security breach? [solved]

Wallsandfences · Guru Joined: 29 Mar 2010 Posts: 378

Hi,
An hour ago I started my box. I'm running the profile change induced updates at the moment.

My hardware monitor shows, that my box uploaded 500MB at a more or less constant rate of 180Kib/sec during this hour.

I have no uploads running. So I think something strange is going on. How would you proceed from here?

R.

roboto · Posted: Sun Dec 03, 2017 3:36 pm Post subject:

What network service are you using?

I've had experience with DHCP constantly sending packets to 127.0.0.1.

If you have wireshark installed, then you can see where your packets are going. If they're going to 127.0.0.1, then you're fine. If they're going to a different and unfamiliar IP address, then something's up.
_________________
Answers please.

The true hater of man expects nothing from him and is indiscriminate to his works.
-Ayn Rand

Wallsandfences · Guru Joined: 29 Mar 2010 Posts: 378

I use NetworkManager

Great tip re wireshark, it shows that the traffic goes to 224.0.0.56

I recall that‘s reserved, so not sure what that tells me...

NeddySeagoon · Posted: Sun Dec 03, 2017 5:24 pm Post subject:

Wallsandfences,

That's 224.0.0.37-224.0.0.68 zeroconfaddr according to iana
Your box is multicasting something.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Wallsandfences · Guru Joined: 29 Mar 2010 Posts: 378

Ok found it: multicast/rtp was active in pulseaudio. Switching it off solved the issue

Ant P. · Watchman Joined: 18 Apr 2009 Posts: 6920

(edit: too slow, but might be useful for someone else)
Run lsof -ni (as root) and it should show what program's sending to that IP.

Wallsandfences · Guru Joined: 29 Mar 2010 Posts: 378

Ant P., your reply is still helpful, thanks!
R.

the other posters, thanks as well!