HACKER Q&A
WTHISGO

Do I have a Linux bootkit?


Lately I noticed my laptop has been acting weirdly, and I have been looking for causes. By using nethogs I noticed that my system makes connections to hosting companies, mainly in Germany, from a root account. These entries typically look like this:

    ? root     10.138.153.2:53498-68.235.39.11:80          tzulo, inc
    ? root     10.138.153.2:53156-104.26.5.15:443          Cloudflare
    ? root     10.132.193.74:35374-184.105.99.43:443       Civilized Discourse Construction Kit Inc
    ? root     10.132.193.74:42738-172.67.70.33:443        Cloudflare
    ? root     10.132.193.74:56512-199.232.53.91:443       Fastly, Inc

It goes both ways, once sending, once receiving. For example, when I woke it up from sleep, I had a dozen hosts making connections to my laptop and sending some data. I don't know what, because I'm not knowledgeable enough to investigate.

But the weirdest part is, I upgraded and downgraded the BIOS, reinstalled the system, and even created a live bootable USB stick from a fresh SHA-verified ISO, and this persists. Both my laptop and desktop are affected. I have only tried Linux Mint and PopOS. I have no access to another computer to create a live USB stick on, to see if it is still affected, but I have a suspicion this is a UEFI-based rootkit. What the hell is that?


dchest (Accepted Answer)
If you open 68.235.39.11, you end up on Linux Mint's Repositories website.

Similarly, other connections may be caused by:

- autoupdater
- internet detection when connecting to wi-fi
- some kind of analytics baked into the distro
- some other software
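A triage helper for the nethogs connection view quoted in the question, added here as an example and not part of the original thread: it parses lines in that layout, counts connections per network owner and per unattributed ("?") socket, and flags remotes that are either off an allowlist of expected mirror/CDN owners or not on HTTP/HTTPS. The allowlist is hypothetical and the sample lines are constructed from the question's own output.

```python
import re
from collections import Counter

# Constructed sample in the layout of the nethogs connection view quoted in the
# question (process, user, local:port-remote:port, owner). A "?" process means
# nethogs could not attribute the socket to a process.
SAMPLE = """\
? root     10.138.153.2:53498-68.235.39.11:80          tzulo, inc
? root     10.138.153.2:53156-104.26.5.15:443          Cloudflare
? root     10.132.193.74:35374-184.105.99.43:443       Civilized Discourse Construction Kit Inc
? root     10.132.193.74:42738-172.67.70.33:443        Cloudflare
? root     10.132.193.74:56512-199.232.53.91:443       Fastly, Inc
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)-(?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<owner>.*?)\s*$"
)

# Hypothetical allowlist: owners a stock Linux Mint install is expected to reach
# for package mirrors and the CDNs in front of them. Tune this per system.
EXPECTED_OWNERS = {"tzulo, inc", "cloudflare", "fastly, inc"}
WEB_PORTS = {80, 443}

def parse_nethogs(text):
    """Parse nethogs connection lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"], row["rport"] = int(row["lport"]), int(row["rport"])
            rows.append(row)
    return rows

def triage(rows, expected=EXPECTED_OWNERS):
    """Count connections per owner and per unattributed socket, and flag any
    remote that is off the allowlist or not on HTTP/HTTPS for manual review."""
    by_owner = Counter(r["owner"] for r in rows)
    # "?" sockets are a cue to re-check with `ss -tunap` as root, not proof of malware
    unattributed = sum(1 for r in rows if r["proc"] == "?")
    flagged = [
        f"{r['rip']}:{r['rport']} ({r['owner']})"
        for r in rows
        if r["owner"].lower() not in expected or r["rport"] not in WEB_PORTS
    ]
    return {"by_owner": dict(by_owner), "unattributed": unattributed, "flagged": flagged}
```

Run `triage(parse_nethogs(SAMPLE))` to see the per-owner counts; on the sample only the Discourse forum host is flagged, and all five sockets are unattributed, which is a reason to re-run the check with process attribution rather than a finding in itself.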


verdverm
you could try running clamav on linux

not sure if it'll catch a root|boot-kit, but if it's a ddos bot or similar, it can catch those, I know from experience :]