High one way network traffic with strange addresses

Postby TarasMK on Thu Sep 20, 2012 3:53 pm

Hi all,
I have a WIFI connection (I have no control over router).
When I'm connected there is strange, high, one-way network traffic. System monitor shows nearly 500KB/s even without any network application running.

I tried to discover which process deals with it but with no success. The only information I was able to receive is from 'jnettop'. It looks like this:
LOCAL <-> REMOTE                                              TXBPS    RXBPS    TOTALDPC
 (IP)                      PORT   PROTO   (IP)        PORT      TX      RX      TOTAL
10.0.0.101 <-> 239.0.0.43                                     554K/s    0b/s     554K/s
 10.0.0.101                49152   UDP   239.0.0.43  1234      78.4M    0b       78.4M

I couldn't get any info about the process involved in it, though.

What does it mean, and how can this be stopped?

I have LMDE installed.
TarasMK
Level 1
Posts: 19
Joined: Fri Nov 12, 2010 3:40 pm

Re: High one way network traffic with strange addresses

Postby naughty_bit on Fri Sep 21, 2012 10:37 am

Do you have sharing set up?
naughty_bit
Level 1
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: High one way network traffic with strange addresses

Postby TarasMK on Fri Sep 21, 2012 4:04 pm

Do you mean samba? I didn't configure it myself, just used the default settings. And there is a link in nautilus for the network where other computers can be seen. So I can probably answer yes, it's been set up.
TarasMK
Level 1
Posts: 19
Joined: Fri Nov 12, 2010 3:40 pm

Re: High one way network traffic with strange addresses

Postby naughty_bit on Sat Sep 22, 2012 1:50 pm

If you haven't set up any sharing, the most probable cause, unfortunately, is that your machine is compromised.

Can you
sudo apt-get install chkrootkit
and run
sudo chkrootkit bindshell

or otherwise just run
sudo chkrootkit

Also do:
sudo lsof -i

and post the output.
naughty_bit
Level 1
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: High one way network traffic with strange addresses

Postby sobrus on Mon Sep 24, 2012 8:00 am

Try using netstat or lsof to obtain the process ID.
sobrus
Level 2
Posts: 87
Joined: Thu Aug 30, 2012 1:36 am
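Editor's note, added here and not written by any of the posters: the two replies above suggest lsof or netstat to map the flow to a process, which only works if a local socket owns it. The script below shows the check a responder would do by hand. It parses the jnettop detail line quoted in the first post (sample input constructed from that post), classifies the remote address with Python's ipaddress module (239.0.0.0/8 lies inside the 224.0.0.0/4 multicast range), looks for a UDP socket bound to the local port in /proc/net/udp (a constructed sample in that file's format is embedded so the script runs offline), and, on a live Linux host, walks /proc/<pid>/fd to name the owning process. The /proc formats and the jnettop column order are the only assumptions; the inode, PIDs and addresses in the sample data are made up.

```python
import ipaddress
import os

# Constructed sample: the per-connection detail line from jnettop as quoted in
# the opening post (local_ip local_port proto remote_ip remote_port tx rx total).
SAMPLE_JNETTOP_LINE = (
    " 10.0.0.101                49152   UDP   239.0.0.43  1234      78.4M    0b       78.4M"
)

# Constructed sample in the format of /proc/net/udp. Addresses are little-endian
# hex IPv4 followed by a hex port; the inode is column 10. The first row is a
# socket bound to 0.0.0.0:49152 (inode 12345, made up), the second a DNS resolver.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:C000 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12345 2 0000000000000000 0
  11: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 6789 2 0000000000000000 0
"""


def parse_jnettop_line(line):
    """Return (local_ip, local_port, proto, remote_ip, remote_port) from a jnettop detail line."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError("unexpected jnettop line: %r" % line)
    return parts[0], int(parts[1]), parts[2], parts[3], int(parts[4])


def classify_remote(ip):
    """Name the address class so the reader knows what kind of peer this is."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"   # 224.0.0.0/4; 239.0.0.0/8 is the administratively scoped part
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def _hex_to_ipv4_port(field):
    """Decode '6500000A:C000' (little-endian hex IPv4, hex port) to ('10.0.0.101', 49152)."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets)), int(port_hex, 16)


def udp_sockets_on_port(port, proc_net_udp_text):
    """Return the socket inodes of UDP sockets bound to the given local port."""
    inodes = []
    for line in proc_net_udp_text.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        _local_ip, local_port = _hex_to_ipv4_port(cols[1])
        if local_port == port:
            inodes.append(int(cols[9]))
    return inodes


def pids_owning_inode(inode, proc_root="/proc"):
    """Walk <proc_root>/<pid>/fd for 'socket:[inode]'; Linux only, unreadable pids are skipped."""
    target = "socket:[%d]" % inode
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue   # another user's process, or it exited
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(entry))
                    break
            except OSError:
                continue
    return pids


def explain_flow(line, proc_net_udp_text):
    """Combine the checks: what the remote side is and which local sockets could own the flow."""
    _lip, local_port, proto, remote_ip, _rport = parse_jnettop_line(line)
    inodes = udp_sockets_on_port(local_port, proc_net_udp_text) if proto == "UDP" else []
    return {"remote_kind": classify_remote(remote_ip), "local_port": local_port, "socket_inodes": inodes}


if __name__ == "__main__":
    print(explain_flow(SAMPLE_JNETTOP_LINE, SAMPLE_PROC_NET_UDP))
    try:
        with open("/proc/net/udp") as f:   # live check, only meaningful on the affected host
            live = udp_sockets_on_port(49152, f.read())
        for ino in live:
            print("inode %d held by pids %s" % (ino, pids_owning_inode(ino)))
    except OSError:
        pass
```

If the live check finds no socket bound to the port, no ordinary local UDP sender or receiver owns the flow and the frames are merely being observed on the interface; on a shared wireless LAN every station receives another station's multicast, which is why lsof and netstat can come back empty while jnettop still counts bytes. The one gap to keep in mind is that a process sending through a raw or packet socket would not appear in /proc/net/udp at all, so /proc/net/raw and /proc/net/packet deserve the same look before concluding nothing local is involved.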

Re: High one way network traffic with strange addresses

Postby TarasMK on Mon Sep 24, 2012 2:20 pm

Traffic mentioned before suddenly stopped.

chkrootkit gave mostly 'not found' and 'not infected'. The only things that differ are:
...
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found: 
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.7/.path /usr/lib/pymodules/python2.6/.path /usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo /usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.26/.systemPrefs
...
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[2407], /sbin/dhclient[12522])
...


lsof -i didn't show anything unusual either, but without that traffic it doesn't mean anything.
TarasMK
Level 1
Posts: 19
Joined: Fri Nov 12, 2010 3:40 pm

Re: High one way network traffic with strange addresses

Postby TarasMK on Mon Sep 24, 2012 2:23 pm

sobrus wrote: Try using netstat or lsof to obtain the process ID.

I tried netstat; it didn't show any info about the IP and port reported by jnettop.
TarasMK
Level 1
Posts: 19
Joined: Fri Nov 12, 2010 3:40 pm

Re: High one way network traffic with strange addresses

Postby naughty_bit on Mon Sep 24, 2012 3:10 pm

Netstat is deprecated anyway; lsof should suffice.

What you listed is nothing to worry about. Install rkhunter too, run the update first and then a full scan. See --help.

Are you running a default installation?
Did you enable ufw, since you're using a router that is out of your control? gufw for a GUI.
naughty_bit
Level 1
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: High one way network traffic with strange addresses

Postby TarasMK on Tue Sep 25, 2012 2:21 pm

Thanks for the advice.
rkhunter didn't find anything either.

Yes, I'm mostly on a default installation; I tried to make minimal changes to the main system. But my system was installed 2 years ago and went through all upgrades. It works nicely, even got through the gnome update :)
ufw is in its default state, i.e. turned off. Now I should turn it on.

For several days that traffic has been gone. Maybe there was some other computer in the network that caused it.
So for now this question can be put aside.

And now, thank you all for the help :)
TarasMK
Level 1
Posts: 19
Joined: Fri Nov 12, 2010 3:40 pm
