Tiny Core Linux
Tiny Core Base => TCB Q&A Forum => Topic started by: genju on February 25, 2017, 12:05:51 AM
-
Hi. First of all, I'm not a Linux user; I hope you don't hate me or tell me to delete system32 because of it :p (Joke)
So, I got a Samsung EVO 840 SSD 120GB which I think got infected by a virus, because I started seeing a lot of unknown processes going on, so now I'm trying to fully format it and have already tried different tools.
But I get the message "rebuild fstab --- killed by signal 9".
After googling a little, I've found out that this is related to Tiny Core Linux; is that correct?
The thing is: I never installed Linux, and that's why I think there's something wrong going on here. Besides the weird processes showing up on Linux, I also noticed that Windows shows up as an Activated/Genuine copy even though I didn't activate it yet. All those things combined make me think that this partition is malicious and is set as read-only so it can come back every time, so I need to know how to completely remove this or these partitions.
If anyone can help me out, I will really appreciate it.
Thanks.
edit: sorry if I posted it in the wrong section.
-
But I get the message "rebuild fstab --- killed by signal 9"
In Tiny Core there exists a file called rebuildfstab; this might have led your search engine here.
But while you're at it, you might want to try the dd command to destroy everything on your disk (it doesn't need the drive to be mounted).
Something like this (just to give you a clue) would fill the entire drive sdb (the output file) with zeros (the input file).
dd if=/dev/zero of=/dev/sdb
Don't just run this command! Further googling would be needed.
IIRC, I have heard that SSD drives don't like being written with zeros, so different command options may apply.
You can do this with Tiny Core, or, if it gives you a hard time, any Linux will do.
-
...or you can use the secure-erase extension, which is probably the quickest for an SSD.
...or you can use shred from the coreutils extension (be very careful about using this command): $ sudo shred -vfz -n 10 /dev/sdxy
-
Thanks guys for being so polite and cool helping me :).
Now, I got some questions:
@Misalsf: isn't that exactly what Asus Secure Erase does, though? If so, I can do that from my BIOS.
But: the program that gave me the error was KillDisk, and it was the free version, and it said one pass, all zeros (I can't select another format method because it's the free edition). So I guess both Asus Secure Erase and KillDisk do the same? But Asus Secure Erase didn't show any errors. Do I have to assume that my SSD is good now? The problem is that I already did an Asus Secure Erase 2 weeks ago (I'm fighting against this virus/whatever it is that is infecting my entire network for 2 months now), and then when I used KillDisk today (bootable DVD Linux version) it showed that error anyway.
@juanito: could you link me to that extension or some instructions maybe? For a Windows noob like myself.
Thanks.
edit: Or maybe the Linux version of KillDisk uses Tiny Core and shows that as an error, but not an actual partition?
edit2: It can't be that, though, because according to KillDisk I have 6 partitions whereas Windows only shows 4. Damn, this is looking complicated.
-
These extensions Juanito is mentioning are software packages / applications that you can install on (Tiny) Core Linux from the repository via the Apps browser.
I don't know what KillDisk does.
If you still see the partitioning after you've "KillDisk'ed" your drive, I think KillDisk might not have done enough (i.e. just wiping the data). Malware can hide in the MBR/PBR as well.
-
Ok, where can I start downloading all this? What commands will I need? Can I use a USB?
Sorry for the cringeworthy noob questions.
-
A few questions.
Which version of Windows are you using?
Does it boot by legacy BIOS or UEFI? (it helps determine whether it is MBR or GPT)
Is the partition table MBR or GPT? (if it's MBR, run dd if=/dev/zero of=/dev/sdx bs=440 count=1)
Does any other computer under the same domain have a similar issue? (could be a virus infecting the entire network, considering that you've been fighting for 2 months)
Do you have a spare computer that has a running OS? (preferably Windows, since you're unfamiliar with Linux)
If you end up trying Tiny Core, gparted is a helpful GUI tool for beginners.
-
A few questions.
Which version of Windows are you using?
Does it boot by legacy BIOS or UEFI? (it helps determine whether it is MBR or GPT)
Is the partition table MBR or GPT? (if it's MBR, run dd if=/dev/zero of=/dev/sdx bs=440 count=1)
Does any other computer under the same domain have a similar issue? (could be a virus infecting the entire network, considering that you've been fighting for 2 months)
Do you have a spare computer that has a running OS? (preferably Windows, since you're unfamiliar with Linux)
If you end up trying Tiny Core, gparted is a helpful GUI tool for beginners.
I'm running W10 UEFI.
Yes, it's a virus affecting my whole network; more info here: https://forum.xda-developers.com/g4/help/rootkit-lg-g4-takes-network-remove-t3563103/post71184870#post71184870
People interacted with me on Twitch chat because they could see me through my webcam (I'm not joking). Lots of people subtweeted about it. I could show you via PM in case you think I'm trolling. This is a nightmare.
-
Also a good start with Tiny Core Linux is to read the good book.
That can be downloaded from this URL:
http://tinycorelinux.net/corebook.pdf
-
Hi genju
edit: Or maybe the Linux version of KillDisk uses Tiny Core and shows that as an error, but not an actual partition?
According to the KillDisk website, their Linux console version uses Tiny Core.
edit2: It can't be that, though, because according to KillDisk I have 6 partitions whereas Windows only shows 4. Damn, this is looking complicated.
Computers come with a recovery partition and sometimes a utilities partition. It's possible Windows does not see them where Linux does. It's also possible you have a couple of hidden partitions where your virus keeps its payload.
-
Ok, where can I start downloading all this? What commands will I need? Can I use a USB?
Perhaps the easiest is to burn Tiny Core to CD/DVD and boot from that - you can then use dd/fdisk/shred/secure-erase as you please.
http://www.tinycorelinux.net/7.x/x86/release/TinyCore-7.2.iso
-
Is your disk a solid state disk? If so, I would choose secure-erase. It will wipe the disk in seconds, other methods will take hours.
-
Regarding an SSD, writing zeros (programmed) will harm your SSD. Maybe "harm" is too strong a word, but with zeros an SSD will have reduced write cycles remaining, and the drive's controller will be tasked with a huge maintenance cleaning job before those blocks can be written to again, causing a severe performance hit at best. Writing zeros to an HDD leaves the drive in an empty, clean state. However, the opposite occurs with an SSD, which will be left with all blocks full. These blocks have to be erased before they can be used again; writing 1's (erased) to an SSD is equivalent to writing 0's to an HDD.
Regardless of a modern HDD or SSD, the actions of a secure erase are programmed into the drive's controller, so the correct action will be taken when "Secure Erase" is commanded. Remember not to confuse the "Erase" options of partitioning and format utilities with "Secure Erase", which is totally different.
Look after your SSDs using Secure Erase ONLY. To restore like-new (if possible) performance to an SSD, use ONLY Secure Erase. Unlike Secure Erase for an HDD, which can take hours, the actual Secure Erase of an SSD completes instantaneously since the task is purely electrical. I think it's safe to say all SSD manufacturers provide a Secure Erase utility; however, a Secure Erase extension is available in the repo for this.
With all MLC devices (SSDs, SD cards, USB thumb drives, etc.), use secure erase to restore like-new condition and performance.
Format with a 1MB offset for best write performance. Aligning by 1MB covers a multitude of scenarios; after all, 1MB of space is a small price to pay for performance. Whatever you do, do not align by cylinder mode on an SSD (or any MLC device); even HDDs perform better aligned to 512KB or 1MB rather than to cylinders.
8)
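Added example, not from any poster in this thread: a POSIX shell script that checks two claims made above on a throwaway image file instead of a real disk, so it is safe to run. First, the MBR-only wipe suggested in the question list (dd if=/dev/zero of=/dev/sdx bs=440 count=1) zeroes just the boot code and leaves the disk signature, partition entries and 0x55AA marker in place. Second, a partition starting at sector 2048 is 1 MB aligned while the old cylinder-style start at sector 63 is not. The MBR offsets are the standard layout; the image contents (NOP boot code, a made-up disk signature, one partition entry) are constructed for the demo, and conv=notrunc appears only because the target is a regular file.

```shell
#!/bin/sh
# Added example (not from the thread). Operates on an image file, never a device.
# MBR layout: 0..439 boot code, 440..443 disk signature, 446..509 four 16-byte
# partition entries, 510..511 the 0x55AA boot signature.

# Dump LEN bytes at offset OFF of FILE as one lowercase hex string.
hexat() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }

# Emit a 32-bit value as four little-endian raw bytes.
le32() {
    v=$1
    printf "$(printf '\\%03o\\%03o\\%03o\\%03o' $((v & 255)) $(((v >> 8) & 255)) \
        $(((v >> 16) & 255)) $(((v >> 24) & 255)))"
}

# Build a 4 KiB image holding a classic MBR whose first partition starts at
# sector $2. Boot code is 440 NOP bytes; the disk signature is a made-up value.
make_mbr_image() {
    img=$1; start=$2
    dd if=/dev/zero of="$img" bs=512 count=8 2>/dev/null
    { i=0; while [ "$i" -lt 440 ]; do printf '\220'; i=$((i + 1)); done; } \
        | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    printf '\336\255\276\357' | dd of="$img" bs=1 seek=440 conv=notrunc 2>/dev/null
    # entry 1: bootable (0x80), CHS fields zero, type 0x83, start LBA, 2048 sectors
    { printf '\200\000\000\000\203\000\000\000'; le32 "$start"; le32 2048; } \
        | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# The wipe from the thread, aimed at the image: zero only the first 440 bytes.
# conv=notrunc keeps the file at full size; a block device would not need it.
wipe_bootcode() { dd if=/dev/zero of="$1" bs=440 count=1 conv=notrunc 2>/dev/null; }

# True when bytes 0..439 are all zero.
bootcode_is_zero() { [ -z "$(hexat "$1" 0 440 | tr -d 0)" ]; }

# True when the disk signature, entry 1's status byte and 0x55AA are untouched.
table_intact() {
    [ "$(hexat "$1" 440 4)" = "deadbeef" ] &&
    [ "$(hexat "$1" 446 2)" = "8000" ] && [ "$(hexat "$1" 510 2)" = "55aa" ]
}

# Start LBA of partition 1: four little-endian bytes at offset 454.
part1_start() {
    h=$(hexat "$1" 454 4)
    b0=${h%??????}; r=${h#??}; b1=${r%????}; r=${r#??}; b2=${r%??}; b3=${r#??}
    echo $((0x$b3$b2$b1$b0))
}

# "aligned" when START_SECTOR * SECTOR_BYTES is a multiple of 1 MiB.
alignment() { [ $(($1 * $2 % 1048576)) -eq 0 ] && echo aligned || echo misaligned; }

# Demo: a 1 MiB-aligned layout (sector 2048) and a cylinder-style one (sector 63).
demo() {
    for s in 2048 63; do
        img=$(mktemp)
        make_mbr_image "$img" "$s"
        echo "partition 1 starts at sector $(part1_start "$img"): $(alignment "$s" 512)"
        wipe_bootcode "$img"
        if bootcode_is_zero "$img" && table_intact "$img"; then
            echo "bs=440 wipe: boot code zeroed, partition table kept"
        fi
        rm -f "$img"
    done
}
demo
```

The same alignment rule applies to 4096-byte sectors: alignment 256 4096 reports aligned, because what matters is the byte offset, not the sector number.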
-
If you have a Windows PC that works, go here: https://www.samsung.com/semiconductor/minisite/ssd/download/tools.html, download and install the Samsung Magician Software for Consumer SSD(3), which, according to the instructions, includes Secure Erase. You'll have to move the disk, of course.
-
@newuser, yes, tried with Samsung Magician and it says "device not supported".
Tried with Asus Secure Erase from the BIOS, but the virus keeps coming back.
Ran Tiny Core Linux and fdisk and got this:
http://i.imgur.com/SteUZDX.jpg
What does this mean? Did it find a hidden NTFS partition on it, or is that the memory?
Tried to run the dd command, but nothing happened.
All this was using terminal.
Any help is appreciated.
-
Because actions like these can be very dangerous for your system (i.e. choosing the wrong drive by accident) you need to run them as root / super-user (administrator). To do so, precede the command you want to run with the sudo command.
sudo dd ...
-
Some manufacturers' utilities are designed to work only on their own drives. For example, Samsung utilities will likely work only on Samsung-branded and possibly selected drives.
Use the utility provided by your drive's manufacturer for your SSD model, or use the Secure Erase extension provided in the Tiny Core repo, which is unaware of the manufacturer.
These are your only two choices to correctly secure erase the drive and restore like-new performance. There are many other tools to wipe a drive, but they were written for hard disk drives, not SSDs, which are a different animal. Any other method, for example dd, etc., as said earlier, will hurt your SSD.
After a Secure Erase, you can then use fdisk to partition as intended.
-
What I can see on the Samsung webpage is that the firmware for the EVO 840 is very popular.
http://www.samsung.com/semiconductor/minisite/ssd/download/overview.html
http://www.samsung.com/semiconductor/minisite/ssd/downloads/software/Samsung_SSD_840_EVO_EXT0DB6Q.iso
-
Ok, the virus is in the RAM. Booted from USB with no SSD whatsoever, and the partition that contains the viruses and all that crap was still there.
I can't even flash the BIOS anymore. I tried to go back to an old version, and every single one is the same. I remember the old versions, and they didn't have some features that I can see now.
I can't use my computer since two months now. Lost tons of stuff; I can't even work at home because I had that HDD unplugged. They have access to everything.
So, how can I remove this stuff from the RAM? It sounds unbelievable, but it's true.
-
Are you sure that the virus isn't on the USB stick? If the SSD is not connected, then how can you see a partition with a virus on it unless it is on the USB stick?
If you can boot from CD/DVD, it would be better to burn a Tiny Core ISO to CD/DVD on a clean machine and boot your infected machine with that to clean it.
-
Because I can still browse the infected partition (X:) with no SSDs, USBs, nothing.
It is there.
The same thing happens when I try to install Windows from a USB. I tested, unplugged everything, and can still browse the X: partition. I need to get rid of it; it's literally making me lose a lot of time and money.
-
What is partition X on? It must be on some kind of non-volatile device?
Did you try to boot from a Tiny Core CD/DVD?
-
Tried both, CD and USB.
In the BIOS I see a lot of DRAM-related stuff with very weird values. I was suspecting that it was located in the RAM, but this confirms it. Forgot to mention, I got this virus when I tried to install an app called manageiq. One of the steps was to install a virtual machine, and another step was wrong on purpose. It instructed the user to paste someone else's JSON on a cloud instead of instructing the user to create his own private key. It was late, and honestly I didn't know how dangerous that was, but after that, they have control over my computer/network.
Here, to prove my point: this right now is being broadcast, and here are some threads of people mocking me for being a Linux noob.
http://forum.tinycorelinux.net/index.php/topic,20755.0.html
http://forum.tinycorelinux.net/index.php/topic,20762.0.html
http://forum.tinycorelinux.net/index.php/topic,20765.0.html --> notice the screencap with a cellphone, just like I did earlier today. They did this before as well. They follow me to every forum I ask for help on and start making fun of me (LinusTechTips network section last month, for example) for... getting hacked in a very tricky way.
http://forum.tinycorelinux.net/index.php/topic,20771.0.html
http://forum.tinycorelinux.net/index.php/topic,20736.0.html
http://forum.tinycorelinux.net/index.php/topic,20793.0.html
http://forum.tinycorelinux.net/index.php/topic,20798.0.html
They also interacted with me through my webcam.
Sorry for not knowing how to remove a virus that was installed by people that I really trusted (it was a targeted attack, not random; one of them said I was "selected" just because I have a nice PC). And I don't know what I did to get all this undeserved humiliation. Tried to talk nicely with these guys, but they don't reply/act like they don't know anything, when I know that they stream my iPad/PC screens and subtweet about it.
I don't wish this on anyone, not even my worst enemy.
-
Even if the virus was in RAM, if you turn the machine off, disconnect any storage devices (HD, SSD, USB stick, etc.), disable wired and wireless networking, and then turn it back on again with only a CD/DVD drive connected, I don't see how it can be re-infected unless you have some non-volatile RAM.
Have you booted from a Tiny Core CD/DVD after doing the above?
-
I tried everything: CD, USB, I even tried with a different stick of RAM (which, tbf, was installed when I got infected, so there's that). The RAM is DDR4 Mushkin, and as I said before, I've never seen so many virtualization-related items in my BIOS ever.
Tbh, I'm surprised that you are asking that of me. I don't want to sound like an asshole, but google "partition x vm" or "virtual machine" or "ramdisk". I say I don't want to sound like an asshole because they are filtering my Google results right now, so I can't post any links (yes, it is THIS bad).
-
What Juanito is trying to say is that it is impossible for anything to stay in RAM when it is uncharged.
(i.e. shut down your PC and unplug the power cable)
Remove the ethernet cable, boot the computer with the Tiny Core CD and your SSD.
However, the hackers have probably attacked your network service provider as well, since they can filter your Google results.
-
I don't think so. It all started when I tried to install the program I mentioned before.
They can inject JavaScript stuff into my iPad; that's how they can filter Google results, etc.
So, no possible way to remove this X: partition using Tiny Core, despite the fact that it is mentioned everywhere when it comes to VMs, right?
edit: forgot to mention I even changed the modem two months ago and still got the damn X partition. It survives all kinds of formats... You guys created a monster without even knowing it.
-
X: partition
Sounds like you're booting with MS-DOS bootable media or something related to M$.
Linux doesn't assign partitions the way M$ does; are you exploring the disk with M$?
If the mysterious X partition cannot be seen with gdisk, it could be a virtual disk.
If so, unmounting it might help.
Oh, BTW,
Ran Tiny Core Linux and fdisk and got this:
http://i.imgur.com/SteUZDX.jpg
What does this mean?
Disk /dev/sda is your Samsung SSD with a GPT partition table.
fdisk can't read it.
Download gdisk to see what's inside.
Disk /dev/sdb (I guess) is your Tiny Core boot media.
An 8G USB stick, I think.
Disk /dev/sdb1 is something I'm unfamiliar with.
A partition inside a partition???
forgot to mention I even changed the modem two months ago
I mean the network service provider upstream of your modem.
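Added example, not from any poster in this thread: a POSIX shell script that tells a GPT disk from a classic MBR disk using the two markers the point above rests on, run against constructed image files rather than a real device. A GPT disk carries a protective MBR whose single entry has type 0xEE, plus the ASCII header signature "EFI PART" at the start of sector 1; an MBR-only partition tool sees just that one 0xEE entry, which is why the poster points at gdisk. The image contents are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Operates on image files only.
# Markers checked: 0x55AA at bytes 510..511 (any MBR), partition type 0xEE at
# byte 450 (GPT protective entry), "EFI PART" at byte 512 (GPT header, LBA 1).

# Dump LEN bytes at offset OFF of FILE as one lowercase hex string.
hexat() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'; }

# Write the printf escape string $2 into image $1 at offset $3 without truncating.
poke() { printf "$2" | dd of="$1" bs=1 seek="$3" conv=notrunc 2>/dev/null; }

# Constructed 4 KiB images: "none" (blank), "mbr" (classic table with a bootable
# Linux 0x83 entry), "gpt" (protective 0xEE entry plus the GPT header signature).
make_image() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    case $2 in
        mbr) poke "$1" '\200\000\000\000\203' 446; poke "$1" '\125\252' 510 ;;
        gpt) poke "$1" '\000\000\002\000\356' 446; poke "$1" '\125\252' 510
             poke "$1" 'EFI PART' 512 ;;
    esac
}

# Classify an image: prints "gpt", "mbr" or "none".
table_type() {
    [ "$(hexat "$1" 510 2)" = "55aa" ] || { echo none; return; }
    if [ "$(hexat "$1" 450 1)" = "ee" ] && [ "$(hexat "$1" 512 8)" = "4546492050415254" ]; then
        echo gpt
    else
        echo mbr
    fi
}

# What an MBR-only tool reports for entry 1: its type byte (hex).
part1_type() { hexat "$1" 450 1; }

# Demo over all three constructed layouts.
demo() {
    for kind in none mbr gpt; do
        img=$(mktemp); make_image "$img" "$kind"
        echo "$kind image -> table_type=$(table_type "$img"), entry-1 type=0x$(part1_type "$img")"
        rm -f "$img"
    done
}
demo
```

On the GPT image the script prints entry-1 type=0xee, which is exactly the single placeholder entry an MBR-only tool shows for a GPT disk; the real partitions live in the GPT entry array that gdisk reads.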
-
Here are some important things to consider.
1. Logically and most importantly, a virtual machine has to be loaded into memory from non-volatile storage; otherwise the software does not exist after a shutdown and reboot.
If you disconnect every hard disk drive, SSD and mSATA device, then there is nowhere a VM can be loaded from. ASUS motherboards come with all kinds of mSATA and variant types of additional storage devices.
To learn more about mini SSDs look here: https://rog.asus.com/articles/hands-on/easy-guide-to-ssds-sata-msata-m-2-and-u-2/
Have you really disconnected all these devices and tried to boot only the Tiny Core CD?? I believe you've missed something, a device still connected.
2. The only thing I noticed is the partition within a partition; how you managed that I don't know. sdb1p1 is a mistake which needs fixing.
Is sdb1p1 a USB thumb drive? Or a motherboard mSATA storage device like M.2? The secure-erase.tcz extension will definitely erase the Samsung SSD; however, it may not have access to the mSATA or variant device to command a secure erase.
The gparted.tcz extension will also remove any partition tables from any device it recognizes.
Note: when using the command line it's easy to make a mistake. If using fdisk to create a partition, use
fdisk /dev/sdb
not fdisk /dev/sdb1
gparted has a graphical user interface, which makes things easier.
And remember: when working with SSDs, mSATA devices, USB thumb drives, etc., stay away from any utility option that writes zeros to the drive. Zeros are for the dinosaur hard disk drives.