On Fri, 14 Mar 2014 20:47:21 +0000 yb...@hushmail.com wrote:
> Hello,
>
> I fear that my home PC is compromised; every now and then it starts to
> open a lot of connections
> and sends packets (about 200kbs) to certain IP addresses (e.g. Google)
> without me doing anything.
>
> Using Debian 7, and I tried to reinstall the distro several times,
> taking care to remove all services
> by checking with nmap over 65,000 doors; also the DHCP service is
> uninstalled.
> The machine is behind a modem / router with proprietary firmware, and
> the things I can do are quite a few there.
>
> With Wireshark I think the strange packets do not arrive as soon as I am
> connected,
> so I think the compromise starts when I start the browser. Iceweasel
> and Chromium, it seems indifferent.
>
> I do not know what to do; any advice would help me.
> I believe that those who succeed in the attack can do whatever they
> want with my PC.
> (My suspicion is some sort of IP / DNS spoofing, but it could be more;
> I do not understand.)
>
> Sorry for my English
No problem, it's very good.

Browsers do a fair bit behind the scenes, so this isn't necessarily something sinister. Firefox/Iceweasel, for example, looks up popular Google search terms as you enter characters in the search window. Chromium is also Google, of course.

Try installing Midori, which by default uses the DuckDuckGo search, and see if the same kind of activity occurs when you start it. It's a bit primitive as browsers go, but you are trying to solve a problem, not have a great browsing experience.

If you are using your router as DNS server, try using e.g. OpenDNS instead in your workstation DNS settings. There are certainly router DNS compromises about. As you are comfortable with Wireshark, have a look at the destination IP addresses of DNS lookups, see if they are what you expect. Man-in-the-middle attacks are harder than DNS server address substitution.

--
Joe

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140314211015.60039...@jretrading.com
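Joe's suggestion to compare the destination addresses of DNS lookups against the resolvers you actually configured can be scripted. The following is an added example, not part of this thread, that assumes a capture exported with tshark's `ip.src`, `ip.dst` and `dns.qry.name` fields plus the workstation's resolv.conf; both inputs are constructed inline here so it runs offline.

```python
"""Flag DNS queries sent to a resolver that is not in resolv.conf.

Constructed input: SAMPLE_QUERIES imitates the output of
  tshark -r capture.pcap -Y "dns.flags.response == 0" \
         -T fields -e ip.src -e ip.dst -e dns.qry.name
(one query per line, tab separated) and SAMPLE_RESOLV_CONF imitates
/etc/resolv.conf after switching the workstation to OpenDNS.
Replace both with real data from your own capture and machine.
"""
import re

SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220
"""

# Constructed sample rows: <src>\t<dst>\t<queried name>.
# 192.168.1.1 stands for the router; 198.51.100.7 is a documentation
# address standing in for an unknown resolver.
SAMPLE_QUERIES = """\
192.168.1.10\t208.67.222.222\twww.debian.org
192.168.1.10\t208.67.222.222\tduckduckgo.com
192.168.1.10\t192.168.1.1\tsafebrowsing.google.com
192.168.1.10\t198.51.100.7\twww.google.com
192.168.1.10\t198.51.100.7\tmail.google.com
"""


def configured_resolvers(resolv_conf: str) -> set:
    """Return the nameserver addresses listed in a resolv.conf text."""
    return set(re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M))


def unexpected_resolvers(query_rows: str, expected: set) -> dict:
    """Map each non-configured DNS destination to the names queried there."""
    hits = {}
    for line in query_rows.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        _src, dst, name = parts
        if dst not in expected:
            hits.setdefault(dst, []).append(name)
    return hits


if __name__ == "__main__":
    suspects = unexpected_resolvers(SAMPLE_QUERIES,
                                    configured_resolvers(SAMPLE_RESOLV_CONF))
    for dst, names in suspects.items():
        print(f"{len(names)} queries to unconfigured resolver {dst}: {names}")
```

A query answered by a resolver you never configured (the router, or an address you do not recognise) is the sign of substitution Joe describes; compare the flagged addresses against the router's own DNS settings before drawing conclusions.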