
I have been using Linux for about 5 years now but I am not very skilled with the commands to monitor and figure out internal issues.

I recently was having trouble with the Internet. My roommates were complaining about Internet being very slow. For some reason I checked my task manager and it said I uploaded 731 GB of data. I am not sure what it was. It's not doing it right now.

I do not know when it uploaded 731 GB of data. Is there a way to figure out the history of the past few days to see when my computer uploaded that much data?

"WHO" (process) is uploading so much data from my machine?

I have used NetHogs/ntop commands to figure out who is uploading data but I can't find the process. NetHogs has ? as PID and root as user. So what do I do next?

Also, this is the second time. First it was on the Ubuntu partition and now it's on the Fedora partition.

Here is the screenshot of the NetHogs command:

[Screenshot: NetHogs output; I do not know what those processes are]

I have used Wireshark to capture data packets but I don't know how to see the data in those packets.

Every time I block an IP address that the data is going to it automatically finds another IP address to push data.

Dmitry Grigoryev
hunterr986
  • @ott-- 137 is part of the IP address. – Dmitry Grigoryev Dec 17 '15 at 22:14
  • Yeah. That's not the port number. The malicious process is opening up all the ports on my machine to send data. – hunterr986 Dec 17 '15 at 22:15
  • A shot in the dark, can you show us what's inside your ~/.bash_history for root and for your current user? Most people cover these tracks, but... you never know. Edit out anything sensitive. – Mark Buffalo Dec 17 '15 at 22:16
  • One thing I would do (if you have not already done so) is run wireshark for a while, capture as much as you want and save it to disk. This will allow you to come back and analyze the traffic anytime. Once that is done, I would disconnect the machine from the internet, who knows what it could be doing. – pureooze Dec 17 '15 at 23:40
  • I already captured about 20 mins of data transfer. I just can't figure out how to analyze it. – hunterr986 Dec 17 '15 at 23:50
  • FYI, this is a DDOS tool. Your computer is most likely attacking other targets in China or around the world. You should pull it from the network. – Ohnana Dec 18 '15 at 01:09
  • Yeah. I pulled it from the network. But this is the second time on a different partition. I don't know how to prevent it from happening again. – hunterr986 Dec 18 '15 at 01:17
  • @hunterr986 if this happens multiple times then either another device on your network is compromised (it could be your own computer) and in turn compromises the newly reinstalled server, or you're reusing credentials/keys that have been compromised, allowing the attackers to log back into your reinstalled server, or you're reusing a malicious/vulnerable binary on the newly reinstalled server which causes it to get compromised again. You should take a complete image of the hard drive of the server with "dd" and keep it for forensic purposes before reinstalling. – André Borie Dec 18 '15 at 01:28
  • @AndréBorie I am reinstalling fedora now. Will take an image and investigate further but I don't know how to do it. If I figure out anything at all I will post it here for sure. – hunterr986 Dec 18 '15 at 02:15
  • Having shared drives or directories between the different OSs could explain the cross-OS contamination. – Neil Smithline Dec 18 '15 at 04:08

0 Answers
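Added example, not written by the asker or any commenter: the OP saved about 20 minutes of traffic in Wireshark (as pureooze suggested) but could not analyse it. This stand-alone script reads a classic `.pcap` file with only the Python standard library and totals the IPv4 bytes the machine sent to each destination, which is the first triage step (where did the 731 GB go, and to how many hosts). A pcap records no PIDs, so it answers "where" rather than "which process". The sample capture, the local address `192.168.1.10` and the destination addresses are constructed for the demo; `pcap_records`, `outbound_bytes` and `build_pcap` are hypothetical helper names.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address
# Hypothetical helper (not NetHogs/Wireshark code): assumes a classic .pcap
# file with Ethernet link-layer (DLT_EN10MB) frames carrying IPv4 traffic.

def pcap_records(data: bytes):
    """Yield raw frames from classic pcap bytes; handles both byte orders."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16  # skip the per-packet record header
        yield data[off:off + incl_len]
        off += incl_len

def outbound_bytes(data: bytes, local_ip: str) -> Counter:
    """Sum IPv4 total-length bytes sent from local_ip, keyed by destination IP."""
    totals = Counter()
    for frame in pcap_records(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
            continue
        ip = frame[14:]  # IPv4 header starts after the 14-byte Ethernet header
        src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        if str(src) == local_ip:
            totals[str(dst)] += struct.unpack("!H", ip[2:4])[0]
    return totals

# --- constructed sample capture (stand-in for the OP's 20-minute Wireshark file)
def _frame(src: str, dst: str, payload_len: int) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6,
                         0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + b"\x00" * payload_len

def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

LOCAL = "192.168.1.10"
SAMPLE = build_pcap([_frame(LOCAL, "203.0.113.5", 1400)] * 3
                    + [_frame(LOCAL, "198.51.100.7", 100),
                       _frame("203.0.113.5", LOCAL, 40)])  # inbound frame, ignored

if __name__ == "__main__":
    for dst, n in outbound_bytes(SAMPLE, LOCAL).most_common():
        print(f"{dst:>15}  {n} bytes")
```

For a real capture, replace `SAMPLE` with `open("capture.pcap", "rb").read()`; Wireshark saves pcapng by default, so export the file as classic pcap first.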