Linux Archive, Debian User list: Strange network activity after updates
(http://www.linux-archive.org/debian-user/690397-strange-network-activity-after-updates.html)

Paul Zimmerman 08-03-2012 05:56 PM

Strange network activity after updates
 
Today I downloaded a large group of updates, including Open Office and some dns-related utilities. Once they were applied, some strange network activity started on my machine. It keeps sending and receiving about 10-14k per second but I cannot find any programs that would be doing anything on the network. Trying to figure out what is going on, I installed iftop and it says there is a constant connection to 239.255.255.250 and various transient connections to sites like vc-in-f106-1e100.net -- which turns out to be owned by Google -- and other sites like something called activeminds.net. I know the constant connection is a multicast address, but what is this other stuff? It looks like something is broken/misconfigured or an outright hack of the Debian repository has occurred and many Debian systems are now part of a botnet. My Debian box is staying offline until I find out what is going on.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1344016574.51012.YahooMailNeo@web126102.mail.ne1.yahoo.com

Frank McCormick 08-03-2012 07:06 PM

Strange network activity after updates
 
Sorry first reply went to his email address -


On 03/08/12 01:56 PM, Paul Zimmerman wrote:

> Today I downloaded a large group of updates, including Open Office and
> some dns-related utilities. Once they were applied, some strange network
> activity started on my machine. It keeps sending and receiving about
> 10-14k per second but I cannot find any programs that would be doing
> anything on the network. Trying to figure out what is going on, I
> installed iftop and it says there is a constant connection to
> 239.255.255.250 and various transient connections to sites like
> vc-in-f106-1e100.net -- which turns out to be owned by Google -- and
> other sites like something called activeminds.net.

Activeminds.net is actually activeminds.de ... an ISP in Germany.

> I know the constant connection is a multicast address, but what is this
> other stuff? It looks like something is broken/misconfigured or an
> outright hack of the Debian repository has occurred and many Debian
> systems are now part of a botnet.

Certainly hope not.

> My Debian box is staying offline until I find out what is going on.

--
Cheers
Frank


Archive: http://lists.debian.org/501C2151.20005@videotron.ca

JulHer 08-03-2012 07:07 PM

Strange network activity after updates
 
El vie, 03-08-2012 a las 10:56 -0700, Paul Zimmerman escribió:
> I installed iftop and it says there is a constant connection to
> 239.255.255.250 and various transient connections to sites like
> vc-in-f106-1e100.net -- which turns out to be owned by Google -- and
> other sites like something called activeminds.net. I know the constant
> connection is a multicast address, but what is this other stuff?

239.255.255.250 maybe is SSDP

http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

The other stuff I don't know,

Greetings

JulHer


Archive: http://lists.debian.org/1344020832.5682.8.camel@x101.praha

Darren Baginski 08-03-2012 07:14 PM

Strange network activity after updates
 
03.08.2012, 23:06, "Frank McCormick" <debianlist@videotron.ca>:
> Sorry first reply went to his email address -
>
> On 03/08/12 01:56 PM, Paul Zimmerman wrote:
>
>> Today I downloaded a large group of updates, including Open Office and
>> some dns-related utilities. Once they were applied, some strange network
>> activity started on my machine. It keeps sending and receiving about
>> 10-14k per second but I cannot find any programs that would be doing
>> anything on the network. Trying to figure out what is going on, I
>> installed iftop and it says there is a constant connection to
>> 239.255.255.250 and various transient connections to sites like
>> vc-in-f106-1e100.net -- which turns out to be owned by Google -- and
>> other sites like something called activeminds.net.
>
> Activeminds.net is actually activeminds.de ... an ISP in Germany
>
>> I know the constant connection is a multicast address, but what is this
>> other stuff? It looks like something is broken/misconfigured or an
>> outright hack of the Debian repository has occurred and many Debian
>> systems are now part of a botnet.
>
> Certainly hope not
>
>> My Debian box is staying offline until I find out what is going on.

You had better publish a tcpdump pcap file for analysis.


Archive: http://lists.debian.org/732811344021245@web30f.yandex.ru

Sthu Deus 08-04-2012 05:53 AM

Strange network activity after updates
 
Good time of the day, Paul.


You wrote:
> My Debian box is staying offline until I find out what is going on.

You can simply allow only the desired outbound traffic, rather than staying
offline, until you solve your problem, or ever after.


Sthu.


Archive: http://lists.debian.org/501cb8c8.7067980a.1b45.ffffa669@mx.google.com

Paul Zimmerman 08-04-2012 07:15 PM

Strange network activity after updates
 
JulHer <julher@escomposlinux.org> writes:

> 239.255.255.250 maybe is SSDP
> http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
> The other stuff I don't know,

That's a possibility, I guess. But it's not an intermittent
or occasional thing. And it doesn't run for a bit and then
stop. This is a constant 10-14k stream of data coming from
somewhere. What I don't understand is why the multicast IP
address would be the source, and the router IP would be the
destination, and yet it shows up streaming into MY computer.
(I don't control the AP.) Why would data streaming from an
abstract address TO the router/AP be incoming to my system?

If I boot Windows XP on the same machine (it's dual boot)
and connect to the same AP I don't see this. And before these
latest updates I didn't see it in Linux either. So WHAT
changed in those updates? And why does it make the AP send
this continuous stream at me?


Archive: http://lists.debian.org/1344107703.59978.YahooMailNeo@web126101.mail.ne1.yahoo.com
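On the question of why datagrams addressed to 239.255.255.250 reach the Debian box at all: a network interface normally discards multicast frames for groups that no local socket has joined, and a socket joins a group with IP_ADD_MEMBERSHIP, which SSDP/UPnP clients and responders do for 239.255.255.250. The kernel lists the current memberships in /proc/net/igmp (`ip maddr show` prints the same information), so comparing that table with and without the newly installed services shows whether a local program asked for the traffic. The script below is an added example, not code from this thread; it parses that file's layout from a constructed sample (interface names and counters are invented) and can also read the live file on a Linux host. The kernel prints each group as a 32-bit value in host byte order, which is why 239.255.255.250 appears as FAFFFFEF on a little-endian machine.

```python
"""List IPv4 multicast group memberships per interface from /proc/net/igmp.

Added example, not code from the thread.  SAMPLE_IGMP is a constructed copy of
the file's layout as written by a little-endian kernel; read_live_igmp() parses
the real file on a Linux host.
"""
import socket
import struct
import sys

SSDP_GROUP = "239.255.255.250"   # the group SSDP/UPnP uses

# Constructed sample: interface names and counters are invented.  The kernel
# writes one "Idx\tDevice    : Count Querier" line per interface, followed by
# one tab-indented line per joined group.
SAMPLE_IGMP = (
    "Idx\tDevice    : Count Querier\tGroup    Users Timer\tReporter\n"
    "1\tlo        :     1      V3\n"
    "\t\t\t\t010000E0     1 0:00000000\t\t0\n"
    "2\twlan0     :     2      V3\n"
    "\t\t\t\tFAFFFFEF     1 0:00000000\t\t0\n"
    "\t\t\t\t010000E0     1 0:00000000\t\t0\n"
)


def group_hex_to_ip(hex_group, byteorder=sys.byteorder):
    """Convert the %08X group field to a dotted quad.

    The kernel formats the in_addr (network byte order in memory) as a native
    32-bit integer, so on little-endian hosts the bytes appear reversed:
    "010000E0" is 224.0.0.1 and "FAFFFFEF" is 239.255.255.250.
    """
    fmt = "<I" if byteorder == "little" else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(hex_group, 16)))


def parse_igmp(text, byteorder=sys.byteorder):
    """Return {interface: [(group_ip, users), ...]} in file order."""
    memberships = {}
    iface = None
    for line in text.splitlines():
        if not line or line.startswith("Idx"):
            continue                                  # column header
        if line[0].isdigit():                         # "2\twlan0     :     2      V3"
            iface = line.split(":", 1)[0].split()[1]
            memberships[iface] = []
        elif iface is not None:                       # "\t\t\t\tFAFFFFEF     1 0:00000000\t\t0"
            fields = line.split()
            memberships[iface].append((group_hex_to_ip(fields[0], byteorder), int(fields[1])))
    return memberships


def interfaces_in_group(memberships, group=SSDP_GROUP):
    """Interfaces on which some local socket has joined `group`."""
    return [iface for iface, groups in memberships.items()
            if any(ip == group for ip, _ in groups)]


def read_live_igmp(path="/proc/net/igmp"):
    """Parse the running kernel's table (Linux only; byte order is the host's)."""
    with open(path, encoding="ascii") as fh:
        return parse_igmp(fh.read())


if __name__ == "__main__":
    table = parse_igmp(SAMPLE_IGMP, "little")
    for name, groups in table.items():
        print(name, ", ".join(f"{ip} (users={n})" for ip, n in groups))
    print("joined SSDP group on:", interfaces_in_group(table) or "none")
```

If an interface does show 239.255.255.250, the socket holding the membership is normally bound to UDP port 1900; `ss -ulnp` (or `netstat -putan`, as suggested elsewhere in this thread) lists it together with the owning PID. If no interface has joined the group and the traffic still arrives, the frames are being delivered regardless of membership (for example by an access point that floods multicast to every station), which is a property of the network rather than of the updated packages.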

Camaleón 08-04-2012 07:57 PM

Strange network activity after updates
 
On Fri, 03 Aug 2012 10:56:14 -0700, Paul Zimmerman wrote:

> Today I downloaded a large group of updates, including Open Office and
> some dns-related utilities. Once they were applied, some strange network
> activity started on my machine. It keeps sending and receiving about
> 10-14k per second but I cannot find any programs that would be doing
> anything on the network.

"netstat -putan" should give you some hints.

> Trying to figure out what is going on, I installed iftop and it says
> there is a constant connection to 239.255.255.250 and various transient
> connections to sites like vc-in-f106-1e100.net -- which turns out to be
> owned by Google -- and other sites like something called
> activeminds.net.

Are these inbound or outgoing connections? And what ports?

Anyway, at first glance I don't see anything suspicious about the
mentioned sites:

239.255.255.250 → SSDP/UPnP
1e100.net → Google stuff
activeminds.net → a German ISP

> I know the constant connection is a multicast address, but what is this
> other stuff? It looks like something is broken/misconfigured or an
> outright hack of the Debian repository has occurred and many Debian
> systems are now part of a botnet.

Linux as part of a botnet? That's a good one :-P

> My Debian box is staying offline until I find out what is going on.

That sounds a bit radical :-o

More information is needed to find out what's happening.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jvjurj$dtf$6@dough.gmane.org

Henrique de Moraes Holschuh 08-04-2012 08:40 PM

Strange network activity after updates
 
On Sat, 04 Aug 2012, Camaleón wrote:
> > I know the constant connection is a multicast address, but what is this
> > other stuff? It looks like something is broken/misconfigured or an
> > outright hack of the Debian repository has occurred and many Debian
> > systems are now part of a botnet.
>
> Linux as part of a botnet? That's a good one :-P

Now, here I will have to step in. No, it is not a good one. Linux
nodes _are_ commonly co-opted to act as C&C for botnets. And
browser-based ephemeral botnet nodes (in javascript, installed by
drive-by attacks) DO work in Linux.

> > My Debian box is staying offline until I find out what is going on.
>
> That's sounds a bit radical :-o

It is actually a very responsible way of handling it.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20120804204053.GA13433@khazad-dum.debian.net

Henrique de Moraes Holschuh 08-04-2012 08:47 PM

Strange network activity after updates
 
On Sat, 04 Aug 2012, Paul Zimmerman wrote:
> JulHer <julher@escomposlinux.org> writes:
>
> > 239.255.255.250 maybe is SSDP
> > http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
> > The other stuff I don't know,
>
> That's a possibility, I guess. But it's not an intermittent
> or occasional thing. And it doesn't run for a bit and then
> stop. This is a constant 10-14k stream of data coming from
> somewhere. What I don't understand is why the multicast IP
> address would be the source, and the router IP would be the
> destination, and yet it shows up streaming into MY computer.
> (I don't control the AP.) Why would data streaming from an
> abstract address TO the router/AP be incoming to my system?
>
> If I boot Windows XP on the same machine (it's dual boot)
> and connect to the same AP I don't see this. And before these
> latest updates I didn't see it in Linux either. So WHAT
> changed in those updates? And why does it make the AP send
> this continuous stream at me?

Install package wireshark. Add to it a filter "host 239.255.255.250" and
capture ~5s worth of traffic to a file. Gzip it, and send it attached. You
may send it to the debian-security list [WARNING: debian-security IS a
public list] instead of debian-user. If you send it to debian-security,
please send it attached to a email where you summarize this thread, so that
people there will know what you're talking about.

Alternatively you may use 'tcpdump' instead of wireshark. Run
"tcpdump -s 1600 -i any -w /tmp/output.tcpdump.bin host 239.255.255.250",
and stop it with ^C after 5-10s. It will save the packet dump to
/tmp/output.tcpdump.bin, which you should gzip or xz'ip before attaching.

While you're doing the capture, just in case, DO NOT engage in any other
activities, do not have your browser, mail user agent, or any other programs
open that could send credentials over the wire (such as email logins, etc)
just in case the wireshark filter is not correct and it ends up capturing
packets with data you'd rather keep private.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20120804204730.GB13433@khazad-dum.debian.net
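Once a capture of the kind asked for above exists, the questions raised earlier in the thread (inbound or outbound? which ports? how much per second?) can be answered offline without sending the file anywhere. The following is an added example, not code from this thread or from any of the tools it mentions: a stdlib-only pcap reader that aggregates bytes and rate per flow relative to the capturing host's address, labels the well-known cases, and pulls the LOCATION header out of SSDP NOTIFY datagrams so the device doing the announcing can be identified. The capture is constructed in-process by build_pcap(); the addresses 192.168.1.1, 192.168.1.23 and 203.0.113.10, the NOTIFY text and the packet sizes are invented, and IP/UDP/TCP checksums are left zero (tcpdump would flag that; this reader ignores checksums). Two caveats for a real capture: `tcpdump -i any` writes the Linux "cooked" link type rather than Ethernet, so capture on the actual interface (for example `-i wlan0`) if the file is to be fed to this reader; and the reader handles only classic pcap, not the pcapng format that Wireshark writes by default.

```python
"""Offline triage of a packet capture: per-flow direction, bytes and rate, plus the
devices announcing themselves over SSDP.  Added example, not code from the thread;
stdlib only.  The capture is built in-process by build_pcap() from constructed packets,
so no tcpdump or root is needed.  Classic pcap with Ethernet frames only."""
import ipaddress
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
LOCAL_IP = "192.168.1.23"          # constructed: address of the capturing host
PROTO = {6: "tcp", 17: "udp"}


def build_pcap(packets):
    """Serialise (ts, src, dst, proto, sport, dport, payload) tuples as Ethernet/IPv4
    pcap.  IP/UDP/TCP checksums are left zero; this reader never checks them."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, src, dst, proto, sport, dport, payload in sorted(packets, key=lambda p: p[0]):
        if proto == 17:            # UDP: 8-byte header
            l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        else:                      # TCP: 20-byte header, PSH|ACK, no options
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + l4
        frame = bytes(12) + b"\x08\x00" + ip        # zeroed MACs, EtherType IPv4
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(data):
    """Yield (ts, src, dst, proto, sport, dport, ip_total_len, payload) per IPv4 packet."""
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng or nanosecond pcap?)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled (not 'tcpdump -i any')")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # ARP, IPv6, ... are skipped
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        l4, sport, dport, payload = ip[ihl:total], None, None, b""
        if proto in (6, 17) and len(l4) >= (8 if proto == 17 else 20):
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8 if proto == 17 else (l4[12] >> 4) * 4:]   # TCP data offset
        yield sec + usec / 1e6, src, dst, proto, sport, dport, total, payload


def label(dst, proto, dport):
    """Name the well-known cases; everything else is just unicast or multicast."""
    if dst == SSDP_GROUP and proto == "udp" and dport == SSDP_PORT:
        return "SSDP/UPnP multicast"
    known = {("udp", 53): "DNS", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}
    fallback = "other multicast" if ipaddress.ip_address(dst).is_multicast else "unicast"
    return known.get((proto, dport), fallback)


def triage(data, local_ip=LOCAL_IP):
    """Aggregate per flow; 'in'/'out' is judged against the capturing host's address."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dst, proto, sport, dport, length, _ in iter_packets(data):
        key = ("out" if src == local_ip else "in", src, sport, dst, dport, PROTO.get(proto, str(proto)))
        f = flows[key]
        f["packets"], f["bytes"], f["last"] = f["packets"] + 1, f["bytes"] + length, ts
        f["first"] = ts if f["first"] is None else f["first"]
    rows = []
    for (direction, src, sport, dst, dport, proto), f in flows.items():
        span = f["last"] - f["first"]                # a one-packet flow has no rate
        rows.append({"direction": direction, "src": src, "sport": sport, "dst": dst,
                     "dport": dport, "proto": proto, "packets": f["packets"], "bytes": f["bytes"],
                     "bytes_per_s": f["bytes"] / span if span > 0 else None,
                     "label": label(dst, proto, dport)})
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def ssdp_advertisers(data):
    """{sender: {(request line, LOCATION header)}} for datagrams sent to the SSDP group."""
    seen = {}
    for _, src, dst, proto, _, dport, _, payload in iter_packets(data):
        if proto == 17 and dst == SSDP_GROUP and dport == SSDP_PORT:
            lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
            hdrs = {k.strip().upper(): v.strip()
                    for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
            seen.setdefault(src, set()).add((lines[0], hdrs.get("LOCATION", "-")))
    return seen


# Constructed sample: a router re-announcing itself over SSDP every 200 ms, plus one DNS
# query and one TLS record sent by the capturing host.  Addresses and text are invented.
NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nCACHE-CONTROL: max-age=1800\r\n"
          b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\nNT: upnp:rootdevice\r\n"
          b"NTS: ssdp:alive\r\nSERVER: ExampleRouter/1.0 UPnP/1.0\r\nUSN: uuid:example::upnp:rootdevice\r\n\r\n")
SAMPLE_PCAP = build_pcap(
    [(1.0 + 0.2 * i, "192.168.1.1", SSDP_GROUP, 17, 1900, 1900, NOTIFY) for i in range(6)]
    + [(1.05, LOCAL_IP, "192.168.1.1", 17, 51234, 53, bytes(40)),
       (1.30, LOCAL_IP, "203.0.113.10", 6, 44123, 443, bytes(120))])
```

`triage(SAMPLE_PCAP)` returns the three flows sorted by volume, the SSDP one first and marked "in" because its source is the router, not the local host; `ssdp_advertisers(SAMPLE_PCAP)` names 192.168.1.1 as the sender together with the description URL it advertises. For a real file, `triage(open("/tmp/output.tcpdump.bin", "rb").read(), local_ip="...")` with the box's own address; `bytes_per_s` is computed over each flow's own first-to-last span, so a 5-10 s capture is enough to compare against the 10-14k/s figure from iftop.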

Camaleón 08-04-2012 08:59 PM

Strange network activity after updates
 
On Sat, 04 Aug 2012 17:40:53 -0300, Henrique de Moraes Holschuh wrote:

> On Sat, 04 Aug 2012, Camaleón wrote:
>> > I know the constant connection is a multicast address, but what is
>> > this other stuff? It looks like something is broken/misconfigured or
>> > an outright hack of the Debian repository has occurred and many
>> > Debian systems are now part of a botnet.
>>
>> Linux as part of a botnet? That's a good one :-P
>
> Now, here I will have to step in. No, it is not a good one. Linux
> nodes _are_ commonly co-opted to act as C&C for botnets. And
> browser-based ephemeral botnet nodes (in javascript, installed by
> drive-by attacks) DO work in Linux.

I've never read about linux boxes being used as bots, can you please
indicate any report/stats about that fact?

(and please, do not put linux *servers* in the same bag, I speak here
about linux *desktops* not computers with opened ports and running out-of-
date and unpatched software)

>> > My Debian box is staying offline until I find out what is going on.
>>
>> That's sounds a bit radical :-o
>
> It is actually a very responsible way of handling it.

With the given data? Running Debian? Behind a home router which usually
come by default with NAT and firewall enabled? I don't think so. Really.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/jvk2fk$dtf$10@dough.gmane.org

