How to extract log files from a compromised distro
by liquidglass from LinuxQuestions.org on (#5KXC4)
I am totally reluctant to post this as I fear a torrent of scorn and ridicule. Yes, I have installed - previously - an ISO that was insufficiently verified. I was still running Windows so it is harder to check the signature in particular. Obviously, if I had googled the significance of verifying the signature I would not be writing this post now.
The image had checked out and I finally decided to install it. I installed it without persistence using Rufus directly over Windows 7 and it seemed to have gone well. I am using a wireless connection with an adapter I especially ordered which works with Linux out of the box.
After I adjusted a few things I logged off but not before looking at Netstat where I saw several IP addresses connected to my computer. I copied them down and checked them on my Windows laptop with a special utility. All three addresses were universities, one of them in Europe.
I was puzzled by this. Subsequently I also noticed that my modem would show someone logged in to my wireless network after I had already logged off. Apparently there are some installations that come with malware that gives a hacker access every time the user is logged in.
I decided to download another ISO from a different place and install it over the old one. I used my Windows laptop for this, of course, and yes, this time I did manage to verify the signature. Unfortunately and quite stupidly I did not reset my modem and the hacker was back within a day or two.
The trouble is, I'm not sure how these types of malware work. Is it a Trojan, a worm, a keylogger? Would resetting the modem eliminate this issue?
But more importantly, how did they gain access to the new installation which was clean as far as verifiable with checksums and sig??
I need to export those system log files (all the logs actually) but how do I do this without exporting the virus as well? I have heard people say that once you're hacked the log files can get altered to hide the evidence but in a post in Ubuntu somewhere it says there are signs, including the attempts at obfuscating.
Thanks for reading. Any constructive feedback is appreciated.