While assisting someone from a web forum whose machine was infected by a Trojan/malware (a Windows machine, FYI), I deliberately browsed to the suspected IP address, knowing that a Windows Trojan or malware won’t harm my Ubuntu Linux machine. Won’t it?
Well … my machine got infected! Immediately after I browsed that IP address, my outbound internet connection was suddenly full of strange connections to some local (Indonesian) IP addresses and some other IPs from outside Indonesia.
netstat -a revealed nothing when no browser was open, but was suddenly full of established outgoing connections to port 443 (SSL) and other ports when I opened Chrome or Firefox on my Ubuntu machine. Some connections were legitimate (namely the infamous Google sin01*-site hosts), but many were just rogue connections, and they stole(!) my bandwidth.
I installed AVG antivirus for Linux (the .deb version for Debian/Ubuntu) and ClamAV, which I never thought I’d have on my Linux machine, but all the scans revealed nothing; rkhunter and chkrootkit said nada, no infection whatsoever, but the weird established outbound connections were still there.
So I retraced my steps to the IP address I browsed before I got the problem and compared it to some of the IPs listed in my netstat output: it seemed that all the connections to the suspected IP were always forwarded to a248.e.akamai.net and some other rogue sites.
Further research revealed that the culprit was my DNS cache: it seemed that the rogue site manipulated my DNS cache so it could control my outbound connections, which was why I couldn’t find any infected file on my system ;) … and worse, dnsmasq was run by default on my Ubuntu 12.04 because it’s built into NetworkManager (with all the DNS poisoning threats lately, I guess Canonical should disable it in 12.10).
Here’s what I did to fix my problem:
1. Clear all my browser cache
2. Edit NetworkManager.conf
sudo pico /etc/NetworkManager/NetworkManager.conf
3. Disable dnsmasq by commenting out the dns line:
#dns=dnsmasq
4. Restart Network Manager
sudo restart network-manager
5. Clear the dns cache
sudo /etc/init.d/dns-clean start
and, just to be sure, I installed nscd too:
sudo apt-get install nscd
sudo /etc/init.d/nscd start
6. Done!
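As an added example (not part of the original post), here is a small shell script for checking the two things the fix above relies on: whether NetworkManager.conf still has an active dns=dnsmasq line (with a helper that comments it out the way step 3 does by hand), and whether the local resolver returns the same answer as a reference resolver you trust. It assumes `dig` from dnsutils is installed; the sample NetworkManager.conf is constructed inline, and REFERENCE_IP is a placeholder for a resolver of your choosing.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks that follow the
# fix above: (1) is NetworkManager's built-in dnsmasq still enabled in
# NetworkManager.conf, and (2) does the local resolver give the same answer
# as a reference resolver you trust. Assumes `dig` (dnsutils) is installed.

# nm_dnsmasq_enabled FILE: exit 0 if FILE has an active "dns=dnsmasq" line,
# 1 if the line is absent or commented out with '#'.
nm_dnsmasq_enabled() {
    grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$' "$1"
}

# nm_disable_dnsmasq SRC DST: copy SRC to DST with "dns=dnsmasq" commented
# out, the same edit the post makes by hand in pico.
nm_disable_dnsmasq() {
    sed -E 's/^([[:space:]]*)(dns[[:space:]]*=[[:space:]]*dnsmasq)/\1#\2/' "$1" > "$2"
}

# sample_nm_conf: a constructed NetworkManager.conf in the Ubuntu 12.04
# layout, for trying the functions without touching /etc.
sample_nm_conf() {
    printf '[main]\nplugins=ifupdown,keyfile\ndns=dnsmasq\n\n[ifupdown]\nmanaged=false\n'
}

# resolver_answers NAME SERVER: sorted A records NAME resolves to via SERVER.
resolver_answers() {
    dig +short +time=3 +tries=1 "@$2" "$1" A | sort
}

# compare_resolvers NAME LOCAL REFERENCE: exit 0 if both resolvers agree.
# A mismatch is a signal, not proof: CDN names such as akamai.net legitimately
# return different addresses depending on which resolver asks.
compare_resolvers() {
    local_ans=$(resolver_answers "$1" "$2")
    ref_ans=$(resolver_answers "$1" "$3")
    if [ "$local_ans" = "$ref_ans" ]; then
        echo "$1: local and reference resolvers agree"
        return 0
    fi
    echo "$1: MISMATCH local=[$local_ans] reference=[$ref_ans]" >&2
    return 1
}

# Usage on a live system (REFERENCE_IP is a resolver you trust, not given here):
#   nm_dnsmasq_enabled /etc/NetworkManager/NetworkManager.conf && echo "dnsmasq still on"
#   compare_resolvers example.com 127.0.0.1 REFERENCE_IP
```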