Linux malware that tries to connect to random IPs Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election Results Why I closed the “Why is Kali so hard” questionThe myths about malware in Unix / LinuxIs Linux really malware safe? Or people just don't bother creating them for Linux?GNU/Linux distribution for network virus || malware identificationIs it possible to have malware software in Linux without executing untrusted applications?how to make malware file readable with “No read permission on file” on linux ext-4?Is this an argument that Linux security is not impenetrable?How to find out which particular e-mail in Thunderbird/Icedove that contains malware Doc.Dropper.Agent-1552723 pointed out by Clamscan?Detect malware that recreates files in /usr/bin with a backdoorWindows anti-virus and anti-malware available on Linux?how does fileless malware work on linux?

How would a mousetrap for use in space work?

Delete nth line from bottom

Generate an RGB colour grid

Would "destroying" Wurmcoil Engine prevent its tokens from being created?

Can you use the Shield Master feat to shove someone before you make an attack by using a Readied action?

How to answer "Have you ever been terminated?"

Where are Serre’s lectures at Collège de France to be found?

Extracting terms with certain heads in a function

Around usage results

How do I stop a creek from eroding my steep embankment?

What does this Jacques Hadamard quote mean?

Does classifying an integer as a discrete log require it be part of a multiplicative group?

What are the out-of-universe reasons for the references to Toby Maguire-era Spider-Man in ITSV

When the Haste spell ends on a creature, do attackers have advantage against that creature?

Using audio cues to encourage good posture

What is the meaning of the simile “quick as silk”?

Dating a Former Employee

What font is "z" in "z-score"?

Using et al. for a last / senior author rather than for a first author

Is "Reachable Object" really an NP-complete problem?

Circuit to "zoom in" on mV fluctuations of a DC signal?

If a VARCHAR(MAX) column is included in an index, is the entire value always stored in the index page(s)?

If my PI received research grants from a company to be able to pay my postdoc salary, did I have a potential conflict interest too?

How do I find out the mythology and history of my Fortress?



Linux malware that tries to connect to random IPs



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
2019 Community Moderator Election Results
Why I closed the “Why is Kali so hard” questionThe myths about malware in Unix / LinuxIs Linux really malware safe? Or people just don't bother creating them for Linux?GNU/Linux distribution for network virus || malware identificationIs it possible to have malware software in Linux without executing untrusted applications?how to make malware file readable with “No read permission on file” on linux ext-4?Is this an argument that Linux security is not impenetrable?How to find out which particular e-mail in Thunderbird/Icedove that contains malware Doc.Dropper.Agent-1552723 pointed out by Clamscan?Detect malware that recreates files in /usr/bin with a backdoorWindows anti-virus and anti-malware available on Linux?how does fileless malware work on linux?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








-1















My wife's laptop, with MX17 linux, tries from time to time since a few months to connect to apparently random 192.168.1.* IPs; at least that's what my home router warns me about (message from the router: the device "laptop IP" tries to connect to "random IP", which does not exist).



Yesterday, my son transferred some jpg and gimp files via usb from this computer to his own laptop (ubuntu 18), and my router gave me 3 similar warnings from yesterday on, but this time from my son's laptop, for the first time...



May it be some kind of linux malware ? which one ?



clamav does not detect any corrupted file on both systems, nor on the usb key.






linux malware







share|improve this question



















  • 2





    what is the message from the router? "Connect to some IP" isn't very helpful.

    – A.B
    9 hours ago











  • I've added the message in the question, but it's not more informative: it's a basic router without detailed logs, and I don't have any control on it.

    – xtof54
    9 hours ago






  • 1





    That doesn't help much anyway. You'd have to check everything apart, especially logs, permanent tcpdump from the router to try and catch more (what protocol? what port? ...) still check logs on systems, even if compromised systems can't be trusted. So it would be a very broad subject with the few facts you're giving, assuming there's really something. Are you sure it's not mDNS multicast for example? did the router write "random IP" or a value you're hiding, thus hindering any help?

