How can i know what programm generates virus traffic to 127.0.0.1 ?

james.brown · 02-27-2015, 06:00 AM

How can i know what programm generates virus traffic to 127.0.0.1 ?

Please, watch screenshot from wireshark for more information about virus traffic.
I have iptables, who blocked this traffic.

I want delete software, who generates virus traffic, how can i do it?

273 · 02-27-2015, 06:13 AM

What makes you think this is the result of a virus?
Plenty of things could generate traffic to localhost including, if memory serves me correctly, X11.

james.brown · 02-27-2015, 06:24 AM

well.

how to find out what PID of process generates this traffic?

273 · 02-27-2015, 06:28 AM

Something like:

Code:

netstat -tupl

As root (or with sudo, as appropriate).

james.brown · 02-27-2015, 06:31 AM

i get next strings:

Quote:

root@james:/home/james# netstat -tupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 user:domain *:* LISTEN 1579/dnsmasq
udp 0 0 user:domain *:* 1579/dnsmasq
udp 0 0 *:bootpc *:* 1372/dhclient
udp 0 0 *:55572 *:* 1372/dhclient
udp6 0 0 [::]:38718 [::]:* 1372/dhclient

cepheus11 · 02-27-2015, 06:34 AM

localhost (127.0.0.1) is your local machine. The screenshot shows something talking from your machine to something on your machine. That is normal in most cases. More specifically, tcp port 631 is the printing service, which is most likely implemented by "cups". If you want to get rid of that traffic (on your machine), stop the service "cupsd" or search an installed package like "cups" and uninstall. You will not be able to print though. I would recommend keeping everything as it is if you do not know exactly what you are doing.

james.brown · 02-27-2015, 06:39 AM

no no no..this is virus traffic, because,
in iptables i was allowed traffic from "localhost my pc" to "localhost my PC"
and blocked from "localhost my pc" to "localhost other pc".

in next screenshot we can view next situation: we have traffic from localhost to "ipp" ..and traffic want send "syn" packets for generate connection...and connect is false, because we get answer with "rst,ack" packets.

273 · 02-27-2015, 06:40 AM

Quote:

Originally Posted by james.brown

i get next strings:

Looks fine to me, what makes you worried?

james.brown · 02-27-2015, 07:12 AM

what is "ipp"?

cepheus11 · 02-27-2015, 07:14 AM

Quote:

Originally Posted by james.brown

in next screenshot we can view next situation: we have traffic from localhost to "ipp"

You are confusing "ipp" (the port/protocol) with "localhost" (the host). The first red line shows a packet from localhost:ipp to localhost:54420. Perfectly normal for an answer of your local printing service to some program querying the printers or jobs.

273 · 02-27-2015, 07:20 AM

Please just read the documentation for the program you are using to view these things rather than claiming to have a virus.
Sorry if that is a little abrupt but posts by people who "have a virus" without a shred of evidence are frequent and are extremely harmful to Linux as a whole as they are much like "The Boy Who Cried 'Wolf!'" In that when somebody actually does have a problem they can be dismissed.
So, again, please do not post unsubstantiated virus claims out of ignorance and please read some documentation.

cepheus11 · 02-27-2015, 07:27 AM

Quote:

Originally Posted by james.brown

what is "ipp"?

Internet Printing Protocol

james.brown · 02-27-2015, 07:27 AM

no no no..it is not cups.

i get next strings with command "netstat -tuwapn":

Quote:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1579/dnsmasq
udp 0 0 127.0.1.1:53 0.0.0.0:* 1579/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 1372/dhclient
udp 0 0 0.0.0.0:55572 0.0.0.0:* 1372/dhclient
udp6 0 0 :::38718 :::* 1372/dhclient

result has not cups.

273 · 02-27-2015, 07:35 AM

Quote:

Originally Posted by 273

Please just read the documentation for the program you are using to view these things rather than claiming to have a virus.
Sorry if that is a little abrupt but posts by people who "have a virus" without a shred of evidence are frequent and are extremely harmful to Linux as a whole as they are much like "The Boy Who Cried 'Wolf!'" In that when somebody actually does have a problem they can be dismissed.
So, again, please do not post unsubstantiated virus claims out of ignorance and please read some documentation.

Please just read some documentation.

Habitual · 02-27-2015, 09:00 AM

Says Destination Port 631. Cups. Printer.