
Recently I noticed my little Banana Pi server running Ubuntu 14.04.2 was a bit laggy, so I checked several things. CPU usage and memory all seem normal, but nethogs gives me a list like this!

PID   USER    PROGRAM        SENT      RECEIVED
 ?    root    192.168.1.xxx:6958-106.8.160.1xx:2949       0.032   0.038 KB/sec
 ?    root    192.168.1.xxx:6958-183.170.160.xxx:631539   0.021   0.025 KB/sec
 ?    root    ..120:6958-94.201.84:65313                  0.000   0.000 KB/sec

There are more than 40 similar entries, all going to different IP:port pairs with small amounts of traffic like the list above...

As you can see, the process with PID "?" is connecting to all over the world without my approval.

Port 6958 is used by amule, as I once set it up. I had specified 6958 as one of amule's I/O ports. I am sure amule is not running and checked this with ps aufx.

Without a valid PID from nethogs, I cannot determine what this process is. So I ran netstat to try to determine the PID.

However, netstat shows no traffic through port 6958, and ps aufx shows no strange process (or I'm just not sure what I should be looking for?).

(All commands above were issued with sudo.)

It really looks like some bot has infested my machine and turned it into a zombie, and the bot is distributing itself and calling home all the time...

So, what is it? How can I find it? Please let me know if more information is needed....

ls Song

1 Answer


nethogs shows the PID ? for traffic that isn't associated with any running process, like incoming traffic to a port on which no program is listening.

In your case that's most likely other amule peers trying to connect to you.
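A defender-side check for the situation in this thread, added here as an example and not part of either post: parse nethogs rows, read the TCP listeners from /proc/net/tcp, and flag PID "?" flows whose local port has no listener (the closed amule port the answer describes). The nethogs output and /proc/net/tcp contents below are constructed samples with placeholder addresses; on a live box you would feed it the real `nethogs -t` output and the real /proc/net/tcp.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "pid user program local_port remote sent recv")

# One nethogs row: PID  USER  PROGRAM  SENT  RECEIVED  KB/sec
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)\s+([\d.]+)\s+KB/sec")
# Unattributed rows carry the socket pair "local:port-remote:port" instead of a program path
PAIR = re.compile(r"^(.+):(\d+)-(.+:\d+)$")

def parse_nethogs(text):
    """Parse nethogs text output into Flow records (header lines are skipped)."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, user, program, sent, recv = m.groups()
        pair = PAIR.match(program)
        local_port = int(pair.group(2)) if pair else None
        remote = pair.group(3) if pair else None
        flows.append(Flow(pid, user, program, local_port, remote, float(sent), float(recv)))
    return flows

def listening_tcp_ports(proc_net_tcp):
    """Local ports in LISTEN state (st == 0A) from /proc/net/tcp-style text; ports are hex."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def orphan_flows(flows, listening):
    """PID '?' flows aimed at a local port nobody listens on: traffic still arriving
    for a service that is no longer running, as the answer describes for amule."""
    return [f for f in flows if f.pid == "?" and f.local_port is not None
            and f.local_port not in listening]

# Constructed sample data (placeholder addresses, not taken from the question)
SAMPLE_NETHOGS = """PID   USER  PROGRAM                                  SENT    RECEIVED
?     root  192.168.1.120:6958-106.8.160.101:2949    0.032   0.038 KB/sec
?     root  192.168.1.120:6958-183.170.160.55:63153  0.021   0.025 KB/sec
1234  root  /usr/sbin/sshd                           1.500   0.300 KB/sec
"""
SAMPLE_PROC_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0
   1: 7801A8C0:0016 0701A8C0:C35E 01 00000000:00000000 00:00000000 00000000     0        0 2 1 0
"""

if __name__ == "__main__":
    for f in orphan_flows(parse_nethogs(SAMPLE_NETHOGS), listening_tcp_ports(SAMPLE_PROC_TCP)):
        print(f"unattributed flow to closed local port {f.local_port} from {f.remote}")
```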