    – A.B
    9 hours ago












  • The router does not write "random IP", but it writes for instance 192.168.1.4 one day, then 192.168.1.65 another day, and so on. I'm sure it's not multicast. i've thought about running tcpdump for a long time, but there are very long periods (>14 days) without any warning. But that's something I may wanna try. I just wanted to hear from "virus experts", if it may be a malware. In which case, it's much easier to reinstall ubuntu from scratch I guess...

    – xtof54
    9 hours ago


















-1















My wife's laptop, with MX17 linux, tries from time to time since a few months to connect to apparently random 192.168.1.* IPs; at least that's what my home router warns me about (message from the router: the device "laptop IP" tries to connect to "random IP", which does not exist).



Yesterday, my son transferred some jpg and gimp files via usb from this computer to his own laptop (ubuntu 18), and my router gave me 3 similar warnings from yesterday on, but this time from my son's laptop, for the first time...



May it be some kind of linux malware ? which one ?



clamav does not detect any corrupted file on both systems, nor on the usb key.






linux malware







share|improve this question



















  • 2





    what is the message from the router? "Connect to some IP" isn't very helpful.

    – A.B
    9 hours ago











  • I've added the message in the question, but it's not more informative: it's a basic router without detailed logs, and I don't have any control on it.

    – xtof54
    9 hours ago






  • 1





    That doesn't help much anyway. You'd have to check everything apart, especially logs, permanent tcpdump from the router to try and catch more (what protocol? what port? ...) still check logs on systems, even if compromised systems can't be trusted. So it would be a very broad subject with the few facts you're giving, assuming there's really something. Are you sure it's not mDNS multicast for example? did the router write "random IP" or a value you're hiding, thus hindering any help?

    – A.B
    9 hours ago












  • The router does not write "random IP", but it writes for instance 192.168.1.4 one day, then 192.168.1.65 another day, and so on. I'm sure it's not multicast. i've thought about running tcpdump for a long time, but there are very long periods (>14 days) without any warning. But that's something I may wanna try. I just wanted to hear from "virus experts", if it may be a malware. In which case, it's much easier to reinstall ubuntu from scratch I guess...

    – xtof54
    9 hours ago














-1












-1








-1








My wife's laptop, with MX17 linux, tries from time to time since a few months to connect to apparently random 192.168.1.* IPs; at least that's what my home router warns me about (message from the router: the device "laptop IP" tries to connect to "random IP", which does not exist).



Yesterday, my son transferred some jpg and gimp files via usb from this computer to his own laptop (ubuntu 18), and my router gave me 3 similar warnings from yesterday on, but this time from my son's laptop, for the first time...



May it be some kind of linux malware ? which one ?



clamav does not detect any corrupted file on both systems, nor on the usb key.






linux malware







share|improve this question
















My wife's laptop, with MX17 linux, tries from time to time since a few months to connect to apparently random 192.168.1.* IPs; at least that's what my home router warns me about (message from the router: the device "laptop IP" tries to connect to "random IP", which does not exist).



Yesterday, my son transferred some jpg and gimp files via usb from this computer to his own laptop (ubuntu 18), and my router gave me 3 similar warnings from yesterday on, but this time from my son's laptop, for the first time...



May it be some kind of linux malware ? which one ?



clamav does not detect any corrupted file on both systems, nor on the usb key.






linux malware




linux malware






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 9 hours ago







xtof54

















asked 10 hours ago









xtof54xtof54

1093




1093







  • 2





    what is the message from the router? "Connect to some IP" isn't very helpful.

    – A.B
    9 hours ago











  • I've added the message in the question, but it's not more informative: it's a basic router without detailed logs, and I don't have any control on it.

    – xtof54
    9 hours ago






  • 1





    That doesn't help much anyway. You'd have to check everything apart, especially logs, permanent tcpdump from the router to try and catch more (what protocol? what port? ...) still check logs on systems, even if compromised systems can't be trusted. So it would be a very broad subject with the few facts you're giving, assuming there's really something. Are you sure it's not mDNS multicast for example? did the router write "random IP" or a value you're hiding, thus hindering any help?

