LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-09-2019, 12:46 PM   #1
emerald1475
LQ Newbie
 
Registered: May 2019
Posts: 1

Rep: Reputation: Disabled
Computer connecting to malicious IPs


Linux forums>

Setup ->

Linux Mint 19, ubuntu, ubuntu MATE on one drive

Windows 10 on the second

Problem ->

PC connects to 192.241.240.89 on startup

https://www.virustotal.com/#/ip-address/192.241.240.89

Also, when opening browser, PC connects to 93.184.220.29

https://www.virustotal.com/#/ip-address/93.184.220.29

Attempts ->
Ran multiple anti-rootkit scanners on the Windows 10 drive, with no positives

Created a new partition table on the linux drive and re-installed Linux Mint 19 with root and swap partitions

Added windows defender and ufw rules for both IPs

Sophos and Clam-AV full system scans

Rkhunter scan, which produced some warnings, but I'm not sure how to act on them further than I have:

Checking for suspicious (large) shared memory segments [ Warning ]

Checking for hidden files and directories [ Warning ]

Suspect files: 0
Rootkit checks...
Rootkits checked : 480
Possible rootkits: 6

However, these haven't worked so far. I am not sure what the next steps would be. I am considering wiping both drives, but I would like to avoid this.

Thanks for any help
 
Old 05-09-2019, 02:12 PM   #2
joe_2000
Senior Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 1,016

Rep: Reputation: 308
If I understand you correctly, the problems you are having are related to the Windows installation?

If so, you'd better post this question in a Windows-related forum. That being said: on an important system that has been compromised I'd never trust some antivirus to clean it. Nuke and pave is the way to go imho.

If on the other hand you find that unexpected connections to remote servers are being made under the linux installation, you might want to run something like
Code:
sudo netstat -A inet -p
to find the offending process.
 
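The netstat step above maps a remote address back to the local process that opened the connection. As an added example (not code from the thread or any of its participants), the script below does that mapping for a watchlist holding the two IPs from the first post, and parses either the `netstat -A inet -p` layout or the `ss -tunap` layout that newer distributions ship instead. The sample connection lines, PIDs and program names are constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Map connections to watchlisted
# remote IPs back to the owning PID/program. Accepts either layout:
#   netstat -A inet -p : Proto Recv-Q Send-Q Local Foreign State PID/Program
#   ss -tunap          : Netid State Recv-Q Send-Q Local Peer Process
# Run as root so the PID/program column is filled in for other users' sockets.

WATCHLIST="192.241.240.89 93.184.220.29"   # the two IPs from the first post

# find_peers: reads a connection table on stdin, prints "peer_ip pid program"
# for every line whose peer address is on the watchlist.
find_peers() {
    awk -v list="$WATCHLIST" '
    BEGIN { n = split(list, ips, " "); for (i = 1; i <= n; i++) watch[ips[i]] = 1 }
    /^(tcp|udp)/ {
        if ($2 ~ /^[0-9]+$/) {
            # netstat layout: second column is Recv-Q, last column is PID/Program
            # (or "-" when netstat was not run as root)
            peer = $5; pid = $NF; name = $NF
            sub(/\/.*/, "", pid); sub(/^[0-9]+\//, "", name)
        } else {
            # ss layout: sixth column is Peer; process info looks like
            # users:(("name",pid=N,fd=M)) and is absent without -p or root
            peer = $6; pid = "?"; name = "?"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                name = s; sub(/^users:\(\("/, "", name); sub(/",pid=.*/, "", name)
                pid = s; sub(/.*pid=/, "", pid)
            }
        }
        sub(/:[^:]*$/, "", peer)          # drop the :port suffix (IPv4 form)
        if (peer in watch) print peer, pid, name
    }'
}

# Constructed sample (one line per layout, plus an unrelated connection)
# so the script runs offline; nothing here was captured from a real host.
SAMPLE='tcp   ESTAB 0      0      192.168.1.10:53422   93.184.220.29:443   users:(("firefox",pid=2345,fd=88))
tcp        0      0 192.168.1.10:51200     192.241.240.89:443      ESTABLISHED 1877/python3
tcp        0      0 192.168.1.10:51201     10.0.0.5:22             ESTABLISHED 2001/ssh'

case "${1:---demo}" in
    --demo) printf '%s\n' "$SAMPLE" | find_peers ;;   # prints the two watchlisted peers
    --live) ss -tunap | find_peers ;;                 # real check: run as root
esac
```

Run it with no arguments to see the constructed sample classified, or with `--live` (as root) to read the live socket table. A process you do not recognise owning one of these connections is the lead to chase; a browser owning the 93.184.220.29 connection only on browser start, as the first post describes, points at something the browser itself fetches rather than at a separate implant.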
Old 05-09-2019, 02:37 PM   #3
RickDeckard
Member
 
Registered: Jan 2014
Location: Canton, Georgia, USA
Distribution: Debian 12
Posts: 205

Rep: Reputation: Disabled
Rkhunter is a combination signature/anomaly-based checker; it's up to you to determine whether or not those are false positives. A false positive could be caused by as little as installing a new version of a core Linux program such as bash. I'd be more concerned if you had active rootkit strings being found in the second part of the scan - after file integrity checks and before suspicious activity checks.

You can check to see what kind of data you're sending - if anything even is going out - to these IPs with tcpdump or something similar.

I can't speak for Windows, but monitoring inode numbers of partitions/files from packages can help if rkhunter doesn't fill you with enough confidence. It's possible for a malicious party to fake atime, mtime and ctime of a co-opted file to cover their tracks, but not so much the inodes themselves.

Of course this last is purely academic and in 90% of cases going to that extent to answer the question of *if* you are compromised isn't needed.
 
Old 05-09-2019, 08:16 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,317
Blog Entries: 28

Rep: Reputation: 6140
I'm not as skeptical of AV programs, joe_2000, but I would recommend downloading a reputable AV program on another computer, burning the installation routine to disk, and disconnecting your computer from the network before scanning. Even if the AV wants to connect to the net for an upgrade, run a scan first.

You may find this article helpful: https://www.computerweekly.com/tip/T...re-for-Windows
 