Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have recently been hacked by my last two ISPs (long story to explain here, but believe it or not, they've been installing malware, trojans and keyloggers in my PC). Now, I've been checking my netstat output and this is what I get with "netstat -a":
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 DESKTOP-P5JSNTM:38244 <some_remote_address_here> ESTABLISHED
tcp 0 0 DESKTOP-P5JSNTM:52770 <some_remote_address_here> ESTABLISHED
tcp 0 0 DESKTOP-P5JSNTM:56836 <some_remote_address_here> ESTABLISHED
tcp 0 0 DESKTOP-P5JSNTM:38254 <some_remote_address_here> ESTABLISHED
tcp 0 0 DESKTOP-P5JSNTM:37410 <some_remote_address_here> ESTABLISHED
(snipped)
Now, the weird thing is that my linux box name is NOT "DESKTOP-P5JSNTM" (it seems to be a Windows installation name, actually). I guess the local address should be the one that shows up on the CLI, right? (For instance "username@username-X301FG").
What could be the explanation for this weird netstat output? Also, is there a way to get the MAC address of this "DESKTOP-P5JSNTM" PC (whatever it is)?
Thanks in advance for any help!
Last edited by jazzy_mood; 05-17-2019 at 04:41 AM.
Try netstat -an to get the IPs of your connections.
If you want to resolve DESKTOP-P5JSNTM, use the command getent hosts DESKTOP-P5JSNTM.
Use the command arp -n to get the MAC associated with that IP in your ARP table. It may not be in your PATH; if it doesn't work, try /sbin/arp -n or /usr/sbin/arp -n.
I have a hard time believing your ISP hacked you. I don't know about your local laws, but that would be a crime under the Computer Fraud and Abuse Act in the US. It can get you prison time in the States. Read up on Kevin Mitnick if you don't believe me. If it is true, have you informed the appropriate law enforcement agency?
Last edited by tyler2016; 05-17-2019 at 11:25 AM.
Reason: Typed stuff in wrong window
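Added example, not code from any poster in this thread: it shows why the two netstat forms can disagree. With -a, netstat hands every address to the system resolver (/etc/hosts, then DNS, in nsswitch.conf order) and prints whatever name comes back, so the "local address" column shows the resolver's answer for 192.168.1.129, not the output of hostname. A home router that serves its DHCP client names over DNS is one place such an answer can come from, which is why the DHCP lease table is worth a look. The script below parses netstat -an output, repeats that lookup for each local IP, and flags any name that is not this machine's hostname. The sample listing, the resolver table and the hostname "username-X301FG" (taken from the prompt the original poster quotes) are all constructed; passing no resolver uses the real one.

```python
import socket

# Constructed sample of `netstat -an` output (numeric form). It mirrors the
# shape of the listing in the thread, but the addresses are made up.
SAMPLE_NETSTAT_AN = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.129:38244     203.0.113.10:443        ESTABLISHED
tcp        0      0 192.168.1.129:52770     198.51.100.7:443        ESTABLISHED
"""

# Constructed stand-in for a router DNS that serves DHCP client names: it
# answers the laptop's IP with a name that is not the Linux hostname.
FAKE_RDNS = {"192.168.1.129": "DESKTOP-P5JSNTM", "127.0.0.1": "localhost"}

# Constructed local hostname, matching the prompt quoted in the thread.
LINUX_HOSTNAME = "username-X301FG"


def parse_netstat(text):
    """Parse the tcp/udp lines of `netstat -an` into dicts with ip and port split."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, header, or a socket family we do not handle
        local_ip, _, local_port = parts[3].rpartition(":")
        foreign_ip, _, foreign_port = parts[4].rpartition(":")
        rows.append({
            "proto": parts[0],
            "local_ip": local_ip, "local_port": local_port,
            "foreign_ip": foreign_ip, "foreign_port": foreign_port,
            "state": parts[5] if len(parts) > 5 else "",
        })
    return rows


def reverse_lookup(ip, resolver=None):
    """Do what `netstat -a` does before printing an address: ask the resolver
    for a name. Returns None when there is no answer. `resolver` may be a
    dict (offline testing) or None to use the real system resolver."""
    if resolver is not None:
        return resolver.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def find_name_mismatches(text, local_hostname, resolver=None):
    """Return [(ip, resolved_name)] for each distinct non-loopback local IP
    whose reverse-resolved short name differs from this machine's hostname."""
    mismatches = []
    seen = set()
    own = local_hostname.split(".")[0].lower()
    for row in parse_netstat(text):
        ip = row["local_ip"]
        if ip in seen or ip.startswith("127.") or ip in ("::1", "0.0.0.0", "::"):
            continue
        seen.add(ip)
        name = reverse_lookup(ip, resolver)
        if name is not None and name.split(".")[0].lower() != own:
            mismatches.append((ip, name))
    return mismatches


if __name__ == "__main__":
    # Offline demonstration with the constructed resolver. On a real box, read
    # `netstat -an` output from stdin, pass socket.gethostname(), and drop the
    # resolver argument so the system resolver is consulted.
    for ip, name in find_name_mismatches(SAMPLE_NETSTAT_AN, LINUX_HOSTNAME, FAKE_RDNS):
        print(f"{ip} resolves to {name!r}, which is not this host's name {LINUX_HOSTNAME!r}")
```

When the real resolver is used, the same mismatch can be reproduced by hand with getent hosts 192.168.1.129, which goes through the same lookup path; if that returns a name that is not in /etc/hosts, the name is coming from whatever DNS server the laptop is configured to use.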
I don't think your ISP hacked you either. Not only would the spontaneous and malicious nature of such a move be a crime as was pointed out, but your hard drive data (assuming you're not involved in illegal activities yourself) just isn't interesting enough to a provider that likely has to watch many petabytes of data go back-and-forth through their servers each day.
Have you checked /etc/hosts to see if you can find that name anywhere?
Last edited by RickDeckard; 05-17-2019 at 11:09 AM.
Well, this is the weird part: running netstat -an returns 192.168.1.129 as my local address (which is my local IP as returned by ifconfig -a). However, arp -n returns my router's IP and MAC address:
Not sure if this is the expected result. Anyway, the "DESKTOP-P5JSNTM" part of the netstat command (instead of my own linux install name) does seem VERY strange. Any clues?
Last edited by jazzy_mood; 05-17-2019 at 12:09 PM.
Does this network have wireless access points or a router? Possibly it could be a neighbor who cracked or guessed your wifi password and is on your network. That would explain the appearance of a strange computer on your network.
It's a modem-router (provided by my ISP). It's a wireless AP, but the list of connected clients when I enter the router's configuration page is my laptop and my cellphone. Anyway, I'm just curious about this.
(And yes, my previous ISP hacked me. It's too long a story to tell here, but it happened... Crazy stuff :|).
Well, it doesn't return anything; it just brings me back to the prompt.
I'm almost sure this is something going on between my previous and my current ISP (maybe some sniffer in the line since it's just plain ADSL, not optical fiber), but I was just curious.
As in they are conspiring together to sniff your traffic?
Yes, something like that (it's a long and unreal story). They can sniff my traffic without anything else anyway, because all my traffic goes through their servers. Maybe the modem-router itself is the sniffer, I don't know. I'm just curious about the technical part of this.
Quote:
Originally Posted by jazzy_mood
running netstat -an returns 192.168.1.129 as my local address (which is my local IP as returned by ifconfig -a). However, arp -n returns my router's IP and MAC address
maybe your router has that "windows-like label" stored somewhere?
the IP is local, that sounds good enough to me?
Yes, maybe the Windows naming format is something related to the router, but shouldn't netstat -a return my linux install name?
By the way, I executed netstat -a again after booting my PC and it returned my local box name this time (the name after the '@' symbol on the CLI prompt). A few minutes later I executed it again and it returned "DESKTOP-P5JSNTM". Weird stuff. I guess someone around is playing naughty games.
What does the DHCP lease table/list look like in your router? What puzzles me is that Linux picks up a host name but your router does not. What type of PC do you have, laptop?
Code:
netstat -a
on my box (albeit FreeBSD) only returns my host name. I ask about your PC because if it is a laptop, it more than likely used to be Windows. Perhaps there is a name in the BIOS/UEFI that is getting picked up. Grasping at straws there.
Have you set a host name in your Linux box?
The LEAST likely explanation is that your ISP hacked you. That is about as likely as winning the lotto. An individual at the ISP may have, but that is also unlikely. If you are a criminal and are under surveillance, that is also a possibility, but you haven't mentioned whether you are a criminal. Corporations could care less about individuals. There are 2 other possible scenarios but out of respect, I will not mention them.
Likely scenarios are going to be technical: someone is on your network, or there is some sort of host name somehow tied to your PC that you are unaware of.
Yes, it's a laptop (dual booting Windows 10 and Linux). I haven't manually set a hostname in my Linux box, but it was set automatically while installing, I guess. This is part of the contents of /etc/hosts:
Hmm, definitely something looks weird here. I only have one Android device (the first one), and the third device is not mine. I guess I have to check my router settings and restrict the number of devices that can connect.
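Added example, not code from any poster in this thread, for the "third device I don't recognise" situation above. It parses the arp -n output the earlier reply suggested, flags neighbours whose MAC is not in an inventory of devices you expect on the LAN, and compares the table against a saved baseline so that a changed MAC for a known IP (the gateway in particular) stands out. The sample table, the inventory and the baseline are constructed; the MACs use locally administered addresses so they match no real vendor.

```python
# Constructed sample of `arp -n` output (net-tools format). The router and
# the phone are the "known" entries; the third host stands in for a device
# the owner does not recognise. The last line is an IP that was queried but
# never answered, which arp shows as (incomplete).
SAMPLE_ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   02:00:00:aa:bb:01   C                     wlan0
192.168.1.50             ether   02:00:00:aa:bb:02   C                     wlan0
192.168.1.77             ether   02:00:00:aa:bb:03   C                     wlan0
192.168.1.200                    (incomplete)                              wlan0
"""

# Constructed inventory of the devices expected on this LAN, keyed by MAC.
KNOWN_DEVICES = {
    "02:00:00:aa:bb:01": "ISP modem-router",
    "02:00:00:aa:bb:02": "Android phone",
}

# Constructed baseline recorded on an earlier run: ip -> mac.
BASELINE = {"192.168.1.1": "02:00:00:aa:bb:01"}


def parse_arp(text):
    """Parse `arp -n` into (ip, mac, iface) tuples, skipping the header line
    and incomplete entries (no hardware address to report)."""
    neighbours = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3 or "(incomplete)" in line:
            continue
        ip, mac, iface = parts[0], parts[2].lower(), parts[-1]
        neighbours.append((ip, mac, iface))
    return neighbours


def unknown_neighbours(text, known):
    """Return [(ip, mac)] for neighbours whose MAC is not in the inventory."""
    return [(ip, mac) for ip, mac, _ in parse_arp(text) if mac not in known]


def changed_macs(text, baseline):
    """Return [(ip, old_mac, new_mac)] for IPs whose MAC differs from the
    saved baseline. A changed gateway MAC is worth checking before assuming
    the router was simply replaced."""
    current = {ip: mac for ip, mac, _ in parse_arp(text)}
    return [(ip, old, current[ip])
            for ip, old in baseline.items()
            if ip in current and current[ip] != old]


if __name__ == "__main__":
    # Offline demonstration; on a real box feed `arp -n` output via stdin and
    # keep the inventory and baseline in a file you maintain by hand.
    for ip, mac in unknown_neighbours(SAMPLE_ARP_N, KNOWN_DEVICES):
        print(f"unknown device {mac} at {ip}")
    for ip, old, new in changed_macs(SAMPLE_ARP_N, BASELINE):
        print(f"{ip} changed from {old} to {new}")
```

Two caveats when reading the result: the laptop's ARP table only contains neighbours it has recently exchanged packets with, so a quiet device will not appear there at all and the router's DHCP lease table remains the more complete inventory; and phones that randomise their Wi-Fi MAC per network will show up as "unknown" until the randomised address is added to the inventory.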
Quote:
Originally Posted by sevendogsbsd
The LEAST likely explanation is that your ISP hacked you. That is about as likely as winning the lotto. An individual at the ISP may have, but that is also unlikely. If you are a criminal and are under surveillance, that is also a possibility, but you haven't mentioned whether you are a criminal. Corporations could care less about individuals. There are 2 other possible scenarios but out of respect, I will not mention them.
I'm a very dangerous criminal and that's why my ISPs are hacking me, but don't tell anyone. Seriously though, there were indeed some security incidents with my previous ISP (it's not worth delving into details) and (I guess) it's all being sorted out now between my previous and my current ISP, so yes, definitely the router is somehow taking over my linux box (either itself or through this third unknown device on the lease table). What I'd like to know is what is really going on in the background (i.e. the technical details, and what they can access and do while I'm using my Linux install).