.4 64 AMD 955be3200MHz 8GB 1866Mhz 6TB Plex/samba.etc.+ Macbook Air 13".



        #18
        Originally posted by millusions View Post
        and the indication of a rootkit in this situation is?
        You can't reliably detect the presence of most rootkits on machines that are booted with one. You need to attach the disk to another machine and analyze the disk's contents with forensics tools.

        Originally posted by millusions View Post
        "/dev/sdg1 1 3907029167 1953514583+ ee GPT"

        that is definitely a compromised hard disk
        I'll assume, by the smile, that you know you're just joking. But that output is not any kind of sign of compromise. It's what you'd expect when running fdisk on a disk that has a GUID partition table (GPT) rather than MBR. The proper tool to use in this case is gdisk.

        Originally posted by johndoe View Post
        I have programs installed I did NOT install. Such as ubuntu-server
        ubuntu-server could be present if you built your machine using the Ubuntu server ISO to obtain a basic command-line setup and then added kubuntu-desktop after. This is how I build my machines, in fact. What other programs do you see that you didn't install?

        Originally posted by johndoe View Post
        when I log on, I have gkrellm, it states 2 users are active, when the computer starts up, 1 user pops up, I cannot do anything on the desktop until user #2 pops up
        Explain this more, please. What are the user accounts? What does "pop up" mean?

        Originally posted by johndoe View Post
        I fear that a bluetooth enabled device was inserted into my computer or something of that nature, if it is possible; for instance, I can hear clicking inside my computer (not anywhere near a hard drive). Is that possible, for someone to insert a device to take over control?
        If an attacker has physical access to your machine, it isn't your machine any longer. Based on your next statement...

        Originally posted by johndoe View Post
        Someone changed my bios password a few days ago and I had to use the jumpers on my motherboard to clrcmos and EZflash my bios
        ...I'm of the opinion that you can no longer trust your computer. Don't even bother trying to fix it -- pave and rebuild. Now.
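As an added illustration (not code from anyone in this thread) of why that fdisk line is expected on a GPT disk: the Python below builds a constructed protective MBR for a disk of 3907029168 sectors, parses it the way an MBR-only tool would, and checks the GPT header signature that gdisk would read at LBA 1. The single type 0xEE entry starting at LBA 1 and covering the rest of the disk is exactly what produces "1 3907029167 1953514583+ ee GPT".

```python
import struct

SECTOR = 512
GPT_PROTECTIVE_TYPE = 0xEE        # fdisk labels this "ee GPT"
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, LBA count

def build_protective_mbr(disk_sectors):
    """Constructed sample sector 0: one 0xEE entry covering LBA 1 .. end of disk
    (capped at 0xFFFFFFFF, as the MBR format cannot express more)."""
    mbr = bytearray(SECTOR)
    count = min(disk_sectors - 1, 0xFFFFFFFF)
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x00, b"\x00\x02\x00",
                               GPT_PROTECTIVE_TYPE, b"\xff\xff\xff", 1, count)
    mbr[510:512] = b"\x55\xaa"    # MBR boot signature
    return bytes(mbr)

def build_gpt_header_sector():
    """Constructed sample sector 1: only the 8-byte GPT signature is modelled."""
    return b"EFI PART" + bytes(SECTOR - 8)

def parse_mbr(sector0):
    """Return the non-empty MBR entries with the fields fdisk prints."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0:
            continue
        # fdisk reports 1 KiB blocks and marks an odd sector count with "+"
        entries.append({"type": ptype, "start": start, "end": start + count - 1,
                        "blocks": count // 2, "odd": count % 2 == 1})
    return entries

def is_gpt_protective(entries):
    """A lone 0xEE entry beginning at LBA 1 is a GPT protective MBR, not a partition."""
    return (len(entries) == 1 and entries[0]["type"] == GPT_PROTECTIVE_TYPE
            and entries[0]["start"] == 1)

def gpt_signature_present(sector1):
    """What a GPT-aware tool such as gdisk checks next: the header at LBA 1."""
    return sector1[:8] == b"EFI PART"

def fdisk_style(dev, e):
    """Render one entry in the same layout as the line quoted in the thread."""
    blocks = f"{e['blocks']}{'+' if e['odd'] else ''}"
    name = "GPT" if e["type"] == GPT_PROTECTIVE_TYPE else "?"
    return f"{dev} {e['start']} {e['end']} {blocks} {e['type']:02x} {name}"
```

Seeing the protective entry alone tells you only that the disk is GPT and that fdisk is the wrong tool; it says nothing about compromise.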



          #19
          "You can't reliably detect the presence of most rootkits on machines that are booted with one. You need to attach the disk to another machine and analyze the disk's contents with forensics tools."

          of course!
          however
          you have to ask yourself why,
          if you hack into my laptop, well I'd be flattered lol


          this is an RTFM issue



            #20
            Originally posted by millusions View Post
            you have to ask yourself why,
            if you hack into my laptop, well I'd be flattered lol
            Your laptop isn't the subject of this thread.

            Kubicle rightfully pointed out that, in the event of compromise, tools on the system can't be trusted.

            Originally posted by millusions View Post
            this is an RTFM issue
            Which FM are you suggesting johndoe (the OP) read? Granted, we don't know a lot yet, but we do know someone changed the firmware password on the machine. Given this, the machine is in an unknown and possibly dangerous state. It should be wiped clean and rebuilt.



              #21
              I don't have your patience, Steve, so I tip my hat.

              I can think of a few things, like Puppy Linux, but I'm bowing out.

              good luck



                #22
                Originally posted by SteveRiley View Post
                ubuntu-server could be present if you built your machine using the Ubuntu server ISO to obtain a basic command-line setup and then added kubuntu-desktop after. This is how I build my machines, in fact. What other programs do you see that you didn't install?
                I used the 1 GB install from http://www.kubuntu.org/getkubuntu , clicked the 1 GB image ISO; does that include a server? I did not have to install kubuntu-desktop; a GUI popped up asking to either try or install. I picked install and set up my partitions for /, /home and /swap, although I'm not really sure why I bothered with the swap since I have 16 GB of RAM, which again might be being used for a VM I don't know about.

                Originally posted by SteveRiley View Post
                Explain this more, please. What are the user accounts? What does "pop up" mean?


                Do you see the 2 users? When I log on, I see 1 user; I can't do anything other than move the mouse around, can't manipulate any icons. The only fan speed listed is my loop pump, which for some reason reads as ~1400 although the actual RPMs are ~2800 (but this was the same issue on Windows).

                Originally posted by SteveRiley View Post
                If an attacker has physical access to your machine, it isn't your machine any longer. Based on your next statement...
                ...I'm of the opinion that you can no longer trust your computer. Don't even bother trying to fix it -- pave and rebuild. Now.
                I was thinking of literally taking apart the machine, which should take half a day, then inspecting all the pieces attached and rebuilding. It could use a good cleaning anyway; I have a lot of fans in there and it gets dusty (14 fans total, GPU included).
                Last edited by SteveRiley; Aug 15, 2014, 01:22 AM. Reason: fixed quoting



                  #23
                  @johndoe
                  gkrellmd is a system monitor (similar to conky or various plasma widgets)... it's only a concern if you haven't installed it yourself (I didn't check the reverse depends, but I'd assume there isn't much that one could install that would pull it in as a dependency).

                  Originally posted by SteveRiley View Post
                  Granted, we don't know a lot yet, but we do know someone changed the firmware password on the machine. Given this, the machine is in an unknown and possibly dangerous state. It should be wiped clean and rebuilt.
                  I concur with Steve. Am I convinced the machine has been hacked... no. But there are red flags that shouldn't just be shrugged away. Wipe and reinstall is a quick and easy way to be sure (it might fix things even if the red flags are just herrings). Like the saying goes, it's better to be safe than Nick Nolte.



                    #24
                    You have some things I don't understand. A normal installation from the Kubuntu ISO will not install ubuntu-server. Your GKrellM shows two users, but no account names. The folder on your desktop that contains two folders doesn't necessarily have any relationship to two logged-in users. The inability to move the mouse when logging into only one user is perplexing.

                    You have a botched install -- either accidentally or deliberately. Pave it and rebuild.
