Okay, here’s a shit story. I was doing a routine scan with ClamAV feb 4th. Out of nowhere it popped for a trojan. Thought it was a bit weird, probably a false positive. Nope. I discovered a weird .DLL in WINE, not in their repos, not something I installed. listed as .BRM for windows 6. I hashed it and ran it against everything I’d pulled from my .DLL files. No match. I went digging and found the schroot under /run/ I took a look at the properties and the env showed 128.7TB of storage. The program I use with WINE requires network access to authenticate and because it was for audio production, it had access to my filesystem for samples.
Broke out wireshark and confirmed they were exfiltrating data. I always have the camera covered and the Mic disabled, but only through a blacklist. As soon as they saw me, they wiped everything from my home folder, everything that wasn’t a base part of kde was gone. They got my passport, resumes, had just downloaded all my data from google and deleted my accounts. Wedding photos, contact lists, phone numbers, Everything. Immediately unplugged the router, disconnected the modem.
Found the roommate, he uses windows 10. No security updates, no antivirus. Rooted into his machine as well. 7 foreign IPs routing traffic over privoxy, shut down all the ports, airplane mode, took his important data and burned a windows 10 iso. He’s okay now. I’m currently running photorec, foremost and autopsy on an image of my drive trying to get what I can. Reopened a bank account, changed the phone number now I’m paranoid. Network password was stupid easy (not my connection, I don’t own it) and he had it set up so everyone with the password was admin. Every machine in the house is potentially compromised. He had a whole host of web 3.0 bullshit, chinese wifi camera,(probably watching through that) old google home assistant, ps4, xbox, light controls.
We ditched the router, the people I share this place with have no idea what a computer even is and I am trying to explain to them why this is a problem. My synthesiser’s OS is based on montevista linux, I connect it to the laptop all the time. There’s a server farm out there trying to get into insecure connections. I was rooted with 32x linux using a fake .DLL in WINE, he was rooted into by a Windows 10 machine. Of course he uses an admin account for everything. I pulled a shit tonne of persistence off my computer. Cron jobs, Startup scripts for privoxy and schroot, services, grub configuration, SSH keys, User Logins, Key loggers. This is sophisticated enough that they could tailor something on a per machine basis and I never would have found it if I hadn’t been actively looking because since they schroot, none of those processes were available to me to view. I just had a funny feeling the last time I used WINE because the configuration kept updating and it normally only does that if you add a library, or make a change to the program and I hadn’t done that in a month.
I need some help, fellas because I went to the cops and the cybercrime unit stops at “He posted my nudes on Facebook.” This was not intended for me, this is meant to spread across as many machines as possible. ISP in our area recently put in fibre in a bunch of different houses and I’m worried they may be piggy backing our connection off our neighbours. How many people out there are using older versions of android with no security updates? What if they get someone who works in power generation, law enforcement, a nurse on the way to the hospital. It is so bad and I cannot get any one to listen to me. They think I’m a lunatic. Last thing, can you give me some advice on containerising applications in docker, command line docker. I’m not giving a company my personal information to use their stupid GUI and I want to cut this off at the head. No more free access to the file system, every application and all the files I use with them on their own container. How do I build something from source in a leak proof Docker environment? how do I install a web browser with no access to geoclue, date and time or files? Resources, if you can, would be incredibly helpful. I am only doing linux for 2 years as a hobby, this is out of my wheelhouse. Just a blank container with one program, so I can inspect files coming in and out of and decide if something gets access to my home directory or not. stay frosty out there.
Edit: finally figured out how to add pictures to this. You’ll notice the tree from home folder that it’s basically fucking empty. You’ll also see ventoy which I had to have to get my housemate’s stupid ASUS laptop to let me burn Microsoft’s spyware onto it. You’ll also see photorec which is currently digging through all the data left on the disk.img, you’ll also see the output of my first attempt using foremost, which failed because the disk was mounted and live. Here is the audit.txt https://files.catbox.moe/picf4y.txt If you scroll down just a little bit, you will see the poisoned .DLL and the .exe that was hidden in it. Listed as created year 2000 and 1998. I don’t use social media, like at ALL because it’s all poison. Don’t you call me a fucking liar. You have ABSOLUTELY no idea what I have been through in the last 3 days. I have talked to local police, state police, had to img my entire drive and send it to them. I have lost copies of all my personal identification documents, immigration documents, I have had law enforcement visit me repeatedly. THIS IS NOT a fucking joke.
Edit: Christ the way this website handles image hosting, I can’t. 3 days of chainsmoking, talking to cops, reinstalling OSes and explaining to a 45 year old man that your router password cannot be 1love[name of his cat that he posts about on instagram]
Here all the images in one place. Sorry, incredibly stressful period right now, I use GNUicecat and since all of my user settings are gone I don’t know what’s working and what isn’t because I haven’t had 3 hours to sit down and configure it yet:
I need a fucking smoke
Explain to me what the troll is here. I read the entire post. Seems like someone got access to one thing and then tried their hand at others. Easy to do when your first point of access (the router) is setup poorly.
I saw this happen years ago with a collocated Apache web server that the company failed to update Plesk on. Find one doorway and things fall like dominoes. We found hacks that weaved all the way into individual websites.