Hi Daniel,

(forgive the top-posting, I think it appropriate here)

I hate to even think it, but your computer "might" have been compromised. I had experience with this last month when I had an openSuSE 12.1 server rooted from China via Korea. I don't know what they were doing, but it had the net effect of launching a DOS against Google over port 53 (domain).

Take a look around at running processes using "top" and look for anything unusual, especially process names beginning with a ".". Also look in /etc/init.d for new/unusual entries. You might also find binaries in /boot that are used to restart the malware after booting. You might also see an edit of root's "history". I saw references to IptabLes and IptabLex. There's lots on Google about this, but no clear indication of the vulnerability. Here's one link:

http://lowendtalk.com/discussion/28795/vps-got-hacked-with-iptables-iptablex

Feel free to post a top printout, we might be able to notice something. In my case, the malware was rather crude, which made it easy to detect. That may not always be the case. If compromised, you'll need to slick and reinstall your box, since it can never be fully trusted again.

For the record, my compromised box had only anonymous ftp (vsftp) and ssh listening publicly. I used sshguard to block ssh password guesses, but it looks like they got in by supplying the root password correctly. The dedicated host provider had just moved the box to a new data center and had reset the root password, possibly an easy one to guess? If that's not what happened, ssh or vsftp may have a zero-day remote root vulnerability in the wild? I decommissioned the server since I really don't need it at this time.

Regards,
Lew

On 07/05/2014 03:37 AM, Daniel Bauer wrote:
Hello,
All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open...
I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come?
Is this something I should worry about?
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
Thanks for hints!
Daniel
tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:29:17.892834 IP 192.168.1.36.54051 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 55122+ A? img1.blogblog.com. (35)
12:29:17.893468 IP 192.168.1.36.57780 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 24803+ PTR? 36.1.168.192.in-addr.arpa. (43)
12:29:17.929639 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.54051: 55122 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (82)
12:29:17.929756 IP 192.168.1.36.46637 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 7321+ A? img2.blogblog.com. (35)
12:29:17.931315 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57780: 24803 NXDomain* 0/1/0 (102)
12:29:17.966284 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.46637: 7321 2/0/0 CNAME blogger.l.google.com., A 74.125.206.191 (82)
12:29:17.966471 IP 192.168.1.36.38370 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 22323+ A? www.blogger.com. (33)
12:29:18.000919 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.38370: 22323 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (80)
12:29:21.261728 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:21.262031 IP 192.168.1.36.43978 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 34441+ PTR? 1.1.168.192.in-addr.arpa. (42)
12:29:21.298464 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43978: 34441 NXDomain 0/1/0 (119)
12:29:21.950746 IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
12:29:21.951081 IP 192.168.1.36.58377 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 14687+ PTR? 33.202.117.163.in-addr.arpa. (45)
12:29:21.987356 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.58377: 14687 1/0/0 PTR guti.uc3m.es. (71)
12:29:21.995901 IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
12:29:22.904589 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:29:22.904976 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:29:32.264629 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:29:32.264943 IP 192.168.1.36.47458 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 58833+ PTR? 255.1.168.192.in-addr.arpa. (44)
12:29:32.301324 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47458: 58833 NXDomain* 0/1/0 (103)
12:29:33.001399 IP 192.168.1.36.43151 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 16752+ A? labs.domaintools.com. (38)
12:29:33.071888 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43151: 16752 1/0/0 A 199.30.228.83 (54)
12:29:33.072075 IP 192.168.1.36.51057 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 2316+ A? www.inteligentcomp.com. (40)
12:29:33.176330 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.51057: 2316 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:29:33.176486 IP 192.168.1.36.58612 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 37971+ PTR? 199.49.26.217.in-addr.arpa. (44)
12:29:33.211630 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.58612: 37971 1/0/0 PTR imap.mail.hostpoint.ch. (80)
12:29:36.263301 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:29:36.984661 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:36.984956 IP 192.168.1.36.56713 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 48073+ PTR? 250.255.255.239.in-addr.arpa. (46)
12:29:37.020628 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.56713: 48073 NXDomain 0/1/0 (103)
12:29:37.084505 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 299
12:29:37.184685 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 371
12:29:37.284520 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.384695 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 347
12:29:37.484501 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.584672 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 367
12:29:37.684497 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304
12:29:37.784658 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 347
12:29:37.984639 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 363
12:29:38.084811 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 379
12:29:38.184649 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 363
12:29:38.284809 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 361
12:29:38.384633 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 377
12:29:48.212084 IP 192.168.1.36.42014 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 35763+ A? whois.domaintools.com. (39)
12:29:48.285337 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.42014: 35763 2/0/0 CNAME whois.domaintools.com.c.footprint.net., A 8.247.6.160 (106)
12:29:48.285534 IP 192.168.1.36.45337 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59863+ A? ettercap.sf.net. (33)
12:29:48.363848 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.45337: 59863 1/0/0 A 216.34.181.96 (49)
12:29:48.364026 IP 192.168.1.36.49004 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59233+ A? www.daniel-bauer.com. (38)
12:29:48.519073 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.49004: 59233 1/0/0 A 217.26.50.29 (54)
12:29:51.262713 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:02.264601 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:30:03.519587 IP 192.168.1.36.57927 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 45024+ A? linkedin.com. (30)
12:30:03.554148 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57927: 45024 1/0/0 A 216.52.242.86 (46)
12:30:06.263232 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:08.536678 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:30:08.537079 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:30:21.263706 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:32.266592 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:30:33.554870 IP 192.168.1.36.33980 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 20740+ PTR? 84.67.194.173.in-addr.arpa. (44)
12:30:33.589164 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.33980: 20740 1/0/0 PTR wi-in-f84.1e100.net. (77)
12:30:33.589355 IP 192.168.1.36.57673 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 46372+ A? www.inteligentcomp.com. (40)
12:30:33.625683 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.57673: 46372 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:30:33.625856 IP 192.168.1.36.43331 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 56039+ PTR? 208.217.245.63.in-addr.arpa. (45)
12:30:33.696940 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43331: 56039 1/0/0 PTR sync02.phx.services.mozilla.com. (90)
12:30:33.697112 IP 192.168.1.36.39176 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 38932+ PTR? 23.41.194.173.in-addr.arpa. (44)
12:30:33.733580 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.39176: 38932 1/0/0 PTR mad01s14-in-f23.1e100.net. (83)
12:30:33.733747 IP 192.168.1.36.41130 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 42042+ PTR? 228.41.194.173.in-addr.arpa. (45)
12:30:33.769881 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.41130: 42042 1/0/0 PTR mad01s15-in-f4.1e100.net. (83)
12:30:33.770048 IP 192.168.1.36.50991 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 2430+ PTR? 139.253.215.67.in-addr.arpa. (45)
12:30:33.805512 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.50991: 2430 1/0/0 PTR 1.counter.a.statcounter.com. (86)
12:30:33.805680 IP 192.168.1.36.48923 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 38159+ PTR? 29.50.26.217.in-addr.arpa. (43)
12:30:33.909179 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.48923: 38159 1/0/0 PTR www.daniel-bauer.com. (77)
12:30:33.909316 IP 192.168.1.36.42281 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 33172+ PTR? 3.41.194.173.in-addr.arpa. (43)
12:30:33.944897 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.42281: 33172 1/0/0 PTR mad01s14-in-f3.1e100.net. (81)
12:30:33.945026 IP 192.168.1.36.43238 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 62285+ PTR? 41.34.194.173.in-addr.arpa. (44)
12:30:33.980957 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.43238: 62285 1/0/0 PTR par03s03-in-f9.1e100.net. (82)
12:30:33.981085 IP 192.168.1.36.47322 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 57773+ PTR? 248.34.194.173.in-addr.arpa. (45)
12:30:34.017930 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47322: 57773 1/0/0 PTR mad01s09-in-f24.1e100.net. (84)
12:30:34.018062 IP 192.168.1.36.47332 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 49187+ PTR? 234.34.194.173.in-addr.arpa. (45)
12:30:34.054564 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.47332: 49187 1/0/0 PTR mad01s09-in-f10.1e100.net. (84)
12:30:36.265199 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:49.055056 IP 192.168.1.36.39989 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 15001+ A? 1.gravatar.com. (32)
12:30:49.091464 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.39989: 15001 2/0/0 CNAME cs91.wac.edgecastcdn.net., A 68.232.35.121 (86)
12:30:51.264657 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:30:54.072671 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
12:30:54.073052 ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
12:31:02.266585 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:31:06.265150 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:31:21.265653 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
12:31:32.268546 IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
12:31:34.092677 IP 192.168.1.36.51976 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 4676+ A? www.inteligentcomp.com. (40)
12:31:34.128480 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.51976: 4676 3/0/0 CNAME ghs.google.com., CNAME ghs.l.google.com., A 173.194.66.121 (101)
12:31:36.267176 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
^C
93 packets captured
93 packets received by filter
0 packets dropped by kernel
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
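A small triage script for a capture like the one Daniel posted, added here as an editorial example (it is not code from either poster or from the opensuse list). It assumes tcpdump's default text output as shown above, i.e. run without -n, so endpoints appear as host.port and DNS replies come from a source ending in ".domain"; the sample lines are copied from the capture in the thread. It separates the forward lookups (names something on the host really asked for) from the reverse PTR lookups for addresses seen in the capture, which tcpdump itself generates when it resolves names, and counts the non-DNS chatter (NTP, IGMP, SSDP, ARP) separately so it does not inflate the picture.

```python
import ipaddress
import re
from collections import Counter

# Line shapes produced by tcpdump's default (name-resolving) text output.
# Assumption: the capture was taken without -n, as in the thread, so
# endpoints appear as host.port and "domain" stands for UDP/53.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# "55122+ A? img1.blogblog.com. (35)": id, recursion-desired '+', qtype, qname, length
QUERY_RE = re.compile(r"^(?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")

ARPA_SUFFIX = ".in-addr.arpa"

# Sample input: lines copied from the capture posted in the thread.
SAMPLE_LINES = [
    "12:29:17.892834 IP 192.168.1.36.54051 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 55122+ A? img1.blogblog.com. (35)",
    "12:29:17.893468 IP 192.168.1.36.57780 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 24803+ PTR? 36.1.168.192.in-addr.arpa. (43)",
    "12:29:17.929639 IP 250.Red-80-58-61.staticIP.rima-tde.net.domain > 192.168.1.36.54051: 55122 2/0/0 CNAME blogger.l.google.com., A 173.194.66.191 (82)",
    "12:29:21.261728 IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]",
    "12:29:21.950746 IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48",
    "12:29:21.951081 IP 192.168.1.36.58377 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 14687+ PTR? 33.202.117.163.in-addr.arpa. (45)",
    "12:29:22.904589 ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28",
    "12:29:36.984661 IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length 304",
    "12:29:48.285534 IP 192.168.1.36.45337 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 59863+ A? ettercap.sf.net. (33)",
    "12:30:03.519587 IP 192.168.1.36.57927 > 250.Red-80-58-61.staticIP.rima-tde.net.domain: 45024+ A? linkedin.com. (30)",
]


def ptr_to_ip(qname: str) -> str:
    """Turn '36.1.168.192.in-addr.arpa' (trailing dot optional) back into '192.168.1.36'."""
    octets = qname.rstrip(".")[: -len(ARPA_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def summarize(lines):
    """Bucket tcpdump text lines into the categories a first-pass triage needs."""
    forward = Counter()         # names the host actually asked for (A, AAAA, ...)
    reverse_public = Counter()  # PTR lookups for globally routable addresses
    reverse_local = 0           # PTR lookups for private/multicast/link-local addresses
    responses = 0               # answers coming back from the resolver
    other = Counter()           # non-DNS IP traffic, keyed by tcpdump's protocol tag
    non_ip = 0                  # ARP and anything else not printed as "IP"

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            non_ip += 1
            continue
        rest = m["rest"]
        q = QUERY_RE.match(rest)
        if q:
            name = q["qname"].rstrip(".")
            if q["qtype"] == "PTR" and name.endswith(ARPA_SUFFIX):
                # Reverse lookups of addresses in the capture are tcpdump's own
                # name resolution at work, not application traffic.
                ip = ptr_to_ip(name)
                if ipaddress.ip_address(ip).is_global:
                    reverse_public[ip] += 1
                else:
                    reverse_local += 1
            else:
                forward[name] += 1
        elif m["src"].endswith(".domain"):
            responses += 1
        else:
            # e.g. "NTPv4, Client, ..." -> "NTPv4"; "igmp query v2 ..." -> "igmp"
            other[rest.split()[0].rstrip(",")] += 1

    return {
        "forward": forward,
        "reverse_public": reverse_public,
        "reverse_local": reverse_local,
        "responses": responses,
        "other": other,
        "non_ip": non_ip,
    }


def print_report(summary):
    print("Forward lookups (what the host asked for):")
    for name, n in summary["forward"].most_common():
        print(f"  {n:3d}  {name}")
    print(f"Reverse lookups: {sum(summary['reverse_public'].values())} public, "
          f"{summary['reverse_local']} local (tcpdump name resolution)")
    print(f"DNS responses: {summary['responses']}")
    print("Other IP traffic:", dict(summary["other"]))
    print("Non-IP frames (ARP etc.):", summary["non_ip"])


if __name__ == "__main__":
    print_report(summarize(SAMPLE_LINES))
```

The forward-lookup list is the part worth reading: it names what software on the box asked for, but not which process asked. Re-running the capture as tcpdump -n removes the self-inflicted PTR noise, and pairing the capture with ss -tunp (or netstat -tunp) on the same host attributes the open sockets to processes, which is the step that tells a browser session apart from something that should not be there.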