High one way network traffic with strange addresses

Archived topics about LMDE 1 and LMDE 2
TarasMK
Level 1
Posts: 19
Joined: Fri Nov 12, 2010 3:40 pm


Post by TarasMK »

Hi all,
I have a WIFI connection (I have no control over router).
When I'm connected there is strange, high, one-way network traffic. System monitor shows nearly 500 KB/s even without any network application running.

I tried to discover which process deals with it but with no success. The only information I was able to receive is from 'jnettop'. It looks like this:

LOCAL <-> REMOTE                                              TXBPS    RXBPS    TOTALDPC
 (IP)                      PORT   PROTO   (IP)        PORT      TX      RX      TOTAL
10.0.0.101 <-> 239.0.0.43                                     554K/s    0b/s     554K/s
 10.0.0.101                49152   UDP   239.0.0.43  1234      78.4M    0b       78.4M
I couldn't get any info about the process involved in it, though.

What does it mean, and how can this be stopped?

I have LMDE installed.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
naughty_bit

Re: High one way network traffic with strange addresses

Post by naughty_bit »

Do you have sharing set up?
TarasMK

Re: High one way network traffic with strange addresses

Post by TarasMK »

Do you mean Samba? I didn't configure it myself, just used the default settings. And there is a link in Nautilus for the network where other computers can be seen. So I can probably answer yes, it has been set up.
naughty_bit

Re: High one way network traffic with strange addresses

Post by naughty_bit »

If you haven't set up any sharing, the most probable cause, unfortunately, is that your machine is compromised.

Can you

sudo apt-get install chkrootkit
and run

sudo chkrootkit bindshell
or otherwise just run

sudo chkrootkit
Also do:

sudo lsof -i
and post the output.
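The two things worth checking before reaching for a rootkit scanner are what kind of address 239.0.0.43 is and which local socket, if any, accounts for the flow. Below is an added example for this thread (not code from any poster) that parses the jnettop line from the first post, classifies the remote address with Python's `ipaddress` module, works out which side of the one-way flow this host is on, and then looks for the owning process in `lsof -i -nP` output. The `lsof` sample is constructed to mirror typical LMDE defaults; the `vlc` entry in it is hypothetical, and the set of local interface addresses passed to `triage()` is an assumption you would replace with the output of `ip -4 addr`.

```python
"""Triage of a jnettop flow: classify the peer address, decide which side of
the flow this host is on, and look for a local socket that accounts for it.
Added example for this thread, not code from any poster.  Every sample string
below is constructed to mirror the thread's output, not captured live."""
import ipaddress
import re

# Constructed copy of the per-flow line jnettop printed in the first post.
JNETTOP_LINE = (" 10.0.0.101                49152   UDP   239.0.0.43  1234"
                "      78.4M    0b       78.4M")

# Constructed `lsof -i -nP` output: two innocuous default daemons plus one
# hypothetical media player bound to the stream's destination port.
LSOF_SAMPLE = """\
COMMAND      PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient   12522   root    6u  IPv4  21345      0t0  UDP *:68
avahi-dae   1501  avahi   12u  IPv4  20111      0t0  UDP *:5353
vlc         4242   user   19u  IPv4  99001      0t0  UDP *:1234
"""

FLOW_RE = re.compile(
    r"^\s*(?P<a_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<a_port>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<b_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<b_port>\d+)\s+"
    r"(?P<tx>\S+)\s+(?P<rx>\S+)\s+(?P<total>\S+)\s*$")


def parse_flow(line):
    """Return the fields of one jnettop flow line as a dict (ports as int)."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError("not a jnettop flow line: %r" % line)
    f = m.groupdict()
    f["a_port"] = int(f["a_port"])
    f["b_port"] = int(f["b_port"])
    return f


def classify_address(addr):
    """Label an IPv4 address the way a triager would read it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        if ip in ipaddress.ip_network("239.0.0.0/8"):
            # RFC 2365 administratively scoped range: site-local streams
            # (IPTV, VLC/ffmpeg casts) live here, not Internet hosts.
            return "multicast, administratively scoped (239/8)"
        if ip in ipaddress.ip_network("224.0.0.0/24"):
            return "multicast, link-local control (224.0.0/24)"
        return "multicast"
    if ip.is_private:
        return "private unicast"
    return "public unicast"


def is_zero(counter):
    """jnettop prints byte counters like '0b' or '78.4M'; True when nothing moved."""
    return re.match(r"^0(?:\.0+)?[bKMG]?$", counter) is not None


def udp_listeners(lsof_text, port):
    """(command, pid) pairs from `lsof -i -nP` output holding a UDP socket on port."""
    hits = []
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 9 or cols[7] != "UDP":        # NODE column must be UDP
            continue
        if cols[8].rsplit(":", 1)[-1] == str(port):  # NAME column ends in :port
            hits.append((cols[0], int(cols[1])))
    return hits


def triage(flow_line, local_addrs, lsof_text):
    """Explain a one-way flow: who sends, to what kind of address, and which
    local socket (if any) accounts for it.  local_addrs is the set of this
    host's own IPv4 addresses (an input the caller supplies, e.g. from ip addr)."""
    f = parse_flow(flow_line)
    if f["a_ip"] in local_addrs:
        role = "sender"                 # a local process is casting the stream
        port = f["a_port"]              # its socket uses the ephemeral source port
    else:
        role = "bystander or receiver"  # another host on the segment is sending
        port = f["b_port"]              # a receiver would bind the group port
    return {
        "peer_kind": classify_address(f["b_ip"]),
        "one_way": is_zero(f["rx"]),
        "this_host": role,
        "check_port": port,
        "owners": udp_listeners(lsof_text, port),
    }


if __name__ == "__main__":
    # Assumed local address for the demonstration; substitute your own.
    print(triage(JNETTOP_LINE, {"10.0.0.101"}, LSOF_SAMPLE))
```

Reading the result: a 239/8 peer with zero bytes coming back is a site-local multicast stream, not a command-and-control peer. If 10.0.0.101 is your own interface address, the owner of UDP/49152 is the process emitting it; if it is another host, nothing on your machine need be involved at all, because a switch or access point floods multicast to every client unless IGMP snooping is in place, and `ip maddr show dev wlan0` will tell you whether your host has even joined the group.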
sobrus

Re: High one way network traffic with strange addresses

Post by sobrus »

Try using netstat or lsof to obtain the process ID.
TarasMK

Re: High one way network traffic with strange addresses

Post by TarasMK »

Traffic mentioned before suddenly stopped.

chkrootkit gave mostly 'not found' and 'not infected'. The only things that differ are:

...
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path
/usr/lib/pymodules/python2.6/.path
/usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-6-sun.jinfo
/usr/lib/jvm/java-6-sun-1.6.0.26/.systemPrefs
...
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
wlan0: PACKET SNIFFER(/sbin/wpa_supplicant[2407], /sbin/dhclient[12522])
...
lsof -i didn't show anything unusual either, but without that traffic present it doesn't mean anything.
TarasMK

Re: High one way network traffic with strange addresses

Post by TarasMK »

sobrus wrote:Try using netstat or lsof to obtain process ID.
I tried netstat; it didn't show any info about the IP and port reported by jnettop.
naughty_bit

Re: High one way network traffic with strange addresses

Post by naughty_bit »

Netstat is deprecated anyway, lsof should suffice.

What you listed is nothing to worry about. Install rkhunter too, run the update first and then a full scan; see --help.

Are you running default installation?
Did you enable ufw, since you're using a router outside your control? gufw is the GUI.
TarasMK

Re: High one way network traffic with strange addresses

Post by TarasMK »

Thanks for the advice.
rkhunter didn't find anything either.

Yes, I'm mostly on the default installation; I tried to make minimal changes to the main system. But my system was installed 2 years ago and went through all the upgrades. It works nicely, it even got through the GNOME update :)
ufw is in its default state, i.e. turned off. Now I should turn it on.

For several days now that traffic has been gone. Maybe there was some other computer on the network that caused it.
So for now this question can be put aside.

And now, thank you all for the help :)