LinuxQuestions.org
Forum: Linux - Security (for all security related questions: questions, tips, system compromises, firewalls, etc.)
Old 08-31-2007, 10:24 PM   #1
arindom (Member; Registered: Nov 2006; Location: India; Distribution: Ubuntu 11.04; Posts: 165)
What's being Downloaded?


Distro: OpenSuse 10.2

It would be very helpful to know if there is any way to find out what's being downloaded. For the last couple of days I find at times something is getting downloaded while I am neither updating nor downloading anything from any site.

Thanks for your help.
 
Old 09-01-2007, 01:34 AM   #2
anonymous-coward (LQ Newbie; Registered: Aug 2007; Posts: 3)
I'd first run netstat to see what your computer has active connections with. If it's connected to something unfamiliar I'd then start logging with Wireshark to figure out what exactly is going on.

If you think something fishy is going on I'd run Wireshark on a separate computer that can be trusted on the same network.
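The netstat step suggested above, as an added example that is not part of the original thread: a small POSIX shell script that turns `netstat -tunp` style output into a per-remote-host summary with the owning program, and flags any host that is not on a list the owner already recognises. The netstat lines, the KNOWN_HOSTS list, the program names and the addresses are constructed samples (documentation address ranges), not output from anyone's machine; on a real system you would pipe `netstat -tunp` (run as root so the PID/program column is filled in) into `summarize_connections`.

```shell
#!/bin/sh
# Added example (not from the thread): summarise established connections from
# `netstat -tunp` style output, grouped by remote host and owning program, and
# mark hosts that are not in a list of addresses the owner already knows.

# Constructed sample of what `netstat -tunp` prints (not real output).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:45120      203.0.113.5:80          ESTABLISHED 2214/firefox-bin
tcp        0      0 192.168.1.10:45121      203.0.113.5:80          ESTABLISHED 2214/firefox-bin
tcp        0      0 192.168.1.10:51002      198.51.100.77:443       ESTABLISHED 3301/y2base
tcp        0      0 192.168.1.10:52200      192.0.2.44:6667         ESTABLISHED -
udp        0      0 192.168.1.10:123        198.51.100.10:123       ESTABLISHED 990/ntpd'

# Constructed allow-list: hosts the owner recognises (an update mirror and an
# NTP server in this sample). Anything else is reported as UNKNOWN.
KNOWN_HOSTS='198.51.100.77 198.51.100.10'

# summarize_connections: read netstat output on stdin and print one line per
# remote-host/program pair as "<count> <remote ip> <program> <KNOWN|UNKNOWN>".
# Header lines are skipped by only accepting rows whose protocol is tcp*/udp*.
# Note: the port is stripped with a trailing ":digits" match, which works for
# IPv4 and for "addr:port" style IPv6 rows as netstat prints them.
summarize_connections() {
    awk -v known="$KNOWN_HOSTS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }
        {
            remote = $5; sub(/:[0-9]+$/, "", remote)   # drop the remote port
            prog = $NF; sub(/^[0-9]+\//, "", prog)     # drop the PID, keep the name
            if (prog == "-") prog = "(not-visible)"    # netstat prints "-" without root
            count[remote " " prog]++
        }
        END {
            for (key in count) {
                split(key, parts, " ")
                print count[key], key, ((parts[1] in ok) ? "KNOWN" : "UNKNOWN")
            }
        }' | sort -k2,2
}

# unknown_remotes: only the remote addresses that are not in KNOWN_HOSTS,
# one per line, deduplicated. These are the ones worth looking up next.
unknown_remotes() {
    summarize_connections | awk '$NF == "UNKNOWN" { print $2 }' | sort -u
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | summarize_connections
echo "--- unknown remotes ---"
printf '%s\n' "$SAMPLE_NETSTAT" | unknown_remotes
```

The useful output is the pairing of an unfamiliar remote address with the program name: a browser talking to a web server on port 80 is ordinary, while a connection with no visible owning process (the `-` column, which appears when netstat is run without root) is the one to rerun as root and look at. Grow KNOWN_HOSTS as you confirm which addresses belong to your distribution's update servers, NTP pool and similar.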
 
Old 09-01-2007, 03:26 AM   #3
arindom (Original Poster; Member; Registered: Nov 2006; Location: India; Distribution: Ubuntu 11.04; Posts: 165)
Thanks for your suggestions. I have tried netstat earlier; it's a great tool, but not being an expert I have not understood the output of netstat properly.

I will start knowing more about Wireshark. In the meantime I came to know about iptraf. It's also a very helpful tool.

Thanks for your help.
 
Old 09-01-2007, 05:55 AM   #4
unSpawn (Moderator; Registered: May 2001; Posts: 27,310; Blog Entries: 54)
Quote:
Originally Posted by arindom
For the last couple of days I find at times something is getting downloaded while I am neither updating nor downloading anything from any site.
How does this manifest itself then?
Or what hunches do you have?
Or what "seems wrong"?

What (publicly) accessible services does this server provide?
Is all software updated when updates are available?
Is the server hardened?
Is the server audited in any way?
Do the system and daemon logs or login records show any "weird" activity?
 
Old 09-01-2007, 09:11 AM   #5
arindom (Original Poster; Member; Registered: Nov 2006; Location: India; Distribution: Ubuntu 11.04; Posts: 165)
No, I have not noticed any weird activity yet. I noticed the downloading because I observed Kwmnet, which showed a download going on. I checked Netstat also and found one particular IP, which I thought the odd one out. I have marked that IP and I will keep on looking for it. Since then nothing weird has happened.

Regarding the updates, I still have not installed all the updates.

From the Netstat output I could not gather what was being downloaded and what the file is.
 
Old 09-01-2007, 12:11 PM   #6
coolb (Member; Registered: Apr 2006; Location: Cape Town, South Africa; Distribution: Gentoo 2006.1 (2.6.17-gentoo-r7); Posts: 222)
iptraf works
 
Old 09-02-2007, 02:58 AM   #7
unSpawn (Moderator; Registered: May 2001; Posts: 27,310; Blog Entries: 54)
Shame you managed to read or reply to only half of my questions.
 
Old 09-03-2007, 02:25 AM   #8
arindom (Original Poster; Member; Registered: Nov 2006; Location: India; Distribution: Ubuntu 11.04; Posts: 165)
Quote:
Originally Posted by unSpawn
Shame you managed to read or reply to only half of my questions.

I am really ashamed that I have "managed to read or reply to only half of your questions". I apologize to you if I have wasted your time and the time of those who might be reading this post. Actually, being a basic level user, I couldn't understand those parts of your questions which I have not replied to.

If I look back at your question and to my reply then I find that the questions were:

Quote:
Originally Posted by unSpawn
How does this manifest itself then?
Or what hunches do you have?
Or what "seems wrong"?

What (publicly) accessible services does this server provide?
Is all software updated when updates are available?
Is the server hardened?
Is the server audited in any way?
Do the system and daemon logs or login records show any "weird" activity?
My reply to part of your question that I could understand was:
'How does this manifest itself then?
Or what hunches do you have?
Or what "seems wrong"?'

My answer to this (what "seems wrong"?) was "No I have not noticed any weird activity yet. I noticed the downloading because I observed Kwmnet, which showed a downloading going on. I checked Netstat also and found one particular IP, which I thought the odd one out. I have marked that IP and I will keep on looking for it. Since then nothing weird has happened." I presumed the above question as one because you used "or".

I failed to understand the following part and thus couldn't reply:
a) "What (publicly) accessible services does this server provide?"
b) "Is the server hardened? Is the server audited in any way?"
c) "Is the server audited in any way?"

I tried to reply on the following part of your question.
a) "Is all software updated when updates are available?"
b) "Do the system and daemon logs or login records show any "weird" activity?"

My reply was:
"No I have not noticed any weird activity yet. I noticed the downloading because I observed Kwmnet, which showed a downloading going on. I checked Netstat also and found one particular IP, which I thought the odd one out. I have marked that IP and I will keep on looking for it. Since then nothing weird has happened.

Regarding the updates, I still have not installed all the updates.

From the Netstat output I could not gather what was being downloaded and what the file is."

Maybe I made a mistake in assuming that you will understand why I am not replying to some of your questions. I hope I have explained my position.

Coming back to my original question on what's being downloaded, I think "iptraf" is good, which coolb has also replied as "iptraf works". It would be great for me if you can comment more on "iptraf".

I would finish off by asking you a simple question:
Do you feel you have correctly used the word 'shame' in your reply? I think you could have asked the same question in the following manner:
"If you can answer all my questions that would certainly help in solving the problem".

Thank you.
 
Old 09-07-2007, 01:45 AM   #9
walla299 (Member; Registered: Jul 2007; Location: Phoenix, AZ, US; Distribution: OpenSuse 11.1 x64 (KDE 4.3); Posts: 35)
I have noticed similar behavior with SUSE 10.2 on my system (Dual boot with XP). I'm using the KDE desktop and have noticed the activity also. I have no home network, just the laptop connected to a cable modem at home and dial-up when on the road. The firewall is up, and no servers running.

The download activity is at a low rate, 1-2 kB/s or so, and stops and starts. It is not continuous, and only happens on the eth0 interface when hooked up to the cable modem. It doesn't happen on the ppp interface and it shows no activity unless FF or another program is accessing the net. Tried booting from a Knoppix DVD, and I don't get this activity when running Knoppix or Windows XP. This seems to be happening only in SUSE, and only on my on board eth0 interface.

Have already installed iptraf and wireshark and will do some captures to gather some data once I get home.

I'm not sure what was meant by a "hardened" server.

Last edited by walla299; 09-07-2007 at 06:06 AM.
 
Old 09-08-2007, 01:46 AM   #10
arindom (Original Poster; Member; Registered: Nov 2006; Location: India; Distribution: Ubuntu 11.04; Posts: 165)
I think iptraf is good. I tried iptraf, chose "all connections" and it instantly showed me all the connections. Although it's not a direct solution to the problem that I mentioned, through iptraf I can now find out the IPs and get an idea of what's going on.

Thanks for mentioning wireshark. I will check that also.
 
Old 09-08-2007, 04:46 AM   #11
Gethyn (Member; Registered: Aug 2003; Location: UK; Distribution: (X)Ubuntu 10.04/10.10, Debian 5, CentOS 5; Posts: 900)
I've never used SUSE, but it's possible the traffic is yast periodically checking with SUSE's servers to see if there are any new updates available. unSpawn's question about publicly accessible servers might be relevant: he was asking if you are running any internet server programs, such as a web or mail server, or an ssh or ftp daemon. For hopefully obvious reasons, a web server or mail server may well have internet traffic even if you're not accessing the net yourself. If you're running an ssh server for remote access, and someone else is trying to find a login for it, it may be worth taking some extra security measures to prevent a brute force attack from succeeding.

A hardened server has extra security set up on it, I think including things such as SELinux and AppArmor. I've no idea if any of these things are enabled on SUSE by default or not.
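The two questions behind this reply and behind unSpawn's checklist above (which services are reachable from outside the host, and whether anyone is hammering an ssh daemon), as an added example that is not part of the original thread. The script parses constructed `netstat -tulnp` style output to list services bound to all interfaces rather than loopback only, and constructed sshd log lines (in the `/var/log/messages` format of the time) to count failed logins per source address. The hostnames, PIDs, addresses, usernames and the threshold of 3 are all made-up sample values.

```shell
#!/bin/sh
# Added example (not from the thread): two quick defender-side checks.
# 1) exposed_services: which listening sockets are bound to every interface
#    (0.0.0.0 or ::) and therefore reachable from the network, with the program.
# 2) failed_logins_by_source: how many sshd "Failed password" lines each
#    source address produced, flagging sources at or above a threshold.

# Constructed sample of `netstat -tulnp` output (not from a real machine).
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1122/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1340/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1501/httpd2-prefork
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1290/master
tcp6       0      0 :::22                   :::*                    LISTEN      1122/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           990/ntpd'

# Constructed sshd log lines in syslog format (not from a real machine).
SAMPLE_AUTHLOG='Sep  7 01:12:01 linux sshd[5120]: Failed password for invalid user admin from 192.0.2.99 port 40122 ssh2
Sep  7 01:12:03 linux sshd[5122]: Failed password for invalid user oracle from 192.0.2.99 port 40130 ssh2
Sep  7 01:12:05 linux sshd[5124]: Failed password for root from 192.0.2.99 port 40141 ssh2
Sep  7 01:12:08 linux sshd[5126]: Failed password for root from 192.0.2.99 port 40150 ssh2
Sep  7 08:30:11 linux sshd[6001]: Accepted publickey for arindom from 192.168.1.20 port 51000 ssh2
Sep  7 08:31:40 linux sshd[6010]: Failed password for arindom from 192.168.1.20 port 51004 ssh2'

# exposed_services: print "<proto> <port> <program>" for sockets bound to the
# wildcard address. Loopback-only services (127.0.0.1, ::1) are left out since
# they are not reachable from the network. Header lines are skipped because
# only rows whose first field starts with tcp/udp are considered.
exposed_services() {
    awk '$1 !~ /^(tcp|udp)/ { next }
         {
             laddr = $4
             n = split(laddr, p, ":"); port = p[n]            # text after the last colon
             addr = substr(laddr, 1, length(laddr) - length(port) - 1)
             if (addr == "0.0.0.0" || addr == "::") {
                 prog = $NF; sub(/^[0-9]+\//, "", prog)        # drop the PID prefix
                 print $1, port, prog
             }
         }'
}

# failed_logins_by_source: count sshd "Failed password" lines per source IP and
# print "<count> <ip> <BRUTE-FORCE?|ok>", most failures first. The threshold
# is the first argument (default 3) and is a constructed sample value.
failed_logins_by_source() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                print fails[ip], ip, (fails[ip] >= t ? "BRUTE-FORCE?" : "ok")
        }' | sort -rn
}

# Stand-alone run on the constructed samples:
echo "--- services reachable from the network ---"
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_services
echo "--- failed ssh logins by source ---"
printf '%s\n' "$SAMPLE_AUTHLOG" | failed_logins_by_source 3
```

On a real host, feed `netstat -tulnp` (as root) to the first function and your sshd log to the second; a single user mistyping a password once looks very different from one address failing against several usernames in a few seconds, which is the pattern the threshold is meant to surface.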
 
Old 09-08-2007, 07:37 PM   #12
walla299 (Member; Registered: Jul 2007; Location: Phoenix, AZ, US; Distribution: OpenSuse 11.1 x64 (KDE 4.3); Posts: 35)
Checked this out with iptraf, and with Wireshark. It seems that the KTraffic Analyzer and some of the kicker apps are picking up the other activity on the network. It's mostly ARP activity, but there are some other things in there also. Netstat, etc. show no connections to the network that shouldn't be there, like ntp, yast updating from the security servers, and things like that. I can post some examples if you like but I don't think it will be necessary.

I would like to find out if this is "normal" behavior for the kicker apps or if I've got something configured wrong, though. If nothing else, I've learned some more about networking in Linux so the time is not wasted.

 
Old 09-08-2007, 10:04 PM   #13
arindom (Original Poster; Member; Registered: Nov 2006; Location: India; Distribution: Ubuntu 11.04; Posts: 165)
Thanks Gethyn for explaining things.

Since I installed iptraf, I can monitor the network activities better. So whenever I feel that some processes might be using the net, I try to check which one might be using the Net. In my system AppArmor is installed.
 
All times are GMT -5.