19

How can I close a root process "unknown TCP" that shows up in nethogs?

I think my box has been pwned and using nethogs I see a root process of "unknown TCP". Can anyone tell me if this is an expected process, what it may be for, and if/how I can close it?

I changed my user password to try and stop this person but I am unsure yet if that is enough. [screenshot]

UPDATE: Now I am also seeing this... so pwned? [screenshot]

dibs
  • 3,489

1 Answer

22

The "Nethogs" package will always show a fake process called "unknown TCP", that corresponds to everything it can't identify. Notice that it doesn't have a process ID, and the amount of data is shown as 0, indicating that there isn't any unknown traffic.

Here's the line from the nethogs source code where that line gets initialised:

unknowntcp = new Process (0, "", "unknown TCP");

(Source code download, look in process.cpp)

There's also a bug report on the nethogs sourceforge page explaining that it's normal: http://sourceforge.net/p/nethogs/bugs/17/

The "remote-login-service" process shown is owned by the lightdm user which is your login screen, and hasn't sent or received any data. I'm not sure if it normally runs by default, but it doesn't seem to be doing anything with the network in the screenshot you posted, so it should also be safe.

http://packages.ubuntu.com/saucy/remote-login-service

So, based on what you've posted, nothing appears to be out of the ordinary and (unless you find other evidence of problems) your computer is most likely secure. If you are truly worried, you could do a fresh install just to be sure.

  • Thanks for the help with this. I have been getting lots of other IP ranges showing up in nethogs too when nobody is using the machine. I think I have got a problem still as I seem to be using about 500Mb per hour in traffic. – dibs Jan 07 '14 at 00:29
  • That amount of traffic is definitely suspicious. Make backups, wipe your hard drive, and do a clean install from a known-good installer DVD. – ImaginaryRobots Jan 07 '14 at 17:09
  • 3
    You might also want to install and run chkrootkit and rkhunter, which should help detect intrusions. – ImaginaryRobots Jan 07 '14 at 17:09
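The answer above explains that "unknown TCP" is a placeholder with no process ID for traffic the monitor cannot tie to a process. As an added illustration (not nethogs code and not part of the original thread), this Python example attributes TCP sockets to processes through `/proc` and shows how an unowned socket ends up in a pid 0 bucket. The sample rows, PIDs and process names are constructed.

```python
import os, re, socket, struct
STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode_addr(hex_addr):  # '0100007F:0277' -> '127.0.0.1:631' (IPv4, little-endian host)
    ip_hex, port_hex = hex_addr.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(ip_hex, 16)))}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp into a list of connection dicts."""
    rows = [line.split() for line in text.strip().splitlines()[1:]]  # skip header row
    return [{"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
             "state": STATES.get(f[3], f[3]), "inode": int(f[9])} for f in rows]

def socket_owners():
    """Map socket inode -> (pid, name) by reading /proc/<pid>/fd (root sees all PIDs)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                name = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = (int(pid), name)
        except OSError:
            continue  # process exited, or its fd directory is not readable
    return owners

def attribute(conns, owners):
    """Group connections by owner; sockets with no owner land under pid 0."""
    groups = {}
    for c in conns:
        groups.setdefault(owners.get(c["inode"], (0, "unknown TCP")), []).append(c)
    return groups

# Constructed sample: listener, established session, TIME_WAIT socket (inode 0, no owner).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:D431 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0A0200C0:D432 076433C6:01BB 06 00000000:00000000 03:00000A2B 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_OWNERS = {11111: (801, "cupsd"), 22222: (2345, "firefox")}  # constructed

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text, owners = (open("/proc/net/tcp").read(), socket_owners()) if live else (SAMPLE, SAMPLE_OWNERS)
    for (pid, name), conns in sorted(attribute(parse_proc_net_tcp(text), owners).items()):
        print(pid, name, [(c["local"], c["remote"], c["state"]) for c in conns])
```

Run as root on a Linux host to read live sockets. Entries in the pid 0 group that are in TIME_WAIT are expected; an ESTABLISHED one is worth a closer look with `ss -tnp`.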