01-07-2012
Join Date: Jan 2012
Last Activity: 7 January 2012, 12:56 AM EST
Posts: 1
Strange system activity no matter what I try
When I choose to encrypt my drive during a Linux install, it encrypts it, but I receive errors in dmesg and in ~/.xsession-errors during use. The first error is in dmesg, where it sometimes shows errors writing to the encrypted device. The second error is in ~/.xsession-errors, with an error about writing to a cleartext device.

With the above errors noted, I've also discovered some strange events:
1. gvfsd-burn running with several instances while I'm not using any burning application
2. The .gvfs directory shows up in the ls -l result with question marks. I googled it and was told to enter fusermount -u .gvfs and log out and log back in, but this event occurs again. I don't know why it's doing this.
3. When backing up a large amount of files to an external drive, I receive a nautilus popup saying a file has changed, would I like to replace it, when I haven't changed any of the files. Who is doing the changing?
4. The hard disk drive light flashes on and off with a second or two between the flickers. Running top and lsof, and checking logs, I can't find anything causing this activity.
5. Running unhide, which installs with rkhunter, shows several ports open when I'm not using them. I've firewalled most outgoing ports; nothing is listed as using any of these hidden ports.
6. Chkrootkit shows tty7 gnome desktop as being hidden from wtmp.
7. Console-kit-daemon runs several times, cannot pin down why this is.
8. Rkhunter and chkrootkit scans come out as clean, no rootkits or problems found, other than #6 from chkrootkit. What is recommended? It sounds like a rootkit is installed, and when I check binaries with the chkrootkit -x command some of the strings sound weird; some binaries contain "mmap, mmove, fork, shell, shell always, fake, anonymous" and more. I've wiped the drive and installed several times, and these problems continue regardless of my efforts.
When I examined my wiped HDD from an "ultimate boot cd" disk utility, I saw a garbled message followed by "virus detected!" "booting hd1". I wasn't sure if a bad burn of the ubcd was placing it there, or if my BIOS is infected and is the source of the constant re-infection. I scanned my HDD with an antivirus and it discovered that memtest+ in a kernel directory was infected, but it didn't elaborate. Even when I install the disk without encryption, the HDD light flashes constantly, like someone is doing something, but no extra programs are running except a gnome desktop.

I've even tried smaller window managers, but the disk keeps being accessed. I'm guessing whatever is running has poisoned certain binaries like ls, ps, who, last, and so on. What is recommended in this condition? Any tips on what could be happening?
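The post above worries that tools like ls, ps and netstat may themselves be trojaned, and that unhide reports ports nobody admits to. The script below is an added example (not from the poster, and not how unhide works internally): it takes the list of listening TCP ports straight from the kernel's /proc/net/tcp text, which a userland rootkit that merely wraps or patches binaries cannot easily alter, and diffs it against what the `ss` binary prints. A port present in /proc but missing from `ss` is a concrete lead. It assumes a Linux /proc layout and the iproute2 `ss` tool; the sample /proc/net/tcp contents used for the self-check are constructed.

```shell
#!/bin/sh
# Added example: cross-check listening TCP ports from /proc against `ss`.
# Assumes Linux /proc/net/tcp format and iproute2 `ss` (both assumptions).

# Print listening ports (decimal, one per line, sorted, unique) from a file
# in /proc/net/tcp format. Column 2 is "HEXIP:HEXPORT", column 4 is the
# socket state; 0A is TCP_LISTEN. The header line (NR == 1) is skipped.
listen_ports_from_proc() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hexport; do
        printf '%d\n' "0x$hexport"   # hex port -> decimal
    done | sort -n -u
}

# Listening ports as the `ss` binary reports them. With `ss -ltn` the
# fourth column is the local address, e.g. "0.0.0.0:22" or "[::]:22";
# everything up to the last colon is stripped to leave the port.
listen_ports_from_ss() {
    ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | sed 's/.*://' |
    sort -n -u
}

# Given two files of sorted port lists, print ports in the first (the
# kernel's view) that are absent from the second (the tool's view).
hidden_ports() {
    comm -23 "$1" "$2"
}

# Live check: compare /proc/net/tcp and /proc/net/tcp6 against `ss`.
# Exit status 1 if any port is listening per /proc but unreported by ss.
report() {
    kern=$(mktemp) tool=$(mktemp)
    { [ -r /proc/net/tcp ]  && listen_ports_from_proc /proc/net/tcp
      [ -r /proc/net/tcp6 ] && listen_ports_from_proc /proc/net/tcp6
    } | sort -n -u > "$kern"
    listen_ports_from_ss > "$tool"
    missing=$(hidden_ports "$kern" "$tool")
    rm -f "$kern" "$tool"
    if [ -n "$missing" ]; then
        printf 'Listening per /proc but not shown by ss:\n%s\n' "$missing"
        return 1
    fi
    echo "No discrepancy between /proc/net/tcp* and ss."
}

# Run the live comparison only when asked, e.g.: sh portcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    report
fi
```

Run it as root so `ss` can see every socket owner; a difference that survives a reboot from known-good media points at the installed system, while one that disappears there says more about the running kernel or its modules, which this userland check cannot inspect.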