
Willing to pay for someone to get me through this monster RAT/hacker

Status
Not open for further replies.
For the most part I concur with David @KGIII above.



The OP is not from the USA but I am not at liberty to say from where he is.

I note the OP has said



and that is in reference to the following (brought to my attention by a Member, thank you)

https://forum.xda-developers.com/t/hello-all-kind-of-heavy-first-post.4568145/

and here

https://www.linuxquestions.org/questions/linux-newbie-8/first-question-not-a-small-one-4175723333/

and here

https://www.linuxquestions.org/questions/linux-newbie-8/urgent-help-needed-4175723450/

although I note that one of those has since been closed by the forum concerned.

To that end, and in addition to the advice posted above, I would, if it were me

  1. Contact the cyber crime authorities in my state or nation and ask what I can do
  2. Subject to their advice, contact a cyber professional who can clean my systems and implement safeguards for the future.
I also note he said elsewhere that he may lose his job over this, and that is something only he can weigh up.

Chris Turner
wizardfromoz
It's rather crazy, but my work is somewhat related to what you want me to contact. It's out of the question unfortunately, and so is any sort of police unless I want to make things worse for myself. This whole thing has been extremely suspicious from the get-go because I know this trojan or whatever it is exists on my work laptop too, but I've been told not to worry about it and that the security department has everything under control, that Sophos hasn't registered anything strange etc.

So I don't care or worry about it on my work laptop, but when it has infiltrated and invaded my own privacy, I cannot do anything but worry. I did not want to go on sick leave to sort this so I took a 2 week vacation, and this is my final week.
 


I've done a full crypto sanitizer wipe this morning on my NVMe SSD
Do you have a SED Drive (Self-Encrypting Drive)? Because that is the only drive I know of that can use crypto sanitizer, which requires a key or drive access password by using the OneFS key manager process. This password is used each time the drive is accessed by the node. Without the password, the drive is completely inaccessible.
 
I have been reluctant to get involved in this thread, because there is so much that we do not know. We do not know anything about the network configuration and the devices on the network. We do not know which devices are infected, nor the nature of the infection on each device.

I see people here jumping to conclusions and recommending solutions from an incomplete understanding of what may be happening. If the malware is in the firmware of an infected device, then it will persist through drive wipes or replacements. (To be clear, we do not know what we are dealing with here.)

One of the first things that is needed is a trusted, secure connection to the internet from a trusted, secure device ... and you need to be sure that they will stay trusted and secure. After that, you can begin to deal with device issues, always making sure that you won't re-infect your good network or known safe devices.

Without more information and a better understanding of @Mikez77's situation, it would be difficult to coach him through fixing his issues, which seem extensive and complex.
 
I know it is not in the firmware, or rather began in it, but I do know that the hacker was able to manipulate and control my firmware. I saw files of that he had signed (I did not even know I had an UEFI firmware to begin with) the latest .fd files in a package from windows catalogue along with a .cat file, to install/manipulate the UEFI in his EFIVARS kernel.
So it definitely looks like this was more of a remote hacker team (I say team because I was sometimes awake 35 hours straight and they were manually operating against me for the entire period)
It seems I am safe so far, I read that the /cow and what I have now is actually coming from my USB drive.

Sphen is correct, it is extreme and extensive. This is why I offered payment as an incentive, because I believe(d) that it would take real effort and a couple of hours from a person to actually help me, rather than just one or two suggestions based on the information I wrote.
Either way, I'm trying to get Etcher working now. I want to burn a completely new Windows installation to my physically read-only USB, the Kanguru USB, and install from that.
If it comes back, I'm just physically removing every WAN/WiFi card from every device in my home.
 
I agree that a secure connection to the internet from a trusted, secure device is needed.
Without that OP can't really get into the modem/router safely.

The advice that Lord Boltar has given is good, correct and makes perfect sense.
 
If the wireless network interface card is attached to the motherboard you will have to use a soldering tool to remove it and have to be extremely careful not to damage the mobo or any of the other components.

 
I almost got him purged once, I believe, when I executed this right after a Windows installation. It made me think I was safe for a while due to how long it took him, compared to normally, to get in and wreck me. After that, every time I tried to click the final button of that software at the end, it would hang, like some sort of hook or injection to its executing.
 
Do you have a SED Drive (Self-Encrypting Drive)? Because that is the only drive I know of that can use crypto sanitizer, which requires a key or drive access password by using the OneFS key manager process. This password is used each time the drive is accessed by the node. Without the password, the drive is completely inaccessible.
I don't believe so, but crypto sanitize was supported when I checked. It's an NVMe SSD from Seagate. I used the nvme-cli to check and sanitize, and performed the crypto sanitize since he used LUKS a lot. I don't know if it's related or not, I just wanted the heaviest sanitizing possible.
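
Added example, not part of any post in this thread: an NVMe controller reports which sanitize actions it supports in the SANICAP field of its Identify Controller data, and records the outcome of the last sanitize in the SSTAT field of its sanitize status log, so both can be checked on the drive rather than assumed. The Python sketch below decodes those two fields from text output of the kind `nvme id-ctrl` and `nvme sanitize-log` print; the sample output and the exact `name : value` line layout are constructed assumptions.

```python
import re

# SANICAP bits 2:0 (Identify Controller): which sanitize actions are supported.
SANICAP_BITS = {0: "crypto_erase", 1: "block_erase", 2: "overwrite"}
# SSTAT bits 2:0 (Sanitize Status log page): state of the most recent sanitize.
SSTAT_STATES = {
    0: "never sanitized",
    1: "last sanitize completed successfully",
    2: "sanitize in progress",
    3: "last sanitize failed",
    4: "completed successfully, no deallocation",
}

def _field(text, name):
    """Return the integer following 'name ... : value' (hex or decimal), or None."""
    m = re.search(rf"{re.escape(name)}[^:\n]*:\s*(0x[0-9a-fA-F]+|\d+)",
                  text, re.IGNORECASE)
    if not m:
        return None
    value = m.group(1)
    return int(value, 16) if value.lower().startswith("0x") else int(value)

def sanitize_support(id_ctrl_text):
    """Decode the supported sanitize actions from an Identify Controller dump."""
    sanicap = _field(id_ctrl_text, "sanicap")
    if sanicap is None:
        raise ValueError("no sanicap field in input")
    return {name: bool((sanicap >> bit) & 1) for bit, name in SANICAP_BITS.items()}

def sanitize_result(log_text):
    """Decode the last sanitize outcome from a sanitize status log dump."""
    sstat = _field(log_text, "SSTAT")
    if sstat is None:
        raise ValueError("no SSTAT field in input")
    return {
        "state": SSTAT_STATES.get(sstat & 0x7, "reserved"),
        # Bit 8: no user data has been written since the last successful sanitize.
        "global_data_erased": bool((sstat >> 8) & 1),
    }

# Constructed sample output (not captured from the drive discussed in the thread).
SAMPLE_ID_CTRL = "fna       : 0\nsanicap   : 0x3\nhmminds   : 0\n"
SAMPLE_LOG = ("Sanitize Progress      (SPROG) :  65535\n"
              "Sanitize Status        (SSTAT) :  0x101\n")

if __name__ == "__main__":
    print(sanitize_support(SAMPLE_ID_CTRL))
    print(sanitize_result(SAMPLE_LOG))
```

A cleared `global_data_erased` bit after a successful sanitize means something has written to the drive since, which is expected once an operating system has been reinstalled.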
 
The original question still hasn't been answered:-
How did this happen in the first place?
Yes, I guess I can go in a bit on that now that I seem to have purged him. I was about to flip a table when my desperation was met with irrelevant (to my problem) questions and demands for proof. Plus you have contributed with serious answers.
I cannot go into details because of the sensitivity tied to my work. I can say that once, I believe, one of them forgot to spoof the MAC, and I had like 15 different IP collecting apps and MAC identifiers to find out what was going on.

During this I also found that the biggest ISP in my country has been delivering a router to about 200 000 people with the biggest security hole EVER. One of them being there was a login and password that even had higher permissions than the ISP support people who would remote in to you to assist with router issues. The guy I talked to had worked there 15 years and was in disbelief when I showed him the security holes, about 10 of them, all equal to or more serious than the one I mentioned. He could not believe it even though he was looking at it and had to call the highest of the bosses there for a meeting. I was dismissed quickly with a promise of a new router, and I got a new one, almost as shitty as the first one, same brand, one upgrade (Wifi L2 instead of Wifi L1, same shitty Compal Networks).

That doesn't have much to do with this though, it's just a finding. This guy had been on my phone for a year at least, I noticed. I saw pics of myself when I was asleep, because I sleep near my phone having some light music on, and much more. I noticed it when I started checking permissions, seeing apps like Notes etc. having 200 permissions and could basically turn the phone on even when shut off and insane things like that.
Anyway, back to the MAC spoofing.

It led me to something that would make sense in a way, but I have not dared confront them and I'm hesitant about linking, so I will just say this: google pe····a.io
The masked part is "nter".

Which would also make perfect sense with what I work with, but this is just guesswork that I can't back up with more than that one time MAC address that led straight to that building, basically.

It would however not explain why my work would not 1) replace my equipment, as I stated, and could prove, this was related to work and that work machines have this on them right now
2) would rather see me suffer more and take a sick leave, go see a psychiatrist if needed, they would pay for all of that etc., and I said, dollar-wise, it is at least 5 times cheaper to simply buy me a new laptop, phone and a good router. Since I work a lot from home too, it should also be in your best interest that my environment online is safe, which it obviously isn't now.


They brought up company policy as an excuse. My closest boss, who I have known for almost 4 years now, before we were bought up by this US company, when this started, also reacted in a way that makes me unable to trust him again ever. He would not talk about the virus; if I mentioned it, he would get in a bad mood etc.


I don't know, I was definitely left alone with this, and I said I have no choice but to go to the police if I can't sort it. He said do that, and you might as well look for a new job, plus you will get blacklisted on the job market. That was said on Skype, with Skype history logged and everything, that is downloadable from Skype's website.
 
Also, I have been at the shared garbage basement, ice cold, with no possible connection anywhere, along with some fruit, jacket, hat and 20 USB sticks. I was there all night once and an old lady came down at 5 in the morning and got so scared, haha. Poor lady, I definitely looked like I was hacking people from that place to the ones who don't know much about computers.
 
Also, when I was doing Windows only, some apps were able to just log straight in to his virtual environment. He was using Linux, Windows NT, Windows 8 I believe. I was using this PassFab FixWin or something, and I could mess up stuff there and download bootable stuff to burn with Rufus without him exchanging contents on them and messing me up like he was having fun. At some points he would make it so my installation could only pick Russian, so I had to install it in Russian and guess my way through Windows. Might sound like fun, maybe chuckled once or twice, but overall, I've gotten on average 4 hours of sleep a night if not less, for a month, which perhaps explains my aggressive tones in the previous threads the admin here linked.
 
Really & truly, why should this individual be targeting you? Doesn't make sense.

Y'know, there's a quick, simple solution to all this.....though it's pretty drastic, and I'm quite sure you don't wish to go down this route.

Shut your computers and phone down, disconnect from the web, chuck the 'puters, phone & router in the trash and never, EVER go online again.

(I said it was drastic, right..? And probably not at all helpful. But it's undeniably a solution..!!)


Mike. o_O
 
I have been reluctant to get involved in this thread, because there is so much that we do not know. We do not know anything about the network configuration and the devices on the network. We do not know which devices are infected, nor the nature of the infection on each device.

I see people here jumping to conclusions and recommending solutions from an incomplete understanding of what may be happening. If the malware is in the firmware of an infected device, then it will persist through drive wipes or replacements. (To be clear, we do not know what we are dealing with here.)

One of the first things that is needed is a trusted, secure connection to the internet from a trusted, secure device ... and you need to be sure that they will stay trusted and secure. After that, you can begin to deal with device issues, always making sure that you won't re-infect your good network or known safe devices.

Without more information and a better understanding of @Mikez77's situation, it would be difficult to coach him through fixing his issues, which seem extensive and complex.
EVERYONE: Please read my post #23 above, which I quoted here ^^^^. Since I posted it, nothing has changed:
  • We do not understand the network configuration or the states of the devices on the network.
  • We do not understand what is happening on the infected device(s).
  • The OP posted many anecdotes (stories).
    • The anecdotes are not organized. They are confusing and do not clarify the situation or answer basic questions.
    • They did not post any practical information that troubleshooters could use to understand the state of the network or infected devices.
  • Some people continue to offer advice.
    • Some of the advice does not make sense to me.
    • Some of the advice is very drastic, such as using a soldering iron to remove the network interface card from the motherboard. In my opinion, this is poor advice, especially considering the lack of a proper diagnosis or basic troubleshooting.
The obvious communications issues demonstrated in this thread make it impractical to assist Mike from Linux.org. Even if we could overcome the communications issues, I question whether it is possible for both sides (Linux.org and Mike) to team up and follow troubleshooting procedures in the systematic way that is necessary to achieve a positive outcome. So far, this thread has shown me clear evidence that it is not likely, and I doubt it can change.

In my opinion, @Mikez77 must find a local expert to assist him, someone who can troubleshoot the problems in a systematic way and give Mike good, practical security advice.
 
The more I read it, the more this whole thing just doesn't add up, y'know?

Is it just me, or does the entire scenario smell just ever so slightly "fishy"?

The OP has been made aware that there's no way we can help - at all! - without specifics.

  • Conveniently, the OP can't be more forthcoming because of the "extremely sensitive" nature of his work, BUT...
  • He's happily discussing his "problem" with complete strangers, whom he doesn't know the first thing about, on a totally random website..! NOT what I would call "wise".

Call me cynical - or insensitive, if ya like - but a little voice in the back of my head is slowly, but steadily, chanting "Troll....troll....troll...."

Huh.

(shrug)


Mike. :(
 
I maintain

Subject to their advice, contact a cyber professional who can clean my systems and implement safeguards for the future.

The below
It seems I am safe so far, I read that the /cow and what I have now is actually coming from my USB drive.

I believe answers

/cow
copy on write

running from a live version....not installed

I think we have done all we can do.

I am closing this Thread.

Chris Turner
wizardfromoz
 