[opensuse] what is this traffic on my eth0?

Hello, All of a sudden I had a lot of internet traffic (seen on gkrellm) but didn't have any internet application open... I logged out and in again, had less, but still have traffic (see below). I see google, blogger, linkedin, my own website, many more etc. How come? Is this something I should worry about? I don't have any idea about network etc., but maybe the listing below says something to somebody who has? Thanks for hints! Daniel
-- Daniel Bauer photographer Basel Barcelona professional photography: http://www.daniel-bauer.com google+: https://plus.google.com/109534388657020287386 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 07/05/2014 06:37 AM, Daniel Bauer wrote:
I don't have any idea about network etc., but maybe the listing below says something to somebody who has?
There's a lot of stuff there, but one thing stands out. The SSDP stuff is for multimedia multicasts. https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

On 05/07/14 06:37, Daniel Bauer wrote:
Well, there are many applications that do http requests in the background. It may be your browser, for example chrome/chromium will keep working in the background if you do not tell it to stop. Also, desktop applets might perform network activity.

(argh, sorry for pm...) On 05.07.2014 16:42, Cristian Rodríguez wrote:
I don't use chrome because it's connected to google, the most un-trustworthy organisation imaginable; "don't do nothing that's not evil"
Also, desktop applets might perform network activity.
But which one? I have not installed anything.... Daniel

Hi Daniel, (forgive the top-posting, I think it appropriate here)

I hate to even think it, but your computer "might" have been compromised. I had experience with this last month when I had an openSuSE 12.1 server rooted from China via Korea. I don't know what they were doing, but it had the net effect of launching a DOS against Google over port 53 (domain).

Take a look around at running processes using "top" and look for anything unusual, especially process names beginning with a ".". Also look in /etc/init.d for new/unusual entries. You might also find binaries in /boot that are used to restart the malware after booting. You might also see an edit of root's "history". I saw references to IptabLes and IptabLex. There's lots on Google about this, but no clear indication of the vulnerability. Here's one link: http://lowendtalk.com/discussion/28795/vps-got-hacked-with-iptables-iptablex

Feel free to post a top printout, we might be able to notice something. In my case, the malware was rather crude, which made it easy to detect. That may not always be the case. If compromised, you'll need to slick and reinstall your box, since it can never be fully trusted again.

For the record, my compromised box had only anonymous ftp (vsftp) and ssh listening publicly. I used sshguard to block ssh password guesses, but it looks like they got in by supplying the root password correctly. The dedicated host provider had just moved the box to a new data center and had reset the root password, possibly an easy one to guess? If that's not what happened, ssh or vsftp may have a zero-day remote root vulnerability in the wild? I decommissioned the server since I really don't need it at this time.

Regards, Lew

On 07/05/2014 03:37 AM, Daniel Bauer wrote:
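Lew's checklist above (dotted process names in top, new entries in /etc/init.d and /boot, a cleared root history) written out as a small script. This is an added example, not code from the thread or from any of its participants. It assumes a Linux /proc layout and the paths Lew names; the "baseline" listings it compares against are something the operator records on a known-good install, and none exist on this page. The pure functions carry the logic so they can be exercised offline; the collectors at the bottom read the live host.

```python
"""Host triage along the lines Lew describes (added example, not from the thread).

Assumes a Linux /proc layout and the locations Lew names: process names as
shown by top, /etc/init.d, /boot and root's shell history. The baselines are
assumed to have been recorded on a known-good system.
"""
import os
import time
from pathlib import Path


def dotted_process_names(names):
    """Command names that begin with '.', which Lew says to look for in top."""
    return sorted(n for n in names if n.startswith("."))


def new_entries(present, baseline):
    """Names in `present` that are absent from a known-good `baseline` listing."""
    return sorted(set(present) - set(baseline))


def recent_entries(mtimes, max_age_seconds, now):
    """Names whose mtime is within `max_age_seconds` of `now`; future mtimes count too.

    mtime is forgeable by anyone with root, so a hit is a lead, not proof.
    """
    return sorted(name for name, t in mtimes.items() if now - t <= max_age_seconds)


def history_looks_cleared(history_text, expect_at_least=1):
    """Weak signal for the edited root history Lew mentions: empty or unexpectedly short."""
    lines = [l for l in history_text.splitlines() if l.strip()]
    return len(lines) < expect_at_least


# --- live-system collectors; everything above is pure and testable offline ---

def running_process_names(proc="/proc"):
    """Command names from /proc/<pid>/comm (what top shows as COMMAND)."""
    names = []
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                names.append(Path(proc, entry, "comm").read_text().strip())
            except OSError:
                continue  # process exited between listdir and read
    return names


def list_dir(directory):
    """File names in `directory`, or [] if it does not exist."""
    d = Path(directory)
    return [p.name for p in d.iterdir()] if d.is_dir() else []


def dir_mtimes(directory):
    """{name: mtime} for `directory`, skipping entries that cannot be stat'ed."""
    d = Path(directory)
    out = {}
    if not d.is_dir():
        return out
    for p in d.iterdir():
        try:
            out[p.name] = p.stat().st_mtime
        except OSError:
            continue
    return out


def triage(init_baseline, boot_baseline, recent_window=7 * 86400):
    """Run every check against the live host and return the findings."""
    now = time.time()
    findings = {
        "dotted_processes": dotted_process_names(running_process_names()),
        "new_in_init_d": new_entries(list_dir("/etc/init.d"), init_baseline),
        "new_in_boot": new_entries(list_dir("/boot"), boot_baseline),
        "recent_in_boot": recent_entries(dir_mtimes("/boot"), recent_window, now),
        "root_history_cleared": None,  # stays None when unreadable (needs root)
    }
    try:
        findings["root_history_cleared"] = history_looks_cleared(
            Path("/root/.bash_history").read_text(errors="replace"))
    except OSError:
        pass
    return findings


if __name__ == "__main__":
    # With empty baselines every entry is reported; record real ones on a clean install.
    for key, value in triage(set(), set()).items():
        print(f"{key}: {value}")
```

Run it as root so /root/.bash_history and every /proc/<pid>/comm are readable. Each check is a hint rather than a verdict: a rootkit that hides from /proc or forges timestamps will pass all of them, which is why Lew's advice to reinstall once a compromise is confirmed still stands.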

* Lew Wolfgang <wolfgang@sweet-haven.com> [07-05-14 12:47]:
Hi Daniel,
(forgive the top-posting, I think it appropriate here)
Instead, why not *just* post your reply and delete the repeated/full-quote which is available to anyone who wishes to see it w/o you posting it again. Remember we still have members using metered/slow internet service, Carlos for one. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net

On 2014-07-05 18:53, Patrick Shanahan wrote:
True. The only excuse is when using a mobile app which makes it very difficult to control the post.
Remember we still have members using metered/slow internet service, Carlos for one.
Yes, but not always, fortunately :-) Nowadays, only when not at home and using tethering to my mobile phone. Probably on vacation days ;-) However, I'm not the only one on slow/limited Internet. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 07/05/2014 10:28 AM, Carlos E. R. wrote:
Hi Carlos, As long as we're discussing it, I generally agree with editing replies. But my experience with using email lists for coordinating operational teams, network security for one, is to top post, leaving the content below for reference as operationally needed. If you bottom-post and don't edit, the "meat" of the message can be difficult to find, but if you do edit, you can carve needed references, possibly then requiring searching through previous messages that might not even be available at that time. I considered that this message, as it relates to security, was important enough to top post. After all, it's not every day that we get what could be a remote-root ssh zero-day. Regards, Lew

Lew Wolfgang wrote:
I never saw people top-post routinely before the widespread use of MS Outhouse. Personally, I think top-posting impedes clear communication, because it completely discourages in-line comments among the lazy, who generally don't put much effort into communicating clearly to begin with.
network security for one, is to top post, leaving the content below for reference as operationally needed. If you bottom-post and don't edit,
That, I think is a special case. In general, I've yet to see anything outside of e-mail hold a convention of keeping records in reverse-chronological order, or that people are expected to review records in reverse chronological order.

Dirk Gently wrote:
I never saw people top-post routinely before the widespread use of MS Outhouse.
Coincidence w/GUI's for reading email. I'd still be using it if it reliably supported IMAP, but it didn't (broke the protocol, leaving IMAP server in deadlock on a per-connection basis). That killed off Outhouse from Office97 -- up to 2002 when they went to multiple connections/IMAP server -- which mostly hid the problem (wasn't certain it was fixed, but was already using other readers then). Thing is, when you display a message, a GUI displays the 1st page(30-40 lines), but line-oriented readers will leave the last 25 lines of the message on the screen. For short messages, on line-oriented readers, it was more common to display the whole message than to type in the necessary filter option to display the message a page-at-a-time. Thus if you put new content at the end, and it was <~25 lines, the person saw the new content and could reply to it w/o redisplaying the message through a "pager". Most people today display email on a GUI and TTY's are only emulated for console-related work. I don't know of ANY email reader that displays the last page of an email, by default, when you display it. This means that if the new content isn't on the first page, people have to move off of the message selection interface over to the reading interface to adjust it.
---- Au contraire! I favor top posting for short replies, but do inline comments as needed.
---- no more so than any professional field (doctors and lawyers, for example have always had top-posted charting). The earth is arranged with the most recent stuff at the top, archeologically speaking, and people's piles are organized the same way. Reading things from the last page first is consistent with the anachronistic TTY interface.
---- See doctors, lawyers -- professional fields where time is money... Also it's a natural order. The thing is, the mail being responded to is a *courtesy*, to allow those tuning in to go back if they want. The alternative to not posting inline, and not top-posting, is to not give any context. Some people illogically think that email is a book organized for their benefit. If you have read all the stuff before, you don't want to read it again. If you are new to the conversation, you shouldn't expect that the entire conversation will be included, or require that people waste their time skimming through old content looking for the start of new.
---- The meat isn't hard to find if it is the first thing they see (i.e. on top).

On 07/07/2014 03:53 PM, Carlos E. R. wrote:
Nope, but then if I forgot what this was all about, I'd have to fish through eleventy-hundred previous emails, some of which might be deleted by now. As Linda says, editing/bottom-posting is fine for casual conversations, but when you need to preserve context and references as concisely and reliably as possible, you top-post. What does a bottom posted thread look like when you have to print it out for archival purposes, after all? But be honest, how many times have you had to page down many times in order to see a one-lined bone-headed response in a bottom-posted missive? How many times have you started to page down and said to yourself, "Screw it, I've got better things to do!". I've done this many times myself... Please note that it is what it is, and if the custom here is to bottom post I'm personally fine with that. I still think my one exception was reasonable in that particular case. This top/bottom post religious war has been going on forever, let's let it die or bring it to offtopic? It might distract us from the incessant wars about same-sex marriage! Regards, Lew

On 07/07/2014 04:19 PM, Lew Wolfgang wrote:
What does a bottom posted thread look like when you have to print it out for archival purposes, after all?
Har! I just realized that I stepped on my own crank on that one! I concede that bottom-posting is better when hard-copy printouts are required. Regards, Lew

On 2014-07-08 01:19, Lew Wolfgang wrote:
On 07/07/2014 03:53 PM, Carlos E. R. wrote:
but when you need to preserve context and references as concisely and reliably as possible, you top-post.
But as it is a mail list, everything you send is resent possibly to thousands of people, so bytes count. And then, being a mail list, there is an archive, where we can all retrieve any post we wish, or read online, complete, any time.
Please note that it is what it is, and if the custom here is to bottom post I'm personally fine with that.
That's the whole point :-) Each mail list has its customs and rules (we have a link to them). When I post on any list, I try to adhere to the conventions there, no matter what I may think about them, or how different they are from what I'm used to or prefer. -- Cheers / Saludos, Carlos E. R.

Hey, On 08.07.2014 01:19, Lew Wolfgang wrote:
But when you need to preserve context and references as concisely and reliably as possible, you top-post.
Not on this list, you don't. As stated in the openSUSE Mailing List Etiquette[1]: Use bottom-posting or interleaved style to answer. End of discussion. Henne
[1] http://en.opensuse.org/openSUSE:Mailing_list_netiquette#Use_bottom-posting_o...
-- Henne Vogelsang, Mailinglist Admin http://www.opensuse.org

On 07/07/2014 07:19 PM, Lew Wolfgang pecked at the keyboard and wrote:
No, it is needed for technical discussions to keep everything in perspective.
Ah yes, hitting the PgDn key is so hard to do. This discussion has taken place many times on this list and I would venture a guess that it will come up many more times. But, the default for this list is interleaved or bottom posting and has been this way since I joined the list in 1998. Perhaps you can start your own list with the etiquette the way you want it. -- Ken Schneider SuSe since Version 5.2, June 1998

Ken Schneider - openSUSE wrote:
Ah yes, hitting the PgDn key is so hard to do.
If it comes down to having to hit a pagedn, I often skip the message unless it is a thread I'm following. If the 1st page doesn't catch my interest, not worth reading. I look at mail headers 1st, then look at the first page to see what they said. Usually people who have only quotes on the 1st page aren't worth reading.
--- And it was my grandpappy's default before that, and goes back to my first ancestors coming out of Africa... yup... Arguing historical precedent, in a community based on cutting edge software tech seems more than a bit ironic. No problem changing the way your system works to the point of it not working, but dealing with top posting?... frothing at the mouth... geez. Truly, that puzzles me.

Hey, On 09.07.2014 03:07, Linda Walsh wrote:
More top-post rant
What about "End of discussion" didn't you guys understand? Do I really need to block each and every thread? Henne

Henne Vogelsang wrote:
Maybe they didn't read your post? -- Per Jessen, Zürich (13.4°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.

On 07/08/2014 09:07 PM, Linda Walsh wrote:
Yes, I can understand that, but its not an issue of 'top posting' so much as an issue of people not trimming back the post they are replying to and only commenting on the relevant parts. We really, really don't need the full history of the thread. And kudos to you for being a good practitioner in this respect. -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \

On 07/07/2014 06:53 PM, Carlos E. R. wrote:
Did you have to page down to see this reply?
I had to roll back a lot of paper. ;-)

On 05.07.2014 18:46, Lew Wolfgang wrote:
... I'll have a look at the details tomorrow and, quite sure, come up with more questions... Daniel

Daniel Bauer wrote:
Filter your dump of known traffic... then get rid of variable info. This is your dump w/o the DNS and duplicates filtered:

ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length
IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
----------
Nothing looks like a hack in this... I see NTP (time), kernel does ARP, routing, service discovery protocol. Nothing indicates a hack, IMO... The DNS lookups could be from tcpdump resolving names it sees or a webpage loading... did you have a browser active? That's all normal traffic, IMO...
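The sorting Linda does by hand above, as an added example in Python (not code from the thread or from anyone in it): label each tcpdump summary line by protocol, count the labels, and list whatever falls outside the set she identified as normal LAN chatter (ARP, IGMP, RIPv2 from the router, SSDP, and the NTP client Daniel had running). The first seven sample lines are her filtered dump; the DNS line and the outbound TCP SYN are constructed here to show what gets reported, and 203.0.113.9 is a documentation-range placeholder. DNS is deliberately not in the expected set, because on Daniel's box something resolving names is exactly what needs explaining.

```python
"""Classify tcpdump summary lines and report what is not accounted for.

Added example, not from the thread. The first seven lines of SAMPLE are
Linda's filtered dump (she stripped the SSDP length); the DNS and TCP lines
are constructed, with 203.0.113.9 as a documentation-range placeholder.
"""
import re
import sys
from collections import Counter

SAMPLE = """\
ARP, Reply 192.168.1.1 is-at 00:02:cf:56:7c:a0 (oui Unknown), length 46
ARP, Request who-has 192.168.1.1 tell 192.168.1.36, length 28
IP 192.168.1.1 > all-systems.mcast.net: igmp query v2 [max resp time 5]
IP 192.168.1.1.router > 192.168.1.255.router: RIPv2, Response, length: 64
IP 192.168.1.1.ssdp > 239.255.255.250.ssdp: UDP, length
IP 192.168.1.36.ntp > guti.uc3m.es.ntp: NTPv4, Client, length 48
IP guti.uc3m.es.ntp > 192.168.1.36.ntp: NTPv4, Server, length 48
IP 192.168.1.36.40123 > 192.168.1.1.domain: 12345+ A? www.example.org. (33)
IP 192.168.1.36.51234 > 203.0.113.9.443: Flags [S], seq 1, win 29200, length 0
"""

# Ordered (label, pattern); first match wins. Patterns follow tcpdump's default
# output with service names resolved (.ntp, .ssdp, .domain); -nn prints numbers.
RULES = [
    ("arp",     re.compile(r"^ARP, ")),
    ("igmp",    re.compile(r": igmp ")),
    ("ripv2",   re.compile(r": RIPv2, ")),
    ("ssdp",    re.compile(r"\.(ssdp|1900) > 239\.255\.255\.250\.(ssdp|1900):")),
    ("ntp",     re.compile(r": NTPv\d, (Client|Server), ")),
    ("dns",     re.compile(r"\.(domain|53): \d+")),  # query/response lines start with the txn id
    ("tcp-syn", re.compile(r": Flags \[S\], ")),     # a TCP connection being set up
]

# Normal for this LAN per Linda: router chatter plus Daniel's NTP client.
# DNS is left out on purpose so that name lookups are listed for explanation.
EXPECTED = {"arp", "igmp", "ripv2", "ssdp", "ntp"}


def classify(line):
    """Label one tcpdump summary line; 'unknown' if no rule matches."""
    for label, rx in RULES:
        if rx.search(line):
            return label
    return "unknown"


def triage(text, expected=EXPECTED):
    """Return (Counter of labels, [(label, line)] for lines outside `expected`)."""
    counts = Counter()
    unexplained = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label = classify(line)
        counts[label] += 1
        if label not in expected:
            unexplained.append((label, line))
    return counts, unexplained


if __name__ == "__main__":
    # Pipe `tcpdump -l -i eth0` or a saved dump in; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    counts, unexplained = triage(text)
    for label, n in counts.most_common():
        print(f"{n:6d}  {label}")
    print("\nstill to explain:")
    for label, line in unexplained:
        print(f"  [{label}] {line}")
```

The expected set is the whole judgement call: on a LAN with no UPnP devices SSDP would belong on the "explain this" side, and NTP is only expected when the server matches the one configured in /etc/ntp.conf. Anything reported as tcp-syn from the local address is the interesting part, since a connection setup always has an owning process on the sending host.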

On 07.07.2014 04:02, Linda Walsh wrote:
Hi Linda and everybody :-) I searched my system, read the mentioned blogs, installed and ran rkhunter, and as much as I can see: nothing not normal... I was wondering because at the moment I took the tcpdump list, there was - except ntp - nothing open that should connect to internet (and I checked in the process-list (ctrl-esc) that no browser, email, radio, skype or torrent program was running. Still I saw gkrellm showing eth0 traffic and the mentioned list resulted from tcpdump... So after reading the answers here I am not very worried anymore, but I'll keep an eye on it and use lsof -iTCP etc. to see what happens. In case I detect something that makes me feel insecure I'll post to a new thread... Thanks everybody for having a look at my problem :-) Daniel
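Daniel's next step is to find which process owns a connection with `lsof -iTCP`. The script below does that job straight from /proc, so it also works on a minimal box without lsof. This is an added example, not code from the thread; it assumes Linux and a little-endian (x86) host, since the kernel prints addresses in /proc/net/tcp as native-order hex and they appear byte-reversed there. The /proc/net/tcp excerpt is constructed for illustration (a local listener on port 631 and one established session to the placeholder address 203.0.113.9); the inode-to-pid mapping for the test is likewise made up, and reading other users' /proc/<pid>/fd needs root.

```python
"""Attribute TCP sockets to processes from /proc (added example, not from the thread).

Equivalent of `lsof -iTCP`. Assumes Linux and a little-endian host (the kernel
prints /proc/net/tcp addresses as native-order hex, so bytes appear reversed).
SAMPLE_PROC_NET_TCP is constructed for illustration.
"""
import os
import socket
import struct
from pathlib import Path

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 2401A8C0:C8A6 097100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hexaddr):
    """'0100007F:0277' -> ('127.0.0.1', 631). Little-endian host layout assumed."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),  # joins to the socket:[inode] links under /proc/<pid>/fd
        })
    return rows


def inode_to_pid(proc="/proc"):
    """{socket inode: pid} from every readable /proc/<pid>/fd/* symlink."""
    mapping = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            fds = list(Path(proc, pid, "fd").iterdir())
        except OSError:
            continue  # other users' processes are unreadable without root
        for fd in fds:
            try:
                target = os.readlink(fd)
            except OSError:
                continue
            if target.startswith("socket:["):
                mapping[int(target[8:-1])] = int(pid)
    return mapping


def read_comm(pid, proc="/proc"):
    """Command name of `pid`, or None if it is gone or unreadable."""
    try:
        return Path(proc, str(pid), "comm").read_text().strip()
    except OSError:
        return None


def attribute(rows, inode_map, comm_of=read_comm):
    """Attach pid and command name to each socket row (None when no owner is visible)."""
    out = []
    for r in rows:
        pid = inode_map.get(r["inode"])
        out.append({**r, "pid": pid, "comm": comm_of(pid) if pid is not None else None})
    return out


if __name__ == "__main__":
    # Live run over IPv4 sockets; /proc/net/tcp6 has the same layout with 128-bit addresses.
    rows = parse_proc_net_tcp(Path("/proc/net/tcp").read_text())
    for s in attribute(rows, inode_to_pid()):
        print(f"{s['local'][0]}:{s['local'][1]} -> {s['remote'][0]}:{s['remote'][1]} "
              f"{s['state']:12} uid={s['uid']} pid={s['pid']} {s['comm'] or '?'}")
```

A socket with no visible owner when run as root is worth a second look: either the process exited between the two reads, or something is hiding its file descriptors, which is the case where Lew's reinstall advice applies.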

participants (13): Anton Aylward, Carlos E. R., Cristian Rodríguez, Daniel Bauer, Dirk Gently, Florian Gleixner, Henne Vogelsang, James Knott, Ken Schneider - openSUSE, Lew Wolfgang, Linda Walsh, Patrick Shanahan, Per Jessen