Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have read through the list of processes several times. I don't see anything that looks out of the ordinary: no strange processes, nothing appears to be running as root that I wouldn't expect, etc. You do seem to have a lot of terminal prompts open and have stuff going on in the tty windows you get from the ctrl-Fx windows, but as long as this is your usage it isn't indicative of a compromise. If you are only running one desktop, with one application open it may be another story. Again, it is interesting that multiple window managers have running processes and open files at the same time. The activity is indicative of what I would consider a "power" user on a linux system (e.g. you are using mutt and fetchmail), going beyond normal desktop-like internet browsing, but that is about it.
Given the situation with your router, somebody could have gotten in on the LAN side. Depending on the complexity of your wireless setup, this might not have been too difficult. This would have allowed them to see your machines, and piggyback off your internet service and could explain the bandwidth usage.
One other thing that comes to mind is could it have been a download of a large number of application updates and a kernel update?
Was the activity a one time thing or is it continuing currently?
Answering you in lifo.... The activity is continuing currently.
I see high usage when doing nothing!
Usage is high right now. I have only this machine running.
I'm not a power user (in my opinion). I do keep several tabs open in a terminal emulator (gnome-terminal):
mutt, shell, mc, slrn, iftop etc. But hold everything! You say:
Quote:
Originally Posted by Noway2
You do seem to have a lot of terminal prompts open and have stuff going on in the tty windows you get from the ctrl-Fx windows, but as long as this is your usage it isn't indicative of a compromise. If you are only running one desktop, with one application open it may be another story.
Wow! Your statement above seems to indicate something extraordinary. I'm not consciously running any tty windows with ctrl-Fx and
consciously running only one desktop although I have 3 installed (gnome, xfce and fluxbox).
This is very weird!
I installed ubuntu 10.04 on another set of partitions last night and didn't see the high usage even tho'
I was doing considerable downloading. I'm going to devote the day to set up my workstation on that
OS and monitor activity with iftop. I will report back sometime later.
thanks again
Quote:
Originally Posted by Tim Johnson
Wow! Your statement above seems to indicate something extraordinary. I'm not consciously running any tty windows with ctrl-Fx and
consciously running only one desktop although I have 3 installed (gnome, xfce and fluxbox).
This is very weird!
It does strike me as weird that you have open connections to each of these window managers via an inode stream socket AND it is showing all of them as active processes running. When I wrote my post this morning, I was running on Slackware64-current which also has KDE, Fluxbox, WindowMaker, and a few other desktop managers installed. I was running KDE and only had open sockets and process for KDE, none of the others. It makes me think remote desktop connections, but I don't know what that would look like in the process and connection logs to offer a comparison.
Quote:
Originally Posted by Tim Johnson
I'm going to devote the day to set up my workstation on that
OS and monitor activity with iftop. I will report back sometime later.
I think at this point that is probably a decent idea. If you need to capture packets, you could look into doing so with wireshark or tcpdump, but at this point I think that figuring out where the traffic is headed is probably a key point. You've said that Mint has pretty much always done this, so I think we need to rule out "normal" kinds of phone-home activity. At any rate, some hard data should help.
By the way, I agree with Noway2, there doesn't appear to be anything obviously evil in the ps log.
I've spent the day configuring ubuntu 10.04 on fresh partitions. The first thing I installed was iftop,
since I can read transmitted data and track in real time. Historically, my average usage has been 200 - 250 MB per
day. I'm seeing pretty much that now, down from several times greater on the mint distro. Does it not look
like some serious downloading was going on with mint? Not happening now, only when I so choose. When I get caught up,
maybe I will link the mint forum or LQ/mint forum to this topic with some observations. I know that the
developer for mint actually gets on their forum from time to time. I wonder if I didn't engage some data
gathering device unknowingly..... But I shouldn't be engaged in conjecture.
Thanks for all of the help, I appreciate it very much, I'm not going to call this solved until
I've interacted directly with some mintmeisters.
cheers
tim
Quote:
Originally Posted by Tim Johnson
Does it not look like some serious downloading was going on with mint?
Based on the evidence you've posted so far, there really isn't much to draw a conclusion from. If we look at the facts of the case (and please feel free to correct where I'm wrong):
- Mint is using more bandwidth than expected, or Ubuntu, apparently since initial install
- Machine in question is inaccessible from the Internet
- Logs of netstat and ps show no unusual/unexpected processes
And that's pretty much it. What we're really lacking here is some sort of look at the traffic Mint is generating.
Quote:
Originally Posted by Tim Johnson
Not happening now, only when I so choose.
Could you explain this further? Are you doing something specific that causes Mint to generate traffic?
Quote:
Originally Posted by Tim Johnson
I wonder if I didn't engage some data gathering device unknowingly.....
This is why I've been asking for you to look at the network traffic. There could be some update mechanism gone wild. Knowing where the bulk of the traffic is going may help clear up what process is causing the traffic.
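The step from "which remote host gets the bytes" to "which process owns the connection" is what ss -tnp or netstat -tnp do, and it can be done by hand. The following is an added example, not code posted in this thread by anyone: it decodes /proc/net/tcp (the table those tools read) and matches the socket inode against /proc/<pid>/fd. The function names, the 192.168.1.10 and 93.184.216.34 addresses and the sample table are constructed for illustration; IPv4 TCP only, /proc/net/tcp6 and UDP are not handled.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a remote address from a
# traffic summary, find the local socket and the process holding it, by
# reading /proc/net/tcp (what ss and netstat read) and matching the socket
# inode against /proc/<pid>/fd. IPv4 TCP only; /proc/net/tcp6 and UDP are
# left out. Addresses and the sample table below are constructed.

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order
# (little-endian on x86) and ports as 4 hex digits: "0100007F:0016" is
# 127.0.0.1:22.
hex2ip() {
    addr="${1%%:*}"; port="${1##*:}"
    o4="${addr%??????}"                 # hex chars 1-2 = last octet
    rest="${addr#??}";  o3="${rest%????}"
    rest="${rest#??}";  o2="${rest%??}"
    o1="${addr#??????}"                 # hex chars 7-8 = first octet
    printf '%d.%d.%d.%d:%d\n' "0x$o1" "0x$o2" "0x$o3" "0x$o4" "0x$port"
}

# Kernel TCP state codes (include/net/tcp_states.h).
tcp_state() {
    case "$1" in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "$1" ;;
    esac
}

# Reads /proc/net/tcp-formatted text on stdin; prints "local remote state inode".
decode_tcp_table() {
    while read -r sl local rem st _q _tr _rt _uid _to inode _rest; do
        [ "$sl" = "sl" ] && continue    # header line
        printf '%s %s %s %s\n' "$(hex2ip "$local")" "$(hex2ip "$rem")" \
            "$(tcp_state "$st")" "$inode"
    done
}

# Live only: which PID holds socket inode $1 (root needed to see other users).
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid="${fd#/proc/}"; pid="${pid%%/*}"
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Live only: every TCP socket talking to remote IP $1, with its owner.
who_talks_to() {
    decode_tcp_table < /proc/net/tcp | while read -r local remote state inode; do
        case "$remote" in "$1":*) ;; *) continue ;; esac
        printf '%s -> %s %s inode=%s\n' "$local" "$remote" "$state" "$inode"
        pid_for_inode "$inode"
    done
}

# Constructed /proc/net/tcp excerpt: one connection from 192.168.1.10 to
# 93.184.216.34:80 (inode 40001) and an sshd-style listener (inode 12345).
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:9C41 22D8B85D:0050 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 0 10 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0'

case "${1:-}" in
    "")   ;;                                            # sourced or no args
    demo) printf '%s\n' "$SAMPLE_TCP" | decode_tcp_table ;;
    *)    who_talks_to "$1" ;;
esac
```

Run it as root on the Mint partition with the busiest remote address from the capture as the argument (sh owner.sh 93.184.216.34, say) while the traffic is happening; `demo` decodes the constructed table. A connection that shows up in /proc/net/tcp but has no PID in any /proc/<pid>/fd would itself be worth a closer look.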
Quote:
Originally Posted by Hangdog42
Could you explain this further? Are you doing something specific that causes Mint to generate traffic?
No.
Quote:
Originally Posted by Hangdog42
This is why I've been asking for you to look at the network traffic. There could be some update mechanism gone wild. Knowing where the bulk of the traffic is going may help clear up what process is causing the traffic.
I need a "recipe" for that. I've started the following
Code:
ntop -a ntoplog.txt
but I am unclear as to what to expect. ntop does not appear to be writing to the logfile ntoplog.txt.
Once I have an understanding of how to do the logging, I can reboot to the mint partition and run a logging session
for as long as you think is necessary.
tim
I'm pretty non-conversant with ntop, but my playing around with it a bit suggests you can do dumps of various types from the web interface. Check out the Data Dump entry in the Utils menu of ntop.
As for the length of time to capture, you probably need to let it go long enough to generate the unusual traffic you've seen. From what you've posted, it probably isn't very long.
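Since tcpdump was suggested earlier in the thread and a "recipe" for logging was asked for, here is an added example of one, not code from the thread or from any of its participants: capture headers only for a couple of hours, then rank remote hosts by bytes sent and received. The interface name eth0, the 192.168.1.10 address of the machine under test, the capture file path and the sample tcpdump lines are all assumptions or constructed for the demo; the byte counts are the payload lengths tcpdump prints, not wire bytes, which is enough to find the heavy talker.

```shell
#!/bin/sh
# Added example, not code from the thread. Capture the idle-time traffic with
# tcpdump, then rank remote hosts by bytes in each direction. Everything
# configurable here is an assumption: adjust IFACE and LAN_HOST to the machine.

IFACE="${IFACE:-eth0}"                      # assumed interface name
LAN_HOST="${LAN_HOST:-192.168.1.10}"        # assumed address of the Mint box
PCAP="${PCAP:-/tmp/idle-capture.pcap}"      # assumed capture file

# Step 1 (needs root): record headers only for N seconds. -nn avoids DNS
# lookups that would themselves generate traffic; -s 96 keeps payloads out.
capture() {
    secs="${1:-7200}"   # a couple of hours, as suggested in the thread
    timeout "$secs" tcpdump -i "$IFACE" -nn -s 96 -w "$PCAP" "host $LAN_HOST"
}

# Step 2: feed "tcpdump -nn -q -r" text on stdin; sum the trailing length
# field per remote host, split into "out" (we sent) and "in" (we received).
# Lines that do not end in a number (ICMP, ARP, IPv6) are skipped.
summarize() {
    awk -v me="$LAN_HOST" '
        $2 == "IP" && $NF ~ /^[0-9]+$/ {
            src = $3; dst = $5
            sub(/:$/, "", dst)                 # "1.2.3.4.80:" -> "1.2.3.4.80"
            sub(/\.[0-9]+$/, "", src)          # strip the port
            sub(/\.[0-9]+$/, "", dst)
            if (src == me)      bytes["out " dst] += $NF
            else if (dst == me) bytes["in " src]  += $NF
        }
        END { for (k in bytes) printf "%10d %s\n", bytes[k], k }
    ' | sort -rn
}

# Constructed sample in tcpdump -q format (not a real capture): a web fetch
# from 93.184.216.34, a DNS exchange with the router, a zero-payload
# segment to 198.51.100.7.
SAMPLE='12:00:01.000001 IP 192.168.1.10.40001 > 93.184.216.34.80: tcp 100
12:00:01.000002 IP 93.184.216.34.80 > 192.168.1.10.40001: tcp 1400
12:00:01.000003 IP 93.184.216.34.80 > 192.168.1.10.40001: tcp 1400
12:00:02.000001 IP 192.168.1.10.53123 > 192.168.1.1.53: UDP, length 40
12:00:02.000002 IP 192.168.1.1.53 > 192.168.1.10.53123: UDP, length 120
12:00:03.000001 IP 192.168.1.10.40002 > 198.51.100.7.443: tcp 0'

# First line of the report: the remote host responsible for most bytes.
top_talker() { summarize | head -n 1; }

case "${1:-}" in
    capture) capture "${2:-7200}" ;;
    report)  tcpdump -nn -q -r "$PCAP" | summarize ;;
    demo)    printf '%s\n' "$SAMPLE" | summarize ;;
esac
```

Usage on the Mint partition: `sudo sh capture.sh capture 7200` during the hours the usage climbs, then `sh capture.sh report`. The top entries are the hosts to chase; a large "in" figure from a single host with a small matching "out" is the shape of a download, which is what a runaway update mechanism would look like, while large "out" figures point the other way.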
Holy Moly, there's all kinds of cool stuff there.
(running ntop -w <portnumber> for web interface)
There is also a log option in the Utils Menu.
I'm awaiting further instructions. Once I have a plan I will boot into the mint partition and
try what is suggested here.
thanks
I'm thinking that letting ntop run for a bit (couple of hours?) and see what hosts have been contacted.
Sounds like a plan. I'm running out of time here, so
I may not have any results for you good people until tomorrow, but
I'll get something either to this forum or at one of my sites as
soon as I've had a couple of hours on the mint partition.
Thanks again
Booted into mint partition, started iftop,
ntop -w 1000 and pointed firefox to localhost:1000.
I did just a little bit of surfing. Left ntop running for 3 hours: 7:40 Alaska Standard Time
to 10:40. Did not see any unusual activity. You'll be able to
see results at http://www.johnsons-web.com/ntop - indexing is on.
Don't know what to think, except that I had noticed before that activity could
start out slow in the early morning and then suddenly increase exponentially, but
usually by 11:00.