
#1 2012-12-08 01:30:09

dxxvi
Member
Registered: 2011-07-23
Posts: 122

Why is my machine sending / receiving a lot of data to the Internet?

Hi All,

After a few hours of running, my machine starts receiving and sending data from and to the Internet at about 275kbps each way (the maximum speed that my Internet connection supports). Here is what I saw:

http://sprunge.us/STOT

Does anybody know what is happening on my machine? I'm really worried because the machines with IP addresses of 111.*.*.* are from China and Taipei.


Please use a pastebin for HUGE dumps like this

Last edited by jasonwryan (2012-12-09 20:52:13)


#2 2012-12-08 01:47:41

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Why is my machine sending / receiving a lot of data to the Internet?

What services are you running? That is, what services are supposed to be running?

Are you using a firewall?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2012-12-08 02:13:22

dxxvi
Member
Registered: 2011-07-23
Posts: 122

Re: Why is my machine sending / receiving a lot of data to the Internet?

cfr wrote:

What services are you running? That is, what services are supposed to be running?

I only want to run openssh, apache httpd and samba

cfr wrote:

Are you using a firewall?

No, I'm not.


#4 2012-12-08 02:27:19

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Why is my machine sending / receiving a lot of data to the Internet?

I'm no expert but wouldn't a firewall be... er... wise if you are running those services on the public net?

Have you taken steps to secure those services themselves?

What is rdp? That looks like stuff going from your machine to those ips. Is that something to do with samba or apache?

Note: I've never run apache or samba so for all I know what you are seeing is normal.

EDIT: rdp is remote desktop protocol?

Last edited by cfr (2012-12-08 02:35:46)



#5 2012-12-08 02:43:25

dxxvi
Member
Registered: 2011-07-23
Posts: 122

Re: Why is my machine sending / receiving a lot of data to the Internet?

cfr wrote:

if you are running those services on the public net?

I run them on my home network and have these port forwardings on the router: port 22, 80 and 443.

cfr wrote:

Have you taken steps to secure those services themselves?

What steps did you mean?

cfr wrote:

What is rdp? That looks like stuff going from your machine to those ips. Is that something to do with samba or apache?

I'm not very sure what that rdp is. Usually, RDP is the Remote Desktop Protocol, which can be used to display the screen of a remote Windows machine on your machine (it's like when you use Remote Desktop Connection on Windows). But I don't have rdesktop installed, so I don't know why rdp is there.

By the way, could anybody who knows iptables please check if I write these rules correctly:

iptables -A INPUT -s 111.0.0.0/255.255.0.0 -j REJECT
iptables -A INPUT -s 111.1.0.0/255.255.0.0 -j REJECT
iptables -A OUTPUT -d 111.0.0.0/255.255.0.0 -j REJECT
iptables -A OUTPUT -d 111.1.0.0/255.255.0.0 -j REJECT

My intention is to block all incoming / outgoing packets from / to 111.0.*.* and 111.1.*.*. I want to put those rules on my router which runs dd-wrt.

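The rules in the post above are meant to run on a dd-wrt router, and two things are worth checking before putting them there. On a router, packets from a LAN host to the internet traverse the FORWARD chain, so INPUT/OUTPUT rules only ever see the router's own traffic. And REJECT answers every blocked packet with an ICMP error, which is why a blocklist normally uses DROP. The script below is an added example, not something posted in the thread: it converts netmask-style ranges such as 111.0.0.0/255.255.0.0 to CIDR and prints a ruleset that keeps the list in a dedicated chain hooked into FORWARD, INPUT and OUTPUT, with a rate-limited LOG so you can see whether anything is actually hitting it. Helper names are hypothetical; it only prints, so it can be reviewed before being fed to sh on the router.

```shell
#!/bin/sh
# Added example, not from the thread. Turns netmask-style ranges such as
# 111.0.0.0/255.255.0.0 into CIDR and prints an iptables ruleset that drops
# traffic to and from them. Prints only; pipe the output into sh on the router
# once you have read it. Helper names are hypothetical.

# mask2prefix 255.255.0.0 -> 16 ; rejects non-contiguous masks like 255.0.255.0
mask2prefix() {
    prefix=0
    tail=0
    saved_ifs=$IFS
    IFS=.
    set -- $1            # split the mask into its four octets
    IFS=$saved_ifs
    for octet in "$@"; do
        # once a partial octet has been seen, everything after it must be 0
        if [ "$tail" = 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); tail=1 ;;
            252) prefix=$((prefix + 6)); tail=1 ;;
            248) prefix=$((prefix + 5)); tail=1 ;;
            240) prefix=$((prefix + 4)); tail=1 ;;
            224) prefix=$((prefix + 3)); tail=1 ;;
            192) prefix=$((prefix + 2)); tail=1 ;;
            128) prefix=$((prefix + 1)); tail=1 ;;
            0)   tail=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$prefix"
}

# to_cidr 111.0.0.0/255.255.0.0 -> 111.0.0.0/16 ; 10.0.0.0/8 passes through
to_cidr() {
    net=${1%%/*}
    mask=${1#*/}
    [ "$net" != "$1" ] || return 1          # no slash at all
    case $mask in
        *.*) p=$(mask2prefix "$mask") || return 1; echo "$net/$p" ;;
        *)   echo "$net/$mask" ;;
    esac
}

# emit_block_rules RANGE... : prints the iptables commands. A dedicated chain keeps
# the list in one place; it is hooked into FORWARD (LAN hosts' traffic through a
# router) as well as INPUT/OUTPUT (the router's, or a host's, own traffic).
emit_block_rules() {
    echo "iptables -N BLOCKLIST 2>/dev/null"
    echo "iptables -F BLOCKLIST"
    for range in "$@"; do
        cidr=$(to_cidr "$range") || { echo "bad range: $range" >&2; return 1; }
        for dir in s d; do
            # log a sample of hits so you can see whether the rule is doing anything
            echo "iptables -A BLOCKLIST -$dir $cidr -m limit --limit 6/min -j LOG --log-prefix 'BLOCKLIST: '"
            echo "iptables -A BLOCKLIST -$dir $cidr -j DROP"
        done
    done
    for chain in FORWARD INPUT OUTPUT; do
        echo "iptables -I $chain 1 -j BLOCKLIST"
    done
}

# Usage: sh blocklist.sh 111.0.0.0/255.255.0.0 111.1.0.0/16 > rules.sh
[ $# -eq 0 ] || emit_block_rules "$@"
```

On dd-wrt the generated commands belong in the firewall script (Administration, Commands, Save Firewall) or they are gone after a reboot. Note what this does and does not do: it stops packets to and from two /16s, which contains the traffic while you investigate, but it does nothing about the process on the host that is opening those connections.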

#6 2012-12-08 05:25:53

moetunes
Member
From: A comfortable couch
Registered: 2010-10-09
Posts: 1,033

Re: Why is my machine sending / receiving a lot of data to the Internet?

To me it looks like your computer is connecting to lots of Microsoft web servers then making FTP connections to each address of the MS web servers. Since it is your computer doing the connecting using the root account, I would suggest looking for a rootkit (and researching how to secure services open to the WAN before enabling them again).


You're just jealous because the voices only talk to me.


#7 2012-12-08 05:57:49

dxxvi
Member
Registered: 2011-07-23
Posts: 122

Re: Why is my machine sending / receiving a lot of data to the Internet?

moetunes wrote:

To me it looks like your computer is connecting to lots of Microsoft web servers then making FTP connections to each address of the MS web servers. Since it is your computer doing the connecting using the root account, I would suggest looking for a rootkit (and researching how to secure services open to the WAN before enabling them again).

Is there any way to find a rootkit?


#8 2012-12-08 06:01:27

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Why is my machine sending / receiving a lot of data to the Internet?

The first step is google...


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#9 2012-12-08 18:33:35

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Why is my machine sending / receiving a lot of data to the Internet?

... or just ask pacman:   pacman -Ss rootkit


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#10 2012-12-08 20:45:36

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Why is my machine sending / receiving a lot of data to the Internet?

Boy, yeah, if you are sure (and it seems you are) that you do not intend to be making RDP or FTP connections to those remote systems.....

Backup your files and re-install. Forget trying to find rootkits, and just assume your box is rooted.

After you re-install, I would suggest using arno-iptables-firewall, found in the AUR:
arno-iptables-firewall
systemd-arno-iptables-firewall (this provides you with the systemd unit file)

The main config is found in /etc/arno-iptables-firewall/firewall.conf
Then you can enable SSH brute force protection by changing the "0" to "1" in this config
/etc/arno-iptables-firewall/plugins/ssh-brute-force-protection.conf

Then secure your OpenSSH sshd_config: create keys for your clients and enable key auth,
https://wiki.archlinux.org/index.php/SSH_Keys

As for Apache. Well there are many things to secure there. You will want to spend some time with that.

(arno-iptables-firewall plugins also make many other cool things easy to do like, traffic-accounting, traffic-shaping, multiroute, ipv6-over-ipv4, ids-protection,...)

My guess would be that you probably got owned through Apache... or Samba (from an infected Windows box on your LAN).

Last edited by hunterthomson (2012-12-08 20:54:40)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

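Key-only SSH, as recommended above, is easy to get subtly wrong: sshd takes the first occurrence of each keyword, a commented-out line leaves the compiled-in default in force, and a PAM setup still accepts passwords through keyboard-interactive unless ChallengeResponseAuthentication is off as well. The script below is an added example, not from the thread or from the OpenSSH project: it reads an sshd_config and reports the effective value of the four settings that matter for a port-22 forward, applying first-occurrence-wins and ignoring everything after the first Match block. The assumed defaults are those of OpenSSH releases of the period (PermitRootLogin defaulted to yes; current releases default to prohibit-password). Function names are hypothetical and both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an sshd_config for the settings
# that matter once port 22 is forwarded from the internet. sshd uses the first
# occurrence of each keyword, and lines after the first "Match" apply only
# conditionally, so the check mirrors that. Assumed defaults are those of
# OpenSSH of the period (PermitRootLogin defaulted to yes). Function names are
# hypothetical.

# Constructed: a config that only looks hardened. The commented PermitRootLogin
# line does nothing, so the default (yes) applies.
weak_sample() {
cat <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

# Constructed: hardened. Key-only logins; ChallengeResponseAuthentication is
# turned off too, or PAM keyboard-interactive would still accept passwords.
# The Match block re-enables passwords for the LAN only and is out of scope here.
hardened_sample() {
cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
}

# sshd_effective: reads sshd_config on stdin, prints "Keyword value" for the
# four keywords of interest, applying first-occurrence-wins and the default
# when the keyword is absent or commented out.
sshd_effective() {
    awk '
    BEGIN {
        name["permitrootlogin"] = "PermitRootLogin";               def["permitrootlogin"] = "yes"
        name["passwordauthentication"] = "PasswordAuthentication"; def["passwordauthentication"] = "yes"
        name["pubkeyauthentication"] = "PubkeyAuthentication";     def["pubkeyauthentication"] = "yes"
        name["challengeresponseauthentication"] = "ChallengeResponseAuthentication"
        def["challengeresponseauthentication"] = "yes"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
    tolower($1) == "match" { exit }         # conditional section: out of scope
    {
        k = tolower($1)
        if ((k in name) && !(k in val)) val[k] = $2
    }
    END { for (k in name) print name[k], (k in val) ? val[k] : def[k] }' | sort
}

# sshd_weak: the effective settings that leave password or root login open.
# An empty result is what you want.
sshd_weak() {
    sshd_effective | awk '
        ($1 == "PermitRootLogin" && $2 == "yes") ||
        ($1 == "PasswordAuthentication" && $2 == "yes") ||
        ($1 == "ChallengeResponseAuthentication" && $2 == "yes") ||
        ($1 == "PubkeyAuthentication" && $2 == "no")'
}

# Usage on a real host: sshd_weak < /etc/ssh/sshd_config
```

Run it against the weak sample and it reports PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication all at yes, even though the file contains a PermitRootLogin line; the hardened sample reports nothing. Keep a second terminal logged in while changing the live config, and test a fresh key login before closing it.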

#11 2012-12-09 04:02:45

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Why is my machine sending / receiving a lot of data to the Internet?

You also need to be careful about what you backup and restore.



#12 2012-12-09 05:59:31

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Why is my machine sending / receiving a lot of data to the Internet?

dxxvi wrote:
iptables -A INPUT -s 111.0.0.0/255.255.0.0 -j REJECT
iptables -A INPUT -s 111.1.0.0/255.255.0.0 -j REJECT

Use DROP instead of REJECT, for less useless traffic.

This is useful info:

netstat -tulpn

Kill your rdp process! Investigate further, before wiping your system, to increase the chance of not making the same mistake next time.

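The netstat suggestion above is the right first step, and with -p it also names the process behind each socket. What a practitioner does next is reduce the dump to one line per process, so that a single process talking to many different remote hosts (the "rdp" one in the original paste) stands out, and then look at that PID before killing it. The script below is an added example, not from the thread: it summarises netstat -antp output per process and shows the /proc checks for a suspect PID. Function names are hypothetical and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises `netstat -antp` output per
# process so a single process talking to many remote hosts stands out, then
# shows what to look at for that PID. Function names are hypothetical; the
# sample dump below is constructed.

# Constructed sample in `netstat -antp` layout: proto, queues, local, foreign,
# state, PID/program. The 1487/rdp process is the suspicious one.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      733/httpd
tcp        0      0 192.168.1.10:22         192.168.1.20:50214      ESTABLISHED 2201/sshd
tcp        0      0 192.168.1.10:445        192.168.1.20:50301      ESTABLISHED 901/smbd
tcp        0      0 192.168.1.10:40001      111.0.3.17:21           SYN_SENT    1487/rdp
tcp        0      0 192.168.1.10:40002      111.0.3.18:21           SYN_SENT    1487/rdp
tcp        0      0 192.168.1.10:40003      111.1.9.2:21            ESTABLISHED 1487/rdp
tcp        0      0 192.168.1.10:40004      111.1.9.3:21            SYN_SENT    1487/rdp
tcp        0      0 192.168.1.10:40005      65.55.12.1:80           ESTABLISHED 1487/rdp
EOF
}

# summarize_tcp: reads netstat -antp lines on stdin, prints one line per process:
#   PID/program  connections  half-open(SYN_SENT)  distinct-remote-hosts
# Only non-listening TCP sockets with a known owner are counted.
summarize_tcp() {
    awk '$1 == "tcp" && $6 != "LISTEN" && $7 != "-" {
        split($5, fa, ":")            # foreign host:port -> host
        total[$7]++
        if ($6 == "SYN_SENT") half[$7]++
        if (!seen[$7, fa[1]]++) hosts[$7]++
    }
    END { for (p in total) printf "%s %d %d %d\n", p, total[p], half[p] + 0, hosts[p] }' \
    | sort -k4,4nr -k1,1
}

# flag_scanners N: keeps processes talking to at least N distinct remote hosts
flag_scanners() {
    awk -v n="$1" '$4 >= n { print $1 }'
}

# inspect_pid PID: what to check before killing the process. Needs root for
# other users' processes; the output is for a human to read.
inspect_pid() {
    pid=$1
    echo "exe:     $(readlink "/proc/$pid/exe")"      # "(deleted)" = binary removed after start
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "user:    $(stat -c %U "/proc/$pid")"
    echo "parent:  $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
    # On Arch: which package installed this binary? "No package owns" is a red flag.
    pacman -Qo "$(readlink "/proc/$pid/exe" | sed 's/ (deleted)$//')" 2>&1
}

# Live run as root: LIVE=1 sh triage.sh
if [ "${LIVE:-0}" = 1 ]; then
    netstat -antp 2>/dev/null | summarize_tcp | flag_scanners 4 | while read -r proc; do
        echo "== $proc"
        inspect_pid "${proc%%/*}"
    done
fi
```

On the constructed sample the summary line for 1487/rdp reads "5 3 5": five connections, three of them half-open, to five different hosts, which is the pattern of a process scanning or sweeping rather than serving. Copy the binary (cp /proc/PID/exe) and the cmdline before killing the process, since a deleted-on-disk binary is gone the moment the process exits. Everything here is read through the running kernel, so a kernel-level rootkit can hide from it; that is the limit of on-box triage.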

#13 2012-12-09 18:37:25

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Why is my machine sending / receiving a lot of data to the Internet?

@dxxvi:
Listen to brebs, do not reinstall. Also, you might want to run rkhunter (look for DISABLE_TESTS in /etc/rkhunter.conf and make this array empty -- you'll get lots of warnings but more thorough scan as well). And finally, since there are people also running similar services, please post your httpd.conf (and possibly .cgi scripts etc) and smb.conf so that we can learn dangerous configs.

On another note, blocking specific public IPs in a firewall config is stupid because those are most likely dynamic, so you'll end up blocking the entire web. You don't need a firewall in principle, but if you still want to set up one, make the rules as generic as possible...

@cfr:
What do you expect a firewall to do? You do realize that for a simple ssh and web server facing the internet you don't need a firewall, if there are no specific access requirements to the services, right? Besides, the box is NATed and the router provides a firewall.

@hunterthomson:
Great lesson from microsoft: if it doesn't work -- reinstall, it's all because of an angry virus. Before assuming that apache/samba is hacked, perhaps it is wise to learn about configs first...


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

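rkhunter, as suggested above, looks for known rootkit signatures and suspicious files. On Arch there is a second, independent check that is often more useful: pacman records the size, mode and mtime of every file it installs, and pacman -Qkk compares the filesystem against that record, so a replaced /usr/bin/sshd or /usr/bin/netstat shows up even if no rootkit signature matches. The script below is an added example, not from the thread or from pacman/rkhunter: it filters pacman -Qkk output down to altered files outside /etc and /var (config files are expected to differ) and then to the subset that lives in binary and library directories, and shows the rkhunter invocation with every test enabled. Function names are hypothetical and the pacman output sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Before deciding between "investigate" and
# "reinstall", see whether files installed by packages have been replaced:
# pacman keeps a manifest of every installed file and `pacman -Qkk` compares
# the filesystem against it. Function names are hypothetical; the sample
# output below is constructed.

# Constructed `pacman -Qkk` output. Config files under /etc and caches such as
# the icon-theme cache legitimately differ; a changed sshd or netstat does not.
sample_qkk() {
cat <<'EOF'
warning: openssh: /etc/ssh/sshd_config (Modification time mismatch)
warning: openssh: /usr/bin/sshd (Size mismatch)
warning: openssh: /usr/bin/sshd (Modification time mismatch)
openssh: 47 total files, 2 altered files
warning: net-tools: /usr/bin/netstat (Size mismatch)
net-tools: 22 total files, 1 altered file
warning: hicolor-icon-theme: /usr/share/icons/hicolor/icon-theme.cache (Modification time mismatch)
hicolor-icon-theme: 3 total files, 1 altered file
coreutils: 230 total files, 0 altered files
EOF
}

# suspicious_altered: reads pacman -Qkk output on stdin, prints "package path"
# for altered files outside /etc and /var (one line per file, sorted).
suspicious_altered() {
    awk '$1 == "warning:" {
        pkg = $2; sub(/:$/, "", pkg)
        if ($3 !~ /^\/(etc|var)\//) print pkg, $3
    }' | sort -u
}

# altered_binaries: the subset of the above that lives where executables and
# libraries do; any hit here means the system's own tools cannot be trusted.
altered_binaries() {
    suspicious_altered | awk '$2 ~ /^\/(usr\/)?(s?bin|lib(32|64)?)\//'
}

# live_check: run on the suspect host, or better from a live image with the
# installed system mounted (pacman -r /mnt -Qkk), since a kernel-level rootkit
# can lie to anything run from the infected system.
live_check() {
    echo "== altered package files outside /etc and /var"
    pacman -Qkk 2>&1 | suspicious_altered
    echo "== altered binaries and libraries"
    pacman -Qkk 2>&1 | altered_binaries
    # rkhunter: --disable none overrides DISABLE_TESTS from rkhunter.conf so every
    # test runs. Never run --propupd on a suspect host: it would record the
    # current, possibly tampered, file properties as the known-good baseline.
    rkhunter --check --skip-keypress --report-warnings-only --disable none
}

# Live run as root: LIVE=1 sh integrity.sh
if [ "${LIVE:-0}" = 1 ]; then
    live_check
fi
```

On the constructed sample the first filter keeps three files and the second narrows them to /usr/bin/sshd and /usr/bin/netstat; a modified netstat is exactly the case where the output the thread started from could itself be incomplete. A match here settles the reinstall question, but a clean result does not: pacman only knows about files it installed, so a dropped binary in /tmp or a kernel module hiding its own files will not appear.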

#14 2012-12-09 19:15:42

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Why is my machine sending / receiving a lot of data to the Internet?

What is the output of netstat -p
??



#15 2012-12-09 20:46:44

moetunes
Member
From: A comfortable couch
Registered: 2010-10-09
Posts: 1,033

Re: Why is my machine sending / receiving a lot of data to the Internet?

This thread is very slow to open, it hangs on the first post. There doesn't seem to be too many lines in the code tag though.



#16 2012-12-09 20:53:28

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Why is my machine sending / receiving a lot of data to the Internet?

moetunes wrote:

This thread is very slow to open, it hangs on the first post. There doesn't seem to be too many lines in the code tag though.

There were some commands in square brackets, like sudo; not sure if that is the cause, but I removed them to be safe...

Turns out, the dump was several thousand lines long, hence the delay loading



#17 2012-12-09 22:19:24

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Why is my machine sending / receiving a lot of data to the Internet?

Leonid.I wrote:

@cfr:
What do you expect a firewall to do? You do realize that for a simple ssh and web server facing the internat you don't need a firewall, if there are no specific access requirements to the services, right? Besides, the box is NATed and the router provides a firewall.

Indeed. The fact that the box is behind a router emerged in response to my question/comment about the firewall. I never said that the router did not provide this. (Although routers do vary and anything being forwarded to the box is obviously not firewalled. Depending on the router, you might or might not be able to make the controls there as fine-grained as you could using iptables. With the router I've got, you have very little fine-grained control, so it would certainly make sense to run iptables if you wanted more control.)

I completely agree that blocking particular ips is pointless.

Leonid.I wrote:

@hunterthomson:
Great lesson from microsoft: if it doesn't work -- reinstall, it's all because of an angry virus. Before assuming that apache/samba is hacked, perhaps it is wise to learn about configs first...

As far as I can tell, nobody has suggested that a virus is involved. The suggestion is that a rootkit is involved. That is hardly the same. If that's the case, then learning to configure things securely is clearly wise but reinstalling is likely to be the only way to be certain the system is trustworthy simply because the system is compromised in that case. Configuring the services correctly will not do any good if there's a rootkit inside.

This is not to say that forensics is not a good idea prior to reinstalling. I guess that will depend on a whole range of factors.



#18 2012-12-09 23:36:36

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Why is my machine sending / receiving a lot of data to the Internet?

Leonid.I wrote:

@hunterthomson:
Great lesson from microsoft: if it doesn't work -- reinstall, it's all because of an angry virus. Before assuming that apache/samba is hacked, perhaps it is wise to learn about configs first...

Who said "it doesn't work" ?

The OP said...

dxxvi wrote:

After a few hours of running, my machine starts receiving and sending data from and to the Internet at about 275kbps each way (the maximum speed that my Internet connection supports). Here is what I saw. . .

>here he showed his box doing what looked like a port scan of a whole China IP subnet from a process owned by the root user<

Rootkit or no rootkit, someone other than him can perform actions on his box as the root user. At that point you MUST assume that the whole box is compromised until you can prove otherwise. Not the other way around, i.e. assume the box is not compromised until you prove it is.

I wish more people learned that lesson from Microsoft.



#19 2012-12-10 00:29:22

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Why is my machine sending / receiving a lot of data to the Internet?

In fact, it all seems to be working only too well - just not for the OP :(

Last edited by cfr (2012-12-10 00:30:00)




Powered by FluxBB