
I've spoken to my ISP and they've sent me reports of high levels of uploads that exceed their threshold and cause disconnects. I know for certain that I did not initiate these uploads (my computer is a newly rebuilt Ubuntu 16.04 with practically nothing on it) but the high upload volume seems to be coming from my device. I have just moved from Windows to Ubuntu and have secured as much as possible using various forums.

Unfortunately my ISP won't help me from there and have said they'll just happily keep disconnecting me each time and it's up to me to find the culprit. Trust me when I say I have spent the entire last week looking through any Ubuntu security articles I could lay my hands on but my learning curve is steep and I need help getting to some shortcuts, even some ideas to get me started so I can sort this out.

My question:

What is the quickest way of finding out what processes are running that are likely to upload data or share data? Common processes to check or some script I can use to prevent this from happening. I'm being disconnected regularly, e.g. every 40 minutes or so, and sometimes even constantly. Are there particularly vulnerable applications that I can remove?

I've removed samba and vino. I've disabled bluetooth and wifi. I've updated with a screenshot at the time the issue is happening (not disconnection but very slow connection):

flossco@my-pc1:~$ sudo lsof -i -n -P
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  1519 root   12u  IPv4  24632      0t0  TCP 127.0.0.1:25 (LISTEN)
master  1519 root   13u  IPv6  24633      0t0  TCP [::1]:25 (LISTEN)
firefox 6454 flossco   75u  IPv4 158078      0t0  TCP <my ip>:37640->104.16.109.18:443 (ESTABLISHED)
firefox 6454 flossco   76u  IPv4 135010      0t0  TCP <my ip>:48806->220.244.136.34:443 (ESTABLISHED)
firefox 6454 flossco   77u  IPv4 151831      0t0  TCP <my ip>:48266->23.49.213.202:443 (ESTABLISHED)
firefox 6454 flossco   78u  IPv4 154196      0t0  TCP <my ip>:49458->52.85.41.180:443 (ESTABLISHED)
firefox 6454 flossco   79u  IPv4 153071      0t0  TCP <my ip>:32918->220.244.223.104:443 (ESTABLISHED)
firefox 6454 flossco   80u  IPv4 151834      0t0  TCP <my ip>:51864->23.37.139.27:80 (ESTABLISHED)
firefox 6454 flossco   81u  IPv4 155071      0t0  TCP <my ip>:44848->23.37.139.181:443 (ESTABLISHED)
firefox 6454 flossco   82u  IPv4 151793      0t0  TCP <my ip>:54870->172.217.25.35:443 (ESTABLISHED)
firefox 6454 flossco   84u  IPv4 156640      0t0  TCP <my ip>:55606->151.101.1.69:443 (ESTABLISHED)
firefox 6454 flossco   85u  IPv4 154097      0t0  TCP <my ip>:42938->162.213.33.102:443 (ESTABLISHED)
firefox 6454 flossco   86u  IPv4 154098      0t0  TCP <my ip>:42940->162.213.33.102:443 (ESTABLISHED)
firefox 6454 flossco   87u  IPv4 135733      0t0  TCP <my ip>:45052->172.217.25.46:443 (ESTABLISHED)
firefox 6454 flossco   88u  IPv4 153025      0t0  TCP <my ip>:42942->162.213.33.102:443 (ESTABLISHED)
firefox 6454 flossco   89u  IPv4 153026      0t0  TCP <my ip>:42944->162.213.33.102:443 (ESTABLISHED)
firefox 6454 flossco   90u  IPv4 153027      0t0  TCP <my ip>:42946->162.213.33.102:443 (ESTABLISHED)
firefox 6454 flossco   91u  IPv4 153028      0t0  TCP <my ip>:42948->162.213.33.102:443 (ESTABLISHED)
firefox 6454 flossco   92u  IPv4 156156      0t0  TCP <my ip>:32934->220.244.223.104:443 (ESTABLISHED)
firefox 6454 flossco   93u  IPv4 156160      0t0  TCP <my ip>:48820->220.244.136.34:443 (ESTABLISHED)
firefox 6454 flossco   94u  IPv4 135074      0t0  TCP <my ip>:35954->54.214.238.49:443 (ESTABLISHED)
firefox 6454 flossco   95u  IPv4 156641      0t0  TCP <my ip>:41216->216.58.199.42:443 (ESTABLISHED)
firefox 6454 flossco   96u  IPv4 135075      0t0  TCP <my ip>:34838->157.240.8.23:443 (ESTABLISHED)
firefox 6454 flossco   97u  IPv4 157071      0t0  TCP <my ip>:49648->115.178.9.19:443 (ESTABLISHED)
firefox 6454 flossco   98u  IPv4 155329      0t0  TCP <my ip>:49650->115.178.9.19:443 (ESTABLISHED)
firefox 6454 flossco   99u  IPv4 154913      0t0  TCP <my ip>:44998->172.217.25.40:443 (ESTABLISHED)
firefox 6454 flossco  100u  IPv4 151753      0t0  TCP <my ip>:44988->172.217.25.46:443 (ESTABLISHED)
firefox 6454 flossco  101u  IPv4 156097      0t0  TCP <my ip>:43738->184.24.212.192:443 (ESTABLISHED)
firefox 6454 flossco  102u  IPv4 154949      0t0  TCP <my ip>:48330->64.233.189.157:443 (ESTABLISHED)
firefox 6454 flossco  103u  IPv4 156099      0t0  TCP <my ip>:51816->23.37.139.27:80 (ESTABLISHED)
firefox 6454 flossco  104u  IPv4 155342      0t0  TCP <my ip>:58924->115.178.8.31:443 (ESTABLISHED)
firefox 6454 flossco  105u  IPv4 135672      0t0  TCP <my ip>:43764->184.24.212.192:443 (ESTABLISHED)
firefox 6454 flossco  106u  IPv4 156642      0t0  TCP <my ip>:56602->151.101.65.69:443 (ESTABLISHED)
firefox 6454 flossco  107u  IPv4 135673      0t0  TCP <my ip>:43766->184.24.212.192:443 (ESTABLISHED)
firefox 6454 flossco  108u  IPv4 154144      0t0  TCP <my ip>:59136->172.217.25.46:80 (ESTABLISHED)
firefox 6454 flossco  109u  IPv4 156108      0t0  TCP <my ip>:59138->172.217.25.46:80 (ESTABLISHED)
firefox 6454 flossco  110u  IPv4 154961      0t0  TCP <my ip>:59140->172.217.25.46:80 (ESTABLISHED)
firefox 6454 flossco  111u  IPv4 154962      0t0  TCP <my ip>:59142->172.217.25.46:80 (ESTABLISHED)
firefox 6454 flossco  112u  IPv4 154222      0t0  TCP <my ip>:36362->157.240.8.35:443 (ESTABLISHED)
firefox 6454 flossco  113u  IPv4 151985      0t0  TCP <my ip>:50216->115.178.9.18:443 (ESTABLISHED)
firefox 6454 flossco  114u  IPv4 135009      0t0  TCP <my ip>:51854->23.37.139.27:80 (ESTABLISHED)
firefox 6454 flossco  115u  IPv4 156643      0t0  TCP <my ip>:52212->192.0.73.2:443 (ESTABLISHED)
firefox 6454 flossco  116u  IPv4 158079      0t0  TCP <my ip>:37642->104.16.109.18:443 (ESTABLISHED)
firefox 6454 flossco  117u  IPv4 153333      0t0  TCP <my ip>:39978->184.24.223.126:443 (ESTABLISHED)
firefox 6454 flossco  118u  IPv4 154419      0t0  TCP <my ip>:55388->106.10.199.11:443 (ESTABLISHED)
firefox 6454 flossco  119u  IPv4 152087      0t0  TCP <my ip>:38360->27.0.0.1:8888 (SYN_SENT)
firefox 6454 flossco  120u  IPv4 159008      0t0  TCP <my ip>:59528->198.252.206.26:443 (ESTABLISHED)
  • What is the threshold? In terms of KB or GB. – Parto Jan 04 '17 at 06:25
  • upload speed of 10 mbps is being exceeded – user637251 Jan 04 '17 at 06:48
  • Is your computer the only one on the network? If you use wifi, have you tried changing the password + using WPA2? – MiJyn Jan 04 '17 at 06:59
  • My ISP: We have checked the usage graph of your account and found an over-utilized upload activity which is affecting the speed and session stability. Please be advised that NBN set a user upload limit to 5Mbps and we detected that you are hitting / exceeding this limit. NBN system is resetting the session if the line is over-utilizing the upload (PIR). Peak Information Rate (PIR) is defined as the maximum data throughput that may be delivered by the NBN Network. Note: Traffic that exceeds the PIR will be discarded by NBN Co Network – user637251 Jan 04 '17 at 08:16
  • Hi @MiJyn yes only one on network. No wifi, no bluetooth. – user637251 Jan 04 '17 at 09:11
  • I want to emphasise I'm not uploading anything – user637251 Jan 04 '17 at 09:39
  • @muru thanks for your comment. I have reviewed this but this is specifically about uploads. I was trying to narrow it down so I can pinpoint what is responsible. – user637251 Jan 04 '17 at 09:40
  • @user637251 ok, so? Do the tools in the other post only deal with download traffic? – muru Jan 04 '17 at 09:43
  • @muru - I have downloaded nethogs but there was a bug warning re this - sudo apt-get install nethogs. What I'm trying to understand is whether this will solve this particular problem. I'm monitoring today and will continue to do so. I would prefer, rather than install a software, to understand if there's also a possibility of a rogue program/process on my system somewhere that I will know about for future. I appreciate the link though - I need all the help I can get! – user637251 Jan 04 '17 at 09:58
  • Are you plugged into a switch or router that you have control of where you can see traffic statistics? –  Jan 04 '17 at 15:48
  • Yes, @bc2946088, I can see the traffic stats. – user637251 Jan 05 '17 at 01:30
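
Added example, not part of the original post or its comments: the `lsof -i` listing in the question shows which process owns each connection but not how much each has sent (SIZE/OFF is `0t0` on every row). This sketch ranks processes by bytes uploaded between two `ss -tinp` snapshots; it assumes an iproute2 `ss` whose `-i` output includes `bytes_acked`, and the snapshots `T0`/`T1`, the process `exampled` and all addresses are constructed.

```python
import re
import subprocess
import time
from collections import Counter

# Socket line of `ss -tinp`: state, queues, local, peer, owning process.
SOCK = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("([^"]+)",pid=(\d+)')
ACKED = re.compile(r'\bbytes_acked:(\d+)')  # payload bytes the peer has ACKed

# Constructed snapshots ("exampled" and all addresses are made up).
T0 = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:37640 198.51.100.7:443 users:(("firefox",pid=6454,fd=75))
\t cubic rto:204 mss:1448 cwnd:10 bytes_acked:2000 bytes_received:90000
ESTAB 0 0 192.0.2.10:40000 203.0.113.9:8888 users:(("exampled",pid=4242,fd=3))
\t cubic rto:204 mss:1448 cwnd:40 bytes_acked:1000000 bytes_received:300
"""
T1 = T0.replace("bytes_acked:2000", "bytes_acked:2500").replace(
    "bytes_acked:1000000", "bytes_acked:7000000")

def parse_ss(text):
    """Return {(process, pid, local, peer): bytes_acked}."""
    sent, key = {}, None
    for line in text.splitlines():
        m = SOCK.match(line)
        if m:
            local, peer, name, pid = m.groups()
            key = (name, int(pid), local, peer)
            sent[key] = 0
            continue
        a = ACKED.search(line) if key and line[:1].isspace() else None
        if a:
            sent[key] = int(a.group(1))
        key = None  # an info line belongs only to the socket just above it
    return sent

def upload_by_process(before, after):
    """Bytes sent per (process, pid) between two snapshots, largest first."""
    totals = Counter()
    for key, now in after.items():
        prev = before.get(key, 0)
        # A smaller counter means the address pair was reused by a new socket.
        totals[key[:2]] += now - prev if now >= prev else now
    return totals.most_common()

if __name__ == "__main__":  # live use; run with sudo to see every owner
    snap = lambda: parse_ss(
        subprocess.check_output(["ss", "-tinp"], universal_newlines=True))
    first = snap(); time.sleep(10)
    print(upload_by_process(first, snap()))
```

Only TCP sockets that exist at the second snapshot are counted, so short-lived connections and UDP traffic need a capture on the interface or the router's traffic statistics instead.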
