http://www.thomas-krenn.com/en/wiki/Partition_Alignment

A tad technical, but newer disk tools (including fdisk) default to starting the first partition at 2048.

thats very true,
and the indication of a rootkit in this situation is?

oh wait,

"/dev/sdg1 1 3907029167 1953514583+ ee GPT"

that is definately a compromised hard disk

You can't reliably detect the presence of most rootkits on machines that are booted with one. You need to attach the disk to another machine and analyze the disk's contents with forensics tools.

I'll assume, by the smile, that you know you're just joking. But that output is not any kind of sign of compromise. It's what you'd expect when running fdisk on a disk that has a GUID partition table (GPT) rather than MBR. The proper tool to use in this case is gdisk.

ubuntu-server could be present if you built your machine using the Ubuntu server ISO to obtain a basic command-line setup and then added kubuntu-desktop after. This is how I build my machines, in fact. What other programs do you see that you didn't install?

Explain this more, please. What are the user accounts? What does "pop up" mean?

If an attacker has physical access to your machine, it isn't your machine any longer. Based on your next statement...

...I'm of the opinion that you can no longer trust your computer. Don't even bother trying to fix it -- pave and rebuild. Now.

"You can't reliably detect the presence of most rootkits on machines that are booted with one. You need to attach the disk to another machine and analyze the disk's contents with forensics tools."

of course!
however
you have to ask yourself why,
if you hack in to my laptop, well i'd be flattered lol


this is RTFM issue

Your laptop isn't the subject of this thread.

Kubicle rightfully pointed out that, in the event of compromise, tools on the system can't be trusted.

Which FM are you suggesting johndoe (the OP) read? Granted, we don't know a lot yet, but we do know someone changed the firmware password on the machine. Given this, the machine is in an unknown and possibly dangerous state. It should be wiped clean and rebuilt.

I dont have your patience Steve, so I tip my hat.

i can think of a few things, like puppy linux, but im bowing out.

good luck

I used the 1gb install from http://www.kubuntu.org/getkubuntu , clicked the 1gb image iso, does that include a server? I did not have to install kubuntu-desktop, a gui popped up asking to either try or install, I picked install, set up my partitions for / , /home and /swap , although not really sure why I bothered with the swap since I have 16gb of ram, which again, might be being used for a VM I don't know about.



Do you see the 2 users, when I log on, I see 1 user, I can't do anything other than move the mouse around, can't manipulate any icons. The only fan speed listed is my loop pump which for some reason reads as 1400~ although the actual rpm's are 2800~ (but this was the same issue on Windows)

I was thinking of literally taking apart the machine, should take half a day, then inspect all the pieces attached and rebuild. It could use a good cleaning anyway, I have a lot of fans in there and it gets dusty (14 fans total gpu included)

@johndoe
gkrellmd is a system monitor (similar to conky or various plasma widgets)...it's only a concern if you haven't installed it yourself (I didn't check the reverse depends, but I'd assume there isn't much that one could install that would pull it in as a dependency)

I concur with Steve. Am I convinced the machine has been hacked...no. But there are the red flags that shouldn't just be shrugged away. Wipe and reinstall is a quick and easy way to be sure (it might fix things even if the red flags are just herrings). Like the saying goes, it's better to be safe than Nick Nolte.

You have some things I don't understand. A normal installation from the Kubuntu ISO will not install ubuntu-server. Your GKrellim shows two users, but no account names. The folder on your desktop that contains two folders doesn't necessarily have any relationship to two logged in users. The inability to move the mouse when logging into only one user is perplexing.

You have a botched install -- either accidentally or deliberately. Pave it and rebuild.