Bananian

Zombie / bot-infected Bananian?

Edited by meretzkov980 at Wed Aug 26, 2015 15:04

Hello guys,
Can someone share his opinion on a behaviour I have noticed on my Banana Pro?

The Problem:
I've started looking at what seemed to be a brute-force SSH attack from a couple of addresses. The odd thing is that I have a dynamic IP and logs (images) of 2 previous installations (timespan 2 months), and they all show that no matter what IP I get, I was always a target of those and some new IPs. The last image I used has no added stuff (to influence the traffic); I checked for rootkits, added suspect IPs to iptables, and it seemed like it was all fine until I checked tcpdump. It seems like my Banana was sending/receiving stuff to/from all around (IPs unknown to me). Below are some parts of the dump:
......
20:02:13.643518 IP temart-ws08.junik.lv.26755 > redstar.51413: UDP, length 101
20:02:13.643970 IP redstar.51413 > temart-ws08.junik.lv.26755: UDP, length 387
20:02:13.873405 IP temart-ws08.junik.lv.26755 > redstar.51413: UDP, length 101
20:02:13.873865 IP redstar.51413 > temart-ws08.junik.lv.26755: UDP, length 387
20:02:13.962472 IP 58.62.139.37.59208 > redstar.51413: UDP, length 101
20:02:13.962904 IP redstar.51413 > 58.62.139.37.59208: UDP, length 467
20:02:14.243375 IP temart-ws08.junik.lv.26755 > redstar.51413: UDP, length 101
20:02:14.243843 IP redstar.51413 > temart-ws08.junik.lv.26755: UDP, length 387
20:02:14.289858 IP 108-235-25-31.lightspeed.tukrga.sbcglobal.net.6881 > redstar.51413: UDP, length 101
20:02:14.290207 IP redstar.51413 > 103-151-223-66.gci.net.43263: UDP, length 58
20:02:14.290351 IP redstar.51413 > 108-235-25-31.lightspeed.tukrga.sbcglobal.net.6881: UDP, length 266
20:15:02.540196 IP host249-205-dynamic.211-62-r.retail.telecomitalia.it.36915 > redstar.51413: UDP, length 124
20:15:03.652721 IP redstar.51413 > rrcs-24-43-1-206.west.biz.rr.com.10809: UDP, length 94
20:15:03.961143 IP rrcs-24-43-1-206.west.biz.rr.com.10809 > redstar.51413: UDP, length 94
20:15:04.112714 IP 4E5C6D47.dsl.pool.telekom.hu.27468 > redstar.51413: UDP, length 124
20:15:04.884342 IP host24-240-static.15-188-b.business.telecomitalia.it.62594 > redstar.51413: UDP, length 124
20:15:06.277782 IP ip122-138-173-82.adsl2.static.versatel.nl.1024 > redstar.51413: UDP, length 101
20:15:06.278175 IP redstar.51413 > ip122-138-173-82.adsl2.static.versatel.nl.1024: UDP, length 379
20:15:06.309081 IP softbank060155031129.bbtec.net.18958 > redstar.51413: UDP, length 101
20:15:06.309315 IP redstar.51413 > softbank060155031129.bbtec.net.18958: UDP, length 435
20:15:06.531020 IP pool-96-250-212-53.nycmny.fios.verizon.net.64765 > redstar.51413: UDP, length 104
20:15:06.531360 IP redstar.51413 > pool-96-250-212-53.nycmny.fios.verizon.net.64765: UDP, length 283

......

And such odd IPs keep rolling in all the time. Some of the IPs are the ones that were brute-forcing my SSH.
Am I paranoid, or is my Banana Pro contacting other "zombie" friends (or calling home, wherever that is)?
What are your experiences? Any advice?

Thanks





I am no expert in these matters, but I notice port 51413 appearing in the list. Could this be anything to do with Transmission?

Thank you for the suggestion @johnvick.  
I didn't find any running process related to Transmission, nor is transmission-daemon.service running. It seems the MD5 of the image I have and that of the appropriate "original" do not quite match; God knows where I picked up mine.
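A small triage helper for the kind of capture posted above, added here as an example (not from the original poster or from the Bananian project): it parses tcpdump's summary lines, groups traffic by the local port, counts distinct remote peers per port and labels port 51413 with its well-known default user. The sample lines, the local hostname "redstar" and the port label table are assumptions modelled on the post.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default summary format, modelled on the post.
SAMPLE_DUMP = """\
20:02:13.643518 IP temart-ws08.junik.lv.26755 > redstar.51413: UDP, length 101
20:02:13.643970 IP redstar.51413 > temart-ws08.junik.lv.26755: UDP, length 387
20:02:13.962472 IP 58.62.139.37.59208 > redstar.51413: UDP, length 101
20:02:13.962904 IP redstar.51413 > 58.62.139.37.59208: UDP, length 467
20:02:14.290207 IP redstar.51413 > 103-151-223-66.gci.net.43263: UDP, length 58
20:15:02.540196 IP host249-205-dynamic.211-62-r.retail.telecomitalia.it.36915 > redstar.51413: UDP, length 124
20:15:06.531020 IP pool-96-250-212-53.nycmny.fios.verizon.net.64765 > redstar.51413: UDP, length 104
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<proto>UDP|TCP), length (?P<len>\d+)"
)

# Default-port labels used only to annotate a finding, not to conclude from it.
KNOWN_PORTS = {51413: "Transmission default peer port (BitTorrent/DHT)"}


def split_host_port(endpoint):
    """tcpdump prints host.port; hostnames contain dots, so split on the last one."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def summarize(dump, local_host):
    """Per local port: sorted distinct remote peers, packet counts per direction, bytes sent."""
    stats = defaultdict(lambda: {"peers": set(), "in": 0, "out": 0, "bytes_out": 0})
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation lines and anything that is not a summary line
        src_host, src_port = split_host_port(m["src"])
        dst_host, dst_port = split_host_port(m["dst"])
        if dst_host == local_host:  # inbound to the board
            s = stats[dst_port]
            s["peers"].add(src_host)
            s["in"] += 1
        elif src_host == local_host:  # outbound from the board
            s = stats[src_port]
            s["peers"].add(dst_host)
            s["out"] += 1
            s["bytes_out"] += int(m["len"])
    return {p: {**v, "peers": sorted(v["peers"]), "label": KNOWN_PORTS.get(p, "unknown")}
            for p, v in stats.items()}
```

A port that shows many distinct peers in both directions is worth matching against `ss -unap` on the board itself, which lists the process (if any) bound to that UDP port.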
