LinuxQuestions.org
Old 05-17-2019, 04:39 AM   #1
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Rep: Reputation: 25
Weird netstat output


Hi guys,

I have recently been hacked by my last two ISPs (long story to explain here, but believe it or not, they've been installing malware, trojans and keyloggers in my PC). Now, I've been checking my netstat output and this is what I get with "netstat -a":

Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address               State      
tcp        0      0 localhost:domain        0.0.0.0:*                     LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*                     LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*                     LISTEN     
tcp        0      0 DESKTOP-P5JSNTM:38244   <some_remote_address_here>    ESTABLISHED
tcp        0      0 DESKTOP-P5JSNTM:52770   <some_remote_address_here>    ESTABLISHED
tcp        0      0 DESKTOP-P5JSNTM:56836   <some_remote_address_here>    ESTABLISHED
tcp        0      0 DESKTOP-P5JSNTM:38254   <some_remote_address_here>    ESTABLISHED
tcp        0      0 DESKTOP-P5JSNTM:37410   <some_remote_address_here>    ESTABLISHED
(snipped)
Now, the weird thing is that my linux box name is NOT "DESKTOP-P5JSNTM" (it seems to be a Windows installation name, actually). I guess the local address should be the one that shows up on the CLI, right? (For instance "username@username-X301FG").

What could be the explanation for this weird netstat output? Also, is there a way to get the MAC address of this "DESKTOP-P5JSNTM" PC (whatever it is)?

Thanks in advance for any help!

Last edited by jazzy_mood; 05-17-2019 at 04:41 AM.
 
Old 05-17-2019, 05:32 AM   #2
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 231

Rep: Reputation: Disabled
Try netstat -an to get the IPs of your connections.

If you want to resolve DESKTOP-P5JSNTM, use the command getent hosts DESKTOP-P5JSNTM

Use the command arp -n to get the MAC associated with that IP in your ARP table. It may not be in your PATH. If it doesn't work, try /sbin/arp -n or /usr/sbin/arp -n

I have a hard time believing your ISP hacked you. I don't know about your local laws, but that would be a crime under the Computer Fraud and Abuse Act in the US. It can get you prison time in the states. Read up on Kevin Mitnick if you don't believe me. If it is true, have you informed the appropriate law enforcement agency?

Last edited by tyler2016; 05-17-2019 at 11:25 AM. Reason: Typed stuff in wrong window
 
3 members found this post helpful.
Old 05-17-2019, 11:04 AM   #3
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30
Posts: 160

Rep: Reputation: Disabled
I don't think your ISP hacked you either. Not only would the spontaneous and malicious nature of such a move be a crime as was pointed out, but your hard drive data (assuming you're not involved in illegal activities yourself) just isn't interesting enough to a provider that likely has to watch many petabytes of data go back-and-forth through their servers each day.

Have you checked /etc/hosts to see if you can find that name anywhere?

Last edited by RickDeckard; 05-17-2019 at 11:09 AM.
 
2 members found this post helpful.
Old 05-17-2019, 11:52 AM   #4
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Exactly - ISPs have better things to do than hack their customers.
 
1 members found this post helpful.
Old 05-17-2019, 12:04 PM   #5
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by tyler2016 View Post
Try netstat -an to get the IPs of your connections.

If you want to resolve DESKTOP-P5JSNTM, use the command getent hosts DESKTOP-P5JSNTM

Use the command arp -n to get the MAC associated with that IP in your ARP table. It may not be in your PATH. If it doesn't work, try /sbin/arp -n or /usr/sbin/arp -n

I have a hard time believing your ISP hacked you. I don't know about your local laws, but that would be a crime under the Computer Fraud and Abuse Act in the US. It can get you prison time in the states. Read up on Kevin Mitnick if you don't believe me. If it is true, have you informed the appropriate law enforcement agency?
Well, this is the weird part, running netstat -an returns 192.168.1.129 as my local address (which is my local IP as returned by ifconfig -a). However, arp -n returns my router's IP and MAC address:

Code:
arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   c8:d1:2a:c7:e7:b8   C                     wlp2s0
Not sure if this is the expected result. Anyway, the "DESKTOP-P5JSNTM" part of the netstat command (instead of my own linux install name) does seem VERY strange. Any clues?

Last edited by jazzy_mood; 05-17-2019 at 12:09 PM.
 
Old 05-17-2019, 12:15 PM   #6
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Does this network have wireless access points or a router? Possibly it could be a neighbor that cracked or guessed your wifi password and is on your network. Would explain the appearance of a strange computer on your network.
 
Old 05-17-2019, 12:26 PM   #7
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by sevendogsbsd View Post
Does this network have wireless access points or a router? Possibly it could be a neighbor that cracked or guessed your wifi password and is on your network. Would explain the appearance of a strange computer on your network.
It's a modem-router (provided by my ISP). It's a wireless AP, but the list of connected clients when I enter the router's configuration page are my laptop and my cellphone. Anyway, I'm just curious about this.

(And yes, my previous ISP hacked me. It's a long story to mention it here, but it happened... Crazy stuff :|).
 
Old 05-17-2019, 12:29 PM   #8
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 231

Rep: Reputation: Disabled
what is the output of
Code:
getent hosts DESKTOP-P5JSNTM
 
Old 05-17-2019, 12:38 PM   #9
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by tyler2016 View Post
what is the output of
Code:
getent hosts DESKTOP-P5JSNTM
Well, it doesn't return anything; it just brings me back to the prompt.

I'm almost sure this is something going on between my previous and my current ISP (maybe some sniffer in the line since it's just plain ADSL, not optical fiber), but I was just curious.
 
Old 05-17-2019, 12:45 PM   #10
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
As in they are conspiring together to sniff your traffic?
 
Old 05-17-2019, 02:19 PM   #11
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by sevendogsbsd View Post
As in they are conspiring together to sniff your traffic?
Yes, something like that (it's a long and unreal story). They can sniff my traffic without anything else anyway, because all my traffic goes through their servers. Maybe the modem-router itself is the sniffer, I don't know. I'm just curious about the technical part of this.
 
Old 05-18-2019, 03:41 AM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 12,476
Blog Entries: 9

Rep: Reputation: 3377
Quote:
Originally Posted by jazzy_mood View Post
running netstat -an returns 192.168.1.129 as my local address (which is my local IP as returned by ifconfig -a). However, arp -n returns my router's IP and MAC address
maybe your router has that "windows-like label" stored somewhere?
the IP is local, that sounds good enough to me?
 
Old 05-18-2019, 07:08 AM   #13
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by ondoho View Post
maybe your router has that "windows-like label" stored somewhere?
the IP is local, that sounds good enough to me?
Yes, maybe the Windows naming format is something related to the router, but shouldn't netstat -a return my linux install name?

By the way, I executed netstat -a again after booting my PC and it returned my local box name this time (the name after the '@' symbol on the CLI prompt). A few minutes later I executed it again and it returned "DESKTOP-P5JSNTM". Weird stuff. I guess someone around is playing naughty games.
 
Old 05-18-2019, 07:29 AM   #14
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
What does the DHCP lease table/list look like in your router? What puzzles me is that Linux picks up a host name but your router does not. What type of PC do you have, laptop?
Code:
netstat -a
on my box (albeit FreeBSD) only returns my host name. I ask about your PC because if it is a laptop, it more than likely used to be Windows. Perhaps there is a name in the BIOS/UEFI that is getting picked up. Grasping at straws there.

Have you set a host name in your Linux box?

The LEAST likely explanation is that your ISP hacked you. That is about as likely as winning the lotto. An individual at the ISP may have, but that is also unlikely. If you are a criminal and are under surveillance, that is also a possibility, but you haven't mentioned whether you are a criminal. Corporations could care less about individuals. There are 2 other possible scenarios but out of respect, I will not mention them.

Likely scenarios are going to be technical: someone is on your network, or there is some sort of host name somehow tied to your PC that you are unaware of.
 
Old 05-18-2019, 10:24 AM   #15
jazzy_mood
Member
 
Registered: Mar 2019
Posts: 41

Original Poster
Rep: Reputation: 25
Quote:
Originally Posted by sevendogsbsd View Post
What does the DHCP lease table/list look like in your router? What puzzles me is that Linux picks up a host name but your router does not. What type of PC do you have, laptop?
Code:
netstat -a
on my box (albeit FreeBSD) only returns my host name. I ask about your PC because if it is a laptop, it more than likely used to be Windows. Perhaps there is a name in the BIOS/UEFI that is getting picked up. Grasping at straws there.

Have you set a host name in your Linux box?
Yes, it's a laptop (dual booting Windows 10 and Linux). I haven't manually set a hostname in my Linux box, but it was set automatically while installing, I guess. This is part of the contents of /etc/hosts:

Code:
cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	<my_linux_box_name>
The <my_linux_box_name> is the same hostname that appears after the '@' symbol on the CLI.

And this is the contents of the router's lease table:

Code:
1	N/A	192.168.1.128	<my_phone_MAC_address_here>	2days 20:28:2
2	<my_linux_box_name>	192.168.1.129	<my_MAC_address_here>	2days 21:11:45
3	<some_android_hostname>	192.168.1.130	<some_MAC_address_here>	1days 13:42:31
Hmm, definitely something looks weird here. I only have one android device (the first one), and the third device is not mine. I guess I have to check my router settings and restrict the number of devices that can connect.


Quote:
Originally Posted by sevendogsbsd View Post
The LEAST likely explanation is that your ISP hacked you. That is about as likely as winning the lotto. An individual at the ISP may have, but that is also unlikely. If you are a criminal and are under surveillance, that is also a possibility, but you haven't mentioned whether you are a criminal. Corporations could care less about individuals. There are 2 other possible scenarios but out of respect, I will not mention them.
I'm a very dangerous criminal and that's why my ISPs are hacking me but don't tell anyone. Seriously though, there were indeed some security incidents with my previous ISP (it's not worth delving into details) and (I guess) it's all being sorted out now between my previous and my current ISP, so yes, definitely the router is somehow taking over my linux box (either itself or through this third unknown device on the lease table). What I'd like to know is what is really going on in the background (i.e. the technical details, and what they can access and do while I'm using my Linux install).

Any clues?
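
Added example (not part of any post in this thread): post #15 finds a lease-table entry that matches none of the poster's devices. The sh function below automates that comparison, assuming the router's lease table is pasted as tab-separated lines in the column order shown in that post; `unknown_leases` is a hypothetical helper name and every MAC address and hostname in it is a constructed sample value.

```shell
#!/bin/sh
# Flag DHCP leases whose MAC address is not on a list of devices you own.
# Assumed lease line layout (as in the router table quoted in the thread):
#   index <TAB> hostname <TAB> IP <TAB> MAC <TAB> remaining lease time

# Constructed sample data: two known devices, three leases.
KNOWN_MACS='aa:bb:cc:00:00:01 AA:BB:CC:00:00:02'
SAMPLE_LEASES=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  1 N/A            192.168.1.128 aa:bb:cc:00:00:01 '2days 20:28:2' \
  2 mylinuxbox     192.168.1.129 aa:bb:cc:00:00:02 '2days 21:11:45' \
  3 android-sample 192.168.1.130 AA-BB-CC-00-00-99 '1days 13:42:31')

# unknown_leases KNOWN LEASES
#   KNOWN  : whitespace-separated MAC addresses (any letter case)
#   LEASES : lease table text, one tab-separated lease per line
# Prints "IP MAC HOSTNAME" for each lease whose MAC is not in KNOWN.
unknown_leases() {
  printf '%s\n' "$2" | KNOWN=$1 awk -F '\t' '
    BEGIN {
      # Build a lookup table of known MACs, normalised to lower case.
      n = split(tolower(ENVIRON["KNOWN"]), list, /[ \t\n]+/)
      for (i = 1; i <= n; i++)
        if (list[i] != "") ok[list[i]] = 1
    }
    NF >= 4 {
      mac = tolower($4)
      gsub(/-/, ":", mac)   # routers may print aa-bb-... instead of aa:bb:...
      if (!(mac in ok))
        print $3, mac, $2
    }'
}

# Stand-alone run on the constructed sample.
unknown_leases "$KNOWN_MACS" "$SAMPLE_LEASES"
```

An unknown MAC on the lease table is worth following up by changing the Wi-Fi passphrase and re-checking the table after all of your own devices have reconnected.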
 
  

