Home » I think my PC is being hacked. What should I do? [closed]

I think my PC is being hacked. What should I do? [closed]


If you think you’re being hacked personally, below you can find a few very stringent rules to make hacker’s lives extremely difficult.

  • Remain calm
  • Turn off all hardware you don’t need to be a developer in the BIOS (this includes: microphones & speakers as they have been shown in the past to be used as communication channels once the PC was hacked, printer ports, USB ports, WiFi, etc)
  • Black-list all hardware that cannot be disabled in the BIOS
  • Connect through cable connection only and as little as possible (1/day to download mail, updates, upload your work
  • Install as little software as possible
  • Don’t install software known to track you (flash, silverlight)
  • Use Firefox with the noscript and modify headers plugins
  • Disable all cookies. Only allow cookies per site and only for the session.
  • Make system back-ups so you can roll back to previous versions and make the hacker’s life a hell.
  • Use these backups to create Live DVDs on DVD-Rs that cannot be hacked in case you need longer online exposure.
  • You are already using a firewall, keep doing that.
  • Only connect to the Internet through a NAT router and protect it with an admin password and use another DND then the one provided by your ISP.
  • Don’t give anyone physical access to your computer

That should get rid on 99.999% of hackers.

On the analysis of the problem:

Do the following:

  • Boot from an Ubuntu LiveCD
  • Do not connect to any network
  • go to a terminal by pressing Ctrl+Alt+T and type: netstat --all

    You will receive something like this and that will be your baseline. Ubuntu is not only a client OS but also a server so some applications connect to their server part on your own machine using TCP/IP sockets and this is absolutely normal. Sockets are a very benign and essential part of processes communicating with one-another!

Then connect to the network (still booted from the liveCD) and do the netstat -- all again. This will be your baseline for a connected computer

Then install Ubuntu again following the above directives and especially: keep a cool head and read some more documentation on how Ubuntu works and if you have more specific questions, ask a new question.

I am basing much of this on the original post (except for the title).

I think my PC is being hacked. What should I do? … How should I proceed?

The first thing you should do is remain calm verify that this is the case. Constructively: Many of the comments in your original post indicate a fundamental lack of understanding of how many of the concepts you mentioned work. In the face of technology that is not understood, it is quite easy (and understandable) to draw incorrect conclusions and become paranoid. I suspect that you have misinterpreted the output of commands you do not understand, normal behaviors of a computer, etc., as being hacked. It is important to use proper critical thinking here.

That’s not to say that you’re not experiencing actual problems, but it is difficult to separate actual problems from suspected problems when concrete information is not given and accurate observations are not made.

My Ubuntu is receiving inbound traffic while my PC is disconnected from Ethernet and WIFI, …

How have you determined that you are receiving inbound traffic? If you would like to actually determine that you are receiving inbound traffic, use proper tools. For example, use Wireshark (available in Ubuntu’s repository) to watch traffic. Apply a filter and look for things coming from external IP addresses (rather than local applications attempting to reach out, which they will still attempt in the absence of an internet connection). You can also view live packet counts on all available interfaces to see which interfaces are being actively used. You may also use ifconfig to list your interfaces; network usage statistics are given there and can be monitored as well.

… so my question is, how am I receiving inbound traffic?

You aren’t! Unless you somehow failed to notice a telephone line sticking out of your PC 🙂 and you established a dial-up connection somewhere, or you actively went through the non-trivial process of tethering through a USB or Bluetooth device then forgot you did this, you are not receiving inbound traffic if you are not connected to a network.

Going back to the first paragraph, I suspect you are misinterpreting information. For example, in your original post, you wrote:

I don’t know if it is b/c now they are only keeping tabs on me b/c they know that I have been talking with the FBI, but they are still listening in on my ports, especially “sockets” which is something that I am not familiar with. yesterday, I found information by accident, and I was able to view the “Sockets” information and there were over 50 sockets opened and with someone on the other end listening.

However, this represents a fundamental misunderstanding. First, “listening in on my ports, especially “sockets”” simply does not make sense! Your terminology is not quite right and that statement is therefore unclear, and it is impossible to tell what you mean here or where this idea came from. This lends evidence to a misunderstanding on your part (there is nothing wrong with that).

Sockets can be open while offline, this is not suspicious. The idea of “someone on the other end [of a socket] listening” doesn’t make sense as a concept, and there is no tool that can show such information. However, to explain why I’d have to explain how this works, and that is outside the scope of this answer. I suspect that you misinterpreted the LISTENING statuses in e.g. netstat or something (which actually refers to local applications on your machine listening for connections from outside, not the reverse).


There are multiple other statements along those lines in your original post – I can’t address them all here. The point is, you must remain calm, gain an understanding, use proper tools to concretely verify that your claims are true, and then organize relevant information in a reasonable way so that you can make correct conclusions. This will let you determine a) that there is not actually a problem, or b) that there is a well-defined problem that you can find a solution to. Have no fear: Easy, reliable, and affordable security solutions absolutely exist, but to use those solutions, you must first verify your problem and get a concrete handle on the details. Perhaps, in your case, it could be helpful to redirect your anxiety towards determination and analyses, rather than panic. 🙂

As of right now, it seems that, despite your worries, there is not enough hard evidence to suggest a problem yet. If there is a problem, you have not yet given accurate enough information for us to tell you what it might be and how to solve it.

