Hacked??

benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Hacked??

Post by benc »

Powered up the machine this morning on a decent bandwidth Ethernet DSL connection. The machine is monitored by gkrellm. I watched as the internet interface went wild with traffic. It got as high as 100kB.

I shut off the update script. The traffic continued. I turned off the interface and traffic stopped. Turn the interface on and the traffic resumes. What's the best way to troubleshoot this down?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Moem
Level 22
Posts: 16228
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Hacked??

Post by Moem »

Interface? I have no idea what you're talking about but I'll eat my hat if there were hackers involved.

Can you at least tell us what OS and exact version you're running? That would be a good start.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Pierre
Level 21
Posts: 13214
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Hacked??

Post by Pierre »

It is most unlikely that your system has been hacked.
:o
It's more likely that your "update script" is the prime issue, and was still running even though you had manually stopped it.

This is somewhat proven from when you also stopped the actual 'net connection itself.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
xenopeek
Level 25
Posts: 29588
Joined: Wed Jul 06, 2011 3:58 am

Re: Hacked??

Post by xenopeek »

I very much doubt this is a case of "hackers".

Are you on Linux Mint 18.3 and have you installed something from the Flatpak category in Software Manager? Flatpaks are updated shortly after you login and if there are updates, those would easily be more than a hundred megabytes to download.

To look at which processes have established a network connection, to what remote domain and for what service you can use the command:
ss -prtu
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Hacked??

Post by Cosmo. »

benc wrote:It got as high as 100kB.
Not more? 100 KB is flyspeck.
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

Moem wrote:Interface? I have no idea what you're talking about but I'll eat my hat if there were hackers involved.

Can you at least tell us what OS and exact version you're running? That would be a good start.


Ethernet interface. Mint/Mate 18.2.

Just got in and fired up the box. TOP shows java (running under my account) intermittently gobbling up lots of CPU. I was showing intermittent traffic on the ethernet interface in pretty good amounts before I launched Firefox. After launching Firefox, ss -prtu shows 6 connections -- all of them owned by Firefox.

How would I determine what these are:

tcp ESTAB 0 0 10.8.8.19:56712 cloudproxy10008.sucuri.net:https users:(("firefox",pid=3854,fd=63))
tcp ESTAB 0 0 10.8.8.19:37758 ec2-35-160-182-201.us-west-2.compute.amazonaws.com:https users:(("firefox",pid=3854,fd=84))


Amazon??
Pippin
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: Hacked??

Post by Pippin »

Mint forum :wink:
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

Pippin wrote:Mint forum :wink:


Does not appear to be related to the forum. When I bring up the browser, it goes to my home page -- a search engine. Opening an xterm and typing ss -prtu still shows multiple connections to amazonaws.

Here's an oddity. All the bookmarks for both versions of Firefox have just disappeared (52.5.2 & 57.0.1).
Moem
Level 22
Posts: 16228
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Hacked??

Post by Moem »

Sucuri is related to this forum, for sure. That's the firewall we're using.
Amazonaws is not Amazon the bookseller... it's a cloud hosting provider.

And the browser going to your homepage when you start it is completely expected behaviour, if that's how you've set it up. That doesn't give any indication whatsoever.

Does your gkrellm monitoring thingie show you anything interesting? I've never used it but it seems to be capable of exactly that: logging stuff that goes on.

I'm seeing no indication of hackers being in any way involved, and that's a shame; if you had any hacker friends, they could probably explain what's going on and reassure you. I have plenty of hacker friends and I can assure you that they are fine people. So I'm glad you removed the 'Hackers suck' remark from your message.
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

Moem wrote:Sucuri is related to this forum, for sure. That's the firewall we're using.
Amazonaws is not Amazon the bookseller... it's a cloud hosting provider.

And the browser going to your homepage when you start it is completely expected behaviour, if that's how you've set it up. That doesn't give any indication whatsoever.

Does your gkrellm monitoring thingie show you anything interesting? I've never used it but it seems to be capable of exactly that: logging stuff that goes on.

I'm seeing no indication of hackers being in any way involved, and that's a shame; if you had any hacker friends, they could probably explain what's going on and reassure you. I have plenty of hacker friends and I can assure you that they are fine people. So I'm glad you removed the 'Hackers suck' remark from your message.

I turned off the browser and left only an xterm running as another test. Xterm was the only app running. I then started Firefox and it went to the search engine as normal. With my browser resting at the search engine, I typed in ss -prtu in the xterm and this is 4 of the 7 entries:

tcp ESTAB 0 0 10.8.8.19:54240 a88-221-134-48.deploy.akamaitechnologies.com:http users:(("firefox",pid=7682,fd=37))
tcp ESTAB 0 0 10.8.8.19:56632 ec2-52-72-108-51.compute-1.amazonaws.com:https users:(("firefox",pid=7682,fd=70))
tcp ESTAB 0 0 10.8.8.19:56634 ec2-52-72-108-51.compute-1.amazonaws.com:https users:(("firefox",pid=7682,fd=87))
tcp ESTAB 0 0 10.8.8.19:48486 ec2-54-229-105-92.eu-west-1.compute.amazonaws.com:https users:(("firefox",pid=7682,fd=96))



Gkrellm is still showing intermittent CPU and ethernet traffic (up to 100 kBps), even if nothing is being done. It's odd. I'm beginning to think it's time to wipe and reinstall. Java being so active nags at me.
karlchen
Level 23
Posts: 18206
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Hacked??

Post by karlchen »

Hi, benc.
benc wrote:TOP shows java (running under my account) intermittently gobbling up lots of CPU.
I was showing intermittent traffic on the ethernet interface in pretty good amounts before I launched Firefox.
To the best of my knowledge there is no Java application which will be started up automatically on any Linux Mint default installation, right after the system has come up or right after you have logged in.
So I assume that you have added the corresponding Java application to your personal startup list.

Can you identify this Java application in the startup application list? Can you tell which purpose it serves? Maybe this will explain why it opens internet connections.

About the connections which are opened by Firefox: it depends on which Firefox functionality you have enabled. E.g. if you make use of Firefox Sync then of course Firefox will open a connection to the Mozilla sync server (in intervals of 10 minutes, if I remember right).

If you have enabled the Firefox functionality to protect you against fraudulent content and malicious software then Firefox will regularly contact webpages which check whether the webpages which you navigate to are on some negative lists.

If you have not explicitly disabled telemetry in Firefox then Firefox will send out anonymized status data to Mozilla in regular intervals as well.

And in order not to feed any kind of Firefox phobia by only mentioning things which Firefox might/will do, let us turn to your browser startpage, the search engine: What do you think your browser does when opening it? Well, it establishes a connection to the corresponding website. And that website may initiate more connections to business partners of your search engine provider.

Best regards,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

karlchen wrote:Hi, benc.
benc wrote:TOP shows java (running under my account) intermittently gobbling up lots of CPU.
I was showing intermittent traffic on the ethernet interface in pretty good amounts before I launched Firefox.
To the best of my knowledge there is no Java application which will be started up automatically on any Linux Mint default installation, right after the system has come up or right after you have logged in.
So I assume that you have added the corresponding Java application to your personal startup list.

Can you identify this Java application in the startup application list? Can you tell which purpose it serves? Maybe this will explain why it opens internet connections.

About the connections which are opened by Firefox: it depends on which Firefox functionality you have enabled. E.g. if you make use of Firefox Sync then of course Firefox will open a connection to the Mozilla sync server (in intervals of 10 minutes, if I remember right).

If you have enabled the Firefox functionality to protect you against fraudulent content and malicious software then Firefox will regularly contact webpages which check whether the webpages which you navigate to are on some negative lists.

If you have not explicitly disabled telemetry in Firefox then Firefox will send out anonymized status data to Mozilla in regular intervals as well.

And in order not to feed any kind of Firefox phobia by only mentioning things which Firefox might/will do, let us turn to your browser startpage, the search engine: What do you think your browser does when opening it? Well, it establishes a connection to the corresponding website. And that website may initiate more connections to business partners of your search engine provider.

Best regards,
Karl

I went into start apps and removed a few things like bluetooth, etc. Everything in there looks fairly stock. I rebooted and when the desktop came up, the CPU went to 49% and there was moderate ethernet traffic. ss -prtu at boot reveals no connections. ss -prtu gives various readings when the browser is launched and resting at the search engine.

TOP reveals a very weird entry "web content" at the number one spot. It's chewing up varying amounts of CPU and memory. ?? I xkilled the PID and this page crashed. Lol.

Java is still there -- chewing moderate amounts of cpu and memory. It's typically the 2nd or 3rd item after web content. I don't have a java entry in the plugins area of firefox. How do I kill java?
Arch_Enemy
Level 6
Posts: 1491
Joined: Tue Apr 26, 2016 3:28 pm

Re: Hacked??

Post by Arch_Enemy »

benc wrote:Powered up the machine this morning on a decent bandwidth Ethernet DSL connection. The machine is monitored by gkrellm. I watched as the internet interface went wild with traffic. It got as high as 100kB.

I shut off the update script. The traffic continued. I turned off the interface and traffic stopped. Turn the interface on and the traffic resumes. What's the best way to troubleshoot this down?
Have a look at this thread on a different forum:
http://www.hyundai-forums.com/off-topic ... e-box.html

I could not BELIEVE what I was seeing for traffic! (Using EtherApe. It's quick, simple and gives you a graphical view of traffic.)

Everything listed (akamaitechnologies, amazonaws, etc.) is a large hosting site that various companies use to host their software.
Amazonaws usually comes into play by Firefox checking for updates, among other things. I don't know if MINT uses it for their update service, but a lot of 'nixes do, so every time you start up it "phones home" to look for updates. Likewise with amazonaws coming up all the time. Companies like nVidia and ATi use it for driver updates, and if your driver does self-checking that may be what's going on there. All of those sites listed are readily explained as being used by software companies to do updates and checks.

Wanna really freak out? Turn your firewalls off as mentioned in the post at the other forum and WATCH how many people in different places are scanning openly for compromised computers! I've had my firewall for about 8 years now and I could not BELIEVE what I was seeing coming down the pike straight at my nose! I used to do similar checks before I had a firewall and never saw such traffic!

I was really surprised my ISP does not filter all of this out!
I have travelled 37629424162.9 miles in my lifetime

One thing I would suggest, create a partition as a 50G partition as /. Partition the rest as /Home. IF the system fails, reinstall and use the exact same username and all your 'stuff' comes back to you.
greerd
Level 6
Posts: 1060
Joined: Sat Jul 31, 2010 10:58 am
Location: Nova Scotia, Canada

Re: Hacked??

Post by greerd »

benc wrote:Java is still there -- chewing moderate amounts of cpu and memory. It's typically the 2nd or 3rd item after web content. I don't have a java entry in the plugins area of firefox. How do I kill java?
You could run System Monitor - Processes, then right click java and check the properties. I know Universal Media Server runs java and when first started sends out its hello, I'm here, to the local network.
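The same question ("what is this java process, and who started it?") can be answered from a terminal instead of System Monitor. The script below is an added example and is not code from any poster in this thread: it reads /proc for the executable, working directory, command line, owning UID and parent chain of a PID, then asks ss for that PID's sockets. It assumes a Linux /proc filesystem and iproute2's ss; the script name and function names are my own.

```shell
#!/bin/sh
# whatis-pid.sh: identify an unfamiliar process (the "java" in this thread,
# for instance) from /proc, then list its network sockets with ss.
# Added example, not from the thread. Usage: sh whatis-pid.sh <pid>

proc_cmdline() {
    # /proc/PID/cmdline is NUL-separated. For java this shows the jar or
    # main class, which is what actually tells you which program it is.
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

proc_ppid() {
    # Parent PID from /proc/PID/status (safer than /proc/PID/stat, whose
    # comm field may contain spaces, e.g. "Web Content").
    awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

proc_uid() {
    # Real UID. A process running as your own user got there via your
    # session (autostart entry, a terminal, a browser helper), not via root.
    awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

proc_ancestry() {
    # Walk the parent chain up to PID 1 so you can see what launched it.
    p=$1
    while [ "$p" -gt 1 ] 2>/dev/null; do
        printf '%s\t%s\n' "$p" "$(proc_cmdline "$p")"
        p=$(proc_ppid "$p")
        [ -n "$p" ] || break
    done
}

proc_sockets() {
    # Sockets owned by the PID, in any state, with the remote peer.
    # ss only shows owners for your own processes unless it runs as root.
    ss -tunp 2>/dev/null | grep "pid=$1," || true
}

whatis_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "exe:      $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "cwd:      $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "uid:      $(proc_uid "$pid")"
    echo "cmdline:  $(proc_cmdline "$pid")"
    echo "ancestry (pid, cmdline; child first):"
    proc_ancestry "$pid"
    echo "sockets:"
    proc_sockets "$pid"
}

if [ $# -ge 1 ]; then
    whatis_pid "$1"
fi
```

Run it with the PID that top shows for java (`sh whatis-pid.sh 1234`). The cmdline line usually names the jar or launcher, the cwd points at where it was installed, and the ancestry line tells you whether it came from the session autostart, a cron job or something you started by hand; the sockets section is the same information as `ss -prtu`, filtered to that one process.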
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

I de-installed java with synaptic. CPU and traffic are looking normal.

Last experiment. Running only xterm. Launch firefox, it goes to homepage. I type ss -prtu while firefox idles on home page:


tcp ESTAB 0 0 192.168.1.145:34696 ec2-34-232-245-151.compute-1.amazonaws.com:https users:(("firefox",pid=2434,fd=96))
tcp ESTAB 0 0 192.168.1.145:48854 151.101.0.201:https users:(("firefox",pid=2434,fd=90))
tcp ESTAB 0 0 192.168.1.145:47560 72.21.91.29:http users:(("firefox",pid=2434,fd=100))
tcp ESTAB 0 0 192.168.1.145:34694 ec2-34-232-245-151.compute-1.amazonaws.com:https users:(("firefox",pid=2434,fd=93))
tcp ESTAB 0 0 192.168.1.145:45784 ec2-23-21-193-184.compute-1.amazonaws.com:https users:(("firefox",pid=2434,fd=94))
tcp ESTAB 0 0 192.168.1.145:52994 ec2-52-7-138-57.compute-1.amazonaws.com:https users:(("firefox",pid=2434,fd=92))
tcp ESTAB 0 0 192.168.1.145:51584 a96-16-12-81.deploy.akamaitechnologies.com:http users:(("firefox",pid=2434,fd=38))



Kill firefox. Running only xterm. Launch Palemoon, it goes to homepage. I type ss -prtu while Palemoon idles on home page:

tcp SYN-SENT 0 1 192.168.1.145:55796 185.159.158.50:http users:(("palemoon",pid=4303,fd=52))
tcp ESTAB 0 0 10.8.8.17:53528 93.184.220.29:http users:(("palemoon",pid=4303,fd=58))
tcp ESTAB 0 0 10.8.8.17:47516 a88-221-89-25.deploy.akamaitechnologies.com:http users:(("palemoon",pid=4303,fd=60))
tcp SYN-SENT 0 1 192.168.1.145:55804 185.159.158.50:http users:(("palemoon",pid=4303,fd=70))
tcp ESTAB 0 0 10.8.8.17:47514 a88-221-89-25.deploy.akamaitechnologies.com:http users:(("palemoon",pid=4303,fd=59))
tcp SYN-SENT 0 1 192.168.1.145:55806 185.159.158.50:http users:(("palemoon",pid=4303,fd=71))
tcp ESTAB 0 0 10.8.8.17:33054 ec2-176-34-155-20.eu-west-1.compute.amazonaws.com:https users:(("palemoon",pid=4303,fd=57))
tcp SYN-SENT 0 1 192.168.1.145:55814 185.159.158.50:http users:(("palemoon",pid=4303,fd=77))




Kill Palemoon. Running only xterm. Launch Brave, it goes to homepage. I type ss -prtu while Brave idles on home page:

tcp CLOSE-WAIT 1 0 10.8.8.17:58424 lhr25s01-in-f10.1e100.net:https users:(("brave",pid=4407,fd=148))
tcp ESTAB 337 0 10.8.8.17:54100 lhr25s01-in-f3.1e100.net:https users:(("brave",pid=4407,fd=158))
tcp ESTAB 0 0 10.8.8.17:58848 ec2-54-225-177-165.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=124))
tcp ESTAB 337 0 10.8.8.17:54104 lhr25s01-in-f3.1e100.net:https users:(("brave",pid=4407,fd=161))
tcp ESTAB 0 0 10.8.8.17:48570 104.28.22.242:https users:(("brave",pid=4407,fd=123))
tcp ESTAB 0 0 10.8.8.17:40164 ec2-184-73-247-198.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=162))
tcp ESTAB 0 0 10.8.8.17:35556 s3-1.amazonaws.com:https users:(("brave",pid=4407,fd=121))
tcp ESTAB 0 0 10.8.8.17:40162 ec2-184-73-247-198.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=160))
tcp ESTAB 0 0 10.8.8.17:35552 s3-1.amazonaws.com:https users:(("brave",pid=4407,fd=119))
tcp ESTAB 337 0 10.8.8.17:54110 lhr25s01-in-f3.1e100.net:https users:(("brave",pid=4407,fd=164))
tcp ESTAB 337 0 10.8.8.17:54102 lhr25s01-in-f3.1e100.net:https users:(("brave",pid=4407,fd=159))
tcp ESTAB 0 0 10.8.8.17:58850 ec2-54-225-177-165.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=120))
tcp ESTAB 0 0 10.8.8.17:58422 lhr25s01-in-f10.1e100.net:https users:(("brave",pid=4407,fd=122))
tcp ESTAB 0 0 10.8.8.17:58854 ec2-54-225-177-165.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=149))
tcp ESTAB 0 0 10.8.8.17:54108 lhr25s01-in-f3.1e100.net:https users:(("brave",pid=4407,fd=163))
tcp ESTAB 0 0 10.8.8.17:58846 ec2-54-225-177-165.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=103))
tcp ESTAB 0 0 10.8.8.17:58856 ec2-54-225-177-165.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=154))
tcp ESTAB 0 0 10.8.8.17:48584 104.28.22.242:https users:(("brave",pid=4407,fd=157))
tcp ESTAB 0 0 10.8.8.17:58852 ec2-54-225-177-165.compute-1.amazonaws.com:https users:(("brave",pid=4407,fd=138))





These browsers are leaking like a darn sieve. Isn't Amazon tied at the hip with the three-letter-agencies? Bad news.

Since this system is so wonky, guess I'm going to wipe and reinstall. Is there a way to block all of the amazonaws/akamaitechnologies traffic?



Note: Dillo and Dooble do not show any leakage whatsoever.
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

Arch_Enemy wrote:
benc wrote:Powered up the machine this morning on a decent bandwidth Ethernet DSL connection. The machine is monitored by gkrellm. I watched as the internet interface went wild with traffic. It got as high as 100kB.

I shut off the update script. The traffic continued. I turned off the interface and traffic stopped. Turn the interface on and the traffic resumes. What's the best way to troubleshoot this down?
Have a look at this thread on a different forum:
http://www.hyundai-forums.com/off-topic ... e-box.html

I could not BELIEVE what I was seeing for traffic! (using ETHERAPE. It's quick, simple and gives you a graphical view of traffic)


Excellent info. Thanks. I downloaded etherape and will be playing with it.
benc
Level 1
Posts: 27
Joined: Wed Dec 13, 2017 7:48 pm

Re: Hacked??

Post by benc »

greerd wrote:
benc wrote:Java is still there -- chewing moderate amounts of cpu and memory. It's typically the 2nd or 3rd item after web content. I don't have a java entry in the plugins area of firefox. How do I kill java?
You could run System Monitor - Processes, then right click java and check the properties. I know Universal Media Server runs java and when first started sends out its hello, I'm here, to the local network.

That's a sweet utility. I had not seen that before. Thanks.
xenopeek
Level 25
Posts: 29588
Joined: Wed Jul 06, 2011 3:58 am

Re: Hacked??

Post by xenopeek »

benc wrote:These browsers are leaking like a darn sieve. Isn't Amazon tied at the hip with the three-letter-agencies? Bad news.

SInce this system is so wonky, guess I'm going to wipe and reinstall. Is there a way to block all of the amazonaws/akamaitechnologies traffic?



Note: Dillo and Dooble do not show any leakage whatsoever.
They aren't leaking anything. Amazon AWS, Akamai, Fastly (151.101.0.201) and EdgeCast (72.21.91.29) that you see in Firefox output are all CDNs (https://en.wikipedia.org/wiki/Content_delivery_network). Those are used to efficiently distribute content around the globe. Firefox checks for add-ons updates, for search engine updates, gets information from safe browsing project and other such updates. Those as a rule would be downloaded from a CDN near you. Depending on what you have set as your browser's homepage, the same might go for that (if it's not a local file).

So when you start up and run Firefox it does some things on its own to update stuff and uses CDNs for that.

In practice you won't be able to use the Internet if you block CDNs. CDNs are little more than mirror servers. Have the same content on multiple servers around the world and when trying to access a resource (image file, script file, stylesheet file, font file, and the like) direct the user's browser to the server that is geographically closest to them. Most websites use CDNs for this purpose, so that their users experience a very fast website. If you block CDNs, you're effectively blocking entire websites from working.

(Also applications and games use CDNs to deliver server-side content swiftly to their users around the globe. That's beyond what you're worried about here though.)

So no, there's nothing wrong with your Linux Mint install at this point. Nor will reinstalling Linux Mint (or installing another operating system) change anything in this regard if you use the same web browsers. That Dillo and Dooble or whatever don't show the same at start up is entirely meaningless. Perhaps they don't have add-ons, search engines or other things that they update. Or perhaps they do have them but never update them. Or perhaps they have them but update them not at start up but after x minutes. But when you visit a major website with Dillo or Dooble you will see connections to CDNs as most websites use CDNs to make their website experience fast for their users.

Blocking CDNs like Amazon AWS or Akamai will prevent Dillo and Dooble from being able to display most websites as well. CDNs are nothing "spooky" and certainly have nothing to do with three-letter-agencies. CDNs are a core infrastructure component of the Internet today, which allows websites to deliver content very fast to their users—regardless of where on the globe their users are.
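Two things in this thread combine naturally into one tool: xenopeek's `ss -prtu` for seeing which process owns which connection, and the explanation above that the amazonaws/akamai/1e100 names are CDN and cloud hosts rather than evidence of anything. The script below is an added example and is not code from any poster: it parses the text `ss -prtu` prints, groups connections by process, labels each remote host by a small table of well-known domain suffixes, and flags what is actually worth chasing: a process you did not expect to own sockets, half-open (SYN-SENT) connections, and plaintext HTTP. The suffix table, the list of "expected" processes and the final `java` sample line are my assumptions; the browser lines in the sample are copied from the ss output posted earlier in this thread.

```python
"""Summarise `ss -prtu` output per process and label the remote endpoints.

Added example for this thread, not code from any poster.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Suffixes seen in the thread's ss output, mapped to who runs them.
# Assumed starter table: extend it for your own environment.
KNOWN_SUFFIXES = {
    ".amazonaws.com": "Amazon AWS (EC2/S3; common CDN and SaaS origin)",
    ".akamaitechnologies.com": "Akamai CDN",
    ".1e100.net": "Google",
    ".sucuri.net": "Sucuri website firewall/CDN",
}

# Assumption: processes a desktop user expects to own sockets. Anything
# else is not "malicious", it is simply unexplained until you look at it.
EXPECTED_PROCESSES = {"firefox", "palemoon", "brave", "apt", "apt-get",
                      "flatpak", "mintupdate"}

_USER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


@dataclass(frozen=True)
class Conn:
    proto: str
    state: str
    local: str
    peer_host: str
    peer_port: str
    process: str   # "?" when ss could not see the owner (another user's socket)
    pid: int


def split_hostport(addr: str) -> tuple[str, str]:
    """'host:port' -> (host, port); also handles '[v6addr]:port'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text: str) -> list[Conn]:
    """Parse the lines `ss -prtu` prints (header and blank lines skipped)."""
    conns: list[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        proto, state, _recvq, _sendq, local, peer = fields[:6]
        host, port = split_hostport(peer)
        owners = _USER_RE.findall(" ".join(fields[6:])) or [("?", "0", "0")]
        for name, pid, _fd in owners:
            conns.append(Conn(proto, state, local, host, port, name, int(pid)))
    return conns


def classify_host(host: str) -> str:
    """Label a peer host by domain suffix; literal IPs need rDNS/whois."""
    try:
        ipaddress.ip_address(host)
        return "literal IP (no reverse DNS; check with host/whois)"
    except ValueError:
        pass
    for suffix, owner in KNOWN_SUFFIXES.items():
        if host.endswith(suffix):
            return owner
    return "other host"


def summarize(conns: list[Conn]) -> dict[tuple[str, int], dict[str, set[str]]]:
    """(process, pid) -> {label -> set of peer hosts}."""
    by_proc = defaultdict(lambda: defaultdict(set))
    for c in conns:
        by_proc[(c.process, c.pid)][classify_host(c.peer_host)].add(c.peer_host)
    return by_proc


def findings(conns: list[Conn], expected: set[str] = EXPECTED_PROCESSES) -> list[str]:
    """Things worth chasing; an empty list means 'nothing unexplained'."""
    notes: list[str] = []
    for name, pid in sorted({(c.process, c.pid) for c in conns}):
        if name not in expected:
            notes.append(f"review: unexpected process {name} (pid {pid}) owns sockets")
    syn: dict[tuple[str, str], int] = defaultdict(int)
    for c in conns:
        if c.state == "SYN-SENT":
            syn[(c.process, c.peer_host)] += 1
    for (name, host), n in sorted(syn.items()):
        notes.append(f"{name}: {n} unanswered SYN to {host} (host down, filtered, or blocked)")
    for name, host in sorted({(c.process, c.peer_host) for c in conns
                              if c.peer_port in ("http", "80")}):
        notes.append(f"{name}: plaintext HTTP to {host} (request and content visible on the wire)")
    return notes


# Sample input. Browser lines are copied from the ss output posted in this
# thread; the final "java" line is constructed for illustration only.
SAMPLE = """\
Netid State    Recv-Q Send-Q Local Address:Port     Peer Address:Port   Process
tcp   ESTAB    0      0      10.8.8.19:56712       cloudproxy10008.sucuri.net:https users:(("firefox",pid=3854,fd=63))
tcp   ESTAB    0      0      10.8.8.19:37758       ec2-35-160-182-201.us-west-2.compute.amazonaws.com:https users:(("firefox",pid=3854,fd=84))
tcp   SYN-SENT 0      1      192.168.1.145:55796   185.159.158.50:http users:(("palemoon",pid=4303,fd=52))
tcp   SYN-SENT 0      1      192.168.1.145:55804   185.159.158.50:http users:(("palemoon",pid=4303,fd=70))
tcp   ESTAB    0      0      10.8.8.17:47516       a88-221-89-25.deploy.akamaitechnologies.com:http users:(("palemoon",pid=4303,fd=60))
tcp   ESTAB    337    0      10.8.8.17:54100       lhr25s01-in-f3.1e100.net:https users:(("brave",pid=4407,fd=158))
tcp   ESTAB    0      0      10.8.8.17:41000       203.0.113.7:https users:(("java",pid=9999,fd=12))
"""

if __name__ == "__main__":
    conns = parse_ss(SAMPLE)
    for (name, pid), labels in summarize(conns).items():
        print(f"{name} (pid {pid})")
        for label, hosts in labels.items():
            print(f"  {label}: {', '.join(sorted(hosts))}")
    print()
    for note in findings(conns):
        print(note)
```

To use it on a live machine, pipe the real output in: `ss -prtu | python3 ss_summary.py` with `SAMPLE` swapped for `sys.stdin.read()`. Two caveats a practitioner should keep in mind: ss without root only reports the owning process for your own sockets (the script marks the rest as `?`), and a suffix table only tells you who hosts an endpoint, not which application rents it, so a CDN label is a reason to stop worrying about the host, not proof of which program is behind the traffic.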
Flemur
Level 20
Posts: 10096
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: Hacked??

Post by Flemur »

xenopeek wrote:Those are used to efficiently distribute content around the globe. Firefox checks for add-ons updates, for search engine updates, gets information from safe browsing project and other such updates.
I have all that stuff turned off and FF still contacts akamaitechnologies after starting, and before opening a web page.

"vivaldi" starts up without contacting anything until you open a web page, which is the correct answer.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
xenopeek
Level 25
Posts: 29588
Joined: Wed Jul 06, 2011 3:58 am

Re: Hacked??

Post by xenopeek »

That has nothing to do with the concern about being hacked. And it doesn't take away from the fact that you basically can't use the Internet if you start blocking common CDNs used by websites to accelerate their content delivery. Let's stay on topic.