How to deal with malware?

I see a lot of places to help with malware but they always have guides for Windows and Mac only so I’m not sure where to turn to. Is it okay to discuss and troubleshoot this particular type of issue in these forums, like what happened and maybe try to remove whatever I’ve caught, if possible or ensure that it will not follow me in a reinstall and if not, can anyone recommend a different community in which I may go to instead?

I will write down some thoughts about it below in case it is a valid topic for discussion here, and I would really love your help.

Assuming I can ask about this here:

So, a couple hours ago, I was trying to download some ISOs to do a fresh install (ironic?) and the download was incredibly slow. I checked and my upload was using up 100% of my bandwidth. Well that don’t seem right. And I had noticed almost 2 GiB had been uploaded since I turned on the computer, strange, seeing as my internet connection is molasses slow, 1.4 MB/s when the stars align.

I tried downloading Wireshark, and while it was downloading, the upload stopped. As soon as it was finished though, the upload continued (this almost feels like, ‘if user doing certain activities, pause upload’?)

I ran Wireshark but this is not the best time to try to understand how it works. I did end up in Statistics > Conversations > TCP and noticed quite a lot of traffic with 152.199.21.175, which a quick Google search shows as being heavily reported as Don’t know how well those sites can be trusted though.

Afterwards I noticed that it was uploading and downloading at the same speeds. And an insane amount of data seems to be being transferred both in and out (with my slow speed, how?). I think at the time I severed connection it was 2.3 GiB down, 2.0 GiB up

I did notice earlier, about 10 hours ago, that my .iso download was extremely slow. I checked the network tab in System Monitor and didn’t notice anything, but I was a bit out of it and am not sure I looked at the upload side of the window. I went to sleep (and turned off the computer), which led to my first paragraph of this section.

my behavior/computer usage

I have been trying to rack my brain on if I noticed this behavior earlier on. I have been really sick for the last two months and been mostly bedridden. I have tried to update my computer daily and 99% of what I’ve done is watch YouTube videos. I have also used Firefox with NordVPN in a VM (that I also keep up-to-date as well) and watch more videos.

Now before today I do not know how long this has been going on for. Like I said I have mostly just been watching videos. They did buffer more than usual (YouTube only) but barely noticeably, and I figured the reason for that was my ad blockers since I have been paranoid about drive-by malware, haha…

I do not really visit many websites, I’m always paranoid I’ll catch something and I hardly ever download things, unless bank or government. If there is something else I want, I’ll download it, then attempt to scan it in VirusTotal and unless it gets a 100% pass (excluding those that do not complete the scan), I will not keep the file. And by want I don’t mean pirating software or media, I mean stuff like TLCL or books, movies, games that I have purchased and a few thesis papers. I did download Fedora Silverblue on the 27th and the download speed was appropriate.

I have maybe noticed the extra 5% (if that) of buffering for maybe a week. But I did injure myself pretty badly a few weeks ago, so I was extra dazed, so I could’ve missed it completely during that time.

Only other site I have heavily visited is the CS50 Harvard programming course, but I have not downloaded anything for that course seeing as they have VSCode on the cloud with all their plug-ins already installed.

Software

I do have third party repos on my computer: code, gh-cli, rpmfusion-{free{-updates},nonfree{-updates}} and vivaldi.
I’m not sure how to check which repo things were installed from, but I have installed ffmpeg, steam, vivaldi-stable, code, libwebp-tools, libheif-tools, gh, poppler-utils, wimlib-utils, heif-pixbuf-loader, which I believe are all from third party repos (some might not be).

I have no extensions on Vivaldi and I have Firefox Multi-Account Containers and uBlock Origin in Firefox (also in VM).

I can’t remember what version of Fedora Server I initially installed. Maybe 35 or 37 and currently on 39. I installed it with Gnome. I eventually switched to and still use XFCE, I believe I installed KDE and Sway. Even though I installed the server version, I have not really been using it as a server.

The firewall is enabled, with services cockpit dhcpv6-client kdeconnect mdns and ssh. And my router’s is too and no ports open.

I haven’t noticed anything that catches my eye in htop or System Monitor, load is currently 0.78 but I think even when it was uploading it was not a heavy load either. I do not see a network tab in either of those programs so do not know how to analyze what is doing all the transferring? Is there something that would tell me?

I am sure that there is much more information that I need to provide but I’m not thinking clearly at the moment, so apologies. Please let me know what other information I can provide and I will do my best to deliver. Thanks for your time.


Generally, yes. If you are unsure, this is always the right place.

First, what Fedora do you use? Workstation, KDE, Silverblue, Kinoite, … ? Also, please open a terminal and provide the output of uname -r.

How did you try to download it?

An alternative to Wireshark might be tcpdump (but both should be available with dnf).

If your goal is to find out what causes traffic, I guess this is the best time. Alternatively, check out tcpdump as mentioned above.

I don’t want to make too much marketing for our SIG, but if you want so much to maximize security, you might check out the Confined Users SIG: SELinux-confined users currently do not deliver a perfect user experience given its restrictions, but given your self-restrictions, it might make things easier for you. In such an environment, it will be hard for a process to outreach, even if it was captured. Fedora’s default Firefox already imposes more restrictive crypto preferences as the default, and if you set its security properties to “strong” and add NoScript or uBlock, I am quite sure your risks against web sites are below the risks of third-party repos. Especially if you complement it with a user account that is set to staff_u (SELinux confined user profile) or so.

As indicated above, be aware that third-party repos can be argued to be on average more dangerous than well tested browsers like Firefox on the Internet. Adding them means you trust them.

However, you should be indeed always careful what you download and then execute.


I haven’t read your post in detail, and so far I cannot contribute much more than the above responses to individual parts of your post since I am not sure what your actual goal is:

  • Do you want to find out what causes your traffic? Then this is indeed the time to get into Wireshark or tcpdump, but you might also check top and systemctl status to see what processes and services are permanently active/running, and then compare it against a normal Fedora installation. That way you can find out if something is active that is not default and which you maybe do not know about.
  • Do you fear that you have malware? If so, I would still start with my suggestions to the first: find out what processes and services are running, and use Wireshark/tcpdump to check what causes traffic. Do not by default assume there is malware or so. However, be careful with third-party repos… If you want to use them and still maximize security to the level you seem to desire, I suggest limiting third-party repos to the packages that you actually need from them. This way you e.g. prevent the third-party repo from replacing a package that is run with higher privileges by pretending to have a newer version. This is not just about replacing packages with malware intentionally but also with vulnerable and/or less tested packages.

Supplement: Maybe you just reinstall your Fedora and do not re-use anything if you still feel unsure after the above measures? And then change passwords, etc.?

There are types of malware that can persist a reinstallation since they are “below” the operating system, but they are unlikely to cause the type of issues you are currently experiencing.


Thanks so much for replying, I really appreciate it! I’ll do my best to provide you the information you require.

I believe I downloaded Fedora Server Edition. Most likely from https://torrent.fedoraproject.org

uname -r returns 6.7.7-200.fc39.x86_64

Downloaded Wireshark via sudo dnf install wireshark. Did not know about tcpdump, and it is already installed.

Sorry, I meant, I have no idea what is going on in Wireshark and I am guessing it’ll take me a week to even begin to scratch the surface of what the program does and probably should’ve been an expert at it before this happened and I can only assume hundreds of gigabytes have left my computer as well as been sent to me.

That SIG does intrigue me. I’ll have to look into it thanks.

Yes, I do worry if something in the third party repos could be responsible. I have tried to maintain a minimum amount of packages. I don’t much fear that Microsoft would try to infect us, but anything is possible and the other repos are companies/organizations that are not under constant scrutiny. I do not, however, distrust them, but that may be the problem.

Want

Yes, primarily I fear that something has leeched onto my system. I can’t think of any legitimate reason why maybe hundreds of gibibytes would have been transferred out (and in) without my consent.

Seeing as I was going to do a fresh install anyway, I would like to figure out why that happened, in order to assess if something would persist even with a format of the OS drive (but not secondary drives).

Replies, suspicions, wild speculation

I don’t want to overdo it with security per se, I just do not understand it, so am overly cautious.

Do you mean, I can tell a repository to only allow downloads/installs from an approved list of packages, rather than the whole repository being available to me? I could definitely live without some of those packages I currently have installed as well.

Also, does this mean you suspect the third-party repo to be the primary suspect of this occurring?

I do keep wondering about the IP address that showed up with so many bytes transferred to it, in such a short amount of time. I had actually created a rule in my firewall to block access to it. But figured that would not help with Wireshark/tcpdump so I disabled the rule and restarted the computer and now the transferring is no longer happening.
I do not know if this means I should just dismiss this whole thing as nothing important, with no need to investigate any further? With likely hundreds of gigabytes transferred that seems like a hard pill to swallow.
I kept getting results for CVE-2016-2211 associated with the IP address. I keep seeing the CVE description with, “…allows remote attackers to execute arbitrary code or cause a denial of service…” but it sounds Windows specific, although I did see some mentions of Mac. Strangely enough, according to Debian, Red Hat and a lot of sites that track security vulnerabilities used to have an article for this CVE but now most of them have been removed. Red Hat had a page for it but now reads, “‘CVE-2016-2211’ is not a valid bug number nor an alias to a bug.”

This is actually crazy, I have had almost 0 bytes transferred since I turned on the computer an hour ago. When I had used Wireshark in school (Windows and Linux), there would be hundreds of new entries each second on computers doing nothing, but having Wireshark open. Now there are just a handful for router, dns, ntp, Google. I have been waiting several minutes and still have yet to hit 100 entries in Wireshark, is this actually how it should behave?

Also, I really wish I’d known about tcpdump, seems easier to read, even if it is in the terminal.

I have run systemctl status but I’ll have to install Fedora on some other machine to compare, thanks for all the tips!

I’m not feeling very well so I’m going to go rest a bit, but I’ll be back later to check on replies, thanks again for your time.

I assume you installed your graphical interface, browser, etc. by yourself. You might choose an edition that is intended for normal client use cases, such as Workstation or the KDE spin. They might be better suited for you if you do nothing server-specific.

Yes. See includepkgs in DNF Configuration Reference — DNF @DNF_VERSION@-1 documentation → you can use that in the config file of the respective repository in /etc/yum.repos.d/

No. I don’t know the issue. But you seemed to desire a lot of security, and you take precautions in other areas that are very restrictive, while you seem to not consider the implications of repositories. I just wanted to make you aware that repos have security implications just like, e.g., a browser, and given your desire for security, I gave you advice how to improve security in this respect. Nothing more.

I guess you are misinterpreting something. I don’t think that you can make this CVE affect your Fedora - I guess it would be a skill to do so :)

Some rest is a good idea I think. Try to relax and calm down. I cannot tell you what the actual problem is, but what you describe doesn’t sound like an intentional attack, rather a misconfiguration or malfunction, or maybe a misinterpretation.

As far as I understand you, you are worrying about the traffic that is sent FROM your machine TO the Internet. If someone runs an attack that is so sophisticated that they achieved sufficient access to your machine that enables them to get many gigabytes of your data, you can assume that they would not make it so “noisy” because “noisy” makes it likely that you interrupt the Internet connection.

Also, be aware that the Internet has a lot of “background noise”, in both directions. This does not necessarily mean that the packages contain private data or such. E.g., your computer tells you that you are connected to the Internet or not. But how does it know? Because it sends a little package every few seconds to a server on the Internet and asks something like “are you there?” to get the answer “yes”. This already causes traffic - just for this little function.

It might be added that your machine gets all traffic from its local network (in which the IP address is resolved into the actual address of the network adapter): even if your machine is idling itself, it will see what is sent and received in the local network by others. This might explain the traffic you saw in school and when in a network.

Because packages are very small, you have to also be aware that data transfers on modern Internet connections quickly cause an unreadable amount of entries. An update in the background can be sufficient for that.

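As an added example (not code from the thread or from Fedora), here is the kind of check that goes with the includepkgs advice above: it scans a yum.repos.d directory and lists every enabled repo section that has no includepkgs line, i.e. every repo still allowed to supply or replace any package. The repo ids and URLs in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: find enabled repos under a yum.repos.d directory that have
# no includepkgs line. Against a real system run it on /etc/yum.repos.d.
# The remedy for a listed third-party repo is to add a line such as
#   includepkgs=code
# to its section (here: the repo that provides the "code" package), so dnf
# will only ever take that package from it.

# Constructed sample directory: three sections, placeholder names and URLs.
REPODIR=$(mktemp -d)
cat > "$REPODIR/example.repo" <<'EOF'
[example-thirdparty]
name=Example third-party repo (unrestricted)
baseurl=https://example.invalid/rpm/$basearch
enabled=1
gpgcheck=1

[example-restricted]
name=Example third-party repo limited to one package
baseurl=https://example.invalid/other/$basearch
enabled = 1
gpgcheck=1
includepkgs=example-app

[example-disabled]
name=Disabled repo, not a concern
baseurl=https://example.invalid/old/$basearch
enabled=0
EOF

# unrestricted_repos DIR: print the ids of enabled sections lacking includepkgs.
# A section without an enabled= line counts as enabled, which is dnf's default.
unrestricted_repos() {
  awk '
    function flush() { if (id != "" && enabled && !inc) print id; id = "" }
    /^\[[^]]+\]/ {
      flush()
      id = substr($0, 2, index($0, "]") - 2); enabled = 1; inc = 0
      next
    }
    /^[ \t]*enabled[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
      enabled = (v != "0" && v != "false" && v != "False" && v != "no")
      next
    }
    /^[ \t]*includepkgs[ \t]*=/ { inc = 1; next }
    END { flush() }
  ' "$1"/*.repo | sort
}

# Stand-alone run against the sample directory.
echo "Enabled repos without includepkgs in $REPODIR:"
unrestricted_repos "$REPODIR"
```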

Great post!

A concern that also needs to be addressed is BIOS and firmware. Once malware pollutes BIOS or firmware on the system hardware it is very hard to detect or deal with.

When receiving a new computer make sure to security harden everything you can in the BIOS and firmware settings. After the fact may not be good enough unless there have been no BIOS/firmware compromises.

@py0xc3

Edit: You may be onto something. I am by no means a Wireshark expert, but when I right click a packet, select Follow > TCP Stream the majority of the incoming traffic I captured is from various Microsoft servers? That is strange, but less worrisome.
And I suppose you may be right about misconfiguration, malfunction or misinterpretation because even though many GiB of data showed up in System Monitor as uploads and my download speeds were sub-dial-up speeds, while upload remained maxed out, absolutely nothing at all shows up in Wireshark for uploads. To the best of my abilities, it seems like to Wireshark no data was uploaded anywhere whatsoever.
/Edit

Yeah, during the installation process, I added those packages to it. Yeah, I had different plans when I installed this, but it turned into a regular desktop instead, in fact, that is exactly what I was going to do with the reinstall, just use workstation.

Thanks for the link.

Ah, yeah, I am a bit paranoid, heh.

Sorry, I meant to say that since it seems to be Windows specific I do not think it is that. I did also see things like port scanning, brute-force SSH, hacking, DNS poisoning, (D)DoS, etc. associated with it, I probably should’ve mentioned those, but they seem less concrete in my head than CVE.

misconfigurations, malfunctions and misinterpretations

Hmm…I think the last system configuration I did was to throttle dnf speeds so I could continue watching videos.

To be fair, when I did certain things, the uploads seemed to cease immediately. Updates were unaffected and went at full speed and as I said the videos buffered more but probably Google throttling ad blocker users, since it was only marginally more and could still stream at the same resolution as always, which was pushing the limits of my download speeds. But yeah, it would be strange to not throttle the uploads as well, when I started a download of my own. So, it would actually be fantastic if it was literally just a misunderstanding on my part, heh.

Hmm…looking at your last few paragraphs I think I might’ve misled you. I know that all that traffic is normal and I understand what it is (at least to some extent). I was just wondering (out loud) why there was almost no network activity whatsoever but that has nothing to do with the issue at hand. Just my curiosity getting the best of me, as I doubt that zero traffic when connected to the Internet is anything abnormal.

If you believe it unlikely to be something malicious, what would I do to help figure out what this incident was? Is there a way to read the data from the captures I performed on Wireshark? I have hundreds of megabytes of captures. Would this involve combining a lot of packets together or is it hopeless to know?

@steppybug

Yes, that is a big concern of mine, let’s just hope I’m being paranoid, hehe.

First, most IP addresses change regularly. So if you have a login attempt of SSH, this is not necessarily an attack: the address might be used by someone earlier for an SSH service (many many entities are active on the Internet!). There are also a lot of automated services that map address ranges, simply don’t do what they are intended to do but no one is aware of it, or things like that. This is the “background noise” I was talking about, and it is the reason why it is a real challenge and a skill to identify a “real attack”: Distinguishing “background noise” from attacks and other things is hard work. Just as an example.

If you tell me that downloads and uploads negatively impact each other, the first thing I have in mind is a low quality Internet connection. You might put different devices at the same Internet connection, and if you experience the issue on one, you might immediately check if the other has the same problem. I tend to assume that the bottleneck is there. At the same time, check if your Fedora has the same issue when connected to other Internet connections.

Concerning gigabytes of data, it might be asked what time period we talk about. Generally, gigabytes is nothing special today. If you watch movies on Netflix or YouTube, you get gigabytes of downloads quickly. With video conferencing, you get it managed to have gigabytes in both directions, download AND upload.

If only your Fedora is affected and no other system at the same Internet connection, and if large amounts of data transfers occupy the Internet connection (I assume you have an Internet connection that is by default sufficient for video streaming) for longer periods while you do nothing (and while no other device is connected through your Fedora, e.g., when Fedora has a WiFi hotspot), you might check at the very time what exactly occupies them with, e.g., nethogs → install with dnf install nethogs

Nethogs will monitor (and show) which process sends / receives what amount of data per second. As far as I understand your concerns, I guess nethogs is currently the best service for you.

It is likely to identify the process that causes the “unintended” traffic. However, keep monitoring it for some time to see if it is always the same process that causes such traffic amounts, but I guess it will show that (IF the origin is in Fedora), it will be one process we can isolate as “origin”. Also, be aware that short sending/receiving peaks in processes are nothing special and can be ignored. If there is a massive use of Internet bandwidth and if the origin is in/on Fedora, then we are seeking something that causes large amounts of traffic for longer periods.

Just to ensure that it is nothing trivial: Do you have daily automatic updates enabled?


Sorry, I will continue replying to you later, but I just saw a spike of upload, it seems that the transfers are happening by something that has a PID of ? by user root of an unknown TCP program. Is that normal? Should the PID not appear? I ran the program as sudo nethogs so I should be able to know the PID?

Edit:
Okay, from what I find online, it is nothing alarming, it just catches all traffic that they could not figure out where it came from. And as you pointed out random spikes for 10 seconds is nothing to worry about.

Ah, okay, that makes sense. I just assumed someone was keeping the address permanently since there were over 3 years of complaints about it. But now I see what you mean about the ‘background noise’ I thought you meant what I normally observe, my bad there.

Hmm…if I understand you correctly, you mean that one device is negatively impacting another? If so, only the computer in question was turned on (no phone or other devices either). I did test a download of Fedora Workstation ISO on a secondary computer when I disconnected the one with the ‘issue’ and download was slow as well, might be ISP throttling me again, usually happens when I transfer around 100GB or more in a day. Tested today and downloads fine.

Unfortunately, I do not have access to another internet connection.

No video calls, no file uploads, no transfers to another device, nothing from my part that would constitute an intentional or unintentional (that I am aware of) upload. And I understand GB is nothing nowadays, but I have never noticed this on an idle computer. I could understand 100MiB after a full day’s worth of idling but not 100MiB in a couple minutes with all windows closed.
That would be a good point though, if I didn’t think that video calls were uploading data. Unfortunately, my computer has no camera or mic and I have been bedridden from my desktop and my keyboard is wired and does not reach my bed so I leave it there. I just login, go to YouTube and let it auto-play videos. Pause it if I need to sleep, then play again when feeling better.

Okay this secondary computer (same LAN, I do not have a WLAN AP) has been on for a while and zero uploads are occurring, or well a KiB here and a KiB there, but you know what I mean, nothing that screams out of the normal.

Oh, I just mentioned that today it happens sporadically and you said that is normal and can be ignored. Yeah, the massive continuous (for hours at a time) uploads have ceased. So, what I am seeing now is of no concern but when it was constant, that’s when I should’ve been using Wireshark, tcpdump and nethogs, haha…Well that is concerning but I suppose there is nothing to do about it now.

No, I do not have daily uploads enabled.

I’m pretty sure I know your answer but might as well ask to be sure. Seeing as it is not happening continuously (every second of the whole day) anymore then it is probably nothing to worry about and I should just do the fresh install I was going to perform without worrying?

If so I’ll just mark your post as Solution and thank you so very much for all the time you’ve taken, for your infinite patience with how confusing I can be, for sharing your knowledge, letting me know about these monitoring tools as well as the includepkgs and SIG, you have no idea how much help you have been.

Every process has a PID (although, e.g., Firefox can run multiple processes, so that you have multiple PIDs that are Firefox). For further evaluation, we need the process name or the PID of the process that causes the issue. You should be able to get that with nethogs. Actually, we need the process name, but if you have the PID, we can identify it: to get the process name from a PID, use ps -p <PID> (e.g., ps -p 15000 if the PID is 15000).

Be aware that the PIDs change over time, and a PID is not always allocated to the same process. So do the ps command at the very time when the problem occurs. And some information of the amount of data that is transferred per second (e.g., Mb/s or MB/s - not the same!) and the time period it is transferring that amount of data would be relevant too. E.g., 214 seconds, always above 5 MB/s, never below 3 MB/s, average 4 MB/s. That type of information.

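The two replies above (keep nethogs running for a while and only care about a process that sends heavily for consecutive refresh cycles, then resolve its PID with ps -p) can be turned into a small script. This is an added example, not code from the thread; it assumes the text layout of nethogs trace mode (nethogs -t), program/pid/uid, sent, received in KB/s, and the sample trace and the example-sync process in it are constructed.

```shell
#!/bin/sh
# Added example: find processes whose SENT rate stayed above a threshold
# for several consecutive nethogs refresh cycles, then resolve the PID with
# ps -p. Input is the text written by `nethogs -t` (trace mode); the line
# layout program/pid/uid<TAB>sent<TAB>received (KB/s) is assumed here.

# Constructed sample trace: four refresh cycles. "unknown TCP/0/0" spikes
# once (a short peak, ignorable); the hypothetical example-sync process
# keeps sending above 1000 KB/s in every cycle.
SAMPLE=$(mktemp)
{
  printf 'Refreshing:\n'
  printf '/usr/lib64/firefox/firefox/2405/1000\t0.013\t0.071\n'
  printf 'unknown TCP/0/0\t1481.18\t0.727\n'
  printf '/usr/bin/example-sync/4120/1000\t1400.5\t12.3\n'
  printf 'Refreshing:\n'
  printf '/usr/lib64/firefox/firefox/2405/1000\t0.050\t0.300\n'
  printf 'unknown TCP/0/0\t0.5\t0.4\n'
  printf '/usr/bin/example-sync/4120/1000\t1390.2\t11.8\n'
  printf 'Refreshing:\n'
  printf '/usr/lib64/firefox/firefox/2405/1000\t0.020\t0.090\n'
  printf '/usr/bin/example-sync/4120/1000\t1410.9\t12.0\n'
  printf 'Refreshing:\n'
  printf '/usr/lib64/firefox/firefox/2405/1000\t0.010\t0.080\n'
  printf 'unknown TCP/0/0\t0.3\t0.2\n'
  printf '/usr/bin/example-sync/4120/1000\t1398.0\t12.1\n'
} > "$SAMPLE"

# sustained_senders TRACEFILE THRESHOLD_KBS MIN_CYCLES
# Prints "pid<TAB>program<TAB>longest_streak" for every process whose sent
# rate was >= THRESHOLD_KBS in at least MIN_CYCLES consecutive cycles.
sustained_senders() {
  awk -F '\t' -v thr="$2" -v need="$3" '
    /^Refreshing:/ {
      # a process absent from the previous cycle loses its streak
      for (k in streak) if (!(k in seen)) streak[k] = 0
      for (k in seen) delete seen[k]
      next
    }
    NF >= 3 {
      key = $1; sent = $2 + 0; seen[key] = 1
      if (sent >= thr) {
        streak[key]++
        if (streak[key] > best[key]) best[key] = streak[key]
      } else {
        streak[key] = 0
      }
    }
    END {
      for (k in best) if (best[k] >= need) {
        n = split(k, p, "/"); pid = p[n - 1]
        prog = k; sub(/\/[0-9]+\/[0-9]+$/, "", prog)
        print pid "\t" prog "\t" best[k]
      }
    }' "$1" | sort
}

# pid_name PID: the ps -p lookup from the thread. nethogs reports pid 0 for
# traffic it cannot attribute to a process ("unknown TCP").
pid_name() {
  if [ "$1" -gt 0 ] 2>/dev/null; then
    ps -o comm= -p "$1" 2>/dev/null || echo "(pid $1 already gone)"
  else
    echo "(unattributed by nethogs)"
  fi
}

# Stand-alone run: senders at >= 1000 KB/s for at least 3 cycles. Against a
# live capture, record with `sudo nethogs -t > trace.txt` for a few minutes
# and pass trace.txt instead of "$SAMPLE".
sustained_senders "$SAMPLE" 1000 3 | while IFS="$(printf '\t')" read -r pid prog streak; do
  echo "PID $pid ($prog): >= 1000 KB/s for $streak cycles; ps says: $(pid_name "$pid")"
done
```

Because PIDs are reused, run the ps lookup while the traffic is still flowing, as the reply above says.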

@py0xc3

Sorry, took me a while to edit the previous post.

Yeah, my output from nethogs looked a bit like:

PID     USER     PROGRAM         DEV         SENT       RECEIVED 
?       root     unknown TCP     <blank>     1481.18    0.727 KB/sec
2405    welter   firefox         enp0s25     0.013      0.071 KB/sec

But as far as I can tell ? root unknown TCP is something that happens very commonly. And since it only happened for like 10 seconds, it is probably not the same thing as the continuous uploads I was getting earlier.
No yeah, I’m out of it but it was definitely MB/s not Mb/s.

Sadly, I do not think we can troubleshoot it anymore, if it stopped happening and I will just have to hope that hundreds of GB of uploads was some strange malfunction.

I assume you run nethogs without sudo privileges, so it may have no access to the data. You can do it with sudo and see if it outputs more.

However, what you have shown is no relevant data transfer. I doubt that you would experience this transfer in any way if your Internet connection can manage video streaming.

The question for me is how long this issue must have lasted so that it could upload hundreds of GB because most end user Internet connections would need a lot of time for this amount (end user Internet connections are usually asymmetric, which means that they can upload much less than they can download).

Maybe whatever data you were using was falsified by some means, or it was a misinterpretation and the amount of GB was, e.g., the sum of a much longer time period, or it referred to something else. The issue you experienced could be simply an issue of the Internet connection. Bottlenecks occur since end user Internet connections usually share their bandwidth with others (to achieve competitive prices). Also, technical difficulties occur. So I would not automatically link any data about uploads to the issue you experienced.

In any case, this is unlikely to indicate a malware that is below your operating system: that type of malware would not produce this type of symptoms. You may reinstall Fedora and do not reuse executables/binaries to ensure some “explicit security”, but I do not see a need to do more with the data we have so far.


I would then say that at this point you have nothing to worry about and deal with immediately.

Feel free to perform the fresh install with the Fedora image of your choice you downloaded earlier. After that, just try to keep the amount of software installed by third-party repositories to a minimum and in general to be more mindful about your system usage should you happen to notice some peculiarities like the ones you saw when you initially wrote now. In normal, day-to-day use of software packaged in the official Fedora repositories, everything usually just works. Have some rest if you need it and do the fresh install when you have the time for that. If you have any issues in future, you can always write in these discussion boards.

You already did a good analysis of your situation and thought about many things (firewall, etc), so you have a good starting point to understand it if something similar ever happens again. You can also use the tips given by @py0xc3 to limit installation of 3rd-party packages only to what you explicitly require. If the problem occurs again, you now have some clue about what programs you can use to diagnose it better as it happens, so you will be able to open a new topic with more specific information while it is still happening.

You can also think about installing some of the software you need using Flatpak, e.g. if it is packaged on FlatHub. I know this is not feasible in many cases but a lot of desktop programs are available there and are working very well. It’s just one more thing that may potentially help you with reducing the amount of 3rd-party repositories on your system.

For now, I think you should be good to go and I hope that whatever happened is not going to bother you after the fresh install you planned to do in the first place.


No, nethogs will not run without root privileges.

Yeah, that’s correct that was an irrelevant transfer unlike what I originally posted about.

I feel like maybe it was a malfunction because now that you mention it, how did I get 43 GiB of up/downloads in a few hours on my connection? That makes no sense. Yeah, I feel like System Monitor resets after each session but maybe it carried over from before whatever was malfunctioning.

Yeah, I’ll reinstall. Seeing as it seems like it was just a glitch in the system.

@smarnv
Yeah, thanks, I never use my computer anyway so might as well just forgo third-party repos for now and if I need them in the future I’ll limit them. And I’ll be sure to keep the tools mentioned here on hand for future needs.

Oh good point on if I add something and it occurs again, there could be the culprit.

Two more ideas:

  1. You mentioned downloading something from https://torrent.fedoraproject.org - any chance that you’re still seeding? The BitTorrent protocol definitely has the capabilities to max out your connection speed.

  2. I read about a virtual machine:

What OS is it? How do you connect to the graphical desktop? I do not remember completely the circumstances, but I saw a huge “network” load (similar to what you mentioned) while working with a VM via SPICE or RDP (Windows) but in the end it was all just streaming the desktop over the loopback interface to the host.
