
I fear that I'm under a linux botnet takeover.

sudo netstat -antpv with all browsers closed, besides other results, returns this:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.100:48090     216.58.197.67:443       TIME_WAIT   -               
tcp        0      0 192.168.0.100:49130     216.58.197.68:443       TIME_WAIT   -               
tcp        0      0 192.168.0.100:47830     74.125.200.190:443      TIME_WAIT   -               
tcp        0      0 192.168.0.100:33494     216.58.197.81:443       TIME_WAIT   -               
tcp        0      0 192.168.0.100:42121     216.58.220.42:443       TIME_WAIT   -               
tcp        0      0 192.168.0.100:33497     216.58.197.81:443       TIME_WAIT   -               
tcp        0      0 192.168.0.100:40590     198.41.215.68:443       TIME_WAIT   -               

These ip addresses keep changing. These addresses belong to

http://104.244.43.39.ipaddress.com (twitter)

http://54.192.159.56.ipaddress.com (cloudfront/amazon)

http://216.58.197.67.ipaddress.com (google) (Same for the rest of the ips in this series)

http://74.125.200.190.ipaddress.com (google)

http://198.41.215.68.ipaddress.com (cloudflare)

So here are my questions:

1) Am I reading this right? Assuming so-

2) How do I determine the processes that are doing this?

3) How do I safeguard myself? Are there any good linux antivirus solutions?

4) What's happening? I can understand twitter spamming, but what about google? Are they clicking on google links for SEO?

5) How do I get rid of them pronto?

1 Answer

1) Am I reading this right?

All the connections which you show us are already closed.

If you used a web browser (and visited a webpage with the twitter-link icon in it) then this seems perfectly normal.

That is not to say that you could not be infected somehow, but TIME_WAIT is a state where we once had a link but it is already closed and in the process of being cleaned up.

Closing a TCP connection looks like this (simplified):

[Diagram: TIME_WAIT closing sequence]

2) How do I determine the processes that are doing this?

At the moment these processes are already gone. Try monitoring to find one which is ESTABLISHED, then try to find out which app is using that connection. I got a feeling that this will be your browser.

3) How do I safeguard myself? Are there any good linux antivirus solutions?

Standard solutions: Do not run as root. Do use common sense when clicking on items, do keep your OS and applications up to date.

4) What's happening? I can understand twitter spamming, but what about google? Are they clicking on google links for SEO?

On windows I noticed the same when firefox was adding suggestions to my searches. Lots of active links to google. Not just the webpage. And if I visit a webpage with a link to facebook or twitter that can also open a connection to their site. (Even if innocent, if it only downloads the twitter logo from twitter's site.)

As for Cloudflare: they are a Content Delivery Network (CDN). Almost anything could trigger those, including google and twitter.

5) How do I get rid of them pronto?

Reboot.

Log in (non graphical) and check that there are no connections.
Next start your graphical environment (and possibly auto starting applications). Check again. Fire up your favourite programs, one by one. Check again after each, ...

  • I'm usually very careful about not using root. What you're saying all makes sense, thanks a lot. When I run as non-GUI, I don't have these. I doubt I'll get a better answer but I'm going to wait before selecting this as the answer.
    – 0fnt
    Commented Jul 5, 2016 at 11:09
  • That is the way it should be done. Accepting too quickly is not best.
    – Hennes
    Commented Jul 5, 2016 at 11:09
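The "check again after each program" step from the answer, as an added helper script (not part of the original answer): it filters `netstat -antp` style output down to connections that are still open (ESTABLISHED) together with the owning process, since TIME_WAIT rows are already closed and carry no PID. The `SAMPLE` below is constructed test input, not output from the asker's machine.

```shell
#!/bin/sh
# Added example: list only open (ESTABLISHED) TCP connections and the
# process that owns each one, so the check can be repeated after starting
# every program. TIME_WAIT rows are closed connections and are skipped.

# Constructed sample in `netstat -antp` layout, used to run this offline.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.100:48090     216.58.197.67:443       TIME_WAIT   -
tcp        0      0 192.168.0.100:51234     198.41.215.68:443       ESTABLISHED 1234/firefox
tcp        0      0 192.168.0.100:51235     216.58.197.81:443       ESTABLISHED 1234/firefox
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      567/sshd'

# established_conns: read netstat -antp output on stdin and print each
# ESTABLISHED row as "<foreign address> <pid/program>". Matches tcp and tcp6.
established_conns() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { print $5, $7 }'
}

# count_established: number of open connections in the stdin snapshot.
count_established() {
    established_conns | wc -l | tr -d ' '
}

# programs_with_connections: distinct PID/program names holding an open
# connection; a "-" here means netstat could not see the owner (run as root).
programs_with_connections() {
    established_conns | awk '{ print $2 }' | sort -u
}

# live_check: take a snapshot of the running system. Needs root to map
# other users' sockets to PIDs. Run once after each program you start.
live_check() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -antp 2>/dev/null | established_conns
    else
        # Fallback for systems without net-tools: ss prints open sockets
        # with their owning process directly.
        ss -tnp state established 2>/dev/null
    fi
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | established_conns
```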
