Welcome to SparkyLinux forums
You are also welcome on the Polish-language forum https://forum.linuxiarze.pl

How to block over a hundred bad IP addresses?

Started by mee, July 11, 2020, 06:31:31 PM


mee

Hi, I've been using Sparky for over a year now and have run into a tracking problem or Major security issue. After a fresh install my Sparky calls out to well over a hundred different IP addresses after updating it. I have tried the HOSTS file and the Block Hosts file, to no avail. It seems that as soon as just 1 of these rogue IP addresses calls home it downloads a HUGE LIST of fresh ones. Where can I find these lists so I can delete them? Also tried ClamAV, and after I update the system the antivirus does not work afterwards. Even tried BleachBit; that will not clean it out, gives 3 errors: 1 memory, 1 swap and 1 child process error. As soon as I boot with the ethernet cable unplugged I pull up the command prompt and plug the cable in; as soon as it connects I type netstat and there it is, HUNDREDS OF ROGUE IP ADDRESSES that can't be blocked. HELP, I LOVE SPARKY!

8bit

Restore from a recent backup.

I could never be sure I cleaned it out. For me it's nuke from orbit and pave. YMMV

https://smallbusiness.chron.com/cleanse-virus-bios-79706.html

Good luck,

8bit

bin

Perhaps it would help if you provided a copy of the list?

You say that this is a fresh install. Just to be clear, you install Sparky, use a clean /home/user and then as soon as you connect you get this huge list of bad addresses?

OR is there some bit that you have missed out?

Bleachbit is a file cleaner - how do you get it to show memory, swap and child process errors - or is that what happens when you try to run Bleachbit?

mee

Thank you for your response and the link to a very informative topic. After I do a fresh install I always run the netstat command to see who my computer calls out to. With a clean install [after the H.D. has been formatted] Sparky installed calls out to 3 IP addresses; I figure it's updating or checking for updates. It's after I use the update manager and install extra packages that I get MANY unknown IP addresses. I find them by using the [netstat command in terminal]. The key to finding them is to allow Sparky to fully boot with the ethernet cable UNPLUGGED, and after Sparky boots, then run the netstat command, and there you are. I kinda feel that the servers have been hacked and files have been replaced with fakes. But that's why I'm asking: PLEASE try the netstat command on your machine by this method and see if yours is infected too. And I get BleachBit to give me these errors only after running it twice, to get all 3 errors. THANK YOU IN ADVANCE FOR YOUR TIME AND EXPERTISE. I feel this may be a global problem.
Is it OK to copy and paste the addresses of the rogue websites in the box I'm typing in now, without being banned or reprimanded?

bin


netstat -a > netstat.txt

Attach

You have not provided any information about what apps you have installed - any/many could be very chatty.

You will always see a burst of traffic from NTP, update checking etc - not sure if geo-ip does a bit of calling as well.

Repeat question - Bleachbit is a file cleaner - how are you seeing the errors you describe?

mee

By BleachBit: when it gets done doing its thing, IT WILL SHOW the errors that it could not complete. Please give me a bit to find a site where I can host my "Try to block" blocklist so it can be reviewed by you. And to end the TAILS session, reboot into Sparky and write down installed apps, and reboot into Tails again. I've only been a fan of LINUX for about 5 years now, and a dedicated fan of Sparky for almost 3 years now, and I'm still learning. Have you tried the fully-boot method with the cable unplugged, and well after boot, plug the ethernet cable in and run the netstat command? Sometimes I have to enter the netstat command 7 or 8 times before it will show who it's connected to. Thank you in advance for your patience.

mee

I have the list hosted now; it is at http://txt.do/1gya8  Please note that there may be some addresses added more than 1 time as I have run the netstat command more than once. Installed apps are:
Clamtk  Which does not work.
Gtkhash
Hashcheck
Timeshift
uget
usbdiskformatter
I believe these are the programs I installed. I just thought someone knew the location of the file that contains the list that calls out to all these ENTITIES, or some way to BLOCK them from calling out other than using the hosts file and the Block Hosts file, as I'm not having any luck and am completely unable to stop it, so I can delete them and have a secure machine again. Thank you for your great knowledge and understanding concerning deleting/blocking these MANY and UNWANTED ENTITIES. THANK YOU

bin

What options are you ticking in Bleachbit?

I only use it to clean out unwanted language files, but it does offer a lot of system options.

Not entirely sure I would want to be trying to clean memory.....

Sorry - I don't do short links

Here's the top of my netstat -a   All the rest is irrelevant at this stage - please do likewise.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                         
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                         
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                         
udp        0      0 flopsy.local:ntp        0.0.0.0:*                         
udp        0      0 flopsy.local:ntp        0.0.0.0:*                         
udp        0      0 localhost:ntp           0.0.0.0:*                         
udp        0      0 0.0.0.0:ntp             0.0.0.0:*                         
udp        0      0 0.0.0.0:ipp             0.0.0.0:*                         
udp        0      0 0.0.0.0:60293           0.0.0.0:*                         
udp6       0      0 [::]:mdns               [::]:*                             
udp6       0      0 [::]:50623              [::]:*                             
udp6       0      0 [::]:sunrpc             [::]:*                             
udp6       0      0 fe80::fa4a:22da:f88:ntp [::]:*                             
udp6       0      0 localhost:ntp           [::]:*                             
udp6       0      0 [::]:ntp                [::]:*                             
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7         
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     15128    /run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     15132    /var/run/dbus/system_bus_socket


mee

I checked all the boxes in BleachBit, but I don't know what that has to do with the location of the file that contains the HUGE list of rogue IP addresses that I need to find and/or disable/delete. I have just downloaded the Sparky minimal ISO {it took 4 times before the checksums matched} and only then after switching servers. It DOES NOT CALL OUT LIKE THE brand new one does, "Nibiru" 5.12. My question is a very simple one: EXACTLY WHERE IS THE LIST IN AN INSTALLED SPARKY INSTALLATION THAT CONTAINS THE LIST OF IP ADDRESSES THAT CALLS HOME? I'm sure this is probably a common problem by now, and feel it should be addressed. THANK YOU.

bin

If you've ticked all the boxes in Bleachbit then there's a good chance it will break, so that explains the errors.
If you don't know - or understand - what an option is for I suggest you don't use it - especially if you are running the Administrator option :)

We now know that you are seeing this on the new 5.12 release which helps

The fact that it took 4 goes to get a valid checksum is interesting. I trust you were downloading from https://sourceforge.net/projects/sparkylinux/files/latest/download  Some mirrors can be a bit sluggish, I have to frequently swap between them depending on time of day.

Please could you provide the lines of say a dozen of the addresses that show up in your netstat? Just copy and paste a chunk out of the file you created

There is no central file that does what you suggest, individual services or applications would be responsible. Just out of interest, do you see this happening on the live version or only after install?

mee

Yes, I was downloading from SourceForge; I had to change mirrors twice. It is calling out after a clean install. I even went with a Sparky Minimal install; that helped, but after installing Mozilla Firefox it started again. After some digging in Firefox I found there is no way to remove the Trusted Credentials of dubious entities like Amazon, Google, Baltimore, Microsoft, Deploy.Akamaitechnologies, and other minor web trackers. I feel it is a Major Security flaw that should be investigated. I have installed other web browsers like IceCat, with only the same results. I've even deleted the certificates only for them to reappear at next boot. I have posted a partial list in my other post in this thread. You have made more sense than anyone so far. Thank you

mee

sfo07s17-in-f10.1:https ESTABLISHED
a104-123-154-192.d:http ESTABLISHED
ec2-54-149-192-13:https ESTABLISHED
ec2-34-247-232-11:https ESTABLISHED
72.21.91.29:http        ESTABLISHED
sfo03s07-in-f3.1e1:http ESTABLISHED
ec2-34-247-232-11:https ESTABLISHED
sfo03s07-in-f3.1e1:http ESTABLISHED
lax17s46-in-f3.1e1
a23-1-237-161.depl:http
a96-16-172-31.dep
lax31s01-in-f14.1:https

bin

OK - of those I can tell you that 72.21.91.29 is Verizon so I guess that may be your ISP?

Here is my netstat with Firefox running and then immediately after closing it and anything else

Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 flopsy.local:53362      lhr25s28-in-f4.1e:https ESTABLISHED
tcp        0      0 flopsy.local:33090      104.x.x.x:https     ESTABLISHED
tcp        0      0 flopsy.local:50712      93.x.x.x:http      TIME_WAIT 
tcp        0      0 flopsy.local:35384      172.x.x.x:https    ESTABLISHED
tcp        0      0 flopsy.local:53360      lhr25s28-in-f4.1e:https TIME_WAIT 
tcp        0      0 flopsy.local:50710      93.x.x.x:http      TIME_WAIT 


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 flopsy.local:35778      lhr48s08-in-f10.1:https TIME_WAIT 
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     


This is all quite normal. If I were seeing lots of connections but with nothing else running - no browser, no email, no music streaming, no internet driven wallpaper changer, nothing - then I would be puzzled.

So, I have to come back to my original question to be sure what is going on.

If you are running the XFCE based sparky then go to Session and Startup and disable APTus Upgrade checker and Blueman.

Shut down.
Start the machine from cold, all network connections plugged in as normal.
Wait 5 minutes and do nothing.
Start terminal and run netstat -a
Copy and paste result into Mousepad or other editor - then open Firefox and reply to this.

What did you get?
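To make the comparison bin is asking for repeatable, here is an added helper (not from this thread or from SparkyLinux) that parses a `netstat -a` dump in the format quoted above, drops listeners with a wildcard peer, and counts the remote hosts the box actually has connections to. The sample input is constructed to mirror the quoted output; note that `netstat -a` alone never shows which process owns a socket, so pair it with `netstat -p` or `ss -tunap` as root to attribute each peer to a program.

```python
"""Triage a `netstat -a` dump: which foreign hosts is this box really talking to?"""
import re
from collections import Counter

# Constructed sample modelled on the netstat output quoted in the thread.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp        0      0 flopsy.local:53362      lhr25s28-in-f4.1e:https ESTABLISHED
tcp        0      0 flopsy.local:33090      104.0.0.1:https         ESTABLISHED
tcp        0      0 flopsy.local:50712      93.0.0.1:http           TIME_WAIT
tcp        0      0 flopsy.local:53360      lhr25s28-in-f4.1e:https TIME_WAIT
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
udp        0      0 0.0.0.0:ntp             0.0.0.0:*
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     15128    /run/avahi-daemon/socket
"""

# proto recv-q send-q local foreign [state]; UDP lines carry no state column
LINE = re.compile(r"^(tcp6?|udp6?|raw6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def parse_netstat(text):
    """Yield (proto, local, foreign, state) for every Internet socket line."""
    for line in text.splitlines():
        if line.startswith("Active UNIX"):
            break  # UNIX domain sockets never leave the machine
        m = LINE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            yield proto, local, foreign, state or ""

def remote_peers(text):
    """Count (foreign host, state) pairs that have a real peer, not a wildcard."""
    peers = Counter()
    for _proto, _local, foreign, state in parse_netstat(text):
        host, _, port = foreign.rpartition(":")
        if port == "*" or state == "LISTEN":
            continue  # wildcard peer: a listener waiting for input, not a call-out
        peers[(host, state)] += 1
    return peers

def summary(text):
    """Distinct remote hosts plus how many sockets the box itself exposes."""
    hosts = sorted({host for host, _ in remote_peers(text)})
    listeners = sum(1 for _p, _l, f, _s in parse_netstat(text) if f.endswith(":*"))
    return {"remote_hosts": hosts, "listeners": listeners}

if __name__ == "__main__":
    for (host, state), n in sorted(remote_peers(SAMPLE).items()):
        print(f"{n:3d}  {state:<12} {host}")
    print(summary(SAMPLE))
```

Run it against the two captures bin describes (idle after a cold boot, then with Firefox open) and diff the `remote_hosts` lists: hosts that appear only in the second capture belong to the browser, not to the base system.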

mee

Verizon is not my ISP, and I'm using the Openbox manager and can't find Session and Startup anywhere. Now I'm getting 3 separate connections to Microsoft. I didn't realize this was going to be so much of a problem, just blocking a call-out connection. I stopped using Linux Mint, Septor, and antiX for this same reason. I feel it has to do with your Trusted Certificates, as ALL of your encrypted data can easily be decrypted by these nosy snoopers. I see they have taken Tails off too; you can't even get it any more. Sorry I've taken up so much of your time. I'm gonna throw this thing out in the yard and be done with spyware and tracking crap for good. Please close this thread because I'm DONE. THANK YOU
