My PC was hacked while playing Red Dead Online using SSH

ssh is something that really should be configured before using.
Though I’m pretty sure that protocol 2 is the default … disallowing root is a good idea.
I also might suggest

PasswordAuthentication no
AuthenticationMethods publickey

But of course that requires any/all participants make use of keys.

https://wiki.archlinux.org/title/Security#SSH

2 Likes
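An added example (not from the thread, and not rkhunter's check) that audits an sshd_config for the settings recommended above, applying OpenSSH's documented defaults where a directive is absent. As noted later in the thread, editing the file changes nothing for an already running sshd until it is restarted or reloaded; the sample configs are constructed.

```python
# OpenSSH defaults for absent directives, and the values this thread recommends.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "authenticationmethods": "any"}
WANTED = {"permitrootlogin": {"no"},
          "passwordauthentication": {"no"},
          "authenticationmethods": {"publickey"}}


def parse_sshd_config(text):
    """Return effective top-level directives (keys lowercased).
    sshd honours the FIRST occurrence of a directive; later duplicates
    are ignored. Lines after a Match header apply only to matching
    connections, so they are skipped to keep the audit conservative.
    """
    effective, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif not in_match:
            effective.setdefault(key, value)
    return effective


def audit(text):
    """Map each audited directive to (effective value, passes?)."""
    cfg = parse_sshd_config(text)
    report = {}
    for key, wanted in WANTED.items():
        value = cfg.get(key, DEFAULTS[key]).lower()
        report[key] = (value, value in wanted)
    return report


# Constructed sample, not a real host's file: root login enabled, the
# later "no" ignored, and the Match-scoped line not counted.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nAuthenticationMethods publickey\n"
```

Running `audit(WEAK)` flags all three directives, while `audit(HARDENED)` passes them all.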

No, even whipping out my main M.2 drive and installing the Manjaro on my second drive didn’t help. It seems that it’s written to the BIOS. If I can’t figure this out, I’ll have to purchase a new MB, RAM, and CPU as well as the new M.2 that I just ordered. My MB is a DDR3 board.

Thank you for the advice, I’ll add that to my backup PC.

  1. I wonder why the SSHD service is running? It is not the default. Please check:
systemctl status sshd.service

Disable it completely and prevent it from running again:

systemctl disable --now sshd.service
systemctl mask sshd.service
  2. How would one log in when you need at least a password?

Ok the signs:

I certainly don’t want to downplay this, but it could also be a Windows virus. Unless the Wine prefix is sandboxed, or at least the symlinks to your home folder are removed, a Windows virus can access anything. If it actually only accesses game files, then I can at least conclude that it’s limited to the Wine prefix.

Game cracks may contain Windows viruses. Just to mention that.

RDO or GTAV Multiplayer works as P2P, so there is no central server. It is not hard to find all IPs here, which connect to each other. If you are not behind a router with a NAT/Firewall, then every service on your computer is reachable on the net. A software firewall should solve it.

3 Likes

@Mr.Man
Welcome to the Forums :+1:


Thanks for this amusing thread where a Micro$@$ user pretends to be a Linux user and spreads fear among Linux users :rofl:
(Take note of how many times he used the product name for search engine purposes)

  • No, a default LINUX install can NOT be hacked externally without active help from the user at the PC.
    No “but if” but but’s…

:v:


Don’t feed with ideas how to open the possibility to give external root access, because that is what the OP is actually after, to use that info to create his own viruses…

Simple “fix” for the OP: Please do a full reinstall in cases like this as you are used to in Micro$@$, and don’t perform things you don’t understand yourself just because others online want to “help” you with cheating in your game…

3 Likes

Very amusing topic indeed. A user gives full remote access to his/her machine to a stranger on the internet and then wonders that something nasty happened. It is about as smart as giving the keys to your car to a stranger on the street to “keep them for me” and then wondering that the car magically disappeared later.

But one (the beginner/noob user) can still learn something from the whole story:

  • SSH is disabled by default and for a good reason
  • if one decides to enable it, one should understand it or at least read about it
  • one should always use ssh with keys with strong encryption, and never ever ever allow root access from the internet, that is, disable it right after you set up the keys.
1 Like

So the entry point was somehow a more or less open SSH connection. If you don’t use SSH on your PC the service should be masked or uninstalled, if possible.

Now let’s break it down:

  1. strange folders popping up
  2. possible new accounts
  3. changed passwords

Yes it seems you got somehow hacked. Finding out what goes on might be a hassle. Here is some interesting read about some UEFI malware: Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw | Ars Technica. Since you run Manjaro you most likely have Secure Boot disabled anyway.

What you can try is to reflash your BIOS with a new or the latest and check with a Manjaro Live-Session if your machine acts normal. Then you can try to install Manjaro on a new SSD and test your PC for a while.

If you have important stuff like you do for work, maybe keep that on a separate machine on which you use the Internet in a more moderate way.

Avoid the normal pitfalls like adult pages, dating pages and other funky sites on the web.

And yes, there can always be bad people on the web, especially when you have direct contact with them somehow and made them angry.

4 Likes

:point_up:

I always wondered why all ladies’ last names end in *.jpg

That doesn’t sound like someone accessing SSH. Everyone runs with the story of you being SSH hacked. Are you not behind an ISP router which would then require you to redirect SSH port to your computer? Did you do that?

Sounds to me like you are playing a cracked, infected game with remote access; the simple fact that you see things happening in your desktop environment like files being selected doesn’t match your assumption of being “SSH hacked”.

//EDIT: any log of SSH access? That could be a starting point to give some weight to your assumptions.

6 Likes

There are dangerous ladies that end in .cmd or .sh :slight_smile:

If I had to rescue such a black box PC and I did not know what is infected, I would:

  1. Reinstall the UEFI firmware, from live booting media like a CD or USB created on a healthy PC.
  2. Check the UEFI settings for strange boot entries and, from a live Linux ISO, delete .efi files I cannot recognize. One can also see the creation/modification date of the EFI files.
  3. Completely wipe the disk and reinstall.

That would give a new, secure and healthy system. The problem begins if you want to rescue some data from the drive. The more you rescue/backup, the greater the chance to rescue/backup the malware too… if you do this, scan with a proper antimalware suite on live media. But then again, if you decide to go that way, you can probably spare yourself the reinstall. But there are a lot of threats that are not easily detectable by antivirus programs once in the PC. Like rootkits, UEFI viruses, etc.

2 Likes

default config does not require this to be disabled explicitly
Your changes may have opened you up to threats that were not existent before.

and:
sshd does not run by default - you have to actually want that and enable/start it

If you are behind a bog standard router device as almost everyone who is a customer to an ISP is
you’d have to actively have set up port forwarding for someone from the outside to actually be able to even try to connect to the sshd (that doesn’t even run if you did not enable it).

The “playing a cracked game through wine” scenario sounds slightly more plausible.
But just slightly.

All in all: you facilitated it - very, very unlikely that this happened through ssh
much less due to what you “learned of the threat posed by SSH” - which is … what?

2 Likes

This is the result from my backup PC. (My infected PC is currently dark.)

○ sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; preset: disabled)
Active: inactive (dead)

Would it open Dolphin?

I purchased the game through Steam, and I run it and all of my games through the Steam service. What I can say is that they were on my PC at the same time I was. Rkhunter looks for SSH and the PermitRootLogin setting to be listed as no. When it isn’t, it gives a red “Warning”.

That service is disabled, hence not enabled on that PC. As stated by others, normally it is not so easy to reach a PC without having the internal IP exposed to the public network. P2P might be different, and then it needed to be transferred through the game. https://www.reddit.com/r/RedDeadOnline/comments/13aha0x/hell_die_eventually_he_didnt/

1 Like

Teo, thank you for your advice. I don’t know how to do that yet, but I will be looking into it tonight. Because of this attack, I’m getting a crash course in network security. I still haven’t figured out how to copy terminal test results to this page like I see others do.

Thank you, if I’m going to go back to Rockstar’s servers, I’ll have to harden my system. The attack seemed to end with the edit to sshd_config, but I’m really just guessing. My main PC is dark because of the security holes found by rkhunter, but it hasn’t found a listed rootkit. Right now, I’m a nervous wreck.

Which do you think is safer: having to enter a separate password for root access or — as sudo comes set up by default — having to use your regular user’s password for full root access?

There are other (and better) ways to disable root logins — whether remotely or locally — than disabling the root account’s password.


What security flaw?

No, its default configuration is actually fairly safe, albeit not ideal. And modifying /etc/ssh/sshd_config does not change the configuration of an already running sshd server without a deliberate rehash. Furthermore, sshd is disabled by default in Manjaro — one has to explicitly enable it.


Not possible, given that sshd is disabled by default.

Furthermore, if you have an actual root password set and root login is enabled — which I do not believe to be the default, because the documentation explicitly mentions that it should only be enabled with secure passkeys — then they would need to use a brute-force tool to guess your root password, which would take them a lot of time and effort, and with every three failed login attempts, there’s an automatic and increasing timeout during which no logins are allowed anymore.

You sure have a lot of imagination, and I’m also quite convinced that what you’re describing would make a great scenario for a Hollywood movie starring a still very young Angelina Jolie, in which the mere act of inserting a floppy disk with a computer virus written for MS-DOS into a floppy drive on a mainframe can bring down the whole mainframe, but in the real world, things don’t work that way.

:man_facepalming:


That’s impossible. Even if you had already manually enabled sshd and you were editing the configuration file, then your changes to the configuration would not have any effect yet until after a rehash or a restart. Your password would also not magically start working again after unplugging your Ethernet cable.

Nonsense. How did the attacker know what desktop environment you’re running and therefore which graphical file manager to invoke? And why would they need to, when they can do it all from the command line? Because that’s what sshd does: it gives one remote access via a command line only, because X11 forwarding is disabled by default and must be explicitly allowed.

I don’t think you understand what a rootkit is. A rootkit does not force one to log in as root, and it also doesn’t give an attacker access to your computer.

A rootkit is a set of tools that allow an attacker to hide the fact that they already do have access to your computer, and it does that by replacing certain binaries that would betray the fact that they are accessing your system, such as modified versions of ls, ps, et al.

No @philm, the way I see it there are only two possibilities…:

  • The OP is trolling us, and by way of the Dunning-Kruger effect, he believes that the story that he concocted in his ignorance regarding how a UNIX operating system really works would hold credibility among the masses and — indeed — even the people who do know and use GNU/Linux.

  • The other possibility is alas a very sad one, but one that I cannot exclude due to my experience with an individual who reported similar things — albeit that this individual was running Windows at the time — which is that the OP is hallucinating, either due to some mental illness or due to substance abuse. In the event of the character I spoke of here-above, it was both — he was a diagnosed schizophrenic and he did drugs. And then Satan had taken over his computer and started typing “666” on IRC and all that.

Either way, those are the only two options. Either the OP is deliberately trolling us — possibly with the intent of scaring off the newbies, and I’ve been on Usenet long enough to have witnessed thousands of such posts from deliberate trolls — or the OP is hallucinating.

Either way, this thread is not doing the community of members and lurkers alike any good, so I’m unlisting it. I’ll leave it open for discussion for the time being, albeit that I don’t know whether there’s any point. There are so many red flags going off with what the OP reports that I don’t even know where to begin counting them.

:man_shrugging:

2 Likes

True, that. I do have a separate password, sometimes I’m asked for that rather than my user password depending on the application or process. This comes from my time with Mint where the policy seemed to be not to set one. It’s been a while since I set up a Manjaro system, these two about 5 years ago and a newer machine some time last year.

Cheers :slight_smile:

1 Like