miguelito at biffster.org
Mon Feb 27 15:09:16 MST 2012
Hmmm... I understand your concern, but I think I've gotta agree with
David. It sounds like SUSE is checking for updates. I know you said
that you disabled auto-checking, but it sure sounds like auto-checking
is still happening.
On Mon, Feb 27, 2012 at 1:21 PM, David L. Willson <DLWillson at thegeek.nu> wrote:
> Could this be innocuous? Could it be that you're running [Open]SUSE, and
> your machine's trying to update itself?
> my machine has clearly been hacked and infected. any help greatly
> appreciated. I have a wireshark capture of my machine trying to access the
> akamai ftp site when nothing other than wireshark was running! additionally
> my machine is looking up downloads.suse.org and the download.nvidiacom site
> every several minutes, again without any other activity.
> i'm running open suse 12.1, automatic updates is set to not check for
> updates. packagekitd is also frequently running for no good reason, fairly
> alarming as it suggests someone has been futzing with my system. what logs
> should i look at? transmission is also randomly terminating without any
> notice of crash or any apparent reason further suggesting that someone wants
> bandwidth on my machine, most likely to steal files or run some sort of bot
> trying to attack other sites (as the akamai ftp access suggests). the akamai
> ftp site is password protected for "anonymous" logins and my machine is
> responding with a password that seems to work specifically "yast at 10.x.x"
> where x is a number i've blanked out for obvious reasons. Scary!
> on further examination of the wireshark capture my machine is entering the
> suse directory at the akamai site (18.104.22.168) which is NOT from a dns
> query further suggesting a virus/bot infection since the ip address is
> obviously hard coded! further after it successfully logs into the akamai site
> and changes directory a 951 byte file named "repo.md.xml" is being
> downloaded and then my system is logged out of the akamai site. very odd
> anyone have any idea wtf is going on? is this a virus/bot or strange
> behaviour somehow normal???
> this install has been running less than 1 month. also experiencing apparent
> high load/delays randomly further suggesting a slow down but the task
> monitors etc. don't show any apps using a lot of cpu time. it's a dual core
> athlon running at 3GHz and usually fairly peppy. also having dropouts in
> audio playing movies that go away later when playing the same file and have
> not occurred before on at least 2 different players (vlc and caffeine, vlc
> has its own codecs so it's not a codec issue).
> I have forwarded the wireshark capture to akamai security of course.
Michael Fierro biffster at gmail.com
"The truth of the matter is, I'm a bright enough guy, but I'm hardly a
genius." - Cory Doctorow