One final obligatory point, though (emphasis mine):

For instance, I was using a Key Scrambler and an Anti Key logger and they would turn them off any time I got on the Net.

I highly recommend against downloading and installing such dubious software tools. Things like this could very well be the source of malware and cause of some of your original problems on your original non-Linux system. Efforts like this to “solve” these types of problems problems can easily make things worse, or even cause the issues in the first place.

Related Solutions

Building a multi-level menu for umbraco

First off, no need pass the a parent parameter around. The context will transport this information. Here is the XSL stylesheet that should solve your problem: <!-- update this variable on how deep your menu should be --> <xsl:variable...

How to generate a random string?

My favorite way to do it is by using /dev/urandom together with tr to delete unwanted characters. For instance, to get only digits and letters: tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '' Alternatively, to include more characters from the OWASP...

How to copy a file from a remote server to a local machine?

The syntax for scp is: If you are on the computer from which you want to send file to a remote computer: scp /file/to/send username@remote:/where/to/put Here the remote can be a FQDN or an IP address. On the other hand if you are on the computer wanting to...

What is the difference between curl and wget?

The main differences are: wget's major strong side compared to curl is its ability to download recursively. wget is command line only. There's no lib or anything, but curl's features are powered by libcurl. curl supports FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP,...

Using ‘sed’ to find and replace [duplicate]

sed is the stream editor, in that you can use | (pipe) to send standard streams (STDIN and STDOUT specifically) through sed and alter them programmatically on the fly, making it a handy tool in the Unix philosophy tradition; but can edit files directly, too,...

How do I loop through only directories in bash?

You can specify a slash at the end to match only directories: for d in */ ; do echo "$d" done If you want to exclude symlinks, use a test to continue the loop if the current entry is a link. You need to remove the trailing slash from the name in order for -L to...

How to clear journalctl

The self maintenance method is to vacuum the logs by size or time. Retain only the past two days: journalctl --vacuum-time=2d Retain only the past 500 MB: journalctl --vacuum-size=500M man journalctl for more information. You don't typically clear the journal...

How can I run a command which will survive terminal close?

One of the following 2 should work: $ nohup redshift & or $ redshift & $ disown See the following for a bit more information on how this works: man nohup help disown Difference between nohup, disown and & (be sure to read the comments too) If your...

Get exit status of process that’s piped to another

bash and zsh have an array variable that holds the exit status of each element (command) of the last pipeline executed by the shell. If you are using bash, the array is called PIPESTATUS (case matters!) and the array indicies start at zero: $ false | true $...

Execute vs Read bit. How do directory permissions in Linux work?

When applying permissions to directories on Linux, the permission bits have different meanings than on regular files. The read bit (r) allows the affected user to list the files within the directory The write bit (w) allows the affected user to create, rename,...

What are the pros and cons of Vim and Emacs? [closed]

I use both, although if I had to choose one, I know which one I would pick. Still, I'll try to make an objective comparison on a few issues. Available everywhere? If you're a professional system administrator who works with Unix systems, or a power user on...

How do I use pushd and popd commands?

pushd, popd, and dirs are shell builtins which allow you manipulate the directory stack. This can be used to change directories but return to the directory from which you came. For example start up with the following directories: $ pwd /home/saml/somedir $ ls...

How to forward X over SSH to run graphics applications remotely?

X11 forwarding needs to be enabled on both the client side and the server side. On the client side, the -X (capital X) option to ssh enables X11 forwarding, and you can make this the default (for all connections or for a specific connection) with ForwardX11 yes...

What does “LC_ALL=C” do?

LC_ALL is the environment variable that overrides all the other localisation settings (except $LANGUAGE under some circumstances). Different aspects of localisations (like the thousand separator or decimal point character, character set, sorting order, month,...

What is a bind mount?

What is a bind mount? A bind mount is an alternate view of a directory tree. Classically, mounting creates a view of a storage device as a directory tree. A bind mount instead takes an existing directory tree and replicates it under a different point. The...

Turn off buffering in pipe

Another way to skin this cat is to use the stdbuf program, which is part of the GNU Coreutils (FreeBSD also has its own one). stdbuf -i0 -o0 -e0 command This turns off buffering completely for input, output and error. For some applications, line buffering may...

Can less retain colored output?

Use: git diff --color=always | less -r --color=always is there to tell git to output color codes even if the output is a pipe (not a tty). And -r is there to tell less to interpret those color codes and other escape sequences. Use -R for ANSI color codes only....

How do I copy a folder keeping owners and permissions intact?

sudo cp -rp /home/my_home /media/backup/my_home From cp manpage: -p same as --preserve=mode,ownership,timestamps --preserve[=ATTR_LIST] preserve the specified attributes (default: mode,ownership,timestamps), if possible additional attributes: context, links,...

Can I zip an entire folder using gzip?

No. Unlike zip, gzip functions as a compression algorithm only. Because of various reasons some of which hearken back to the era of tape drives, Unix uses a program named tar to archive data, which can then be compressed with a compression program like gzip,...