Thread: Odd network traffic immediately after install

  1. #1
    Join Date
    Jul 2009
    Beans
    3

    Odd network traffic immediately after install

    I recently installed Ubuntu 12.04 on my system over CentOS 5.7.

    I later received a report from shadowserver.org that the system had accessed irc.undernet.org (IP 208.83.20.130 ) basically at the time the install likely finished. That IP is some system in Tampa, Florida, USA that seems well known on the internet to be malicious.

    At this point, there were no user accounts on the computer other than mine (which had just been created), though files from the earlier system persisted.

    I have no idea when or how my system could have been compromised. I've even seen that IP show up on these forums ( http://ubuntuforums.org/showthread.p...=208.83.20.130 )

    I hate to suggest this, but is it possible that the image I used to install had code in it to access this IRC server? I only ask because it happened so soon after (minutes) the install.

  2. #2
    Join Date
    Oct 2011
    Location
    ZZ9 Plural Z Alpha
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Odd network traffic immediately after install

    Did you check the iso md5sum? If they don't match up, that's a dead giveaway.

  3. #3
    Join Date
    Jul 2009
    Beans
    3

    Re: Odd network traffic immediately after install

    I confess I didn't... I don't have the original .img file I used anymore though.

    I downloaded it from the Ubuntu site (not sure what mirror) and just assumed it'd be fine.

    Would I be able to check from the USB stick I burned the image onto?

  4. #4
    Join Date
    Oct 2011
    Location
    ZZ9 Plural Z Alpha
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Odd network traffic immediately after install

    Quote Originally Posted by khea_actua:
        I confess I didn't... I don't have the original .img file I used anymore though.

        I downloaded it from the Ubuntu site (not sure what mirror) and just assumed it'd be fine.

        Would I be able to check from the USB stick I burned the image onto?

    Not that I know of. How hard would it be to download a new ISO (and check it) and reinstall? That may be your best option.

  5. #5
    Join Date
    Jul 2009
    Beans
    3

    Re: Odd network traffic immediately after install

    It'd be easy. I'll do that now. Just... If I did happen to download a compromised ubuntu iso off of some mirror, what are the odds that I'd download the same one?

  6. #6
    Join Date
    Oct 2011
    Location
    ZZ9 Plural Z Alpha
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Odd network traffic immediately after install

    Quote Originally Posted by khea_actua:
        It'd be easy. I'll do that now. Just... If I did happen to download a compromised ubuntu iso off of some mirror, what are the odds that I'd download the same one?

    Don't know the odds, but you can be absolutely sure it's not corrupt by checking the md5sum. You can check that in any OS including Windows.
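    The checksum comparison discussed in the two replies above, written out as an added example (not code from this thread or from Ubuntu). It assumes an Ubuntu-style MD5SUMS file ("<md5hex> *<filename>" per line) downloaded from releases.ubuntu.com, and, for the question about checking the USB stick directly, that the stick was written with dd, so its first image-size bytes are exactly the image that was flashed.

    ```shell
    #!/bin/sh
    # Verify an installer image against an Ubuntu-style MD5SUMS file.
    # Usage: verify_image MD5SUMS ubuntu-12.04-desktop-amd64.iso [/dev/sdX]
    # Exit codes: 0 = match, 1 = MISMATCH, 2 = image name not listed in MD5SUMS.

    # MD5 of the first $2 bytes of $1. On a dd-written USB stick (assumed
    # here) those bytes are the image itself; the rest is leftover flash.
    md5_prefix() {
        head -c "$2" "$1" | md5sum | cut -d' ' -f1
    }

    verify_image() {
        sums="$1"; image="$2"; device="${3:-}"
        name=$(basename "$image")
        # Expected hash: the MD5SUMS entry whose file name matches ours
        # (a leading '*' in the file name only marks binary mode).
        expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
        if [ -z "$expected" ]; then
            echo "$name: not listed in $sums" >&2
            return 2
        fi
        size=$(wc -c < "$image")
        if [ -n "$device" ]; then
            actual=$(md5_prefix "$device" "$size")   # what was actually written to the stick
        else
            actual=$(md5_prefix "$image" "$size")    # the downloaded file itself
        fi
        if [ "$actual" = "$expected" ]; then
            echo "$name: OK ($actual)"
            return 0
        fi
        echo "$name: MISMATCH expected $expected got $actual" >&2
        return 1
    }
    ```

    A mismatch only tells you the image differs from what the mirror's MD5SUMS lists, so fetch MD5SUMS and its detached signature from the release server and check that signature first; otherwise a tampered mirror could serve a matching MD5SUMS alongside a tampered image.
    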

  7. #7
    Join Date
    Nov 2007
    Location
    Wisconsin
    Beans
    1,139

    Re: Odd network traffic immediately after install

    It seems easy enough to test if an install image has been compromised. Install into a VM, and let the host's firewall log any packets to/from that address.

    If a test of this sort returns positive, please file a bug in Launchpad and add the Ubuntu Security Team to the bug.
    Last edited by Cheesehead; August 4th, 2012 at 01:00 PM.
