Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Is this a virus/trojan ?

  1. #1
    Join Date
    Dec 2005
    Beans
    792
    Distro
    Kubuntu 13.10 Saucy Salamander

    Is this a virus/trojan ?

    Have noticed the router logs for this computer trying to access various ports, like ..

    192.168.1.101:46597 > 199.101.28.130:139 S Seq=-422340680, Ack=0 -Default Defense

    192.168.1.101:55075 > 199.101.28.130:445, S Seq=-1339368640, Ack=0 -Default Defense

    what would be running on Kubuntu that is trying to access those ports ?

  2. #2
    Join Date
    Jan 2010
    Location
    Auckland, New Zealand
    Beans
    87
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Is this a virus/trojan ?

    That sounds like samba. This page explains the use of ports 137, 138, 139 and 445 quite well:

    http://wiki.centos.org/HowTos/SetUpSamba
    Last edited by Sazhen86; January 26th, 2013 at 11:09 AM. Reason: Added link

  3. #3
    Join Date
    Dec 2005
    Beans
    792
    Distro
    Kubuntu 13.10 Saucy Salamander

    Re: Is this a virus/trojan ?

    Quote Originally Posted by Sazhen86 View Post
    That sounds like samba. This page explains the use of ports 137, 138, 139 and 445 quite well:
    Okay thanks. I haven't installed samba package, but I was trying to access another computer on the LAN at the time, so the IP address of the destination should have been ..

    192.168.1.100:139

    but it was ..

    199.101.28.130:139

    which is a Bigpond address, strange. There are 'bit' of samba installed by default, for example.

    samba-common
    samba-common-bin
    libwbclient0
    smbclient
    libsmbclient
    kdenetwork-filesharing

  4. #4
    Join Date
    Jan 2010
    Location
    Auckland, New Zealand
    Beans
    87
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Is this a virus/trojan ?

    Sorry, I noticed the ports rather than the addresses. It would be useful to know what executable is making that connection , or at least trying to make it. Perhaps 'lsof" could be of help here. I'm not sure if there's a way to get the firewall to log the executable, perhaps someone else knows.

  5. #5
    Join Date
    Dec 2005
    Beans
    792
    Distro
    Kubuntu 13.10 Saucy Salamander

    Re: Is this a virus/trojan ?

    Quote Originally Posted by Sazhen86 View Post
    Sorry, I noticed the ports rather than the addresses.
    The IP address resolves to http://www.bigpondsitehelp.com/ , and BigPond is the ISP I use. But there was nothing in the router logs this morning for that IP. Then , I tried to access the Win XP computer from Ubuntu, by using Dolphin's location bar. Then that same IP started up, ports 139 and 445.

    Quote Originally Posted by Sazhen86 View Post
    It would be useful to know what executable is making that connection , or at least trying to make it. Perhaps 'lsof" could be of help here. I'm not sure if there's a way to get the firewall to log the executable, perhaps someone else knows.
    The router logs don't provide that level of detail. I know some windows firewall logs often have that type of details though. I ran "lsof", output was huge, nothing to tell me what was causing the request out to that IP/port.

  6. #6
    Join Date
    Jan 2010
    Location
    Auckland, New Zealand
    Beans
    87
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Is this a virus/trojan ?

    Do you have the samba nmbd process running? This is the discovery process for samba and will cause broadcasts to be sent.

  7. #7
    Join Date
    Dec 2005
    Beans
    792
    Distro
    Kubuntu 13.10 Saucy Salamander

    Re: Is this a virus/trojan ?

    Nothing under the name of samba in the processes. There is

    kio-smb
    gvfsd-smb
    gvfsd-smb-browse

    Post about ports 139 and 445
    Last edited by oygle; January 28th, 2013 at 06:29 AM. Reason: add info about other post

  8. #8
    Join Date
    Jan 2010
    Location
    Auckland, New Zealand
    Beans
    87
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Is this a virus/trojan ?

    The clue seems to be that you tried to access the XP computer when this happened. You could run wireshark with a filter set to the bigpond IP and ports 445 and 139. That will allow you to see the traffic being sent and should allow you to pipe the output of lsof to grep and look for the strings "netbios" and "microsoft". That may allow you to catch whatever executable is making the connection.

  9. #9
    Join Date
    Dec 2005
    Beans
    792
    Distro
    Kubuntu 13.10 Saucy Salamander

    Re: Is this a virus/trojan ?

    Thanks, I have installed WireShark. However, when I ran it, no interfaces were showing. Possibly it has to be run as "sudo" to get the interfaces ??

    Anyway, read a bit on their site, and came across a utility called dumpcap, which is already installed under Kubuntu. Used one of their examples ..

    Code:
    $ sudo dumpcap -i eth0 -a duration:60 -w Documents/output.pcap
    and then browsed the XP share whilst that was running. Then opened that file under WireShark. There were lots of entries, but none for that BigPond IP address. So, I'm thinking that I have the wrong interface ??

    Oygle

  10. #10
    Join Date
    Aug 2010
    Beans
    107
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Is this a virus/trojan ?

    Yes, Wireshark from normal user account doesn't show interfaces because it doesn't have permissions to access them. Running it as root seems like workaround (it works, but since it's GUI network app, it's not recommended to run it as root, because if one app gets exploited, entire system is compromised). Wireshark is split in two parts - Wireshark (GUI frontend) and dumpcap (core) - if properly configured, it allows to run GUI as non-root and dumpcap as root to reduce security risks:

    http://wiki.wireshark.org/CaptureSet...turePrivileges

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •