8

I was told that my working PC is massively scanning the ports of somebody else's PC, which is not intended by me. How can I find out which program is doing that?


Following the advice of ByteCommander's comment, I used nethogs to list my network traffic. I haven't found suspicious programs running on my computer in that way (which does not necessarily mean that there are no such programs - I just cannot oversee the whole output), but there are some strange lines of the form

my_ip_address:port-other_ip_address:port

where the right-hand side IP addresses are e.g. 123.24.163.24, 58.221.44.109, or 88.248.51.254. By googling them you will see that they all appear on some blacklists. Does that mean there is something suspicious ongoing? Could that have anything to do with my original problem?

Dune

5 Answers

8

A definite easy way to monitor your system is to run a command like netstat for a day or so and see what's going outbound. For example, something like this would show all outgoing (polled) connections:

netstat -nputwc | tee ~/network.log

From there, you can check network.log in your home folder to see if there are any weird/anomalous connections. It would be best to run this on a day when you're not going to use the internet too much, so you can get only background and not-active connections. Netstat will give you the capability to see what process is also calling the connections, which might be worthwhile to find and destroy if any scanner is running.

Furthermore, you can get a more detailed/verbose log using tcpdump, which you can use to get more advanced output, and get more information. See man tcpdump for more information. However, look particularly at the src expression to only get outgoing connections. Also be sure to use the -w option to write to a file for easy searching. You can read a bit more about tcpdump here if you want. At the very least, this will tell you if your computer is actually scanning things.

From either of these, you can either get the process (through netstat) or important things like when and where things are going. You can in fact run both at the same time to look for any triggers or similar that cause scans. You can even use tcpdump to find when scans happen, and then cross-reference that with netstat to find what process is doing things.

If you notice that these scans happen at regular times, you should look for cronjobs or similar, which can be removed (relatively) easily.

Otherwise, you can use the general security tips, such as running rkhunter, clamav, and so on. You could also always just reinstall your system from a known-good backup to just end it now.


And just for a bit of background on botnets, mostly to bore you.

Typically, a botnet sits idle on your system until triggered by some order. This can either be your system receiving a message from a remote server, or your machine polling a server for its new "orders." Either way, you can use these same tools to find these botnet commands, and where they're going to.

Once you can capture your machine being part of a botnet (if it is), you can find what and where the botnet software is, and remove it using any methods you want.

It may also be important to note that your computer may not be the infected device on the network. A router upstream, a WAP, a webcam, or any other sort of IoT thing (printers, even!) can also be members of a botnet. If they're behind the same connection/IP as your machine (especially at home or similar), you might be falsely blaming your computer instead of your smart toaster or whatever.

Kaz Wolfe
6

Possible things you can do:

  • Change your passwords: in case of a human attacker using your device(s) as a mask, it's obvious that your authentication was somehow compromised. This includes your computer, but also your router, modem, and smart devices on your home network. Most users only put a password on wifi, but no password on their router admin account, which is bad. As Kaz pointed out, smart devices are also easy targets. While you're checking the router, also check whether someone has enabled port forwarding on the router to know exactly what device is being accessed.

  • Check for nmap. Nmap is one of the most common tools used for scanning networks. It can be used for good and it's a good tool for system administrators, but it can also be used by the bad guys. Do apt-cache policy nmap to see if somebody installed it onto your machine.

  • Analyze your network connections and traffic. Tools such as netstat will tell you what programs are using which network ports. Of particular interest is the sudo netstat -tulpan command. Another tool already mentioned is Wireshark. You might need to take time to learn how to use it. I'd recommend that you run all these tests with all browsers and applications that depend on the network turned off.

  • Consider deleting plugins for browsers: Chrome extensions and Firefox addons are amazing, but they're not innocent little kittens. You could be running a browser, and those extensions do all the malicious activity in the background. Consider deleting them all, or simply removing ~/.mozilla and ~/.config/google-chrome/

  • If nothing else works, nuke it from orbit: In other words, back up your data, and reinstall your Ubuntu. Once a system is compromised, it's hard to trust it. A quite common technique is to replace a legitimate program with a fake one. With thousands of binary files on a computer, it can be hard to tell what is causing the mess if you're not a computer forensics specialist or security researcher. Make an Ubuntu live USB (preferably on a different, trusted computer) and reinstall your system. Consider getting rid of your router as well and getting a new one. Installing malware in routers isn't as uncommon as you think. If you don't want to do that, consider installing open source software on the router, such as DD-WRT or OpenWrt, if those support your router manufacturer and version.

  • Consider asking a professional for help: this one might cost you the most, but if you want to get to the bottom of this and find out what actually is going on, consider hiring someone who investigates computer network security for a living. The potential plus is that they can tell you who has compromised your network and how, and who is using it for malicious juju.

Sergiy Kolodyazhnyy
3

I have another approach for you, as I was confronted with the same situation in the past.

  1. DO NOT BLOCK ANYTHING with IPTABLES YET!
  2. Stop any application or process that can communicate with the victim (e.g. a browser connected to the victim's IP address).
  3. Find out what traffic is going between your PC and the victim's PC by using

    tcpdump -nn host your_victim_ip
    

    Your output should look similar to this

    08:36:19.738610 IP 192.168.89.xxx.46582 > 89.35.224.xxx.80: Flags [.], ack 18825, win 523, options [nop,nop,TS val 15987331 ecr 427321428], length 0
    08:36:19.738625 IP 89.35.224.xxx.80 > 192.168.89.xxx.46582: Flags [.], seq 18825:20273, ack 492, win 243, options [nop,nop,TS val 427321428 ecr 15987307], length 1448: HTTP
    08:36:19.738635 IP 192.168.89.xxx.46582 > 89.35.224.xxx.80: Flags [.], ack 20273, win 545, options [nop,nop,TS val 15987331 ecr 427321428], length 0
    08:36:19.738643 IP 89.35.224.xxx.80 > 192.168.89.xxx.46582: Flags [FP.], seq 20273:21546, ack 492, win 243, options [nop,nop,TS val 427321428 ecr 15987307], length 1273: HTTP
    

    From the output above, the ports are the last number of each address, 46582 and 80 in 192.168.89.xxx.46582 > 89.35.224.xxx.80

  4. Find out what is using that port with lsof

    lsof -nP -i:80
    

    Replace ":80" with the port(s) found in the tcpdump output; -n suppresses resolving IPs into names and -P suppresses converting ports into names; it should show you what process uses port 80.

    COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    firefox 30989 mihai   61u  IPv4 496649      0t0  TCP 192.168.89.xxx:40890->89.35.224.xxx:80 (ESTABLISHED)
    

    As you can see in my example, the COMMAND firefox is using port 80 in the communication established with IP 89.35.224.xxx

  5. If the command appears to be strange, verify where it is running from with ls -l /proc/$PID/exe, where $PID is the process ID found with the lsof command earlier. It should give an output similar to:

    lrwxrwxrwx 1 mihai mihai 0 Jan 16 22:37 /proc/30989/exe -> /usr/lib/firefox/firefox
    
  6. Additionally, you can check for more details on the command listed by lsof -i:port by using lsof -c command_name

    That's the digging part, so keep in mind that almost everything related to that "running command" will show up, like what files it uses, what other connections it has, etc.

  7. Kill the process with sudo kill -9 $PID

  8. It might be a good idea to back up the file in another place and delete it if it's not a common process name like firefox, although you may consider reinstalling the app if it's a common one.

Another approach is to change the command used at step 4 to lsof -i@victim_ip_address to see all processes and commands that have active connections with your victim's IP address

IMPORTANT: Run all the commands as root or with sudo.

If you don't have tcpdump or lsof installed, you can install them with: sudo apt install lsof tcpdump

At this point I think you have all the information needed to use IPTABLES and block outgoing traffic if it's still needed.

Don't forget to use tcpdump again to see if the problem has gone.

Pablo Bianchi
  • lsof comes with Ubuntu by default, and I'm pretty sure that tcpdump does as well. At least, I've never had to do so with my Ubuntu. – Sergiy Kolodyazhnyy Jan 17 '17 at 10:03
  • As I said "If you don't have them already installed", it was just additional info, as not all users have installed Ubuntu with the default presets. – Stancu Mihai Jan 17 '17 at 10:37
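Steps 3 to 5 of the answer above go from a remote IP seen in tcpdump, to the process holding the socket (lsof), to that process's executable (`/proc/$PID/exe`). The script below is an added example, not code from the answer or from lsof, that shows the mechanism lsof relies on so the same lookup can be done on a machine where lsof is not installed: `/proc/net/tcp` lists every IPv4 TCP socket with its endpoints (hex, little-endian on x86, which this example assumes) and its socket inode, and `/proc/<pid>/fd/*` are symlinks named `socket:[inode]`, so matching the two identifies the owner. The `/proc/net/tcp` rows, the fd link tables and the PIDs 30989 and 4242 are constructed for the example; IPv6 sockets live in `/proc/net/tcp6` with 128-bit addresses and are not handled here.

```python
"""Map a remote IP seen in tcpdump back to the owning PID the way lsof does:
/proc/net/tcp gives each socket's inode, /proc/<pid>/fd links name that inode."""
import os
import socket
import struct
import sys

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp content: row 0 is firefox talking to 89.35.224.5:80,
# row 1 is a half-open connection (SYN_SENT) to 123.24.163.24:22 held by PID 4242.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A59A8C0:B5F6 05E02359:0050 01 00000000:00000000 00:00000000 00000000  1000        0 496649 1 0000000000000000 20 4 30 10 -1
   1: 0A59A8C0:C739 18A3187B:0016 02 00000001:00000000 01:00000200 00000001  1000        0 512000 1 0000000000000000 100 0 0 1 7
"""
# Constructed /proc/<pid>/fd link targets, as os.readlink would return them.
SAMPLE_FD_LINKS = {30989: ["/dev/null", "socket:[496649]"], 4242: ["socket:[512000]"]}


def hex_to_endpoint(hex_addr):
    """'0A59A8C0:B5F6' -> ('192.168.89.10', 46582). The kernel prints the IPv4
    address as one 32-bit word in host byte order (little-endian on x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, remote_ip, remote_port, state, inode)]."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = hex_to_endpoint(f[1])
        rip, rport = hex_to_endpoint(f[2])
        rows.append((lip, lport, rip, rport, TCP_STATES.get(f[3], f[3]), int(f[9])))
    return rows


def inode_owners(fd_links):
    """Invert {pid: [link targets]} into {socket inode: pid}."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                owners[int(t[8:-1])] = pid
    return owners


def connections_to(remote_ip, proc_net_tcp_text, fd_links):
    """Every TCP socket talking to remote_ip, with the PID holding it (None if
    no readable fd table named its inode, e.g. another user's process)."""
    owners = inode_owners(fd_links)
    return [{"pid": owners.get(inode), "local": f"{lip}:{lport}",
             "remote": f"{rip}:{rport}", "state": state, "inode": inode}
            for lip, lport, rip, rport, state, inode in parse_proc_net_tcp(proc_net_tcp_text)
            if rip == remote_ip]


def live_fd_links():
    """Read /proc/<pid>/fd for every process we are allowed to inspect."""
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or we are not root
    return links


if __name__ == "__main__":
    live = len(sys.argv) == 2 and os.path.exists("/proc/net/tcp")
    if live:  # usage: sudo python3 whoconnects.py <remote ip>
        with open("/proc/net/tcp") as fh:
            found = connections_to(sys.argv[1], fh.read(), live_fd_links())
    else:
        found = connections_to("123.24.163.24", SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS)
    for c in found:
        # Same lookup as step 5's `ls -l /proc/$PID/exe`, only meaningful on a live system.
        exe = os.path.realpath(f"/proc/{c['pid']}/exe") if live and c["pid"] else "(sample)"
        print(c["pid"], exe, c["local"], "->", c["remote"], c["state"])
```

Run it as root, as the answer says for its own commands: without that, `/proc/<pid>/fd` of other users' processes is unreadable and the PID comes back as `None` even though the socket itself is visible. A `None` owner on a socket in `ESTABLISHED` or `SYN_SENT` state when running as root is itself worth noting, since it can mean the socket belongs to a process that is hiding its fd table or to the kernel rather than to a normal process.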
2

You should install Wireshark for packet inspection. In the meantime you could block the IPs, or better yet the whole range (in case they own it all), but it is likely they'll just use another route.

For a single IP:

sudo ufw deny from 123.24.163.24 to any

For a range:

sudo ufw deny from 123.24.163.0/24 to any

or append a rule to iptables if you prefer this way.

sudo iptables -A INPUT -s 123.24.163.0/24 -j DROP

There is a chance that someone is operating from your computer, hence the scanning. In such a case, who knows what else has already been done on your computer. It might require a total cleanout.

  • I would like to comment on the above answers. Change your passwords, just not from this computer or any other inside your LAN, as it could already be compromised. I think you were infected with a reverse shell. Best to wipe your system clean as there is no telling where they have nested. Unless you are an expert and have time to scour a couple hundred thousand files on your system. Also, as said already, consider changing your router unless you are 100% sure that no one in the neighborhood is hacking you. I would say try and access the admin, but you could be giving them the password. – user633551 Jan 16 '17 at 11:08
2

The EtherApe network monitor is a midrange option for monitoring your network's data traffic. As an open source network monitor, EtherApe displays network activity graphically with a color-coded protocol display. Hosts and links change in size with traffic. It supports Ethernet, WLAN, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network. For downloads and more information, visit the EtherApe homepage.


Blocking the offending address is as simple as adding the suspect address to an input iptables chain like this

iptables -A INPUT -p tcp -s OFFENDING_IP_ADDRESS -d WEB_SERVER_ADDRESS --dport 80 -j DROP (where OFFENDING_IP_ADDRESS is the suspect address and WEB_SERVER_ADDRESS is the web server being hit)

There is also other very good open-source software (OSS) for Linux that you can install on your Ubuntu to get greater security and evaluate your system for possible failures.

Lynis

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Although it has many analysis options (it can even be complemented with plugins), the base operation is to analyze a series of aspects of the system and check whether the configuration is correct.

In the end, based on the results obtained, you will be offered a guideline score of 100, which they call the hardening index, along with a good record of all the warnings and corrective measures you are suggested to apply.

Lynis runs on almost all UNIX-based systems and versions.

Lynis is lightweight and easy to use, and it is used for several different purposes.

You can read more about Lynis in its official website link.

Installation guide

Typical use cases for Lynis include:

  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

OpenVAS / Nessus

These products focus primarily on vulnerability scanning. They do this via the network by polling services. Optionally they will log in to a system and gather data.

RootKit Checkers: rkhunter & chkrootkit

The package rkhunter is in the repos, so just

sudo apt-get install rkhunter

So is chkrootkit

sudo apt-get install chkrootkit
Pablo Bianchi