Caught my computer cheating on me this morning.

logging on to csis.org

Since when are they in the business of spying on american citizens?

They're supposed to be a right-wing think tank.

Been watching them for a couple of weeks on my computer.

WTF are you talking about? Please explain.

Every time I boot up, it logs into csis.org and sets up a connection to my computer.

Whoever did it knows how to break into secure UNIX systems.

It's all in the background. Usually by the time Xwindows comes up, the deed is done and they've erased their tracks.

I don't think i've ever logged onto their site.

They usually show up just after I log onto DU.

"They are watching"

If you don't believe me, don't.

Since it appears connected to my activity on DU, I thought to warn other members.

since I don't know exactly what website you are talking about (and don't really want to log on so they don't watch me) I thought that what you were describing sounded fishy i.e. someone is watching your activity on the net. Hence my "they are watching" comment.

Take a chill pill, I am on your side

My chill pill just kicked it and my jets are back to normal temperature. :hi:

ha, get it, I make a funny.....at least to me......:rofl:

:rofl:

Inside joke to someone who understands the vernacular.

nt

and how are you aware of it at all?

even before Xwindows completes loading.

someone would spike my connection.

They were being very obvious.

It was getting really obvious when Xwindows would freeze befor I could finish typing out a post.

Someone was watching me type in real time.

I'm sorry, you aren't making any sense to me.

but I don't know at what point they began to watch.

Their activity didn't seem active until after logging into DU. If I just read DU without logging in, there didn't seem to be any activity. As soon as I log in, the fun starts.

but it really starts after logging on to du?

their obvious activity starts after I log onto DU. They might be passively monotoring the connection from the beginning. Once they have my IP Number, it's not a big deal to monitor my traffic without doing anything on my computer. I suspect it logs in and gives them my IP Number since it changes from time to time.

I was, in essence, being shut down, shut up.

I wonder how many others have had the same experience and just figuring a glitch or virus or something.

:shrug:

How many times do you have to rebuild your OS before you say"fuck it!?"

well, not really sure if they're similar but sometimes when I get on DU and one or two other sites, my keyboard goes all to hell. I cant type anything. The keys seem to change functions like when I am trying to type and hit the left arrow key, instead of the curser moving left, the browser goes back to the previous page. If I hit the backspace key when trying to type messages, everything I've typed is deleted and I have to start over. the right arrow does nothing then and other strange things. I usually have to restart to fix it. :shrug: I thought it was just a glitch with this computer.

On a former Windows machine they modified my BIOS to make it appear the Motherboard was defective.

I'm still using the same Motherboard after I flashed another copy of the BIOS and went to UNIX.

when I go to certain sites. Or maybe I'm just paranoid but it only seems to happen when posting certain subjects like on DU and a cpl others. I almost think it's someone here sometimes but that's just too paranoid I guess.

I only trust my cat. A cat can never be a rat.

or only in X?

I'm not going to reward them by modifying my behavior. If they have time to waste on me, then there must not be a real terrorist threat or they would be busy elsewhere.

Also if you want to publish any more about it you'd best do it before you get a gag letter in the mail. As long as all you know is that it's going to some RW think tank, I think you are probably still within your legal rights to expose details until you have been served some sort of official certified mail telling you you're not allowed to talk about it.

I hope they don't get much sleep tonight.

assholes.

You have a Unix based system... which one? And what version?

You run Xwindows on it.

When you start Xwindows and then a browser and point it at DU, a virus starts some sort of connection to an IP address of csis.org, and you believe it to start covering its tracks.

OK, most TCP stacks have logging facilities, so are they altering the log file?
How do you know it connected to csis.org? What type of "connection" was made? (UDP? TCP? ICMP? something else?)

If you have another unix system laying about, make it a gateway to the internet and route your traffic from your infected system through the gateway and turn on the maximum tracing on the gateway (down to capturing and recording the packet contents. Then use a filter to find only those packets going to the suspected IP address... dump them in HEX and post them here or email them to me... I'll might be able to figure it out).

