High one way network traffic with strange addresses
Posted: Thu Sep 20, 2012 3:53 pm
by TarasMK
Hi all,
I have a WIFI connection (I have no control over the router).
When I'm connected there is strange high one-way network traffic. System monitor shows nearly 500KB/s with no network application running.
I tried to discover which process deals with it but with no success. The only information I was able to receive is from 'jnettop'. It looks like this:
Code:
LOCAL <-> REMOTE TXBPS RXBPS TOTALDPC
(IP) PORT PROTO (IP) PORT TX RX TOTAL
10.0.0.101 <-> 239.0.0.43 554K/s 0b/s 554K/s
10.0.0.101 49152 UDP 239.0.0.43 1234 78.4M 0b 78.4M
I couldn't get any info about the process involved in it though.
What does it mean and how can this be stopped?
I have LMDE installed.
Re: High one way network traffic with strange addresses
Posted: Fri Sep 21, 2012 10:37 am
by naughty_bit
Do you have sharing set up?
Re: High one way network traffic with strange addresses
Posted: Fri Sep 21, 2012 4:04 pm
by TarasMK
Do you mean samba? I didn't configure it myself. I just used the default settings. And there is a link in nautilus for the network where other computers can be seen. So I can possibly answer yes, it's been set up.
Re: High one way network traffic with strange addresses
Posted: Sat Sep 22, 2012 1:50 pm
by naughty_bit
If you haven't set up any sharing, the most probable cause unfortunately is that your machine is compromised.
Can you
and run
or otherwise just run
Also do:
and post output
Re: High one way network traffic with strange addresses
Posted: Mon Sep 24, 2012 8:00 am
by sobrus
Try using netstat or lsof to obtain process ID.
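What the netstat/lsof suggestion above does on Linux, as an added example that is not part of the thread: it finds the socket bound to the local UDP port jnettop reported (49152) in the /proc/net/udp table, then looks for the process holding that socket's inode. The sample table and the function names are constructed for illustration, and the address decoding assumes a little-endian host such as amd64.

```python
import os, socket, struct

# Constructed sample in /proc/net/udp layout; values are illustrative only.
# 6500000A:C000 is 10.0.0.101:49152 (address is hex in little-endian order).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  411: 6500000A:C000 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 48211 2 0000000000000000 0
  502: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11873 2 0000000000000000 0
"""

def parse_udp_table(text):
    """Return (local_ip, local_port, uid, inode) per socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host, so the hex word is byte-reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return rows

def sockets_on_port(text, port):
    """Unconnected UDP senders list no remote address, so match the local port."""
    return [r for r in parse_udp_table(text) if r[1] == port]

def pids_for_inode(inode, proc="/proc"):
    """PIDs with an fd pointing at socket:[inode]; root is needed for other users."""
    target = f"socket:[{inode}]"
    pids = []
    entries = os.listdir(proc) if os.path.isdir(proc) else []
    for pid in filter(str.isdigit, entries):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:                          # process exited or access denied
            continue
    return sorted(pids)

if __name__ == "__main__":
    path = "/proc/net/udp"
    table = open(path).read() if os.path.exists(path) else SAMPLE
    for ip, port, uid, inode in sockets_on_port(table, 49152):
        print(ip, port, "uid", uid, "inode", inode, "pids", pids_for_inode(inode))
```

An empty result while the traffic is flowing means no local socket is bound to that port; an empty PID list for a matching inode usually means the script was not run as root.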
Re: High one way network traffic with strange addresses
Posted: Mon Sep 24, 2012 2:20 pm
by TarasMK
Traffic mentioned before suddenly stopped.
chkrootkit gave mostly 'not found' and 'not infected'. The only things that differ are:
Code:
...
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path /usr/lib/pymodules/python2.6/.path /usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo /usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.26/.systemPrefs
...
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[2407], /sbin/dhclient[12522])
...
lsof -i didn't show anything unusual either, but without that traffic it doesn't mean anything.
Re: High one way network traffic with strange addresses
Posted: Mon Sep 24, 2012 2:23 pm
by TarasMK
sobrus wrote: Try using netstat or lsof to obtain process ID.
I tried netstat, it didn't show any info about ip and port reported by jnettop.
Re: High one way network traffic with strange addresses
Posted: Mon Sep 24, 2012 3:10 pm
by naughty_bit
Netstat is deprecated anyway, lsof should suffice.
What you listed is nothing to worry about. Install rkhunter too, run the update first and then a full scan. See --help.
Are you running default installation?
Did you enable ufw, since you're using the router out of your control? gufw for gui.
Re: High one way network traffic with strange addresses
Posted: Tue Sep 25, 2012 2:21 pm
by TarasMK
Thanks for the advice.
rkhunter didn't find anything either.
Yes, I'm mostly on the default installation; I tried to make minimal changes to the main system. But my system was installed 2 years ago and has gone through all upgrades. It works nicely, and even got through the GNOME update.
ufw is in its default state, i.e. turned off. Now I should turn it on.
That traffic has been gone for several days. Maybe there was some other computer on the network that caused it.
So for now this question can be put aside.
And now, thank you all for the help.