
Re: pc is compromised



On Fri, 14 Mar 2014 20:47:21 +0000
ybed0@hushmail.com wrote:

> Hello, 
> 
> I fear that my home PC is compromised; every now and then it starts to
> open a lot of connections
> and sends packets (about 200kbs) to certain IP addresses (e.g. Google)
> without me doing anything.
> 
> I am using Debian 7 and I have tried to reinstall the distro several times,
> taking care to remove all services
> by checking over 65,000 ports with nmap; the DHCP service is
> also uninstalled.
> The machine is behind a modem/router with proprietary firmware, and
> there are only a few things I can do there.
> 
> With Wireshark I think the strange packets do not arrive as soon as I
> connect,
> so I think the compromise starts when I start the browser. Iceweasel
> or Chromium, it seems to make no difference.
> 
> I do not know what to do; any advice would help me.
> I believe that whoever succeeds in the attack can do whatever they
> want with my PC.
> (My suspicion is some sort of IP/DNS spoofing, but it could be more;
> I do not understand.)
> 
> Sorry for my English 

No problem, it's very good. Browsers do a fair bit behind the scenes, so
this isn't necessarily something sinister. Firefox/Iceweasel, for
example, looks up popular Google search terms as you enter characters in
the search window. Chromium is also Google, of course.

Try installing Midori, which by default uses the DuckDuckGo search, and
see if the same kind of activity occurs when you start it. It's a bit
primitive as browsers go, but you are trying to solve a problem, not
have a great browsing experience.

If you are using your router as DNS server, try using e.g. OpenDNS
instead in your workstation DNS settings. There are certainly router DNS
compromises about. As you are comfortable with wireshark, have a look
at the destination IP addresses of DNS lookups, see if they are what you
expect. Man-in-the-middle attacks are harder than DNS server address
substitution.

-- 
Joe
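The check Joe recommends (look at where your DNS lookups actually go and compare that with the resolver you configured), as an added example that is not part of this thread: a standard-library Python script that reads a classic Ethernet pcap saved from Wireshark, counts the destinations of UDP/53 packets and reports any that are not your expected resolver. The sample capture, the 192.168.1.1 resolver and the other addresses are constructed for the example.

```python
import struct
from collections import Counter

def dns_destinations(pcap_bytes: bytes) -> Counter:
    """Count destination IPs of UDP/53 packets in a classic (non-pcapng) pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"          # byte order of the file
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("example handles LINKTYPE_ETHERNET captures only")
    counts, off = Counter(), 24                           # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(endian + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4 / too short
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
        if frame[23] != 17:
            continue                                      # not UDP
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0]
        if dport == 53:
            counts[".".join(map(str, frame[30:34]))] += 1 # IPv4 destination address
    return counts

def unexpected_resolvers(pcap_bytes: bytes, expected: set) -> dict:
    """DNS destinations that are not the resolver(s) you configured."""
    return {ip: n for ip, n in dns_destinations(pcap_bytes).items() if ip not in expected}

# --- constructed sample capture (not real traffic) -------------------------
def _udp_frame(dst_ip: str, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/UDP frame; checksums left zero, payload is filler."""
    payload = b"\x00" * 12
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         bytes([192, 168, 1, 10]), bytes(int(o) for o in dst_ip.split(".")))
    udp_hdr = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + udp_hdr + payload

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f          # record header
    return out

SAMPLE = build_pcap([_udp_frame("192.168.1.1", 53), _udp_frame("192.168.1.1", 53),
                     _udp_frame("198.51.100.7", 53), _udp_frame("142.250.74.46", 443)])

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE, {"192.168.1.1"}))  # {'198.51.100.7': 1}
```

To use it on your own traffic, save a capture from Wireshark in the classic pcap format and pass its bytes to `unexpected_resolvers` together with the resolver address from your workstation DNS settings; every address it reports is a DNS lookup that went somewhere you did not configure.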

