LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-14-2014, 03:15 PM   #1
masavini
Member
 
Registered: Jun 2008
Posts: 285

Rep: Reputation: 6
nethogs finds a lot of connections directed to my server ip...


hi,
a few minutes ago i noticed that my network was constantly sending and receiving data. my server was "almost" idle, so i ran nethogs...

here is the output:
Code:
NetHogs version 0.8.0

  PID USER     PROGRAM                                                                                            DEV        SENT      RECEIVED       
7683  teo      /usr/lib/firefox/firefox                                                                           wlan0    486.785    1431.367 KB
32757 teo      skype                                                                                              wlan0     79.026      73.834 KB
4533  teo      /usr/bin/perl                                                                                      wlan0     33.278      70.025 KB
6447  teo      pidgin                                                                                             wlan0      5.453      25.624 KB
4534  teo      /usr/bin/python3                                                                                   wlan0      2.229      22.196 KB
1317  clamav   /usr/bin/freshclam                                                                                 wlan0      0.880       7.205 KB
?     root     192.168.1.3:3263-91.132.117.231:25238                                                                         7.247       7.052 KB
?     root     192.168.1.3:3263-186.37.202.85:7650                                                                           7.633       6.981 KB
3690  teo      /home/teo/.dropbox-dist/dropbox-lnx.x86_64-2.10.30/dropbox                                         wlan0      7.813       6.835 KB
?     root     192.168.1.3:3263-151.41.181.219:50082                                                                         7.312       6.553 KB
?     root     192.168.1.3:3263-109.115.5.175:34234                                                                          6.965       6.523 KB
?     root     192.168.1.3:3263-62.94.196.48:11238                                                                           5.349       5.489 KB
?     root     192.168.1.3:3263-95.244.187.243:55823                                                                         5.423       5.148 KB
3538  teo      /usr/bin/python                                                                                    wlan0      1.407       3.974 KB
?     root     192.168.1.3:3263-177.25.189.186:51016                                                                         2.727       2.899 KB
?     root     192.168.1.3:3263-93.146.158.105:53437                                                                         2.043       2.336 KB
?     root     192.168.1.3:3263-84.223.126.124:52112                                                                         1.572       2.108 KB
?     root     192.168.1.3:3263-2.36.53.161:60961                                                                            1.709       1.925 KB
?     root     192.168.1.3:61246-49.230.164.210:49544                                                                        0.973       1.073 KB
?     root     192.168.1.3:3263-62.94.196.48:11262                                                                           0.682       0.826 KB
?     root     192.168.1.3:61246-49.230.164.210:49454                                                                        0.644       0.705 KB
22769 teo      wget                                                                                               wlan0      0.465       0.397 KB
?     root     192.168.1.3:61246-49.230.164.210:49574                                                                        0.318       0.381 KB
?     root     192.168.1.3:3263-95.245.42.88:50305                                                                           1.018       0.336 KB
?     root     192.168.1.3:3263-177.25.189.186:51019                                                                         0.137       0.270 KB
?     root     unknown TCP                                                                                                   0.000       0.000 KB

  TOTAL                                                                                                                    690.737    1714.051 KB
192.168.1.3 is my server local ip: what are all of those records? can you please tell me if someone is hacking my network? or maybe has already hacked it?

thanks

Last edited by masavini; 10-14-2014 at 03:21 PM.
 
Old 10-15-2014, 01:50 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by masavini View Post
what are all of those records?
The ones you're talking about, starting with a question mark, are past connections: they're not bound to an active process anymore. Since they've all used ephemeral (meaning >=1024) destination ports it doesn't appear to be connecting to a common known service like HTTP or IRC or something like that. Also when resolving remote IP addresses (as in 'dig -x') they appear to be consumer lines, not servers. Third, these connections don't appear to have sent much data.


Quote:
Originally Posted by masavini View Post
can you please tell me if someone is hacking my network? or maybe has already hacked it?
While the above, in a time of botnets and without payload inspection, doesn't leave much nfo to be gleaned from, it may be caused by benign (your verdict, obviously) processes like Skype or a P2P application. To be able to answer your last question you would need to inspect your network equipment and server(s) and share nfo with respect to (anomalous?) entries in system and daemon log files, login records, any file alterations, foreign files or processes, etc, etc.
 
Old 10-15-2014, 06:21 AM   #3
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,370

Rep: Reputation: 2335
There certainly is an international feel to your business - Italy, Thailand, Brazil etc.

You're the sysadmin. Have you stuff running as root using those ports?
Have you picked up another box on another network and run nmap on your own server? Take your laptop or smart phone down to a local wifi hotspot (even at home) and try it.
Do you know about rkhunter and friends?
What version/system are you using and is it up to date?

Post some results on the questions above and you'll get meaningful responses.
You are right to be seriously concerned.

Last edited by business_kid; 10-15-2014 at 06:23 AM.
 
Old 10-15-2014, 07:32 AM   #4
masavini
Member
 
Registered: Jun 2008
Posts: 285

Original Poster
Rep: Reputation: 6
thanks for your replies, you gave me several hints...

this is what i came to:

- the only daemon that could be responsible for those "suspicious" nethogs entries is tor. i think it has been installed with torsocks, do you think it could be possible?
- i ran rkhunter and got a VERY long log ending with:
Code:
[13:30:29] System checks summary
[13:30:29] =====================
[13:30:29]
[13:30:29] File properties checks...
[13:30:29] Files checked: 139
[13:30:29] Suspect files: 1
[13:30:29]
[13:30:29] Rootkit checks...
[13:30:29] Rootkits checked : 307
[13:30:29] Possible rootkits: 0
[13:30:29]
[13:30:29] Applications checks...
[13:30:29] All checks skipped
[13:30:30]
[13:30:30] The system checks took: 1 minute and 29 seconds
the suspect file is /usr/bin/unhide.rb, but i can't go any further... i can post the full log if it may help...

my system is ubuntu 14.04 lts almost up to date (i fully updated a couple of weeks ago).

later i'll try with nmap from another network and i'll tell you what i got...

thanks
 
Old 10-16-2014, 09:49 AM   #5
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,370

Rep: Reputation: 2335
Forget about unhide.rb. From the Debian site
Quote:
Unhide.rb is a tentative rewrite in Ruby of the original Unhide, which is written in C. While being much faster, it does not implement all the diagnostics of the original version. It is also less secure as it cannot be statically compiled.
It's for daily rootkit scans :-). It needs ruby.

What upsets me is so many high and unusual port numbers claimed by root doing things. What services have you got communicating as root? It sounds crazy. It could be innocent, but I would hunt it down as far as possible.
 
Old 10-16-2014, 06:03 PM   #6
masavini
Member
 
Registered: Jun 2008
Posts: 285

Original Poster
Rep: Reputation: 6
Quote:
Originally Posted by business_kid View Post
What upsets me is so many high and unusual port numbers claimed by root doing things. What services have you got communicating as root? It sounds crazy. It could be innocent, but I would hunt it down as far as possible.
i don't really know... root's crontab is empty and there is no "visudo" command starting with teo's crontab.

i have another computer with the same os and almost the same programs and configurations. if i launch nethogs on that system, i don't get those weird records...
the main differences between the 2 systems are that the server is also running:
- tor daemon (but user should be "debian-tor"...)
- pidgin and skype (but user should be "teo")
 
Old 10-17-2014, 08:11 AM   #7
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,370

Rep: Reputation: 2335
OK then, something like the following? (do it as root)

Code:
ps -u root -U root u > some_file 
lsof -i |less
The first line lists all root processes.
The second links processes to ports. If you have a rootkit, this kind of basic check may return false information. Make sense of it and post your results. For any process, in a quiet moment, you should be able to kill it and clear any suspicious ports.
 
Old 10-17-2014, 08:54 AM   #8
alexs3
LQ Newbie
 
Registered: Oct 2014
Posts: 7

Rep: Reputation: Disabled
Hi,

Another Ubuntu 14.04 user here.

Code:
nc -4nv -l 48623
gives
Code:
Connection from [217.118.95.78] port 48623 [tcp/*] accepted (family 2, sport 49887)
BitTorrent protocoly����=z��҂�Ƌp-MG21�0-H65wxAlsPpBk
In masavini's case the port would be 3263
Code:
nc -4nv -l 3263
 
Old 10-17-2014, 09:38 AM   #9
masavini
Member
 
Registered: Jun 2008
Posts: 285

Original Poster
Rep: Reputation: 6
here you are:

Code:
$ cat some_file 
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  33908  3252 ?        Ss   14:54   0:02 /sbin/init
root         2  0.0  0.0      0     0 ?        S    14:54   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S    14:54   0:05 [rcu_sched]
root         8  0.0  0.0      0     0 ?        S    14:54   0:01 [rcuos/0]
root         9  0.0  0.0      0     0 ?        S    14:54   0:02 [rcuos/1]
root        10  0.0  0.0      0     0 ?        S    14:54   0:02 [rcuos/2]
root        11  0.0  0.0      0     0 ?        S    14:54   0:02 [rcuos/3]
root        12  0.0  0.0      0     0 ?        S    14:54   0:01 [rcuos/4]
root        13  0.0  0.0      0     0 ?        S    14:54   0:01 [rcuos/5]
root        14  0.0  0.0      0     0 ?        S    14:54   0:01 [rcuos/6]
root        15  0.0  0.0      0     0 ?        S    14:54   0:01 [rcuos/7]
root        16  0.0  0.0      0     0 ?        S    14:54   0:00 [rcu_bh]
root        17  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/0]
root        18  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/1]
root        19  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/2]
root        20  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/3]
root        21  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/4]
root        22  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/5]
root        23  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/6]
root        24  0.0  0.0      0     0 ?        S    14:54   0:00 [rcuob/7]
root        25  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/0]
root        26  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/0]
root        27  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/1]
root        28  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/1]
root        29  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/1]
root        30  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/1:0]
root        31  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/1:0H]
root        32  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/2]
root        33  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/2]
root        34  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/2]
root        36  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/2:0H]
root        37  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/3]
root        38  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/3]
root        39  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/3]
root        40  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/3:0]
root        41  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/3:0H]
root        42  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/4]
root        43  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/4]
root        44  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/4]
root        46  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/4:0H]
root        47  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/5]
root        48  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/5]
root        49  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/5]
root        50  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/5:0]
root        51  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/5:0H]
root        52  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/6]
root        53  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/6]
root        54  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/6]
root        55  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/6:0]
root        56  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/6:0H]
root        57  0.0  0.0      0     0 ?        S    14:54   0:00 [watchdog/7]
root        58  0.0  0.0      0     0 ?        S    14:54   0:00 [migration/7]
root        59  0.0  0.0      0     0 ?        S    14:54   0:00 [ksoftirqd/7]
root        60  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/7:0]
root        61  0.0  0.0      0     0 ?        S<   14:54   0:00 [kworker/7:0H]
root        62  0.0  0.0      0     0 ?        S<   14:54   0:00 [khelper]
root        63  0.0  0.0      0     0 ?        S    14:54   0:00 [kdevtmpfs]
root        64  0.0  0.0      0     0 ?        S<   14:54   0:00 [netns]
root        65  0.0  0.0      0     0 ?        S<   14:54   0:00 [writeback]
root        66  0.0  0.0      0     0 ?        S<   14:54   0:00 [kintegrityd]
root        67  0.0  0.0      0     0 ?        S<   14:54   0:00 [bioset]
root        69  0.0  0.0      0     0 ?        S<   14:54   0:00 [kblockd]
root        70  0.0  0.0      0     0 ?        S<   14:54   0:00 [ata_sff]
root        71  0.0  0.0      0     0 ?        S    14:54   0:00 [khubd]
root        72  0.0  0.0      0     0 ?        S<   14:54   0:00 [md]
root        73  0.0  0.0      0     0 ?        S<   14:54   0:00 [devfreq_wq]
root        74  0.0  0.0      0     0 ?        S    14:54   0:01 [kworker/2:1]
root        76  0.0  0.0      0     0 ?        S    14:54   0:00 [khungtaskd]
root        77  0.0  0.0      0     0 ?        S    14:54   0:00 [kswapd0]
root        78  0.0  0.0      0     0 ?        SN   14:54   0:00 [ksmd]
root        79  0.0  0.0      0     0 ?        SN   14:54   0:00 [khugepaged]
root        80  0.0  0.0      0     0 ?        S    14:54   0:00 [fsnotify_mark]
root        81  0.0  0.0      0     0 ?        S    14:54   0:00 [ecryptfs-kthrea]
root        82  0.0  0.0      0     0 ?        S<   14:54   0:00 [crypto]
root        94  0.0  0.0      0     0 ?        S<   14:54   0:00 [kthrotld]
root        95  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/6:1]
root        98  0.0  0.0      0     0 ?        S    14:54   0:03 [kworker/4:1]
root       118  0.0  0.0      0     0 ?        S<   14:54   0:00 [deferwq]
root       119  0.0  0.0      0     0 ?        S<   14:54   0:00 [charger_manager]
root       129  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/5:1]
root       179  0.0  0.0      0     0 ?        S<   14:54   0:00 [kpsmoused]
root       180  0.0  0.0      0     0 ?        S    14:54   0:00 [scsi_eh_0]
root       181  0.0  0.0      0     0 ?        S    14:54   0:00 [scsi_eh_1]
root       182  0.0  0.0      0     0 ?        S    14:54   0:00 [scsi_eh_2]
root       183  0.0  0.0      0     0 ?        S    14:54   0:00 [scsi_eh_3]
root       184  0.0  0.0      0     0 ?        S    14:54   0:00 [scsi_eh_4]
root       185  0.0  0.0      0     0 ?        S    14:54   0:00 [scsi_eh_5]
root       192  0.0  0.0      0     0 ?        S    14:54   0:01 [kworker/3:1]
root       201  0.0  0.0      0     0 ?        S    14:54   0:01 [kworker/7:1]
root       205  0.0  0.0      0     0 ?        S    14:54   0:00 [jbd2/sda2-8]
root       206  0.0  0.0      0     0 ?        S<   14:54   0:00 [ext4-rsv-conver]
root       406  0.0  0.0  19740   916 ?        S    14:54   0:00 upstart-udev-bridge --daemon
root       411  0.0  0.0  51752  1988 ?        Ss   14:54   0:00 /lib/systemd/systemd-udevd --daemon
root       416  0.0  0.0      0     0 ?        S    14:54   0:00 [jbd2/sda3-8]
root       417  0.0  0.0      0     0 ?        S<   14:54   0:00 [ext4-rsv-conver]
root       486  0.0  0.0  15276   640 ?        S    14:54   0:00 upstart-file-bridge --daemon
root       605  0.0  0.0      0     0 ?        S    14:54   0:00 [irq/45-mei_me]
root       609  0.0  0.0      0     0 ?        S<   14:54   0:00 [kvm-irqfd-clean]
root       614  0.0  0.0      0     0 ?        S<   14:54   0:00 [cfg80211]
root       660  0.0  0.0  19292  1900 ?        Ss   14:54   0:00 /usr/sbin/bluetoothd
root       702  0.3  0.0      0     0 ?        S    14:54   0:20 [irq/46-iwlwifi]
root       705  0.0  0.0      0     0 ?        S<   14:54   0:00 [krfcommd]
root       711  0.0  0.0      0     0 ?        S    14:54   0:00 [kworker/2:2]
root       723  0.0  0.0  43532  1932 ?        Ss   14:54   0:00 /lib/systemd/systemd-logind
root       736  0.0  0.0      0     0 ?        S<   14:54   0:00 [hd-audio0]
root       775  0.0  0.0 272700  7880 ?        Ss   14:54   0:00 smbd -F
root       787  0.0  0.0      0     0 ?        S<   14:54   0:00 [iwlwifi]
root       820  0.0  0.0 330236  6456 ?        Ssl  14:54   0:00 /usr/sbin/ModemManager
root       852  0.0  0.0      0     0 ?        S<   14:54   0:00 [led_workqueue]
root       854  0.0  0.0  15652  1032 ?        S    14:54   0:00 upstart-socket-bridge --daemon
root       886  0.0  0.0 339536  6544 ?        Ssl  14:54   0:00 NetworkManager
root       892  0.0  0.0 281276  5316 ?        Sl   14:54   0:00 /usr/lib/policykit-1/polkitd --no-debug
root       900  0.0  0.0 272700  4780 ?        S    14:54   0:00 smbd -F
root       907  0.0  0.0  30608  2608 ?        Ss   14:54   0:00 /sbin/wpa_supplicant -B -P /run/sendsigs.omit.d/wpasupplicant.pid -u -s -O /var/run/wpa_supplicant
root      1125  0.0  0.0  14544   956 tty4     Ss+  14:54   0:00 /sbin/getty -8 38400 tty4
root      1129  0.0  0.0  14544   960 tty5     Ss+  14:54   0:00 /sbin/getty -8 38400 tty5
root      1137  0.0  0.0  14544   968 tty2     Ss+  14:54   0:00 /sbin/getty -8 38400 tty2
root      1138  0.0  0.0  14544   956 tty3     Ss+  14:54   0:00 /sbin/getty -8 38400 tty3
root      1142  0.0  0.0  14544   968 tty6     Ss+  14:54   0:00 /sbin/getty -8 38400 tty6
root      1179  0.0  0.0  61364  2928 ?        Ss   14:54   0:00 /usr/sbin/sshd -D
root      1221  0.0  0.0  23656  1044 ?        Ss   14:54   0:00 cron
daemon    1232  0.0  0.0  19140   164 ?        Ss   14:54   0:00 atd
root      1255  0.0  0.0  19188   744 ?        Ss   14:54   0:00 /usr/sbin/irqbalance
root      1351  0.0  0.0  75484  3660 ?        Ss   14:54   0:00 /usr/sbin/cups-browsed
root      1407  0.0  0.0   4488   508 ?        S    14:54   0:00 /usr/sbin/hddtemp -S 60 /dev/sda
root      1436  0.0  0.0   4368   696 ?        Ss   14:54   0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1518  0.0  0.0 351612  6480 ?        SLsl 14:54   0:00 lightdm
root      1550  3.2  1.1 747880 91044 tty7     Ssl+ 14:54   3:12 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
root      1553  0.0  0.0 288640  5512 ?        Sl   14:54   0:00 /usr/lib/accountsservice/accounts-daemon
root      1557  0.0  0.0  25344  1700 ?        Ss   14:54   0:00 /usr/lib/postfix/master
root      1625  0.0  0.0      0     0 ?        S<   14:54   0:00 [iprt]
root      1738  0.0  0.2 392728 18216 ?        Ss   14:54   0:00 /usr/sbin/apache2 -k start
root      1748  0.0  0.0  36228  1756 ?        Ss   14:54   0:00 /usr/sbin/bumblebeed --use-syslog --driver nvidia --driver-module nvidia-304 --ldpath /usr/lib/nvidia-304:/usr/lib32/nvidia-304 --module-path /usr/lib/nvidia-304/xorg,/usr/lib/xorg/modules
root      1768  0.0  0.0      0     0 ?        S    14:54   0:00 [kauditd]
root      1815  0.0  0.1 332564  8212 ?        Sl   14:54   0:00 lightdm --session-child 12 19
root      1845  0.0  0.0 305020  4788 ?        Sl   14:54   0:00 /usr/lib/upower/upowerd
root      2116  0.0  0.0      0     0 ?        S    14:54   0:01 [kworker/1:2]
root      2184  0.0  0.0  14544   960 tty1     Ss+  14:54   0:00 /sbin/getty -8 38400 tty1
root      2802  0.0  0.0 445144  7476 ?        Sl   14:54   0:00 /usr/lib/udisks2/udisksd --no-debug
root      4350  0.0  0.0 191448  2552 ?        Ss   14:54   0:00 nmbd -D
root      5808  0.1  0.4 145992 38196 ?        Ss   14:54   0:08 Xorg :8 -config /etc/bumblebee/xorg.conf.nvidia -configdir /etc/bumblebee/xorg.conf.d -sharevts -nolisten tcp -noreset -verbose 3 -isolateDevice PCI:01:00:0 -modulepath /usr/lib/nvidia-304/xorg,/usr/lib/xorg/modules
root      6768  0.0  0.0 151652  5336 ?        Ssl  14:54   0:00 /usr/sbin/cupsd -f
root      7208  0.0  0.0      0     0 ?        S<   15:56   0:00 [kworker/u17:0]
root      9714  0.0  0.0      0     0 ?        S    16:21   0:00 [kworker/u16:0]
root      9716  0.0  0.0      0     0 ?        S<   16:21   0:00 [kworker/u17:3]
root     12370  0.0  0.0      0     0 ?        S    16:01   0:00 [kworker/0:1]
root     16515  0.0  0.0      0     0 ?        S<   16:27   0:00 [kworker/u17:1]
root     17695  0.0  0.0 4197568 3944 ?        Sl   15:40   0:00 /usr/sbin/console-kit-daemon --no-daemon
root     18721  0.2  0.0      0     0 ?        S    15:40   0:09 [kworker/4:2]
root     19374  0.0  0.0      0     0 ?        S    15:41   0:01 [kworker/0:2]
root     19602  0.0  0.0      0     0 ?        S    16:29   0:00 [kworker/u16:1]
root     22541  1.0  0.0 239100  6296 pts/5    S+   16:31   0:00 sudo ps -u root -U root u
root     22560  0.0  0.0  17172  1304 pts/5    R+   16:31   0:00 ps -u root -U root u
root     24742  0.0  0.0      0     0 ?        S    16:11   0:00 [kworker/u16:3]
root     31323  0.0  0.0 233292  4808 ?        S    16:16   0:00 CRON
Code:
$ sudo lsof -i
COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae   767      avahi   13u  IPv4    928      0t0  UDP *:mdns 
avahi-dae   767      avahi   14u  IPv6    929      0t0  UDP *:mdns 
avahi-dae   767      avahi   15u  IPv4    930      0t0  UDP *:54399 
avahi-dae   767      avahi   16u  IPv6    931      0t0  UDP *:48314 
smbd        775       root   30u  IPv6  13612      0t0  TCP *:microsoft-ds (LISTEN)
smbd        775       root   31u  IPv6  13613      0t0  TCP *:netbios-ssn (LISTEN)
smbd        775       root   32u  IPv4  13614      0t0  TCP *:microsoft-ds (LISTEN)
smbd        775       root   33u  IPv4  13615      0t0  TCP *:netbios-ssn (LISTEN)
sshd       1179       root    3u  IPv4  11899      0t0  TCP *:ssh (LISTEN)
sshd       1179       root    4u  IPv6  11901      0t0  TCP *:ssh (LISTEN)
cups-brow  1351       root    6u  IPv6  30207      0t0  TCP bolide:39205->bolide:ipp (CLOSE_WAIT)
cups-brow  1351       root    8u  IPv4  25121      0t0  UDP *:ipp 
mysqld     1352      mysql   10u  IPv4  14582      0t0  TCP localhost.localdomain:mysql (LISTEN)
master     1557       root   12u  IPv4   9180      0t0  TCP *:smtp (LISTEN)
master     1557       root   13u  IPv6   9181      0t0  TCP *:smtp (LISTEN)
tor        1603 debian-tor    7u  IPv4   1781      0t0  TCP localhost.localdomain:9050 (LISTEN)
apache2    1738       root    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    1738       root    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2    1740   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    1740   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2    1767   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    1767   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
dnsmasq    2230     nobody    4u  IPv4  13943      0t0  UDP bolide:domain 
dnsmasq    2230     nobody    5u  IPv4  13944      0t0  TCP bolide:domain (LISTEN)
apache2    2419   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    2419   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2    2420   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    2420   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2    2462   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    2462   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2    2463   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    2463   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2    2464   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    2464   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
vino-serv  2663        teo   11u  IPv6  17991      0t0  TCP *:7900 (LISTEN)
vino-serv  2663        teo   12u  IPv4  17992      0t0  TCP *:7900 (LISTEN)
vino-serv  2663        teo   13u  IPv6  15840      0t0  TCP *:5800 (LISTEN)
dropbox    3681        teo   20u  IPv4 280341      0t0  TCP bolide:40709->snt-re4-9c.sjc.dropbox.com:http (ESTABLISHED)
dropbox    3681        teo   25u  IPv4 351566      0t0  TCP bolide:40718->ec2-50-19-215-65.compute-1.amazonaws.com:https (ESTABLISHED)
dropbox    3681        teo   28u  IPv4 351569      0t0  TCP bolide:36350->client-17a.v.dropbox.com:https (ESTABLISHED)
dropbox    3681        teo   29u  IPv4 352609      0t0  TCP bolide:33529->client-8b.v.dropbox.com:https (ESTABLISHED)
dropbox    3681        teo   30u  IPv4 351586      0t0  TCP bolide:db-lsp->mostro:43436 (ESTABLISHED)
dropbox    3681        teo   33u  IPv4  23609      0t0  UDP *:17500 
dropbox    3681        teo   36u  IPv4  23612      0t0  TCP *:db-lsp (LISTEN)
dropbox    3681        teo   39u  IPv4 354565      0t0  TCP bolide:39499->ec2-23-23-229-156.compute-1.amazonaws.com:https (ESTABLISHED)
nmbd       4350       root   11u  IPv4  20479      0t0  UDP *:netbios-ns 
nmbd       4350       root   12u  IPv4  20480      0t0  UDP *:netbios-dgm 
nmbd       4350       root   13u  IPv4  23554      0t0  UDP bolide:netbios-ns 
nmbd       4350       root   14u  IPv4  23555      0t0  UDP 192.168.1.255:netbios-ns 
nmbd       4350       root   15u  IPv4  23556      0t0  UDP bolide:netbios-dgm 
nmbd       4350       root   16u  IPv4  23557      0t0  UDP 192.168.1.255:netbios-dgm 
pidgin     4486        teo   11u  IPv4  26822      0t0  TCP bolide:49075->184.173.147.52-static.reverse.softlayer.com:https (ESTABLISHED)
pidgin     4486        teo   23u  IPv4  24834      0t0  TCP bolide:58901->64.233.166.125:xmpp-client (ESTABLISHED)
pidgin     4486        teo   24u  IPv4  24835      0t0  TCP bolide:34054->50-56-234-31.static.cloud-ips.com:xmpp-client (ESTABLISHED)
my-weathe  4636        teo   10u  IPv4  32898      0t0  TCP bolide:57094->149.3.177.87:http (CLOSE_WAIT)
firefox    4785        teo   50u  IPv4 345872      0t0  TCP bolide:60406->mil02s06-in-f29.1e100.net:https (ESTABLISHED)
firefox    4785        teo   51u  IPv4  28021      0t0  TCP bolide:47719->do-3.lastpass.com:https (ESTABLISHED)
firefox    4785        teo   56u  IPv4 259334      0t0  TCP bolide:49758->mil01s18-in-f22.1e100.net:https (ESTABLISHED)
firefox    4785        teo   62u  IPv4 330909      0t0  TCP bolide:53102->198-101-228-66.static.cloud-ips.com:http (ESTABLISHED)
skype      5963        teo   11u  IPv4  22226      0t0  UDP localhost.localdomain:47527 
skype      5963        teo   30u  IPv4  26602      0t0  TCP bolide:33244->91.190.216.63:12350 (ESTABLISHED)
skype      5963        teo   40u  IPv4  26604      0t0  TCP bolide:45372->db3msgr6012716.gateway.messenger.live.com:https (ESTABLISHED)
skype      5963        teo   44u  IPv4  27050      0t0  TCP *:3263 (LISTEN)
skype      5963        teo   45u  IPv4  27051      0t0  UDP *:3263 
skype      5963        teo   49u  IPv4  26453      0t0  TCP bolide:43612->213.199.179.160:40033 (ESTABLISHED)
skype      5965        teo   11u  IPv4  24091      0t0  UDP localhost.localdomain:52959 
skype      5965        teo   44u  IPv4  22405      0t0  TCP *:61246 (LISTEN)
skype      5965        teo   45u  IPv4  22406      0t0  UDP *:61246 
skype      5965        teo   48u  IPv4  31581      0t0  TCP bolide:50137->157.55.235.175:40004 (ESTABLISHED)
skype      5965        teo   94u  IPv4  30239      0t0  TCP bolide:56062->91.190.216.62:12350 (ESTABLISHED)
skype      5965        teo   95u  IPv4  28023      0t0  TCP bolide:33107->db3msgr6012505.gateway.messenger.live.com:https (ESTABLISHED)
cupsd      6768       root   10u  IPv4  29074      0t0  TCP *:ipp (LISTEN)
cupsd      6768       root   11u  IPv6  29075      0t0  TCP *:ipp (LISTEN)
apache2    7806   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2    7806   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2   17405   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2   17405   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2   17407   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2   17407   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
apache2   17408   www-data    4u  IPv6   1815      0t0  TCP *:http (LISTEN)
apache2   17408   www-data    6u  IPv6   1819      0t0  TCP *:http-alt (LISTEN)
java      29386        teo  147u  IPv6 305579      0t0  TCP *:9980 (LISTEN)
 
Old 10-17-2014, 02:26 PM   #10
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,370

Rep: Reputation: 2335
:-).

You're the sysadmin. The idea was that YOU would look at them, figure out your ports <--> processes, investigate where suspicious, and cry foul if they were not right. If you were curious, YOU can kill those processes. I can't.

I'll start you off: google informs me about rcuos processes
http://ubuntuforums.org/showthread.php?t=2225218

Have fun!
 
Old 10-18-2014, 05:29 AM   #11
masavini
Member
 
Registered: Jun 2008
Posts: 285

Original Poster
Rep: Reputation: 6
Quote:
Originally Posted by business_kid View Post
I'll start you off: google informs me about rcuos processes
http://ubuntuforums.org/showthread.php?t=2225218

Have fun!
nice, rcuos processes were the only ones that i had already checked out...

what i can see from the logs is that the 2 ports recurring in the first nethogs log (3263 and 61246) only appear in the lsof -i output and they're used by skype:
Code:
skype      5963        teo   44u  IPv4  27050      0t0  TCP *:3263 (LISTEN)
skype      5963        teo   45u  IPv4  27051      0t0  UDP *:3263 
[...]
skype      5965        teo   44u  IPv4  22405      0t0  TCP *:61246 (LISTEN)
skype      5965        teo   45u  IPv4  22406      0t0  UDP *:61246
skype instances (i always have 2 running) are not launched by root, but i guess that there must be some skype subprocess running with root privileges...

is this impossible, just possible or even probable?

Last edited by masavini; 10-18-2014 at 05:31 AM.
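
An added example, not part of any post in this thread, that does the ports <--> processes correlation business_kid describes for exactly the flows nethogs could not attribute. nethogs prints "?" for the PID and "root" for the user when it cannot match a connection to a process, so that "root" is a placeholder rather than evidence of a root-owned process; the script below takes lsof -i output and the nethogs lines, and reports which process holds the local port of each unattributed flow. The two samples are constructed from lines posted in this thread plus one invented flow on port 55555 that nothing owns; against a live host you would feed it saved `sudo lsof -nP -i` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): map the local port of each nethogs
# connection that shows PID "?" back to the process that owns the socket,
# using the COMMAND/PID/USER/NAME columns of 'lsof -i' output.
# Live usage:  sudo lsof -nP -i > lsof.txt   (-nP keeps ports numeric, so
#              "http" in the thread's output would appear as "80")
# The samples below are constructed from lines posted in this thread.

LSOF_SAMPLE='COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
skype      5963        teo   30u  IPv4  26602      0t0  TCP bolide:33244->91.190.216.63:12350 (ESTABLISHED)
skype      5963        teo   44u  IPv4  27050      0t0  TCP *:3263 (LISTEN)
skype      5963        teo   45u  IPv4  27051      0t0  UDP *:3263
skype      5965        teo   44u  IPv4  22405      0t0  TCP *:61246 (LISTEN)
skype      5965        teo   45u  IPv4  22406      0t0  UDP *:61246
java      29386        teo  147u  IPv6 305579      0t0  TCP *:9980 (LISTEN)'

# nethogs 0.8.0 lines with an unresolved PID; the last one is an invented
# flow on a port nothing in LSOF_SAMPLE owns, to show the "no owner" path.
NETHOGS_SAMPLE='?     root     192.168.1.3:3263-91.132.117.231:25238    7.247   7.052 KB
?     root     192.168.1.3:3263-186.37.202.85:7650    7.633   6.981 KB
?     root     192.168.1.3:61246-186.37.202.85:7651    0.500   0.400 KB
?     root     192.168.1.3:55555-10.0.0.6:80    0.100   0.200 KB'

# port_owner PORT LSOF_TEXT -> "COMMAND PID USER" of the first socket whose
# local port is PORT, or "UNKNOWN" if no process in LSOF_TEXT holds it.
port_owner() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 != "COMMAND" {
            name = $9                 # e.g. *:3263 or bolide:33244->91.190.216.63:12350
            sub(/->.*/, "", name)     # keep only the local side of a connection
            n = split(name, a, ":")
            if (a[n] == p) { print $1, $2, $3; found = 1; exit }
        }
        END { if (!found) print "UNKNOWN" }'
}

# resolve_nethogs NETHOGS_TEXT LSOF_TEXT -> "LOCALPORT REMOTE -> OWNER" for
# every flow whose PID nethogs could not determine (IPv4 literals assumed).
resolve_nethogs() {
    printf '%s\n' "$1" | while read -r pid user conn rest; do
        [ "$pid" = "?" ] || continue
        local_side=${conn%%-*}        # 192.168.1.3:3263
        remote=${conn#*-}             # 91.132.117.231:25238
        lport=${local_side##*:}
        printf '%s %s -> %s\n' "$lport" "$remote" "$(port_owner "$lport" "$2")"
    done
}

resolve_nethogs "$NETHOGS_SAMPLE" "$LSOF_SAMPLE"
```

A port that resolves to UNKNOWN is the one to chase: either the socket closed between the two snapshots, or something holds it that lsof is not showing. The root-subprocess question is answered by the process tree rather than by nethogs's placeholder column: `ps -eo pid,ppid,user,comm` filtered on PPID 5963 and 5965 lists every child of the two skype instances together with the user it runs as.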
 
Old 10-18-2014, 06:28 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by masavini View Post
skype instances (i always have 2 running) are not launched by root, but i guess that there must be some skype subprocess running with root privileges... is this impossible, just possible or even probable?
I think you're interpreting things wrong. Else what makes you think there should be "some skype subprocess running with root privileges"? Because your 'lsof' output clearly shows the processes running as user "teo":
Quote:
Originally Posted by masavini View Post
Code:
$ sudo lsof -i
COMMAND     PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
skype      5963        teo   11u  IPv4  22226      0t0  UDP localhost.localdomain:47527 
skype      5963        teo   30u  IPv4  26602      0t0  TCP bolide:33244->91.190.216.63:12350 (ESTABLISHED)
skype      5963        teo   40u  IPv4  26604      0t0  TCP bolide:45372->db3msgr6012716.gateway.messenger.live.com:https (ESTABLISHED)
skype      5963        teo   44u  IPv4  27050      0t0  TCP *:3263 (LISTEN)
skype      5963        teo   45u  IPv4  27051      0t0  UDP *:3263 
skype      5963        teo   49u  IPv4  26453      0t0  TCP bolide:43612->213.199.179.160:40033 (ESTABLISHED)
skype      5965        teo   11u  IPv4  24091      0t0  UDP localhost.localdomain:52959 
skype      5965        teo   44u  IPv4  22405      0t0  TCP *:61246 (LISTEN)
skype      5965        teo   45u  IPv4  22406      0t0  UDP *:61246 
skype      5965        teo   48u  IPv4  31581      0t0  TCP bolide:50137->157.55.235.175:40004 (ESTABLISHED)
skype      5965        teo   94u  IPv4  30239      0t0  TCP bolide:56062->91.190.216.62:12350 (ESTABLISHED)
skype      5965        teo   95u  IPv4  28023      0t0  TCP bolide:33107->db3msgr6012505.gateway.messenger.live.com:https (ESTABLISHED)
 
Old 10-18-2014, 03:15 PM   #13
alexs3
LQ Newbie
 
Registered: Oct 2014
Posts: 7

Rep: Reputation: Disabled
The easiest way for me has been:
Code:
apt-get install auditd
auditctl -A exit,always -S socketcall
auditctl -D
ausearch --host 217.118.95.78
Now waiting for fish.
 
Old 10-19-2014, 03:42 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Nice idea yes, but do note that using
Quote:
Originally Posted by alexs3 View Post
Code:
auditctl -A exit,always -S socketcall
traps the syscall for all users and all processes so on a busy system this may cause an excessive amount of logging! It would be better to apply a filter and anchor logging to, for example, one user. Also note that
Quote:
Originally Posted by alexs3 View Post
Code:
auditctl -D
deletes all rules. So that isn't a command you will want to run right after you set the logging rule...
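
An added example, not from either poster, that turns the two points above into a rule set and a log reader. The rule is filtered on one uid and tagged with a key so `ausearch -k` finds it; `-S socketcall` from the original command is the i386 multiplexer and is not a syscall on x86_64, so the 64-bit rule names `connect`/`bind` directly and a separate `arch=b32` rule covers 32-bit binaries. The decoder handles the `saddr=` field of raw SOCKADDR records (`ausearch -i` interprets it for you, the decoder is for raw audit.log). Assumed, and not stated in the thread: an x86_64 host and uid 1000 for user teo (check with `id -u teo`). The audit.log excerpt is constructed; nothing here needs root because the rules are only printed.

```shell
#!/bin/sh
# Added example (not from the thread): an audit rule scoped to one user and
# a decoder for the saddr= field that the resulting SOCKADDR records carry.
# Assumptions: x86_64 host, auditd installed, user "teo" has uid 1000 (an
# assumption; check with 'id -u teo'). The log lines below are constructed.

# audit_rules_for_uid UID KEY -> rule lines for 'auditctl' or
# /etc/audit/rules.d/. Filtering on uid keeps the rule from logging every
# socket call on the box; -k tags the records so 'ausearch -k KEY' finds them.
# socketcall is the i386 multiplexer and does not exist on x86_64, so the
# 64-bit rule names connect/bind directly and a b32 rule covers 32-bit binaries.
audit_rules_for_uid() {
    printf '%s\n' "-a always,exit -F arch=b64 -S connect -S bind -F uid=$1 -k $2"
    printf '%s\n' "-a always,exit -F arch=b32 -S socketcall -F uid=$1 -k $2"
}

# hexbyte HEX OFFSET -> decimal value of the byte at 1-based char OFFSET
hexbyte() {
    printf '%d' "0x$(printf '%s' "$1" | cut -c"$2"-"$(($2 + 1))")"
}

# decode_saddr HEX -> "ip:port" for an AF_INET sockaddr (family 2, stored
# little endian; port in network order), or "unsupported family N".
decode_saddr() {
    fam=$(( $(hexbyte "$1" 1) + 256 * $(hexbyte "$1" 3) ))
    if [ "$fam" -ne 2 ]; then
        echo "unsupported family $fam"
        return 1
    fi
    port=$(( 256 * $(hexbyte "$1" 5) + $(hexbyte "$1" 7) ))
    printf '%d.%d.%d.%d:%d\n' "$(hexbyte "$1" 9)" "$(hexbyte "$1" 11)" \
        "$(hexbyte "$1" 13)" "$(hexbyte "$1" 15)" "$port"
}

# Constructed raw audit.log excerpt for one connect() (syscall 42 on x86_64)
# tagged with key "netconn"; the saddr encodes 91.132.117.231:25238, the
# remote endpoint from the first nethogs listing in this thread.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1413616800.123:4567): arch=c000003e syscall=42 success=yes exit=0 pid=5963 uid=1000 auid=1000 comm="skype" exe="/usr/bin/skype" key="netconn"
type=SOCKADDR msg=audit(1413616800.123:4567): saddr=020062965B8475E70000000000000000'

# events_from_log LOGTEXT -> "PID COMM SADDRHEX" per SOCKADDR record, joined
# to its SYSCALL record by the msg=audit(...) event id in field 2. Records are
# collected before printing, so raw log order and ausearch order both work.
events_from_log() {
    printf '%s\n' "$1" | awk '
        $1 == "type=SYSCALL" {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^pid=/)  { v = $i; sub(/^pid=/, "", v); pid[$2] = v }
                if ($i ~ /^comm=/) { v = $i; sub(/^comm=/, "", v); gsub(/"/, "", v); comm[$2] = v }
            }
        }
        $1 == "type=SOCKADDR" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^saddr=/) { v = $i; sub(/^saddr=/, "", v); saddr[$2] = v; order[++n] = $2 }
        }
        END { for (k = 1; k <= n; k++) { id = order[k]; print pid[id], comm[id], saddr[id] } }'
}

# resolve_audit_log LOGTEXT -> "COMM[PID] -> ip:port" per recorded connection
resolve_audit_log() {
    events_from_log "$1" | while read -r pid comm hex; do
        printf '%s[%s] -> %s\n' "$comm" "$pid" "$(decode_saddr "$hex")"
    done
}

audit_rules_for_uid 1000 netconn
resolve_audit_log "$AUDIT_SAMPLE"
```

Load the printed rules with `auditctl` (or drop them in /etc/audit/rules.d/ and run `augenrules --load`), confirm with `auditctl -l`, and keep `auditctl -D` for the moment you want to clear the set before loading a fresh one, not for right after adding a rule. `ausearch -k netconn -i` then shows the same records with saddr already interpreted.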
 
Old 10-19-2014, 11:10 AM   #15
masavini
Member
 
Registered: Jun 2008
Posts: 285

Original Poster
Rep: Reputation: 6
Quote:
Originally Posted by unSpawn View Post
I think you're interpreting things wrong. Else what makes you think there should be "some skype subprocess running with root privileges"? Because your 'lsof' output clearly shows the processes running as user "teo":
how can you be that sure? i'm not saying i was right, i'm only saying that skype is proprietary software and i just can't know what programmers stuffed in it, right?
 