Why bother with a browser under Xwindows? I have experience with other emulators (but not recent). But why not Firefox or some other browser from your unix desktop?

Just curious.

on a term window and caught the site login before it was erased.

I use firefox generally.

FreeBSD 6.2.

I checked all the log files and there was only a stub with 0 bytes.

I have FreeBSD 6.1 on one of my systems, I tried using Firefox on it to browse DU and then looked for the "tracks" of malware or other, and found nothing out of the ordinary.

You say that the virus truncated your log files... which isn't very smart of them as that lets the aware sys admin know something hincky is up with the system...

do you have another computer that you can set up as a gateway? (you will need some unix or linux machine, two network interfaces, and some ability to configure things and, if your current network interface is DHCP and so on, some ability to configure NAT and domain resolution services (/etc/hosts, /etc/resolv.conf).

If you do this (make a Unix machine into a gateway/firewall), it will be very easy to trap this little bugger and find out lots of info on it.

I got on a clean Mac to reply. Got 3 replies done and working on yours when my browser crashed and a window came up that said

Firefox is installing updates and will restart momentarily.

Yeah, right.


Looks like i'm going to have to rebuild that machine.

Did you use a packet sniffer?

Also wondering what flavor of UNIX you are using. I once had a Linux Box rooted, but I am sure it was by scriptkiddeez and not more nefarious sources.

I understand if you would rather not disclose the specifics of the OS, but hey I am always curious when someone who seems to know what they are doing with regard to security gets hacked.

Log in to DU from another system, once, and check your pm box. Don't check it while on your current system.

K?

Thanks for the explanation--and I agree--something strange is going on for sure. How do the rest of us check and see if anything is hidden on our PC's?

Work computer?

There's nothing on it that anyone can't see on DU for the most part.

I'm really not too concerned about what they might find. I does concern me that they are sufficienty savvy to break into a system that is much more secure than a Windows machine.
Every service I don't absolutely need is turned off and the firewall doesn't allow any incoming connections, not even localhost.

and I try to lock it down as much as I can beyond the base install.

I have used DOS,windows, Zeta, BeOS, MAC OS and linux <FreeBSD, SuSe, Mandrake/driva, RedHat yadda yadda> since.. well a long time and have never got a virus or been hacked. Maybe the OS is not the key factor here after all.

and did the same at your workplace?

I find that a little hard to believe, if you don't mind me saying so. To what purpose would someone hack two different computers that you use? Do you ever transfer files to/from work on a flash card or by email?

It's more likely that you clicked on a bad link or opened a bad email or installed a corrupted file or are simply mistaken about what you found.

and since two people have asked for a pcap and the OP author won't even acknowledge the request, raises more questions. Why not just show a capture with the suspected established connection?

Technology is too far advanced for us.

to check to see if the same thing is going on? Are there things to watch for to know that someone is getting into your computer?

but if you don't have anything to reference it, there's not much to see. I did find the stub of a file in /var/log, but it had been cleaned out.

These guys cover their tracks well.

Your tax dollars at work.

i know what /var/log is...tell me what you mean by "the stub of a file"

not a very clever way to hide their tracks.

More clever would be to open the log file, read it and parse it, remove only the lines pertaining to the connection they wish to hide, rewrite it without those entries, and then set the time stamp back to the last modified time.

Of course, they could omit the time stamp change, as a log file is constantly updating and so, with the next entry, will hide their modification.

3 additional users in the passwd file.

They weren't satisfied with just one.

little humming noises when I'm not running anything that should cause it to do so. I have suspected that's when SOMEBODY from outside is doing something with my computer behind my back. I have DSL so it's always connected to the internet even when it's not, if you get my drift.

They won't find much other than my anti-fascist screeds here on DU, lol. And my visits to icanhascheezburger.com.

