
Seems someone has set up something in my system. I have several ports on localhost sending outbound communications. When in Firefox I type web.whatsapp.com for WhatsApp Web, I get a browser redirect.

Does anybody know a good approach to cleaning this sort of stuff from the system? I'm on Debian Jessie 64-bit.

Here are some suspicious connections from the netstat -tulpan output:

tcp 0 0 192.168.1.2:50465 198.252.206.25:80 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:35162 151.101.65.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:46103 198.252.206.25:443 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:35191 151.101.65.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:44444 200.40.28.147:80 TIME_WAIT -
tcp 0 0 192.168.1.2:53077 151.101.193.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:44745 151.101.1.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:53072 151.101.193.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:50464 198.252.206.25:80 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:39236 192.0.73.2:443 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:42522 104.16.112.18:443 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:44447 64.233.190.102:443 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:35163 151.101.65.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:48172 200.40.28.16:80 TIME_WAIT -
tcp 0 0 192.168.1.2:45010 64.233.190.95:80 TIME_WAIT -

MarkSkayff
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – techraf Oct 30 '16 at 08:25
  • Why do you think they are suspicious? I'm seeing StackExchange IPs for most of that list, plus a couple of Google, and a Cloudflare ... Removing the netstat output, all you have is a WhatsApp redirect that you don't provide details for. – schroeder Oct 30 '16 at 14:31
  • Perhaps it's a (potentially malicious) firefox extension. – Jonas Czech Oct 30 '16 at 17:36

1 Answer


When in Firefox I type web.whatsapp.com for WhatsApp Web, I get a browser redirect.

That is concerning and could be an indicator for malware (adware) or a man-in-the-middle attack.

Does anybody know a good approach to cleaning this sort of stuff from the system?

Since you have only given generic information about what's going on, I can only redirect you to a generic answer on how to deal with a compromised server.

Here are some suspicious connections from the netstat -tulpan output:

tcp 0 0 192.168.1.2:50465 198.252.206.25:80 ESTABLISHED 4556/firefox
(...)

There is nothing inherently suspicious about the presented output. What you are seeing are several open TCP connections, which is absolutely normal for an active browser session. The target ports 80 and 443 indicate that you are probably communicating with web services.

You can look up the IP addresses online or perform a reverse DNS query, for example via the host(1) command, to find out more about the servers you are connected to. For example:

$ host 198.252.206.25
25.206.252.198.in-addr.arpa domain name pointer stackoverflow.com.

As you can see, the first IP seems to belong to Stack Overflow. That said, if you assume you have been compromised, you should also be aware that all analysis from within the affected system is unreliable.

Arminius
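The triage the answer describes, as an added example that is not from the question or the answer above: parse the netstat -tulpan rows, group connections by peer address with a reverse lookup equivalent to host(1), and separately list LISTEN sockets that netstat printed without a PID (which usually just means netstat was not run as root). The LISTEN and UDP sample rows are constructed, and the resolver parameter is a hypothetical hook so the lookup can be stubbed offline.

```python
import socket
from collections import Counter
# Constructed sample in netstat -tulpan format; the LISTEN and UDP rows are invented.
SAMPLE_NETSTAT = """\
tcp 0 0 192.168.1.2:50465 198.252.206.25:80 ESTABLISHED 4556/firefox
tcp 0 0 192.168.1.2:35162 151.101.65.69:80 TIME_WAIT -
tcp 0 0 192.168.1.2:46103 198.252.206.25:443 ESTABLISHED 4556/firefox
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 127.0.0.1:6666 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* 700/dhclient
"""

def parse_netstat(text):
    """Parse netstat -tulpan rows into dicts; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue  # header and blank lines
        laddr, lport = f[3].rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        raddr, rport = f[4].rsplit(":", 1)
        state, owner = (f[5], f[6]) if len(f) > 6 else ("", f[5])
        rows.append({"proto": f[0], "laddr": laddr, "lport": lport, "raddr": raddr,
                     "rport": rport, "state": state, "owner": owner})
    return rows

def reverse_dns(ip):
    """Reverse lookup like `host <ip>`; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None

def summarize_remotes(rows, resolver=reverse_dns):
    """Group rows that have a peer by remote IP: ports, states, owners, PTR name."""
    out = {}
    for r in rows:
        if r["rport"] == "*":
            continue  # listening sockets have no peer
        s = out.get(r["raddr"])
        if s is None:  # resolve each peer only once
            s = out[r["raddr"]] = {"ports": set(), "states": Counter(),
                                   "owners": set(), "rdns": resolver(r["raddr"])}
        s["ports"].add(r["rport"])
        s["states"][r["state"]] += 1
        s["owners"].add(r["owner"])
    return out

def unowned_listeners(rows):
    """LISTEN sockets shown with owner '-': rerun netstat as root before worrying."""
    return [r for r in rows if r["state"] == "LISTEN" and r["owner"] == "-"]
```

Run the summary against the live output of `netstat -tulpan` to see which peers resolve to known services; a dict-backed resolver, as in the test, keeps the run offline.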