    – A.B
    9 hours ago












  • The router does not write "random IP", but it writes for instance 192.168.1.4 one day, then 192.168.1.65 another day, and so on. I'm sure it's not multicast. i've thought about running tcpdump for a long time, but there are very long periods (>14 days) without any warning. But that's something I may wanna try. I just wanted to hear from "virus experts", if it may be a malware. In which case, it's much easier to reinstall ubuntu from scratch I guess...

    – xtof54
    9 hours ago













  • 2





    what is the message from the router? "Connect to some IP" isn't very helpful.

    – A.B
    9 hours ago











  • I've added the message in the question, but it's not more informative: it's a basic router without detailed logs, and I don't have any control on it.

    – xtof54
    9 hours ago






  • 1





    That doesn't help much anyway. You'd have to check everything apart, especially logs, permanent tcpdump from the router to try and catch more (what protocol? what port? ...) still check logs on systems, even if compromised systems can't be trusted. So it would be a very broad subject with the few facts you're giving, assuming there's really something. Are you sure it's not mDNS multicast for example? did the router write "random IP" or a value you're hiding, thus hindering any help?

    – A.B
    9 hours ago












  • The router does not write "random IP", but it writes for instance 192.168.1.4 one day, then 192.168.1.65 another day, and so on. I'm sure it's not multicast. i've thought about running tcpdump for a long time, but there are very long periods (>14 days) without any warning. But that's something I may wanna try. I just wanted to hear from "virus experts", if it may be a malware. In which case, it's much easier to reinstall ubuntu from scratch I guess...

    – xtof54
    9 hours ago








2




2





what is the message from the router? "Connect to some IP" isn't very helpful.

– A.B
9 hours ago





what is the message from the router? "Connect to some IP" isn't very helpful.

– A.B
9 hours ago













I've added the message in the question, but it's not more informative: it's a basic router without detailed logs, and I don't have any control on it.

– xtof54
9 hours ago





I've added the message in the question, but it's not more informative: it's a basic router without detailed logs, and I don't have any control on it.

– xtof54
9 hours ago




1




1





That doesn't help much anyway. You'd have to check everything apart, especially logs, permanent tcpdump from the router to try and catch more (what protocol? what port? ...) still check logs on systems, even if compromised systems can't be trusted. So it would be a very broad subject with the few facts you're giving, assuming there's really something. Are you sure it's not mDNS multicast for example? did the router write "random IP" or a value you're hiding, thus hindering any help?

– A.B
9 hours ago






That doesn't help much anyway. You'd have to check everything apart, especially logs, permanent tcpdump from the router to try and catch more (what protocol? what port? ...) still check logs on systems, even if compromised systems can't be trusted. So it would be a very broad subject with the few facts you're giving, assuming there's really something. Are you sure it's not mDNS multicast for example? did the router write "random IP" or a value you're hiding, thus hindering any help?

– A.B
9 hours ago














The router does not write "random IP", but it writes for instance 192.168.1.4 one day, then 192.168.1.65 another day, and so on. I'm sure it's not multicast. i've thought about running tcpdump for a long time, but there are very long periods (>14 days) without any warning. But that's something I may wanna try. I just wanted to hear from "virus experts", if it may be a malware. In which case, it's much easier to reinstall ubuntu from scratch I guess...

– xtof54
9 hours ago






The router does not write "random IP", but it writes for instance 192.168.1.4 one day, then 192.168.1.65 another day, and so on. I'm sure it's not multicast. i've thought about running tcpdump for a long time, but there are very long periods (>14 days) without any warning. But that's something I may wanna try. I just wanted to hear from "virus experts", if it may be a malware. In which case, it's much easier to reinstall ubuntu from scratch I guess...

