pc is compromised


ybed0
Hello,

I fear that my home PC is compromised; every now and then it starts to open a lot of connections
and sends packets (about 200kbs) to certain IP addresses (e.g. Google) without me doing anything.

Using Debian 7, I tried to reinstall the distro several times, taking care to remove all services
by checking with nmap over 65,000 ports; the DHCP service is also uninstalled.
The machine is behind a modem / router with proprietary firmware and the things I can do are quite a few there.

With Wireshark I think the strange packets do not arrive as soon as I'm connected,
so I think the compromise starts when I start the browser. Iceweasel and Chromium, it seems indifferent.

I do not know what to do, any advice would help me;
I believe that those who succeed in the attack can do whatever they want with my PC.
(My suspicion is some sort of IP / DNS spoofing but it could be more, I do not understand.)

Sorry for my English

Re: pc is compromised

Kees de Jong-2
Do you use the Google public DNS? 8.8.8.8 or 4.4.4.4?





Re: pc is compromised

Marco De Marco
Do you have some plug-in in your browser?
Which repositories do you use?
Only official or also unofficial?
Chromium has a lot of features that use google servers, like omnibar; turn all off.


On 14 March 2014 21:51:50 CET, Kees de Jong <[hidden email]> wrote:
Do you use the Google public DNS? 8.8.8.8 or 4.4.4.4?





-- Sent from my Android phone with K-9 Mail.

Re: pc is compromised

Joe Rowan
In reply to this post by ybed0

No problem, it's very good. Browsers do a fair bit behind the scenes, so
this isn't necessarily something sinister. Firefox/Iceweasel, for
example, looks up popular Google search terms as you enter characters in
the search window. Chromium is also Google, of course.

Try installing Midori, which by default uses the DuckDuckGo search, and
see if the same kind of activity occurs when you start it. It's a bit
primitive as browsers go, but you are trying to solve a problem, not
have a great browsing experience.

If you are using your router as DNS server, try using e.g. OpenDNS
instead in your workstation DNS settings. There are certainly router DNS
compromises about. As you are comfortable with wireshark, have a look
at the destination IP addresses of DNS lookups, see if they are what you
expect. Man-in-the-middle attacks are harder than DNS server address
substitution.

--
Joe


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: https://lists.debian.org/20140314211015.600394e6@...


Re: pc is compromised

Dimas Prawira
In reply to this post by ybed0


Application such as mail client, social media client, etc,  also sync with their server.

Regards
Dimas Yudha P.

----------------------
Sent from Photon Q GMail Client.
Powered by CM 10.1 Android 4.2.2 unlocked and rooted.

"I would like to change the world, but they won't give me the source code"


Re: pc is compromised

Marco De Marco
In reply to this post by Marco De Marco
There could be other things that work behind the scenes.

http://www.google.com/intl/en/chrome/browser/privacy/

On 14 March 2014 22:34:49 CET, Jordon Bedwell <[hidden email]> wrote:

Omnibar does not randomly send data back; it's a triggered action.
Metrics might, however, randomly send anonymous metrics back. Google
Hangouts also does not randomly send data as it's not P2P; it listens
for your browser to ask it to connect on its behalf.

-- Sent from my Android phone with K-9 Mail.

Re: pc is compromised

ybed0
In reply to this post by Dimas Prawira
here is the log of wireshark, I removed some packets that reported the MAC address, attached are the pcapng files

this is the newly connected PC
(here I'm using google dns)
https://filetea.me/t1s9VaxuNRWQAWOftoZ1foOUg

and this is when I start firefox and go to google.com
https://filetea.me/t1sV3uEy37JRU2y9ofZqvRhXA


this (the interesting and not too long) is the log before installing fresh, I had nothing open (services, browsers, etc.)
https://filetea.me/t1sEexcOWJvSnK1HLE9CLlSxw

Re: pc is compromised

Tomasz Ciolek-2
All 3 links are empty?


--
Tomasz M. Ciolek
*******************************************************************************
 tmc at vandradlabs dot com dot au
*******************************************************************************
   GPG Key ID: 0x41C4C2F0
   GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
   Key available on good key-servers
*******************************************************************************


Re: pc is compromised

ybed0
sorry, I uploaded a wrong service

here is the log of wireshark, attached are the pcapng files

this is the newly connected PC
(here I'm using google dns)
stashbox.org/1438705/start

and this is when I start firefox and go to google.com
stashbox.org/1438686/firefox


this (the interesting and not too long) is the log before installing fresh, I had nothing open (services, browsers, etc.)
stashbox.org/1438697/session


Re: pc is compromised

ybed0
In reply to this post by Tomasz Ciolek-2
Can you see the files? As you seem logs?

I put back the links to safety

here is the log of wireshark, attached are the pcapng files

this is the newly connected PC
(here I'm using google dns)
http://stashbox.org/1438705/start

and this is when I start firefox and go to google.com
http://stashbox.org/1438686/firefox

this (the interesting and not too long) is the log before installing fresh, I had nothing open (services, browsers, etc.)
http://stashbox.org/1438697/session

Re: pc is compromised

ybed0
In reply to this post by Tomasz Ciolek-2
I logged the traffic with wireshark,
http://stashbox.org/1440698/wireshark

and simultaneously the output of lsof
http://stashbox.org/1440699/lsof

and the output of netstat -anp
http://stashbox.org/1440700/netstat

I had nothing running (eg browsers or other clients). What could it be?

Re: pc is compromised

Paul Wise via nm
On Mon, Mar 17, 2014 at 7:10 AM, ybed0 wrote:

> I had nothing running (eg browsers or other clients). What could it be?

Looking at the wireshark Statistics -> Protocol Hierarchy tool, it
appears that random machines on the Internet are attempting to connect
to TCP and UDP ports 54424 and 59520. Linux on your computer is
responding to these packets saying that the ports are closed. The data
in the UDP packets is one of these lengths: 20 30 67 101 103. The
longer packets are more interesting. They have some strings like ping1
and find_node1. A web search for them turns up this page where some
folks are discussing a similar issue. It appears that this is to do
with the Kademlia distributed hash table. If the IP you are now using
has ever used any of the peer-to-peer networks listed in the
implementations section of the Wikipedia page about Kademlia, you will
probably see these connections/packets. I guess they will gradually
reduce over time as your IP address gets dropped by clients.

http://es.comp.hackers.narkive.com/jcAAu5K5/puerto-13406
https://en.wikipedia.org/wiki/Kademlia
https://en.wikipedia.org/wiki/Kademlia#Implementations

--
bye,
pabs

http://wiki.debian.org/PaulWise
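The "ping1" and "find_node1" strings pabs mentions are what a bencoded KRPC (BitTorrent/Kademlia DHT) query looks like in a hex dump: the dictionary key/value run `4:ping1:t` or `9:find_node1:t`. The script below, an added example that is not from the thread or from any of the posters, decodes bencode and classifies UDP payloads as DHT queries, responses or errors, which is the check a defender would run over the capture to confirm the leftover-DHT explanation rather than eyeballing strings. The payloads are constructed inline for the example; in practice they would be pulled from the pcap with tshark or scapy. The 20-byte `id` is the 160-bit Kademlia node ID.

```python
"""Triage UDP payloads for Kademlia/KRPC (BitTorrent DHT) messages.

A KRPC message is a bencoded dictionary.  Queries carry y=q and the query
name under q (ping, find_node, get_peers, announce_peer); responses carry
y=r, errors y=e.  Nothing here contacts the network.
"""


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at `pos`; return (value, next_pos).
    Raises ValueError or IndexError on malformed or truncated input."""
    c = data[pos:pos + 1]
    if c == b"i":                        # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                        # list: l<values>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            value, pos = bdecode(data, pos)
            items.append(value)
        return items, pos + 1
    if c == b"d":                        # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            value, pos = bdecode(data, pos)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                      # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated string at offset %d" % pos)
        return data[start:start + length], start + length
    raise ValueError("not bencode at offset %d" % pos)


def classify_krpc(payload: bytes):
    """Return ("query", name), ("response", ""), ("error", "") or None
    when the payload is not a complete, well-formed KRPC message."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not isinstance(msg, dict) or end != len(payload):
        return None
    kind = msg.get(b"y")
    if kind == b"q":
        name = msg.get(b"q", b"")
        if not isinstance(name, bytes):
            return ("query", "?")
        return ("query", name.decode("ascii", "replace"))
    if kind == b"r":
        return ("response", "")
    if kind == b"e":
        return ("error", "")
    return None


def node_id_hex(payload: bytes):
    """Hex of the sender's 20-byte Kademlia node id from a query, else None."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):
        return None
    args = msg.get(b"a") if isinstance(msg, dict) else None
    node_id = args.get(b"id") if isinstance(args, dict) else None
    if isinstance(node_id, bytes) and len(node_id) == 20:
        return node_id.hex()
    return None


def summarize(payloads):
    """Count payloads by message kind, e.g. {"query:ping": 3, "other": 1}."""
    counts = {}
    for p in payloads:
        c = classify_krpc(p)
        key = "other" if c is None else (c[0] + ":" + c[1] if c[1] else c[0])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample payloads (not from the thread's capture).
SAMPLE_UDP_PAYLOADS = [
    # ping query: note the "4:ping1:t" run that a strings dump shows as "ping1"
    b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    # find_node query: "9:find_node1:t" shows up as "find_node1"
    b"d1:ad2:id20:" + b"B" * 20 + b"6:target20:" + b"C" * 20
    + b"e1:q9:find_node1:t2:bb1:y1:qe",
    # response to a ping
    b"d1:rd2:id20:" + b"D" * 20 + b"e1:t2:aa1:y1:re",
    # unrelated UDP noise
    b"\x00\x01\x02hello",
]

if __name__ == "__main__":
    for p in SAMPLE_UDP_PAYLOADS:
        print(len(p), "bytes ->", classify_krpc(p), node_id_hex(p))
    print(summarize(SAMPLE_UDP_PAYLOADS))
```

Run over the real capture's UDP payloads, a high count of `query:ping` and `query:find_node` from many different source addresses to one closed local port, with the local host answering ICMP port-unreachable, is exactly the "stale DHT peer" pattern described above; it is inbound and unsolicited, so it is not evidence that the host itself is sending anything.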



Re: pc is compromised

ybed0
I do not know how to thank you!

I am trying snort wireshark etc.
to solve,
and did not even know the existence of these tools LOL

Maybe I overdid it with the paranoia.

I apologize for disturbing the list.

So you say that I do not have to worry too much, I'll try.

Again, thank you :)


Re: pc is compromised

Paul Wise via nm
On Mon, 2014-03-17 at 01:54 +0100, ybed0 wrote:

> I do not know how to thank you!

I can answer that one too...

The best way to thank me is to help Debian :)

http://www.debian.org/intro/help
http://blog.zobel.ftbfs.de/2011/06/how-you-can-help-debian-1.html
https://packages.debian.org/jessie/how-can-i-help
https://wiki.debian.org/how-can-i-help

--
bye,
pabs

http://wiki.debian.org/PaulWise
