security sites for linux?



mikmik
07-07-2004, 03:45 PM
mushroom, anybody, do you know of any security sites for linux?

I am looking for online scans, anti-virus, hacking info, intrusion detection etc.

As far as Windows goes, my situation is completely out of my control here. I can see all kinds of unauthorized activity, but any changes I try to make are overridden by whatever is in my system.

I get BIOS checksum errors


The CMOS (Complementary Metal-Oxide Semiconductor) error message is referring to a battery-backed chip on your motherboard that holds hardware configuration information. This information is ALL important.

Protect this data. If you don't have a program like Norton Utilities or Nuts & Bolts that backs up the CMOS information, you need to print it out or write it down: Enter the PC setup program by pressing Delete or some other key (often noted on screen) early in the boot-up process--before Windows starts loading. Go to each screen of the program and press Print Screen to make a printout, or write down the info.

About that error: Your PC generates the error if it thinks the CMOS information has changed without your having changed it. A virus, a dying battery, or a one-time anomaly can cause this situation.

When you get this error message, you need to restore the CMOS settings. If you have Norton's or Nuts & Bolts' Rescue Disk, reboot from that emergency boot floppy and follow the prompts. If your backup is on paper, you'll have to enter your system's setup program and restore the settings manually. If you don't have a backup, research your system's configuration using printed documentation, or call the vendor.

When you've reentered the information, save your changes and boot your PC. Make sure everything is working properly, then close Windows and turn off your computer. After a few minutes, turn it on again. If the error returns, you've got a dying battery. You'll have to open your PC, find the battery, and replace it--or find a technician to do the job for you. If your battery is soldered on to the motherboard, you'll have to replace the motherboard, too.

Unless you have confidence in your soldering or want to take it to the local Computer Shop

(Computer batteries last about five years.)

If the problem isn't the battery, update your antivirus program and run a scan. Today's motherboards come with new "flashable" BIOS technology. The downside is there is a "block" removed that allows viruses to infect your CMOS/BIOS.

Other things to try if you still have the error.
Check your system files and delete Windows 98 uninstall information if you find either of these. Uninstall unnecessary files.

ROOT DIRECTORY GARBAGE.
In Explorer, go to C:, select View, Details, click the Type header, and use a text editor (like WordPad) to look at files with the extension .txt, .old, .log, .prv, or .---. Chances are they're all deletable. If you regularly back up the Registry, kill System.1st. If you don't dual-boot, delete any .dos files.

It is not my battery or motherboard, everything checks out.

I have to try and get this out using Linux.

How do I know I am 'infiltrated'?
The presence of files like 'msdos.sys' and 'autoexec.bat' in my root. There are all kinds of DOS files in my 'windows' directory like 'xcopy' etc., etc. I don't have a list handy, but there are hundreds.
These are not supposed to be there when I use NTFS.

I am in serious trouble here; I am not even sending emails to anyone for fear of spreading this crap.

Thanks man.

Will.Spencer
07-07-2004, 04:32 PM
mikmik:

I run The Tech FAQ (http://www.tech-faq.com), which is pretty close to what you are looking for.

However, don't look. Really. Don't look.

Instead:
1. Back up your data.
2. Disconnect your system from the Internet.
3. Format your drives.
4. Install your OS and applications from known good sources.
5. Restore your data, but no executables.
6. Secure your network as much as is possible.
7. Secure your OS as much as is possible.
8. Secure your applications as much as is possible.
9. Reconnect your system to the Internet.

When things go that bad, it is effectively impossible to get the system to a known-good state through cleaning. The only appropriate response is to get the machine to a known good state by starting over.

Sorry. :(

Will Spencer, CISSP
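Step 5 above ("restore your data, but no executables") is the step that most often undoes a rebuild: a restore that filters on file extension alone will happily copy back a trojan that was renamed to .jpg. The following is an added example and is not code posted by Will or anyone else in this thread. It walks a backup directory from the Linux side and splits it into a keep list and a skip list, checking both the extension and the first bytes of each file (MZ for Windows PE executables, ELF, and a shebang line). The `make_sample_backup()` tree is constructed here for demonstration and is not anyone's real data; the extension list is illustrative, not exhaustive.

```python
import os
import stat
import tempfile

# Extensions Windows will execute directly or that carry code (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".com", ".scr", ".pif", ".sys", ".cpl", ".ocx", ".msi",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
}

# Leading bytes that identify code regardless of what the file is called.
MAGIC_NUMBERS = [
    (b"MZ", "MZ/PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
]


def exclusion_reason(path: str):
    """Return why a file must not go back onto the rebuilt machine, or None if it looks like plain data."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable extension %s" % ext
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, name in MAGIC_NUMBERS:
        if head.startswith(magic):
            # The name said "data", the content says "code": the renamed-trojan case.
            return "%s (content, despite name)" % name
    if os.name != "nt" and os.stat(path).st_mode & stat.S_IXUSR:
        return "execute permission set"
    return None


def split_restore_set(root: str):
    """Walk a backup tree; return (files safe to restore, [(file, reason) to leave behind])."""
    keep, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = exclusion_reason(full)
            if reason is None:
                keep.append(rel)
            else:
                skip.append((rel, reason))
    return sorted(keep), sorted(skip)


def make_sample_backup() -> str:
    """Constructed sample backup tree for the demonstration (not real user data)."""
    root = tempfile.mkdtemp(prefix="restore-demo-")
    files = {
        "docs/notes.txt": b"meeting notes\n",
        "docs/report.html": b"<html><body>quarterly report</body></html>\n",
        "tools/helper.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "photos/holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # an executable renamed to look like a picture
        "scripts/cleanup": b"#!/bin/sh\nrm -rf /tmp/work\n",
        "photos/real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG header, plain data
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    keep, skip = split_restore_set(make_sample_backup())
    print("restore:", keep)
    for rel, reason in skip:
        print("leave behind: %-20s %s" % (rel, reason))
```

Run it against the real backup directory instead of the sample tree, and copy only the keep list onto the freshly installed machine. The caveat: this catches native executables and scripts, but a document with an embedded macro is still code and passes this filter, so Office files deserve a separate look before they go back.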

mushroom
07-07-2004, 08:13 PM
mushroom, anybody, do you know of any security sites for linux?

I am looking for online scans, anti-virus, hacking info, intrusion detection etc.

Sorry Mike, I keep my M$ machines off the net (from Dec 2001 on) and am not on the lookout for them.

http://www.dshield.org/ will tell you if someone has reported a firewall hit from your IP, but you already know that your machine has been cracked. Their links page may be useful to you.

Intrusion detection info can be found by looking up honey pots. And http://www.sans.org/resources/ has some good info.

http://cipherdyne.org/ has an intrusion detection system that runs on Linux.

wenwilder
07-07-2004, 08:31 PM
Mik I just replied to your other post in this thread (http://www.webproworld.com/viewtopic.php?t=23864). Only because I didn't see this post first. :)

I am behind in posting and it shows!!!


Okay - Linux you said?

I don't care what you use the first program you should always have is...........drum roll please.........

HIJACKTHIS (http://mjc1.com/mirror/hjt/) - Description: HijackThis examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It's up to you to decide what should be removed. Some items are perfectly fine. You should not remove them. Never remove everything. Doing that could leave you with missing items needed to run legitimate programs and add-ins. This Page will help you work with the Experts to clean up your system. For those of you needing instructions on how to Copy and Paste the contents of a text file into a Forum Post, please look at the Table of Contents. A link to the instructions is included.

Packet Defense (http://www.packetdefense.com/) (you have to sign up in order to get to their links, it's a headache!!) has the following information:

Clam Antivirus (http://clamav.elektrapro.com/) - Description: Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.

IP Armor (http://www.luosoft.com/index.htm) - Description: Iparmor will detect and kill both known and unknown trojans. This useful system-tray utility packs a lot of punch and the known virus database can be updated daily. It has a host of tools to help protect you from Internet-borne harm. Upon startup, it scans your memory for trojan-like activity and immediately disables any suspicious tasks and reports its findings. You can restore any system critical files for the next reboot. Iparmor allows you to view all remaining currently active processes, scan currently active ports, and lists those applications that are registered to start when Windows next loads.

PEriscope (http://ntsecurity.nu/) - Description: PEriscope is a PE file inspection tool. For example you can use it as an aid when you are looking for malicious code in files.

AET Network Scanner (http://www.aetdata.com/netscanner/) - Description: AET Network Scanner is a distributed network scanner with five different scan methods. Fast multi threaded TCP port, UDP port, Ping, NetBIOS and Nslookup scanners. Works both as server/client or as a stand alone client. Scan single IPs, IP-ranges or customized lists of IPs. Import lists of IPs and/or ports from file. Save and load scanner sessions to and from file. Innovative GUI with both a tree view and a plain text console to display results. Manage and manipulate scanner results easily in many ways.

Linux Security Auditing Tools (http://usat.sourceforge.net/) - Description: The Linux Security Auditing Tool (LSAT) is a post install security auditor for Linux/Unix. It checks many system configurations and local network settings on the system for common security/config errors and for packages that are not needed. It (for now) works under Linux (x86: Gentoo, RedHat, Debian, Mandrake; Sparc: SunOS (2.x), Redhat sparc, Mandrake Sparc; Apple OS X)

Nessus (http://www.nessus.org/index2.html) - Description: The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner.


They have a ton of downloadable files at Packet Defense. As for online scans, I'm still looking.

I don't know if bitdefender (http://www.bitdefender.com/scan/licence.php) would work or not?

mushroom
07-07-2004, 08:32 PM
Just found this http://sourceforge.net/project/showfiles.php?group_id=99853 a bootable linux CD with
Release Name: insert-1.2.13

Notes:
This is a major new release. The kernel was updated to version 2.4.26. INSERT is now based on KNOPPIX 3.4.
The result is even better hardware support and detection.
The bug with the file system on the image not being readable from Windows OS is fixed. Also other minor issues have been addressed.
Various feature requests have been dealt with.
Support for virus scanning is improved with clamav being updated to the latest version.
Most of the other packages come in newer versions now.

wenwilder
07-07-2004, 08:41 PM
Oops, forgot F-prot (http://www.f-prot.com/download/home_user/)!

They also offer a DOS virus scanner. Not a bad product. Still need more info though, Mik... umm, the next time you're around, that is, lol

mikmik
07-08-2004, 04:19 PM
Oh boy!

Thanks everyone, so much.
I have two hard drives, one for windows and the other for Linux. Exclusively.

However, it may be too late; they were both connected together before, and whatever this is, it migrates instantly and relentlessly.

What I know is that my Windows disk seems to be okay, I have used it to test install on another machine, and everything was perfect.

I have used disk reader utilities to view my MBR and partition information, and even after a clean install on a 'zeroed' disk (low-level formatted), there were already problems.

I tried installing Windows XP without any networking capabilities: no Windows network client, no QoS RSVP packet scheduling, no network logon, TCP/IP...nothing.
Then when the install is done, I boot into safe mode and try to delete the NetMeeting remote and Windows Messenger, and I disable all services that have to do with telephony and all of the above, all the remote registry stuff, everything.

Then I try to edit the registry to stop these from having even a record of existence; I delete reg keys to do with Telephony, DirectAnimation, NetMeeting remote, Run, RunOnce, etc. (I don't delete these ones, just clear them).

I do all this, and I also delete any DOS documents etc.

The problem is that there are already MSDOS.SYS and AUTOEXEC.BAT in my root directory - they should not be there.


Will.Spencer wrote
1. Back up your data.
2. Disconnect your system from the Internet.
3. Format your drives.
4. Install your OS and applications from known good sources.
5. Restore your data, but no executables.
6. Secure your network as much as is possible.
7. Secure your OS as much as is possible.
8. Secure your applications as much as is possible.
9. Reconnect your system to the Internet.



When things go that bad, it is effectively impossible to get the system to a known-good state through cleaning. The only appropriate response is to get the machine to a known good state by starting over.

I have low level formatted my hard drive and done all that.
I think I may have to get a new motherboard!

This is just beyond anything I thought possible.

Wen, I am going to try all that you suggest above as well.

I have been low-level formatting my 'windows' hard drive lol, and it is wiped; the only prob is that the utilities were made with Windows in this state I discuss.

But according to my 'Killdisk' (love that name), every single sector is zero, e.g. 00 00 00 00 etc., all the way through.

I have Norton Internet Security on my motherboard driver disk; I can install that and go from there, but I have tried all this several times before.

The worst is the 'DirectShow' and all the thousands of registry entries that get made through the use of the !BLEEPING buffer overflows. Every entry is preceded by a 'query', a not found, a buffer overflow, a 'privilege' or credential write, then the entry is written to the registry.
(I am using RegMon from SysInternals)
This happens sometimes hundreds of times each second, even while I have NOTHING running....just sitting idle.

My hard drive light is always flashing on and off, and I have indexing turned off, everything I can do without completely disabling my system.

Another relentless entry that I cannot get rid of, is the Webfolders.

Did I mention that I also go into 'Add/Remove' Windows components and uninstall all this Netmeeting remote etc?

I am almost sure that I need to buy new hardware.

But I don't know enough about all this.

I just feel kind of stupid, that is how I am beginning to feel, helpless. Sorry, but it is taking its toll.

It is a logistical nightmare, there are so many things going on at once.

But i will not quit, and all your support means much.

I will let you know how it goes.
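Two of the checks mikmik describes in the post above (reading the MBR and partition table, and confirming that a wiped disk really is all zeros) can be done from the Linux side without trusting any Windows utility. The following is an added example, not code posted by anyone in this thread. It decodes the first sector of a disk or image (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and streams the rest looking for the first nonzero byte. The `build_sample_mbr()` sector is constructed here for demonstration; the device name `/dev/hda` in the usage note is an assumption for a 2004-era IDE disk.

```python
import io
import struct
import sys

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446

# A few well-known MBR partition type IDs, for readable reports.
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR: boot code, four partition entries, boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0 and lba_start == 0 and n_sectors == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_all_zero": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": partitions,
    }


def first_nonzero_offset(fileobj, chunk_size: int = 1 << 20):
    """Stream a device or image; return the offset of the first nonzero byte, or None if all zero."""
    offset = 0
    while True:
        buf = fileobj.read(chunk_size)
        if not buf:
            return None
        stripped = buf.lstrip(b"\x00")
        if stripped:
            return offset + (len(buf) - len(stripped))
        offset += len(buf)


def first_nonzero_in_bytes(data: bytes):
    return first_nonzero_offset(io.BytesIO(data))


def build_sample_mbr() -> bytes:
    """Constructed sample: zero boot code plus one bootable NTFS partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    return b"\x00" * PARTITION_TABLE_OFFSET + entry + b"\x00" * 48 + MBR_SIGNATURE


def report(path: str) -> None:
    """Print what the first sector of a device or image says, then whether anything on it is nonzero."""
    with open(path, "rb") as f:
        mbr = parse_mbr(f.read(SECTOR_SIZE))
        f.seek(0)
        first = first_nonzero_offset(f)
    print("boot signature 55AA present:", mbr["signature_ok"])
    print("boot code all zero:", mbr["boot_code_all_zero"])
    for p in mbr["partitions"]:
        print("  slot %d %s type 0x%02x (%s) start LBA %d, %d sectors" % (
            p["slot"], "*" if p["bootable"] else " ", p["type"], p["type_name"],
            p["lba_start"], p["sectors"]))
    print("first nonzero byte:", "none, disk is all zeros" if first is None else "offset %d" % first)


if __name__ == "__main__":
    report(sys.argv[1])
```

Run as root from the live CD, e.g. `python3 mbr_check.py /dev/hda` (device name assumed). A disk that has genuinely been zeroed reports no boot signature, no partition entries and no nonzero byte; if those show up before any installer has touched the disk, something wrote them, and the tool that did the wiping or the machine that ran it is the thing to doubt, not the disk.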

mushroom
07-08-2004, 09:19 PM
I am almost sure that I need to buy new hardware.

If you do, don't throw the old stuff away; turn it into a Linux-only box.