LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-17-2014, 09:43 AM   #1
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Rep: Reputation: Disabled
S.O.S. I think my box is under attack


Hi,

Since the early morning, system monitor shows internet traffic that I'm not responsible for. What made me suspicious is that most of it was uploading, and I'm not running any application that needs to upload - like a bittorrent client for instance.

This behaviour shows significantly while I'm running google-chrome, and the uploading rises to 30+ KB/s. My OS is Ubuntu 14.04, with lxde desktop, and compiz+emerald. I began searching the web for a way to tell what's going on. I stumbled on a page about lsof, and the page stated that the command run with these options, lsof +L1, will show processes using deleted files, which might correspond to an attack. I ran the command, and the result is in the chrome_attack.txt file attached to this post.

User-name is my user name.

So what I did, is

Code:
sudo kill $(lsof -t +L1)
to kill any suspicious process.

But there is still small internet traffic that runs without any corresponding command - that I know of - to cause it, and it's the first time such traffic shows. A screenshot of the system monitor window showing what I'm talking about is attached to the post.

Please, any help is appreciated. I know zero about security, and I just don't know where to start. I thought linux is immune to such stuff. I only have avast anti-virus scanner installed, and that's it. The irony is that chrome was last updated just two days ago, which is rather hilariously pathetic.

Thanks.
Attached: Screenshot from 2014-10-17 15:41:28.png (70.0 KB)
Attached: chrome_attack.txt (37.5 KB)
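The `lsof +L1` listing in the post above shows every open file whose link count has dropped to zero, and killing everything it returns is a blunt instrument: browsers keep unlinked shared-memory segments under /dev/shm open by design, while a process still mapping an executable or library that no longer exists on disk is the case actually worth a closer look (which can be as innocent as a package update while the program was running). The following triage script is an added example, not code from the thread; the lsof rows, PIDs, user name and paths in it are constructed, and the bucket names are the example's own.

```python
# Constructed sample of `sudo lsof +L1` output (hypothetical PIDs, user and
# paths). The /dev/shm line is the Chrome pattern discussed in the thread.
SAMPLE_LSOF_L1 = """\
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NLINK   NODE NAME
chrome    2455 username   17u   REG   0,16    16384     0 123456 /dev/shm/.com.google.Chrome.abcdef (deleted)
chrome    2455 username   20u   REG    8,1     8192     0 111111 /home/username/.cache/google-chrome/Default/Cache/f_000123 (deleted)
chrome    2455 username  mem    REG    8,1  1234567     0 987654 /opt/google/chrome/chrome (deleted)
someproc  3120 username  txt    REG    8,1    45678     0 654321 /home/username/bin/someproc (deleted)
"""

# Locations that are unlinked-by-design: POSIX shared memory, memfd, tmp files.
EXPECTED_PREFIXES = ("/dev/shm/", "/tmp/", "/run/", "memfd:")

def parse_lsof_l1(text):
    """Yield one dict per data row of `lsof +L1` output.

    With +L lsof prints ten columns; only NAME may contain spaces, so split at
    most nine times. Rows lacking all ten columns (e.g. TYPE DEL entries with a
    blank SIZE/OFF) are skipped here; `lsof -F` field output is the robust
    choice for a production tool.
    """
    for line in text.splitlines():
        if not line or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 9)
        if len(parts) < 10:
            continue
        command, pid, user, fd, ftype, device, size, nlink, node, name = parts
        deleted = name.endswith(" (deleted)")
        path = name[: -len(" (deleted)")] if deleted else name
        yield {"command": command, "pid": int(pid), "user": user, "fd": fd,
               "type": ftype, "nlink": int(nlink), "path": path, "deleted": deleted}

def categorise(row):
    """Return the triage bucket for one unlinked open file."""
    if row["path"].startswith(EXPECTED_PREFIXES):
        return "expected"          # shared memory / tmp: normal for browsers
    if row["fd"] in ("txt", "mem"):
        # Program text or a mapped library whose file is gone. Check whether a
        # package owns the path (`dpkg -S <path>`) and whether the process
        # started before that package was upgraded; otherwise it is unexplained.
        return "deleted-binary"
    return "deleted-datafile"      # ordinary file opened, then unlinked (caches, logs)

def triage(text):
    """Group `lsof +L1` rows into buckets of (command, pid, path)."""
    buckets = {"expected": [], "deleted-binary": [], "deleted-datafile": []}
    for row in parse_lsof_l1(text):
        buckets[categorise(row)].append((row["command"], row["pid"], row["path"]))
    return buckets

if __name__ == "__main__":
    # Swap SAMPLE_LSOF_L1 for open("/tmp/lsof_L1.txt").read() on a real box.
    for bucket, rows in triage(SAMPLE_LSOF_L1).items():
        print(bucket)
        for command, pid, path in rows:
            print(f"  {command}[{pid}] {path}")
```

Run it against a saved `sudo lsof +L1 > /tmp/lsof_L1.txt` instead of the sample and read the deleted-binary bucket first; the expected bucket is what the superuser link in the next reply explains away.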
 
Old 10-17-2014, 10:22 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263
http://superuser.com/questions/50329...unted-as-tmpfs
 
Old 10-17-2014, 11:02 AM   #3
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
Thank you smallpond for your reply. I still haven't tried out the options suggested on the page you mentioned; I'll try them in a couple of minutes then post the results. Yet this doesn't explain the ghost traffic that appeared out of the blue this morning, and is still here. Usually the third graph in the shot I posted is zero, or there is no synchro traffic like this. Do you have any explanation?
 
Old 10-17-2014, 11:05 AM   #4
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
Also the strange upload bandwidth occupation by chrome: what is it uploading exactly? And to where?
 
Old 10-17-2014, 11:46 AM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
maybe this is rather a feature of chrome than anything else?
like, calling home to google to report on your browsing habits to "be able to offer optimized search results"?

how about just using a different browser?

or at least set up chrome to not use any of those wonderful "enhancements"?

esp. those "keep background processes running after closing chrome"?
 
Old 10-17-2014, 11:57 AM   #6
Ihatewindows522
Member
 
Registered: Oct 2014
Location: Fort Wayne
Distribution: Ubuntu 16.04 LTS
Posts: 616
Blog Entries: 2

Rep: Reputation: 166
Try using Chromium instead (and COMPLETELY uninstalling Chrome!!) Chromium is open source and managed by the community that uses it, so no monkey business on the part of Google.

Code:
# Chrome's Debian package is named google-chrome-stable, not "chrome"
sudo apt-get remove google-chrome-stable
# Ubuntu 14.04 ships Chromium as the chromium-browser package
sudo apt-get install chromium-browser
Also, make sure you don't have any fishy extensions. Even the simplest of things can be spyware, as proven by the flashlight apps on the Play Store.
 
Old 10-17-2014, 12:15 PM   #7
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
Please take a look at the third graph in the window screenshot I attached, and tell me is this a normal behavior of a web browser?

I mean if it was download bandwidth I would think it's a page with a buggy refresh timing, a buggy jscript, but what would make a web browser take such upload bandwidth? And to upload what? And this is no joke, I swear it, the browser is behaving this way on its own.

The option on the page posted by smallpond didn't work and it seems that it's not supported; it doesn't appear in the man page. And I've got the message that having deleted files invoked by chrome is how it goes, but still that doesn't explain the traffic behavior.
Attached: Screenshot from 2014-10-17 19:00:11.png (69.7 KB)
 
Old 10-17-2014, 12:17 PM   #8
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
This is a very nice suggestion Ihatewindows522, and a sound one too but I need to make sure my system isn't infected with any thing.
 
Old 10-17-2014, 12:24 PM   #9
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
I remember I chose chrome over chromium after a search about "chrome vs. chromium", and it led me to this page http://askubuntu.com/questions/6253/...are-the-advant, which says that both chrome and chromium have usage-tracking code, but chrome is more stable than chromium.
 
Old 10-17-2014, 12:33 PM   #10
Ihatewindows522
Member
 
Registered: Oct 2014
Location: Fort Wayne
Distribution: Ubuntu 16.04 LTS
Posts: 616
Blog Entries: 2

Rep: Reputation: 166
Quote:
Originally Posted by Prince Imhotep View Post
This is a very nice suggestion Ihatewindows522, and a sound one too but I need to make sure my system isn't infected with any thing.
Try

Code:
killall chrome
and see if the uploading stops. If it does, you can most likely just uninstall Chrome and be safe. If another process takes its place, or the Chrome process starts again, you've got deeper problems. If it is the case that you have something deeper, then you need to completely re-install, and wipe your hard drive with DBAN.

Also, what extensions do you have in Chrome?

EDIT: Come to think of it, it could be something with Ubuntu itself. Install WireShark and see where the packets are going. If they go to Amazon, get rid of Ubuntu altogether.

Last edited by Ihatewindows522; 10-17-2014 at 12:37 PM.
 
Old 10-18-2014, 04:49 AM   #11
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
Hi again, sorry for the delayed reply, I had to crash for a couple of hours.

I continued digging, and began to use iftop. I searched for a program that gives output like iftop and can pipe/redirect to txt but found no other than iftop, but a newer version, as the one included in Trusty supports nothing but ncurses output. Downloaded the latest tar ball, and compiled it.

I used this command chain to output the addresses directly while idle - without any internet client running:

Code:
sudo iftop -t | grep -ie .b | grep -ie "=" | sed -n 's/^\s*//;s/\s*=.*//;s/<//p' >> iftop.out.txt
The output is attached to the post.

What appeared in the text file are four ip addresses:
  1. all-systems.mcast.net
  2. 220-133-86-83.HINET-IP.hinet.net
  3. 192.168.1.254
  4. 224.0.0.251

The first and the last are multicast dns service calls, and I'm not fully aware yet of their importance. The third is my router's address on the lan. The second is my proof of the validity of my suspicions; it's reported to be a spammer address, one of the largest http://spam-vs-freedom.blogspot.com/...-hinetnet.html. WTF IS THAT DOING ON MY SYSTEM.

Now what should I do with that?

I will dig more and report back, any help is appreciated.

Thanks
Attached: iftop.out.txt (12.0 KB)
 
Old 10-18-2014, 05:37 AM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by Prince Imhotep View Post
Now what should I do with that?
i can only repeat previous advice that chrome is not the best choice if you are security/privacy aware.

you can also install some sort of hostsblock (this is my favorite, but there are various scripts like that) to get system-wide, browser-independent domain blocking.

i use this, and no need for adblock anymore.

ps: some very simple and basic advice about browsing habits, e.g. close your browser completely every now and then and delete all cookies and offline storage and cache. don't allow 3rd party cookies (from unknown domains).
don't blindly open all tabs from your previous session - because that just reloads all the (potentially suspicious) cookies and other content.
don't use google as your home page.

Last edited by ondoho; 10-18-2014 at 05:40 AM.
 
Old 10-18-2014, 06:19 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Prince Imhotep View Post
I continued digging, and began to use iftop.
It was suggested you use wireshark (and to that I add running 'lsof -Pwlni 2>&1>/tmp/lsof.log' as root user once). One of the reasons for running a full packet capture (tcpdump, tshark, etc, etc) is that you get the full payload which makes it easier to assess what traffic is actually sent. (Running 'lsof' gives you a netstat-like output with PID and UID.) By not following the packet capture suggestion you waste time and effort.


*Please don't change browser (and delay installing something past-millennium and crude like "hostsblock") until you've found out what's causing this traffic.
 
Old 10-19-2014, 08:14 AM   #14
Prince Imhotep
Member
 
Registered: Jan 2014
Posts: 45

Original Poster
Rep: Reputation: Disabled
Sorry for taking so long to reply but I had to learn how to set up wireshark to capture interfaces without running as root. Simple trick, but quirky and takes some time to make it.

Quote:
Originally Posted by unSpawn View Post
It was suggested you use wireshark
I hope I didn't leave the impression of not following advice; it's just that command line tools' manual pages are simple - usually - and rather straightforward to set up - even compile - and apply. I have tried to use wireshark some time ago, and couldn't make it run without being root, and I knew that time there should be some twist in the setup, and it had to be dug out, and that had to take time, etc., etc.....so I dropped it back then, because I didn't need it. This is why I opted for simple tools, which were savvy too.

Now that I have wireshark up and running, I don't know how to use it, or how can it be useful in the current situation?...further help is needed.

Quote:
Originally Posted by unSpawn View Post
Running 'lsof' gives you a netstat-like output with PID and UID.
The output of lsof is of limited use, because it doesn't show the ip address/dns resolution of the remote source/destination, it just shows an asterisk.

Quote:
Originally Posted by unSpawn View Post
*Please don't change browser (and delay installing something past-millennium and crude like "hostsblock") until you've found out what's causing this traffic.
This is how I'm thinking too, I have to know first to what extent the creepy stuff has infested my system, and how. And that doesn't mean I won't follow advice; it's just that I need to make sure.
 
Old 10-19-2014, 12:06 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Prince Imhotep View Post
Now that I have wireshark up and running, I don't know how to use it, or how can it be useful in the current situation?...further help is needed.
Load your packet capture then head over to:
- Statistics > Summary: check the average packets/sec, MBit/sec and see if that's reason for concern,
- Statistics > Protocol Hierarchy: this shows you what the most used protocol will be,
- Analyse > Expert Info: see the "chats" tab and select "count" to get an idea what most of the requests are (if any).
Finally selecting a line in the packet list pane will show its protocol contents and payload in the other two panes.
*Should you think it beneficial to share your packet capture then please contact me via email.


Quote:
Originally Posted by Prince Imhotep View Post
The output of lsof is of limited use, because it doesn't show the ip address/dns resolution of the remote source/destination, it just shows an asterisk.
IMHO one should avoid using address resolution when using command line tools until it's absolutely necessary as it takes time. Usually there's a "-n" switch to prohibit it. And I'd rather see the output of (sudo) 'lsof -Pwlni 2>&1>/tmp/lsof.log' for myself if you don't mind.
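Post #11 sorted four addresses from iftop into multicast, LAN and one public host by hand, and post #15 asks for `lsof -Pwlni` output, whose asterisk entries (`*:5353`) are wildcard local binds with no peer rather than hidden remotes. As an added example that is not part of the thread, the script below reads saved `lsof -Pwlni` output (captured with e.g. `sudo lsof -Pwlni >/tmp/lsof.log 2>&1`), parses the NAME column into local and remote endpoints, classifies each peer with the stdlib ipaddress module the way post #11 did by eye, and lists the per-process sockets that reach a globally routable address. The sample rows, PIDs, UIDs and the local address 192.168.1.5 are constructed; with `-l` the USER column is numeric, which the sample reflects.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `sudo lsof -Pwlni` output. The peers mirror the
# thread (HiNet host, router at 192.168.1.254, mDNS multicast 224.0.0.251);
# everything else is hypothetical.
SAMPLE_LSOF_I = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae  812   111   12u  IPv4  14210      0t0  UDP *:5353
chrome    2455  1000   45u  IPv4  56789      0t0  TCP 192.168.1.5:44320->220.133.86.83:443 (ESTABLISHED)
chrome    2455  1000   60u  IPv4  56790      0t0  UDP *:5353
chrome    2455  1000   61u  IPv4  56791      0t0  UDP 192.168.1.5:49152->224.0.0.251:5353
chrome    2455  1000   62u  IPv4  56792      0t0  TCP 192.168.1.5:44321->192.168.1.254:80 (ESTABLISHED)
sshd      1023     0    3u  IPv4   9876      0t0  TCP *:22 (LISTEN)
"""

def classify(host):
    """Label a peer address the way the thread's four addresses were sorted."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"   # a hostname slipped through; lsof -n avoids that
    if addr.is_multicast:
        return "multicast"    # 224.0.0.251 (mDNS), 224.0.0.1 (all-systems.mcast.net)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"      # LAN peers such as the router
    if addr.is_global:
        return "public"       # the only class that can be an Internet peer
    return "other"

def split_hostport(endpoint):
    """'192.168.1.5:44320' -> ('192.168.1.5', 44320); also '[::1]:443' and '*:5353'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_lsof_i(text):
    """Yield one dict per socket row of `lsof -Pwlni` output."""
    for line in text.splitlines():
        if not line or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)   # NAME is the only column with spaces
        if len(parts) < 9:
            continue
        command, pid, uid, fd, ftype, device, size, proto, name = parts
        state = None
        if name.endswith(")") and " (" in name:
            name, state = name[:-1].rsplit(" (", 1)   # "(ESTABLISHED)", "(LISTEN)"
        local, arrow, remote = name.partition("->")
        # Rows like "UDP *:5353" have no "->": the asterisk is a wildcard
        # local bind, so there is no peer for lsof to print.
        yield {"command": command, "pid": int(pid), "uid": int(uid), "proto": proto,
               "local": split_hostport(local),
               "remote": split_hostport(remote) if arrow else (None, None),
               "state": state,
               "peer_class": classify(split_hostport(remote)[0]) if arrow else "no-peer"}

def public_peers(text):
    """Sorted (command, pid, uid, host, port, proto) tuples with a public peer."""
    found = set()
    for row in parse_lsof_i(text):
        if row["peer_class"] == "public":
            found.add((row["command"], row["pid"], row["uid"], *row["remote"], row["proto"]))
    return sorted(found)

def per_process_summary(text):
    """Map (command, pid) -> {peer class: socket count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in parse_lsof_i(text):
        summary[(row["command"], row["pid"])][row["peer_class"]] += 1
    return {key: dict(counts) for key, counts in summary.items()}

if __name__ == "__main__":
    # Replace SAMPLE_LSOF_I with open("/tmp/lsof.log").read() on a real box.
    for key, counts in per_process_summary(SAMPLE_LSOF_I).items():
        print(key, counts)
    for peer in public_peers(SAMPLE_LSOF_I):
        print("public peer:", peer)
```

The public_peers list is the short list to carry into the packet capture: a PID and port pair tells you which Wireshark conversation (Statistics > Conversations, filtered on that port) belongs to the process in question, while multicast and LAN rows can be set aside as local service discovery and router traffic.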
Tags
attack, crack, google chrome, lsof, traffic