0

I have Fedora 12 Linux on my laptop with all the latest security updates installed. But when I open Wireshark and view only DNS requests (by adding a dns filter), I notice that my laptop keeps doing DNS requests to random sites. I have observed this even after closing all applications (browser, torrent clients etc.).

Is this some kind of worm or virus? :( How do I find out which process is sending these DNS requests? Strangely enough, only some of the sites that are being queried for DNS are ones I have visited. The other sites I haven't even heard of before.

I tried running lsof -nl | grep udp in a loop inside a script. This always results in no output.

Thanks,
-Keshav

2
  • 1
    What are some of the sites? Commented Dec 6, 2009 at 4:17
  • Some of the sites are www.google.com, howtogeek.com, safebrowsing-cache.google.com etc. I just got these fresh from the Wireshark output. Commented Dec 6, 2009 at 4:24

4 Answers

0

The sites you don't think you visited could possibly just be nameservers of sites that you did. For example, Superuser is actually located in the http://www.peak.org datacenter on a VLAN. These mystery requests could also be services in the background, such as your system querying the internet time server, rather than obvious programs like your torrent client.

3
  • Hi John, ajax.googleapis.com, www.gravatar.com and ftp.hostrino.com would seldom be requested by background daemons, is what I feel. The above sites were queried for DNS when my browser was closed! Commented Dec 6, 2009 at 4:46
  • Well, the first 2 are probably from visiting superuser. Possibly just keepalive packets being sent until the timeout is reached.
    – user1931
    Commented Dec 6, 2009 at 5:12
  • Hmm, I cleared the full browser cache, closed the browser and tried again with Wireshark. It queried for www.neogaf.com, ajax.googleapis.com etc. again (when the browser was closed). Commented Dec 6, 2009 at 5:13
1

Some notes.

  1. All the names you refer to in your comments appear to be
     things that would be either related to your browser or Fedora update processes.
  2. When you run Wireshark on a silent Fedora installation,
     it would help to keep an open capture filter to get all packets.
     This will tell you what happens with a site after the DNS lookup.
     That latter part will have really useful information.
     If there is malware involved, the DNS lookup will be the least suspicious packets.
  3. In general (and I am probably sticking my neck out on this one),
     it is not likely you have some form of root-kit hitting your Fedora,
     and you should find reasonable answers based on the above two points.
     Then, it would be appropriate to:
     • remove the worm and virus tags from your question -- once you are confident this is not the case. At least consider clarifying your case-after-investigations in your question.
     • add notes in your question describing what exactly was happening on your Fedora.

Updating with your results would help people reaching this question in future.

3
  • Hi Nik, good suggestion to inspect what happens after the DNS query. I will check that and update. Thanks! Commented Dec 6, 2009 at 16:40
  • Well, turns out that it does just the DNS request and gets the response back. There are no suspicious packets after that! Commented Dec 7, 2009 at 11:53
  • I'm not sure what you think makes a packet suspicious, but if you're seeing these DNS requests when you're certain you have no browser window open, try capturing connections to port 80 (and SYN packets to port 443 - those are HTTPS, so no point getting the payload, it's encrypted anyway, but figure out who's talking).
    – Gabe
    Commented Nov 29, 2013 at 16:08
0

You can try to use ltrace to capture DNS API calls such as gethostbyname() and getaddrinfo() in any running program.

[root@fc8 tmp]# ltrace -e getaddrinfo -f -tt wget http://www.google.com
--07:30:31--  http://www.google.com/
           => `index.html'
Resolving www.google.com... 07:30:31.415398 getaddrinfo("www.google.com", NULL, 0xbfd5e120, 0xbfd5e154) = 0
72.14.213.106, 72.14.213.105, 72.14.213.103, ...
Connecting to www.google.com|72.14.213.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                                     ] 5,640         --.--K/s

07:30:31 (216.90 KB/s) - `index.html' saved [5640]

You can attach ltrace to a running program with the -p pid option.

If you are really in the CSI/Perry Mason/Sherlock Holmes mood, you can try to write a shim library to globally replace the DNS APIs and log who and what everyone is doing. Use Modifying a Dynamic Library Without Changing the Source Code as an example.

Please let us know what you find.
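
The shim library suggested in the answer above, and the per-process attribution the question's lsof loop could not get (lsof prints the socket type as UDP in upper case, and a resolver's UDP socket is usually closed within milliseconds anyway), as an added example that is not from the linked article or from any answer here: a C LD_PRELOAD wrapper that logs every getaddrinfo()/gethostbyname() call with the caller's pid and program name. It assumes Linux with glibc; the file name dnsshim.c and the helpers shim_last_name and log_lookup are the example's own.

```c
// dnsshim.c: LD_PRELOAD shim that logs every getaddrinfo()/gethostbyname() call to stderr
// Build: gcc -shared -fPIC -o dnsshim.so dnsshim.c -ldl   Use: LD_PRELOAD=./dnsshim.so wget http://www.google.com
#define _GNU_SOURCE            /* for RTLD_NEXT */
#include <dlfcn.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc/musl value, in case _GNU_SOURCE came too late */
#endif
typedef int (*getaddrinfo_fn)(const char *, const char *,
                              const struct addrinfo *, struct addrinfo **);
typedef struct hostent *(*gethostbyname_fn)(const char *);
static char last_name[256];   /* most recent name looked up in this process */
const char *shim_last_name(void) { return last_name; }

/* Record who asked for what: time, pid, program name (from /proc), API, hostname. */
static void log_lookup(const char *api, const char *name)
{
    char comm[64] = "?";
    FILE *f = fopen("/proc/self/comm", "r");
    if (f) {
        if (fgets(comm, sizeof comm, f))
            comm[strcspn(comm, "\n")] = '\0';
        fclose(f);
    }
    snprintf(last_name, sizeof last_name, "%s", name ? name : "(null)");
    fprintf(stderr, "[dnsshim] %ld pid=%d comm=%s %s(\"%s\")\n",
            (long) time(NULL), (int) getpid(), comm, api, last_name);
}

/* Same signature as libc's getaddrinfo(): log, then hand off to the real one. */
int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res)
{
    static getaddrinfo_fn real;
    if (!real) real = (getaddrinfo_fn) dlsym(RTLD_NEXT, "getaddrinfo");
    log_lookup("getaddrinfo", node);
    return real(node, service, hints, res);
}

/* Older programs still use gethostbyname(); wrap it the same way. */
struct hostent *gethostbyname(const char *name)
{
    static gethostbyname_fn real;
    if (!real) real = (gethostbyname_fn) dlsym(RTLD_NEXT, "gethostbyname");
    log_lookup("gethostbyname", name);
    return real(name);
}
```

Listing the library's path in /etc/ld.so.preload covers every dynamically linked process on the box, which is what the question needs. Statically linked programs, and anything that builds its own UDP packets to port 53 instead of going through libc, never call these functions and will not be logged, so the full Wireshark capture remains the ground truth to compare the log against.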

0

Switch all your nameservers to OpenDNS (208.67.222.222 and 208.67.220.220) or Google (8.8.8.8 and 8.8.4.4), because then you can be alerted if any of your DNS requests are for known malware and phishing sites. I recommend OpenDNS over Google because it has very fine-grained control over categories of websites. You can block all DNS queries to .ru and .cn but then whitelist legitimate ones.

netstat can tell you what the current connections are and which processes have those connections open. Memorize this command (t=tcp, u=udp, n=numerical, a=all, p=processes): netstat -tunap

Firewall activity: iptstate

host peak.org, whois peak.org; robtex.com is awesome for analyzing networks.
