Carlos E.R.
Aug 31, 2022, 8:08:09 AM
On 2022-08-30 15:17, John Friday wrote:
> On Tuesday, August 30, 2022 at 4:01:17 PM UTC+3, Marco Moock wrote:
>> Am Dienstag, 30. August 2022, um 05:10:37 Uhr schrieb John Friday:
>>
>>> The problem was resolved with my friend being told not to plug his
>>> Linux laptop into the university network again, and instead use a
>>> Windows machine supplied by and administered by the IT department.
>> Why not reinstall the Linux operating system on the laptop?
>> Maybe it has been hacked.
>
> Re-installing the Linux operating system is indeed the end step. For now, we are trying to understand what happened and how it happened.
For understanding what happened, the first thing needed is a report by
the IT of what exactly that machine did, what they saw.
>
> If his Linux computer was compromised then all of us (except maybe the Windows admins) would want to know how to prevent recurrences in the future.
>
> Also, if his computer really was compromised then it means a ton of legwork for him - credit card, bank, email, crypto accounts all need to be secured. He must further assume all personal data on the laptop is now in the possession of third parties. Therefore he wants to make certain if his laptop has indeed been compromised.
Connect the machine to another network he controls, with sacrificial
Windows machines, and examine the traffic.
May not work, if what happened was that somebody in that university
hacked this laptop in order to launch attacks from there. Could be as
simple as using it as mail relay (in that case, check your logs).
>
>>> How it happened:
>>> 1. Presumably if someone wanted to spoof the MAC address of a
>>> computer on a local network, the best MAC address to spoof would be
>>> occasional laptop users who bring their laptop into work.
>> Hard to say, but you need to tell us what the machine did and what was
>> running on the machine.
>
> The machine won't be powered on for the time being. We are making an image of the hard drive housing his root and home directories. His laptop had a separate hard drive for VMs - I presume imaging that one would not be necessary? Anything malicious would probably reside in the root and home folders?
I would suspect those VMs too, especially if they are Windows.
...
Oh, I have seen now the posts about torrent. Certainly, that could be
it. Easy then, install torrent in Windows and download things, see if
the IT people get mad again >:-p
--
Cheers, Carlos.
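Carlos's "check your logs" suggestion for the mail-relay case, as an added example that is not part of the thread and not code from any poster. It assumes the laptop ran Postfix with its default syslog line format, that the laptop's own mail submissions arrive from 127.0.0.1, and that any message accepted from some other client and then handed on to an external SMTP host counts as relaying on the laptop's behalf. The log lines are constructed samples, not from the thread.

```python
"""Correlate Postfix log events by queue ID to find messages that a
non-local client submitted and that this host then sent onward.

Assumptions (not from the thread): default Postfix syslog format, own
traffic from loopback, external relay == delivery via SMTP to another host.
"""

import re
from collections import defaultdict
from ipaddress import ip_address

# smtpd accept line: "<qid>: client=<hostname>[<ip>]" (default Postfix format)
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
)
# smtp delivery line to another MTA: "<qid>: to=<rcpt>, relay=<host>[<ip>]:<port>"
# Local deliveries log "relay=local" and deliberately do not match.
TO_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+?)\[(?P<rip>[^\]]+)\]"
)

# Constructed sample log: one legitimate local submission, two messages
# relayed for an outside client, and one inbound local delivery.
SAMPLE_LOG = """\
Aug 30 03:12:01 laptop postfix/smtpd[2201]: 7F3A12C9: client=localhost[127.0.0.1]
Aug 30 03:12:01 laptop postfix/smtp[2203]: 7F3A12C9: to=<friend@example.org>, relay=mx.example.org[198.51.100.7]:25, status=sent (250 Ok)
Aug 30 04:40:17 laptop postfix/smtpd[2310]: 9B77E0A1: client=unknown[203.0.113.44]
Aug 30 04:40:18 laptop postfix/smtp[2311]: 9B77E0A1: to=<victim1@example.net>, relay=mx.example.net[192.0.2.10]:25, status=sent (250 Ok)
Aug 30 04:40:18 laptop postfix/smtp[2311]: 9B77E0A1: to=<victim2@example.net>, relay=mx.example.net[192.0.2.10]:25, status=sent (250 Ok)
Aug 30 04:41:02 laptop postfix/smtpd[2310]: 9B77E0A2: client=unknown[203.0.113.44]
Aug 30 04:41:03 laptop postfix/smtp[2312]: 9B77E0A2: to=<victim3@example.com>, relay=mx.example.com[192.0.2.20]:25, status=sent (250 Ok)
Aug 30 05:02:44 laptop postfix/smtpd[2400]: C0FFEE01: client=unknown[203.0.113.44]
Aug 30 05:02:44 laptop postfix/smtp[2401]: C0FFEE01: to=<bob@laptop.localdomain>, relay=local, status=sent (delivered to mailbox)
"""


def find_relaying(log_text: str) -> dict:
    """Return {client_ip: [recipient, ...]} for every message that was
    accepted from a non-loopback client and then delivered to an external
    SMTP host, i.e. relayed through this machine."""
    client_by_qid = {}          # queue ID -> submitting client IP
    outbound = defaultdict(list)  # queue ID -> external recipients
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_by_qid[m["qid"]] = m["ip"]
            continue
        m = TO_RE.search(line)
        if m:
            outbound[m["qid"]].append(m["rcpt"])

    relayed = defaultdict(list)
    for qid, rcpts in outbound.items():
        ip = client_by_qid.get(qid)
        # No accept record (e.g. local pickup) or loopback client: the
        # laptop's own mail, not relaying.
        if ip is None or ip_address(ip).is_loopback:
            continue
        relayed[ip].extend(rcpts)
    return dict(relayed)


if __name__ == "__main__":
    for ip, rcpts in find_relaying(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} message(s) relayed -> {', '.join(rcpts)}")
```

On a real box the input would be /var/log/mail.log (or `journalctl -u postfix`) read from the disk image rather than the running laptop; a non-empty result names the outside clients that used the host as a relay, which is the kind of finding to put in front of the IT people alongside their own report.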