Data Rate transmission discrepancy suggesting hijack
Hi,
I think my computer has been hijacked. I have a miserable dialup service here in rural Ireland that operates at max. 5-6 Kb/s (usual is 3 Kb/s).
Recently I have been uploading photos onto Picasa, at Gmail, and noticed several times that a larger amount of traffic was going through on the Receive portion of the "Data Rate" Kinternet panel rather than the Send portion. No other connections were open and I was receiving nothing (that I know about). I have a solitary desktop and run Suse 10.2.
This evening, whilst uploading some photos, it was painfully obvious that something wasn't exactly right.
The Receive data rate showed an Rx rate of 3.5 Kb/s (average) and Transmit a data rate of about 100 B/s Tx.
I let the program run out and watched as the photos were uploaded. At that point, the Tx dropped to zero and the Receive was boosted up to almost 5 Kb/sec. I watched this for a short time and it gave no indication of slacking. I then terminated the connection.
I am pretty much of a Newbie and would like to know:
1/ Does this mean with certainty that I've got a problem ?
2/ If it does, how can I ascertain what the problem is ?
Any help is much appreciated.
drmjh
Quote:
1/ Does this mean with certainty that I've got a problem ?
yeah, most likely... we'd need to know more in order to say it's a security breach, though...
Quote:
2/ If it does, how can I ascertain what the problem is ?
let's start by having a look at what this command's output looks like while the problem is manifesting itself (make sure you run the command as root):
Code:
netstat -pantu
try to not have anything else using the network when you run this test... that way it'll be much easier to spot which program is connecting and to where... also, make sure your terminal window is maximized when you do this, because if not then the copy/paste will be missing some details...
a few questions which would be great if you could comment on: when did this start? was it after you did something specific? is your box firewalled? does anyone else have an account on it? have you seen anything funny in any log files recently? do you have an ssh daemon running on it (or any other daemon for that matter)? if possible, let us see the outputs of these commands also:
Code:
ps aux
Code:
iptables -nvL
BTW: please remember to use [ code ] tags when you post command outputs...
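As an added example (not from the thread), here is a small POSIX shell script that does by hand what the reply above asks the poster to do by eye: pull the ESTABLISHED connections out of `netstat -pantu` output and name the PID and program that owns each one, and separately list the daemons that are listening on something other than loopback (the "do you have an ssh daemon or any other daemon running" question). The sample output embedded in the script is constructed to resemble the line the poster pasted later in the thread; on a live box you would feed the functions real `netstat -pantu` output (or `ss -pantu` on current distributions) captured as root, since without root the PID/Program column is blank for sockets owned by other users.

```shell
#!/bin/sh
# Added example: triage `netstat -pantu` output offline.
# SAMPLE is constructed for the example; replace it with real output, e.g.
#   SAMPLE=$(netstat -pantu 2>/dev/null)      # run as root
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      3210/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3300/master
tcp        0      0 159.134.157.54:1308     80.237.136.138:80       ESTABLISHED 8766/parse-metadata
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2950/dhcpcd'

# established: one line per ESTABLISHED socket, with the owning pid and program
# split out of the "PID/Program name" column. Header lines do not start with
# tcp/udp, so they are skipped by the first pattern.
established() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)/ && $6 == "ESTABLISHED" {
        split($7, pp, "/")
        printf "%s %s -> %s pid=%s prog=%s\n", $1, $4, $5, pp[1], pp[2]
    }'
}

# exposed_listeners: listening sockets bound to anything other than loopback.
# UDP lines have no State column, so the program name is field 6, not 7.
# Host and port are split on the last ":" so IPv6 addresses also work.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
            prog = ($1 ~ /^tcp/) ? $7 : $6
            host = $4; sub(/:[^:]*$/, "", host)
            port = $4; sub(/.*:/, "", port)
            if (host != "127.0.0.1" && host != "::1") print port, prog
        }'
}

echo "== established connections (what is talking, and to whom) =="
established "$SAMPLE"
echo "== listeners reachable from the network (daemons to account for) =="
exposed_listeners "$SAMPLE"
```

Each established line gives you the PID to chase with `ps -p <pid> -o pid,ppid,user,cmd` and the remote address to reverse-resolve, which is exactly the path the thread follows for the `8766/parse-metadata` connection. A listener on 0.0.0.0 that you did not knowingly start deserves the same scrutiny; one bound only to 127.0.0.1 is not reachable from the dialup link.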
mathay is the sole user on this machine. I noticed a discrepancy one other time, about 6 months ago, when the data continually showed Receiving while the mail program had finished downloading the mail. I watched for a while to make sure I was seeing correctly and it continued until I terminated the connection. I do have a simple firewall activated through YaST. I hate to admit it, but 99% of what I see when I seldom look at a log file is opaque to me.
I'll try to run the netstat -pantu this evening.
Thanks much for your help.
drmjh
Well, I don't know whether to laugh or cry. I tried at least 6 times yesterday and in the evening to tempt my hijacker(?) to usurp the transmission but was unable to see the same discrepancy I have in the past. I'll continue to monitor things and see what happens.
BTW, I can't seem to send a message if it's wrapped in quote tags. I get an error message that the "Msg. is too short". This also happened yesterday when I tried to wrap the message in code tags. That was resolved by choosing the option 'ADVANCED'.
cool, let us know how it goes... meanwhile, it probably wouldn't be a bad idea to run Rootkit Hunter through your system and see if it spots anything suspicious...
tcp 0 0 159.134.157.54:1308 80.237.136.138:80 ESTABLISHED 8766/parse-metadata
let's focus on this one, as it's the only established connection at the time you ran netstat... parse-metadata seems to be the name of a process that's part of zmd (which is one of the other processes you are running)... this isn't anything factual, it's just the impression i got after a quick google... but let's assume that is correct for a second... i am not familiar with suse and its tools, but zmd seems to be some kind of update manager (i'm not sure)... if you go to the remote IP with which the connection was established, it does look like a mirror, and it does have a suse directory... the IP reverse-resolves to ftp.hosteurope.de... the domain hosteurope.de checks out at siteadvisor.com... based on these things, i think your next step should be to see if disabling zmd stops the weird network activity...
I think you are on to something. I'm not sure what zmd stands for, but I do have a pesky 'auto online update Mgr' icon in my kicker. Back in Suse 10.0, I engaged this by mistake and can't seem to locate it to disable it. Since it hasn't been pestering me to 'Update' etc. since 10.1, I thought it was inactive. It would make sense that this is usurping my meagre bandwidth intermittently. Last night, I 'quit' the 'auto-online-updater' and then went to Google to upload photos, something that consumes every inch of bandwidth and which slows to impossible if the BW is compromised. The upload went smoothly and quicker than usual. I'll work on finding out where I can permanently disable this process (cron? some config?) and see how it goes. I did download the rootkit hunter and detarred it. I'll put off using it until it looks like I need to.
Many thanks for your help. BTW, I just got April's Linux Mag. and it is featuring "Detecting Intruders". There is a neat "Port Monitoring Script" in awk and a Perl module which takes advantage of the kernel's 'inotify' interface.
Now, if I only really understood what the output actually means... sigh
I located zmd and it is a daemon found in /etc/sysconfig/zmd.
Trouble is, I can't seem to read anything in it, i.e., cat or view doesn't return info I can use?
before you permanently disable zmd, you could do a test by doing a kill on its process number or by doing a:
Code:
killall zmd
while the problem is happening...
that should let you see if killing that process stops the bandwidth usage right away... i'm not sure how to permanently disable zmd (maybe chmod 644 its init file?), but googling for "disable zmd" should provide the necessary clues i think...
Hi,
A quick trip to the Suse site provided the answer I needed.
Through YaST -> System Services (Runlevel) -> disable Novell ZEN.
It makes a big difference!
Many thanks for your answer, I would still be thrashing around looking for a worm/intruder etc. without it.
drmjh