ATTENTION: Virus, spy-ware, or harmless?
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
ATTENTION: Virus, spy-ware, or harmless?
Hi, everyone!
My first post (Internet connection upon startup) seems to have stirred little interest or perhaps no one has an answer. But something very suspicious is occurring in my Linux Mint 2.1 installation, and I DON'T LIKE IT!! Here is what is occurring:
Beyond what was stated in my first post, I now know that starting almost ANY Gnome application initiates the opening of an internet connection (to where?) and the transmission of data of some sort or other. This happens, for example, when starting Nautilus, gedit, Gnome Control Center, the menu layout editor (alacarte), and others.
I have downloaded the simple editor mousepad, and see there: no internet connection is opened when mousepad starts!
When I turn off my router, starting any of the Gnome applications mentioned (and those not mentioned that open internet connections) takes about 24 seconds and longer before their GUI appears on the screen -- apparently the opening of an internet connection is being attempted, and this eventually times-out, whereupon the application GUI finally appears.
I view this as a grave security threat and want to know just what the hell is going on here, how I can prevent it from occurring, and who else among you is having this problem?
Thanks in advance,
-- Dr.U
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: ATTENTION: Virus, spy-ware, or harmless?
Dr.U wrote: But something very suspicious is occurring in my Linux Mint 2.1 installation, and I DON'T LIKE IT!!
Are you on dial-up or on broadband? Can you please do the following when this happens again: Open a terminal and type these commands:
sudo ps -efH
sudo lsof -n -i -P
Chances are that this is the update-checker checking for software updates.
Regards,
scorp123
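As an added example, not from the thread, here is a small parser for the `sudo lsof -n -i -P` output requested above. It classifies each socket by where its peer lives, so the lines worth asking about (a process with an established connection to an address outside the LAN) stand out from listeners and loopback traffic. The sample input is constructed in the same format as the output Dr.U posts later in this thread.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `sudo lsof -n -i -P`, modelled on the
# output posted later in this thread (the Firefox line is the only external peer).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gdm 4164 root 3u IPv4 9758 UDP *:177
cupsd 4208 cupsys 2u IPv4 9906 TCP 127.0.0.1:631 (LISTEN)
firefox-b 4802 jvu 58u IPv4 12643 TCP 192.168.16.2:55007->72.14.221.91:80 (ESTABLISHED)
"""

# SIZE/OFF is blank for sockets on old lsof builds and "0t0" on newer ones,
# so that column is optional in the pattern.
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<type>IPv[46])\s+\S+\s+"
    r"(?:\S+\s+)?(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def split_endpoint(ep: str) -> Tuple[str, str]:
    """'192.168.16.2:55007' -> ('192.168.16.2', '55007'); '[::1]:631' -> ('::1', '631')."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port


def scope_of(remote: Optional[str], state: Optional[str]) -> str:
    """Classify a socket by its peer; listeners and unconnected UDP sockets are 'listening'."""
    if remote is None or state == "LISTEN":
        return "listening"
    host, _ = split_endpoint(remote)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a name rather than an address (lsof run without -n)
        return "unknown"
    if ip.is_loopback or ip.is_link_local:
        return "loopback"
    if ip.is_private:
        return "lan"
    return "external"


def parse_lsof(text: str) -> List[Dict[str, object]]:
    """Turn lsof -i output into one dict per socket; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        local, _, remote = m["name"].partition("->")
        remote = remote or None
        rows.append({
            "command": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
            "proto": m["proto"], "local": local, "remote": remote,
            "state": m["state"], "scope": scope_of(remote, m["state"]),
        })
    return rows


def external_connections(text: str) -> List[Tuple[str, int, str]]:
    """The processes worth asking about: anything with a peer outside the LAN."""
    return [(r["command"], r["pid"], r["remote"])
            for r in parse_lsof(text) if r["scope"] == "external"]


if __name__ == "__main__":
    for cmd, pid, peer in external_connections(SAMPLE_LSOF):
        print(f"{cmd} (pid {pid}) is talking to {peer}")
```

Run it against a real capture by feeding the command's output into `external_connections`; the PID column then leads straight back to the `ps -efH` tree to see which parent started the process.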
Thanks for quick replies!
Here is the output from ps -efH when a connection has been opened, followed by the output of lsof -i -n -P when a connection was open. Thanks for your help.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 15:47 ? 00:00:01 /sbin/init splash nopcmcia
root 2 1 0 15:47 ? 00:00:00 [migration/0]
root 3 1 0 15:47 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 15:47 ? 00:00:00 [watchdog/0]
root 5 1 0 15:47 ? 00:00:00 [events/0]
root 6 1 0 15:47 ? 00:00:00 [khelper]
root 7 1 0 15:47 ? 00:00:00 [kthread]
root 9 7 0 15:47 ? 00:00:00 [kblockd/0]
root 10 7 0 15:47 ? 00:00:00 [kacpid]
root 11 7 0 15:47 ? 00:00:00 [kacpi_notify]
root 81 7 0 15:47 ? 00:00:00 [kseriod]
root 112 7 0 15:47 ? 00:00:00 [pdflush]
root 113 7 0 15:47 ? 00:00:00 [pdflush]
root 115 7 0 15:47 ? 00:00:00 [aio/0]
root 1769 7 0 15:47 ? 00:00:00 [khubd]
root 1848 7 0 15:47 ? 00:00:00 [kjournald]
root 2817 7 0 15:47 ? 00:00:00 [shpchpd]
root 2869 7 0 15:48 ? 00:00:00 [kgameportd]
root 3367 7 0 15:48 ? 00:00:00 [kjournald]
root 3369 7 0 15:48 ? 00:00:00 [kjournald]
root 3371 7 0 15:48 ? 00:00:00 [kjournald]
root 3373 7 0 15:48 ? 00:00:00 [kjournald]
root 3375 7 0 15:48 ? 00:00:00 [kjournald]
root 114 1 0 15:47 ? 00:00:00 [kswapd0]
root 1950 1 0 15:47 ? 00:00:00 //sbin/logd
root 2128 1 0 15:47 ? 00:00:01 /sbin/udevd --daemon
root 3709 1 0 15:48 tty1 00:00:00 /sbin/getty 38400 tty1
root 3710 1 0 15:48 tty2 00:00:00 /sbin/getty 38400 tty2
root 3711 1 0 15:48 tty3 00:00:00 /sbin/getty 38400 tty3
root 3913 1 0 15:48 ? 00:00:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
root 4013 1 0 15:48 ? 00:00:00 /sbin/syslogd
root 4045 1 0 15:48 ? 00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog 4047 1 0 15:48 ? 00:00:00 /sbin/klogd -P /var/run/klogd/kmsg
root 4164 1 0 15:48 ? 00:00:00 /usr/sbin/gdm
root 4165 4164 0 15:48 ? 00:00:00 /usr/sbin/gdm
root 4190 4165 9 15:48 tty7 00:00:23 /usr/X11R6/bin/X :0 -br -audit 0 -auth /var/lib/gdm/:0.Xauth -nolisten tcp vt7
jvu 4630 4165 0 15:48 ? 00:00:00 x-session-manager
jvu 4665 4630 0 15:48 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
cupsys 4208 1 0 15:48 ? 00:00:00 /usr/sbin/cupsd
103 4253 1 0 15:48 ? 00:00:00 /usr/bin/dbus-daemon --system
106 4274 1 2 15:48 ? 00:00:05 /usr/sbin/hald
root 4275 4274 0 15:48 ? 00:00:00 hald-runner
106 4281 4275 0 15:48 ? 00:00:00 /usr/lib/hal/hald-addon-acpi
106 4289 4275 0 15:48 ? 00:00:00 /usr/lib/hal/hald-addon-keyboard
106 4298 4275 0 15:48 ? 00:00:00 /usr/lib/hal/hald-addon-storage
root 4342 1 0 15:48 ? 00:00:00 /usr/sbin/dhcdbd --system
root 4365 1 0 15:48 ? 00:00:00 /usr/sbin/NetworkManager --pid-file /var/run/NetworkManager/NetworkManager.pid
root 4385 1 0 15:48 ? 00:00:00 /usr/sbin/NetworkManagerDispatcher --pid-file /var/run/NetworkManager/NetworkManagerDispatcher.pid
root 4405 1 0 15:48 ? 00:00:00 perl /usr/share/system-tools-backends-2.0/scripts/SystemToolsBackends.pl
daemon 4501 1 0 15:48 ? 00:00:00 /usr/sbin/atd
root 4520 1 0 15:48 ? 00:00:00 /usr/sbin/cron
jvu 4668 1 0 15:48 ? 00:00:00 /usr/bin/dbus-launch --exit-with-session x-session-manager
jvu 4669 1 0 15:48 ? 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 8 --print-address 6 --session
jvu 4671 1 0 15:48 ? 00:00:00 /usr/lib/libgconf2-4/gconfd-2 5
jvu 4674 1 0 15:48 ? 00:00:00 /usr/bin/gnome-keyring-daemon
jvu 4677 1 0 15:48 ? 00:00:00 /usr/lib/control-center/gnome-settings-daemon
jvu 4688 1 0 15:48 ? 00:00:00 /bin/sh -c /usr/bin/esd -terminate -nobeeps -as 1 -spawnfd 19
jvu 4689 4688 0 15:48 ? 00:00:00 /usr/bin/esd -terminate -nobeeps -as 1 -spawnfd 19
jvu 4696 1 0 15:48 ? 00:00:02 /usr/bin/metacity --sm-client-id=default0
jvu 4701 1 1 15:48 ? 00:00:03 gnome-panel --sm-client-id default1
jvu 4703 1 4 15:48 ? 00:00:08 nautilus --no-default-window --sm-client-id default2
jvu 4707 1 0 15:48 ? 00:00:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=16
jvu 4711 1 0 15:48 ? 00:00:00 /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon
jvu 4715 1 0 15:48 ? 00:00:00 gnome-volume-manager --sm-client-id default4
jvu 4717 1 0 15:48 ? 00:00:00 /usr/lib/evolution/2.8/evolution-alarm-notify
jvu 4726 1 0 15:48 ? 00:00:00 nm-applet --sm-disable
jvu 4732 1 0 15:48 ? 00:00:00 gnome-cups-icon --sm-client-id default3
jvu 4738 1 0 15:48 ? 00:00:00 gnome-power-manager
jvu 4746 1 0 15:48 ? 00:00:00 /usr/lib/gnome-applets/trashapplet --oaf-activate-iid=OAFIID:GNOME_Panel_TrashApplet_Factory --oaf-ior-fd=19
jvu 4761 1 0 15:48 ? 00:00:00 /usr/lib/nautilus-cd-burner/mapping-daemon
jvu 4774 1 0 15:48 ? 00:00:00 /usr/lib/gnome-applets/mixer_applet2 --oaf-activate-iid=OAFIID:GNOME_MixerApplet_Factory --oaf-ior-fd=23
jvu 4786 1 1 15:49 ? 00:00:02 mono /usr/lib/tomboy/Tomboy.exe --panel-applet --oaf-activate-iid=OAFIID:TomboyApplet_Factory --oaf-ior-fd=25
jvu 4802 1 23 15:49 ? 00:00:43 /usr/lib/firefox/firefox-bin
jvu 4803 1 0 15:49 ? 00:00:00 gnome-screensaver
jvu 4862 1 1 15:50 ? 00:00:01 gnome-terminal
jvu 4867 4862 0 15:50 ? 00:00:00 gnome-pty-helper
jvu 4868 4862 0 15:50 pts/0 00:00:00 bash
root 4930 4868 0 15:52 pts/0 00:00:00 ps -efH
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
gdm 4164 root 3u IPv4 9758 UDP *:177
cupsd 4208 cupsys 2u IPv4 9906 TCP 127.0.0.1:631 (LISTEN)
firefox-b 4802 jvu 58u IPv4 12643 TCP 192.168.16.2:55007->72.14.221.91:80 (ESTABLISHED)
Regards,
-- Dr.U
Are you on dial-up? I think it's the update manager (though I didn't see it in the listed tasks) or the Network manager, auto-establishing connections upon system start. What interfaces are listed in the Network manager? And what interfaces are listed in the System ==> Administration ==> Networking menu?
scorp123 wrote: Are you on dial-up? I think it's the update manager (though I didn't see it in the listed tasks) or the Network manager, auto-establishing connections upon system start. What interfaces are listed in the Network manager? And what interfaces are listed in the System ==> Administration ==> Networking menu?
In the "Network Settings" app, the "Connections" tab has only two entries: a modem connection entry (that has a minus-sign in front of it) and a wired connection entry that is for my only interface: eth0
In the "Devices - Network Tools" app, the "Devices" tab only has eth0 and the loopback interfaces listed.
Regards,
-- Dr.U
scorp123 wrote: Are you on dial-up? I think it's the update manager (though I didn't see it in the listed tasks) or the Network manager, auto-establishing connections upon system start. What interfaces are listed in the Network manager? And what interfaces are listed in the System ==> Administration ==> Networking menu?
Sorry, forgot to mention that I use ISDN dialup (internet via call-by-call). I have not been seeing this problem (connections starting with the startup of each Gnome app) with Edubuntu 6.10 (the only other Linux distro with Gnome that I use).
Regards,
-- Dr.U
Dr.U wrote: Sorry, forgot to mention that I use ISDN dialup
scorp123 wrote: I think there is some "dial on demand" thing active in your case. Can you check those modem settings please if it somewhere says something about automatically establishing connections?
The modem is not active (I don't even have a modem). I use an Ethernet card that goes to an ISDN capable router that then connects (dials out) through my ISDN box that the telephone company installed. The wired connection entry does not have anything about dial on demand in any of its configuration settings.
But who or what is dialing out? Is this some sort of Gnome feature that can be turned off?
Regards,
-- Dr.U
Dr.U wrote: But who or what is dialing out? Is this some sort of Gnome feature that can be turned off?
System ==> Preferences ==> Sessions ... A new window should pop up. Check "Startup Programs". In my GNOME I have entries such as update-notifier ... that would be a typical candidate for dialling out, e.g. when checking for new OS updates. You could also check "Current Session" ... There again I have an entry for the update-notifier.
Exasperation grows!
Dr.U wrote: But who or what is dialing out? Is this some sort of Gnome feature that can be turned off?
scorp123 wrote: System ==> Preferences ==> Sessions ... A new window should pop up. Check "Startup Programs". In my GNOME I have entries such as update-notifier ... that would be a typical candidate for dialling out, e.g. when checking for new OS updates. You could also check "Current Session" ... There again I have an entry for the update-notifier.
Update-notifier was the first thing that I suspected and so I removed it from my current session and it is deactivated in startup programs (and it also does not appear in the ps -efH outputs). I did this right after installing Linux Mint. What else is there? In startup programs there is "evolution-alarm-notify" that I can disable (but does that dial out??). There also appear the following that I could disable: "nm-applet --sm-disable", "gnome-power-manager", "gnome-volume-manager --sm-disable".
That's it! This is really driving me crazy. Even if it isn't a security risk (and I sure hope it isn't!) each dial out costs me money!! And if the router is turned off, Linux Mint is essentially useless because all Gnome applications take so long to start (>25 seconds).
Regards,
-- Dr.U
Problem remains
clem wrote: The network manager initiates a connection at startup. It's its purpose. You can remove it safely from synaptics, then reboot, and then setup your ethernet card through System->Administration->Networking.
Thanks for the tip -- but it didn't work. I completely removed NetworkManager and rebooted (it no longer appears in "ps -efH" or sessions or anywhere -- it's history, man). But now upon booting, same problem as always, and when any Gnome application is started: same problem as always -- an internet connection is opened and data is transferred to/from my computer!
Any more ideas before I stop using Linux Mint? I'm just paranoid about what's going on -- and anyway, it seems too much like Microsoft and Windoof
Please help! Does anyone else have this problem?
Regards,
-- Dr.U
Re: Problem remains
Dr.U wrote: Any more ideas before I stop using Linux Mint?
Please give me the output of these commands:
sudo cat /etc/hosts
sudo cat /etc/resolv.conf
sudo cat /etc/network/interfaces
Re: Problem remains
Dr.U wrote: Any more ideas before I stop using Linux Mint?
scorp123 wrote: Please give me the output of these commands:
sudo cat /etc/hosts
sudo cat /etc/resolv.conf
sudo cat /etc/network/interfaces
Here are the results:
### Contents of /etc/hosts ###
127.0.0.1 localhost
127.0.1.1 woody.schwarzwald
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
### Contents of /etc/resolv.conf ###
domain schwarzwald
nameserver 192.168.16.1
nameserver 130.244.127.161
nameserver 130.244.127.169
### Contents of /etc/network/interfaces ###
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.16.2
netmask 255.255.255.0
gateway 192.168.16.1
auto eth1
iface eth1 inet dhcp
auto eth2
iface eth2 inet dhcp
auto ath0
iface ath0 inet dhcp
auto wlan0
iface wlan0 inet dhcp
Again, thank you for your time and attention to this matter.
Regards,
-- Dr.U
ATTENTION: Virus, spy-ware, or harmless?
Large thread on this problem on Ubuntu Forums:
Ubuntu slow when not connected to internet:
http://www.ubuntuforums.org/showthread. ... 7&t=230534
Also, Firefox looks for updates to search engines and extensions:
Firefox/Edit Preferences/Advanced/Updates
Also, have you tried disabling IPv6, or installing the network monitor to see which applications are connecting to the internet?
Regards- Nick
Re: ATTENTION: Virus, spy-ware, or harmless?
nick wrote: Large thread on this problem on Ubuntu Forums:
Ubuntu slow when not connected to internet:
http://www.ubuntuforums.org/showthread. ... 7&t=230534
Also, Firefox looks for updates to search engines and extensions:
Firefox/Edit Preferences/Advanced/Updates
Also, have you tried disabling IPv6, or installing the network monitor to see which applications are connecting to the internet?
Regards- Nick
Thank you for the time and effort. However, while this is all very interesting, it is not the problem. Yes, things are slow when the router is turned off, but what is this crap with diverse Gnome apps opening internet connections when they are started??? This has nothing to do with IPv6 (since it is turned off in Bea anyway -- but just to be sure, I did create a bad_list file as suggested in the thread you referenced). Why does (for example) starting gnome-terminal take 30 SECONDS when the router is off, but only 6 seconds (also somewhat slow, IMHO, but I could live with that) when the router is on, plus opening an internet connection to God only knows where?
All automatic update checks in Firefox get turned off as soon as I install any distro. I do not use Thunderbird or any other mail client (only use web-based mail, like yahoo, etc.).
I would install a network monitor if you would give me the package name. I am not a linux guru, just someone who hates M$ and generally likes LinuxMint... but not when unknown data is being transmitted to and from my computer just because I open gedit or gnome-terminal. This sounds like something Bill Gates would dream up and have implemented in XP.
Regards,
-- Dr.U
Re: Problem remains
Dr.U wrote: ### Contents of /etc/hosts ###
127.0.0.1 localhost
127.0.1.1 woody.schwarzwald
Change this to:
127.0.0.1 localhost localhost.localdomain yourmachineshostname
Dr.U wrote: # The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
I suppose you're not using IPv6? OK, comment all those lines out.
Dr.U wrote: ### Contents of /etc/resolv.conf ###
domain schwarzwald
Shouldn't that be schwarzwald.de or something like that? Or maybe the DNS domain of your provider?
Dr.U wrote: ### Contents of /etc/network/interfaces ###
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.16.2
netmask 255.255.255.0
gateway 192.168.16.1
auto eth1
iface eth1 inet dhcp
auto eth2
iface eth2 inet dhcp
auto ath0
iface ath0 inet dhcp
auto wlan0
iface wlan0 inet dhcp
Are you sure the number of Ethernet interfaces shown here is right? You have three of them! One set to static and the other two to DHCP? What happens if you comment out those apparently unneeded lines?
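As an added illustration, not from the thread, of what the /etc/hosts change suggested above does: with the usual `hosts: files dns` lookup order, a name present in /etc/hosts is answered locally, while any other name is sent to the nameservers in resolv.conf, which here sit behind the ISDN router. The hostname `woody` is an assumption taken from the 127.0.1.1 line (the thread never states the machine's hostname), and the code models the default glibc resolver behaviour rather than calling it.

```python
from typing import Dict, List, Tuple

# The two /etc/hosts variants from this thread: Dr.U's original and scorp123's
# suggested replacement with the hostname filled in. "woody" is an assumption
# taken from the 127.0.1.1 line; the thread does not state the hostname.
HOSTS_BEFORE = """\
127.0.0.1 localhost
127.0.1.1 woody.schwarzwald
"""
HOSTS_AFTER = """\
127.0.0.1 localhost localhost.localdomain woody
"""
RESOLV_CONF = """\
domain schwarzwald
nameserver 192.168.16.1
nameserver 130.244.127.161
nameserver 130.244.127.169
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every name and alias in an /etc/hosts file to its address (first match wins, as in glibc)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def parse_resolv(text: str) -> Tuple[List[str], List[str]]:
    """Return (search list, nameservers); a 'domain' line acts as a one-entry search list."""
    search: List[str] = []
    servers: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] in ("domain", "search"):
            search = parts[1:]
    return search, servers


def resolution_path(hosts_text: str, resolv_text: str, name: str) -> Tuple[str, List[str], List[str]]:
    """
    Where a gethostbyname(name) call goes under 'hosts: files dns':
    ('files', [address], []) if /etc/hosts answers, otherwise
    ('dns', [names queried], [nameservers]), the case that reaches the router.
    """
    addr = parse_hosts(hosts_text).get(name.lower())
    if addr is not None:
        return "files", [addr], []
    search, servers = parse_resolv(resolv_text)
    # glibc default ndots=1: an unqualified name tries the search list first, then itself
    candidates = [name] if "." in name else [f"{name}.{d}" for d in search] + [name]
    return "dns", candidates, servers


if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, resolution_path(hosts, RESOLV_CONF, "woody"))
```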
Re: ATTENTION: Virus, spy-ware, or harmless?
Hello Dr.U,
Dr.U wrote: Hi, everyone!
My first post (Internet connection upon startup) seems to have stirred little interest or perhaps no one has an answer. But something very suspicious is occurring in my Linux Mint 2.1 installation, and I DON'T LIKE IT!! Here is what is occurring:
Beyond what was stated in my first post, I now know that starting almost ANY Gnome application initiates the opening of an internet connection (to where?) and the transmission of data of some sort or other. This happens, for example, when starting Nautilus, gedit, Gnome Control Center, the menu layout editor (alacarte), and others.
I have downloaded the simple editor mousepad, and see there: no internet connection is opened when mousepad starts!
When I turn off my router, starting any of the Gnome applications mentioned (and those not mentioned that open internet connections) takes about 24 seconds and longer before their GUI appears on the screen -- apparently the opening of an internet connection is being attempted, and this eventually times-out, whereupon the application GUI finally appears.
I view this as a grave security threat and want to know just what the hell is going on here, how I can prevent it from occurring, and who else among you is having this problem?
Thanks in advance,
-- Dr.U
I too have noticed my eth0 network connection blinking madly at startup, as if I'm downloading something.
It got me worried too. So I installed the Firestarter firewall (it is configurable). And in order to see what's going out or coming in, I installed a nice network monitor package called KnetDockApp.
They both can be found in Synaptic.
Greetings,
npap
Re: Problem remains
Dr.U wrote: ### Contents of /etc/hosts ###
127.0.0.1 localhost
127.0.1.1 woody.schwarzwald
scorp123 wrote: Change this to:
127.0.0.1 localhost localhost.localdomain yourmachineshostname
The line 127.0.1.1 can be commented out.
Dr.U wrote: # The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
scorp123 wrote: I suppose you're not using IPv6? OK, comment all those lines out.
Dr.U wrote: ### Contents of /etc/resolv.conf ###
domain schwarzwald
scorp123 wrote: Shouldn't that be schwarzwald.de or something like that? Or maybe the DNS domain of your provider?
Dr.U wrote: ### Contents of /etc/network/interfaces ###
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.16.2
netmask 255.255.255.0
gateway 192.168.16.1
auto eth1
iface eth1 inet dhcp
auto eth2
iface eth2 inet dhcp
auto ath0
iface ath0 inet dhcp
auto wlan0
iface wlan0 inet dhcp
scorp123 wrote: Are you sure the number of Ethernet interfaces shown here is right? You have three of them! One set to static and the other two to DHCP? What happens if you comment out those apparently unneeded lines?
Thank you for your attention to this problem(s)! I have made the changes you suggested to hosts and, since I deactivated IPv6, it probably isn't necessary to comment out the remaining IPv6-related lines, but I'll do it anyway just to be sure!
As for the resolv.conf contents, I am not using DHCP but a local network (with a static IP) called schwarzwald because that is the name of the workgroup on my wife's M$ Windows machine that is on our LAN -- although I never use this LAN to communicate with that box nor does she use her machine to talk with mine. Still I enter it always just in case we decide it is necessary for the two machines to communicate with each other in the future. I do not have a steady provider. I use various call-up providers (internet call-by-call is what it is called here) depending on the time of day and their per-minute charges.
As for the other ethernet interfaces: they are entered by default in Ubuntu and also other distro network configurations. They are not used (note that they do not have any addresses associated with them, and I only have one ethernet card in my machine; also the "Devices - Network Tools" app only shows one wired device: eth0). But again, just to be sure: I will remove them too.
Regards,
-- Dr.U