Checking if computer is compromised?

7

3

I run Ubuntu 9.04 and was recently told by my university that my computer is massively port scanning the network.

I am interested in learning more about figuring out what is happening to stop it, but I am lost at where to begin. What steps should I take (or files to look at) to figure out what is happening?

Jordan Bhat

Posted 2010-02-05T16:21:53.767


Answers

2

Use a network sniffer like Wireshark to see what kind of traffic is sent over your network interface?

TheGrandWazoo

Posted 2010-02-05T16:21:53.767


2

$ sudo apt-get install htop

It's a cooler version of 'top' so you can go through all the processes. Check them all out, see if you see one in particular that is running which you didn't expect.
Check your crontab. Check "ps waux | less".
Next: download rootkit scanners, make sure you didn't get, in the parlance, pwned.

Trevoke

Posted 2010-02-05T16:21:53.767

Reputation: 408
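As an added example, not code posted by anyone in this thread, here is a small triage script that ties the two answers together: it walks the process, socket and cron checks Trevoke lists, and adds a quick capture of outgoing SYNs as a command-line stand-in for the Wireshark look TheGrandWazoo suggests. The one piece of real logic, `flag_fanout`, reads `netstat -ntp` style lines and counts how many distinct foreign hosts each PID is talking to; a browser or SSH session touches a handful of hosts, a scanner fans out to dozens or hundreds, so that column points straight at the offending process. It assumes net-tools `netstat` (shipped with Ubuntu 9.04; `ss -ntp` produces similar columns), awk, and optionally tcpdump. The netstat text inside the script is a constructed sample so the parser can be run offline, and the threshold of 10 hosts is an illustrative default, not a tuned number.

```bash
#!/bin/bash
# Added example: triage helper for "my box is port scanning" reports.
# Not from the original thread; netstat sample below is constructed.

# Read netstat-style lines from stdin ("netstat -ntp" on Ubuntu 9.04) and,
# per PID/program, count distinct foreign hosts and half-open (SYN_SENT)
# connections. Prints "pid/program hosts syn_sent" for every program that
# touches at least $1 distinct hosts, sorted by program.
flag_fanout() {
    awk -v thr="$1" '
        $1 ~ /^tcp/ {                          # skip netstat headers, keep tcp/tcp6 rows
            host = $5                          # foreign address column
            sub(/:[0-9]+$/, "", host)          # drop the port, works for v4 and v6
            prog = $NF                         # "PID/Program name" column
            if (!((prog SUBSEP host) in seen)) { seen[prog SUBSEP host] = 1; hosts[prog]++ }
            if ($6 == "SYN_SENT") syn[prog]++
        }
        END {
            for (p in hosts)
                if (hosts[p] >= thr) print p, hosts[p], syn[p] + 0
        }
    ' | sort
}

# Constructed sample: one perl process fanning out across the LAN with
# half-open connections (the shape of a scan), plus a browser with two
# ordinary connections to a single host.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:51004          10.0.1.7:22             SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:51005          10.0.1.8:22             SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:51006          10.0.1.9:22             SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:51007          10.0.1.10:22            SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:51008          10.0.1.10:443           SYN_SENT    4321/perl
tcp        0      0 10.0.0.5:46012          192.0.2.10:80           ESTABLISHED 2210/firefox
tcp        0      0 10.0.0.5:46013          192.0.2.10:443          ESTABLISHED 2210/firefox'

# Collect the evidence the thread recommends from the live machine.
# Needs root so netstat can map sockets to PIDs and crontab -u works.
live_triage() {
    thr="${1:-10}"                             # illustrative default, not a tuned value
    echo "== all processes (look for anything you did not start) =="
    ps waux
    echo "== listening sockets and the programs behind them =="
    netstat -ntlp
    echo "== outbound fan-out: programs talking to >= $thr distinct hosts =="
    netstat -ntp | flag_fanout "$thr"
    echo "== cron entries for every user plus system cron dirs =="
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done
    ls -l /etc/cron.d /etc/cron.hourly /etc/cron.daily 2>/dev/null
    echo "== next 200 SYN packets (scans show as a burst of SYNs to many hosts) =="
    tcpdump -ni any -c 200 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    live_triage "${2:-10}"
else
    # Offline demo on the constructed sample: only the perl process trips a
    # threshold of 3 distinct hosts.
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_fanout 3
fi
```

Run it with no arguments to see the parser work on the sample; run `sudo ./triage.sh --live` on the reported machine. A PID that shows up with a large host count and a pile of SYN_SENT entries is the one to look at in `ps` and `ls -l /proc/<pid>/exe`; a clean run here still does not rule out a rootkit that hides its sockets from netstat, which is why Trevoke's last step (an offline scanner such as rkhunter or chkrootkit) is still worth doing.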

-1

Sounds like your university (like mine and most) is just anti-Linux or at least Windows-centric. Does anyone else running Linux (Ubuntu or otherwise) get a similar warning? The above-mentioned methods (htop & Wireshark) of monitoring should help if it is compromised (very unlikely).

valbaca

Posted 2010-02-05T16:21:53.767

Reputation: 404

It's also possible that, during a setup, it scanned the whole network/domain to find printers, domain controllers, etc etc.. A one-time deal which showed as an unusual spike. Who knows. – Trevoke – 2010-02-05T18:29:49.187