I really give a shit, but there might be others who would like a heads-up.

fromer ASA

:rofl:

Could you change your root password?

I don't think it matters with a root kit.

More likely they installed some executable or script file somewhere with SUID privileges. Which, for hackers, isn't that hard to do, especially from something you might have downloaded (like a java program or similar).

I surprised they bother to hack a FreeBSD OS... since something like 99 percent of the worlds computers are either Winblows, Linux, or Mac. Course, the same hack could work with Mac machines as well, given the basis for MacOS is, in fact, FreeBSD.

I saw it scrolling by in the terminal.

They probably tunnel through the kernel to bypass the firewall too.

It's a shame to find out that an outfit that is supposed to be white hats are in fact black hats.

It makes a great cover.

...without at least a pcap of the suspect traffic.

However, gibberish it aint, just overly terse. Everything he's said is technically consistent with a rootkit on a UNIX box and the terminology is correctly used.

I can't convince everybody and i'm not trying to. It's terse because I don't want to give away too much that might make their next attack easier yet still give knowledgeable people an idea where to look on their machine.

It's only gibberish to someone that is ignorant of the technology.

I've run a linux server in corporate environs for over 6 years, run linux on my personal computers since 100 Mhz chips were the latest and greatest, along with a smattering of freeBSD on old Sun workstations.

And i think you are pulling our collective legs.

On second thought, maybe this is all legit. It just popped in mind:
Could it be that they forked your TCP stack, and instead of tunnelling thru the kernel they went straight to the hardware abstraction layer? As you are surely aware, this would enable them to scrub some unused cycles from your graphics card processor rather than your CPU, making things harder to detect. That would certainly explain the stubs, wouldn't it?

:rofl:

You're just a barrel of laughs.

no issues about having extra drives with a fresh copy installed.

It only takes a few minutes to backup my directory and swap drives.

I've been playing this game with the boys for a long time.

box when I get a new Mac.

,...and I have all kinds of shit I've never touched show up.

My system crashed not so long ago. A 'techie' buddy of mine went through everything. He said my activities were being tracked but that wasn't unusual, these days. So, I just figure I am being tracked and there is nothing I can do about it.

Wow. I guess I've slipped into accepting 'big brother', huh. x(

and make them read stuff that will really raise their hackles.

You might even convert one or two.

I have assumed that they will track all I do, read my email, read my posts

Hi agent Mike...

And listen to my conversations

We went through that door back then

you just discovering on your system what I suspect is going on all the time... and just because we post here, we are at a higher risk, since we are freedom loving, constitution loving freaks (from their POV) and a theat to the strenth of the nation.

Your choice, now that you know this for sure, is to live free, or be afraid

Me... if they ultimately win I will pay for it... FUCK HOOVER...

Carry on...

I assumed they have been watching all along.

I just thought others might be interested.

Fuck them.

hell by now they found out I have a new machine... I wonder how long it took them to "crack" it.

It probably has at least one back door built into the OS.

When I'm able to afford it, I'll go MAC, I reckon.

:shrug:

I suppose you could get out the old soldering iron and build a firewall from scratch if you were really, really paranoid, and even that's not going to protect you if someone wants to snoop bad enough.

In the end these huge piles of data they are collecting will probably turn out to be as useless as any other compulsive hoarder's stash.



They'll be so busy sifting through text messages they won't even see the truck that runs them over.

But for all you know this could be the work of some untalented right wing script kiddy who thinks he's defending the United States against libruls.

Edited because I was in a bad mood, but now I'm not. :P

And get a new IP from your carrier. Wouldn't hurt to roll back to Win2000 or XP.
Run a few good spyware programs too (ewidow?).

with the kid sitting down at a computer and saying, "It's a UNIX system! I know this!"

:rofl:

that get their kicks trashing other peoples' boxes.

About 20 years in the can might change their attitude.

Somebody had to say it.

:hi:

:rofl:

:rofl: