
Thread: Virus in ubuntu

  1. #71
    Join Date
    Feb 2007
    Location
    /home/paris
    Beans
    690
    Distro
    Lubuntu 12.10 Quantal Quetzal

    Re: Virus in ubuntu

    Hi all,

    Just adding my few pennies' worth of info.

    I had a lot of issues in one location I used to be at, and I got into a lot of network monitoring stuff.

    The 2 things I found most useful were nmap and traceroute; below are sample outputs for my machine.

    Code:
    ~$ nmap 127.0.0.1
    
    Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-09 21:40 CET
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0013s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    631/tcp  open  ipp
    3306/tcp open  mysql
    9090/tcp open  zeus-admin
    
    Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

    As you can see, it lists any services with their open ports.
    You should try this on the remote IP that is / was sending you data, it may be interesting.
    You don't want to do this too often to a single site, as it is also something hackers do, and can result in getting your IP blacklisted, as it pulls a lot of resources off of the terminal you are mapping.

    A traceroute to Google is always interesting...
    Code:
    ~$ traceroute www.google.com
    traceroute to www.google.com (173.194.40.210), 30 hops max, 60 byte packets
     1  xxx.xxx.x.x (xxx.xxx.x.x)  2.064 ms  2.750 ms  2.666 ms
     2  xxx.xxx.x.x (xxx.xxx.x.x)  10.011 ms  14.395 ms  15.085 ms
     3  mrs1rj-ae0.100.numericable.net (80.236.6.22)  14.917 ms  14.792 ms  14.702 ms
     4  ip-214.net-80-236-0.static.numericable.fr (80.236.0.214)  14.658 ms  14.624 ms  14.529 ms
     5  ip-209.net-80-236-0.static.numericable.fr (80.236.0.209)  16.673 ms  16.566 ms  16.405 ms
     6  * 172.19.128.170 (172.19.128.170)  13.286 ms  10.916 ms
     7  ip-161.net-80-236-1.static.numericable.fr (80.236.1.161)  10.101 ms  10.734 ms  13.521 ms
     8  72.14.239.205 (72.14.239.205)  42.388 ms  22.008 ms  21.993 ms
     9  209.85.243.51 (209.85.243.51)  14.360 ms  14.329 ms  14.291 ms
    10  par10s12-in-f18.1e100.net (173.194.40.210)  14.057 ms  20.304 ms  21.372 ms

    It may be interesting to see where the IP address that is being connected to is passing through.
    Reputable ISPs aren't keen to have 'rogue' or 'hacker' IP addresses connecting via them, so they may be equally interested in getting this IP address blacklisted.

    Good luck with your security searches, and with Ubuntu (or for you apparently K).

    David
    Eee pc via Wubi install.
    everything works straight out of the box

    My Launchpad page

  2. #72
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Virus in ubuntu

    +1 for using nmap, although to get the proper result, it should be run from another system on your internal network, as you will get different results from when run from localhost.

    I prefer mtr over traceroute, see the screenshot, it's less to type.
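
Why a scan of 127.0.0.1 and a scan from another machine can disagree, as an added example that is not part of any post in this thread: it sorts listening sockets by bind address. The `ss -tln` sample is constructed (port numbers taken from the nmap output in post #71, bind addresses assumed), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the format of `ss -tln`; not output from any poster's machine.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
LISTEN 0      50         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128                *:9090             *:*
LISTEN 0      5              [::1]:631           [::]:*
"""

def classify_listeners(ss_output):
    """Map each listening TCP port to 'loopback-only' or 'network'."""
    result = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # service names appear when ss is run without -n
        host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # "*" wildcard or unknown form: assume it is exposed
        scope = "loopback-only" if loopback else "network"
        # A single non-loopback bind makes the port reachable from other hosts.
        if result.get(int(port)) != "network":
            result[int(port)] = scope
    return result

def loopback_only_ports(ss_output):
    """Ports reachable only from the machine itself."""
    return sorted(p for p, s in classify_listeners(ss_output).items()
                  if s == "loopback-only")

def network_ports(ss_output):
    """Ports another host could reach, before any firewall is considered."""
    return sorted(p for p, s in classify_listeners(ss_output).items()
                  if s == "network")

if __name__ == "__main__":
    print("loopback-only:", loopback_only_ports(SAMPLE_SS))
    print("network:      ", network_ports(SAMPLE_SS))
```

Ports in the loopback-only list are the ones a scan run from another system on the network will not show.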

  3. #73
    Join Date
    Aug 2006
    Location
    Colorado: USA
    Beans
    184
    Distro
    Xubuntu

    Re: Virus in ubuntu

    Hi alexying200005, you might want to run rkhunter to see if a rootkit has been installed. It can be downloaded from Ubuntu Software Center and can be found with the search bar at the top of the page. This is good software.
    Good luck, and let me know if this helped.

  4. #74
    Join Date
    Nov 2013
    Beans
    33

    Re: Virus in ubuntu

    David, cariboo907 and leeper69,

    Thank you all for helping. I will try all your methods.

  5. #75
    Join Date
    Jul 2007
    Location
    Tāmaki Makau-rau, NZ
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Virus in ubuntu

    If you're going to run rkhunter, first of all read up about the false positives. Many people jump to the conclusion that they've been infected when in fact the result is a known false positive.

    Also read the security sticky in this forum, if you haven't already.
    BACKUPS are unsexy — until you discover you should have done one yesterday.
    Spare your nerves and do one before you upgrade or install.
