Topic: My computer is doing outbound TCP-FIN scanning and I wish to make it stop

151rby

    I have a System76 Pangolin Performance (Panp8). It has 4 GB of RAM and an Intel Core i5-2410M CPU @ 2.30GHz 4 processor. My hard drive has a total of 250 GB, but the partitioning makes it a little more complicated than that (which I'll explain more about a little later in this post); the OS I'm currently running has 102 GB of disk space. I'm using 64-bit Ubuntu 12.04, but I was using 11.10 when this problem first started.

    This is the beginning of the account, and at this time I was using Ubuntu 11.10. So last week, I believe it was Thursday or Friday, maybe Wednesday, I got kicked off the wireless network where I live. I called the admin, and he said it was because my computer was doing outbound TCP-FIN scans, which (according to him) means that I probably have a network virus. I'm skeptical, because I've heard that there are virtually zero viruses out there for Linux systems. He sent me an email with many links to free virus scans and "free" virus scans, all for Windows. I attempted some of these scans using Wine with varying (low to none) degrees of success. One of them told me that I have some Win32/Toolbar/Babylon applications on my computer, as well as some threats in the Firefox cache, and some other threats that I can't remember. However, I hadn't checked the box "remove found threats" when I first started running the scan (I didn't want it to accidentally remove something important), and at the end of the scan, there was no option to remove them. Thereafter, that particular scan didn't work anymore. I really wish I'd exported the list of threats to a text document. Ultimately, I wasn't able to remove anything from my system with any of the scans. I tried ClamAV and it turned up nothing, but I don't think it was working right, as it reported that it only scanned a megabyte. I'm going to uninstall it, reinstall it, and try again, and if I get a different result I will update this post. My network administrator is really not being so cool about it. He knows I use Linux, knows nothing about Linux, assumes it's a virus, sends me some links to Windows virus scans for Windows viruses, and just tells me I have to make my computer stop doing outbound TCP-FIN scans or else he's going to kick me off the network again. 
I'm not completely sure that I don't have a virus, but I get the feeling he is just heaping the burden of his ignorance upon me so that he doesn't have to learn anything about non-Windows systems for his job. Yes, I should know about my own computer, but I'm not the one getting paid to maintain the well-being of the network (which he generally does a terrible job of anyhow). Sorry, I'm venting a bit. Anyhow, I don't think my computer was doing it before last week, but I have called the admin to ask him when it started, and where the scans are being directed. I got his voicemail and have yet to hear back from him. I'll update this post when I do, unless it has already been solved by then.

    Now, unfortunately, some events happened which potentially complicate this whole thing, but maybe not. I don't know. I'm going to describe them just in case they are relevant. On Saturday of that same week (or maybe it was Friday night? I forget), after the above paragraph happened, I attempted to upgrade to 12.04. When it was in the middle of upgrading, the program doing the update froze. When I finally gave up hope that the upgrade would finish, I closed the program that was doing the upgrade; sure enough, it was "not responding" and I had to force the quit. Afterwards, clicking the mouse button had no effect on anything. I disconnected the power source and removed the battery to turn it off, and then when I turned it back on again, it wouldn't boot right; it just stayed on the purple "ubuntu" screen indefinitely, with those little dots changing from white to red-orange and back again. So, I ended up installing another copy of Ubuntu 12.04, alongside the old one. All my old files are within an encrypted directory that I have not yet been able to access (but I'll post more about that in a different thread). I thought, maybe there's a little silver lining, maybe this'll somehow fix the TCP-FIN scanning issue. Nope. Admin called me yesterday and told me that my computer started doing it again, 2 and a half days after I installed the new copy of 12.04 and started using my computer again. Now, I had done some web surfing within that time, so if I did get some virus from some website (which I think is unlikely), it's possible I could have gotten the same virus again after starting with the new 12.04. But is it possible that, if I had a virus, it could still operate from within that encrypted private directory after booting a new OS? I don't know.

    Anyhow, I just need to make my computer stop doing these outbound TCP-FIN scans, and I would also very much like to know why it is doing the scans in the first place. I will be very grateful to those who help.

    Salmon Trout



    I don't know much about this kind of thing, but a quick Google suggests you should ask for router log files and check the destination IPs alleged to be scanned by your machine. A careful reading of the log should tell you if it really is your machine, and if so, you might get a clue from the ports being used and you could check the domain e.g. here

    http://whois.domaintools.com/[put_ip_address_of_destination_here]

    example http://whois.domaintools.com/74.125.132.106

    Maybe somebody else is spoofing your IP? Or the admin is mistaken? You are connecting to a wireless network in a building?



    « Last Edit: May 05, 2012, 02:43:41 PM by Salmon Trout »
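    Salmon Trout's advice is to read the logs for the destination IPs and ports; the same check can be run from the laptop itself, since a FIN scan has a signature a normal TCP stack never produces: a FIN segment with no ACK bit set (tcpdump prints it as "Flags [F]", whereas an ordinary connection close shows "Flags [F.]"). The script below is an added example, not code from this thread or from Ubuntu; it parses tcpdump's one-line TCP summaries and reports any source address that sent bare-FIN packets to several distinct host:port targets. The sample lines are constructed for the example, and the interface name and the threshold of three targets are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style lines (not captured from the poster's
# machine). 192.168.1.23 sends bare-FIN packets to five distinct targets;
# its ordinary web connection closes with FIN+ACK ("[F.]"), as does the
# SSH session from 192.168.1.40.
SAMPLE_LINES = """\
12:00:01.000100 IP 192.168.1.23.40001 > 10.0.0.5.22: Flags [F], seq 0, win 1024, length 0
12:00:01.000200 IP 192.168.1.23.40001 > 10.0.0.5.80: Flags [F], seq 0, win 1024, length 0
12:00:01.000300 IP 192.168.1.23.40001 > 10.0.0.5.443: Flags [F], seq 0, win 1024, length 0
12:00:01.000400 IP 192.168.1.23.40001 > 10.0.0.6.22: Flags [F], seq 0, win 1024, length 0
12:00:01.000500 IP 192.168.1.23.40001 > 10.0.0.6.25: Flags [F], seq 0, win 1024, length 0
12:00:02.000000 IP 192.168.1.23.51234 > 74.125.132.106.80: Flags [S], seq 1, win 29200, length 0
12:00:02.100000 IP 192.168.1.23.51234 > 74.125.132.106.80: Flags [F.], seq 2, ack 2, win 229, length 0
12:00:03.000000 IP 192.168.1.40.44444 > 10.0.0.5.22: Flags [F.], seq 10, ack 1, win 229, length 0
"""

# tcpdump's one-line TCP summary: timestamp, "IP", src.port > dst.port, then the flag set.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bare_fin(flags):
    """A legitimate close always carries ACK together with FIN ("F.");
    a FIN with no other flag set only comes from hand-built packets."""
    return flags == "F"


def find_fin_scanners(lines, min_targets=3):
    """Map each source IP to the sorted list of (dst, dport) targets it hit
    with bare-FIN packets, keeping only sources with at least min_targets."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_bare_fin(rec["flags"]):
            targets[rec["src"]].add((rec["dst"], int(rec["dport"])))
    return {src: sorted(hit) for src, hit in targets.items() if len(hit) >= min_targets}


if __name__ == "__main__":
    report = find_fin_scanners(SAMPLE_LINES.splitlines())
    if not report:
        print("no bare-FIN scan pattern in this capture")
    for src, hits in report.items():
        print(f"{src}: {len(hits)} bare-FIN targets")
        for dst, dport in hits:
            print(f"  -> {dst}:{dport}")
```

    To feed it real traffic, capture on the wireless interface with tcpdump and a filter that keeps only FIN-only segments, for instance `sudo tcpdump -n -i wlan0 'tcp[tcpflags] == tcp-fin'` (wlan0 is assumed; `tcp-fin` and `tcp[tcpflags]` are tcpdump's own keywords), and pipe the output into the script. A host capture shows what the laptop's own interface transmits; if it stays empty while the router log keeps reporting scans from the laptop's address, that points at another device using the same address, which is exactly the spoofing question raised above.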

    Geek-9pm


    There are indeed virus scanners just for Linux. Just do a Google search and find them. AVG offers a free Linux AV.
    The 4 Best Free Linux Anti-Virus Programs

    151rby

      Quote
      I don't know much about this kind of thing, but a quick Google suggests you should ask for router log files and check the destination IPs alleged to be scanned by your machine. A careful reading of the log should tell you if it really is your machine, and if so, you might get a clue from the ports being used and you could check the domain e.g. here

      http://whois.domaintools.com/[put_ip_address_of_destination_here]

      example http://whois.domaintools.com/74.125.132.106

      Maybe somebody else is spoofing your IP? or the admin is mistaken? You are connecting to a wireless network in a building?

      Yes, I am connecting to a wireless network in a building. How'd you know? And when I look at the log files, how will I be able to determine whether it's my machine or if someone is spoofing my IP?

      Geek-9pm


      Quote
      Yes, I am connecting to a wireless network in a building. How'd you know? And when I look at the log files, how will I be able to determine whether it's my machine or if someone is spoofing my IP?
      A wireless router gives out local IPs using DHCP.  So the local IP may change once in a while.
      But the router identifies each user by name and MAC.  If somebody was spoofing you, they would have to have your MAC.
      Quote
      http://en.wikipedia.org/wiki/MAC_address
      A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet.  ...
      MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card's read-only memory, or some other firmware mechanism. If assigned by the manufacturer, ...A network node may have multiple NICs and will then have one unique MAC address per NIC.
      This confirms that MAC is used on wireless networks. The administrator can block you by entering your MAC in a look-up table inside the router's memory area.
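      The point above is that the router ties each IP lease to a MAC, so the way to answer "was it my machine?" from the admin's logs is to look up which MAC held the reported source IP at the time of each alert. The script below is an added example, not code from this thread or from any router product; it joins a DHCP lease history against a scan-alert log and sorts the alerts into "mine", "other" (a different MAC held that IP then) and "unknown" (no lease covered it). The MAC, lease table and alert lines are all constructed placeholders, and the column layout is an assumption, since every router exports these differently.

```python
from datetime import datetime

# Placeholder for the laptop's own wireless MAC (on Linux, `ip link` prints it); not a real value.
OWN_MAC = "00:11:22:33:44:55"

# Constructed DHCP lease history: (mac, ip, lease start, lease end).
LEASES = [
    ("00:11:22:33:44:55", "192.168.1.23", "2012-05-03 08:00", "2012-05-03 20:00"),
    ("66:77:88:99:aa:bb", "192.168.1.23", "2012-05-03 21:00", "2012-05-04 09:00"),
    ("00:11:22:33:44:55", "192.168.1.31", "2012-05-04 08:00", "2012-05-04 20:00"),
]

# Constructed router alert log: (time, source ip, description).
ALERTS = [
    ("2012-05-03 10:15", "192.168.1.23", "TCP-FIN scan 10.0.0.5:22"),
    ("2012-05-03 22:30", "192.168.1.23", "TCP-FIN scan 10.0.0.6:80"),
    ("2012-05-04 12:00", "192.168.1.31", "TCP-FIN scan 10.0.0.7:443"),
    ("2012-05-04 23:00", "192.168.1.23", "TCP-FIN scan 10.0.0.8:25"),
]

TS_FMT = "%Y-%m-%d %H:%M"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def mac_for(ip, when, leases):
    """Return the MAC that held `ip` at time `when` (lease start inclusive,
    end exclusive), or None if no lease on record covers that moment."""
    t = parse_ts(when)
    for mac, lease_ip, start, end in leases:
        if lease_ip == ip and parse_ts(start) <= t < parse_ts(end):
            return mac.lower()
    return None


def attribute_alerts(alerts, leases, own_mac):
    """Bucket each alert by who the router believed held its source IP:
    "mine" (own_mac), "other" (some other MAC) or "unknown" (no lease)."""
    out = {"mine": [], "other": [], "unknown": []}
    for when, ip, desc in alerts:
        mac = mac_for(ip, when, leases)
        if mac is None:
            out["unknown"].append((when, ip, desc, None))
        elif mac == own_mac.lower():
            out["mine"].append((when, ip, desc, mac))
        else:
            out["other"].append((when, ip, desc, mac))
    return out


if __name__ == "__main__":
    buckets = attribute_alerts(ALERTS, LEASES, OWN_MAC)
    for bucket, entries in buckets.items():
        print(f"{bucket}: {len(entries)} alert(s)")
        for when, ip, desc, mac in entries:
            print(f"  {when}  {ip}  held by {mac or 'nobody on record'}  {desc}")
```

      Alerts landing in "other" or "unknown" are the ones to show the admin, since they cannot have come from this laptop's lease. Alerts in "mine" are not yet proof either way: the lease table records the MAC the client announced, which a client can set in software, so the next step for those is a packet capture on the laptop itself during one of the reported windows.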

      epoh



        do a clean install....and save data to flash-drive or hard drive; to install a system over the top of the same O/S can always cause problems...the best way to check if you are being tracked..wear headphones...if you hear clicking then your firewall is not up to much...you should with all Wi-Fi...have an encryption software...

        Geek-9pm


        Quote
        do a clean install....and save data to flash-drive or hard drive; to install a system over the top of the same O/S can always cause problems...the best way to check if you are being tracked..wear headphones...if you hear clicking then your firewall is not up to much...you should with all Wi-Fi...have an encryption software...

        You can also place a US dime on the touch-pad a put down two drops of lemon juice on it.  It turns dark, you have the lemon-drop virus.

        Salmon Trout



        Quote
        do a clean install....and save data to flash-drive or hard drive; to install a system over the top of the same O/S can always cause problems...the best way to check if you are being tracked..wear headphones...if you hear clicking then your firewall is not up to much...you should with all Wi-Fi...have an encryption software...

        This is all nonsense, especially this:

        Quote
        the best way to check if you are being tracked..wear headphones...if you hear clicking then your firewall is not up to much


        BC_Programmer


        Why do people sometimes use o/s to represent Operating System? It's not an Operating/System...
        I was trying to dereference Null Pointers before it was cool.

        Salmon Trout



        Quote
        Why do people sometimes use o/s to represent Operating System? It's not an Operating/System...

        From old documents and records I have noticed it was once quite a widespread "workplace jargon" or informal abbreviation style here in the United Kingdom, but not so much nowadays. Around the time of World War 2, certainly in the armed forces and government service, you might see this sort of thing in log books, official forms, etc.:

        A/C aircraft
        W/Op Wireless Operator
        Wop/AG Wireless Operator and air gunner (dual role for one of the crew of a heavy bomber e.g. Avro Lancaster)
        W/O Warrant Officer
        P/O Pilot Officer (RAF rank)
        M/C machine
        W/C water closet (lavatory)
        B/S *censored* (seen in personal diary entries and letters)

        Also some older people write M/C for Manchester.