Author Topic: Computer Security Help  (Read 1757 times)


Offline redyoshi49q

Computer Security Help
« on: October 11, 2010, 12:43:18 pm »
...I have a problem.

I discovered this problem as a consequence of my new college's soft bandwidth limits.  If a dorm computer uploads or downloads more than 2GB of data, that computer's bandwidth is limited by the firewall until the heavy network use falls off the 24 hour window.  Naturally, the school provides a webpage that allows students to monitor their own computer's bandwidth usage.  I was watching mine, and found my bandwidth usage to be inexplicably high.  Even at times when I was not actively using the bandwidth (when the only uses were running IM/IRC clients and running but not actively used browsers, etc.), my bandwidth usage would sometimes be considerably *higher* than when I was actively using the bandwidth (for example, when watching several Youtube videos in a row).

This made me suspicious, so I downloaded a network monitor (EtherApe) and set it to record the IPs and corresponding data transfers overnight.  I found out that several domains I did not recognize were communicating with my computer.  Moreover, one of these domains in particular was using several subdomains to transfer anywhere between 10-30 MB per subdomain at a time when I was asleep (and thus not using my computer).

My firewall is set to allow only incoming connections on port 22 (SSH), which means that the connections mentioned above must have been initiated from my computer.  Given this, there is only one conclusion that I can come up with to explain this:  My computer seems to be running a "service" that I do not know about.  That service needs to die, and I need help/advice in terms of finding that service.

The following are the services/bandwidth users that *should* be on my computer.
  • My web browser
  • An FaH client (it effectively donates some of my computer's processing power)
  • A Hamachi client (it's a VPN program, and it's connected to only 1 VPN)
  • An SSH server
  • Pidgin (IM client) running several protocols
  • Ubuntu's automatic update checker and corresponding update client.

Unless I've forgotten something, anything else presently using my bandwidth is an illegitimate program.

As of right now, my desktop's firewall is locked (it's now blocking *everything*, even legitimate use) so that this doesn't get worse in the meantime.  I'm using my laptop to post this in the meantime, but I'd rather not have to wipe my desktop's OS to fix this if at all possible.  Also, though I alluded to this previously, my desktop is running Ubuntu 10.4.

...

Please help.
"Perfect normality is impossible.  Be unique!"
-- redyoshi49q

Offline Foxpup

Re: Computer Security Help
« Reply #1 on: October 12, 2010, 12:24:43 am »
Hmm... I don't know anything about Linux malware, so my advice for now is to just post the results of ls /proc/ and see if there's anything that shouldn't be there. Oh, and don't run anything as root while connected to the internet.

Offline Feathertail

Re: Computer Security Help
« Reply #2 on: October 12, 2010, 12:40:53 am »
Maybe it's not malware so much as something you installed and forgot about? I often try something weird out, and then forget I ever did.

Failing that, maybe someone else is hijacking your connection ... somehow. Or something.

Offline Foxpup

Re: Computer Security Help
« Reply #3 on: October 12, 2010, 01:20:05 am »
Maybe it's not malware so much as something you installed and forgot about? I often try something weird out, and then forget I ever did.
Unlikely. Linux users don't download bandwidth-hogging software and then forget about it.

Failing that, maybe someone else is hijacking your connection ... somehow. Or something.
That's how malware usually works. Attacker uses a buffer overflow to start a shell from which he/she runs wget or something to download malware from a remote site. Then just sits back and lets the malware do its thing. Whatever its thing is... Packet logs would be helpful, although they could contain sensitive information. @redyoshi49q, PM me for an email address and PGP key, if you don't mind me seeing what you were up to that night.

Offline McMajik

Re: Computer Security Help
« Reply #4 on: October 13, 2010, 05:32:30 pm »
Maybe it's not malware so much as something you installed and forgot about? I often try something weird out, and then forget I ever did.
Unlikely. Linux users don't download bandwidth hogging software and then forget about it.

Feathertail is an avid Linux user. Just thought that was worth mentioning.

Redyoshi: Could it be Ubuntu's automatic update checker? Have you tried checking the update times against the times the unknown IPs connected? The package lists alone are quite large (not sure about 10-30 meg, but it's more than possible).

Offline redyoshi49q

Re: Computer Security Help
« Reply #5 on: October 13, 2010, 10:25:08 pm »
Thanks for the help, everybody.

Hmm... I don't know anything about Linux malware, so my advice for now is to just post the results of ls /proc/ and see if there's anything that shouldn't be there.

Well... (*uses flash drive to fetch his list of /proc stuff...*)

Code:
1
10
1026
1031
1035
1042
1043
1045
1046
1049
1050
1053
11
1125
1152
1157
1158
12
12953
12959
12960
13
1329
13467
1369
14
1457
1466
15
15758
1625
1646
1649
1671
16728
16729
16766
16767
16784
16793
17
1732
1734
1746
1770
1787
1788
18
1822
1824
1825
1840
1843
1844
1846
1847
18868
18874
19
1900
19021
19027
19141
2
20
21
2133
2151
2184
2188
2193
2196
2197
22
2201
2203
2204
2206
2213
2215
2220
2224
2227
2238
2239
2240
2243
2244
2246
2252
22524
2258
2259
22611
2262
2263
2264
2266
2287
2291
2292
2293
2294
23
2301
2302
2303
2304
2305
2369
2373
2374
24
2488
2493
2495
2496
2498
2499
25
2503
2507
2508
2509
2536
2538
2541
26
27
28
2877
2878
2893
2895
29
291
2932
2948
2949
2970
2972
2973
2974
2988
3
30
3019
3023
3024
3026
309
31
3173
32
3204
3214
3216
3234
3268
3278
3281
3283
344
35
36
37
370
38
3848
389
39
4
40
41
42
4393
4443
46
47
48
49
5
5167
5169
54
55
56
57
58
59
6
60
61
62
6871
6873
6875
688
692
6944
6947
6950
6954
6957
6998
7
7030
7033
706
7064
7082
7090
7098
7101
7111
7149
7152
7156
7227
7230
7278
7334
7340
7357
7361
7376
7431
7434
7466
7469
749
7545
7548
7552
7626
7671
7677
7697
7707
7788
790
7913
793
8
858
859
881
883
9
9367
939
9504
9995
9998
9999
acpi
asound
buddyinfo
bus
cgroups
cmdline
cpuinfo
crypto
devices
diskstats
dma
driver
execdomains
fb
filesystems
fs
interrupts
iomem
ioports
irq
kallsyms
kcore
key-users
kmsg
kpagecount
kpageflags
latency_stats
loadavg
locks
mdstat
meminfo
misc
modules
mounts
mtrr
net
pagetypeinfo
partitions
sched_debug
schedstat
scsi
self
slabinfo
softirqs
stat
swaps
sys
sysrq-trigger
sysvipc
timer_list
timer_stats
tty
uptime
version
version_signature
vmallocinfo
vmstat
zoneinfo

I haven't looked explicitly at /proc's contents before, so I can't say definitively that something doesn't belong.  However, the files and folders listed don't look all that out of place.

Oh, and don't run anything as root while connected to the internet.

That's... actually *really* good advice (aside from the obvious need to run package managers as root while connected).  Normally, I just ask myself if I recognize, trust, and have explicitly called program X before giving root privileges.

Maybe it's not malware so much as something you installed and forgot about? I often try something weird out, and then forget I ever did.

I do "tinker" occasionally, but I've never had a need to tinker dangerously with sudo.  For instance, I've tried getting development versions of Gimp and Ardour to work at one point, both of which required synaptic (and thus root) for prerequisite packages.  I've also installed programs like Cave Story (through wine), IWBTG (through wine), and Dwarf Fortress; none of these required root privileges either.  I don't completely discard the possibility that I might have forgotten *something* (my system is several years old, after all), but I don't think this is the case.

Redyoshi: Could it be Ubuntu's automatic update checker? Have you tried checking the update times against the times the unknown IPs connected? The package lists alone are quite large (not sure about 10-30 meg, but it's more than possible).

It's unlikely.  The domain *.ord.llnw.net was the one that I mentioned in my first post, and 14 of their 16 subdomains used 10-30 MB *each*.  The total usage between all of the subdomains on *.ord.llnw.net is somewhere around 330 MB.  It's way too much for a package list.  Moreover, googling "ubuntu ord.llnw.net" doesn't return relevant pages.  There were several other domains and IPs intermingled in this usage range, but #.ord.llnw.net was by far the biggest user.
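A bare listing of /proc, as posted above, only shows which PIDs exist. The check that answers the thread's actual question (which local process opened the connections to the unknown hosts) is to read /proc/net/tcp and map each socket's inode back through /proc/<pid>/fd to its owner. This is an added example, not code from the thread; the sample /proc/net/tcp lines and the process name used in the test are constructed.

```python
import os, socket, struct
from collections import defaultdict
from pathlib import Path

# Constructed /proc/net/tcp sample (not from the thread's machine): a LISTEN socket on 22, and an ESTABLISHED connection 192.168.0.21:40000 -> 68.142.72.10:80
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 1500A8C0:9C40 0A488E44:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # other state codes are kept as raw hex

def decode_addr(field):
    """'0A488E44:0050' -> ('68.142.72.10', 80); the kernel prints the IPv4 address
    as a host-order 32-bit word, so the bytes come out reversed on x86."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """One dict per socket line of /proc/net/tcp; the header line is skipped."""
    conns = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 10:
            conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                          "state": STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": f[9]})
    return conns

def socket_inode_owners(proc_root="/proc"):
    """{socket inode: (pid, cmdline)} from the 'socket:[N]' links in /proc/<pid>/fd (a full map needs root)."""
    owners = {}
    for pid_dir in (p for p in Path(proc_root).iterdir() if p.name.isdigit()):
        try:
            cmd = (pid_dir / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            links = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except OSError:  # process exited, or its fd table is not readable by this user: skip it
            continue
        for target in links:
            if target.startswith("socket:["):
                owners[target[8:-1]] = (int(pid_dir.name), cmd)
    return owners

def attribute(conns, owners, state="ESTABLISHED"):
    """Group sockets in `state` by remote (ip, port) -> [(pid, cmdline)], with ('unknown', '') when the inode was not visible."""
    by_remote = defaultdict(list)
    for c in conns:
        if c["state"] == state:
            by_remote[c["remote"]].append(owners.get(c["inode"], ("unknown", "")))
    return dict(by_remote)

if __name__ == "__main__":  # on a live Linux host: which process is talking to which peer right now
    print(attribute(parse_proc_net_tcp(Path("/proc/net/tcp").read_text()), socket_inode_owners()))
```

On the live machine this is the same mapping that `sudo netstat -tunp` (or `lsof -i`) prints; the script only makes the /proc mechanism behind it visible. Run it as root, otherwise sockets owned by other users show up as unknown.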

Offline Foxpup

Re: Computer Security Help
« Reply #6 on: October 14, 2010, 01:35:20 am »
Well... (*uses flash drive to fetch his list of /proc stuff...*)

I haven't looked explicitly at /proc's contents before, so I can't say definitively that something doesn't belong.  However, the files and folders listed don't look all that out of place.

Nope, nothing wrong there.

The domain *.ord.llnw.net was the one that I mentioned in my first post, and 14 of their 16 subdomains used 10-30 MB *each*.  The total usage between all of the subdomains on *.ord.llnw.net is somewhere around 330 MB.  It's way too much for a package list.  Moreover, googling "ubuntu ord.llnw.net" doesn't return relevant pages.  There were several other domains and IPs intermingled in this usage range, but #.ord.llnw.net was by far the biggest user.

Okay, I've done some digging around, and llnw.net is Limelight Networks, a content delivery company known for blasting a helluva lot of unwanted data at Windows Live/MSN users. I think they've got a deal with Microsoft or something. No idea what they think they're doing to your Linux box. I say block all connections to and from 65.54.87/24 until we find out more.

Offline redyoshi49q

Re: Computer Security Help
« Reply #7 on: October 14, 2010, 02:09:46 am »
The domain *.ord.llnw.net was the one that I mentioned in my first post, and 14 of their 16 subdomains used 10-30 MB *each*.  The total usage between all of the subdomains on *.ord.llnw.net is somewhere around 330 MB.  It's way too much for a package list.  Moreover, googling "ubuntu ord.llnw.net" doesn't return relevant pages.  There were several other domains and IPs intermingled in this usage range, but #.ord.llnw.net was by far the biggest user.

Okay, I've done some digging around, and llnw.net is Limelight Networks, a content delivery company known for blasting a helluva lot of unwanted data at Windows Live/MSN users. I think they've got a deal with Microsoft or something. No idea what they think they're doing to your Linux box. I say block all connections to and from 65.54.87/24 until we find out more.

My firewall is still locked.  *All* connections are (or, in theory, should be) blocked.

...and the IPs that correspond to the *.ord.llnw.net data transfers... seem to be in the 68.142.72.x range, not 65.54.87.x...  Strange...

Offline Foxpup

Re: Computer Security Help
« Reply #8 on: October 14, 2010, 02:34:25 am »
The domain *.ord.llnw.net was the one that I mentioned in my first post, and 14 of their 16 subdomains used 10-30 MB *each*.  The total usage between all of the subdomains on *.ord.llnw.net is somewhere around 330 MB.  It's way too much for a package list.  Moreover, googling "ubuntu ord.llnw.net" doesn't return relevant pages.  There were several other domains and IPs intermingled in this usage range, but #.ord.llnw.net was by far the biggest user.

Okay, I've done some digging around, and llnw.net is Limelight Networks, a content delivery company known for blasting a helluva lot of unwanted data at Windows Live/MSN users. I think they've got a deal with Microsoft or something. No idea what they think they're doing to your Linux box. I say block all connections to and from 65.54.87/24 until we find out more.

My firewall is still locked.  *All* connections are (or, in theory, should be) blocked.

...and the IPs that correspond to the *.ord.llnw.net data transfers... seem to be in the 68.142.72.x range, not 65.54.87.x...  Strange...

Hmm... That's Half-Life TV, one of Limelight Networks' legitimate services. I don't know of any reason why they would be bombarding you with bogus traffic (unless you're actually using it). Blocking 68.142.64/18 would be a start. EDIT: I've checked the system logs, and I can't find anything more suspicious than a timed out Google session. No idea what's going on.
« Last Edit: October 14, 2010, 06:47:34 am by Foxpup »