HACKER Q&A
📣 wasipwned

Was I pwned? [resolved]


A few days ago, I noticed that my home network performance would degrade substantially to the point of being unusable. I would just power-cycle all my switches, and the issue would resolve for a while. It happened again this morning, so I decided to try to look closer at what could be causing the issue. That's when I noticed that my Linux desktop was doing a lot of traffic, and here's what I observed:

- My desktop has a private IP address, let's say 10.0.0.2.

- Running `iftop`, I saw all the traffic coming from a different source IP address, 10.0.0.3. It was transferring ~300Mbps.

- Running `tcpdump`, I saw that all of this traffic was going to a public IP address (AT&T). All of the source port/dest were ipsec-nat-t.

- I saw that `10.0.0.3` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn't find the MAC prefix in a vendor list).

- I could not find any references to `10.0.0.3` or the random MAC address on my desktop (looking at kernel logs, system logs, ip a, ifconfig).

- During this period, my network was degraded (high packet loss across my switches).

It was at this point that I decided to try blocking the MAC address from my switch, and performance immediately returned to normal. I tried unblocking the MAC a few minutes later, but it has yet to return. That plus the fact that the issue happens at seemingly random times (especially the middle of the night) makes me think that it's not automatically connecting and instead being triggered remotely.

I've since disconnected my desktop from the network and am in the process of rotating keys. I'm especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched. I tried to look and see if it was potentially a VM running, but I didn't see anything in virsh. I did have Docker containers running, but I assume I would have seen the IP address show up on one of my interfaces.

I'm at a bit of a loss and was wondering if anyone has ever seen anything like this before, and if there is any suggestions for things I should check.

  👤 wasipwned Accepted Answer ✓
False alarm. Really appreciate everyone helping me sanity check this. The randomized MAC is part of iOS' Wi-Fi privacy, and my phone is using Wi-Fi calling for AT&T. The randomized MAC and the fact that I thought I saw the traffic originating from my desktop (it wasn't, it was just multicast traffic) really threw me off.
👤 LocalPCGuy
Sounds like you found the issue but for future reference or for anyone stumbling across this later on, another thing to check is network ports in the "cheap" (i.e. generally most < $100) USB/USB-C hubs/port expanders with a power passthrough and a network port.

I had a pretty bizarre experience where it would work just fine during the day while the computer was on, but when I'd shut the lid of my work MacBook, the network port on that little USB-C hub would just start sending off ACK signals like crazy, killing my network for anything else trying to use it (effectively denial of service myself). It was really hard to track down also because it wasn't "traffic" really, and it didn't happen on the devices that were impacted (i.e. I'd be using my Windows PC in the evening and that was attached to my work computer). Even more perplexing because it was semi-random - turned out it wasn't "random", it was when I shut the lid of my work laptop vs. just leaving it up and walking away. I finally saw the flood of traffic by dumping network traffic and was able to trace it back to that hub (first I thought my laptop was pwned and was doing something like exfiltrating data or mining when I wasn't logged in, but it was very definitely the hub after a bit more digging).

Since discovering that, I have come across others that have written up the same or similar issues. With the power passthrough, the hub still has power, and if the network interface is flaky as many are, it can cause issues, particularly when the machine it's plugged into stops using it.

This post has links to a few various write-ups: https://mjtsai.com/blog/2022/05/11/usb-c-hubs-breaking-ether...

👤 Kikawala
Do you happen to have a mobile phone with AT&T and are near Fremont, CA?
👤 harel
Even though this was a false alarm in the end, the processes taken to investigate this merit an upvote and a save for future reference.
👤 xur17
I experienced a somewhat similar issue yesterday on my network that I described in detail here [0].

Essentially one of the computers (running ubuntu) on my network started sending a VERY high volume (it measured 20gb for the day, and I think it was all over a 10 minute period) of DNS traffic to my router, which runs an unbound instance for my network. That traffic (or at least I think it was that traffic) brought down my network to the point where I could even ping an external or internal ip address.

Does tcpdump show the destination ip address the traffic was sent to on AT&T's network? Curious if that could be a dns server..

Also, what version of ubuntu is your desktop running, and what software does it have on it? Are you using canonical's livepatch service?

[0] https://forum.opnsense.org/index.php?topic=31284.0

👤 yabones
I think we need more information. Do you run any services on that machine that would be exposed? Do you port-forward to that box? Use a VPN or something like Tailscale?

Or perhaps a sync client like syncthing, onedrive, nextcloud, etc. could be to blame.

One option would be to log all traffic on that machine to a .pcap and feed it through some IDS analyzers.

👤 tetraca
Do you have a corporate laptop or computer? Things like crowdstrike love to scan your network and phone home.
👤 maineldc
Older versions of Unifi controller were subject to mining hacks because of the Log4J compromise. I would check to make sure you are running a recent version of the Unifi Controller.
👤 bguebert
Some cell phones will generate a random MAC address. Is 10.0.0.3 given out from your dhcp server? Maybe a phone syncing video to a cloud service.
👤 andrewf
Are you running any virtual machines on your desktop? Because "My machine is 10.0.0.2 but there's something on the same physical host communicating as 10.0.0.3" is what it'd look like if a virtual machine with a "bridged" ethernet interface got its own IP address via DHCP and talked to the Internet.

This is speculation, I don't know whether you were owned.

👤 deusum
At least block the external IP and ports where the transfers are happening. Change the router password, some neighbor might be in the network.

It sounds like it might be part of a DDoS campaign, as well. Hard to diagnose here.

👤 erdos4d
How is your desktop connected to the switch (ethernet or wifi)? If the computer is wired, maybe you have a virus on it and that is somehow using the wifi to get another IP? I would suggest you backup your user data and wipe/restore the desktop. If it comes back after that, I'd bet someone has cracked your wifi password and is getting in that way, or some other device on the network is the culprit and reinfecting your desktop.
👤 nonane
> - I saw that `10.0.0.3` showed up as a client on my switch with a randomized MAC address (presumably, since I couldn't find the MAC prefix in a vendor list).

MAC address randomization is enabled by default on iOS: https://www.linksys.com/support-article?articleNum=317709

👤 FollowingTheDao
Are any of your switches running a BGP service you do not know about? Could it be trying to send or receive a huge routing table?
👤 guerrilla
> I'm especially perplexed at the traffic showing up from a different source IP on my desktop, but I did not see any interface that matched

This is easy to do with a raw socket, you just ARP for the IP. See fantaip in Unicornscan for example an example of software that can do that for you. So, all you need is root.

👤 itake
Is your router patched? Maybe they hacked your router. Not sure why it would need to assign itself a new IP. Maybe there is a docker container running on the router?
👤 kevin_thibedeau
Keep it as a honeypot and run the replacement in a vlaned subnet off the currently owned router.
👤 jatin2302
Looks like RAT

Or it could be torrent running in background or some sync services for any storage app.

👤 guerby
iproute2 things you could look at:

ip ne # show the IP/MAC table

ip rule # show the source routing state

ip netns list # show network namespaces

You could also transfer a trusted "ip" binary from another system in case yours is compromised (kernel could be compromised too)

👤 seussfrank 

  i agree there have problems.
👤 cyberpunk
I mean. Yes, you're pwned. You need to reflash all possible firmware, dd your disks to zeros and start again.. I wouldn't even trust it then, personally.

What's the IP address it was talking to? Maybe we can help find out what it was?