
I have been using Linux for about 5 years now, but I am not very skilled with the commands to monitor and figure out internal issues.

I recently was having trouble with the internet. My roommates were complaining about the internet being very slow. For some reason I checked my task manager and it said I uploaded 731 GB of data. I am not sure what it was. It's not doing it right now.

I do not know when it uploaded 731 GB of data. Is there a way to figure out the history of the past few days to see when my computer uploaded that much data?

The issue here is not that my internet is slow but who (which process) and, most importantly, "WHEN" did it/they upload so much data.

I have used the NetHogs/ntop commands to make sure there is no process trying to upload data currently, but I don't know how to check the history.

Thank you :)

EDIT: It's doing it again. Here is the screenshot of the NetHogs command:

Nethogs screenshot - do not know what those processes are

  • Malware is unlikely; some other possibilities are: BitTorrent, or an initial backup to MEGAsync or other cloud storage. –  Dec 15 '15 at 16:47
  • I ran the history command to look at all the commands that got run. I did not see any bad commands. – hunterr986 Dec 15 '15 at 16:49
  • Also, my computer has a static ip behind the router. And I also have port forwarding to enable SSH to my machine. I have applications like team viewer, Dropbox, Skype on my machine. I also never used any torrent software. – hunterr986 Dec 15 '15 at 16:50
  • @hunterr986 Most likely, it was Skype or Dropbox streaming large amounts of data that required extra gigs to ensure a stable upload quality. That can make upload sizes increase drastically. A static IP will make that even higher. – David Dec 15 '15 at 16:52
  • Hmm. But a total of around 700 gigs? That's a lot right! – hunterr986 Dec 15 '15 at 16:54
  • If it's an Ubuntu machine, why does it say hunt@sid-fedora22? – muru Dec 15 '15 at 21:59
  • I just named it like that. – hunterr986 Dec 15 '15 at 22:05
  • Etherape will help and it's a gui so you don't need to know commands. – mchid Dec 16 '15 at 05:06
  • I have tried many commands. But I fail to identify the process. It's opening up the max number of sockets. Can't open pages in the browser as well because of that. – hunterr986 Dec 16 '15 at 05:09
  • It's just a guess, but it looks like something is repeatedly connecting to the same machine, sending a web request, failing, then immediately retrying. That host (122.228.8.145) looks like someone's machine in China. Maybe you have a web page up that causes this? In a pinch, you could use ufw or gufw to add a firewall rule to prevent connections to this ip. –  Dec 16 '15 at 17:33
  • I added a rule to drop all the packets going to that IP address. But it's sending data to another address now. If I block that, it finds another machine to push data to. – hunterr986 Dec 17 '15 at 00:48

2 Answers


I would start with Wireshark:

Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.

Basically, this tool helps you to find out where the data goes. Here's how to install Wireshark on Ubuntu.

  • But I would like to know who uploaded the data and when. I would like to know the process of figuring out the history of all the data sent over the network. – hunterr986 Dec 15 '15 at 17:41
  • You can see target servers or the structure of the traffic (torrents) and so derive the source program. – Jasom Dotnet Dec 15 '15 at 17:47
  • Please look at the screenshot in the post. I am not sure how to read it. Why isn't there a PID? What are all those programs run by root? – hunterr986 Dec 15 '15 at 18:33
  • http://ip-api.com/#122.228.8.145 Try to change the root password and, of course, update your system. Which Ubuntu do you have? – Jasom Dotnet Dec 15 '15 at 18:40
  • I have 14.04. I just figured out where the data is going to. It's all going to "122.228.8.145", but I can't figure out which process is doing it and how to kill it. I figured out the IP address using the "iftop" command. – hunterr986 Dec 15 '15 at 18:55
  • It's a Chinese IP address. Did you change the root password and update your system? Which kernel version do you use? Try to update to the latest one. – Jasom Dotnet Dec 15 '15 at 19:04
  • I changed the password of my user. Will change the password of root next. Will also update to the latest kernel. But right now I turned off my computer as I don't know how to kill the process. I can't SSH into my machine right now. Will go home and do all the above that you mentioned. – hunterr986 Dec 15 '15 at 19:07
  • I have had issues with that sub-net from China (and many many others). I now have a permanent block on the entire sub-net 122.224.0.0/12 – Doug Smythies Dec 15 '15 at 20:00
  • Looks like I will have to do the same. My fear is that they have stolen my files and info. This happened to me before on an Ubuntu machine. I clean installed my laptop and installed Fedora. – hunterr986 Dec 16 '15 at 02:16
  • If it is the second similar attack on the same machine, it may not be an OS issue. It may be a corrupted hard disk, motherboard chipset, network card... How does your case continue? – Jasom Dotnet Dec 16 '15 at 15:32
  • Yeah, it's a second attack on the same machine. How do I find out which hardware is corrupt? That's the reason I am trying to figure out the process that is causing this, so that I can get to the root of this. But I don't know how to do it. – hunterr986 Dec 17 '15 at 00:23
  • That's beyond my current knowledge. I would start with Google or a question within the Stack Exchange network :-) Did you change the root password? Does the attack still continue? ...maybe it's time to evaluate the best answer in this thread? – Jasom Dotnet Dec 18 '15 at 01:51
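The step this thread never reaches is mapping the remote IP found with iftop back to a local process. The script below is an added example, not code from either answerer: it reads /proc/net/tcp (the kernel's socket table, which is also what NetHogs and ss -tnp draw on) to find sockets connected to 122.228.8.145, then walks /proc/<pid>/fd to find which PID holds each socket inode. A constructed sample table is embedded so it can be exercised on any machine; on a real Ubuntu host it reads the live table, and it must run as root to attribute other users' (including root's) sockets.

```python
# Added example: map TCP sockets connected to one remote IP back to the owning PID.
# /proc/net/tcp stores addr:port as little-endian hex and the socket inode in column 10;
# /proc/<pid>/fd symlinks read "socket:[inode]". Run as root to see other users' processes.
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout: one connection to 122.228.8.145:80 (inode 12345)
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:D431 9108E47A:0050 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 20 4 30 10 -1
   1: 0A01A8C0:0016 0B01A8C0:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0 20 4 30 10 -1
"""

def hex_to_ip(hex_addr):
    """'9108E47A:0050' -> ('122.228.8.145', 80); the kernel writes IPv4 in host byte order."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def find_inodes(proc_net_tcp, remote_ip):
    """Return [(inode, remote_port)] for every socket whose peer address is remote_ip."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 10 and hex_to_ip(fields[2])[0] == remote_ip:
            hits.append((int(fields[9]), hex_to_ip(fields[2])[1]))
    return hits

def inode_owners(inodes):
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd symlink."""
    owners = {}
    if not inodes or not os.path.isdir("/proc"):
        return owners
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:  # not our process (no root), or it exited meanwhile
            continue
        for target in links:
            if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                with open(f"/proc/{pid}/comm") as f:
                    owners[int(target[8:-1])] = (int(pid), f.read().strip())
    return owners

if __name__ == "__main__":
    table = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE_TCP
    hits = find_inodes(table, "122.228.8.145")
    owners = inode_owners({ino for ino, _ in hits})
    for ino, port in hits:
        print(f"122.228.8.145:{port} inode={ino} owner={owners.get(ino, 'unknown (run as root)')}")
```

Once the PID is known, /proc/<pid>/exe and /proc/<pid>/cmdline show what binary is actually behind the connection, which is the evidence to keep before killing it.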

Maybe your torrent client is seeding continuously when you're connected to the internet.

Use Wireshark to see the traffic's content (in addition to the remote address, but not the local process).

For that reason I use Network Monitor.
