Detect port scans performed by own computer
Solution 1:
A definite easy way to monitor your system is to run a command like netstat for a day or so and see what's going outbound. For example, something like this would show all outgoing (polled) connections:
netstat -nputwc | tee ~/network.log
From there, you can check network.log in your home folder to see if there are any weird/anomalous connections. It would be best to run this on a day when you're not going to use the internet too much, so you get only background and not-active connections. Netstat will also show you which process is making each connection, which may be worth finding and destroying if a scanner is running.
Furthermore, you can get a more detailed/verbose log using tcpdump, which gives more advanced output and more information. See man tcpdump for more information. However, look particularly at the src expression to capture only outgoing traffic. Also be sure to use the -w option to write to a file for easy searching. You can read a bit more about tcpdump here if you want. At the very least, this will tell you if your computer is actually scanning things.
From either of these, you can get the process (through netstat) or important things like when and where things are going. You can in fact run both at the same time to look for any triggers or similar that cause scans. You can even use tcpdump to find when scans happen, and then cross-reference that with netstat to find what process is doing things.
If you notice that these scans happen at regular times, you should look for cronjobs or similar, which can be removed (relatively) easily.
Otherwise, you can use the general security tips, such as running rkhunter, clamav, and so on. You could also always just reinstall your system from a known-good backup to just end it now.
And just for a bit of background on botnets, mostly to bore you.
Typically, a botnet sits idle on your system until triggered by some order. This can either be your system receiving a message from a remote server, or your machine polling a server for its new "orders." Either way, you can use these same tools to find these botnet commands, and where they're going to.
Once you can capture your machine being part of a botnet (if it is), you can find what and where the botnet software is, and remove it using any methods you want.
It may also be important to note that your computer may not be the infected device on the network. A router upstream, a WAP, a webcam, or any other sort of IoT thing (printers, even!) can also be members of a botnet. If they're behind the same connection/IP as your machine (especially at home or similar), you might be falsely blaming your computer instead of your smart toaster or whatever.
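As an added example (not part of the answer above): once you have a day's worth of netstat -nputwc output in network.log, the hard part is spotting a scan among the normal noise. The script below scores the log per local process: many distinct remote ports on one host looks like a vertical port scan, the same port on many hosts looks like a horizontal sweep. The sample log lines, the process names (.sysd, updater), the addresses and the threshold of 8 are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original answer: score a saved `netstat -nputwc`
# log for scan-like behaviour. A process that touches many distinct ports on one
# host looks like a vertical port scan; one that touches the same port on many
# hosts looks like a horizontal sweep. The threshold (8) is an assumption; tune it.

# find_scanners THRESHOLD  (netstat log on stdin)
# Prints one line per suspect: "VERTICAL pid/prog host ports=N" or
# "HORIZONTAL pid/prog port hosts=N". Banner and column-header lines are skipped.
find_scanners() {
  awk -v T="$1" '
    $1 !~ /^(tcp|udp|raw)/ { next }           # skip "Active Internet..." and headers
    {
      prog = $NF                               # PID/Program name is the last column
                                               # (a name containing spaces is truncated)
      n = split($5, a, ":"); port = a[n]       # foreign address is host:port; IPv6 has
      if (port == "*") next                    # more colons, so take the last field;
                                               # "*" means an unconnected UDP socket
      host = substr($5, 1, length($5) - length(port) - 1)
      if (!((prog, host, port) in vp)) { vp[prog, host, port] = 1; vcount[prog, host]++ }
      if (!((prog, port, host) in hp)) { hp[prog, port, host] = 1; hcount[prog, port]++ }
    }
    END {
      for (k in vcount) if (vcount[k] >= T) {
        split(k, f, SUBSEP); print "VERTICAL", f[1], f[2], "ports=" vcount[k]
      }
      for (k in hcount) if (hcount[k] >= T) {
        split(k, f, SUBSEP); print "HORIZONTAL", f[1], f[2], "hosts=" hcount[k]
      }
    }' | sort
}

# Constructed sample in `netstat -nputw` layout (not a real capture): a browser,
# a DHCP client, a process probing ten ports on one host, and a process hitting
# port 445 on nine hosts.
SAMPLE_LOG='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:46582      203.0.113.5:80          ESTABLISHED 30989/firefox
tcp        0      0 192.168.1.10:46590      203.0.113.5:443         ESTABLISHED 30989/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1200/dhclient
tcp        0      1 192.168.1.10:51001      10.0.0.5:21             SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51002      10.0.0.5:22             SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51003      10.0.0.5:23             SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51004      10.0.0.5:25             SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51005      10.0.0.5:80             SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51006      10.0.0.5:110            SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51007      10.0.0.5:139            SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51008      10.0.0.5:443            SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51009      10.0.0.5:445            SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:51010      10.0.0.5:3389           SYN_SENT    4242/.sysd
tcp        0      1 192.168.1.10:52001      10.0.0.1:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52002      10.0.0.2:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52003      10.0.0.3:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52004      10.0.0.4:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52005      10.0.0.5:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52006      10.0.0.6:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52007      10.0.0.7:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52008      10.0.0.8:445            SYN_SENT    5150/updater
tcp        0      1 192.168.1.10:52009      10.0.0.9:445            SYN_SENT    5150/updater'

# Demo on the constructed sample. For a real log: find_scanners 8 < ~/network.log
printf '%s\n' "$SAMPLE_LOG" | find_scanners 8
```

Because netstat -c only samples at intervals, a fast scan can finish between two snapshots; a tcpdump capture (or ss -tnp in a tight loop) catches those. The PID/Program column shows "-" for sockets owned by another user unless you run netstat as root, which is also why the "sudo" advice in the other answers matters here.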
Solution 2:
Possible things you can do:
- Change your passwords: in case of a human attacker using your device(s) as a mask, it's obvious that your authentication was somehow compromised. This includes your computer, but also your router, modem, and smart devices on your home network. Most users only put a password on wifi, but no password on their router admin account, which is bad. As Kaz pointed out, smart devices are also easy targets. While you're checking the router, also check whether someone has enabled port forwarding on the router, to know exactly what device is being accessed.
- Check for nmap: Nmap is one of the most common tools used for scanning networks. It can be used for good and is a good tool for system administrators, but it can also be used by the bad guys. Do
apt-cache policy nmap
to see if somebody installed it onto your machine.
- Analyze your network connections and traffic: tools such as netstat will tell you what programs are using which network ports. Of particular interest is the
sudo netstat -tulpan
command. Another tool already mentioned is Wireshark. You might need to take time to learn how to use it. I'd recommend that you run all these tests with all browsers and applications that depend on the network turned off.
- Consider deleting plugins for browsers: Chrome extensions and Firefox addons are amazing, but they're not innocent little kittens. You could be running a browser, and those extensions do all the malicious activity in the background. Consider deleting them all, or simply removing
~/.mozilla
and
~/.config/google-chrome/
- If nothing else works, nuke it from orbit: in other words, back up your data and reinstall your Ubuntu. Once a system is compromised, it's hard to trust it. A quite common technique is to replace a legitimate program with a fake one. With thousands of binary files on a computer, it can be hard to tell what is causing the mess if you're not a computer forensics specialist or security researcher. Make an Ubuntu live USB (preferably on a different, trusted computer) and reinstall your system. Consider getting rid of your router as well and getting a new one. Installing malware in routers isn't as uncommon as you think. If you don't want to do that, consider installing open source software on the router, such as DD-WRT or OpenWrt, if those support your router manufacturer and version.
- Consider asking a professional for help: this one might cost you the most, but if you want to get to the bottom of this and find out what actually is going on, consider hiring someone who investigates computer network security for a living. The potential plus is that they can tell you who has compromised your network, how they did it, and how they are using it for malicious juju.
Solution 3:
I have another approach for you, as I faced the same situation myself in the past.
- DO NOT BLOCK ANYTHING with IPTABLES YET!
- Stop any application or process that can communicate with the victim (e.g. a browser connected to the victim IP address).
- Find out what traffic is being made between your PC and the victim's PC by using
tcpdump -nn host your_victim_ip
Your output should look similar to this:
08:36:19.738610 IP 192.168.89.xxx.46582 > 89.35.224.xxx.80: Flags [.], ack 18825, win 523, options [nop,nop,TS val 15987331 ecr 427321428], length 0
08:36:19.738625 IP 89.35.224.xxx.80 > 192.168.89.xxx.46582: Flags [.], seq 18825:20273, ack 492, win 243, options [nop,nop,TS val 427321428 ecr 15987307], length 1448: HTTP
08:36:19.738635 IP 192.168.89.xxx.46582 > 89.35.224.xxx.80: Flags [.], ack 20273, win 545, options [nop,nop,TS val 15987331 ecr 427321428], length 0
08:36:19.738643 IP 89.35.224.xxx.80 > 192.168.89.xxx.46582: Flags [FP.], seq 20273:21546, ack 492, win 243, options [nop,nop,TS val 427321428 ecr 15987307], length 1273: HTTP
From the output above, the ports are the numbers after the last dot of each address in 192.168.89.xxx.46582 > 89.35.224.xxx.80 (46582 and 80).
- Find out what is using that port with lsof:
lsof -nP -i:80
Change ":80" with the port(s) found in the tcpdump output; the -n is used to suppress resolving IPs into names and the -P is used to suppress converting ports into names; it should show you what process uses port 80.
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox   30989 mihai   61u  IPv4 496649      0t0  TCP 192.168.89.xxx:40890->89.35.224.xxx:80 (ESTABLISHED)
As you can see in my example, the COMMAND firefox is using port 80 in the communication established with IP 89.35.224.xxx.
- If the command appears to be strange, verify from where it is running with
ls -l /proc/$PID/exe
where $PID is the Process ID found with the lsof command earlier. It should give a similar output like:
lrwxrwxrwx 1 mihai mihai 0 Jan 16 22:37 /proc/30989/exe -> /usr/lib/firefox/firefox
- Additionally, you can check for more details on the command listed by lsof -i:port above by using
lsof -c command_name
That's the digging part, so keep in mind that almost everything related to that "running command" will show up, like what files it uses, what other connections, etc.
- Kill the process with
sudo kill -9 $PID
It might be a good idea to back up the file in another place and delete it if it's not a common process name like firefox, although you may consider reinstalling the app if it's a common one.
Another approach is to change the command used at step 4. With
lsof -i@victim_ip_address
you see all processes and commands that have active connections with your victim's IP address.
IMPORTANT: Run all the commands as root or with sudo.
If you don't have tcpdump or lsof installed, you can install them with:
sudo apt install lsof tcpdump
At this point I think you have all the information needed to use IPTABLES and block outgoing traffic, if it's still needed.
Don't forget to use tcpdump again to see if the problem has gone.
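As an added example (not code from the answer above): the tcpdump -> lsof -> /proc/$PID/exe steps wrapped into shell functions, with one extra check the answer implies but does not automate: whether the binary behind the PID lives in a package-managed location, and whether it has been deleted from disk since launch (readlink shows such a path with a "(deleted)" suffix). The list of "normal" prefixes, the user name alice, the address 203.0.113.5 and the process name .sysd are assumptions made for the demonstration, and the lsof output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original answer: the tcpdump -> lsof ->
# /proc/PID/exe steps above as reusable functions, plus a verdict on where the
# binary lives. The list of "normal" install prefixes is an assumption for a
# stock Ubuntu; extend it if you run software from elsewhere.

# lsof_pids: read `lsof -nP -i ...` output on stdin, print each PID once.
# Rows whose COMMAND contains a space shift the columns and are skipped here;
# `lsof -F p` gives machine-readable "pPID" lines if that matters to you.
lsof_pids() {
  awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# classify_path PATH: "ok" for a binary under a package-managed location,
# "suspicious" for anything else, including a binary deleted after launch
# (readlink reports it with a "(deleted)" suffix, a common way to hide a dropper).
classify_path() {
  case "$1" in
    *"(deleted)"*) echo suspicious ;;
    /usr/*|/bin/*|/sbin/*|/lib/*|/lib64/*|/opt/*|/snap/*) echo ok ;;
    *) echo suspicious ;;
  esac
}

# check_exe PID: print "PID exe-path verdict". Reading another user's
# /proc/PID/exe needs root, which is why the answer says to run everything with sudo.
check_exe() {
  exe=$(readlink "/proc/$1/exe" 2>/dev/null) || exe="(unreadable)"
  printf '%s %s %s\n' "$1" "$exe" "$(classify_path "$exe")"
}

# triage_host REMOTE_IP: every local process connected to REMOTE_IP, with verdicts.
triage_host() {
  sudo lsof -nP -i "@$1" | lsof_pids | while read -r pid; do check_exe "$pid"; done
}

# Constructed lsof output (not a real capture) so the parser can be exercised offline.
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 30989 alice   61u  IPv4 496649      0t0  TCP 192.168.1.10:40890->203.0.113.5:80 (ESTABLISHED)
firefox 30989 alice   77u  IPv4 496712      0t0  TCP 192.168.1.10:40902->203.0.113.5:443 (ESTABLISHED)
.sysd    4242 alice    3u  IPv4 501001      0t0  TCP 192.168.1.10:51001->203.0.113.5:22 (SYN_SENT)'

# Offline demo: unique PIDs from the sample, then a live check of this shell's own binary.
printf '%s\n' "$SAMPLE_LSOF" | lsof_pids
check_exe "$$"
# Real use, after tcpdump has given you the remote address:  triage_host 203.0.113.5
```

A "suspicious" verdict is a prompt to look harder (lsof -p PID, ls -la on the directory, the file's package via dpkg -S), not proof by itself: a Flatpak, AppImage or a locally built tool will also sit outside the listed prefixes. The "(deleted)" case is the one to treat seriously, since a legitimately upgraded binary is rare to catch in that state while a dropper that unlinks itself is not.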