– xtof54
9 hours ago











0






active

oldest

votes












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f513044%2flinux-malware-that-tries-to-connect-to-random-ips%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f513044%2flinux-malware-that-tries-to-connect-to-random-ips%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-linux, malware
-

Popular posts from this blog

Frič See also Navigation menuinternal link

Image
SurnamesCzech-language surnames ‹ The template Infobox surname is being considered for merging. › Frič Origin Language(s) Czechized German (eastern Middle German dialects and Alemannic German) - Thuringian, Upper Saxon, Low Lusatian, Silesian Meaning derived from German: Friedrich Other names Variant(s) Fritsch, Fritzsch, Frycz, Fricz, Fryczyński, Frietsch, Fritsche, Fritzsche; Fritschi (Alemannic), Fritz, Fritze, Fritzel, Fritzl, Fritzke, Fritzen Frič is a Czechized German surname. Notable people with the surname include: Alberto Vojtěch Frič, Czech botanist Antonín Jan Frič (Fritsch) , Czech paleontologist Jaroslav Erik Frič, Czech poet Martin Frič, Czech film director, screenwriter and actor See also Fričovce (Hungarian: Frics ) .mw-parser-output table.dmboxclear:both;margin:0.9em 1em;border-top:1px solid #ccc;border-bottom:1px solid #ccc;background-color:transparent Surname list This page lists people with the surname Frič . If an internal link intending to refer to a specifi
Read more

Identify plant with long narrow paired leaves and reddish stems Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?What is this plant with long sharp leaves? Is it a weed?What is this 3ft high, stalky plant, with mid sized narrow leaves?What is this young shrub with opposite ovate, crenate leaves and reddish stems?What is this plant with large broad serrated leaves?Identify this upright branching weed with long leaves and reddish stemsPlease help me identify this bulbous plant with long, broad leaves and white flowersWhat is this small annual with narrow gray/green leaves and rust colored daisy-type flowers?What is this chilli plant?Does anyone know what type of chilli plant this is?Help identify this plant

Image
Apollo command module space walk? prime numbers and expressing non-prime numbers Can a non-EU citizen traveling with me come with me through the EU passport line? Extract all GPU name, model and GPU ram How to deal with a team lead who never gives me credit? Why was the term "discrete" used in discrete logarithm? Why do we bend a book to keep it straight? When do you get frequent flier miles - when you buy, or when you fly? How come Sam didn't become Lord of Horn Hill? At the end of Thor: Ragnarok why don't the Asgardians turn and head for the Bifrost as per their original plan? Is it true that "carbohydrates are of no use for the basal metabolic need"? Using et al. for a last / senior author rather than for a first author How to tell that you are a giant? How to react to hostile behavior from a senior developer? String `!23` is replaced with `docker` in command line How to find out what spells would be useless to a blind NPC sp
Read more

fontconfig warning: “/etc/fonts/fonts.conf”, line 100: unknown “element blank” The 2019 Stack Overflow Developer Survey Results Are In“tar: unrecognized option --warning” during 'apt-get install'How to fix Fontconfig errorHow do I figure out which font file is chosen for a system generic font alias?Why are some apt-get-installed fonts being ignored by fc-list, xfontsel, etc?Reload settings in /etc/fonts/conf.dTaking 30 seconds longer to boot after upgrade from jessie to stretchHow to match multiple font names with a single <match> element?Adding a custom font to fontconfigRemoving fonts from fontconfig <match> resultsBroken fonts after upgrading Firefox ESR to latest Firefox

Image
How to type this arrow in math mode? Multiply Two Integer Polynomials What do hard-Brexiteers want with respect to the Irish border? Why isn't the circumferential light around the M87 black hole's event horizon symmetric? For what reasons would an animal species NOT cross a *horizontal* land bridge? Can one be advised by a professor who is very far away? Identify boardgame from Big movie slides for 30min~1hr skype tenure track application interview Why do we hear so much about the Trump administration deciding to impose and then remove tariffs? If I score a critical hit on an 18 or higher, what are my chances of getting a critical hit if I roll 3d20? Can we generate random numbers using irrational numbers like π and e? Worn-tile Scrabble Output the Arecibo Message What is the meaning of Triage in Cybersec world? How are circuits which use complex ICs normally simulated? Shouldn't "much" here be used instead of "more"? Dele
Read more