Hi All,
After a few hours of running, my machine starts receiving and sending data from and to the Internet at about 275kbps each way (the maximum speed that my Internet connection supports). Here is what I saw:
Does anybody know what is happening on my machine? I'm really worried because the machines with IP addresses of 111.*.*.* are from China and Taipei.
Please use a pastebin for HUGE dumps like this
Last edited by jasonwryan (2012-12-09 20:52:13)
What services are you running? That is, what services are supposed to be running?
Are you using a firewall?
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
What services are you running? That is, what services are supposed to be running?
I only want to run openssh, apache httpd and samba
Are you using a firewall?
No, I'm not.
I'm no expert but wouldn't a firewall be... er... wise if you are running those services on the public net?
Have you taken steps to secure those services themselves?
What is rdp? That looks like stuff going from your machine to those ips. Is that something to do with samba or apache?
Note: I've never run apache or samba so for all I know what you are seeing is normal.
EDIT: rdp is remote desktop protocol?
Last edited by cfr (2012-12-08 02:35:46)
if you are running those services on the public net?
I run them on my home network and have these port forwardings on the router: port 22, 80 and 443.
Have you taken steps to secure those services themselves?
What steps did you mean?
What is rdp? That looks like stuff going from your machine to those ips. Is that something to do with samba or apache?
I'm not very sure what that rdp is. Usually, rdp is Remote Desktop Protocol, which can be used to display the screen of a remote Windows machine on your machine (it's like when you use Remote Desktop Connection on Windows). But I don't have rdesktop installed, so I don't know why rdp is there.
By the way, could anybody who knows iptables please check if I wrote these rules correctly:
iptables -A INPUT -s 111.0.0.0/255.255.0.0 -j REJECT
iptables -A INPUT -s 111.1.0.0/255.255.0.0 -j REJECT
iptables -A OUTPUT -d 111.0.0.0/255.255.0.0 -j REJECT
iptables -A OUTPUT -d 111.1.0.0/255.255.0.0 -j REJECT
My intention is to block all incoming / outgoing packets from / to 111.0.*.* and 111.1.*.*. I want to put those rules on my router which runs dd-wrt.
To me it looks like your computer is connecting to lots of Microsoft web servers, then making FTP connections to each address of the MS web servers. Since it is your computer doing the connecting using the root account, I would suggest looking for a rootkit (and researching how to secure services open to the WAN before enabling them again).
You're just jealous because the voices only talk to me.
To me it looks like your computer is connecting to lots of Microsoft web servers, then making FTP connections to each address of the MS web servers. Since it is your computer doing the connecting using the root account, I would suggest looking for a rootkit (and researching how to secure services open to the WAN before enabling them again).
Is there any way to find a rootkit?
The first step is google...
... or just ask pacman: pacman -Ss rootkit
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Boy, ya, if you are sure, and it seems you are, that you do not intend to be making RDP or FTP connections to those remote systems...
Back up your files and reinstall. Forget trying to find rootkits, and just assume your box is rooted.
After you reinstall, I would suggest using arno-iptables-firewall, found in the AUR:
arno-iptables-firewall
systemd-arno-iptables-firewall (this provides you with the systemd UNIT file)
The main config is found in /etc/arno-iptables-firewall/firewall.conf
Then you can enable SSH brute force protection by changing the "0" to "1" in this config
/etc/arno-iptables-firewall/plugins/ssh-brute-force-protection.conf
Then secure your OpenSSH sshd_config: create keys for your clients and enable key auth,
https://wiki.archlinux.org/index.php/SSH_Keys
As for Apache. Well there are many things to secure there. You will want to spend some time with that.
(arno-iptables-firewall plugins also make many other cool things easy to do, like traffic-accounting, traffic-shaping, multiroute, ipv6-over-ipv4, ids-protection, ...)
My guess would be that you probably got owned through Apache... or Samba (from an infected Windows box on your LAN).
Last edited by hunterthomson (2012-12-08 20:54:40)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
You also need to be careful about what you backup and restore.
iptables -A INPUT -s 111.0.0.0/255.255.0.0 -j REJECT
iptables -A INPUT -s 111.1.0.0/255.255.0.0 -j REJECT
Use DROP instead of REJECT, for less useless traffic.
This is useful info:
netstat -tulpn
Kill your rdp process! Investigate further, before wiping your system, to increase the chance of not making the same mistake next time.
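As an added example (not posted by anyone in this thread), a small Python checker that does what brebs and the earlier replies are asking the OP to do by eye: parse netstat -tunap style output, list programs listening that are outside the set the OP said he runs (sshd, httpd, smbd/nmbd), and list established connections whose peer falls in the 111.0.0.0/16 and 111.1.0.0/16 ranges from the OP's proposed rules. The column layout is the one netstat prints on Linux; the sample output, the addresses and the "rdp" process name are all constructed.

```python
import ipaddress
import re
# Programs the OP said he intends to run: OpenSSH, Apache httpd, Samba (smbd/nmbd).
EXPECTED_LISTENERS = {"sshd", "httpd", "smbd", "nmbd"}
# The networks in the OP's proposed rules; a 255.255.0.0 mask is a /16.
WATCHED_NETS = [ipaddress.ip_network("111.0.0.0/16"),
                ipaddress.ip_network("111.1.0.0/16")]
# One netstat -tunap data line: proto, two queue counts, local, foreign,
# an optional TCP state (UDP lines have none), then pid/program.
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)/(\S+)\s*$")
# Constructed sample output; the "rdp" process and every address are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      701/httpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2048/rdp
tcp        0      0 192.168.1.10:41234      111.0.23.45:3389        ESTABLISHED 2048/rdp
tcp        0      0 192.168.1.10:41240      111.1.200.9:21          ESTABLISHED 2048/rdp
udp        0      0 0.0.0.0:137             0.0.0.0:*                           741/nmbd
"""

def parse_netstat(text):
    """Parse netstat -tunap output into dicts; the header and unmatched lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, local, foreign, state, pid, prog = m.groups()
        fip, fport = foreign.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        rows.append({"proto": proto, "state": state or "", "pid": int(pid), "prog": prog,
                     "local": local, "foreign_ip": fip, "foreign_port": fport})
    return rows

def unexpected_listeners(rows):
    """Programs on a listening or unconnected socket ('*' peer) not on the allow-list."""
    return sorted({r["prog"] for r in rows
                   if r["foreign_port"] == "*" and r["prog"] not in EXPECTED_LISTENERS})

def connections_to_watched_nets(rows):
    """(program, pid, peer) for each connection whose peer lies in a watched /16."""
    hits = []
    for r in rows:
        if r["foreign_port"] == "*":
            continue
        peer = ipaddress.ip_address(r["foreign_ip"])
        if any(peer in net for net in WATCHED_NETS):
            hits.append((r["prog"], r["pid"], f"{r['foreign_ip']}:{r['foreign_port']}"))
    return hits
```

On a real box, feed it the output of `netstat -tunap` run as root so the PID/Program column is filled in for every socket.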
@dxxvi:
Listen to brebs, do not reinstall. Also, you might want to run rkhunter (look for DISABLE_TESTS in /etc/rkhunter.conf and make this array empty -- you'll get lots of warnings but a more thorough scan as well). And finally, since there are people also running similar services, please post your httpd.conf (and possibly .cgi scripts etc.) and smb.conf so that we can learn dangerous configs.
On another note, blocking specific public IPs in a firewall config is stupid because those are most likely dynamic, so you'll end up blocking the entire web. You don't need a firewall in principle, but if you still want to set up one, make the rules as generic as possible...
@cfr:
What do you expect a firewall to do? You do realize that for a simple ssh and web server facing the internet you don't need a firewall, if there are no specific access requirements to the services, right? Besides, the box is NATed and the router provides a firewall.
@hunterthomson:
Great lesson from microsoft: if it doesn't work -- reinstall, it's all because of an angry virus. Before assuming that apache/samba is hacked, perhaps it is wise to learn about configs first...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
What is the output of netstat -p ??
This thread is very slow to open, it hangs on the first post. There don't seem to be too many lines in the code tag though.
This thread is very slow to open, it hangs on the first post. There don't seem to be too many lines in the code tag though.
There were some commands in square brackets, like sudo; not sure if that is the cause, but I removed them to be safe...
Turns out, the dump was several thousand lines long, hence the delay loading
@cfr:
What do you expect a firewall to do? You do realize that for a simple ssh and web server facing the internet you don't need a firewall, if there are no specific access requirements to the services, right? Besides, the box is NATed and the router provides a firewall.
Indeed. The fact that the box is behind a router emerged in response to my question/comment about the firewall. I never said that the router did not provide this. (Although routers do vary and anything being forwarded to the box is obviously not firewalled. Depending on the router, you might or might not be able to make the controls there as fine-grained as you could using iptables.) (With the router I've got, you have very little fine-grained control so it would certainly make sense to run iptables if you wanted more control.)
I completely agree that blocking particular IPs is pointless.
@hunterthomson:
Great lesson from microsoft: if it doesn't work -- reinstall, it's all because of an angry virus. Before assuming that apache/samba is hacked, perhaps it is wise to learn about configs first...
As far as I can tell, nobody has suggested that a virus is involved. The suggestion is that a rootkit is involved. That is hardly the same. If that's the case, then learning to configure things securely is clearly wise but reinstalling is likely to be the only way to be certain the system is trustworthy simply because the system is compromised in that case. Configuring the services correctly will not do any good if there's a rootkit inside.
This is not to say that forensics is not a good idea prior to reinstalling. I guess that will depend on a whole range of factors.
@hunterthomson:
Great lesson from microsoft: if it doesn't work -- reinstall, it's all because of an angry virus. Before assuming that apache/samba is hacked, perhaps it is wise to learn about configs first...
Who said "it doesn't work"?
The OP said...
After a few hours of running, my machine starts receiving and sending data from and to the Internet at about 275kbps each way (the maximum speed that my Internet connection supports). Here is what I saw. . .
>here he showed his box doing what looked like a port scan of a whole China IP subnet from a process owned by the root user<
Rootkit or no rootkit, someone other than him can perform actions on his box as the root user. At that point you MUST assume that the whole box is compromised until you can prove otherwise. Not the other way around, i.e. assume the box is not compromised until you prove it is.
I wish more people learned that lesson from Microsoft.
In fact, it all seems to be working only too well - just not for the OP.
Last edited by cfr (2012-12-10 00:30:00)