Troubleshooting my malware infestation

Rev. 0

** Warning **

This is a very lengthy topic directed toward the need for support in removal of a very complicated malware infestation/hack. To help avoid any confusion and assist readers when searching for similar issues, I have broken the post up into sections which are accessible via the drop-down style menus as advised by the Ubuntu-Mate Community administration prior to writing this post. I would also like to take a moment to say thank you for the help received thus far and for continued assistance, as this type of topic extends beyond the normal boundaries of support offered by this forum. I hope my search for a solution to this problem ends here. I will try to keep a revision log at the end of the post for any changes I make, indicating the current revision level at the beginning of the post.

Problem:

I am currently running Ubuntu-Mate 19.04, which is heavily infected with malware. I also have several other devices infected with the same or similar malware/installed back-doors. This malware is undetectable by traditional anti-virus engines and irremovable by low-level storage device wiping techniques or by replacing equipment. I suspect the malware to be located in the firmware of the motherboard or possibly other components, such as third-party graphics cards, networking adapters, routers, modem, keyboard, etc., but I lack the tool-sets and training to thoroughly understand and deal with the issue myself. The malware presence is seen in Ubuntu-Mate among other operating systems. The malware exhibits characteristics of a hypervisor rootkit, worm, and Trojans. I have been battling this problem and looking for help for 2.5 years now, after being turned away by some of the biggest names in the anti-malware industry and by Microsoft (while using Windows 10) after extensively working with their support teams for up to five months, depending on the company.

System Specs & Equipment List

I have (7) PCs (one is a laptop, four are Intel architecture and three are AMD), (1) Raspberry Pi, (2) Android tablets and (2) Android smartphones, which are all infected. The PC I am using as an example for this post is listed below. The networking equipment I have consists of (4) cable modems, (8) routers and (2) switches (only one of each in service). I have one printer which does have networking capabilities and upgradable firmware. I have three smart TVs, two of which I highly suspect of infection. If additional details are needed on the equipment mentioned, I will provide them upon request.

Dell Optiplex 7010
Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
RAM: 8 GB DDR3
Storage: 500 GB HDD, Western Digital Blue
Keyboard/Mouse Combo: Logitech K120 (wired)
Monitor: HP VH240a
Network Adapter: On-board
Graphics Adapter: On-board
Optical Drive: OEM Stock drive

Detailed System Specifications can be found at my PasteBin via the link below.
https://pastebin.com/u/dmabe

Detailed History

In January 2017, the computer I had at the time was getting old and outdated, so I decided to spring for an upgrade. The upgrade was one where I ordered parts and planned on assembling them myself. After placing the order, I decided to start looking for some software that I wanted, namely Blu-Ray burning software.
As tempting as it was to find a pirated version, I decided that may not be the best idea and started looking for a trial sample I could evaluate. After some searching, I found one to try and downloaded it. When I ran the executable file I had downloaded, the trouble began.
Up to that point in time, I had been familiar with some types of malware, having dealt with a couple of virus infections in the past, and wasn't too concerned with the events that were taking place due to the malware I had inadvertently just installed on my old PC. Even if I was not able to remove the malware, I wasn't concerned because the parts for the new PC were on the way.
During the same time frame, I began to notice abnormalities with my mobile phone. It didn't take long before I suspected that it had been hacked and that what was transpiring was due to the presence of another (simultaneous) user. Not quite sure how to deal with the situation, I bluntly approached the user by typing a message in the text box, not hitting send. When I received a reply, my suspicions were confirmed.
There was some crude back-and-forth communication, continuing for nearly a week and a half before I was eventually served with an ultimatum to follow some obscure directions, which I answered promptly and rudely. Shortly after, I heard sounds being emitted from two of my smart televisions, resembling what can only be described as catastrophic electronic failure, leaving one of the two TVs inoperable for approximately one week after. I am still unsure what was done to the televisions but suspect it was to allow for an OTA hack, similar to the Samsung smart TV hack discovered in 2017. However, both televisions of mine which were affected are Sony Bravia televisions and it is unknown to me if they are even susceptible to such a hack. I presume they are.
When the parts for my new PC arrived, I knew I would have to isolate it from any of the older parts and did my best to do that, but after finalizing the changeover with my ISP and new modem, I fired up the new machine and instantly it behaved as if it were under the control of someone/something other than me, and it never behaved much differently thereafter. I would like to make a note here that the most dramatic of the oddities I saw from the new PC at that time seemed to be coming from the optical drive, which I still see as one of the most affected components.
To clarify, what I had purchased when replacing equipment initially included a new PC, wireless keyboard/mouse combo, monitors, web-cam, modem, router, NAS, printer and PC stereo/speaker system*. The only IoT devices that remained in service at the time I made the PC switch were my home stereo receiver, two smart televisions, hand-held GPS, Bluetooth-capable heart-rate monitor/exercise bike, Blu-Ray player, Bluetooth ear buds and mobile smart phones. The only devices which had shown any signs of infection were the televisions and the phones, but none of the devices were connected in any kind of network at the time the new PC was commissioned.

*See the "Equipment Details" section for specific information

Symptoms

The symptoms associated with the malware have dramatically varied over the time frame of infection, almost to the point that it felt as if I were a test sample or this was a trial run for the malware designers. I have used various AV programs which have detected malware in the form of adware, trojans, rootkits, ransomware and worms. Very few AV engines will actually provide detections at all. ClamAV will reliably and consistently provide detections after initial OS installation and thereafter, but no AV I have tried to date has removed the root cause of this problem, and I have tried most every major vendor's version and others.
After OS reinstallation, it takes some time for the malware to really begin to be noticeable, which may be in part because there isn't "malware" initially installed but something else taking place, similar to DNS poisoning, where later down the road I am unknowingly downloading and installing the malware from spoofed/redirected webpages.
What is definitely noticeable is what is being displayed on the command line during the installation, the info on the command line seen during POST, and the log files, showing those and several other error messages.
Other notable symptoms which are not always present are increased network traffic, dysfunctional applications, malware detections, spoofed webpages, abnormal networking configurations, use of virtualization when virtualization shouldn't be present, presence of logical drives/partitions without my creation or instruction to do so, partition changes and many others.
There is an extreme amount of deception at work with this malware, as well as high levels of Bluetooth activity and near-field communication if the capability of the hardware permits. The malware exhibits behavior as if it is on a timer but does not follow a set schedule, and seems to be most active in the evening through the night until approximately 6 a.m. MST.
Although I can't describe them in detail, I have seen in the past several indications that there is a direct tie/connection between the phones and the computers, but I can't factually comment too much more on this without it being considered speculation.
The most notable symptom I see that indicates this malware may have infected the firmware is that after turning off my PC or hard resetting the computer, all but the laptop will immediately turn back on for a brief moment and then turn back off; this happens approximately 95% of the time and the other 5% it doesn't, for unknown reasons. I have seen changes such as the date and time, missing attributes and other altered values/data in the BIOS. When using Windows 10 Pro, I have received error messages stating that the TPM is in a timeout period from defending against dictionary attacks, and with Linux there are errors reported during POST that include TPM errors/bugs, ACPI errors/bugs, tainted kernels or lack thereof in conjunction with kernel panic and booting issues, spoofed OS windows and complete denial of service/use when there is absolutely no rhyme or reason for loss of permissions to perform those given tasks or functions. I have provided a few examples which can be seen by following the link below to my PasteBin, where I've shared the output of a few logs generated by running the fwts-frontend-text, lspci and lsusb applications. The last symptom I will mention for now is believed to be within one of the routers I own, as I have been completely denied access to the settings. I tried several methods to regain access as per the manufacturer's recommended procedures. I momentarily gained access by means of FTPS before being denied again and I have not made any more attempts since.

https://pastebin.com/u/dmabe

My Efforts of Removal

I'm not even sure where to begin with this section, as I have tried nearly everything under the sun I can think of over the past two years, but I will try to highlight the more important efforts in the list below. I have also tried every variation and multiple of each, with similar attempts made using Windows and FreeDOS. I have absolutely no reservations about wiping any of my drives and/or updating/downgrading firmware. I am very willing to try anything suggested, even if I have already done it in the past.

Ubuntu-Mate & Other Flavors

  • Run scans with ClamAV, RK Hunter, CHKRootKit, Dr. Web, ESET Nod32, Sophos, BitDefender, etc., all done with each PC completely isolated and disconnected from the internet, with a hardwired USB mouse and keyboard.
  • Run scans as described above but from a protected environment or offline by using bootable media generated from a clean computer. Bootable media includes CD/DVD optical discs and USB thumb drives, both of which have been 100% new, only being inserted into a clean computer one time before being used to try to disinfect my devices. The USBs have included PNY, SanDisk and Kingston make thumb drives.
  • Run online scans from AV vendors via their cloud services.
  • Storage drive formatting and OS re-installation in normal configurations and partitioning schemes, RAID, network installations, USB thumb drive installs, external storage drive (SSD) installs, etc., both with MBR and GPT formatting, utilizing the Secure Boot and TPM features and also without. The formatting techniques/applications used include but are not limited to fdisk, gdisk, cfdisk, sfdisk, parted, partx, gparted (online and offline), dd, hdparm (trying every available option), REMnux, Active KillDisk, MiniTool Partition Wizard, MBR Wizard and third-party hex editing software, manually altering drive sectors.
  • Updating/upgrading/downgrading/re-installing drivers, BIOS, ME firmware, monitor firmware, mobile phone firmware, smart TV firmware, storage drive firmware and optical drive firmware.
  • I've taken PCs to local repair facilities for repair and also hired professionals to come on site for analysis and repair.
  • Sent a motherboard to ASUS for analysis and talked with the engineers of ASUS and Gigabyte regarding firmware infections, possibilities, detection and removal.
  • Sent a Samsung SSD back to the manufacturer for analysis and repair.
  • Worked with AV companies extensively, such as BitDefender, Malwarebytes, Sophos, SpyHunter, RogueKiller, AVG and many others.
  • Implemented software-based firewalls and also dedicated computers to act as a firewall appliance using Sophos XG.
  • I have replaced every piece of equipment with the exception of RAM, CPU and power supplies, all at once and in intervals, while maintaining isolation to the best of my abilities and knowledge.
  • I brought 5 new PCs into this house, having anything that I own with internet capabilities unplugged, or powered off if it couldn't be unplugged, and had them become infected within 30-60 min of use. DON'T ASK ME HOW OR TELL ME IT ISN'T POSSIBLE.
  • I have had the same experiences as listed above but with mobile smart phones. I have flashed ROMs, changed carriers and replaced components in them as well.
  • I have tried all the above with all the devices connected, too, and again using my phone as a modem to see if it was coming from my ISP, which isn't the case.
  • I have attempted to change every password for every online account I could think of that I had at the time. This was interesting because I actually lost control 2-3 times with my Google account and still see strange things related to Google (mainly with the phones, but something is also going on with the browsers, where there somehow is a component of Chrome mixed in... unsure about what is really happening with this, so I'll leave it alone for now).
  • I have tried many things not listed here, but too many to share. It may be easier, if a particular attempt is in question, to just ask me and I can tell you if it is something I have tried in the past.

Revision History:

Rev 0 - Original Published Post 7/15/2019


Welcome again to the community! Hopefully we can help troubleshoot and end this unfortunate scenario.

Since my response is quite detailed, I've separated questions/suggestions into toggles:

Q1 - Messages appearing during Ubuntu MATE installation

Please could you tell us specifically what the messages say during installation? We'll need to distinguish what messages are harmless and any that are unusual.

I'd advise against uploading images here in case the infection is advanced enough to spread through files/images, so we should avoid that risk. Try https://imgur.com/upload or another image hosting service.


Q2 - Check the DNS and reset the router

Have you tried resetting your router to factory settings? Even without admin access, many consumer routers have a small RESET hole that can be pushed with a paper clip for 10 seconds. Additionally, have you reflashed them with their original and up-to-date firmware?

Obtain admin access and check the DNS settings at a router level. If it's pointing to DNS that isn't your ISP's or a trusted public DNS, then somebody might have changed it and this will be the cause of these continuous phishing attacks. This is especially easy for hackers who manage to get inside your home network if the router's password was set to the default.

Try:

  • Regaining access, possibly by resetting it using a hardware button.
  • Change the DNS to a public one you can trust (see below)
  • Reflash the firmware, but be sure to trust and verify the integrity of the file.
  • Change the router's admin password.
    • If you feel your keystrokes are being watched, disconnect the cable that goes to the Internet (phone line?) and change the password from a live CD.

Here are some public DNS servers you can use:

Owner        Primary DNS   Secondary DNS
CloudFlare   1.1.1.1       1.0.0.1
Google       8.8.8.8       8.8.4.4

You can also set the DNS settings on your devices individually, to ignore the DNS provided by the router. For example, in Ubuntu MATE - you can do this via the Network Connections configuration.

Be sure to re-connect to the network for changes to take effect.


Q3 - Network setup

It might be worth letting us know how your devices connect together and the purpose of the network switch. The switch in particular makes me think it's not a typical home network.

I'd normally think of a typical home network like this:

Wired/Wireless devices ←→ (Wi-Fi) Router (w. integrated modem) ←→ Internet

Some may still have the modem separate to the router:

Wired/Wireless devices ←→ (Wi-Fi) Router ←→ Modem ←→ Internet


Q4 - Log suspicious activity

It might be worth installing Wireshark and analysing for unusual activity across the network to/from the computer (and even USB devices). Leave this running overnight or in the background while you use the internet to collect a log of activity.

sudo apt install wireshark
sudo wireshark

Analysing will get technical, but as a starting point, you can filter for suspicious DNS entries by filtering:

dns

To inspect USB devices, run this prior to opening Wireshark:

sudo modprobe usbmon

Some USB devices can be "noisy" if they continuously poll, but aside from that, what to do with USB analysis goes outside my knowledge.


It sounds like DNS Hijacking could be a possible suspect. The only possible way for a new computer to be infected is if your portal to the Internet has a dodgy road. For example, you could be thinking you're downloading Google Chrome for a new Windows laptop, but it was actually a phishing website that spoofed Google's domain.

We will need to isolate and understand where it's going from. At the moment, it seems any device you connected became infected, so the router/modem should be a starting point. Once we can be sure the router/modem is clean and secured from tampering, it would be safe to start focusing efforts on other devices for any firmware infections and to zero wipe its storage.

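One way to sift the DNS traffic from the Wireshark step above for the two things the reply asks you to look for (a resolver you never configured, and answers that do not make sense). This is an added example, not code from the thread; it assumes the capture was exported with tshark's tab-separated field output and that the devices were pointed directly at the public resolvers in the table, so any other resolver address on the wire needs explaining. The sample capture lines are constructed.

```python
"""Triage DNS traffic exported from a Wireshark capture for hijacking signs.

Added example for this thread (not from the original posts). Assumes the
capture was exported with tshark's default tab-separated field output:

  tshark -r capture.pcap -Y dns -T fields \
      -e ip.src -e ip.dst -e dns.flags.response -e dns.qry.name -e dns.a
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple

# Resolvers deliberately configured on the devices (the reply's table).
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# A public hostname resolving into one of these ranges is implausible and
# a classic indicator of a poisoned or redirected answer.
NON_PUBLIC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


class DnsRecord(NamedTuple):
    src: str
    dst: str
    is_response: bool
    qname: str
    answers: Tuple[str, ...]


def parse_tshark_fields(text: str) -> List[DnsRecord]:
    """Parse tab-separated tshark field output into DnsRecord rows."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Pad so a missing dns.a column (queries, NXDOMAIN) still parses.
        src, dst, resp, qname, answers = (line.split("\t") + [""] * 5)[:5]
        records.append(DnsRecord(
            src, dst,
            resp in ("1", "True", "true"),  # tshark prints 1/0 or True/False
            qname.lower().rstrip("."),
            tuple(a for a in answers.split(",") if a)))  # dns.a joins with ','
    return records


def find_dns_anomalies(records, trusted=TRUSTED_RESOLVERS):
    """Return sorted (kind, qname, detail) findings for the parsed capture."""
    findings = set()
    answers_by_name = {}  # qname -> resolver -> set of A answers
    for r in records:
        # The resolver is the destination of a query or the source of a reply.
        resolver = r.src if r.is_response else r.dst
        if resolver not in trusted:
            findings.add(("untrusted_resolver", r.qname, resolver))
        if not r.is_response:
            continue
        for a in r.answers:
            try:
                if any(ip_address(a) in net for net in NON_PUBLIC):
                    findings.add(("non_public_answer", r.qname, a))
            except ValueError:
                continue  # not an IP literal (CNAME text etc.); ignore
        answers_by_name.setdefault(r.qname, {}).setdefault(
            resolver, set()).update(r.answers)
    # Two resolvers giving completely different answers for the same name is
    # what a redirected resolver looks like when seen next to an honest one.
    for qname, by_resolver in answers_by_name.items():
        sets = [s for s in by_resolver.values() if s]
        if len(sets) > 1 and any(
                s.isdisjoint(t) for s in sets for t in sets if s is not t):
            findings.add(("resolver_disagreement", qname,
                          ",".join(sorted(by_resolver))))
    return sorted(findings)


# Constructed sample in the tshark format above: one host asking two
# resolvers, one of which (198.51.100.53) was never configured by the owner.
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "192.168.1.20\t8.8.8.8\t0\tubuntu-mate.org\t",
    "8.8.8.8\t192.168.1.20\t1\tubuntu-mate.org\t203.0.113.10,203.0.113.11",
    "192.168.1.20\t198.51.100.53\t0\tubuntu-mate.org\t",
    "198.51.100.53\t192.168.1.20\t1\tubuntu-mate.org\t198.51.100.99",
    "192.168.1.20\t1.1.1.1\t0\texample.com\t",
    "1.1.1.1\t192.168.1.20\t1\texample.com\t203.0.113.50",
    "192.168.1.20\t198.51.100.53\t0\texample.com\t",
    "198.51.100.53\t192.168.1.20\t1\texample.com\t192.168.1.1",
])


def triage(text: str):
    """Parse and analyse one tshark export in a single call."""
    return find_dns_anomalies(parse_tshark_fields(text))


if __name__ == "__main__":
    for kind, qname, detail in triage(SAMPLE_TSHARK_OUTPUT):
        print(f"{kind:22} {qname:18} {detail}")
```

Anything reported as untrusted_resolver is an address to trace back to whichever device or DHCP setting handed it out; a resolver_disagreement on a name you download software from is the redirect scenario the reply describes.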

I have had similar issues for almost a decade, so I hear and understand your frustration. I would like to ask a clarifying question: "if traditional antivirus cannot detect this malware, what are the symptoms that lead you to believe you have a malware/infestation hack?" If they are similar to what I have experienced, I may be able to offer some insights - but I'm afraid to say that the solutions are anything but tolerable at best.

EDITED: I found your posting of symptoms and it answers my question.

Welcome to my world, I thought only I held the record for the highest number of installations of various Linux flavors to date! I applaud your writing skills in detailing the lengthy process you have endured, well done. But if my investigations have proven anything regarding my personal experience, then it is that I am the target of some state/bad actors using an NSA style of software, because the level of complexity involved, its complete under-the-radar invisibility to traditional security solutions, and the relentless invasiveness of all my systems cannot be explained otherwise - unless of course you believe in aliens.

So unless you can resolve the "why me??" question, which I am personally at an utter loss to answer, then you are left to find a way to isolate the points of ingress as best you can, develop a strategy that involves a goal that is more oriented towards prioritizing what you can afford to lose, as opposed to "I think I stopped it this time" and continuing down the path of repeated time investment, and keep your most important data and software tools on an isolated machine. Having fresh clean copies of various OSes to reinstall at a moment's notice helps.
The most security-oriented flavours of Linux I've run only seem to slow them down over time for a few days to a week - but they exploit the same holes in all the distros, as revealed in the journal/system logs, and there are MANY of them, which I won't bother to list. The most time-consuming part of an OS reinstall is masking out a fair number of the weak security services each time I do.

If you would like to further investigate HOW this is being done, and it seems your "near field" comments allude to one possible explanation - then may I suggest exploring the subjects of POE in relation to the AC/DC that enters each device - the nature of telephone communications, and a very powerful programming language called "R".

Very interesting infection; I have never heard of such a thing in my life.

  • It does not matter if it is phone hardware, Raspberry hardware, router hardware, PC or laptop hardware, or even TV hardware.
  • It does not matter if it is Android OS, Linux OS, some TV OS (Linux based or whatever it is) or even a router OS (Linux based, ...)

I don't think an infestation like this is possible, unless it is done by some professional / some hacking organization that targets you directly, if you have something special; even then this is a little bit weird.
Maybe your equipment is malfunctioning from a bad power supply in your house... as you don't specify anything concrete regarding symptoms of infection, just that everything is malfunctioning.

It just amazes me; I don't think such a thing is possible under Linux.

Start with a proper router:

  • trash your commercial routers, they are just junk; they only protect you from outside, not from inside, so they can be considered trash for Microsoft Windows home users.
  • replace your router with a professional one, or convert your Raspberry Pi into a professional Linux firewall with iptables and start from there (add of course an external USB Ethernet adapter, so you can split the external network from the local one).
  • use Linux tools on your new router to analyze traffic and what is happening...

@mircea I was concerned that my post may come off to the readers as if there wasn't enough substantial evidence to clearly see that the devices are infected. I have run into this problem many times and with many skeptics, but regardless of belief, the machines are infected. Unfortunately, with this type of infection, it is very difficult to show or prove because there isn't a surefire way of telling to begin with and, believe me, there is an explanation for virtually any instance, which someone could argue to refute infection and be legitimate.
I encourage you and others to take a closer look at the detailed system specifications in my PasteBin, which is the output generated by running the application "System Profiler and Benchmark" offered via the Software Boutique. I think if you look closer at some of the values, you will see they don't make a lot of sense. Pay close attention to anything related to USB, PCI, ACPI, Input Devices, DMI, I/O, IRQ, and DNS/Networking configuration (which I haven't changed from factory default; I only have a router in front of a cable modem).
To comment on your advice with respect to the firewall, I have attempted to implement Sophos XG on a dedicated machine, but it does no good because the machine is also infected and the malware changes things to the point that I lose the functionality of the protection or I lose access to the internet. It is not a misconfiguration on my behalf, as Sophos tech support set this up for me while I was on the phone discussing the issues with them, trying to troubleshoot.

I can't agree with you more about how impossible it seems, and I don't think there is anyone who feels stronger about that than I do. I have a strong background in physics and even some of the things I have experienced have me somewhat puzzled as to what is taking place, but I'm certain it isn't magic; it is something being overlooked on my behalf because I am unaware of this type of backdoor, which is allowing for the persistence if this is not an infection in the firmware as I suspect it is.

@hambone Thank you for your input and compliment. If I may ask, did you find out what the root cause of your problem was and how you eradicated it?

I seriously doubt that any of this is caused by aliens, even if that were to be my belief. No, this has been done out of anger because of what I said to whoever I busted hacking my phone. There is nothing more to it than that, because that IS the only motivation: I'm not rich, I'm not in politics, I don't work for a prestigious high-end company where trade secrets are at stake and I don't have anything of considerable value per se. I don't think this is the NSA either, but who knows, right?
One question for you... Would you please explain just a little more about POE, so I can look into it? I'm not familiar with that acronym. I have found other information with respect to the vertical blanking interval associated with televisions and data transfer, which is now linked directly with VoIP, which I have seen indication is present on my PCs, but I don't use that service. Thanks for the info.

@lah7 I'm not trying to dodge your questions, but before I answer them I would like to share some other information, primarily the results from what you initially wanted me to do... rule out whether this is indeed a firmware infection. I was planning on including this in the original post, but it was quite lengthy and I wanted to get something submitted without spending any more time including too many details and instigating a rabbit chase.
What I did was as you instructed. I removed the storage drive and CMOS battery, disconnected power and shorted the jumper on the MB, gave it some time before replacing the jumper and re-connecting power. After applying voltage, I used a store-purchased (reputable vendor) copy of Ubuntu-Mate v19.04 on optical disc (DVD) and booted the machine, finding the exact same information being displayed during POST as I did with the HDD/SSD connected and infected OS installed. The information I am referring to is the errors in the ACPI BIOS / AML code / ACPI tables etc. I think it may be safe to conclude that this infection is in the firmware. The questions I am still left with, though, are:

  1. Which device's firmware is compromised?
  2. Is more than one device's firmware infected?
  3. Where is the source of infection originating from, or how can I determine that?
  4. Is it realistically possible and probable that whoever has targeted me has the necessary resources, the programming skills, time and money, to create or purchase malware that is effective on multiple devices, made by multiple manufacturers on varying architectures and on varying OSes? To me, that doesn't seem plausible, but let's not discard the possibility just yet. If those conditions are met, there would have to be a very serious motive, I would think; not just some vengeful act over some insults with a random stranger who caught you in the act of a hack. People have better things to do and it usually involves $$... you can almost always count on that. Now, having said that, I can assure you they are not getting that from me. I have just gone through a miserable divorce, losing nearly everything. I haven't been employed for almost the same amount of time that I've endured this problem and, as much as I don't want to say it, my credit right now sucks due to the previous two points.

The way I see it, something is being overlooked and it is probably not as impressive as it seems (which would explain it being overlooked). I know for certain that there is a lot of deception going on and I will try to elaborate on that in a moment. Quite often I get the very distinct impression that this is a hoax and I am chasing my own tail in circles, fighting an infection in a closed system, where that system is my residence and all that is going on within, stays within. I would just about be convinced of this, had I not had problems with accounts being tampered with, blatant evidence of a hacker (I haven't gotten this far in explanation yet), and identity theft with credit cards (which also has affected some other family members who are blindly suffering from this problem too).

I see Google's presence, stronger than ever before any of this transpired. I know they have their hands in almost everything, but what I see appears to be more than that or more than usual. I don't think I'm reading into it too much and I think it is tied in with services offered by Google, but I don't see where a link can be made other than when I log into my Google account from an infected PC, yet problems are evident long before I ever do that, IF I even do log into an account. I see trackers following every move I make online that are related to Google this and Google that. I have the Google Services app and Play Store app downloading immediately after I factory reset my phone and before I ever connect an account, but my ROM is the latest version and the permissions required aren't typical, I don't think, being too weighted with administrative networking access. I wouldn't think it would do that within moments after acquiring internet access, but it does and periodically continues to do that more often than what is normally seen based on past experience.

On top of that, the applications I download are only from the Play Store, yet the same thing takes place with the phone as with the PCs, where it seems that no matter what I download, it is malicious. The applications have this not-so-clear look to them (almost fuzzy) and I see that very same thing with the applications on the PCs. I have seen lots of references to overlays (not sure exactly what that consists of or what normal application it is used in). I have seen where, after installing the OS, some sort of migration takes place as if my install is being transferred to a VM (this is seen in both Windows and Linux but is more predominant with Windows). This is some of what I meant about the deception taking place.

The same deception is seen in a very similar aspect with the phone. I will see my home page completely change within a reboot; customized before and then only partially customized or not at all after. Same thing with the desktops, with wallpaper, icon arrangement and themes on the PCs. I see duplicate users as if the OS I installed has been cloned and relocated, but the original exists with the same usernames and passwords so the information is accessible to both installs. I see permission changes galore and file share creation when I have not created any (primarily seen in Windows but not entirely). In Ubuntu, I see reference to Windows but Windows isn't installed. I've seen reference to Microsoft UEFI encryption keys stored in the TPM but, again, no Windows installation and TPM cleared. I have also seen with the PCs an abnormally high quantity/volume of files/apps associated with audio/video/image files (especially .png format and especially when using Windows) and believe that this is directly related to deception techniques employed to trick the user into forfeiting passwords and other sensitive information.

The list goes on and on with time zone changes to settings changes in the BIOS. I also get the distinct impression some of the time (probably more often than not) that when I think I'm in the BIOS I'm actually not but being deceived that I am, again giving up sensitive information; I believe this to be true based on other things that I see. For example, I will think I'm installed on a GPT partition and booting with UEFI firmware but I will see somewhere later down the road, something else that shows me I'm not booted in a secure environment, like I thought I was and the change seems to take place over a boot cycle.

Just the other night, I was booted to a live USB with Ubuntu and upon inspection of the partition layout of the USB, noticed that there were two partitions on the drive but only having a maximum of a few MB capacity and one of them being empty. I decided to delete the second partition, /dev/sdb2, and then, as if I ruined a magic trick, the sheet fell and several other partitions appeared on the drive. I then saw where there was a folder (among others) located on my primary storage drive, named "sdb2" but in the /home folder if I remember correctly, not the /dev folder.

The number of symbolic and hard links is through the roof on both Windows and Linux as well as the gross file count (enough for 2-4 installs at times with 60,000+ symlinks on a Windows install directly after installation and before booting for the first time (not sure how to get the number with Linux)). I would also like to note that iSCSI is being used, hidden from the user for more deception and trickery as well as for hiding network communications but I don't know enough about the topic to make any more claims than that and will quit here and let what I've written, be digested.

I do believe the user is the weakest link and that hackers take advantage of that, instead of trying to break security and what I've mentioned about deception and how I've seen it deployed in this instance, is genius if you ask me.

There are many things about these PC's I am unsure of or flat out don't know. What I am sure of, but may not be able to prove or explain, is that there is a link between the PC's, television(s), mobile phone and the persistence. I have seen too many things along this journey which have led me to believe this and I hope you can take it at face value and believe me. It's kind of like listening to a conversation in another language that you've had 2-3 semesters of education in... you can't quite speak the language but you certainly get the gist of the conversation without misconstruing the fundamental message that is being conveyed.

POE stands for Power Over Ethernet. But I'm afraid the depth and complexity of the problem really falls into the realm of Certified Engineers. The solutions offered here by people in this group are excellent starting points to begin your learning journey. But the software being utilized against you has been created by multiple teams of the best and the brightest, and it really is a rabbit hole you're going down. You have to balance out the choice of investment of your time educating yourself with this sad fact if you are indeed a victim. It would take VOLUMES to write out what I've logged, tested, proven and observed. I discontinued that route and developed a method of isolating my devices, networks, and any physical or wireless connections and networking hardware between them. Some devices use email only, some browsers only, some only share data between USB or SD card connections, and never see the internet. Multiple backups are a given, as is reinstalling Linux on a semi-regular basis. The logical boolean method of hardware and software testing and solution finding is your task, and when viewed in the correct positive light, there's a learning opportunity of a lifetime in front of you - or the frustration of failure. But from what I've seen in your posts so far, you clearly possess the intelligence. After trying the solutions offered here in the MATE Community, your next option is to tackle the kernel, because that is where the capabilities you are trying to understand are being written to. Understanding GRUB and examining your grub.cfg and what ancient and powerful systems it is capable of loading, and researching those systems' capabilities should lead you to a better understanding of what can be done, and then you can develop methods from there to attempt to tackle them. Patience is going to be your greatest ally, and I wish you the best in your journey.

Well put and even more felt. I believe everything you have stated and have already had many of the same or similar thoughts. Not married anymore and have a lot of time on my hands that could be filled in worse ways than education and research but is it worth the chase and endless frustration? Time will tell I suppose. Thanks again for the heads up, advice and info. I haven't looked at this site's policy regarding exchanging info but I would like to hear more if possible.

10 years ago, you could walk away from computers, credit cards and cellphones. You cannot any longer and still live in the real world. Law enforcement can do very little about it. They are quite aware and admit as much.
Remember it's ok to take short breaks, step away, then return to the task. Otherwise, they have achieved their objective ...

I'm still here :slight_smile:

@dmabe

Can I suggest you post in other Linux forums,
e.g. https://www.linuxquestions.org/questions/linux-security-4/

Good luck

@dmabe my friend
....Software Boutique ... Sophos XG ... Windows 10 ... my friend I think you have messed up the forum, in looking for a Windows 10 support forum ... or maybe you mess up forums and arrive here as a result of being hacked up my friend.

Based on a lot of talk without substance, in the end I am very sure that your problem is technical by nature, and not related to IT equipment, so this is why I recommend to start with Windows 10 Home User Support Forum, is more appropriate than this forum for you...

I don't own this forum, so it's just my opinion that you just don't fit here so well... maybe you should try some support from NASA, maybe you are hacked from outer space... and here on this forum we are not able to deal with this high stuff... good luck my friend...

@dmabe
Somehow I read further down to see another answer of yours. I think you should let down to IT problems, I think you have bigger problems than this, as you mention your divorce, have no income,... I am somehow sorry for you ... you should ask a close friend to help you, as I think you don't see the light...

I also think some administrator on this forum should close this topic, as not relevant for this forum.

@dmabe, I'm sorry to hear about the difficulties in your personal life. As extremely uncommon as this scenario is, I do believe such an infection is technically possible if somebody (in this case, a spiteful hacker) is persistent.

@mircea Our newcomer @dmabe is entitled to have a chance, so I won't close the topic. We may be small in numbers, but we do permit general computing topics in #uncategorized. Nothing says we can't have detailed and in-depth discussions, as long as it's civilised. :+1:

Hours have been invested in this topic already, so it would be unfair to brush it under the carpet. :clear:


Android (with Google Apps), even on freshly installed phones can take their time on the "Just a sec..." screen, that would be normal. The speed of the internet connection can influence that.

What's NOT normal is unknown apps downloading after a factory reset (except if they're part of the ROM, in which case they'll be updating). There's always the option to flash custom recovery (TWRP), wipe /system, /data and /storage and install a custom ROM (like LineageOS or a privacy-optimised ROM) that's supported for your phone, then optionally Open GApps.

It's possible your Android things were "rooted" through exploits, granting somebody superuser access to them. Once they're king of one device, they can start poking with the rest of your home network.

I use a dark theme on my phone, which installs "overlay" apps to accomplish this feature. Not sure if it's the same thing, but overlays might refer to being able to display content over the app, like a fake login screen. :open_mouth: Here's an example:

https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/

I would probably suggest uninstalling app packages that end with .overlay.


On both Windows and Ubuntu MATE?


Definitely zero wiping the entire drive at least 7 times should be on the to-do list. You can do it with Linux's dd or commercial software like DriveScrubber by iolo, of which I have a bootable CD somewhere... it was based on DOS. :smirk:

shred is another tool:


This is where I get lost. Hopefully somebody with more technical knowledge of the low-level aspects of computers can assist you with this.

To me, this sounds tricky, as we could easily be deceived if it is BIOS malware and it did patch up the "BIOS Update" option. If it's that clever, then the only possible way is to flash the BIOS via hardware methods - like JTAG, if the motherboard provides anything like that.

BIOS can just be buggy too. If someone has the same hardware as yours, they could send you their output, to cross-reference.


To summarise, some good troubleshooting starting points:

Software:

  • Post #2 - Check (and change) the DNS Server.
  • Post #2 - What are the error messages during Ubuntu MATE installs?
  • Post #2/#4 - Start analysing the network/USB with Wireshark

Hardware:

  • Post #2 - What's the purpose of the network switch?
    • --> The more complex the network, the more places to hide!
  • Post #3 - Are devices affected by Power Over Ethernet (POE)?
    • --> I've witnessed a network switch destroying brand new Wi-Fi routers as they were POE...
  • Post #4 - Is your power supply clean?
  • Post #7 - Investigate the firmware

I did think of one other tool - nmap can scan the ports of other devices, this might reveal open ports to provide any clue to the protocol used to remotely control devices. zenmap is a GUI interface, available in the :ubuntu_mate: Software Boutique.

Rev. 1 - Added additional notes to reference screen shots uploaded to Imgur.

@mircea I just want to clarify with you and others that have had the same thought based on what I've written, that I am only trying to describe as many issues as possible and explain in as much detail as possible, the entirety of the problem. I have decided I like Linux by far more than Windows and switched to using Ubuntu-Mate, where I still see the same effects of infection. I'm not in the wrong place, but will try to keep the descriptions of problematic events directed towards Ubuntu-Mate.

@aus9 Thank you for the suggestion. I will follow up on that forum.

@lah7 @mdooley :wink: better this time....LOL? Okay, back to your questions. I did forget to share one other visible problem, which I am taking other measures to find out more about but where it directly relates to this topic and I wanted to include it in the details. Please see the images of the hardware tests run after I crashed the PC before, but before it rebooted, which I've uploaded to Imgur as you suggested along with screen shots taken of the scan results (ran while typing this post) from ClamAV. I don't exactly remember what I did to cause the crash, but I was aware of what I was doing at the time and knew that I could expect results of a crash but not permanent or irreparable damage to the OS (not the current install but one of the more recent ones).

Starting from your previous post:

Q1 - Messages appearing during Ubuntu MATE installation

Answer 1: Here are some examples, but not limited to these alone. I have also pasted the entire kernel log to my Paste Bin for additional review.

   Example 1 - Low memory corruption / Base memory trampoline at [(____ptrval____)] / Early checksum verification disabled

Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001396] mtrr_cleanup: can not find optimal value
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001397] please specify mtrr_gran_size/mtrr_chunk_size
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001400] e820: update [mem 0xdb800000-0xffffffff] usable ==> reserved
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001403] last_pfn = 0xdae11 max_arch_pfn = 0x400000000
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009928] check: Scanning 1 areas for low memory corruption
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009930] Base memory trampoline at [(____ptrval____)] 97000 size 24576
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009934] BRK [0x50201000, 0x50201fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009935] BRK [0x50202000, 0x50202fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009936] BRK [0x50203000, 0x50203fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009970] BRK [0x50204000, 0x50204fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009972] BRK [0x50205000, 0x50205fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010157] BRK [0x50206000, 0x50206fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010158] BRK [0x50207000, 0x50207fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010426] BRK [0x50208000, 0x50208fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010531] BRK [0x50209000, 0x50209fff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010626] BRK [0x5020a000, 0x5020afff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010716] BRK [0x5020b000, 0x5020bfff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010818] BRK [0x5020c000, 0x5020cfff] PGTABLE
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010958] RAMDISK: [mem 0x3c3c7000-0x3fffdfff]
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010968] ACPI: Early table checksum verification disabled
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010971] ACPI: RSDP 0x00000000D7FF4000 000024 (v02 DELL  )
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010973] ACPI: XSDT 0x00000000D7FF4080 000084 (v01 DELL   CBX3     01072009 AMI  00010013)
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010978] ACPI: FACP 0x00000000D7FFE270 00010C (v05 DELL   CBX3     01072009 AMI  00010013)
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010983] ACPI: DSDT 0x00000000D7FF4198 00A0D6 (v02 DELL   CBX3     00000022 INTL 20091112)
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010985] ACPI: FACS 0x00000000D97ED080 000040  


  Example 2 - *BAD* gran size....
Total RAM covered: 8126M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001298]  gran_size: 64K 	chunk_size: 64K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001299]  gran_size: 64K 	chunk_size: 128K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001300]  gran_size: 64K 	chunk_size: 256K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001301]  gran_size: 64K 	chunk_size: 512K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001301]  gran_size: 64K 	chunk_size: 1M 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001302]  gran_size: 64K 	chunk_size: 2M 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001303] *BAD*gran_size: 64K 	chunk_size: 4M 	num_reg: 10  	lose cover RAM: -2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001304] *BAD*gran_size: 64K 	chunk_size: 8M 	num_reg: 10  	lose cover RAM: -2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001304] *BAD*gran_size: 64K 	chunk_size: 16M 	num_reg: 10  	lose cover RAM: -8M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001305] *BAD*gran_size: 64K 	chunk_size: 32M 	num_reg: 10  	lose cover RAM: -24M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001306] *BAD*gran_size: 64K 	chunk_size: 64M 	num_reg: 10  	lose cover RAM: -56M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001307] *BAD*gran_size: 64K 	chunk_size: 128M 	num_reg: 10  	lose cover RAM: -112M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001308] *BAD*gran_size: 64K 	chunk_size: 256M 	num_reg: 10  	lose cover RAM: -240M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001308] *BAD*gran_size: 64K 	chunk_size: 512M 	num_reg: 10  	lose cover RAM: -480M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001309] *BAD*gran_size: 64K 	chunk_size: 1G 	num_reg: 10  	lose cover RAM: -448M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001310] *BAD*gran_size: 64K 	chunk_size: 2G 	num_reg: 10  	lose cover RAM: -1472M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001310]  gran_size: 128K 	chunk_size: 128K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001311]  gran_size: 128K 	chunk_size: 256K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001312]  gran_size: 128K 	chunk_size: 512K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001313]  gran_size: 128K 	chunk_size: 1M 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001313]  gran_size: 128K 	chunk_size: 2M 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001314] *BAD*gran_size: 128K 	chunk_size: 4M 	num_reg: 10  	lose cover RAM: -2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001315] *BAD*gran_size: 128K 	chunk_size: 8M 	num_reg: 10  	lose cover RAM: -2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001316] *BAD*gran_size: 128K 	chunk_size: 16M 	num_reg: 10  	lose cover RAM: -8M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001316] *BAD*gran_size: 128K 	chunk_size: 32M 	num_reg: 10  	lose cover RAM: -24M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001317] *BAD*gran_size: 128K 	chunk_size: 64M 	num_reg: 10  	lose cover RAM: -56M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001318] *BAD*gran_size: 128K 	chunk_size: 128M 	num_reg: 10  	lose cover RAM: -112M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001319] *BAD*gran_size: 128K 	chunk_size: 256M 	num_reg: 10  	lose cover RAM: -240M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001319] *BAD*gran_size: 128K 	chunk_size: 512M 	num_reg: 10  	lose cover RAM: -480M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001320] *BAD*gran_size: 128K 	chunk_size: 1G 	num_reg: 10  	lose cover RAM: -448M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001321] *BAD*gran_size: 128K 	chunk_size: 2G 	num_reg: 10  	lose cover RAM: -1472M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001322]  gran_size: 256K 	chunk_size: 256K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001322]  gran_size: 256K 	chunk_size: 512K 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001323]  gran_size: 256K 	chunk_size: 1M 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001324]  gran_size: 256K 	chunk_size: 2M 	num_reg: 10  	lose cover RAM: 2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001324] *BAD*gran_size: 256K 	chunk_size: 4M 	num_reg: 10  	lose cover RAM: -2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001325] *BAD*gran_size: 256K 	chunk_size: 8M 	num_reg: 10  	lose cover RAM: -2M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001326] *BAD*gran_size: 256K 	chunk_size: 16M 	num_reg: 10  	lose cover RAM: -8M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001327] *BAD*gran_size: 256K 	chunk_size: 32M 	num_reg: 10  	lose cover RAM: -24M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001327] *BAD*gran_size: 256K 	chunk_size: 64M 	num_reg: 10  	lose cover RAM: -56M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001328] *BAD*gran_size: 256K 	chunk_size: 128M 	num_reg: 10  	lose cover RAM: -112M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001329] *BAD*gran_size: 256K 	chunk_size: 256M 	num_reg: 10  	lose cover RAM: -240M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001329] *BAD*gran_size: 256K 	chunk_size: 512M 	num_reg: 10  	lose cover RAM: -480M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001330] *BAD*gran_size: 256K 	chunk_size: 1G 	num_reg: 10  	lose cover RAM: -448M
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001331] *BAD*gran_size: 256K 	chunk_size: 2G 	num_reg: 10  	lose cover RAM: -1472M
  

  Example 3 - Embedded 46 pages/cpu @(____ptrval____) / Calgary: Unable to locate Rio Grande table in EBDA - bailing! / x2apic: IRQ remapping doesn't support X2APIC mode

Booting paravirtualized kernel on bare hardware
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.055855] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.055863] random: get_random_bytes called from start_kernel+0x97/0x516 with crng_init=0
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.055869] setup_percpu: NR_CPUS:8192 nr_cpumask_bits:4 nr_cpu_ids:4 nr_node_ids:1
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.056008] percpu: Embedded 46 pages/cpu @(____ptrval____) s151552 r8192 d28672 u524288
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.056014] pcpu-alloc: s151552 r8192 d28672 u524288 alloc=1*2097152
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.056015] pcpu-alloc: [0] 0 1 2 3 
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.056037] Built 1 zonelists, mobility grouping on.  Total pages: 2043849
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.056038] Policy zone: Normal
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.056039] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.0.0-20-generic root=UUID=828893f7-a347-40b4-83fa-ddc4832267c9 ro quiet splash vt.handoff=1
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.059052] Calgary: detecting Calgary via BIOS EBDA area
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.059054] Calgary: Unable to locate Rio Grande table in EBDA - bailing!
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.077467] Memory: 7929772K/8305264K available (14339K kernel code, 2335K rwdata, 4292K rodata, 2576K init, 5204K bss, 375492K reserved, 0K cma-reserved)
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.077566] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.077571] Kernel/User page tables isolation: enabled
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.077584] ftrace: allocating 41550 entries in 163 pages
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.090902] rcu: Hierarchical RCU implementation.
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.090903] rcu: 	RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=4.
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.090904] 	Tasks RCU enabled.
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.090904] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.090905] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093331] NR_IRQS: 524544, nr_irqs: 456, preallocated irqs: 16
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093531] vt handoff: transparent VT on vt#1
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093535] Console: colour dummy device 80x25
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093541] printk: console [tty0] enabled
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093552] ACPI: Core revision 20181213
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093706] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 133484882848 ns
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093716] hpet clockevent registered
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093720] APIC: Switch to symmetric I/O mode setup
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093789] x2apic: IRQ remapping doesn't support X2APIC mode
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.094213] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.113722] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x2e0639ba137, max_idle_ns: 440795300630 ns
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.113732] Calibrating delay loop (skipped), value calculated using timer frequency.. 6385.87 BogoMIPS (lpj=12771748)
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.113734] pid_max: default: 32768 minimum: 301
Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.115938] LSM: Security Framework initializing

https://pastebin.com/u/dmabe

Q2 - Check the DNS and reset the router

Answer 2: Yes, I have verified that all my router settings are correct and I have also changed my DNS to a static address such as 8.8.8.8 and performed hard resets, ensuring the NVRAM is cleared as per the instructions provided by DDWRT. I have also flashed DDWRT firmware in attempts to find a solution but that also did not work. This doesn't seem to do much for me as the networking configuration setup within Ubuntu seems to take precedence over the router settings but I don't know enough about all the different ways that Ubuntu networking can be configured, to manually check and correct issues. I have tried the changes you have shown in the screen shots provided, with no success but continue to make those and other changes religiously on all re-installs.

Q1 to Q2: Does anyone know if a cable modem can be infected and how can you tell if possible? I have concerns this is a possibility but I can't update the firmware myself and the settings are very limited. I have set a password but that is it and resetting it and/or the router do not provide a solution. Neither does replacement of the components as I've done on more than one occasion along with the complete PC replacements.

Q3 - Network setup

Answer 3: The second arrangement is how I have things set up as of now, with the exception of a 4 port switch in front of the router, behind the modem, so I can attach another router (if desired) for other devices I don't want having access to the same LAN the PC(s) are on. I change things up when trying different things but for the most part and for the purposes of this topic, I have it set up as shown in your example but with the 4 port switch in place behind the modem (nothing attached to it).

Q4 - Log suspicious activity

Please see the next post as I exceed the max characters allowed if I include it in this post.

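lah7's suggestion above to cross-reference the BIOS/kernel output with someone who has the same hardware, applied to the kernel-log examples in Answer 1. This is an added example, not code from the thread: it strips the syslog prefix and values that change every boot, then diffs the remaining messages. The "reference" boot lines are constructed.

```python
"""Normalise kernel log lines so two boots (or two machines) can be diffed.

Added example, not code from the thread. Strips the syslog prefix and the
kernel timestamp from each line, replaces values that legitimately differ
between boots (pointer placeholders, hex addresses, UUIDs) with markers,
then reports messages present on only one side. MY_BOOT lines come from
the Answer 1 excerpts above; REFERENCE_BOOT is constructed.
"""
import re

# "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001396] " -> ""
_PREFIX = re.compile(
    r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ kernel: )?"
    r"(?:\[ *\d+\.\d+\] ?)?"
)

# Run-to-run noise that must not be reported as a difference.
_VOLATILE = [
    (re.compile(r"\(____ptrval____\)"), "<ptr>"),      # hashed kernel pointers
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),        # BRK / e820 addresses
    (re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b"), "<uuid>"),
    (re.compile(r"\s+"), " "),                           # tabs and double spaces
]


def normalise(line: str) -> str:
    """Return the message text with prefix and volatile values removed."""
    text = _PREFIX.sub("", line.strip())
    for pattern, marker in _VOLATILE:
        text = pattern.sub(marker, text)
    return text.strip()


def compare_boot_logs(mine, reference):
    """Return (only_in_mine, only_in_reference) as sorted lists.

    Ordering is deliberately ignored: message order shifts with timing
    from boot to boot and is not evidence of anything on its own.
    """
    mine_set = {normalise(line) for line in mine if line.strip()}
    ref_set = {normalise(line) for line in reference if line.strip()}
    return sorted(mine_set - ref_set), sorted(ref_set - mine_set)


# Lines from the thread's Answer 1 excerpts (this machine).
MY_BOOT = [
    "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.001396] mtrr_cleanup: can not find optimal value",
    "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009930] Base memory trampoline at [(____ptrval____)] 97000 size 24576",
    "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.009934] BRK [0x50201000, 0x50201fff] PGTABLE",
    "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.010968] ACPI: Early table checksum verification disabled",
    "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.059054] Calgary: Unable to locate Rio Grande table in EBDA - bailing!",
    "Jul 15 05:25:44 dmabe-OptiPlex-7010 kernel: [    0.093789] x2apic: IRQ remapping doesn't support X2APIC mode",
]

# Constructed reference: same model, another day, different addresses.
REFERENCE_BOOT = [
    "Jul 20 11:02:03 other-OptiPlex-7010 kernel: [    0.001402] mtrr_cleanup: can not find optimal value",
    "Jul 20 11:02:03 other-OptiPlex-7010 kernel: [    0.009912] Base memory trampoline at [(____ptrval____)] 97000 size 24576",
    "Jul 20 11:02:03 other-OptiPlex-7010 kernel: [    0.009940] BRK [0x4f801000, 0x4f801fff] PGTABLE",
    "Jul 20 11:02:03 other-OptiPlex-7010 kernel: [    0.010970] ACPI: Early table checksum verification disabled",
    "Jul 20 11:02:03 other-OptiPlex-7010 kernel: [    0.059060] Calgary: Unable to locate Rio Grande table in EBDA - bailing!",
    "Jul 20 11:02:03 other-OptiPlex-7010 kernel: [    0.077571] Kernel/User page tables isolation: enabled",
]

if __name__ == "__main__":
    mine_only, ref_only = compare_boot_logs(MY_BOOT, REFERENCE_BOOT)
    print("Only in my boot log:")
    for msg in mine_only:
        print("  +", msg)
    print("Only in the reference log:")
    for msg in ref_only:
        print("  -", msg)
```

Lines that differ only in timestamps, hostnames or addresses drop out; what remains is the short list actually worth asking the other owner about.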
@lah7

Q4 - Log suspicious activity (cont.)

Answer 4: I have done this and will have to look for some of the logs I've saved in the past but will begin a new log starting after this post until the next one, where I will share those results. It's been from my experience in the past that not too much out of the "norm" is shown which is one reason I suspected any "odd" traffic is being concealed with iSCSI protocol (still unsure about this theory) or that all this is contained within my home and this is some sort of "tail chasing hoax".
With respect to nmap, I have found odd results when scanning my router IP address in the past, where it has told me that the OS is Android but I can't recall if I saved those results and will look for them too. I just ran a similar scan and posted the results below.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-17 07:57 MDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
Initiating NSE at 07:57
Completed NSE at 07:57, 0.00s elapsed
Initiating ARP Ping Scan at 07:57
Scanning 192.168.2.1 [1 port]
Completed ARP Ping Scan at 07:57, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:57
Completed Parallel DNS resolution of 1 host. at 07:57, 0.06s elapsed
Initiating SYN Stealth Scan at 07:57
Scanning _gateway (192.168.2.1) [1000 ports]
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 53/tcp on 192.168.2.1
Discovered open port 22/tcp on 192.168.2.1
Discovered open port 1900/tcp on 192.168.2.1
Completed SYN Stealth Scan at 07:57, 1.25s elapsed (1000 total ports)
Initiating UDP Scan at 07:57
Scanning _gateway (192.168.2.1) [1000 ports]
Increasing send delay for 192.168.2.1 from 0 to 50 due to max_successful_tryno increase to 5
Increasing send delay for 192.168.2.1 from 50 to 100 due to max_successful_tryno increase to 6
Warning: 192.168.2.1 giving up on port because retransmission cap hit (6).
Increasing send delay for 192.168.2.1 from 100 to 200 due to 11 out of 14 dropped probes since last increase.
UDP Scan Timing: About 9.90% done; ETC: 08:03 (0:04:42 remaining)
Increasing send delay for 192.168.2.1 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.2.1 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 13.31% done; ETC: 08:05 (0:06:37 remaining)
UDP Scan Timing: About 16.49% done; ETC: 08:07 (0:07:41 remaining)
UDP Scan Timing: About 19.46% done; ETC: 08:08 (0:08:21 remaining)
UDP Scan Timing: About 25.57% done; ETC: 08:09 (0:08:56 remaining)
Discovered open port 53/udp on 192.168.2.1
UDP Scan Timing: About 36.69% done; ETC: 08:11 (0:08:19 remaining)
UDP Scan Timing: About 44.06% done; ETC: 08:11 (0:07:38 remaining)
UDP Scan Timing: About 50.50% done; ETC: 08:11 (0:06:56 remaining)
UDP Scan Timing: About 56.34% done; ETC: 08:12 (0:06:13 remaining)
UDP Scan Timing: About 62.17% done; ETC: 08:12 (0:05:27 remaining)
UDP Scan Timing: About 67.70% done; ETC: 08:12 (0:04:42 remaining)
UDP Scan Timing: About 73.23% done; ETC: 08:12 (0:03:56 remaining)
UDP Scan Timing: About 78.44% done; ETC: 08:12 (0:03:12 remaining)
UDP Scan Timing: About 83.83% done; ETC: 08:12 (0:02:25 remaining)
UDP Scan Timing: About 89.14% done; ETC: 08:12 (0:01:38 remaining)
UDP Scan Timing: About 94.17% done; ETC: 08:13 (0:00:53 remaining)
Completed UDP Scan at 08:13, 950.34s elapsed (1000 total ports)
Initiating Service scan at 08:13
Scanning 53 services on _gateway (192.168.2.1)
Service scan Timing: About 11.32% done; ETC: 08:19 (0:04:50 remaining)
Service scan Timing: About 16.98% done; ETC: 08:20 (0:05:37 remaining)
Service scan Timing: About 67.92% done; ETC: 08:16 (0:00:48 remaining)
Service scan Timing: About 77.36% done; ETC: 08:17 (0:00:46 remaining)
Completed Service scan at 08:16, 170.07s elapsed (53 services on 1 host)
Initiating OS detection (try #1) against _gateway (192.168.2.1)
NSE: Script scanning 192.168.2.1.
Initiating NSE at 08:16
Completed NSE at 08:16, 5.49s elapsed
Initiating NSE at 08:16
Completed NSE at 08:16, 2.42s elapsed
Nmap scan report for _gateway (192.168.2.1)
Host is up (0.00036s latency).
Not shown: 1947 closed ports, 48 open|filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey: 
|   1024 REMOVED (DSA)
|_  1040 REMOVED (RSA)
53/tcp   open  tcpwrapped
80/tcp   open  http       ROUTER http admin
| http-methods: 
|_  Supported Methods: GET POST
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
1900/tcp open  upnp       Portable SDK for UPnP devices 1.6.19 (Linux 2.6.36; UPnP 1.0)
53/udp   open  domain     (generic dns response: NOTIMP)
|_dns-recursion: Recursion appears to be enabled
| fingerprint-strings: 
|   DNSVersionBindReq: 
|     version
|     bind
|   NBTStat: 
|     CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|     root-servers
|     nstld
|_    verisign-grs
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.70%I=7%D=7/17%Time=5D2F2D23%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReq,1E,"\0\x06\x81\x82\0\x01\0\0\0\0\0\0\x07version\x04bind\0
SF:\0\x10\0\x03")%r(DNSStatusRequest,C,"\0\0\x90\x04\0\0\0\0\0\0\0\0")%r(N
SF:BTStat,7D,"\x80\xf0\x80\x93\0\x01\0\0\0\x01\0\0\x20CKAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAAAAA\0\0!\0\x01\0\0\x06\0\x01\0\x01Qt\[email protected]\x01a\x0croot-servers\x
SF:03net\0\x05nstld\x0cverisign-grs\x03com\0xX\x96\xd4\0\0\x07\x08\0\0\x03
SF:\x84\0\t:\x80\0\x01Q\x80");
MAC Address: MAC REMOVED (Tp-link Technologies)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.23 - 2.6.38
Uptime guess: 0.341 days (since Wed Jul 17 00:06:00 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; Device: WAP; CPE: cpe:/o:linux:linux_kernel, cpe:/h:tp-link:td-w8968, cpe:/o:linux:linux_kernel:2.6.36

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms _gateway (192.168.2.1)

NSE: Script Post-scanning.
Initiating NSE at 08:16
Completed NSE at 08:16, 0.00s elapsed
Initiating NSE at 08:16
Completed NSE at 08:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1132.72 seconds
           Raw packets sent: 2703 (97.653KB) | Rcvd: 2048 (99.449KB)

@lah7 In reply to your most recent questions, I think I've answered the questions below but if I haven't please let me know.

To answer the remaining questions....

.....I will have to research more on POE to answer. Yes, my power supply is clean, assuming you mean the power coming into the home. Can you elaborate more on what you mean by "investigate" the firmware? I can obtain clean, downloaded firmware from a trusted computer and put it on a new (never used) USB for installation, but I would wait for recommendations on installing it if this is what you mean, because, as you mentioned, the Dell PCs are a bit different. The previous info I supplied with regard to the tests run without the storage drive and CMOS battery installed, after clearing the memory, was from (2) PCs, not just one. The other PC I ran the tests on was my HP Pavilion laptop, and I saw the same results.

I think by mentioning problems associated with the other devices, I have opened a can of worms I didn't want to open here, so we can forget about those devices and I will deal with them separately. I want to clarify again that I am only seeking help from this community for problems directly related to Ubuntu-Mate. The personal issues I mentioned weren't to gain sympathy, but thank you all for offering it nonetheless. I mention my personal problems only to show the lack of motivation for what is/has been done, other than pure vengeance.
@lah7 Thanks for the advice mentioned with respect to the phone; I will look into those items separately.

Do you live in a home, apartment, condo? What is the age of your residence? Everyone ASSUMES their home AC is clean, but you might be surprised if you delve into it...

1 Like

I understand where you're coming from and why you ask. I own an older home which I have remodeled (essentially rebuilt) from the ground up, including replacing the original electrical wiring. The house is older but that has no effect on the incoming power and I am sure of this as I worked for 10+ years as a design engineer for Virginia Transformer and actually was one of the designers for the transformer that is now in service, feeding my home.

2 Likes