Advice

20 posts • Page 1 of 1
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Advice


Post by leyvi » Tue Jun 02, 2026 8:04 pm

Why the generic title? Because I don't know. Hopefully this won't sound too paranoid.

Recently, I've noticed that all the technology around me has suddenly started behaving funny. I think it might be malware, but then it would have to be cross-platform (my PCs, phone, and networking infrastructure all seem to be affected).

I want to find out if my concerns are justified, or if I just need to chill out (I need to chill out anyway, but it would be good to know if I'm right; I might even be able to do something).

What do you guys recommend for intrusion detection, forensics, etcetera on Gentoo (and GrapheneOS, which I use for my phone, though that's outside the scope of this forum, so I don't know about that)?

Judging by the nature of the strange behaviour in question, the malware (if it exists) is likely somewhat advanced. And since it affects all of my devices, and all the networks I use on a regular basis (even ones I don't own), the would-be hacker would need to have some serious beef with me. I have no clue how I might have pissed someone off that badly, I don't do anything illegal (I even pay for licenses to use copyrighted material I torrent for personal use, that's how far I'll go to comply with the law). But I do live in a part of the world where warrantless government surveillance is the norm…

EDIT I
By "strange behaviour" I mean everything is slow, battery-life is in the gutter, everything runs hot, network latency is high, and once I ran a traceroute that went to my ISP, then to some address registered to a European company according to whois (nondescript, couldn't find them online), then back to my ISP, then off to its original destination. I (technically) live in Asia.
NathanZachary
Bodhisattva
Posts: 2659
Joined: Tue Jan 30, 2007 1:50 am

Re: Advice


Post by NathanZachary » Wed Jun 03, 2026 1:13 am

It's always alarming when multiple devices start exhibiting strange behaviour simultaneously, but the conclusion of it being malware in some form seems premature here.

Some connections that I see are "battery-life is in the gutter" and "everything runs hot". Those two symptoms can indicate high processor usage or some application/process consuming substantial resources.

If you disconnect a misbehaving device from your local network, do you see any type of stability return?

Without a lot of additional detail here, it will be quite challenging to provide adequate advice and suggestions.
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
NeddySeagoon
Administrator
Posts: 56264
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Re: Advice


Post by NeddySeagoon » Wed Jun 03, 2026 8:50 am

leyvi,

Malware usually goes to great lengths to avoid detection, so that's unlikely.

It's likely something the devices all have in common, so it's only that common factor you need to find.

Battery life is proportional to clock speed, until batteries get old, then they can fail fairly quickly.
Some systems can power down, or even power off parts that are not in use, which is good but does not make up for an old battery.

It's always possible that you have picked up a bitcoin miner by visiting some shady website, but cross-platform is unlikely.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Banana
Administrator
Posts: 2524
Joined: Fri May 21, 2004 12:02 pm
Location: Germany

Re: Advice


Post by Banana » Wed Jun 03, 2026 10:28 am

As your topic history suggests (only examples), you experiment much. Which is good!

Sometimes a misconfiguration is not immediately recognizable and builds up over time.

In addition to what others said:
Find the common denominator and start from there. Or check your latest experiments. Maybe something changed since then.
Or, if possible, start from scratch to rule out any config confusions built up over time.
Forum Guidelines

PFL - Portage file list - find which package a file or command belongs to.
My delta-labs.org snippets do expire
Zucca
Administrator
Posts: 4825
Joined: Thu Jun 14, 2007 10:31 pm
Location: Rasi, Finland

Re: Advice


Post by Zucca » Wed Jun 03, 2026 11:31 am

leyvi wrote: Tue Jun 02, 2026 8:04 pm
EDIT I
By "strange behaviour" I mean everything is slow, battery-life is in the gutter, everything runs hot, network latency is high, and once I ran a traceroute that went to my ISP, then to some address registered to a European company according to whois (nondescript, couldn't find them online), then back to my ISP, then off to its original destination. I (technically) live in Asia.
This is a rather wild guess, but something spamming your network might cause the symptoms you're describing.
The something might be, for example:
  • packets going in a loop
  • some rogue program spamming your local network
So, does this happen if you take some of your devices out of the network? If the symptoms disappear, then I'd start to investigate your network internally for a misconfigured program.
..: Zucca :..

leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Wed Jun 03, 2026 1:22 pm

OK, I'm going to download all distfiles for my next update, disconnect from the internet completely (by unplugging the Ethernet cable), update my system, and see how that goes. I'll try doing something similar (airplane mode, listening to offline music, reading ebooks, watching offline media) on my phone. I'll see how quickly battery life drains.
NathanZachary
Bodhisattva
Posts: 2659
Joined: Tue Jan 30, 2007 1:50 am

Re: Advice


Post by NathanZachary » Wed Jun 03, 2026 2:30 pm

I agree that it could be something spamming your network (whether intentionally or unintentionally). Let us know what you find out, and we can keep troubleshooting with you. The more details we have, the easier it will be to continue.

Good luck!
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Thu Jun 04, 2026 12:01 am

What's weird is that this happens on my home network, my school network, and on my cellular network/hotspot. Maybe I've misconfigured some network-related setting on my devices. But it would have to be all of my devices. And one of them is running GrapheneOS, which has very limited network configurability, yet it has these problems even when it's kilometers away from my other devices. My laptop has these problems away from home, even when my phone is in my dormitory. And my desktop has these problems even when I access it remotely.
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Thu Jun 04, 2026 12:09 am

Zucca wrote: Wed Jun 03, 2026 11:31 am
The something might be, for example:
  • packets going in a loop
  • some rogue program spamming your local network
So, does this happen if you take some of your devices out of the network? If the symptoms disappear, then I'd start to investigate your network internally for a misconfigured program.
Packets going in a loop sounds implausible to me, given how many networks I use but don't control. A rogue/misconfigured program seems more likely. But how would I figure out which one? I can use packet capture tools, but I'm a lot more interested in statistics than individual packets; what tools do I use for that?
NathanZachary
Bodhisattva
Posts: 2659
Joined: Tue Jan 30, 2007 1:50 am

Re: Advice


Post by NathanZachary » Thu Jun 04, 2026 1:32 am

You're right that it's quite peculiar to happen across both multiple devices and multiple networks (some of which are not under your direct control). You'll probably want to start with the basic network analyser tools like Wireshark. I can also recommend NetHogs (which is available in Gentoo) for another approach. Starting with a generalised packet capture and then delving into more specific findings based on that initial capture is my typical method of starting to troubleshoot network congestion or even rogue applications consuming substantial bandwidth.
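One way to get the per-interface statistics leyvi is asking about without looking at individual packets, as an added example that is not from the thread or from any poster: it parses two snapshots of the kernel's /proc/net/dev counters (the sample text below is constructed to mimic that format), computes byte and packet rates, and flags interfaces above a bytes-per-second threshold you pick; sample_live() runs the same computation against the real file on a Linux host. The threshold, the interface names and the counter values in the sample are assumptions.

```python
"""Per-interface rate statistics from /proc/net/dev (added example)."""
import time

# Constructed sample snapshots in /proc/net/dev layout: two header lines,
# then "<iface>: <8 receive fields> <8 transmit fields>" per interface.
SNAPSHOT_A = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     800    0    0    0     0          0         0   123456     800    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0        12  2000000   15000    0    0    0     0       0          0
 wlan0:  900000    7000    0    0    0     0          0         3   300000    2500    0    0    0     0       0          0
"""
# Same host ten seconds later; eth0 has moved about 130 MB, the others very little.
SNAPSHOT_B = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  124456     810    0    0    0     0          0         0   124456     810    0    0    0     0       0          0
  eth0: 125000000 140000    0    0    0     0          0        12 12000000   35000    0    0    0     0       0          0
 wlan0:  950000    7400    0    0    0     0          0         3   320000    2700    0    0    0     0       0          0
"""

COUNTER_WRAP = 2 ** 64  # /proc/net/dev counters are unsigned 64-bit on amd64

def parse_net_dev(text):
    """Return {iface: {rx_bytes, rx_packets, tx_bytes, tx_packets}}."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)        # name may be flush with the colon
        f = rest.split()
        if len(f) < 16:                          # malformed line, ignore it
            continue
        stats[iface.strip()] = {"rx_bytes": int(f[0]), "rx_packets": int(f[1]),
                                "tx_bytes": int(f[8]), "tx_packets": int(f[9])}
    return stats

def rates(before, after, interval_s):
    """Per-second deltas between two snapshots, tolerating counter wrap."""
    out = {}
    for iface, b in before.items():
        a = after.get(iface)
        if a is None:                            # interface disappeared meanwhile
            continue
        out[iface] = {k: ((a[k] - b[k]) % COUNTER_WRAP) / interval_s for k in b}
    return out

def flag_busy(rate_table, bytes_per_s):
    """Interfaces whose combined rx+tx byte rate exceeds the threshold."""
    return sorted(i for i, r in rate_table.items()
                  if r["rx_bytes"] + r["tx_bytes"] > bytes_per_s)

def sample_live(interval_s=5.0):
    """Same computation against the real kernel counters on a Linux host."""
    with open("/proc/net/dev") as fh:
        before = parse_net_dev(fh.read())
    time.sleep(interval_s)
    with open("/proc/net/dev") as fh:
        after = parse_net_dev(fh.read())
    return rates(before, after, interval_s)

if __name__ == "__main__":
    table = rates(parse_net_dev(SNAPSHOT_A), parse_net_dev(SNAPSHOT_B), 10.0)
    for iface, r in sorted(table.items()):
        print(f"{iface:6s} rx {r['rx_bytes']:>12.0f} B/s  tx {r['tx_bytes']:>12.0f} B/s")
    print("busy:", flag_busy(table, 1_000_000))
```

Once an interface stands out, NetHogs (per process) or a Wireshark capture on that interface is the next step to find which program is behind the traffic.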
Banana
Administrator
Posts: 2524
Joined: Fri May 21, 2004 12:02 pm
Location: Germany

Re: Advice


Post by Banana » Thu Jun 04, 2026 6:14 am

leyvi wrote: Thu Jun 04, 2026 12:01 am What's weird is that this happens on my home network, my school network, and on my cellular network/hotspot. Maybe I've misconfigured some network-related setting on my devices. But it would have to be all of my devices. And one of them is running GrapheneOS, which has very limited network configurability, yet it has these problems even when it's kilometers away from my other devices. My laptop has these problems away from home, even when my phone is in my dormitory. And my desktop has these problems even when I access it remotely.
Finding the common denominator is getting complicated.
Do you have any "solid" errors or findings of what is wrong? Looking for a solution based on feelings is like looking for a needle in a haystack.
NeddySeagoon
Administrator
Posts: 56264
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Re: Advice


Post by NeddySeagoon » Thu Jun 04, 2026 8:48 am

leyvi,

For your battery devices, it may be worth calibrating the battery management system.
There are two sources of accumulating error.
1. Battery capacity falls with each charge/discharge cycle.
2. The state of charge is done by measuring charge in and charge out. It's a dead reckoning system.

Discharge the battery as far as you can.
Now charge it in one go.
Provided the discharge was far enough, you will get a new number for total capacity. That's actual, not as manufactured and the state of charge system will be recalibrated too.

If the actual capacity is less than half the manufactured capacity, the battery is end of life.
Replace it with a good quality battery from a trustworthy source. You really don't want a Lithium fire.
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Fri Jun 05, 2026 9:56 am

NathanZachary wrote: Thu Jun 04, 2026 1:32 am You're right that it's quite peculiar to happen across both multiple devices and multiple networks (some of which are not under your direct control). You'll probably want to start with the basic network analyser tools like Wireshark. I can also recommend NetHogs (which is available in Gentoo) for another approach. Starting with a generalised packet capture and then delving into more specific findings based on that initial capture is my typical method of starting to troubleshoot network congestion or even rogue applications consuming substantial bandwidth.
OK, gonna try NetHogs.
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Fri Jun 05, 2026 10:00 am

Banana wrote: Thu Jun 04, 2026 6:14 am
leyvi wrote: Thu Jun 04, 2026 12:01 am What's weird is that this happens on my home network, my school network, and on my cellular network/hotspot. Maybe I've misconfigured some network-related setting on my devices. But it would have to be all of my devices. And one of them is running GrapheneOS, which has very limited network configurability, yet it has these problems even when it's kilometers away from my other devices. My laptop has these problems away from home, even when my phone is in my dormitory. And my desktop has these problems even when I access it remotely.
Finding the common denominator is getting complicated.
Do you have any "solid" errors or findings of what is wrong? Looking for a solution based on feelings is like looking for a needle in a haystack.
Not yet. I aim to try running NetHogs, see what happens.

For the record: chkrootkit didn't find anything, unhide won't run all its tests, and running a ClamAV scan made my system reboot suddenly, a "data fabric flood event" that happens on my desktop sometimes. The last thing might be because the hardware is similar, or it might be an evasion technique.
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Fri Jun 05, 2026 10:04 am

NeddySeagoon wrote: Thu Jun 04, 2026 8:48 am leyvi,

For your battery devices, it may be worth calibrating the battery management system.
There are two sources of accumulating error.
1. Battery capacity falls with each charge/discharge cycle.
2. The state of charge is done by measuring charge in and charge out. It's a dead reckoning system.

Discharge the battery as far as you can.
Now charge it in one go.
Provided the discharge was far enough, you will get a new number for total capacity. That's actual, not as manufactured and the state of charge system will be recalibrated too.

If the actual capacity is less than half the manufactured capacity, the battery is end of life.
Replace it with a good quality battery from a trustworthy source. You really don't want a Lithium fire.
Good to know.

I regularly run my phone down to 2% battery. The battery checker says that it's done about 350 discharge cycles over the last year and a half.

I haven't run my laptop down below 50% before, it's only a few months old. For drive health we have SMART and its userspace tools. But what about battery health?
Zucca
Administrator
Posts: 4825
Joined: Thu Jun 14, 2007 10:31 pm
Location: Rasi, Finland

Re: Advice


Post by Zucca » Fri Jun 05, 2026 2:06 pm

leyvi wrote: Fri Jun 05, 2026 10:00 am
and running a ClamAV scan made my system reboot suddenly, a "data fabric flood event" that happens on my desktop sometimes.
Can you elaborate?
That sounds like a hardware problem.
NathanZachary
Bodhisattva
Posts: 2659
Joined: Tue Jan 30, 2007 1:50 am

Re: Advice


Post by NathanZachary » Fri Jun 05, 2026 2:18 pm

I agree with Zucca that that sounds like it could be a hardware fault. The two potential ones that come to mind are faulty/failing RAM or the system overheating.
leyvi
l33t
Posts: 806
Joined: Fri Sep 08, 2023 1:22 pm

Re: Advice


Post by leyvi » Fri Jun 05, 2026 4:00 pm

It is in fact a hardware problem. There are some kernel parameters that can be used to fix it. I only started having this problem with my laptop after using it for a few months (it's only happened once though, whereas on my desktop it happens all the time). I wasn't expecting this to happen at all though.

It isn't completely illogical to speculate that it could be exploited by a hacker wishing to remain undiscovered though.
zen_desu
Guru
Posts: 529
Joined: Fri Oct 25, 2024 3:14 pm
Location: your area

Re: Advice


Post by zen_desu » Fri Jun 05, 2026 4:17 pm

leyvi wrote: Fri Jun 05, 2026 10:04 am
NeddySeagoon wrote: Thu Jun 04, 2026 8:48 am leyvi,

For your battery devices, it may be worth calibrating the battery management system.
There are two sources of accumulating error.
1. Battery capacity falls with each charge/discharge cycle.
2. The state of charge is done by measuring charge in and charge out. It's a dead reckoning system.

Discharge the battery as far as you can.
Now charge it in one go.
Provided the discharge was far enough, you will get a new number for total capacity. That's actual, not as manufactured and the state of charge system will be recalibrated too.

If the actual capacity is less than half the manufactured capacity, the battery is end of life.
Replace it with a good quality battery from a trustworthy source. You really don't want a Lithium fire.
Good to know.

I regularly run my phone down to 2% battery. The battery checker says that it's done about 350 discharge cycles over the last year and a half.

I haven't run my laptop down below 50% before, it's only a few months old. For drive health we have SMART and it's userspace tools. But what about battery health?
You may be able to read battery info in /sys, depending on the battery. It would have to track and expose that info (generally the device's internal BMS tracks that).
µgRD dev
Wiki writer
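Putting NeddySeagoon's "below half of design capacity means end of life" rule together with zen_desu's pointer to /sys, as an added example that is not from the thread or from any poster: the kernel's power_supply class exposes the BMS figures as charge_full and charge_full_design (µAh) or energy_full and energy_full_design (µWh), plus cycle_count where the BMS tracks it, and this computes health from whichever pair is present. The 80% "worn" line, the BAT0 default path and the sample figures are assumptions of this example.

```python
"""Battery health from /sys/class/power_supply attributes (added example)."""
import os

# Capacity attribute pairs the power_supply class may expose, in order of preference.
_CAPACITY_PAIRS = (("charge_full", "charge_full_design"),     # µAh
                   ("energy_full", "energy_full_design"))     # µWh

# Thresholds: 50% is the end-of-life rule from the thread; 80% "worn" is assumed here.
END_OF_LIFE_PCT = 50.0
WORN_PCT = 80.0

def battery_health(attrs):
    """attrs: {sysfs attribute name: file contents as a string}.
    Returns full/design capacity, health percentage, cycle count and a verdict."""
    for full_key, design_key in _CAPACITY_PAIRS:
        if full_key in attrs and design_key in attrs:
            full, design = int(attrs[full_key]), int(attrs[design_key])
            break
    else:
        raise ValueError("BMS does not expose a *_full/*_full_design pair")
    if design <= 0:
        raise ValueError("design capacity reported as zero; cannot compute health")
    health = 100.0 * full / design
    cycles = int(attrs["cycle_count"]) if "cycle_count" in attrs else None
    if health < END_OF_LIFE_PCT:
        verdict = "end of life"
    elif health < WORN_PCT:
        verdict = "worn"
    else:
        verdict = "ok"
    return {"full": full, "design": design, "health_pct": round(health, 1),
            "cycles": cycles, "verdict": verdict}

def read_sysfs_battery(path="/sys/class/power_supply/BAT0"):
    """Collect the attributes battery_health() understands from a real battery."""
    attrs = {}
    for name in ("charge_full", "charge_full_design",
                 "energy_full", "energy_full_design", "cycle_count"):
        p = os.path.join(path, name)
        if os.path.exists(p):
            with open(p) as fh:
                attrs[name] = fh.read().strip()
    return attrs

# Constructed sample: a battery reporting in µWh after 350 cycles.
SAMPLE_BATTERY = {"energy_full": "41200000",
                  "energy_full_design": "57000000",
                  "cycle_count": "350"}

if __name__ == "__main__":
    print(battery_health(SAMPLE_BATTERY))
```

Run a full discharge/charge cycle as NeddySeagoon describes before trusting the *_full figure, since that value is the BMS's last measured capacity, not a live reading.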
NathanZachary
Bodhisattva
Posts: 2659
Joined: Tue Jan 30, 2007 1:50 am

Re: Advice


Post by NathanZachary » Fri Jun 05, 2026 6:48 pm

leyvi wrote: Fri Jun 05, 2026 4:00 pm It is in fact a hardware problem. There are some kernel parameters that can be used to fix it. I only started having this problem with my laptop after using it for a few months (it's only happened once though, whereas on my desktop it happens all the time). I wasn't expecting this to happen at all though.

It isn't completely illogical to speculate that it could be exploited by a hacker wishing to remain undiscovered though.
Nobody would fault you for considering malicious activity; it's good to be security-aware. If you need any assistance with kernel parameters, please feel free to ask.
© 2001–2026 Gentoo Authors
Gentoo is a trademark of the Gentoo Foundation, Inc. and of Förderverein Gentoo e.V.
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-4.0 license.