
Bluetooth active though removed bluetooth card

Posted: 31 Oct 2014, 19:14
by badbiosvictim
I suspect Intel has a secret bluetooth mesh in its chipset starting with 945 chipset. http://www.reddit.com/r/badBIOS/comment ... tart_with/

I removed the Broadcom bluetooth card and Atheros wifi card from my Asus 1005HA netbook that unfortunately has an Intel 945 chipset. Porteus KDE detected bluetooth activity but not wifi activity. Snippets of logs are at http://www.reddit.com/r/badBIOS/comment ... inux_logs/

Correction: Porteus is not a CrunchBang remix. Porteus is a Slackware remix. Why are there bluetooth modules? Why is there bluetooth activity?

Re: Bluetooth active though removed bluetooth card

Posted: 31 Oct 2014, 22:16
by brokenman
Firstly, Porteus is NOT a CrunchBang remix. Not sure where you got that from.

Secondly I read the links you provided and was quite surprised at your claims.

The first line says MUCH. "Using a public computer, I custom built and downloaded porteus KDE linux to my flashblu flashdrive"

Then you go on to say that hackers somehow tampered with the ISO, the filemanager and also created .exe files.
Did you consider the possibility (and highly likely probability) that your USB device was infected the minute you plugged it into a public computer? I've worked in a couple of places with public access computers that allow USB access and they are a haven for virii and malware propagation. One such symptom (a dead giveaway) is that the virus removes folders and creates an .exe file in its place with the same name in the hope that you will double click on one.

Hackers tampered with porteus file manager to bypass the delete option in settings forcing trash to go to a trash folder.
Ah, no I don't believe 'they' hacked your file manager. That's what happens to files on a flash drive in linux when you delete them.

Hackers converted Porteus KDE ISO to porteus KDE.exe
Highly unlikely. As I stated above, this is a sign of an infected public computer.

I suspect that clicking on my directories executes the fork or string and that it infects every computer I insert my SD card into.
Now this part sounds VERY likely. That's exactly how the virii propagate ... but not under Porteus or ANY linux like OS. You can test this easily enough. Reformat an SD card, go to the public computer, insert the SD card and open it. Then without doing anything else take the SD card to a private computer and scan it.

Hackers circumvented my formatting a brand new Patriot 32 micro SD card to ext2
Oh my. I have more questions than answers.

Edit: Porteus KDE KInfoCenter could not detect Samba status. Error: "Unable to open config file "smb.conf." Error: "Could not open file /var/log/samba.log. I went to /var/log. Ticked on show hidden files. /var/log/samba.log is not visible.
KDE does not come with samba installed. This may explain the lack of a log file.

Porteus is tampered. Browser and package manager database are missing.
Porteus does not come with the package manager database. You need to download the database files.

bluetoothd has one thread. Using 160 KB memory and 1 MB shared memory.
Depending on the desktop environment you chose. In xfce for example the bluetooth daemon is not there.

My understanding is linux loads modules for specific hardware. If hardware does not exist, modules are not loaded. Since I removed the bluetooth card, linux should not have loaded bluetooth modules.
My system, although having no bluetooth package installed, lists the following under lsmod:
rfkill 8196 3 cfg80211,bluetooth

Linux loaded the following bluetooth modules:
bluedevil-1.3.1-i486-1, bluez-4.99-i486-1ftm, bluez-firmware-1.2-i486-1, broadcom-sta-6.30.223.248-i486-1ftm and obex-data-server-0.4.6-i486-1ftm, obexd-0.46-i486-1ftm, openobex-1.5-i486-1

I think you are confused between what is a module and what is a package. May I ask where you gleaned this information? It looks like a list of /var/log/packages.

Subsequently, hackers converted the porteus ISO to a tampered portable app

That is not a tampered portable app. YOUR SD CARD IS INFECTED.

While I certainly do not deny that there are super hackers out there that can infect 'air gapped' computers via sound frequency using microphones and speakers ... I hardly think this is the case here. The symptoms are that of well documented virii and not the work of uber hackers. The level of infiltration you are speaking of would be achieved in a far more stealthy manner and would not leave such large telltales. It would require breaching the firmware of one or more pieces of hardware and implanting the code there. Again this level of penetration would not leave such obvious signals around. The only real way to know if you have been hit by this would be to remove the wireless/bluetooth cards and then externally monitor the bandwidth of said cards for data transmission.

Re: Bluetooth active though removed bluetooth card

Posted: 31 Oct 2014, 22:32
by francois
@brokenman:
Depending on the depth of your answers, if these are warranted, I might have to intervene.

I would surely like to get that reference where porteus is a remix of crunchbang. :)

Re: Bluetooth active though removed bluetooth card

Posted: 01 Nov 2014, 09:54
by fanthom
Why is there bluetooth activity?
Because the bluetooth service is enabled by default in the KDE4 desktop. You may disable it by running the following command as root:

chmod -x /etc/rc.d/rc.bluetooth

Make sure you have persistence working.
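An added shell check, written here and not posted by anyone in this thread, that puts brokenman's module-versus-package point and fanthom's rc.bluetooth tip together: it parses lsmod output to list loaded Bluetooth-stack modules, counts adapters the kernel has actually registered under /sys/class/bluetooth, and reports whether the Slackware-style rc.bluetooth script is enabled. The lsmod excerpt is constructed, and the list of module names treated as "Bluetooth stack" is my assumption.

```shell
#!/bin/sh
# Constructed lsmod excerpt (not taken from the thread): module, size, use count, users.
# "bluetooth" is loaded but no adapter driver (btusb/hci_uart) is, which is what a
# desktop that starts the stack by default looks like when no radio is present.
SAMPLE_LSMOD='Module                  Size  Used by
bluetooth             283064  2 bnep
bnep                   12288  0
rfkill                  8196  3 cfg80211,bluetooth
cfg80211              196480  1 ath9k
snd_hda_intel          38396  0'

# List loaded kernel modules belonging to the Bluetooth stack, space separated.
# Reads lsmod-format text on stdin, so it works on the sample or on real `lsmod`.
# rfkill is deliberately excluded: wifi (cfg80211) uses it too, so it proves nothing.
bt_modules() {
    awk 'NR > 1 && $1 ~ /^(bluetooth|bnep|btusb|hci_uart|rfcomm|hidp)$/ {
             mods = (mods == "" ? $1 : mods " " $1)
         }
         END { print mods }'
}

# Count adapters the kernel has registered (hci0, hci1, ...).
# Stack modules loaded with zero hciN entries means the stack was started by the
# desktop's defaults, not because a radio was detected.
bt_adapters() {
    dir="${1:-/sys/class/bluetooth}"
    n=0
    for d in "$dir"/hci[0-9]*; do
        if [ -e "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Is the Slackware-style service script enabled (executable bit set)?
# fanthom's "chmod -x /etc/rc.d/rc.bluetooth" flips this from yes to no.
bt_service_enabled() {
    if [ -x "${1:-/etc/rc.d/rc.bluetooth}" ]; then echo yes; else echo no; fi
}

# Human-readable summary; on a live system run: lsmod | bt_report
bt_report() {
    mods=$(bt_modules)
    echo "Bluetooth modules loaded: ${mods:-none}"
    echo "Adapters registered:      $(bt_adapters)"
    echo "rc.bluetooth enabled:     $(bt_service_enabled)"
}

printf '%s\n' "$SAMPLE_LSMOD" | bt_report
```

With the sample input the report shows stack modules loaded but zero adapters, which is the software-default explanation rather than hidden hardware.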

Re: Bluetooth active though removed bluetooth card

Posted: 01 Nov 2014, 11:32
by badbiosvictim
I edited my thread to make the correction that Porteus is a Slackware remix.

To answer brokenman's question, Porteus System Information listed: bluedevil-1.3.1-i486-1, bluez-4.99-i486-1ftm, bluez-firmware-1.2-i486-1, broadcom-sta-6.30.223.248-i486-1ftm and obex-data-server-0.4.6-i486-1ftm, obexd-0.46-i486-1ftm, openobex-1.5-i486-1

Brokenman, thank you for advising that the xfce desktop does not enable the bluetooth daemon by default. I will build and download porteus xfce and check whether bluetooth becomes activated. This week, I shipped my flashblu flashdrive #1 and Asus 1005HA netbook to a forensics volunteer. I will need to wait to receive them back or purchase an older laptop no later than Intel GMA 900 chipset.

fanthom, thank you for advising that the bluetooth service is enabled by default in the KDE4 desktop and how to disable it. I will disable bluetooth and check whether bluetooth becomes activated.

Brokenman, the infiltration is a stealthy manner and does breach the firmware of hardware. BadBIOS infects BIOS, videocard, etc. BadUSB infects USB firmware. http://www.reddit.com/r/badBIOS/comment ... s_so_does/

Hackers infected my removable media with badUSB. The code is encrypted and inside multiple hidden partitions on my internal hard drive and removable media including MP3 players and smartphones. Disk hex editor dumped encrypted code. Disk hex dumps of hidden partitions are at:

http://www.reddit.com/r/badBIOS/comment ... agnostics/
http://www.reddit.com/r/badBIOS/comment ... y_western/
http://www.reddit.com/r/badBIOS/comment ... _flashblu/
http://www.reddit.com/r/badBIOS/comment ... image_and/
http://www.reddit.com/r/badBIOS/comment ... ntfs_boot/
http://www.reddit.com/r/badBIOS/comment ... ifi_video/

My removable media infect whatever computer they are connected to. Public Windows computers have infected my removable media only with the conficker worm which is easy to see and remove in linux. Conficker

I used a public computer to download porteus because I had air gapped my netbooks and laptops due to hacking. I could have used a USB network adapter to connect to a wifi hotspot but that would make performing forensics harder as that would blur the distinction between hacking 'air gapped' netbooks on battery power vs online hacking. Unfortunately, computers with an Intel chipset 950 or later cannot be air gapped due to Intel's secret bluetooth mesh.

Hackers tampered with the porteus ISO. The download was not the custom build that I had created. I rebuilt several times. Each download was not the custom build I created. For example, KDE has two file managers (Caja and Dolphin), two partition managers (Gparted and KDE partition manager) and two system monitors (GNOME and KDE).

Caja file manager offers the option of ticking a delete setting. Instead of trash going into a trash folder on removable media, trash is deleted. I ticked the delete setting. However, my trash was still going into a trash folder.

Hackers tampered with KDE partition manager and Gparted to circumvent partitioning my new Patriot micro SD card to ext2. They have done this in other linux distros.

Previously, hackers attached a fork or alternate data stream to my personal files on FAT32 removable media. The alternate data streams and forks are hiding in the slack space of my personal files. Their cluster size is much larger than FAT32 default cluster size. File hex editors dumped substantial slack space after every file, null terminated string, etc.

http://www.reddit.com/r/badBIOS/comment ... _by_fat32/
http://www.reddit.com/r/badBIOS/comment ... er_end_of/
http://www.reddit.com/r/badBIOS/comment ... text_text/
http://www.reddit.com/r/badBIOS/comment ... ices_have/
http://www.reddit.com/r/badBIOS/comment ... ack_space/
http://www.reddit.com/r/badBIOS/comment ... _performs/
http://www.reddit.com/r/badBIOS/comment ... converted/

Disk hex editor detected my FAT32 removable media have a hidden HFS partition and a hidden NTFS partition. HFS partitions enable forks. NTFS enable alternate data streams.

Western Digital Lifeguard Diagnostics was the only tool that wiped all the hidden partitions including the GPT protective partition:

http://www.reddit.com/r/badBIOS/comment ... y_western/
http://www.reddit.com/r/badBIOS/comment ... ard_drive/
http://www.reddit.com/r/badBIOS/comment ... agnostics/
http://www.reddit.com/r/badBIOS/comment ... ry_little/
http://www.reddit.com/r/badBIOS/comment ... d_mbr_and/

However, I cannot format the wiped removable media nor brand new removable media to only ext2. I need to move my personal files to an ext2 formatted removable media to break up the forks and alternate data streams. Hackers tampered with KDE Partition Manager and GParted in Porteus and MiniTool Partition Wizard in Windows XP causing them to freeze while they recreate hidden partitions.
http://www.reddit.com/r/badBIOS/comment ... as_secret/

After I deleted the porteus ISO on my SanDisk SD card, hackers converted the porteus ISO to a portable app .exe inside the trash folder and then made it a hidden file inside the trash folder. See the analysis by VirusTotal.com. http://www.reddit.com/r/badBIOS/comment ... _exe_that/

Re: Bluetooth active though removed bluetooth card

Posted: 01 Nov 2014, 12:31
by donald
@ badbiosvictim
I read some of your links....wow.... :crazy:

Quoting an answer you have got at linuxforums.org:

You either have your reasons for thinking you are being hacked or in some other way harassed or you don't. If you do I wish you well with it but suggest you focus on the possible not the fantastical.
If you are simply a troll then all I can say is, good luck with that.

That's all...

Re: Bluetooth active though removed bluetooth card

Posted: 01 Nov 2014, 12:54
by badbiosvictim
Donald, the linuxforum thread was posted four months ago, on July 4, 2014. Last month, I learned how to use a file hex editor and a disk hex editor. The file and disk hex editors dumped substantial evidence. I link to the evidence in my earlier reply this morning.

Re: Bluetooth active though removed bluetooth card

Posted: 01 Nov 2014, 18:12
by brokenman
The first rule of deduction is to eliminate all impossible reasons. Then look at what is left. You seem to have jumped this step and gone right for the improbable.

For example ... if you have two file managers then it is highly likely that when porteus boots it is loading 2 desktop modules, KDE and MATE. That explains why Caja/Dolphin exist together with gparted/kparted. Instead of eliminating this possibility you immediately assume a 'tampered' ISO. You also believe that your firmware has been adversely modified by hackers, yet you haven't ruled this option out by reflashing it or even reinstalling the OS to see if the infection persists. You can save yourself a LOT of complex work by adhering to the first rule of logical deduction.

I would recommend you lose the Windows XP version you are using if you are worried about being infiltrated. This is a tempting invitation to would-be hackers. Lastly, I don't have the time nor the inclination to read through your hex dumps, but something tells me it would be a 'wild goose chase'. I wish you well and hope that you are not being targeted by government or state level hackers. That would suck.

Re: Bluetooth active though removed bluetooth card

Posted: 01 Nov 2014, 18:44
by badbiosvictim
I rebuilt, redownloaded and reinstalled Porteus several times. They were tampered.

True, I haven't reflashed the BIOS of my Asus 1005HA which I just purchased three weeks ago. I have flashed the BIOS of my Asus 1015PE netbook and two MSI netbooks. Flashing is misleading as it does not completely flash the BIOS. Afudos engineering versions do complete flash. None of the afudos engineering flash versions worked on my netbooks. Flashing with Asus' built in utility in the BIOS didn't help.

Firmware rootkit in a hidden partition on the internal hard drive or removable media or videocard would reinfect the BIOS. I removed the internal hard drive from my prior netbooks. But how to move personal files to brand new removable media without infecting the new removable media and the flashed BIOS or the clean replacement netbook? My personal files on removable media have infected every replacement laptop.

I agree with losing XP. My linux boxes don't dual boot. XP was on public computers I was using.

Thanks for wishing me well. The hackers are hired by a private investigator.

Re: Bluetooth active though removed bluetooth card

Posted: 02 Nov 2014, 14:07
by francois
Thanks for wishing me well. The hackers are hired by a private investigator.
Is it possible for you to develop a little more on this line?

Re: Bluetooth active though removed bluetooth card

Posted: 06 Nov 2014, 12:22
by badbiosvictim
Yesterday, using a different public Dell desktop computer, I built XFCE and tried downloading twice. Hackers terminated the download. This morning, I tried twice. Hackers switched the build to razor. I terminated the download. Rebuilt. Download was razor. This also happened the first week I was building and downloading KDE.

I will answer the question why a private investigator hired hackers when I have time.