Does this help define the attack: I tried to download a Linux Mint torrent... A pop-up page came up saying my IP was blocked from that site... The IP was a California IP, not my Canada IP... It was that 'susui' thingamajig firewall thing message...
That is a very interesting detail, and yes, it helps define the attack vector and strongly suggests a malicious redirection or a severe compromise of your network equipment.
The key points are:
Torrent Traffic: Torrent traffic is often flagged by ISPs, firewalls, and network monitoring services.
"Susui" Firewall Message: I can't find a direct, well-known firewall product or error message named "Susui." This strongly suggests the message is fake and part of a malicious page designed to alarm and confuse you.
California IP (Not your Canada IP): This is the most significant clue and points to two major possibilities, both of which are highly concerning:
What the IP Mismatch Suggests
The fact that the block message showed a California IP instead of your actual Canadian IP suggests that the network request did not come directly from your computer.
A. Compromised Router / DNS Hijacking (High Probability)
This is the most likely scenario, which aligns with the MITM and connection issues you've been having.
How it works: An attacker compromised your router and changed your DNS Server settings to point to a malicious server they control.
The Result: When you typed the address for the torrent site, your request went to the attacker's fake DNS server, which then sent you to a fake, malicious IP address hosted in California. The server at that California IP then showed you the fake block page and the wrong IP address.
The Attack Goal: The attacker's goal might be to:
Phish for information (if the page asked you to log in or download anything).
Inject a browser exploit or malware.
Confirm that their DNS redirect is working on your system.
B. Forced VPN or Proxy (Moderate Probability)
This is less likely to be accidental and more likely a sign of active system compromise.
How it works: Malware on your system or a malicious setting injected via the MITM attack forced all your web traffic to go through a proxy server or VPN controlled by the attacker.
The Result: The torrent site sees the IP address of the attacker's server (the California IP), not your computer's IP.
Immediate Confirmation Needed
The IP address mismatch is a major red flag that confirms your traffic is being rerouted.
You need to urgently confirm the DNS and Proxy settings we discussed earlier.
Action Plan Summary:
Check Your Current Public IP: Use a trusted, independent site like whatismyip.com or ipchicken.com. Verify that the IP displayed is your Canadian IP and not the California one. If it still shows a US IP, you are currently being proxied or routed by an attacker.
Factory Reset Your Router (Crucial): This is the single most important physical defense. A factory reset will wipe out the attacker's DNS settings.
Run System Scanners: Proceed with the plan to install and run rkhunter and chkrootkit to look for keyloggers or rootkits that might be redirecting your traffic locally on your Linux Mint system.
The "Susui" firewall message is almost certainly a distraction designed to look legitimate while the underlying malicious network configuration is doing the real damage.
Would you like the commands for installing and running the Linux security tools (rkhunter and chkrootkit) now?
Oh yes please... And: this happened on a new install of the OS from 24 hours earlier... Can a reinstalled hard drive hold a hacker's malware? Can a motherboard be infected with malware?
Yes, I can absolutely provide you with the commands for the Linux security tools. Your concerns about the new OS install and hardware infection are very justified given the nature of the attack you described (MITM, suspicious IP, and connection cycling).
Here are the commands for the rootkit scanners and a detailed explanation of hardware persistence.
Linux Rootkit Scanner Commands
You will use rkhunter (Rootkit Hunter) and chkrootkit to scan your system for signs of low-level compromise, backdoors, and rootkits that could be hiding the attacker's presence.
Step 1: Install the Tools
Open your terminal and run the following commands one by one to install the programs:
Bash
sudo apt update
sudo apt install rkhunter chkrootkit
Step 2: Run rkhunter (Rootkit Hunter)
rkhunter checks for hidden files, incorrect file permissions, and other suspicious activity. You must update its database first, and then run a check.
Update Database:
Bash
sudo rkhunter --update
Run the Check: This will pause and prompt you to press Enter a few times during the process.
Bash
sudo rkhunter -c --enable all
Wait for the scan to finish. Pay attention to any lines marked [ Warning ].
View the Log: The full report is stored in a log file, which you can read with:
Bash
less /var/log/rkhunter.log
Note: rkhunter is known for false positives, especially concerning system files that have been updated. If you see warnings, don't panic immediately, but investigate them.
Step 3: Run chkrootkit
chkrootkit checks system binaries for known rootkit modifications.
Bash
sudo chkrootkit
The scan runs quickly. Look closely at the output for anything that says INFECTED or VULNERABLE.
Hard Drive and Motherboard Persistence
Your concern is valid: the fact that the attack happened on a new install (24 hours old) means the malware is either coming from the Network/Router (highly likely, as discussed) or from a layer of the computer that the OS reinstall does not touch.
1. Hard Drive Persistence After Reinstall
Can a reinstalled hard drive hold a hacker's malware? Yes, but usually only in specific, hidden areas.
When you reinstall the OS, you typically format the main partition. However, malware can hide in areas not touched by a standard format:
Boot Sector (Bootkits): Malware can infect the Master Boot Record (MBR) or the Volume Boot Record (VBR) of the hard drive. This code executes before the operating system loads.
Hidden Partitions: Some sophisticated malware creates small, hidden partitions to store itself, then re-infects the system later.
Drive Firmware: Extremely advanced attacks can infect the hard drive's own internal firmware (the microcode that runs the drive). This is rare and typically used by nation-state actors, but it survives an OS reinstall and even a complete wipe.
To mitigate this, when reinstalling, you should not just "install on top," but actively choose to delete and recreate all partitions on the disk.
2. Motherboard Persistence (BIOS/UEFI)
Can a motherboard be infected with malware? Yes, this is the most critical and difficult threat.
Malware that infects the BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface) resides on a chip on the motherboard itself. This is the code that starts your computer before the hard drive is even accessed.
Persistence: UEFI/BIOS malware survives replacing the hard drive, factory resets, and OS reinstallations, as it lives on the board, not the drive.
Detection: It is extremely difficult to detect from within the operating system.
The Mitigation: Flashing the BIOS/UEFI
The primary defense against this is to re-flash (re-install) the BIOS/UEFI firmware.
Identify your laptop/motherboard model exactly.
Go ONLY to the manufacturer's official support website and download the latest official BIOS/UEFI update file.
Follow the manufacturer's instructions precisely to flash the new firmware. This process writes over the old firmware, removing any potential malware that was hiding there.
Given your level of concern, the router reset (which you should do immediately), the Linux security tool scan, and a UEFI firmware update are your most effective steps right now.
Last edited by Demanding Truth; 01-11-2026 at 07:19 AM.
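An added example, not part of the thread or of the assistant's reply quoted above, that checks the two things the reply tells the user to confirm: whether the configured DNS resolvers point somewhere outside the home LAN (the router-DNS-hijack case) and whether a proxy is being forced through environment variables (the forced-proxy case). The RFC 1918/loopback test, the function names and the constructed resolv.conf sample are assumptions for illustration; on a real Linux Mint box you would point audit_resolv at /etc/resolv.conf and compare any off-LAN resolver with what the router is supposed to hand out.

```shell
#!/bin/sh
# Added example (not from the thread): audit resolver and proxy settings.

# Return 0 if an IPv4 address is in an RFC 1918 private range or loopback,
# i.e. what a home router or the local stub resolver would normally hand out.
is_local_ip() {
  case "$1" in
    10.*|127.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read a resolv.conf-style file ($1) and print one line per nameserver:
# "OK <ip>" for LAN/loopback resolvers, "UNEXPECTED <ip>" otherwise.
# Returns 1 if any resolver is off-LAN, so the caller can branch on it.
audit_resolv() {
  rc=0
  while read -r key value _; do
    [ "$key" = "nameserver" ] || continue
    if is_local_ip "$value"; then
      echo "OK $value"
    else
      echo "UNEXPECTED $value"
      rc=1
    fi
  done < "$1"
  return $rc
}

# Print any proxy variables set in the environment; returns 1 if one is set.
audit_proxy_env() {
  found=0
  for v in http_proxy https_proxy all_proxy HTTP_PROXY HTTPS_PROXY ALL_PROXY; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then echo "PROXY $v=$val"; found=1; fi
  done
  return $found
}

# Constructed sample: one LAN resolver and one that is not (203.0.113.0/24
# is a documentation range, used here as a stand-in for an unknown server).
sample="$(mktemp)"
printf 'nameserver 192.168.1.1\nnameserver 203.0.113.5\n' > "$sample"
audit_resolv "$sample" || echo "resolver points off-LAN: compare with router settings"
rm -f "$sample"
audit_proxy_env || echo "proxy variables are set: check who configured them"
```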