
Re: pc is compromised



On Mon, Mar 17, 2014 at 7:10 AM, ybed0 wrote:

> I had nothing running (eg browsers or other clients). What could it be?

Looking at the Wireshark Statistics -> Protocol Hierarchy tool, it
appears that random machines on the Internet are attempting to connect
to TCP and UDP ports 54424 and 59520. Linux on your computer is
responding to these packets saying that the ports are closed. The data
in the UDP packets is one of these lengths: 20 30 67 101 103. The
longer packets are more interesting. They have some strings like ping1
and find_node1. A web search for them turns up this page where some
folks are discussing a similar issue. It appears that this is to do
with the Kademlia distributed hash table. If the IP you are now using
has ever used any of the peer-to-peer networks listed in the
implementations section of the Wikipedia page about Kademlia, you will
probably see these connections/packets. I guess they will gradually
reduce over time as your IP address gets dropped by clients.

http://es.comp.hackers.narkive.com/jcAAu5K5/puerto-13406
https://en.wikipedia.org/wiki/Kademlia
https://en.wikipedia.org/wiki/Kademlia#Implementations

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
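
An added example, not part of the original message: strings such as ping1 and find_node1 are consistent with bencoded BitTorrent Mainline DHT (Kademlia) queries, where the 4-byte string "ping" followed by a 1-byte key is written `4:ping1:t`. The Python sketch below decodes UDP payloads exported from a capture and labels them; the function names are this example's own and the sample payloads are constructed.

```python
def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dict: l...e, d...e
        i += 1
        items = []
        while data[i:i + 1] != b"e":                # truncated input raises below
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dict with odd item count")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError("not bencode")

def classify(payload):
    """Label a UDP payload as a DHT query, response, error, or not-krpc."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, TypeError, RecursionError):
        return "not-krpc"
    if not isinstance(msg, dict) or b"t" not in msg:
        return "not-krpc"
    kind, method = msg.get(b"y"), msg.get(b"q")
    if kind == b"q" and isinstance(method, bytes):
        return "query:" + method.decode("ascii", "replace")
    if kind == b"r":
        return "response"
    return "error" if kind == b"e" else "not-krpc"

# Constructed sample payloads (not taken from the capture discussed above).
PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
FIND_NODE = (b"d1:ad2:id20:abcdefghij01234567896:target20:mnopqrstuvwxyz123456e"
             b"1:q9:find_node1:t2:aa1:y1:qe")
RESPONSE = b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"

if __name__ == "__main__":
    for sample in (PING, FIND_NODE, RESPONSE, b"\x00\x01noise"):
        print(classify(sample))
```

If every unsolicited UDP payload on those ports is labelled as a query, the traffic is stale DHT routing-table entries for the IP address, not evidence of a listening service on the machine.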

