I think my PC is being hacked. What should I do? [closed]
I'm afraid I'm being hacked: My Ubuntu is receiving inbound traffic while my PC is disconnected from Ethernet and WIFI, so my question is, how am I receiving inbound traffic? I even have a firewall that is turned on.
I'm studying to be a developer, so obviously I can't completely disconnect from the web.
How should I proceed?
Solution 1:
If you think you're being hacked personally, below you can find a few very stringent rules to make hacker's lives extremely difficult.
- Remain calm
- Turn off all hardware you don't need to be a developer in the BIOS (this includes: microphones & speakers as they have been shown in the past to be used as communication channels once the PC was hacked, printer ports, USB ports, WiFi, etc)
- Black-list all hardware that cannot be disabled in the BIOS
- Connect through cable connection only and as little as possible (1/day to download mail, updates, upload your work
- Install as little software as possible
- Don't install software known to track you (flash, silverlight)
- Use Firefox with the noscript and modify headers plugins
- Disable all cookies. Only allow cookies per site and only for the session.
- Make system back-ups so you can roll back to previous versions and make the hacker's life a hell.
- Use these backups to create Live DVDs on DVD-Rs that cannot be hacked in case you need longer online exposure.
- You are already using a firewall, keep doing that.
- Only connect to the Internet through a NAT router and protect it with an admin password and use another DND then the one provided by your ISP.
- Don't give anyone physical access to your computer
That should get rid on 99.999% of hackers.
On the analysis of the problem:
Do the following:
- Boot from an Ubuntu LiveCD
- Do not connect to any network
-
go to a terminal by pressing Ctrl+Alt+T and type:
netstat --all
You will receive something like this and that will be your baseline. Ubuntu is not only a client OS but also a server so some applications connect to their server part on your own machine using TCP/IP sockets and this is absolutely normal. Sockets are a very benign and essential part of processes communicating with one-another!
Then connect to the network (still booted from the liveCD) and do the netstat -- all
again. This will be your baseline for a connected computer
Then install Ubuntu again following the above directives and especially: keep a cool head and read some more documentation on how Ubuntu works and if you have more specific questions, ask a new question.
Solution 2:
I am basing much of this on the original post (except for the title).
I think my PC is being hacked. What should I do? ... How should I proceed?
The first thing you should do is remain calm verify that this is the case. Constructively: Many of the comments in your original post indicate a fundamental lack of understanding of how many of the concepts you mentioned work. In the face of technology that is not understood, it is quite easy (and understandable) to draw incorrect conclusions and become paranoid. I suspect that you have misinterpreted the output of commands you do not understand, normal behaviors of a computer, etc., as being hacked. It is important to use proper critical thinking here.
That's not to say that you're not experiencing actual problems, but it is difficult to separate actual problems from suspected problems when concrete information is not given and accurate observations are not made.
My Ubuntu is receiving inbound traffic while my PC is disconnected from Ethernet and WIFI, ...
How have you determined that you are receiving inbound traffic? If you would like to actually determine that you are receiving inbound traffic, use proper tools. For example, use Wireshark (available in Ubuntu's repository) to watch traffic. Apply a filter and look for things coming from external IP addresses (rather than local applications attempting to reach out, which they will still attempt in the absence of an internet connection). You can also view live packet counts on all available interfaces to see which interfaces are being actively used. You may also use ifconfig
to list your interfaces; network usage statistics are given there and can be monitored as well.
... so my question is, how am I receiving inbound traffic?
You aren't! Unless you somehow failed to notice a telephone line sticking out of your PC :) and you established a dial-up connection somewhere, or you actively went through the non-trivial process of tethering through a USB or Bluetooth device then forgot you did this, you are not receiving inbound traffic if you are not connected to a network.
Going back to the first paragraph, I suspect you are misinterpreting information. For example, in your original post, you wrote:
I don't know if it is b/c now they are only keeping tabs on me b/c they know that I have been talking with the FBI, but they are still listening in on my ports, especially "sockets" which is something that I am not familiar with. yesterday, I found information by accident, and I was able to view the "Sockets" information and there were over 50 sockets opened and with someone on the other end listening.
However, this represents a fundamental misunderstanding. First, "listening in on my ports, especially "sockets"" simply does not make sense! Your terminology is not quite right and that statement is therefore unclear, and it is impossible to tell what you mean here or where this idea came from. This lends evidence to a misunderstanding on your part (there is nothing wrong with that).
Sockets can be open while offline, this is not suspicious. The idea of "someone on the other end [of a socket] listening" doesn't make sense as a concept, and there is no tool that can show such information. However, to explain why I'd have to explain how this works, and that is outside the scope of this answer. I suspect that you misinterpreted the LISTENING
statuses in e.g. netstat
or something (which actually refers to local applications on your machine listening for connections from outside, not the reverse).
TL;DR:
There are multiple other statements along those lines in your original post - I can't address them all here. The point is, you must remain calm, gain an understanding, use proper tools to concretely verify that your claims are true, and then organize relevant information in a reasonable way so that you can make correct conclusions. This will let you determine a) that there is not actually a problem, or b) that there is a well-defined problem that you can find a solution to. Have no fear: Easy, reliable, and affordable security solutions absolutely exist, but to use those solutions, you must first verify your problem and get a concrete handle on the details. Perhaps, in your case, it could be helpful to redirect your anxiety towards determination and analyses, rather than panic. :)
As of right now, it seems that, despite your worries, there is not enough hard evidence to suggest a problem yet. If there is a problem, you have not yet given accurate enough information for us to tell you what it might be and how to solve it.
One final obligatory point, though (emphasis mine):
For instance, I was using a Key Scrambler and an Anti Key logger and they would turn them off any time I got on the Net.
I highly recommend against downloading and installing such dubious software tools. Things like this could very well be the source of malware and cause of some of your original problems on your original non-Linux system. Efforts like this to "solve" these types of problems problems can easily make things worse, or even cause the issues in the first place.